DocumentCode :
2357458
Title :
Observation Mechanism and Cost Model for Tightly Coupled Asymmetric Concurrency
Author :
Seeger, Mark M. ; Wolthusen, Stephen D.
Author_Institution :
Dept. of Secure Services, Center for Adv. Security Res. Darmstadt (CASED), Darmstadt, Germany
fYear :
2010
fDate :
11-16 April 2010
Firstpage :
158
Lastpage :
163
Abstract :
Whilst the precise objectives and mechanisms used by malicious code will vary widely and may involve wholly unknown techniques to achieve their respective objectives, certain second-order operations such as privilege escalation or concealment of the code's presence or activity are predictable. In particular, concealment mechanisms must modify well-known data structures, which could be detected trivially otherwise. We argue that any such mechanism is necessarily non-atomic and can hence be detected through concurrent observations forcing an interleaved linearization of the malicious code with observations of memory state changes induced in tightly coupled concurrent processing units. Extending previous research for the case of symmetric concurrent observation, we propose a computational model and observation mechanism for the case of tightly coupled asymmetric concurrent processing units as may be found in most current computing environments with particular emphasis on metrics for the cost of forced synchronization and resource contention caused by observations. We argue that the resulting observations will provide a novel sensor datum for intrusion detection but may also be used as a standalone probabilistic detection mechanism particularly suited to detect attacks in progress.
Keywords :
concurrency control; data structures; invasive software; computational model; concealment mechanism; concurrent observations; concurrent processing units; cost model; data structures; forced synchronization; interleaved linearization; malicious code; observation mechanism; privilege escalation; resource contention; second-order operation; tightly coupled asymmetric concurrency; Computational modeling; Computer architecture; Concurrent computing; Costs; Data structures; Information security; Interference; Intrusion detection; Kernel; Monitoring; Asymmetric Concurrency; Computational Model; Intrusion Detection; Memory Observation;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Systems (ICONS), 2010 Fifth International Conference on
Conference_Location :
Menuires
Print_ISBN :
978-1-4244-6231-5
Type :
conf
DOI :
10.1109/ICONS.2010.34
Filename :
5464146