Title :
A model for partially asynchronous observation of malicious behavior
Author :
Seeger, Mark M. ; Wolthusen, Stephen D.
Author_Institution :
Dept. Secure Services, Center for Adv. Security Res. Darmstadt (CASED), Darmstadt, Germany
Abstract :
For a non-trivial attack to be successful in compromising a target, multiple causally related operations must be performed. Detecting such potentially unknown sequences is the core problem in intrusion detection. In this paper, we focus on the problem of observing attacks over non-uniform, partially asynchronous event sets. We therefore propose characterizing attacks as partially ordered sets, and we show how these can be detected asynchronously, as will typically be the case in a modern computing architecture. By extending a naïve model to incorporate subsets of known causal dependencies, enhanced observation strategies minimizing the number and cost of observations can be derived. Incorporating knowledge of the constraints on attack causality into observations allows for notable enhancements in the efficiency of detection. We also provide a simple example of an application of the model for the case of an intrusion detection system on a co-processor observing a host, although the model is intended for arbitrary non-uniform architectures and concurrent operations.
Keywords :
security of data; arbitrary nonuniform architectures; attack causality; causal dependencies; charactering attacks; concurrent operations; coprocessor; intrusion detection system; malicious behavior; modern computing architecture; naïve model; nontrivial attack; partially asynchronous event sets; partially asynchronous observation; partially ordered sets; Cryptography; Intrusion detection; asynchronous and partially asynchronous observation; causality models;
Conference_Titel :
Information Security for South Africa (ISSA), 2012
Conference_Location :
Johannesburg, Gauteng
Print_ISBN :
978-1-4673-2160-0
DOI :
10.1109/ISSA.2012.6320435