Beyond output voting: Detecting compromised replicas using HMM-based behavioral distance
Many host-based anomaly detection techniques have been proposed to detect code-injection attacks on servers. The vast majority, however, are susceptible to "mimicry" attacks in which the injected code masquerades as the original server software, including returning the correct service responses, while conducting its attack. "Behavioral distance," by which two diverse replicas processing the same inputs are continually monitored to detect divergence in their low-level (system-call) behaviors and hence potentially the compromise of one of them, has been proposed for detecting mimicry attacks. In this paper, we present a novel approach to behavioral distance measurement using a new type of hidden Markov model, and present an architecture realizing this new approach. We evaluate the detection capability of this approach using synthetic workloads and recorded workloads of production Web and game servers, and show that it detects intrusions with substantially greater accuracy than a prior proposal on measuring behavioral distance. We also detail the design and implementation of a new architecture, which takes advantage of virtualization to measure behavioral distance. We apply our architecture to implement intrusion-tolerant Web and game servers, and through trace-driven simulations demonstrate that it experiences moderate performance costs even when thresholds are set to detect stealthy mimicry attacks.
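The abstract contrasts output voting (comparing what the replicas return) with behavioral distance (comparing the system-call sequences the replicas issue while producing that output). The following is an added example, not code from the paper or from the authors' architecture: it scores a pair of syscall traces with a small two-state pair HMM using the forward algorithm, a far simpler model than the paper's, with hand-set transition and emission parameters. The syscall vocabularies for a Linux-like and a Windows-like replica, the benign traces used to calibrate the threshold, the mimicry trace, the HTTP response and the 20% slack are all constructed assumptions.

```python
# Added illustration, not the paper's model: a hand-parameterised two-state
# pair HMM ('sync' emits one syscall from each replica together, 'gap' emits a
# syscall from only one of them) scored with the forward algorithm, set beside
# plain output voting. All vocabularies, traces and probabilities are assumed.
import math

EPS = "-"            # the other replica issues nothing at this alignment step
FLOOR = 1e-4         # smoothing mass for a syscall pair never seen in sync
NEG = float("-inf")  # log 0
STATES = ("sync", "gap")

# Constructed: syscalls the Linux-like replica A and the Windows-like replica B
# are expected to issue together while serving one request.
SYNC_PAIRS = [("accept", "AcceptEx"), ("read", "ReadFile"), ("open", "CreateFile"),
              ("fstat", "GetFileSize"), ("write", "WriteFile"), ("close", "CloseHandle")]
SYNC_EMIT = {p: (1.0 - FLOOR) / len(SYNC_PAIRS) for p in SYNC_PAIRS}
GAP_EMIT = 0.02      # assumed probability of any single-sided emission
START = {"sync": 0.95, "gap": 0.05}
TRANS = {("sync", "sync"): 0.9, ("sync", "gap"): 0.1,
         ("gap", "sync"): 0.6, ("gap", "gap"): 0.4}

def emit(state, a, b):
    """Probability that `state` emits the aligned pair (a, b)."""
    if state == "sync":
        return 0.0 if EPS in (a, b) else SYNC_EMIT.get((a, b), FLOOR)
    return GAP_EMIT if (a == EPS) != (b == EPS) else 0.0

def logadd(x, y):
    """log(exp(x) + exp(y)) without underflow."""
    if x == NEG or y == NEG:
        return x if y == NEG else y
    hi, lo = max(x, y), min(x, y)
    return hi + math.log1p(math.exp(lo - hi))

def log_likelihood(trace_a, trace_b):
    """Forward algorithm over the pair HMM: log P(trace_a, trace_b)."""
    n, m = len(trace_a), len(trace_b)
    f = {s: [[NEG] * (m + 1) for _ in range(n + 1)] for s in STATES}
    for i in range(n + 1):
        for j in range(m + 1):
            if i == 0 and j == 0:
                continue
            for s in STATES:
                moves = []  # (prev i, prev j, emitted pair) that end in s
                if s == "sync" and i and j:
                    moves.append((i - 1, j - 1, trace_a[i - 1], trace_b[j - 1]))
                if s == "gap" and i:
                    moves.append((i - 1, j, trace_a[i - 1], EPS))
                if s == "gap" and j:
                    moves.append((i, j - 1, EPS, trace_b[j - 1]))
                total = NEG
                for pi, pj, a, b in moves:
                    if pi == 0 and pj == 0:
                        prev = math.log(START[s])
                    else:
                        prev = NEG
                        for t in STATES:
                            prev = logadd(prev, f[t][pi][pj] + math.log(TRANS[(t, s)]))
                    total = logadd(total, prev + math.log(emit(s, a, b)))
                f[s][i][j] = total
    return logadd(f["sync"][n][m], f["gap"][n][m])

def behavioral_distance(trace_a, trace_b):
    """Length-normalised negative log-likelihood; larger means more divergent."""
    return -log_likelihood(trace_a, trace_b) / (len(trace_a) + len(trace_b))

def calibrate_threshold(pairs, slack=1.2):
    """Worst benign distance plus 20% slack (an assumed, simple policy)."""
    return slack * max(behavioral_distance(a, b) for a, b in pairs)

def check_request(trace_a, trace_b, resp_a, resp_b, threshold):
    """Returns (output voting agrees, behavioral distance, replica flagged)."""
    d = behavioral_distance(trace_a, trace_b)
    return resp_a == resp_b, d, d > threshold

# Constructed benign traces of both replicas serving the same static request.
B_OK = ["AcceptEx", "ReadFile", "CreateFile", "GetFileSize",
        "ReadFile", "WriteFile", "CloseHandle", "CloseHandle"]
BENIGN_PAIRS = [
    (["accept", "read", "open", "fstat", "mmap", "read", "write", "close", "close"], B_OK),
    (["accept", "read", "open", "fstat", "read", "write", "close", "close"], B_OK),
    (["accept", "read", "open", "fstat", "write", "close", "close"],
     ["AcceptEx", "ReadFile", "CreateFile", "GetFileSize", "CreateFileMapping",
      "WriteFile", "CloseHandle", "CloseHandle"]),
]
# Constructed mimicry: compromised replica A spawns a back-connect child
# mid-request but still returns the byte-exact response, so voting passes.
MIMICRY_A = ["accept", "read", "open", "fstat", "socket", "connect", "dup2",
             "fork", "read", "write", "close", "close"]
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
THRESHOLD = calibrate_threshold(BENIGN_PAIRS)
```

Calling `check_request(MIMICRY_A, B_OK, RESPONSE, RESPONSE, THRESHOLD)` returns agreement on the output vote together with a distance above `THRESHOLD`: the extra socket/connect/dup2/fork steps can only be explained by the gap state, which costs more than any in-sync pair, so the compromised replica is flagged even though its response is correct, while the three benign pairs (one of which also contains a harmless single-sided `mmap` or `CreateFileMapping`) stay below the threshold. The length normalisation and the 20% slack are arbitrary; the real tradeoff is the one the abstract points at, setting the threshold low enough to catch stealthy mimicry without raising false positives on recorded benign workloads.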
Main Authors: GAO, Debin; Reiter, Michael K.; SONG, Dawn
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University, 2009
Subjects: Fault-tolerance; Information flow controls; Intrusion detection; Measurements; Network-level security and protection; Performance measures; Protection mechanisms; Reliability, availability, and serviceability; Security; Unauthorized access (hacking, phreaking); Web server; behavioral distance; output voting; replicated system; system call; Information Security
Online Access: https://ink.library.smu.edu.sg/sis_research/765
Full text (PDF): https://ink.library.smu.edu.sg/context/sis_research/article/1764/viewcontent/Beyond_output_voting_Detecting_compromised_replicas_using_HMM_based_behavioral_distance.pdf
Institution: Singapore Management University
id: sg-smu-ink.sis_research-1764
record_format: dspace
author: GAO, Debin; Reiter, Michael K.; SONG, Dawn
publishDate: 2009-04-01
doi: 10.1109/TDSC.2008.39
license: http://creativecommons.org/licenses/by-nc-nd/4.0/
collection: Research Collection School Of Computing and Information Systems, InK@SMU (SMU Libraries, Singapore Management University)
topic: Fault-tolerance; Information flow controls; Intrusion detection; Measurements; Network-level security and protection; Performance measures; Protection mechanisms; Reliability, availability, and serviceability; Security; Unauthorized access (hacking, phreaking); Web server; behavioral distance; output voting; replicated system; system call; Information Security
url: https://ink.library.smu.edu.sg/sis_research/765
fulltext: https://ink.library.smu.edu.sg/context/sis_research/article/1764/viewcontent/Beyond_output_voting_Detecting_compromised_replicas_using_HMM_based_behavioral_distance.pdf