Automated monitoring and debugging of large scale manycore heterogeneous systems - Computer Security

Online surveillance of computerized systems – Analysis of current and future needs

ahamou-lhadj — Wed, 13 Nov 2013 22:39:07 +0000

M. Couture, A. Hamou-Lhadj, M. Dagenais, A. Goel, "Online surveillance of computerized systems – Analysis of current and future needs", NATO Joint Symposium (RTO SET-183 / IST-112), Quebec City, QC, 2012.

The rapid development of software and hardware technologies has led to a significant increase in the number and variety of computer systems and networks supporting command and control (C2) operations. Current operations may use any mix of hosts (any type of computerized system and its software). The risk of occurrence of errors or failures on these hosts has become increasingly larger over the years not only because of the rising complexity of the software and hardware, but also because of the larger number of cyber attacks and their ever-increasing sophistication and diversity. The presence of anomalies in a host may correlate with the presence of important security breaches. Some of these can be very hard to detect and eliminate. They can stay stealthy and dormant for long periods of time, maintaining hosts in a compromised state with the likely consequence of a serious impact on C2 operations when activated.
Current surveillance technologies running on these hosts are relatively limited in their ability to detect unwanted software behaviours and states. Significant improvements in the effectiveness of online host-level monitoring are necessary in order to ensure the dependability of services offered by the hosts during C2 operations. Operators and system administrators need continuously updated reports depicting detected anomalies and their potential impacts in order to be able to build and maintain situational awareness of their hosts, and to be able to react and/or pro-act in timely fashion to correct or prevent any problems. The nature of current and future cyber threats demands detection techniques that are able to cover the widest possible spectrum of anomalies. In this paper, approaches outlined in the "NATO Code of Best Practice for C2 Assessment" (COBP) [1] are utilized to study current and future needs in terms of technologies for online host-level surveillance, which can be considered as another component of C2. We first formulate problems that are specific to this domain and describe their characteristics and constraints according to the COBP prescriptions. An analysis of the various classes of Measures of Merit (MoMs) is then made in order to identify a number of potential solutions for the improvement of host-level surveillance, which could involve both current leading-edge and anticipated detection technologies.

Diversity Through N-Version Programming: Current State, Challenges and Recommendations

ahamou-lhadj — Wed, 13 Nov 2013 22:37:12 +0000

R. Khoury, A. Hamou-Lhadj, M. Couture, Robert Charpentier, "Diversity Through N-Version Programming: Current State, Challenges and Recommendations", International Journal of Information Technology and Computer Science (IJITCS), MECS Publisher, 4(2), pp.56-64, 2012.

N-version programming is a software development paradigm that draws upon the concept of diversity to increase the reliability of software. The central idea is to independently produce multiple functionally equivalent versions of a program, and execute them in parallel. If the versions fail independently, then the probability of multiple versions producing a faulty output on any given input is very small; much lower than the failure probability of any single version. In this paper, we examine and contrast various experiments that have been performed to evaluate the benefits of this approach and draw some conclusions. We find that for diversity to be effective, it must be introduced in a targeted and informed manner and encompass several phases of the software’s development.

A Host-based Anomaly Detection Approach by Representing System Calls as States of Kernel Modules

ahamou-lhadj — Wed, 13 Nov 2013 22:29:02 +0000

S. S. Murtaza, W. Khreich, A. Hamou-Lhadj, M. Couture , "A Host-based Anomaly Detection Approach by Representing System Calls as States of Kernel Modules," In Proc. of the 24th IEEE International Symposium on Software Reliability Engineering (ISSRE), Pasadena, CA, USA, 2013.

Despite over two decades of research, high false alarm rates, large trace sizes and high processing times remain among the key issues in host-based anomaly intrusion detection systems. In an attempt to reduce the false alarm rate and processing time while increasing the detection rate, this paper presents a novel anomaly detection technique based on semantic interactions of system calls. The key concept is to represent system calls as states of kernel modules, analyze the state interactions, and identify anomalies by comparing the probabilities of occurrences of states in normal and anomalous traces. In addition, the proposed technique allows a visual understanding of system behaviour, and hence a more informed decision making. We evaluated this technique on Linux based programs of UNM datasets and a new modern Firefox dataset. We created the Firefox dataset on Linux using contemporary test suites and hacking techniques. The results show that our technique yields fewer false alarms and can handle large traces with smaller (or comparable) processing times compared against the existing techniques for the host based anomaly intrusion detection systems.

Automated monitoring and debugging of large scale manycore heterogeneous systems - Computer Security

Online surveillance of computerized systems – Analysis of current and future needs

Tags:

Diversity Through N-Version Programming: Current State, Challenges and Recommendations

Tags:

A Host-based Anomaly Detection Approach by Representing System Calls as States of Kernel Modules

Tags: