Using Commodity Coprocessors for Host Intrusion Detection
The ever-rising importance of communication services and devices emphasizes the significance of intrusion detection. Besides general network attacks, private hosts in particular are in the focus of cyber criminals. Private data theft and the integration of individual hosts into large-scale botnets are two common purposes that successfully subverted systems are used for. In order to detect any attack, intrusion detection mechanisms need to probe the data in question. Therefore, the acquisition of sensor data is one of the fundamental steps in any intrusion detection system, as the execution of a detection algorithm – be it anomaly- or signature-based – relies on the integrity of the assessed data. In cases where the intrusion detection system (and the sensor data acquisition component in particular) is installed on the very same host it is supposed to protect, attacks against its preventive and detective safeguards are rather simple and are aided by potential vulnerabilities of the host's operating system. Detection speed plays a vital role in keeping the damage caused by subversion attempts as small as possible. Moving the data acquisition and detection mechanisms off the host is desirable, as a higher degree of independence allows high-speed execution even in cases where the host has already been infected, or where its central processing units are running at capacity. The history of computer science, with cryptography as an excellent example, has taught us that the level of security can be increased by outsourcing certain operations to additional, special-purpose hardware. A positive side effect is that the increase in security is often accompanied by an increase in the speed at which the corresponding operations can be executed. The present thesis seizes upon the idea of outsourcing, but rather than employing additional special-purpose hardware, it proposes executing the relevant operations on commodity hardware.
While the application of coprocessors for network intrusion detection is common practice, and approaches using PCI add-in cards as well as external cryptographic coprocessors exist, we propose the application of commodity coprocessors for host intrusion detection, i.e., the modern graphics processing units (GPUs) found in current laptop and desktop computers. Our focus was on validating the assumption that modern GPUs are, in general, applicable to the task of acquiring host sensor data for intrusion detection purposes. Thus, we propose their application as independent auditors, and present research results regarding their feasibility to function as such. We detail abstract cost models and their practical validation, as well as a proof-of-concept implementation of an autonomous GPU kernel. This allows us to conclude that – leaving aside their programming and runtime frameworks – commodity, off-the-shelf coprocessors (i.e., modern GPUs) are able to perform host observation tasks in an unobtrusive manner.
Series: Doktorgradsavhandlinger ved Høgskolen i Gjøvik / Doctoral dissertations at Gjøvik University College; 1/2012