research-article

Monitoring for security intrusion using performance signatures

Authors:

Alberto Avritzer,

Rajanikanth Tanikella,

Robert G. Cole,

Elaine WeyukerAuthors Info & Claims

WOSP/SIPEW '10: Proceedings of the first joint WOSP/SIPEW international conference on Performance engineering

Pages 93 - 104

https://doi.org/10.1145/1712605.1712623

Published: 28 January 2010 Publication History

Abstract

A new approach for detecting security attacks on software systems by monitoring the software system performance signatures is introduced. We present a proposed architecture for security intrusion detection using off-the-shelf security monitoring tools and performance signatures. Our approach relies on the assumption that the performance signature of the well-behaved system can be measured and that the performance signature of several types of attacks can be identified. This assumption has been validated for operations support systems that are used to monitor large infrastructures and receive aggregated traffic that is periodic in nature. Examples of such infrastructures include telecommunications systems, transportation systems and power generation systems. In addition, significant deviation from well-behaved system performance signatures can be used to trigger alerts about new types of security attacks. We used a custom performance benchmark and five types of security attacks to derive performance signatures for the normal mode of operation and the security attack mode of operation. We observed that one of the types of the security attacks went undetected by the off-the-shelf security monitoring tools but was detected by our approach of monitoring performance signatures. We conclude that an architecture for security intrusion detection can be effectively complemented by monitoring of performance signatures.

References

[1]

A. Avritzer and E.J. Weyuker. The Automatic Generation of Load Test Suites and the Assessment of the Resulting Software. IEEE Trans. on Software Engineering, Sept 1995, pp. 705--716.

Digital Library

[2]

A. Avritzer and E.J. Weyuker, Detecting failed processes using fault signatures, International Computer Performance and Dependability Symposium, July, 1996.

Digital Library

[3]

A. Avritzer and E.J. Weyuker, Monitoring Smoothly Degrading Systems for Increased Dependability, Empirical Software Engineering, Springer Netherlands, March 1997.

Digital Library

[4]

A. Avritzer, J.P. Ros and E.J. Weyuker, Estimating the CPU utilization of a rule-based system, Proc. Fourth International Workshop on Software and Performance 2004, Redwood Shores, California, Jan, 2004, pp. 1--12.

Digital Library

[5]

A. Avritzer, A. Bondi and E.J. Weyuker, Ensuring Stable Performance for Systems that Degrade, Proc. Fifth International Workshop on Software and Performance 2005, Palma de Mallorca, Spain, July, 2005, pp. 43--51.

Digital Library

[6]

A. Avritzer, R.G. Cole and E.J. Weyuker, Using performance signatures and software rejuvenation for worm mitigation in tactical MANETs, Proc. Sixth International Workshop on Software and Performance 2007, Buenos Aires, Argentina, February, 2007, pp. 172--180.

Digital Library

[7]

W. Diffie and M.E. Hellman, New directions in cryptography. IEEE Transactions on Information Theory, vol IT-22, Nov 1976, pp:644--654.

[8]

S.A. Hofmeyr and S. Forrest and A. Somayaji, Intrusion Detection Using Sequences of System Calls. Journal of Computer Security, vol 6, No 3, 1998, pp 151--180.

Digital Library

[9]

Y. Huang, C. Kintala, N. Kolettis, and N.D. Fulton, Software rejuvenation:Analysis, module and applications. Proc. Twenty-fifth International Symp. on Fault-Tolerant Computing, 1995, pp. 381--390.

Digital Library

[10]

IBM Cryptography Research Group. http://domino.research.ibm.com/security

[11]

D. Khan. The code breakers. Macmillan, 1967.

[12]

R. Mariani. Performance Signature: A qualitative approach to dependence guidance. International Computer Measurement Group Conference, pp 469--474, 2006.

[13]

D.L .Oppenheimer and M.R. Martonosi, Performance Signatures: A Mechanism for Intrusion Detection. Proceedings of the 1997 IEEE Information Survivability Workshop, 1997. http://www.sysnet.ucsd.edu/ davidopp/pubs/perfsig.html.

[14]

R.L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM, Feb. 1978, pp 120--126.

Digital Library

[15]

http://www.wired.com/threatlevel/2009/01/professedtwitt/

[16]

Snort http://www.snort.org/

[17]

Cain & Abel http://www.oxid.it/cain.html

[18]

Wireshark http://www.wireshark.org/

[19]

Hyperic Sigar http://www.hyperic.com/products/sigar.html

[20]

DoSHttp http://www.socketsoft.net/

[21]

Base http://base.secureideas.net/

[22]

CurrPorts http://www.nirsoft.net/utils/cports.html

[23]

SysTracer http://www.blueproject.ro/systracer

Cited By

Kim SJin HJoo KLee JLee D(2024)DROPSYS: Detection of ROP attacks using system informationComputers & Security10.1016/j.cose.2024.103813(103813)Online publication date: Mar-2024
https://doi.org/10.1016/j.cose.2024.103813
Guri M(2023)AirKeyLogger: Hardwareless Air-Gap Keylogging Attack2023 IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC)10.1109/COMPSAC57700.2023.00089(637-647)Online publication date: Jun-2023
https://doi.org/10.1109/COMPSAC57700.2023.00089
Gonçalves CMenasché DAvritzer AAntunes NVieira M(2023)Detecting Anomalies Through Sequential Performance Analysis in Virtualized EnvironmentsIEEE Access10.1109/ACCESS.2023.329364311(70716-70740)Online publication date: 2023
https://doi.org/10.1109/ACCESS.2023.3293643
Show More Cited By

Index Terms

Monitoring for security intrusion using performance signatures

Recommendations

Enhancing byte-level network intrusion detection signatures with context
CCS '03: Proceedings of the 10th ACM conference on Computer and communications security

Many network intrusion detection systems (NIDS) use byte sequences as signatures to detect malicious activity. While being highly efficient, they tend to suffer from a high false-positive rate. We develop the concept of contextual signatures as an ...
Your botnet is my botnet: analysis of a botnet takeover
CCS '09: Proceedings of the 16th ACM conference on Computer and communications security

Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security problems on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program that is ...
Security Arguments for Digital Signatures and Blind Signatures

Since the appearance of public-key cryptography in the seminal Diffie--Hellman paper, many new schemes have been proposed and many have been broken. Thus, the simple fact that a cryptographic algorithm withstands cryptanalytic attacks for several years ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

WOSP/SIPEW '10: Proceedings of the first joint WOSP/SIPEW international conference on Performance engineering

January 2010

294 pages

ISBN:9781605585635

DOI:10.1145/1712605

General Chairs:
Alan Adamson
SPEC Board of Directors
,
André Bondi
Siemens Corporate Research, USA
,
Program Chairs:
Carlos Juiz
University of the Balearic Islands, Spain
,
Mark S. Squillante
IBM T.J. Watson Research Center, USA

Copyright © 2010 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 28 January 2010

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

WOSP/SIPEW'10

Sponsor:

WOSP/SIPEW'10: First Joint WOSP/SIPEW International Conference on Performance Engineering

January 28 - 30, 2010

California, San Jose, USA

Acceptance Rates

Overall Acceptance Rate 149 of 241 submissions, 62%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

21
Total Citations
View Citations
552
Total Downloads

Downloads (Last 12 months)5
Downloads (Last 6 weeks)0

Reflects downloads up to 25 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Kim SJin HJoo KLee JLee D(2024)DROPSYS: Detection of ROP attacks using system informationComputers & Security10.1016/j.cose.2024.103813(103813)Online publication date: Mar-2024
https://doi.org/10.1016/j.cose.2024.103813
Guri M(2023)AirKeyLogger: Hardwareless Air-Gap Keylogging Attack2023 IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC)10.1109/COMPSAC57700.2023.00089(637-647)Online publication date: Jun-2023
https://doi.org/10.1109/COMPSAC57700.2023.00089
Gonçalves CMenasché DAvritzer AAntunes NVieira M(2023)Detecting Anomalies Through Sequential Performance Analysis in Virtualized EnvironmentsIEEE Access10.1109/ACCESS.2023.329364311(70716-70740)Online publication date: 2023
https://doi.org/10.1109/ACCESS.2023.3293643
Miranda LLima CMenasch DDomingues G(2022)Sequential Performance Analysis of Systems that Age and Rejuvenate2022 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)10.1109/ISSREW55968.2022.00061(146-153)Online publication date: Oct-2022
https://doi.org/10.1109/ISSREW55968.2022.00061
Panjei EGruenwald LLeal ENguyen CSilvia S(2022)A survey on outlier explanationsThe VLDB Journal10.1007/s00778-021-00721-131:5(977-1008)Online publication date: 26-Jan-2022
https://doi.org/10.1007/s00778-021-00721-1
Avritzer AAmaral JKoziolek ATrubiani CIosup A(2020)Automated Scalability Assessment in DevOps EnvironmentsCompanion of the ACM/SPEC International Conference on Performance Engineering10.1145/3375555.3384936(10-10)Online publication date: 20-Apr-2020
https://dl.acm.org/doi/10.1145/3375555.3384936
Goncalves CMenasche DAvritzer AAntunes NVieira M(2020)A Model-Based Approach to Anomaly Detection Trading Detection Time and False Alarm Rate2020 Mediterranean Communication and Computer Networking Conference (MedComNet)10.1109/MedComNet49392.2020.9191549(1-8)Online publication date: Jun-2020
https://doi.org/10.1109/MedComNet49392.2020.9191549
Rufino VNogueira MAvritzer AMenasche DRusso BJanes AFerme VVan Hoorn ASchulz HLima C(2020)Improving Predictability of User-Affecting Metrics to Support Anomaly Detection in Cloud ServicesIEEE Access10.1109/ACCESS.2020.30285718(198152-198167)Online publication date: 2020
https://doi.org/10.1109/ACCESS.2020.3028571
Zhang JGao CGong LGu ZMan DYang WLi W(2020)Malware Detection Based on Multi-level and Dynamic Multi-feature Using Ensemble Learning at HypervisorMobile Networks and Applications10.1007/s11036-019-01503-4Online publication date: 8-Jan-2020
https://doi.org/10.1007/s11036-019-01503-4
Kounev SLange KKistowski JKounev SLange Kvon Kistowski J(2020)Software and System SecuritySystems Benchmarking10.1007/978-3-030-41705-5_18(389-421)Online publication date: 2020
https://doi.org/10.1007/978-3-030-41705-5_18
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents