Beyond output voting: Detecting compromised replicas using HMM-based behavioral distance

Publication, Journal Article
Gao, D; Reiter, MK; Song, D
Published in: IEEE Transactions on Dependable and Secure Computing
January 1, 2009

Many host-based anomaly detection techniques have been proposed to detect code-injection attacks on servers. The vast majority, however, are susceptible to "mimicry attacks," in which the injected code masquerades as the original server software, including returning the correct service responses, while conducting its attack. "Behavioral distance," by which two diverse replicas processing the same inputs are continually monitored to detect divergence in their low-level (system-call) behaviors and hence potentially the compromise of one of them, has been proposed for detecting mimicry attacks. In this paper, we present a novel approach to behavioral distance measurement using a new type of Hidden Markov Model, and present an architecture realizing this new approach. We evaluate the detection capability of this approach using synthetic workloads and recorded workloads of production web and game servers, and show that it detects intrusions with substantially greater accuracy than a prior proposal on measuring behavioral distance. We also detail the design and implementation of a new architecture, which takes advantage of virtualization to measure behavioral distance. We apply our architecture to implement intrusion-tolerant web and game servers, and through trace-driven simulations demonstrate that it experiences moderate performance costs even when thresholds are set to detect stealthy mimicry attacks. © 2006 IEEE.

Duke Scholars

Published In

IEEE Transactions on Dependable and Secure Computing

DOI

10.1109/TDSC.2008.39

ISSN

1545-5971

Publication Date

January 1, 2009

Volume

6

Issue

2

Start / End Page

96 / 110

Related Subject Headings

  • Strategic, Defence & Security Studies
  • 4606 Distributed computing and systems software
  • 4604 Cybersecurity and privacy
  • 0805 Distributed Computing
  • 0804 Data Format
  • 0803 Computer Software

Citation

APA: Gao, D., Reiter, M. K., & Song, D. (2009). Beyond output voting: Detecting compromised replicas using HMM-based behavioral distance. IEEE Transactions on Dependable and Secure Computing, 6(2), 96–110. https://doi.org/10.1109/TDSC.2008.39

Chicago: Gao, D., M. K. Reiter, and D. Song. “Beyond output voting: Detecting compromised replicas using HMM-based behavioral distance.” IEEE Transactions on Dependable and Secure Computing 6, no. 2 (January 1, 2009): 96–110. https://doi.org/10.1109/TDSC.2008.39.

ICMJE / NLM: Gao D, Reiter MK, Song D. Beyond output voting: Detecting compromised replicas using HMM-based behavioral distance. IEEE Transactions on Dependable and Secure Computing. 2009 Jan 1;6(2):96–110.

MLA: Gao, D., et al. “Beyond output voting: Detecting compromised replicas using HMM-based behavioral distance.” IEEE Transactions on Dependable and Secure Computing, vol. 6, no. 2, Jan. 2009, pp. 96–110. Scopus, doi:10.1109/TDSC.2008.39.
