first draft of intro
This commit is contained in:
parent f305cb206b
commit 42b1299512
2 changed files with 36 additions and 3 deletions
@ -2,13 +2,20 @@
short={IDS},
long={Intrusion Detection System}
}
\DeclareAcronym{hids}{
short={HIDS},
long={Host-Based Intrusion Detection System}
}
\DeclareAcronym{os}{
short={OS},
long={Operating System}
}
\DeclareAcronym{sci}{
short={SCI},
long={Side-Channel Information}
}
\DeclareAcronym{cpu}{
short={CPU},
long={Central Processing Unit}
}
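Review bot: the new sci entry expands to "Side-Channel Information", a mass noun, while the intro hunk in this same commit uses it as a plural subject ("\ac{sci} are compeling as the secondary source"), so the first use will render as "Side-Channel Information (SCI) are ..."; either fix the verb in the intro to "is", or, if a plural is intended, give this entry a plural form (acro's `long-plural` / `short-plural` keys) and call it with `\acp{sci}`. Also, now that `os` is declared here, the intro's context line "we do not differentiate between Unix-based OSs and ..." should use `\acp{os}` rather than the literal "OSs" so the acronym list stays consistent. Style only: "Host-Based" in the hids long form would normally be written "Host-based".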
@ -104,9 +104,35 @@ For the purpose of this study, we do not differentiate between Unix-based OSs an
Of course, many methods have been proposed and implemented to detect or counter process list tampering.
These methods --- although they leverage different mechanisms --- are all host-based.
This create a circular dependency where the \ac{ids} rely on the host system to provide the very information leveraged to assess its integrity.
As rootkis providing process hiding remained a threat since their introduction, it is safe to assume that current countermesures --- and future ones based on similar technics --- do not provide adequate protection.
In this situation, an attacker that succesfully compromises a machine can employ evasion technics that manipulate the data used for detection.
As rootkis providing process hiding remained a threat since their introduction, it is safe to assume that current countermesures --- and future ones based on similar technics --- do not provide complete protection.
% is it a bird? is it a plane? No its the good old power consumption!
One possible alternate method for detecting process list manipulation is using a secondary source of information to corroborate the process list.
To avoid bypass, the secondary source must be independent from the \ac{os} and not require its cooperation to enable protection.
However, the source must also provide information correlated with process presence and activity on the machine.
\ac{sci} are compeling as the secondary source.
As involuntary emissions, they are intrisecely independent from the origin system.
No communication is required with the system to access these information.
As physical by-product of the computation, they are hard to forge from an attacker point of view.
A program can somewhat controle its computation intensity but it is difficult to precisely controle the generated emission and impossible to fully supress them.
If the attacker wish to perform any computation on the compromised machine, it will result in some form of physical emission.
The most common \ac{sci} leveraged for attack or defense is energy consumption.
Due to its ease of capture, high reliability, large range of application, and good informative potential about the activity of the system.
Of course, there are drawbacks to using power consumption as a source of information.
First, the raw power consumption of a machine is not an actionable piece of information.
A step of information mining --- for example pattern recognition, anomaly detection, or even a simple thresholding --- is always required to take a decision.
Then, measuring true independent power consumption data require additional hardware.
Although software estimations of power consumption are available, they bear the same issue as other host-based source of information.
Finaly, the power consumption of a mchine only ontains a small subset of all information related to processes activity.
A \ac{cpu} are capable or hundreds to thousands of millions operations per seconds.
Each intruction triggers multiple consumptions patterns acrosses multiple components of the system.
Although --- in theory --- the power consumption is a sum of all these sub-consumptions, the reality of measurement --- in terms of resolution, accuracy, and sampling rate --- make single-instruction measurement unrealistic at a global scale of the \ac{cpu}.
Taking all these limitations into account, the power consumption of a machine --- and more specifically the global power consuption of its \ac{cpu} --- is a valuable complementary source of information.
The correlation between a list of processes and the power consumption can enable the detection of process list tampering, evidence of malware activity.
% Thank you king of sweden. No it was nothing you are welcome. Ok get home safe now. Byeeee.
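Review bot: the first paragraph of this hunk states its conclusion twice: the sentence beginning "As rootkis providing process hiding remained a threat since their introduction" appears once ending in "adequate protection" and again two sentences later ending in "complete protection"; keep only the second occurrence (it follows naturally from the "evasion technics" sentence) and delete the first. In the same paragraph, "This create a circular dependency where the \ac{ids} rely" should read "This creates a circular dependency where the \ac{ids} relies". Spelling to fix across the hunk: rootkis, countermesures, technics (techniques), succesfully, compeling, intrisecely, controle, supress, Finaly, mchine, ontains, intruction, acrosses, consuption. Grammar: "Due to its ease of capture, high reliability, large range of application, and good informative potential ..." is a fragment and belongs on the previous sentence after a comma; "A \ac{cpu} are capable or hundreds to thousands of millions operations per seconds" should be "A \ac{cpu} is capable of hundreds to thousands of millions of operations per second"; "measuring true independent power consumption data require" should be "requires"; "access these information" should be "access this information"; "\ac{sci} are compeling" should agree with the singular expansion ("is compelling") unless a plural acronym form is defined. One content caveat: the text calls the emissions "intrisecely independent from the origin system" and "hard to forge", then concedes two sentences later that a program "can somewhat controle its computation intensity"; the defensible claim is that the measurement path is independent (no \ac{os} cooperation is needed to read it), not that the signal is, since the attacker's own workload shapes it, so phrase the independence claim that way. Finally, the "% is it a bird? is it a plane? ..." and "% Thank you king of sweden ..." lines are drafting jokes; remove them before this lands in the manuscript.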