The cost of observation for intrusion detection: Performance impact of concurrent host observation
Intrusion detection relies on the ability to obtain reliable and trustworthy measurements, while adversaries will inevitably target such monitoring and security systems to prevent their detection. This has led to a number of proposals for using coprocessors as protected monitoring instances. However...
Main authors: | Seeger, Mark M; Wolthusen, Stephen D; Busch, Christoph; Baier, Harald |
---|---|
Format: | Conference proceeding |
Language: | eng |
Subjects: | |
Online access: | Order full text |
container_end_page | 8 |
---|---|
container_issue | |
container_start_page | 1 |
container_title | |
container_volume | |
creator | Seeger, Mark M; Wolthusen, Stephen D; Busch, Christoph; Baier, Harald |
description | Intrusion detection relies on the ability to obtain reliable and trustworthy measurements, while adversaries will inevitably target such monitoring and security systems to prevent their detection. This has led to a number of proposals for using coprocessors as protected monitoring instances. However, such coprocessors suffer from two problems, namely the ability to perform measurements without relying on the host system and the speed at which such measurements can be performed. The availability of smart, high-performance subsystems in commodity computer systems such as graphics processing units (GPU) strongly motivates an investigation into novel ways of achieving the twin objectives of self-protected observation and monitoring systems and sufficient measurement frequency. This, however, gives rise to performance penalties imposed by memory synchronization particularly in non-uniform memory architectures (NUMA) even for the case of direct memory access (DMA) transfers. Based on prior work detailing a cost model for synchronization of memory access in such advanced architectures, we report an experimental validation of the cost model using an IEEE 1394 DMA bus mastering environment, which provides full access to the measurement target's main memory and involves multiple bus bridges and concomitant synchronization mechanisms. We observed up to 25% performance degradation, highlighting the need for efficient sampling strategies for both, memory size and a preference for quiescent data structures for monitoring executed by off-host devices. |
doi_str_mv | 10.1109/ISSA.2010.5588311 |
format | Conference Proceeding |
fulltext | fulltext_linktorsrc |
identifier | ISSN: 2330-9881 |
ispartof | 2010 Information Security for South Africa, 2010, p.1-8 |
issn | 2330-9881 |
language | eng |
recordid | cdi_ieee_primary_5588311 |
source | IEEE Electronic Library (IEL) Conference Proceedings |
subjects | asynchronous memory access; Computers; coprocessor; Data structures; DMA; Firewire; Generators; Host intrusion detection; IEEE 1394 Standard; IEEE1394; NUMA; Runtime; Synchronization |
title | The cost of observation for intrusion detection: Performance impact of concurrent host observation |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-24T14%3A15%3A26IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_6IE&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=The%20cost%20of%20observation%20for%20intrusion%20detection:%20Performance%20impact%20of%20concurrent%20host%20observation&rft.btitle=2010%20Information%20Security%20for%20South%20Africa&rft.au=Seeger,%20Mark%20M&rft.date=2010-08&rft.spage=1&rft.epage=8&rft.pages=1-8&rft.issn=2330-9881&rft.isbn=142445493X&rft.isbn_list=9781424454938&rft_id=info:doi/10.1109/ISSA.2010.5588311&rft_dat=%3Cieee_6IE%3E5588311%3C/ieee_6IE%3E%3Curl%3E%3C/url%3E&rft.eisbn=9781424454952&rft.eisbn_list=1424454948&rft.eisbn_list=9781424454945&rft.eisbn_list=1424454956&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=5588311&rfr_iscdi=true |