The cost of observation for intrusion detection: Performance impact of concurrent host observation

Intrusion detection relies on the ability to obtain reliable and trustworthy measurements, while adversaries will inevitably target such monitoring and security systems to prevent their detection. This has led to a number of proposals for using coprocessors as protected monitoring instances. However...

Bibliographic details
Main authors: Seeger, Mark M, Wolthusen, Stephen D, Busch, Christoph, Baier, Harald
Format: Conference proceeding
Language: eng
container_end_page 8
container_issue
container_start_page 1
container_title
container_volume
creator Seeger, Mark M
Wolthusen, Stephen D
Busch, Christoph
Baier, Harald
description Intrusion detection relies on the ability to obtain reliable and trustworthy measurements, while adversaries will inevitably target such monitoring and security systems to prevent their detection. This has led to a number of proposals for using coprocessors as protected monitoring instances. However, such coprocessors suffer from two problems, namely the ability to perform measurements without relying on the host system and the speed at which such measurements can be performed. The availability of smart, high-performance subsystems in commodity computer systems such as graphics processing units (GPU) strongly motivates an investigation into novel ways of achieving the twin objectives of self-protected observation and monitoring systems and sufficient measurement frequency. This, however, gives rise to performance penalties imposed by memory synchronization particularly in non-uniform memory architectures (NUMA) even for the case of direct memory access (DMA) transfers. Based on prior work detailing a cost model for synchronization of memory access in such advanced architectures, we report an experimental validation of the cost model using an IEEE 1394 DMA bus mastering environment, which provides full access to the measurement target's main memory and involves multiple bus bridges and concomitant synchronization mechanisms. We observed up to 25% performance degradation, highlighting the need for efficient sampling strategies for both, memory size and a preference for quiescent data structures for monitoring executed by off-host devices.
doi_str_mv 10.1109/ISSA.2010.5588311
format Conference Proceeding
fulltext fulltext_linktorsrc
identifier ISSN: 2330-9881
ispartof 2010 Information Security for South Africa, 2010, p.1-8
issn 2330-9881
language eng
recordid cdi_ieee_primary_5588311
source IEEE Electronic Library (IEL) Conference Proceedings
subjects asynchronous memory access
Computers
coprocessor
Data structures
DMA
Firewire
Generators
Host intrusion detection
IEEE 1394 Standard
IEEE1394
NUMA
Runtime
Synchronization
title The cost of observation for intrusion detection: Performance impact of concurrent host observation
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-24T14%3A15%3A26IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_6IE&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=The%20cost%20of%20observation%20for%20intrusion%20detection:%20Performance%20impact%20of%20concurrent%20host%20observation&rft.btitle=2010%20Information%20Security%20for%20South%20Africa&rft.au=Seeger,%20Mark%20M&rft.date=2010-08&rft.spage=1&rft.epage=8&rft.pages=1-8&rft.issn=2330-9881&rft.isbn=142445493X&rft.isbn_list=9781424454938&rft_id=info:doi/10.1109/ISSA.2010.5588311&rft_dat=%3Cieee_6IE%3E5588311%3C/ieee_6IE%3E%3Curl%3E%3C/url%3E&rft.eisbn=9781424454952&rft.eisbn_list=1424454948&rft.eisbn_list=9781424454945&rft.eisbn_list=1424454956&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=5588311&rfr_iscdi=true