A case study: Using architectural features to improve sophisticated denial-of-service attack detections
Document Type
Conference Proceeding
Publication Date
7-20-2009
Abstract
Application features such as port numbers are used by Network-based Intrusion Detection Systems (NIDSs) to detect attacks arriving from the network. System calls and related operating system information are used by Host-based Intrusion Detection Systems (HIDSs) to detect intrusions against a host. However, the relationship between hardware architecture events and Denial-of-Service (DoS) attacks has not been well studied. As increasingly sophisticated intrusions emerge, some attacks are able to bypass both the application-level and the operating-system-level feature monitors. Therefore, a more effective solution is required to enhance existing HIDSs. In this paper, we identify the following hardware architecture features: Instruction Count, Cache Miss and Bus Traffic, and integrate them into a novel HIDS framework based on a modern statistical Gradient Boosting Trees model. Through the integration of application, operating system and architecture level features, our proposed HIDS demonstrates a significant improvement in detection rate for sophisticated DoS intrusions. © 2009 IEEE.
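As an added illustration of the approach the abstract describes (not the authors' code or data), the block below trains a minimal gradient-boosted-stump classifier on constructed per-interval feature vectors that combine an application-level measurement (connection rate), an OS-level one (system call count) and the three architecture-level counters named in the abstract (instruction count, cache misses, bus traffic), and compares it with a monitor that sees only the application/OS features. Every feature name, sample value and threshold is constructed; the stump-based boosting stands in for the paper's Gradient Boosting Trees model, whose exact configuration the page does not give.

```python
import math

# Feature order for every sample vector. The first two are application/OS
# level; the last three are the architecture counters named in the abstract.
FEATURES = ["conn_rate", "syscalls", "instr_count", "cache_miss", "bus_traffic"]
ARCH = {"instr_count", "cache_miss", "bus_traffic"}

# Constructed per-interval observations (label 1 = DoS, 0 = benign). "Stealthy" rows keep
# conn_rate and syscalls in the benign range and differ only in the hardware counters.
TRAIN = [
    # conn_rate, syscalls, instr_count, cache_miss, bus_traffic, label
    (12, 110, 1.05e6, 1100, 210, 0),
    (15, 125, 1.10e6, 1200, 230, 0),
    (18, 140, 1.20e6, 1350, 260, 0),
    (10, 105, 1.00e6, 1050, 200, 0),
    (20, 150, 1.30e6, 1500, 290, 0),
    (13, 118, 3.40e6, 5600, 860, 1),   # stealthy
    (17, 135, 3.80e6, 6200, 930, 1),   # stealthy
    (12, 112, 3.10e6, 5100, 810, 1),   # stealthy
    (250, 900, 2.90e6, 4800, 790, 1),  # flood, visible at every layer
    (310, 1100, 3.20e6, 5300, 830, 1), # flood
]
HELD_OUT = [
    (13, 119, 1.09e6, 1180, 225, 0),
    (16, 132, 1.22e6, 1380, 265, 0),
    (15, 126, 3.50e6, 5800, 880, 1),   # stealthy
    (18, 138, 3.70e6, 6100, 920, 1),   # stealthy
]

def app_os_monitor(x, max_conn_rate=50, max_syscalls=300):
    """Conventional application/OS-level monitor: flags only rate or syscall spikes."""
    return 1 if x[0] > max_conn_rate or x[1] > max_syscalls else 0

def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def _fit_stump(X, r):
    """Least-squares regression stump on pseudo-residuals r -> (feature index, threshold)."""
    best = None
    for j in range(len(X[0])):
        vals = sorted({row[j] for row in X})
        for a, b in zip(vals, vals[1:]):          # candidate thresholds: midpoints
            t = (a + b) / 2.0
            left = [r[i] for i, row in enumerate(X) if row[j] <= t]
            right = [r[i] for i, row in enumerate(X) if row[j] > t]
            ml, mr = sum(left) / len(left), sum(right) / len(right)
            sse = sum((v - ml) ** 2 for v in left) + sum((v - mr) ** 2 for v in right)
            if best is None or sse < best[0]:
                best = (sse, j, t)
    return best[1], best[2]

def train_gbt(samples, rounds=20, lr=0.3):
    """Gradient boosting for log loss: each round fits a stump to the negative gradient
    and sets its two leaf values with a Newton step (sum r / sum p(1-p))."""
    X, y = [s[:-1] for s in samples], [s[-1] for s in samples]
    n = len(X)
    f0 = math.log(sum(y) / n / (1.0 - sum(y) / n))   # initial log-odds
    F = [f0] * n
    stumps = []
    for _ in range(rounds):
        p = [_sigmoid(v) for v in F]
        r = [y[i] - p[i] for i in range(n)]           # negative gradient of log loss
        h = [p[i] * (1.0 - p[i]) for i in range(n)]   # second derivative
        j, t = _fit_stump(X, r)
        left = [i for i in range(n) if X[i][j] <= t]
        right = [i for i in range(n) if X[i][j] > t]
        gl = lr * sum(r[i] for i in left) / max(sum(h[i] for i in left), 1e-12)
        gr = lr * sum(r[i] for i in right) / max(sum(h[i] for i in right), 1e-12)
        stumps.append((j, t, gl, gr))
        for i in left: F[i] += gl
        for i in right: F[i] += gr
    return f0, stumps

def gbt_predict(model, x):
    """Return 1 (DoS) if the boosted log-odds for feature vector x give P(DoS) >= 0.5."""
    f0, stumps = model
    z = f0 + sum(gl if x[j] <= t else gr for j, t, gl, gr in stumps)
    return 1 if _sigmoid(z) >= 0.5 else 0

def used_features(model):
    """Names of the features the boosted stumps actually split on."""
    return {FEATURES[j] for j, _, _, _ in model[1]}

def evaluate(model, samples):
    """Detection rate of both detectors over DoS rows, plus GBT false positives on benign rows."""
    dos = [s[:-1] for s in samples if s[-1] == 1]
    benign = [s[:-1] for s in samples if s[-1] == 0]
    return {
        "monitor_detection": sum(app_os_monitor(x) for x in dos) / len(dos),
        "gbt_detection": sum(gbt_predict(model, x) for x in dos) / len(dos),
        "gbt_false_positives": sum(gbt_predict(model, x) for x in benign),
    }

if __name__ == "__main__":
    model = train_gbt(TRAIN)
    print("splits on:", sorted(used_features(model)))
    print("train:", evaluate(model, TRAIN), "held-out:", evaluate(model, HELD_OUT))
```

On these constructed rows the application/OS threshold monitor catches only the two flood intervals and misses every stealthy one, while the boosted model detects all DoS rows with no false positives on the benign ones. `used_features` reports which columns the ensemble actually split on; checking that the added hardware counters are the ones carrying the decision, rather than a coincidental correlation in the other features, is the verification a practitioner would want before relying on them.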
Publication Source (Journal or Book title)
2009 IEEE Symposium on Computational Intelligence in Cyber Security, CICS 2009 - Proceedings
Recommended Citation
Tao, R., Yang, L., Peng, L., Li, B., & Cemerlic, A. (2009). A case study: Using architectural features to improve sophisticated denial-of-service attack detections. 2009 IEEE Symposium on Computational Intelligence in Cyber Security, CICS 2009 - Proceedings. https://doi.org/10.1109/CICYBS.2009.4925084