On Leveraging Stochastic Models for Remote Attestation

  • Tamleek Ali
  • Mohammad Nauman
  • Xinwen Zhang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6802)

Abstract

Remote attestation is an essential feature of Trusted Computing that allows a challenger to verify the trustworthiness of a target platform. Existing approaches towards remote attestation are largely static or too restrictive. In this paper, we present a new paradigm in remote attestation that leverages recent advancements in intrusion detection systems. This new approach allows the modeling of an application’s behavior through stochastic models of machine learning. We present the idea of using sequences of system calls as a metric for our stochastic models to predict the trustworthiness of a target application. This new remote attestation technique enables detection of unknown and zero-day malware as opposed to the known-good and known-bad classification currently being used. We provide the details of challenges faced in the implementation of this new paradigm and present empirical evidence supporting the effectiveness of our approach.

Keywords

Stochastic Model Intrusion Detection System Call Intrusion Detection System Target Application 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Sailer, R., Zhang, X., Jaeger, T., van Doorn, L.: Design and Implementation of a TCG-based Integrity Measurement Architecture. In: SSYM 2004: Proceedings of the 13th Conference on USENIX Security Symposium (2004)Google Scholar
  2. 2.
    Shacham, H.: The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86). In: Proceedings of the 14th ACM conference on Computer and Communications Security (CCS 2008), pp. 552–561. ACM, New York (2007)Google Scholar
  3. 3.
    Gu, L., Ding, X., Deng, R., Xie, B., Mei, H.: Remote Attestation on Program Execution. In: STC 2008: Proceedings of the 2008 ACM Workshop on Scalable Trusted Computing. ACM, New York (2008)Google Scholar
  4. 4.
    Loscocco, P.A., Wilson, P.W., Pendergrass, J.A., McDonell, C.D.: Linux Kernel Integrity Measurement Using Contextual Inspection. In: STC 2007: Proceedings of the 2007 ACM Workshop on Scalable Trusted Computing, pp. 21–29. ACM, New York (2007)CrossRefGoogle Scholar
  5. 5.
    Davi, L., Sadeghi, A., Winandy, M.: Dynamic integrity measurement and attestation: towards defense against return-oriented programming attacks. In: Proceedings of the 2009 ACM Workshop on Scalable Trusted Computing, pp. 49–54. ACM, New York (2009)CrossRefGoogle Scholar
  6. 6.
    Alam, M., Zhang, X., Nauman, M., Ali, T., Seifert, J.P.: Model-based Behavioral Attestation. In: SACMAT 2008: Proceedings of the Thirteenth ACM Symposium on Access Control Models and Technologies. ACM Press, New York (2008)Google Scholar
  7. 7.
    Nauman, M., Khan, S., Zhang, X.: Beyond Kernel-level Integrity Measurement: Enabling Remote Attestation for the Android Platform. In: Acquisti, A., Smith, S.W., Sadeghi, A.-R. (eds.) TRUST 2010. LNCS, vol. 6101, pp. 1–15. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  8. 8.
    Forrest, S., Hofmeyr, S., Somayaji, A., Longstaff, T.: A sense of self for unix processes. In: Proceedings of IEEE Symposium on Security and Privacy, 1996, pp. 120–128 (1996)Google Scholar
  9. 9.
    Mehdi, B., Ahmed, F., Khayyam, S., Farooq, M.: Towards a Theory of Generalizing System Call Representation For In-Execution Malware Detection. In: ICC 2010: Proceedings of the IEEE International Conference on Communications (2010)Google Scholar
  10. 10.
    Mutz, D., Robertson, W., Vigna, G., Kemmerer, R.: Exploiting execution context for the detection of anomalous system calls. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 1–20. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  11. 11.
    University of New Mexico: Computer Immune Systems – Datasets, http://www.cs.unm.edu/~immsec/systemcalls.htm (accessed May, 2010)
  12. 12.
    Pearson, S.: Trusted Computing Platforms: TCPA Technology in Context. Prentice Hall PTR, Upper Saddle River (2002)Google Scholar
  13. 13.
    Jaeger, T., Sailer, R., Shankar, U.: PRIMA: Policy-Reduced Integrity Measurement Architecture. In: SACMAT 2006: Proceedings of the Eleventh ACM Symposium on Access Control Models and Technologies, pp. 19–28. ACM Press, New York (2006)CrossRefGoogle Scholar
  14. 14.
    Nauman, M., Alam, M., Ali, T., Zhang, X.: Remote Attestation of Attribute Updates and Information Flows in a UCON System. In: Chen, L., Mitchell, C.J., Martin, A. (eds.) Trust 2009. LNCS, vol. 5471, pp. 63–80. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  15. 15.
    Gu, L., Cheng, Y., Ding, X., Deng, R., Guo, Y., Shao, W.: Remote Attestation on Function Execution. In: Trust 2009: Proceedings of the 2009 International Conference on Trusted Systems (2009)Google Scholar
  16. 16.
    Axelsson, S.: Intrusion detection systems: A survey and taxonomy. Technical report, Department of Computer Engineering, Chalmers University (2000)Google Scholar
  17. 17.
    Krügel, C., Tóth, T.: Using decision trees to improve signature-based intrusion detection. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 173–191. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  18. 18.
    Hofmeyr, S., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. Journal of Computer Security 6(3), 151–180 (1998)CrossRefGoogle Scholar
  19. 19.
    Hofmeyr, S., Forrest, S.: Architecture for an artificial immune system. Evolutionary Computation 8(4), 443–473 (2000)CrossRefGoogle Scholar
  20. 20.
    Wilson, W., Feyereisl, J., Aickelin, U.: Detecting Motifs in System Call Sequences. In: Kim, S., Yung, M., Lee, H.-W. (eds.) WISA 2007. LNCS, vol. 4867, pp. 157–172. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  21. 21.
    TCG: TCG Specification Architecture Overview v1.2, pp 11–12. Technical report, Trusted Computing Group (April 2004)Google Scholar
  22. 22.
    Wright, C., Cowan, C., Morris, J., Smalley, S., Kroah-Hartman, G.: Linux security module framework. In: Ottawa Linux Symposium. Citeseer (2002)Google Scholar
  23. 23.
    Heavens, V.X.: Information and hosting for computer viruses, http://vx.netlux.org/ (accessed June 02, 2010)
  24. 24.
    Bayes, T.: Learning Bayesian networks: The combination of knowledge and statistical data. Philosophical Transactions of Royal Society of London 53, 370–418 (1763)Google Scholar
  25. 25.
    Heckerman, D., Geiger, D., Chickering, D.: Learning Bayesian networks: The combination of knowledge and statistical data. Machine Learning 20(3), 197–243 (1995)MATHGoogle Scholar
  26. 26.
    Quinlan, J.: C4.5: programs for machine learning. Morgan Kaufmann, San Francisco (1993)Google Scholar
  27. 27.
    Witten, I., Frank, E.: Data Mining: Practical machine learning tools and techniques. Morgan Kaufmann Pub., San Francisco (2005)MATHGoogle Scholar
  28. 28.
    Hall, M., Frank, E., Holmes, G., Pfahringer, B., Reutemann, P., Witten, I.: The WEKA data mining software: An update. ACM SIGKDD Explorations Newsletter 11(1), 10–18 (2009)CrossRefGoogle Scholar
  29. 29.
    Lippmann, R., Fried, D., Graf, I., Haines, J., Kendall, K., McClung, D., Weber, D., Webster, S., Wyschogrod, D., Cunningham, R., et al.: Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation. In: Proceedings of DARPA Information Survivability Conference and Exposition, DISCEX 2000, vol. 2 (2000)Google Scholar
  30. 30.
    Ali, M., Khan, H., Sajjad, A., Khayam, S.: On achieving good operating points on an ROC plane using stochastic anomaly score prediction. In: Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS 2009), pp. 314–323. ACM, New York (2009)Google Scholar
  31. 31.
    McCune, J., Parno, B., Perrig, A., Reiter, M., Isozaki, H.: Flicker: An execution infrastructure for TCB minimization. In: Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008, pp. 315–328. ACM, New York (2008)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Tamleek Ali
    • 1
  • Mohammad Nauman
    • 2
  • Xinwen Zhang
    • 3
  1. 1.Institute of Management SciencesPeshawarPakistan
  2. 2.Computer Science Research and Development Unit (CSRDU)Pakistan
  3. 3.Huawei Research CenterUSA

Personalised recommendations