DOI: 10.1145/3011883.3011888
Research article (public access)

Cross-layer personalization as a first-class citizen for situation awareness and computer infrastructure security

Published: 26 September 2016 Publication History

Abstract

We propose a new security paradigm that makes cross-layer personalization a premier component in the design of security solutions for computer infrastructure and situational awareness. The paradigm rests on the observation that every computer system has a personalized usage profile that depends on its user and the user's activities, and that this profile spans the various layers of abstraction that make up the system, as if the user had embedded their own DNA into it. To realize the paradigm, we discuss the design of a comprehensive, cross-layer profiling approach that can be adopted to boost the effectiveness of various security solutions, e.g., malware detection, insider attack prevention and continuous authentication. The current state of the art in computer infrastructure defense focuses on a single layer of operation, with deployments coming in a "one size fits all" format that ignores the unique way people use their computers. The key novelty of our proposal is cross-layer personalization: we derive distinguishable behaviors from the intelligence of three layers of abstraction. First, we combine intelligence from (a) the user layer (e.g., mouse click patterns), (b) the operating system layer and (c) the network layer. Second, we develop cross-layer personalized profiles of system usage. We limit our scope to companies and organizations, where computers are used in a more routine, one-on-one style, before expanding our research to personally owned computers. Our preliminary results show that access times in user web logs alone are already sufficient to distinguish users from each other, with users of the same demographics showing similarities in their profiles. Our goal is to challenge today's paradigm for anomaly detection, which seems to follow a monoculture and treat each layer in isolation. We also discuss the deployment, performance overhead and privacy issues raised by our paradigm.
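The preliminary result reported above, that access times in web logs alone separate users, is the kind of single-layer profile the paradigm builds on. The Python below is an added illustration written for this page, not the authors' code or their experimental pipeline: it enrols a smoothed hour-of-day distribution per user from constructed web-log lines, then scores an unlabelled session against every enrolled profile with Jensen-Shannon divergence, which gives both the continuous-authentication view (which enrolled user is closest) and the anomaly-detection view (does the session fit the claimed user). The log line format, the users `alice` and `bob`, the smoothing constant and the 0.1 threshold are all assumptions made for the example.

```python
# Added illustration (not code from the paper): per-user access-time
# profiles built from web-log timestamps and compared with Jensen-Shannon
# divergence. Log format, user names, smoothing and threshold are assumed.
from collections import Counter, defaultdict
from datetime import datetime
import math
import re

# Assumed log line shape: '<user> [dd/Mon/yyyy:HH:MM:SS] "<request>"'.
LOG_RE = re.compile(r'^(?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S"
BINS = 24  # one bin per hour of day


def parse_line(line):
    """Return (user, hour_of_day) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    hour = datetime.strptime(m.group("ts"), TS_FMT).hour
    return m.group("user"), hour


def to_distribution(counter, alpha=0.5):
    """Hour-of-day histogram -> probability vector with additive smoothing,
    so an hour never seen during enrolment still has non-zero probability."""
    total = sum(counter.values()) + alpha * BINS
    return [(counter.get(h, 0) + alpha) / total for h in range(BINS)]


def build_profiles(lines):
    """Enrolment: one smoothed hour-of-day distribution per user."""
    counts = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            user, hour = parsed
            counts[user][hour] += 1
    return {user: to_distribution(c) for user, c in counts.items()}


def js_divergence(p, q):
    """Jensen-Shannon divergence in bits: symmetric and bounded in [0, 1]."""
    m = [(a + b) / 2 for a, b in zip(p, q)]

    def kl(x, y):
        return sum(a * math.log2(a / b) for a, b in zip(x, y) if a > 0)

    return 0.5 * kl(p, m) + 0.5 * kl(q, m)


def session_distribution(session_lines):
    """Smoothed hour-of-day distribution of one (possibly unlabelled) session."""
    hours = Counter()
    for line in session_lines:
        parsed = parse_line(line)
        if parsed is not None:
            hours[parsed[1]] += 1
    return to_distribution(hours)


def score_session(session_lines, profiles):
    """Divergence of a session from every enrolled profile (lower = closer)."""
    obs = session_distribution(session_lines)
    return {user: js_divergence(obs, prof) for user, prof in profiles.items()}


def identify(session_lines, profiles):
    """Continuous-authentication view: the closest enrolled user."""
    scores = score_session(session_lines, profiles)
    return min(scores, key=scores.get)


def is_anomalous(session_lines, claimed_user, profiles, threshold=0.1):
    """Anomaly-detection view: does the session fit the claimed user's profile?
    The threshold is an assumed value chosen for this constructed data."""
    return score_session(session_lines, profiles)[claimed_user] > threshold


def make_lines(user, hours, day=1):
    """Constructed sample log lines; the hour list controls the time profile."""
    return [f'{user} [{day:02d}/Mar/2016:{h:02d}:{i * 7 % 60:02d}:00] "GET /app/{i} HTTP/1.1"'
            for i, h in enumerate(hours)]


# Constructed enrolment data: alice works mornings, bob works late evenings.
TRAINING = make_lines("alice", [8, 9, 10, 11] * 3) + make_lines("bob", [20, 21, 22, 23] * 3)
PROFILES = build_profiles(TRAINING)
# Unlabelled session ("-" as the user field) whose timing looks like alice's.
SESSION = make_lines("-", [9, 10, 9, 11], day=2)

if __name__ == "__main__":
    print(score_session(SESSION, PROFILES))
    print("closest:", identify(SESSION, PROFILES))
```

Running the block prints each user's divergence from the session and the closest match. The same histogram-plus-divergence machinery applies unchanged to the other per-layer signals the abstract lists (mouse click timing, operating-system activity, network flow timing); a cross-layer profile is then a concatenation of such vectors. Two caveats a deployment would have to address: a fixed cut-off on a 24-bin histogram from a handful of requests is statistically weak, so the threshold must be tuned on held-out sessions per organization, and a time-of-day profile on its own does nothing against an insider who simply works the victim's hours, which is exactly the gap the additional layers are meant to close.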

    Published In

    NSPW '16: Proceedings of the 2016 New Security Paradigms Workshop
    September 2016
    113 pages
    ISBN:9781450348133
    DOI:10.1145/3011883
    © 2016 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the United States Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

    Sponsors

    • ACSA: Applied Computing Security Assoc
    • The National Science Foundation
    • DELL
    • CISCO

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. cross-layer personalization
    2. intrusion detection system

    Conference

    NSPW '16: New Security Paradigms Workshop 2016
    September 26 - 29, 2016
    Granby, Colorado, USA

    Acceptance Rates

    Overall Acceptance Rate 98 of 265 submissions, 37%

    Article Metrics

    • Total citations: 0
    • Total downloads: 474
    • Downloads (last 12 months): 89
    • Downloads (last 6 weeks): 11
    Reflects downloads up to 16 Jan 2025
