A case study: Using architectural features to improve sophisticated denial-of-service attack detections


Bibliographic Details
Published in: 2009 IEEE Symposium on Computational Intelligence in Cyber Security, pp. 13-18
Main Authors: Ran Tao, Li Yang, Lu Peng, Bin Li, A. Cemerlic
Format: Conference Proceeding
Language: English
Published: IEEE, 01.03.2009

Summary: Application features such as port numbers are used by network-based intrusion detection systems (NIDSs) to detect attacks coming from networks. System calls and operating-system-related information are used by host-based intrusion detection systems (HIDSs) to detect intrusions against a host. However, the relationship between hardware architecture events and denial-of-service (DoS) attacks has not been well studied. As increasingly sophisticated intrusions emerge, some attacks are able to bypass both the application-level and the operating-system-level feature monitors. Therefore, a more effective solution is required to enhance existing HIDSs. In this paper, we identify the following hardware architecture features: instruction count, cache misses and bus traffic, and integrate them into a novel HIDS framework based on a modern statistical gradient boosting trees model. Through the integration of application, operating system and architecture level features, our proposed HIDS demonstrates a significant improvement in the detection rate for sophisticated DoS intrusions.
ISBN: 9781424427697, 142442769X
DOI: 10.1109/CICYBS.2009.4925084