The cost of observation for intrusion detection: Performance impact of concurrent host observation

Mark M. Seeger, S. Wolthusen, C. Busch, Harald Baier
DOI: 10.1109/ISSA.2010.5588311 (https://doi.org/10.1109/ISSA.2010.5588311)
Published in: 2010 Information Security for South Africa
Publication date: 2010-09-30
Citations: 3

Abstract

Intrusion detection relies on the ability to obtain reliable and trustworthy measurements, while adversaries will inevitably target such monitoring and security systems to prevent their detection. This has led to a number of proposals for using coprocessors as protected monitoring instances. However, such coprocessors suffer from two problems, namely the ability to perform measurements without relying on the host system and the speed at which such measurements can be performed. The availability of smart, high-performance subsystems in commodity computer systems such as graphics processing units (GPU) strongly motivates an investigation into novel ways of achieving the twin objectives of self-protected observation and monitoring systems and sufficient measurement frequency. This, however, gives rise to performance penalties imposed by memory synchronization particularly in non-uniform memory architectures (NUMA) even for the case of direct memory access (DMA) transfers. Based on prior work detailing a cost model for synchronization of memory access in such advanced architectures, we report an experimental validation of the cost model using an IEEE 1394 DMA bus mastering environment, which provides full access to the measurement target's main memory and involves multiple bus bridges and concomitant synchronization mechanisms. We observed up to 25% performance degradation, highlighting the need for efficient sampling strategies for both, memory size and a preference for quiescent data structures for monitoring executed by off-host devices.