HPCgnature: A hardware-based application-level intrusion detection system


Abstract

In the past decade, commodity software applications have been deployed more than ever in almost every domain. The ability to differentiate the original trusted application at run-time from its compromised, mimic or trojanised versions would mitigate a broad range of intrusion threats to these applications. Application-level intrusion detection systems address this; however, such schemes mostly depend on the system software for either monitoring or modelling the application, while the system software can itself be compromised by kernel-level rootkit attacks. In this study, the authors propose a new hardware-based app-IDS, which works independently of the system software of the target system. The proposed method, referred to as HPCgnature, includes a new abstraction corresponding to the repetitious functionalities of programs. Such functionalities generate a distinguishing sequence of periods, referred to in this study as the Operational Periodicity. The method uses a monitoring scheme based on external access to the hardware performance counters of CPUs. By implementing a prototype, they show how HPCgnature can detect intrusions in 12 complex interactive desktop applications. Evaluation results indicate that this model could differentiate applications with 98% accuracy, and can detect even small run-time code injection attacks with an accuracy of >75%.

Musavi, S. A., & Hashemi, M. R. (2019). HPCgnature: A hardware-based application-level intrusion detection system. IET Information Security, 13(1), 19–26. https://doi.org/10.1049/iet-ifs.2017.0629
