TY - GEN
T1 - Cross-layer personalization as a first-class citizen for situation awareness and computer infrastructure security
AU - Chen, Aokun
AU - Brahma, Pratik
AU - Wu, Dapeng Oliver
AU - Ebner, Natalie
AU - Matthews, Brandon
AU - Crandall, Jedidiah
AU - Wei, Xuetao
AU - Faloutsos, Michalis
AU - Oliveira, Daniela
N1 - Funding Information:
We would like to thank our shepherd Mohammad Mannan and Paul Van Oorschot for guidance in writing the pre-proceeding and post-proceeding version of the paper, and the NSPW 2016 anonymous reviewers for their valuable feedback. This research has been supported by DARPA Trusted Computing Project, grant No. FA8650-15-C-7565, and MIT Lincoln Laboratory through Air Force Contract No. A8721-05-C-0002 and/or FA8702-15-D-0001.
Publisher Copyright:
© 2016 ACM.
PY - 2016/9/26
Y1 - 2016/9/26
N2 - We propose a new security paradigm that makes cross-layer personalization a premier component in the design of security solutions for computer infrastructure and situational awareness. This paradigm is based on the observation that computer systems have a personalized usage profile that depends on the user and his activities. Further, it spans the various layers of abstraction that make up a computer system, as if the user embedded his own DNA into the computer system. To realize such a paradigm, we discuss the design of a comprehensive and cross-layer profiling approach, which can be adopted to boost the effectiveness of various security solutions, e.g., malware detection, insider attacker prevention and continuous authentication. The current state-of-the-art in computer infrastructure defense solutions focuses on one layer of operation with deployments coming in a "one size fits all" format, without taking into account the unique way people use their computers. The key novelty of our proposal is the cross-layer personalization, where we derive the distinguishable behaviors from the intelligence of three layers of abstraction. First, we combine intelligence from: a) the user layer (e.g., mouse click patterns); b) the operating system layer; c) the network layer. Second, we develop cross-layer personalized profiles for system usage. We will limit our scope to companies and organizations, where computers are used in a more routine and one-on-one style, before we expand our research to personally owned computers. Our preliminary results show that just the time accesses in user web logs are already sufficient to distinguish users from each other, with users of the same demographics showing similarities in their profiles. Our goal is to challenge today's paradigm for anomaly detection that seems to follow a monoculture and treat each layer in isolation. We also discuss deployment, performance overhead, and privacy issues raised by our paradigm.
AB - We propose a new security paradigm that makes cross-layer personalization a premier component in the design of security solutions for computer infrastructure and situational awareness. This paradigm is based on the observation that computer systems have a personalized usage profile that depends on the user and his activities. Further, it spans the various layers of abstraction that make up a computer system, as if the user embedded his own DNA into the computer system. To realize such a paradigm, we discuss the design of a comprehensive and cross-layer profiling approach, which can be adopted to boost the effectiveness of various security solutions, e.g., malware detection, insider attacker prevention and continuous authentication. The current state-of-the-art in computer infrastructure defense solutions focuses on one layer of operation with deployments coming in a "one size fits all" format, without taking into account the unique way people use their computers. The key novelty of our proposal is the cross-layer personalization, where we derive the distinguishable behaviors from the intelligence of three layers of abstraction. First, we combine intelligence from: a) the user layer (e.g., mouse click patterns); b) the operating system layer; c) the network layer. Second, we develop cross-layer personalized profiles for system usage. We will limit our scope to companies and organizations, where computers are used in a more routine and one-on-one style, before we expand our research to personally owned computers. Our preliminary results show that just the time accesses in user web logs are already sufficient to distinguish users from each other, with users of the same demographics showing similarities in their profiles. Our goal is to challenge today's paradigm for anomaly detection that seems to follow a monoculture and treat each layer in isolation. We also discuss deployment, performance overhead, and privacy issues raised by our paradigm.
KW - Cross-layer personalization
KW - Intrusion detection system
UR - http://www.scopus.com/inward/record.url?scp=85009154261&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85009154261&partnerID=8YFLogxK
U2 - 10.1145/3011883.3011888
DO - 10.1145/3011883.3011888
M3 - Conference contribution
AN - SCOPUS:85009154261
T3 - ACM International Conference Proceeding Series
SP - 23
EP - 35
BT - NSPW 2016 - Proceedings of the 2016 New Security Paradigms Workshop
PB - Association for Computing Machinery
T2 - 25th New Security Paradigms Workshop, NSPW 2016
Y2 - 26 September 2016 through 29 September 2016
ER -