Abstract

Intrusion detection, which refers to the detection of illegal attempts at accessing and manipulating a computing system, is an essential protection mechanism for any computing platform. Despite its importance, currently deployed intrusion detection systems (IDSs) tend to be conservative, incomplete, or impose too much computational overhead. Moreover, IDSs have limited adaptability and extensibility in the face of ever-increasing attack sophistication.

This thesis describes a novel approach to the problem of intrusion detection and prevention. The approach is built on the realization that a critical requirement for intrusion detection is the ability to observe an appropriate ensemble of features or behaviors, which is often not available or apparent until after the malicious code has executed. The approach proposed in this thesis leverages the “benefit of hindsight” offered by isolation techniques, such as virtualization, in order to execute a program in isolation, irrespective of its code origin, data destination, and control transfers; thus, capturing the program’s complete behavioral model. This is especially attractive when both benign and compromised executions display very similar behavior, which is an inevitable trend as attacks and attackers become more and more sophisticated.

The thesis also introduces an extension of the proposed IDS approach in the context of embedded systems. Embedded systems are becoming increasingly complex and are being deployed on physically insecure networks, which exposes them to the same risks facing general-purpose systems. This calls for new approaches and design methodologies that consider security as a primary objective in the embedded system design process.

In addition to intrusion detection, the thesis explores how to enhance the hardware and software architecture of embedded computing platforms to make them more secure.

The thesis also presents a technique to augment the software stack of an embedded device with a software implementation of the trusted platform module (TPM), and evaluates the imposed energy and run-time overheads. It shows how to accelerate the TPM functionality through a combination of design (choice of cryptographic algorithms), software, and hardware optimizations. Hardware optimizations are already widely used for embedded systems in various forms, including customized hardware, co-processors, and dedicated processors. Along this line of hardware/software co-design, the thesis also proposes architectures to accelerate robust biometric algorithms on embedded devices.

In summary, this thesis introduces new intrusion detection techniques for both general-purpose and embedded computing systems. It also contributes to the area of design of secure embedded systems.