Abstract

Growing complexity in modern software is making signature-based intrusion detection an increasing challenge. Many recent intrusion detection systems rely on accurate recovery of application semantics from memory. In this paper, we approach the problem from a different angle. We observe that the user applications in a corporate network often run in identical system environments because of standardized IT deployment procedures. The same applications share similar runtime statistics across different workstations over time, despite being used differently by their end users. When an application is compromised on one workstation, its runtime profile differs from the rest, much as a black penguin would look distinctly different from the rest of the colony. In this work, we present our preliminary study on Black Penguin, a compare-view based intrusion detection system that leverages the homogeneity of application-level memory statistics in a corporate environment. The detection system follows a three-step process: memory analysis, unsupervised learning and risk mitigation. To explore the feasibility of Black Penguin, we conduct two types of experiments using Internet Explorer and Firefox as target applications. First, we examine the statistical differences of the same application under different user usage. To this end, we collect and analyze memory statistics of the browser when visiting the top 500 websites ranked by Moz. Second, we examine the difference when the application is under attack. Several browser attacks are used to generate the intrusion samples. Our preliminary evaluation demonstrates the feasibility of the approach. Lastly, we also discuss the limitations of the proposed system as well as future directions.
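To make the compare-view idea concrete, the following is an added example (it is not code from the Black Penguin paper, whose features, learning method and thresholds are not given in the abstract). It mirrors the three steps, memory analysis, unsupervised learning and risk mitigation, on a constructed sample: the same browser process observed on eight workstations, each described by four hypothetical snapshot statistics that a memory-analysis step might emit. The "unsupervised learning" step is a stand-in, a robust z-score (median and median absolute deviation) computed per feature across the population, which flags the one workstation whose profile departs from the others; the mitigation step maps the verdict to an assumed triage action.

```python
"""Added example, not from the Black Penguin paper: a toy compare-view
outlier detector over per-workstation memory statistics of one application.

Feature names, sample values, the robust z-score method and the triage
actions are all assumptions made for illustration.
"""
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample: one browser process on eight workstations.
# Feature values are hypothetical snapshot statistics (heap size in MB,
# number of mapped regions, pages mapped RWX, thread count).
# ws06 is constructed to deviate in rwx_pages and threads only.
SAMPLE: Dict[str, Dict[str, float]] = {
    "ws01": {"heap_mb": 310, "mapped_regions": 1420, "rwx_pages": 0, "threads": 42},
    "ws02": {"heap_mb": 305, "mapped_regions": 1402, "rwx_pages": 0, "threads": 40},
    "ws03": {"heap_mb": 318, "mapped_regions": 1433, "rwx_pages": 0, "threads": 45},
    "ws04": {"heap_mb": 298, "mapped_regions": 1390, "rwx_pages": 0, "threads": 39},
    "ws05": {"heap_mb": 322, "mapped_regions": 1441, "rwx_pages": 0, "threads": 44},
    "ws06": {"heap_mb": 332, "mapped_regions": 1455, "rwx_pages": 37, "threads": 61},
    "ws07": {"heap_mb": 301, "mapped_regions": 1410, "rwx_pages": 0, "threads": 41},
    "ws08": {"heap_mb": 315, "mapped_regions": 1428, "rwx_pages": 0, "threads": 43},
}

MAD_SCALE = 1.4826  # scales MAD so it is comparable to a standard deviation


def robust_z(values: List[float], x: float) -> float:
    """Step 2 (stand-in): robust z-score of x against the population values.

    Uses median / MAD rather than mean / std so that a single compromised
    host does not drag the population baseline toward itself.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # Degenerate case: the population agrees exactly on this feature,
        # so any deviation at all is treated as maximally anomalous.
        return 0.0 if x == med else float("inf")
    return (x - med) / (MAD_SCALE * mad)


def score_hosts(stats: Dict[str, Dict[str, float]],
                threshold: float = 3.5) -> Dict[str, Tuple[float, List[str]]]:
    """Score every host against the rest of the population.

    Returns host -> (largest |z| over all features, features above threshold).
    """
    features = sorted(next(iter(stats.values())).keys())
    result: Dict[str, Tuple[float, List[str]]] = {}
    for host, row in stats.items():
        max_z = 0.0
        flagged: List[str] = []
        for f in features:
            column = [r[f] for r in stats.values()]
            z = abs(robust_z(column, row[f]))
            if z > threshold:
                flagged.append(f)
            max_z = max(max_z, z)
        result[host] = (max_z, flagged)
    return result


def outliers(stats: Dict[str, Dict[str, float]], threshold: float = 3.5) -> List[str]:
    """Hosts whose profile departs from the population on at least one feature."""
    return sorted(h for h, (_, flagged) in score_hosts(stats, threshold).items() if flagged)


def mitigation_plan(stats: Dict[str, Dict[str, float]]) -> Dict[str, str]:
    """Step 3 (assumed policy): map each host's verdict to a triage action."""
    scores = score_hosts(stats)
    plan = {}
    for host, (_, flagged) in scores.items():
        if "rwx_pages" in flagged:
            plan[host] = "isolate-and-collect-memory"   # hypothetical action
        elif flagged:
            plan[host] = "investigate"                  # hypothetical action
        else:
            plan[host] = "none"
    return plan


if __name__ == "__main__":
    for host, (z, flagged) in score_hosts(SAMPLE).items():
        print(f"{host}: max|z|={z:.2f} flagged={flagged}")
    print("outliers:", outliers(SAMPLE))
    print("plan:", mitigation_plan(SAMPLE))
```

Because each feature is scored against the other workstations rather than against a fixed signature, the detector needs no prior knowledge of the attack; it only needs enough homogeneous peers for the median and MAD to describe normal behaviour, which is the assumption the paper's corporate-deployment setting is meant to satisfy.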
