• DocumentCode
    3390585
  • Title
    A case study: Using architectural features to improve sophisticated denial-of-service attack detections
  • Author
    Tao, Ran ; Yang, Li ; Peng, Lu ; Li, Bin ; Cemerlic, Alma
  • Author_Institution
    Dept. of Electr. & Comput. Eng., Louisiana State Univ., Baton Rouge, LA
  • fYear
    2009
  • fDate
    March 30 2009-April 2 2009
  • Firstpage
    13
  • Lastpage
    18
  • Abstract
    Application features such as port numbers are used by network-based intrusion detection systems (NIDSs) to detect attacks coming from networks. System calls and the operating system related information are used by host-based intrusion detection systems (HIDSs) to detect intrusions towards a host. However, the relationship between hardware architecture events and denial-of-service (DoS) attacks has not been well revealed. When increasingly sophisticated intrusions emerge, some attacks are able to bypass both the application and the operating system level feature monitors. Therefore, a more effective solution is required to enhance existing HIDSs. In this paper, we identify the following hardware architecture features: instruction count, cache miss, and bus traffic, and integrate them into a novel HIDS framework based on a modern statistical gradient boosting trees model. Through the integration of application, operating system and architecture level features, our proposed HIDS demonstrates a significant improvement of the detection rate in terms of sophisticated DoS intrusions.
  • Keywords
    security of data; statistical analysis; trees (mathematics); architecture level features; hardware architecture; network-based intrusion detection systems; operating system; sophisticated denial-of-service attack detections; statistical gradient boosting trees model; Application software; Boosting; Computer crime; Hardware; Intrusion detection; Operating systems; Radio access networks; TCPIP; Telecommunication traffic; Traffic control;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Computational Intelligence in Cyber Security, 2009. CICS '09. IEEE Symposium on
  • Conference_Location
    Nashville, TN
  • Print_ISBN
    978-1-4244-2769-7
  • Type
    conf
  • DOI
    10.1109/CICYBS.2009.4925084
  • Filename
    4925084