APHID: Anomaly Processor in Hardware for Intrusion Detection

Author

Samuel A. Hart

Date of Award

3-8-2007

Document Type

Thesis

Degree Name

Master of Science in Computer Engineering

Department

Department of Electrical and Computer Engineering

First Advisor

Paul D. Williams, PhD

Abstract

The Anomaly Processor in Hardware for Intrusion Detection (APHID) is a step forward in the field of co-processing intrusion detection mechanism. By using small, fast hardware primitives APHID relieves the production CPU from the burden of security processing. These primitives are tightly coupled to the CPU giving them access to critical state information such as the current instruction(s) in execution, the next instruction, registers, and processor state information. By monitoring these hardware elements, APHID is able to determine when an anomalous action occurs within one clock cycle. Upon detection, APHID can force the processor into a corrective state, or a halted state, depending on the required response. APHID primitives also harden the production system against attacks such as Distribute Denial of Service attack and buffer overflow attacks. APHID is designed to be fast and agile, with the ability to create multiple monitors that switch in and out of monitoring with the context switches of the production processor to highly focused coverage over multiple devices and sections of code.

AFIT Designator

AFIT-GCE-ENG-07-04

DTIC Accession Number

ADA469491

Recommended Citation

Hart, Samuel A., "APHID: Anomaly Processor in Hardware for Intrusion Detection" (2007). Theses and Dissertations. 3100.
https://scholar.afit.edu/etd/3100