The implementation and evaluation of a recovery system for workflows

Workflow systems are popular in daily business processing. Since vulnerabilities cannot be totally removed from a workflow management system, successful attacks always happen and may inject malicious tasks or incorrect data into the workflow system. Moreover, legitimate tasks that refer to the incorrect data will corrupt further data objects in the system. As a result, the integrity level of the system can be seriously compromised. This problem cannot be efficiently solved by existing defense mechanisms, such as access control, intrusion detection, and checkpoints. In this paper, we propose a practical solution for on-line attack recovery of workflows. The recovery system discovers all damage caused by the malicious tasks and automatically repairs it based on the data and control dependencies between workflow tasks. We describe fundamental theories for a workflow attack recovery system. Based on these theories, we build a prototype system and develop the corresponding recovery algorithms. We evaluate the performance of the recovery system under different attack densities, intrusion detection delays and arrival rates. The experimental results show that our system is practical.
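A simplified illustration of dependency-based damage discovery as the abstract describes it, added here and not the paper's algorithm. The `Task` record, the `chosen_by` field used to model a control dependency, the rule that a clean overwrite refreshes an object, and the sample log are all assumptions constructed for this example.

```python
from collections import namedtuple

# One committed task execution (hypothetical record layout):
#   tid       - task identifier
#   reads     - data objects the task read
#   writes    - data objects the task wrote
#   chosen_by - tid of the branching task whose output selected this task's
#               execution path (control dependency), or None
Task = namedtuple("Task", "tid reads writes chosen_by", defaults=(None,))


def assess_damage(log, malicious):
    """Walk the log in commit order and return (damaged_tids, dirty_objects).

    A task is damaged if it is reported malicious, if it read an object whose
    latest version was written by a damaged task (data dependency), or if the
    branch that scheduled it was decided by a damaged task (control dependency).
    """
    dirty = set()      # objects whose current version is corrupted
    damaged = []       # damaged task ids, in commit order
    for t in log:
        data_dep = bool(dirty & set(t.reads))
        control_dep = t.chosen_by in damaged
        if t.tid in malicious or data_dep or control_dep:
            damaged.append(t.tid)
            dirty |= set(t.writes)
        else:
            # Assumption: a clean task that overwrites an object without
            # having read corrupted data leaves a trustworthy version behind.
            dirty -= set(t.writes)
    return damaged, dirty


# Constructed sample log; t1 is the task flagged by the intrusion detector.
SAMPLE_LOG = [
    Task("t1", [], ["a"]),             # malicious: injects bad value into a
    Task("t2", ["a"], ["b"]),          # reads corrupted a -> b corrupted
    Task("t3", ["c"], ["d"]),          # untouched by the attack
    Task("t4", ["d"], ["a"]),          # clean overwrite of a
    Task("t5", ["a"], ["e"]),          # reads the refreshed a -> clean
    Task("t6", ["f"], ["g"], "t2"),    # path chosen by damaged t2
    Task("t7", ["g"], ["h"]),          # reads g written on the wrong path
]

if __name__ == "__main__":
    tasks, objects = assess_damage(SAMPLE_LOG, {"t1"})
    print("damaged tasks:", tasks)
    print("objects needing repair:", sorted(objects))
```

Reversing the returned task list gives an order in which the damaged tasks can be undone without disturbing `t3`, `t4` and `t5`.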
