Building survivable systems: an integrated approach based on intrusion detection and damage containment

Reliance on networked information systems to support critical infrastructures prompts interest in making network information systems survivable, so that they continue functioning even when under attack. To build survivable systems, attacks must be detected and reacted to before they impact performance or functionality. Previous survivable systems research focused primarily on detecting intrusions, rather than on preventing or containing damage due to intrusions. We have therefore developed a new approach that combines early attack detection with automated reaction for damage prevention and containment, as well as tracing and isolation of attack origination point(s). Our approach is based on specifying security-relevant behaviors using patterns over sequences of observable events, such as a process's system calls and their arguments, and the contents of network packets. By intercepting actual events at runtime and comparing them to specifications, attacks can be detected and operations associated with the deviant events can be modified to thwart the attack. Being based on security-relevant behaviors rather than known attack signatures, our approach can protect against unknown attacks. At the same time, our approach produces few false positives, a property that is critical for automating reactions. Our host-based mechanisms for attack detection and isolation coordinate with network routers enhanced with active networking technology in order to trace the origin of the attack and isolate the attacker.
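The abstract describes specifications written as patterns over sequences of observable events (system calls and their arguments), checked at interception time, with deviant operations modified rather than merely logged. The following is an added illustration of that idea, not code from the paper or its authors: a miniature specification-based monitor in which the rules, the document-root and log paths, the process id and the event trace are all constructed assumptions. One rule is a per-event constraint (where a hypothetical web server may open files); the other is a sequence pattern (an execve is deviant only after the process has accepted a network connection), which is the kind of behavioural specification that needs no attack signature.

```python
# Added example (not code from the paper): a miniature specification-based
# monitor. Security-relevant behaviour is written as rules over a sequence of
# observed events (system call name and arguments); each event is checked
# against the specification before the operation proceeds, and a deviant event
# is mapped to a reaction that alters or aborts the operation.
# The rules, paths, pid and trace below are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One observed event: the calling process, the system call and its arguments."""
    pid: int
    syscall: str
    args: Tuple[str, ...]


@dataclass
class Verdict:
    event: Event
    rule: Optional[str]   # name of the violated rule, or None when the event conforms
    reaction: str         # "allow", "deny" (operation fails with EPERM) or "terminate"


# A rule is (name, predicate over (event, per-process state) that is True when
# the event deviates from the specification, reaction to take).
Rule = Tuple[str, Callable[[Event, Dict[str, object]], bool], str]

DOC_ROOT = "/var/www/"        # constructed: the only tree the server may read
LOG_DIR = "/var/www/logs/"    # constructed: the only tree the server may write


def _open_outside_allowed_trees(ev: Event, st: Dict[str, object]) -> bool:
    """Per-event constraint: reads stay under DOC_ROOT, writes under LOG_DIR."""
    if ev.syscall != "open":
        return False
    path, mode = ev.args
    if any(flag in mode for flag in ("O_WRONLY", "O_RDWR", "O_CREAT")):
        return not path.startswith(LOG_DIR)
    return not path.startswith(DOC_ROOT)


def _exec_after_serving_network(ev: Event, st: Dict[str, object]) -> bool:
    """Sequence pattern: execve is deviant only once the process has done accept()."""
    return ev.syscall == "execve" and bool(st.get("serving"))


RULES: List[Rule] = [
    ("open-outside-allowed-trees", _open_outside_allowed_trees, "deny"),
    ("execve-after-accept", _exec_after_serving_network, "terminate"),
]


class SpecMonitor:
    """Intercepts events, checks them against the rules, tracks per-process state."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.state: Dict[int, Dict[str, object]] = {}

    def observe(self, ev: Event) -> Verdict:
        st = self.state.setdefault(ev.pid, {"serving": False})
        for name, violates, reaction in self.rules:
            if violates(ev, st):
                if reaction == "terminate":
                    self.state.pop(ev.pid, None)   # process is gone; drop its state
                return Verdict(ev, name, reaction)
        # Only an operation that actually executes advances the process's state.
        if ev.syscall == "accept":
            st["serving"] = True
        return Verdict(ev, None, "allow")


# Constructed trace for a hypothetical web-server process (pid 4242): the first
# three events conform to the specification, the last two deviate from it.
SAMPLE_TRACE: List[Event] = [
    Event(4242, "open", ("/var/www/html/index.html", "O_RDONLY")),
    Event(4242, "accept", ("0.0.0.0:80",)),
    Event(4242, "open", ("/var/www/logs/access.log", "O_WRONLY|O_APPEND")),
    Event(4242, "open", ("/etc/shadow", "O_RDONLY")),
    Event(4242, "execve", ("/bin/sh",)),
]


def run(trace: List[Event], rules: List[Rule] = RULES) -> List[Verdict]:
    """Feed a trace through a fresh monitor and return one verdict per event."""
    mon = SpecMonitor(rules)
    return [mon.observe(ev) for ev in trace]


if __name__ == "__main__":
    for v in run(SAMPLE_TRACE):
        status = f"violates {v.rule}" if v.rule else "conforms"
        print(f"pid={v.event.pid} {v.event.syscall:7}{v.event.args} -> {v.reaction:9} ({status})")
```

Two design points carry over from the abstract. First, the reaction is applied to the deviant operation itself (the open returns EPERM, the execve never runs), which is what makes containment automatic rather than an alert for a human to act on. Second, the execve rule keys on process state built from earlier allowed events, so the same program running as a launcher (execve before any accept) is not flagged; a specification of expected behaviour rather than a signature is what keeps the false-positive rate low enough to automate.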
