COTS Diversity Based Intrusion Detection and Application to Web Servers

It is commonly accepted that intrusion detection systems (IDS) are required to compensate for the insufficient security mechanisms that are available on computer systems and networks. However, the anomaly-based IDSes that have been proposed in the recent years present some drawbacks, e.g., the necessity to explicitly define a behaviour reference model. In this paper, we propose a new approach to anomaly detection, based on the design diversity, a technique from the dependability field that has been widely ignored in the intrusion detection area. The main advantage is that it provides an implicit, and complete reference model, instead of the explicit model usually required. For practical reasons, we actually use Components-off-the-shelf (COTS) diversity, and discuss on the impact of this choice. We present an architecture using COTS-diversity, and then apply it to web servers. We also provide experimental results that confirm the expected properties of the built IDS, and compare them with other IDSes.

[1]  Jean Arlat,et al.  Definition and analysis of hardware- and software-fault-tolerant architectures , 1990, Computer.

[2]  Lorenzo Strigini,et al.  On Designing Dependable Services with Diverse Off-the-Shelf SQL Servers , 2003, WADS.

[3]  Brian Randell,et al.  System structure for software fault tolerance , 1975, IEEE Transactions on Software Engineering.

[4]  Giovanni Vigna,et al.  A stateful intrusion detection system for World-Wide Web servers , 2003, 19th Annual Computer Security Applications Conference, 2003. Proceedings..

[5]  R. Sekar,et al.  A fast automaton-based method for detecting anomalous program behaviors , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[6]  Sadie Creese,et al.  MAFTIA Conceptual Model and Architecture , 2001 .

[7]  Hervé Debar,et al.  WebAnalyzer: accurate detection of HTTP attack traces in web server logs , 2006, Ann. des Télécommunications.

[8]  Yves Deswarte,et al.  An intrusion tolerant architecture for dynamic content internet servers , 2003, SSRS '03.

[9]  Peter G. Neumann,et al.  EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances , 1997, CCS 2002.

[10]  Michael R. Lyu,et al.  Improving the N-version programming process through the evolution of a design paradigm , 1993 .

[11]  Karl N. Levitt,et al.  Learning Unknown Attacks - A Start , 2002, RAID.

[12]  Algirdas Avizienis,et al.  Fault Tolerance by Design Diversity: Concepts and Experiments , 1984, Computer.

[13]  Rong Wang,et al.  Design and implementation of acceptance monitor for building scalable intrusion tolerant system , 2001, Proceedings Tenth International Conference on Computer Communications and Networks (Cat. No.01EX495).

[14]  Miguel Correia,et al.  Intrusion-Tolerant Architectures: Concepts and Design , 2002, WADS.

[15]  David Moore,et al.  The Spread of the Witty Worm , 2004, IEEE Secur. Priv..

[16]  Stefan Savage,et al.  Inside the Slammer Worm , 2003, IEEE Secur. Priv..

[17]  Hervé Debar,et al.  A serial combination of anomaly and misuse IDSes applied to HTTP traffic , 2004, 20th Annual Computer Security Applications Conference.

[18]  Karl N. Levitt,et al.  Automated detection of vulnerabilities in privileged programs by execution monitoring , 1994, Tenth Annual Computer Security Applications Conference.

[19]  Martin Roesch,et al.  Snort - Lightweight Intrusion Detection for Networks , 1999 .

[20]  Magnus Almgren,et al.  An Adaptive Intrusion-Tolerant Server Architecture , 2004 .

[21]  Magnus Almgren,et al.  An Architecture for an Adaptive Intrusion-Tolerant Server , 2002, Security Protocols Workshop.