Intrusion Confinement by Isolation in Information Systems

System protection mechanisms such as access controls can be fooled by authorized but malicious users, masqueraders, and misfeasors. Intrusion detection techniques are therefore used to supplement them. However, damage could have occurred before an intrusion is detected. In many computing systems the requirement for a high degree of soundness of intrusion reporting can yield poor performance in detecting intrusions, and can cause long detection latency. As a result, serious damage can be caused either because many intrusions are never detected or because the average detection latency is too long. The process of bounding the damage caused by intrusions during the process of intrusion detection is referred to as intrusion confinement. We justify the necessity for intrusion confinement during detection by a probabilistic analysis model, and propose a general solution to achieve intrusion confinement. The crux of the solution is to isolate likely suspicious actions before a definite determination of intrusion is reported. We also present a concrete isolation protocol in the file system context to evaluate the feasibility of the general solution, which can be applied in many types of information systems.

[1]  Sushil Jajodia,et al.  Surviving information warfare attacks on databases , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[2]  Brajendra Panda,et al.  Reconstructing the Database after Electronic Attacks , 1998, DBSec.

[3]  John P. McDermott,et al.  Towards a model of storage jamming , 1996, Proceedings 9th IEEE Computer Security Foundations Workshop.

[4]  Richard A. Kemmerer,et al.  Penetration state transition analysis: A rule-based intrusion detection approach , 1992, [1992] Proceedings Eighth Annual Computer Security Application Conference.

[5]  Shiuh-Pyng Shieh,et al.  A pattern-oriented intrusion-detection model and its applications , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[6]  Koral Ilgun USTAT: a real-time intrusion detection system for UNIX , 1993, Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[7]  Sushil Jajodia,et al.  Abstraction-based misuse detection: high-level specifications and adaptable strategies , 1998, Proceedings. 11th IEEE Computer Security Foundations Workshop (Cat. No.98TB100238).

[8]  John P. McDermott,et al.  Storage Jamming , 1995, DBSec.

[9]  Richard A. Kemmerer,et al.  State Transition Analysis: A Rule-Based Intrusion Detection Approach , 1995, IEEE Trans. Software Eng..

[10]  Shiuh-Pyng Shieh,et al.  On a Pattern-Oriented Model for Intrusion Detection , 1997, IEEE Trans. Knowl. Data Eng..

[11]  Todd L. Heberlein,et al.  Network intrusion detection , 1994, IEEE Network.

[12]  Sushil Jajodia,et al.  Application-level isolation to cope with malicious database users , 1998, Proceedings 14th Annual Computer Security Applications Conference (Cat. No.98EX217).

[13]  Sushil Jajodia,et al.  Recovery from Malicious Transactions , 2002, IEEE Trans. Knowl. Data Eng..

[14]  Alley Stoughton,et al.  Detection of Mutual Inconsistency in Distributed Systems , 1983, IEEE Transactions on Software Engineering.

[15]  Harold S. Javitz,et al.  The NIDES Statistical Component Description and Justification , 1994 .