CHAPTER 10
Intrusion Response Systems: A Survey
The occurrence of outages due to failures in today's information technology infrastructure is a real problem that still begs a satisfactory solution. The backbone of the ubiquitous information technology infrastructure is formed by distributed systems—distributed middleware, such as CORBA and DCOM; distributed file systems, such as NFS and XFS; distributed coordination-based systems, such as publish-subscribe systems and network protocols; and above all, the distributed infrastructure of the World Wide Web. Distributed systems support many critical applications in the civilian and military domains. Critical civilian applications abound in private enterprise, such as banking, electronic commerce, and industrial control systems, as well as in the public enterprise, such as air traffic control, nuclear power plants, and protection of public infrastructures through Supervisory Control and Data Acquisition (SCADA) systems. This dependency dramatically magnifies the consequence of failures, even transient ones. It is little wonder, therefore, that distributed systems are called upon to provide always-available and trustworthy services. The terminology that we will use in this chapter is to consider a distributed system as composed of multiple services that interact with one another through standardized network protocols. Consider, for example, a distributed e-commerce system with the traditional three-tier architecture of a web server, an application server, and a database server; the services are typically located on multiple hosts. The importance of distributed systems has led to a long-standing interest in securing them through prevention and runtime detection of intrusions.
Prevention is traditionally achieved by a system for user authentication and identification (e.g., users log in by providing some identifying information such as a log-in signature and password, biometric information, or a smart card); access control mechanisms (rules indicating which user has what privileges over what resources in the system); and a "protective shield" around the computer system (typically a firewall that inspects incoming and optionally outgoing network traffic and allows it only if the traffic is determined to be benign). The prevention mechanism by itself
is considered inadequate, because without being too restrictive it is impossible to block all malicious traffic from the outside. Also, if a legitimate user's password is compromised or an insider launches an attack, then prevention may not be adequate. Intrusion detection systems (IDSs) seek to detect the behavior of an adversary by observing its manifestations on a system. The detection is done at runtime, once the attack has been launched. Many IDSs have been developed in research and as commercial products. They fundamentally operate by analyzing incoming packets and matching them either against known attack patterns (misuse-based signatures) or against patterns of expected system behavior (anomaly-based signatures). There are two metrics for evaluating IDSs: the rate of false alarms (legitimate traffic being flagged as malicious) and the rate of missed alarms (malicious traffic not flagged by the IDS). However, in order to meet the challenge of continuously available trustworthy services from today's distributed systems, intrusion detection needs to be followed by response actions. This has typically been considered the domain of system administrators, who manually "patch" a system in response to detected attacks. In the traditional mode of performing response, the system administrator would first get an alert from the IDS. Then, he or she would consult logs and run various system commands on the different machines comprising the entire system in an effort to determine whether the attack was currently active...
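As an added illustration of the two detection approaches and the two evaluation metrics just described (example code written for this page, not taken from the chapter), the following Python scores a misuse-based detector and an anomaly-based detector over labelled request records. The traffic, the signature list and the baseline of expected paths are all constructed, and deliberately small, so that each detector misses a different attack.

```python
from collections import Counter
# Constructed sample traffic: (request line, ground truth: is it malicious?).
TRAFFIC = [
    ("GET /index.html", False),
    ("GET /products?id=42", False),
    ("POST /login", False),
    ("GET /products?id=42 UNION SELECT password FROM users", True),  # attack on a known path
    ("GET /../../etc/passwd", True),
    ("GET /search?q=<script>alert(1)</script>", True),
    ("GET /admin/backup.tar.gz", True),  # novel: no signature covers it
    ("GET /products?id=7", False),
    ("GET /checkout", False),
    ("POST /api/v1/orders", False),  # legitimate, but absent from the baseline
]

# Misuse-based: known attack patterns (constructed, deliberately incomplete).
SIGNATURES = ("UNION SELECT", "../", "<SCRIPT>")
# Anomaly-based: paths observed in a benign training window (constructed baseline).
BASELINE_PATHS = {"/index.html", "/products", "/login", "/checkout"}

def misuse_detector(request):
    """Alert when any known attack pattern appears in the request (case-insensitive)."""
    upper = request.upper()
    return any(sig in upper for sig in SIGNATURES)

def anomaly_detector(request):
    """Alert when the requested path deviates from the learned baseline."""
    parts = request.split(" ", 1)
    path = (parts[1] if len(parts) > 1 else parts[0]).split("?", 1)[0]
    return path not in BASELINE_PATHS

def combined_detector(request):
    """Alert if either detector fires: fewer misses, but the anomaly false alarms remain."""
    return misuse_detector(request) or anomaly_detector(request)

def evaluate(detector, traffic):
    """Return (false_alarm_rate, missed_alarm_rate) for a detector over labelled traffic."""
    counts = Counter()
    for request, malicious in traffic:
        alerted = detector(request)
        counts["malicious" if malicious else "benign"] += 1
        counts["false_alarm"] += alerted and not malicious   # legitimate traffic flagged
        counts["missed"] += malicious and not alerted        # malicious traffic not flagged
    return counts["false_alarm"] / counts["benign"], counts["missed"] / counts["malicious"]

if __name__ == "__main__":
    for name, det in (("misuse", misuse_detector), ("anomaly", anomaly_detector), ("combined", combined_detector)):
        false_alarm, missed = evaluate(det, TRAFFIC)
        print(f"{name:9s} false-alarm rate={false_alarm:.2f}  missed-alarm rate={missed:.2f}")
```

The signature matcher misses the novel path and the baseline matcher misses the injection riding on a known path; combining them removes the misses at the cost of the anomaly detector's false alarm, which is the trade-off between the two metrics.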