CHAPTER 10 Intrusion Response Systems: A Survey
The occurrence of outages due to failures in today's information technology infrastructure is a real problem that still begs a satisfactory solution. The backbone of the ubiquitous information technology infrastructure is formed by distributed systems: distributed middleware, such as CORBA and DCOM; distributed file systems, such as NFS and XFS; distributed coordination-based systems, such as publish-subscribe systems and network protocols; and above all, the distributed infrastructure of the World Wide Web. Distributed systems support many critical applications in the civilian and military domains. Critical civilian applications abound in private enterprise, such as banking, electronic commerce, and industrial control systems, as well as in the public enterprise, such as air traffic control, nuclear power plants, and protection of public infrastructures through Supervisory Control and Data Acquisition (SCADA) systems. This dependency dramatically magnifies the consequence of failures, even transient ones. It is therefore no surprise that distributed systems are called upon to provide always-available and trustworthy services. In this chapter we treat a distributed system as a collection of services that interact with one another through standardized network protocols. Consider, for example, a distributed e-commerce system with the traditional three-tier architecture of a web server, an application server, and a database server; the services are typically located on multiple hosts. The importance of distributed systems has led to a long-standing interest in securing such systems through prevention and runtime detection of intrusions.
Prevention is traditionally achieved by a system for user authentication and identification (e.g., users log in by providing some identifying information such as a log-in name and password, biometric information, or a smart card); access control mechanisms (rules that indicate which user has what privileges over which resources in the system); and a "protective shield" around the computer system (typically a firewall that inspects incoming and optionally outgoing network traffic and allows it only if the traffic is determined to be benign). The prevention mechanism by itself is considered inadequate, because unless it is made so restrictive that it also blocks legitimate use, it cannot keep out all malicious traffic from the outside. Also, if a legitimate user's password is compromised or an insider launches an attack, prevention offers no protection at all. Intrusion detection systems (IDSs) seek to detect the behavior of an adversary by observing its manifestations on a system. Detection is done at runtime, after the attack has been launched. Many IDSs have been developed in research and as commercial products. They fundamentally operate by analyzing incoming packets (or other observable events) and either matching them against patterns of known attacks (misuse-based detection) or comparing them against a model of expected system behavior and flagging deviations (anomaly-based detection). Two metrics are commonly used to evaluate an IDS: the rate of false alarms (legitimate traffic being flagged as malicious) and the rate of missed alarms (malicious traffic not flagged by the IDS).

However, in order to meet the challenge of continuously available, trustworthy services from today's distributed systems, intrusion detection needs to be followed by response actions. This has typically been considered the domain of system administrators, who manually "patch" a system in response to detected attacks. The traditional mode of performing response was that first, the system administrator would get an alert from the IDS. Then, he or she would consult logs and run various system commands on the different machines comprising the entire system in an effort to determine if the attack were currently active...
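The two detection styles and the two evaluation metrics described above, as an added example that is not code from the chapter or from any product it surveys: a misuse-based matcher with two invented signatures, an anomaly-based check on request-body size against a constructed benign baseline, both run over a constructed, labelled set of requests and scored by false-alarm rate and missed-alarm rate, and finally the naive automated response of blocking every source that raised an alert. All records, signatures, sizes and thresholds are assumptions made for illustration.

```python
"""Misuse-based vs. anomaly-based detection over constructed traffic,
scored with the two IDS metrics from the text (false-alarm rate and
missed-alarm rate), followed by the naive response the alerts would
trigger.  Added example; signatures, baseline and records are invented,
not taken from the chapter or any product it discusses."""
import re
from dataclasses import dataclass
from fractions import Fraction
from statistics import mean, pstdev


@dataclass(frozen=True)
class Request:
    src: str          # client address
    path: str         # request line, query string included
    size: int         # request body size in bytes
    malicious: bool   # ground truth, used only for scoring


# Constructed sample traffic (not real logs); each comment says what the
# record is meant to exercise.
SAMPLE = [
    Request("10.0.0.5",  "/index.php", 180, False),
    Request("10.0.0.6",  "/cart.php?id=3", 210, False),
    Request("10.0.0.7",  "/cart.php?id=3+UNION+SELECT+user,pass+FROM+admins", 240, True),  # known SQLi pattern
    Request("10.0.0.8",  "/search.php?q=shoes", 190, False),
    Request("10.0.0.9",  "/admin/../../etc/passwd", 170, True),                              # known traversal pattern
    Request("10.0.0.10", "/checkout.php", 9800, True),                                        # novel attack: huge body, no signature
    Request("10.0.0.11", "/checkout.php", 230, False),
    Request("10.0.0.12", "/search.php?q=select+from+catalog", 200, False),                  # benign text that looks like SQL
    Request("10.0.0.13", "/index.php", 175, False),
    Request("10.0.0.14", "/login.php", 3100, False),                                         # legitimate but unusually large
]

# Body sizes of benign requests seen during a training window (constructed).
BENIGN_TRAINING_SIZES = [180, 210, 195, 205, 188, 230, 175, 220, 190, 200]

# Misuse-based detection: patterns of known attacks (invented, toy-sized).
SIGNATURES = {
    "sqli": re.compile(r"\b(union|select)\b.*\b(from|where)\b", re.I),
    "traversal": re.compile(r"\.\./"),
}


def misuse_alerts(reqs):
    """Indices of requests matching any known-attack signature."""
    return {i for i, r in enumerate(reqs)
            if any(p.search(r.path) for p in SIGNATURES.values())}


def anomaly_alerts(reqs, training_sizes=BENIGN_TRAINING_SIZES, k=3.0):
    """Indices of requests whose body size lies more than k standard
    deviations from the benign baseline; knows no attack patterns."""
    mu, sigma = mean(training_sizes), pstdev(training_sizes)
    return {i for i, r in enumerate(reqs) if abs(r.size - mu) > k * sigma}


def rates(reqs, alerts):
    """(false-alarm rate, missed-alarm rate) as exact fractions:
    benign flagged / benign, and malicious not flagged / malicious."""
    benign = [i for i, r in enumerate(reqs) if not r.malicious]
    bad = [i for i, r in enumerate(reqs) if r.malicious]
    far = Fraction(sum(i in alerts for i in benign), len(benign))
    mar = Fraction(sum(i not in alerts for i in bad), len(bad))
    return far, mar


def response_plan(reqs, alerts):
    """Simplest automated response: block every source that raised an
    alert.  Every false alarm becomes a blocked legitimate user."""
    return sorted({reqs[i].src for i in alerts})


if __name__ == "__main__":
    m, a = misuse_alerts(SAMPLE), anomaly_alerts(SAMPLE)
    for name, alerts in [("misuse", m), ("anomaly", a), ("both", m | a)]:
        far, mar = rates(SAMPLE, alerts)
        print(f"{name:8s} false-alarm {far}  missed-alarm {mar}  "
              f"block {response_plan(SAMPLE, alerts)}")
```

Run on the constructed set, the misuse detector catches the two requests that match its signatures but misses the oversized request that matches none (missed-alarm rate 1/3, one false alarm on the benign search that happens to contain SQL keywords); the anomaly detector catches the novel oversized request but misses both signature attacks and also flags a legitimate large upload. Taking the union of the two alert sets drives missed alarms to zero at the price of doubling the false-alarm rate, and the naive blocking response would then cut off two legitimate users, which is the cost that makes response, unlike detection, hard to automate safely.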