Intrusion Response Systems: A Survey
10
10.1 INTRODUCTION
The occurrence of outages due to failures in today's information technology infrastructure is a real problem that still lacks a satisfactory solution. The backbone of this ubiquitous infrastructure is formed by distributed systems: distributed middleware, such as CORBA and DCOM; distributed file systems, such as NFS and XFS; distributed coordination-based systems, such as publish-subscribe systems and network protocols; and, above all, the distributed infrastructure of the World Wide Web. Distributed systems support many critical applications in the civilian and military domains. Critical civilian applications abound in private enterprise, such as banking, electronic commerce, and industrial control systems, as well as in the public sector, such as air traffic control, nuclear power plants, and protection of public infrastructures through Supervisory Control and Data Acquisition (SCADA) systems. This dependency dramatically magnifies the consequences of failures, even transient ones. It is therefore little wonder that distributed systems are called upon to provide always-available and trustworthy services.

The terminology used in this chapter treats a distributed system as composed of multiple services that interact with one another through standardized network protocols. Consider, for example, a distributed e-commerce system with the traditional three-tier architecture of a web server, an application server, and a database server; the services are typically located on multiple hosts.

The importance of distributed systems has led to a long-standing interest in securing them through prevention and runtime detection of intrusions. Prevention is traditionally achieved by a system for user identification and authentication (e.g., users log in by providing identifying information such as a log-in signature and password, biometric information,