Results 1 - 10 of 16
Storage-based intrusion detection: watching storage activity for suspicious behavior
In Proceedings of the 12th USENIX Security Symposium, 2003
Cited by 43 (5 self)
Storage-based intrusion detection allows storage systems to transparently watch for suspicious activity. Storage systems are well-positioned to spot several common intruder actions, such as adding backdoors, inserting Trojan horses, and tampering with audit logs. Further, an intrusion detection system (IDS) embedded in a storage device continues to operate even after client systems are compromised. This paper describes a number of specific warning signs visible at the storage interface. It describes and evaluates a storage IDS, embedded in an NFS server, demonstrating both feasibility and efficiency of storage-based intrusion detection. In particular, both the performance overhead and memory required (40 KB for a reasonable set of rules) are minimal. With small extensions, storage IDSs can also be embedded in block-based storage devices.
Intrusion Confinement by Isolation in Information Systems
2000
Cited by 23 (7 self)
System protection mechanisms such as access controls can be fooled by authorized but malicious users, masqueraders, and misfeasors. Intrusion detection techniques are therefore used to supplement them. However, damage could have occurred before an intrusion is detected. In many computing systems the requirement for a high degree of soundness of intrusion reporting can yield poor performance in detecting intrusions and cause long detection latency. As a result, serious damage can be caused either because many intrusions are never detected or because the average detection latency is too long. The process of bounding the damage caused by intrusions during intrusion detection is referred to as intrusion confinement. We justify the necessity for intrusion confinement during detection by using a probabilistic analysis model, and propose a general solution to achieve intrusion confinement. The key idea of the solution is to isolate likely suspicious actions before a definite determination of in...
Toward a Threat Model for Storage Systems
2005
Cited by 11 (2 self)
The growing number of storage security breaches as well as the need to adhere to government regulations is driving the need for greater storage protection. However, there is a lack of a comprehensive process for designing storage protection solutions. Designing protection for storage systems is best done by utilizing proactive system engineering rather than reacting with ad hoc countermeasures to the latest attack du jour. The purpose of threat modeling is to organize system threats and vulnerabilities into general classes to be addressed with known storage protection techniques. Although there has been prior work on threat modeling primarily for software applications, to our knowledge this is the first attempt at domain-specific threat modeling for storage systems. We discuss protection challenges unique to storage systems and propose two different processes for creating a threat model for storage systems: one based on classical security principles (Confidentiality, Integrity, Availability, Authentication, or CIAA) and another based on the Data Lifecycle Model. It is our hope that this initial work will start a discussion on how to better design and implement storage protection solutions against storage threats.
Application-Level Isolation to Cope With Malicious Database Users
1998
Cited by 10 (3 self)
System protection mechanisms such as access controls can be fooled by authorized but malicious users, masqueraders, and misfeasors. Intrusion detection techniques are therefore used to supplement them. The capacity of these techniques, however, is limited: innocent users may be mistaken for malicious ones while malicious users stay at large. Isolation is a method that has been applied to protect systems from damage while investigating further. This paper proposes the use of isolation at an application level to gain its benefits while minimizing loss of resources and productive work in the case of incidents later deemed innocent. We describe our scheme in the database context. It isolates the database transparently from further damage by users suspected to be malicious, while still maintaining continued availability for their transactions. Isolation is complicated by the inconsistencies that may develop between isolated database versions. We present both static and dynamic approaches to...
Security and Dependability: Then and Now
In Proceedings of Computer Security, Dependability, and Assurance, 1999
Cited by 7 (0 self)
We survey security research from the point of view of the dependability taxonomy developed by IFIP Working Group 10.4 and discuss changes since a similar survey was performed four years ago.
Rewriting Histories: Recovering from Malicious Transactions
1999
Cited by 6 (1 self)
We consider recovery from malicious but committed transactions. Traditional recovery mechanisms do not address this problem, except for complete rollbacks, which undo the work of good transactions as well as malicious ones, and compensating transactions, whose utility depends on application semantics. We develop an algorithm that rewrites execution histories for the purpose of backing out malicious transactions. Good transactions that are affected, directly or indirectly, by malicious transactions complicate the process of backing out undesirable transactions. We show that the prefix of a rewritten history produced by the algorithm serializes exactly the set of unaffected good transactions. The suffix of the rewritten history includes special state information to describe affected good transactions as well as malicious transactions. We describe techniques that can extract additional good transactions from this latter part of a rewritten history. The latter processing saves more ...
A Distributed Concurrent Intrusion Detection Scheme Based On Assertions
1999
Cited by 4 (4 self)
This paper presents a new technique for intrusion detection based on concurrent monitoring of user operations. In this scheme, prior to starting a session on a computer, an auxiliary process called watchdog first queries users for a scope file and then generates a table called a sprint-plan. The sprint-plan is composed of carefully derived assertions that can be used as a basis for concurrent monitoring of user commands. The plan is general enough to allow a normal user to perform his task without much interference from the watchdog or system administrator and is specific enough to detect intrusions, both external and internal. A distributed watchdog process architecture based on the notion of verifiable assertions is presented. This scheme is a significant enhancement over the traditional approaches that rely on audit trail analysis in that the intrusion detection latency could be much shorter.
Practical Defenses Against Storage Jamming
20th National Information Systems Security Conference, 1997
Cited by 4 (1 self)
detection objects satisfy two properties: 1. Indistinguishability: To any jamming process, a detection object is indistinguishable from a storage object. 2. Sensitivity: The only authentic process that modifies the detection object is the detection process. The implementation problem for a detection object defense is to preserve both indistinguishability (avoid counter-detection) and sensitivity (avoid false detections). In our example external jammer, we could model this by declaring a variable a to hold the subject of the security administrator. We could add the counter-detection by modifying line 23 to append a check for ownership of the target:
38 || t, d[t] := rand(t), g(u.val) if count ≥ JAM ∧ u ≠ null ∧ write ∈ P[s0, d[t]]
39    ∧ own ∉ P[a, d[t]]
This kind of counter-detection may not even require inside knowledge of a particular system. If a proposed defense is known to always operate in this mode, a jamming program may be able to obtain a list of user names that correspond to ...
A Fault Tolerance Approach to Survivability
In The Symposium on Protecting NATO Information Systems in the 21st Century, 1999
Cited by 4 (0 self)
Attacks on computer systems have received a great deal of press attention; however, most of the focus has been on how an attacker can disrupt an organization's operations. Although attack prevention is clearly preferred, preventive measures do fail, and some attacks inevitably succeed in compromising some or all of particular systems. We propose research into a fault-tolerance approach that addresses all phases of survivability: attack detection, damage confinement, damage assessment and repair, and attack avoidance. We focus attention on continued service and recovery issues. A promising area of research for continued service addresses relaxed notions of consistency. Expanding on the notion of self-stabilization, the idea is to formalize the degree of damage under which useful service is still possible. A complementary research area for recovery is the engineering of suitable mechanisms into existing systems. We explain the underlying models for these research areas and ...
The Design and Implementation of a Self-Healing Database System
Journal of Intelligent Information Systems, 2002
Cited by 4 (2 self)
In this paper, we present the design and implementation of ITDB, a self-healing or intrusion-tolerant database prototype system. While traditional secure database systems rely on preventive controls and are very limited in surviving malicious attacks, ITDB can detect intrusions, isolate attacks, contain, assess, and repair the damage caused by intrusions in a timely manner such that sustained, self-stabilized levels of data integrity and availability can be provided to applications in the face of attacks. ITDB is implemented on top of a COTS DBMS. We have evaluated the cost-effectiveness of ITDB using several micro-benchmarks. Preliminary testing measurements suggest that when the accuracy of intrusion detection is satisfactory, ITDB can effectively locate and repair the damage on-the-fly with reasonable (database) performance penalty.
Keywords: Security, Survivability, Self-Healing Database Systems