ABSTRACT
Hosts connected to the Internet continue to suffer attacks with high frequency. The use of an intrusion detector allows potential threats to be flagged. When an alarm is raised, preventive action can be taken. A primary goal of such action is to assure the security of the data stored in the system. If this operation is effected manually, the delay between the alarm and the response may be enough for an intruder to cause significant damage.

The alternative proposed in this paper is to provide a response primitive for intrusion detectors to utilize in automating the response. We describe RICE, a modification to the Java file subsystem that provides such functionality for data that is deemed to be threatened by an attack. If it is activated when an intrusion appears likely to succeed, it guarantees the confidentiality, integrity and availability of the protected data even after a system is compromised.

In particular, RICE allows cryptographic encapsulation of data to be reduced to simple key deletion so that it can be effected rapidly. Further, it uses digitally signed hashes of file deltas to allow untainted data to be distinguished from the rest. Finally, file deltas are replicated at a remote node to ensure that changes made by an attacker can be undone using the remote replicas.
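The three mechanisms the abstract names (encapsulation reduced to key deletion, signed hashes of file deltas to tell untainted data from the rest, and a remote replica of the deltas from which an intruder's changes can be undone) are shown together in the following Go example. This is illustrative code written for this page, not RICE's Java implementation; the delta layout, the choice of AES-GCM and Ed25519, hashing the stored ciphertext together with its log index, the in-process "remote" replica and the escrow key returned by Encapsulate are all assumptions of the example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)
// Delta is one encrypted, append-only change to a protected file (constructed layout, not the paper's).
type Delta struct {
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM output (ciphertext || tag)
	Signature  []byte // Ed25519 signature over hashDelta(index, delta); empty if unsigned
}
// Store models the protected data: a local delta log, its replica at a remote node
// (kept in-process here), a data key and a signing key.
type Store struct {
	dataKey []byte
	signKey ed25519.PrivateKey
	PubKey  ed25519.PublicKey // survives encapsulation; only needed to verify
	Local   []Delta
	Remote  []Delta
}
func dup(b []byte) []byte { return append([]byte(nil), b...) }
func NewStore() (*Store, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { return nil, err }
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	return &Store{dataKey: key, signKey: priv, PubKey: pub}, nil
}
// hashDelta binds a delta's log position to its stored bytes, so integrity can be checked without the data key.
func hashDelta(index int, d Delta) []byte {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, uint64(index))
	sum := sha256.Sum256(append(append(msg, d.Nonce...), d.Ciphertext...))
	return sum[:]
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // fails on a nil (deleted) key
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Append encrypts a delta, signs its hash and replicates an independent copy to the remote log.
func (s *Store) Append(plain []byte) error {
	if s.dataKey == nil || s.signKey == nil { return errors.New("keys deleted: data is encapsulated") }
	g, err := newGCM(s.dataKey)
	if err != nil { return err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return err }
	d := Delta{Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plain, nil)}
	d.Signature = ed25519.Sign(s.signKey, hashDelta(len(s.Local), d))
	s.Local = append(s.Local, d)
	s.Remote = append(s.Remote, Delta{dup(d.Nonce), dup(d.Ciphertext), dup(d.Signature)})
	return nil
}

// Encapsulate is the response primitive: zeroing both keys makes the ciphertext unreadable and stops
// further trusted deltas. The data key is handed back for out-of-band escrow (an assumption here).
func (s *Store) Encapsulate() []byte {
	escrow := dup(s.dataKey)
	for i := range s.dataKey { s.dataKey[i] = 0 }
	for i := range s.signKey { s.signKey[i] = 0 }
	s.dataKey, s.signKey = nil, nil
	return escrow
}
// Untainted reports, per local delta, whether it was written while the signing key existed and is unaltered.
func (s *Store) Untainted() []bool {
	ok := make([]bool, len(s.Local))
	for i, d := range s.Local {
		ok[i] = ed25519.Verify(s.PubKey, hashDelta(i, d), d.Signature)
	}
	return ok
}
// Recover rebuilds the file with the escrowed key: a delta comes from the local log if it verifies,
// else from the replica if that copy verifies, and is dropped otherwise. Returns content and repaired indices.
func (s *Store) Recover(key []byte) ([]byte, []int, error) {
	g, err := newGCM(key)
	if err != nil { return nil, nil, err }
	content, repaired := []byte{}, []int{}
	for i, good := range s.Untainted() {
		d := s.Local[i]
		if !good {
			if i >= len(s.Remote) || !ed25519.Verify(s.PubKey, hashDelta(i, s.Remote[i]), s.Remote[i].Signature) {
				continue // an intruder's own delta: no authentic copy exists
			}
			d, repaired = s.Remote[i], append(repaired, i)
		}
		plain, err := g.Open(nil, d.Nonce, d.Ciphertext, nil)
		if err != nil { return nil, nil, err }
		content = append(content, plain...)
	}
	return content, repaired, nil
}
```

The signed hash is computed over the stored (encrypted) bytes and the delta's position in the log, so a verifier, whether the remote node or an administrator working after the keys are gone, can classify deltas as untainted or not without ever holding the data key; the AES-GCM tag then catches any corruption that slipped past that check when the escrowed key is finally used. In the paper's setting the replica lives on a separate host, which is what makes it a reliable source for undoing an intruder's changes; the in-process Remote slice here only stands in for that node.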
Index Terms
- Augmenting storage with an intrusion response primitive to ensure the security of critical data