DOI: 10.1145/1128817.1128836
Article

Augmenting storage with an intrusion response primitive to ensure the security of critical data

Published: 21 March 2006

ABSTRACT

Hosts connected to the Internet continue to suffer attacks with high frequency. The use of an intrusion detector allows potential threats to be flagged. When an alarm is raised, preventive action can be taken. A primary goal of such action is to assure the security of the data stored in the system. If this operation is effected manually, the delay between the alarm and the response may be enough for an intruder to cause significant damage.

The alternative proposed in this paper is to provide a response primitive for intrusion detectors to utilize in automating the response. We describe RICE, a modification to the Java file subsystem that provides such functionality for data that is deemed to be threatened by an attack. If it is activated when an intrusion appears likely to succeed, it guarantees the confidentiality, integrity and availability of the protected data even after a system is compromised.

In particular, RICE allows cryptographic encapsulation of data to be reduced to simple key deletion so that it can be effected rapidly. Further, it uses digitally signed hashes of file deltas to allow untainted data to be distinguished from the rest. Finally, file deltas are replicated at a remote node to ensure that changes made by an attacker can be undone using the remote replicas.
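The integrity and availability steps described in the abstract, as an added Python sketch that is not code from the paper or from RICE: each file delta carries a tag over its SHA-256 hash, and the file is rebuilt from the replica using only deltas whose tag verifies. HMAC stands in for the digital signature, and the delta layout, the key handling (the host's signing key is dropped when the alarm fires, a verification copy is kept off-host) and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

def encode(seq: int, offset: int, data: bytes) -> bytes:
    """Canonical byte form of one delta: sequence number, write offset, payload."""
    return seq.to_bytes(8, "big") + offset.to_bytes(8, "big") + data

def sign_delta(key: bytes, seq: int, offset: int, data: bytes) -> bytes:
    """Tag the SHA-256 hash of a delta (HMAC is a stand-in for a digital signature)."""
    digest = hashlib.sha256(encode(seq, offset, data)).digest()
    return hmac.new(key, digest, hashlib.sha256).digest()

def is_untainted(key: bytes, seq: int, entry) -> bool:
    """True if the entry's tag matches its position and content."""
    offset, data, tag = entry
    return hmac.compare_digest(tag, sign_delta(key, seq, offset, data))

def restore(key: bytes, replica) -> bytes:
    """Rebuild the file from the replica, applying only deltas whose tag verifies."""
    content = bytearray()
    for seq, entry in enumerate(replica):
        if not is_untainted(key, seq, entry):
            continue  # tainted: written by someone without the signing key
        offset, data, _ = entry
        end = offset + len(data)
        if len(content) < end:
            content.extend(b"\x00" * (end - len(content)))
        content[offset:end] = data
    return bytes(content)

def demo():
    """Constructed scenario: two legitimate writes, an alarm, one attacker write."""
    trusted_key = secrets.token_bytes(32)  # verification copy kept off-host (assumption)
    host_key = trusted_key                 # copy the file subsystem signs with
    replica = []                           # delta log as stored at the remote node
    for offset, data in [(0, b"balance=100\n"), (8, b"250\n")]:
        tag = sign_delta(host_key, len(replica), offset, data)
        replica.append((offset, data, tag))
    host_key = None                        # alarm raised: the host's key is deleted
    # The intruder can still write deltas but has no key, so the tag is a guess.
    replica.append((8, b"999\n", secrets.token_bytes(32)))
    flags = [is_untainted(trusted_key, i, e) for i, e in enumerate(replica)]
    return flags, restore(trusted_key, replica)
```
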


Published in

ASIACCS '06: Proceedings of the 2006 ACM Symposium on Information, computer and communications security
March 2006
384 pages
ISBN: 1595932720
DOI: 10.1145/1128817

Copyright © 2006 ACM


Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall Acceptance Rate: 418 of 2,322 submissions, 18%
