Abstract
It is commonly accepted that intrusion detection systems (IDS) are required to compensate for the insufficient security mechanisms available on computer systems and networks. However, the anomaly-based IDSes proposed in recent years have drawbacks, e.g., the need to explicitly define a behaviour reference model. In this paper, we propose a new approach to anomaly detection based on design diversity, a technique from the dependability field that has been widely ignored in the intrusion detection area. Its main advantage is that it provides an implicit and complete reference model, instead of the explicit model usually required. For practical reasons, we actually use Components-off-the-shelf (COTS) diversity, and discuss the impact of this choice. We present an architecture using COTS diversity, and then apply it to web servers. We also provide experimental results that confirm the expected properties of the resulting IDS, and compare it with other IDSes.
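To make the idea of an implicit reference model concrete, the following is an added example, not code from the paper or its authors: the same request is served by several diverse COTS web servers and a voter compares their responses, so that any server whose answer deviates from the majority is flagged without a hand-written behaviour model. The comparison rule (status code always compared, body digest compared only for 2xx responses, because each implementation ships its own error pages), the majority-vote policy, the server names and the sample responses are all assumptions constructed for this example.

```python
"""Toy COTS-diversity anomaly detector (added example, not the paper's code).

N diverse servers answer the same request; the voter reduces each response to
a signature and raises an alert when the signatures disagree."""
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    server: str   # label of the COTS server that produced it (constructed)
    status: int   # HTTP status code
    body: bytes   # response body as received


def signature(resp):
    """Reduce a response to the features that must agree across diverse servers.

    Assumption of this example: the status code is always compared, but the
    body digest only for 2xx responses, since every server implementation has
    its own error pages and those differ without anything being wrong."""
    digest = None
    if 200 <= resp.status < 300:
        digest = hashlib.sha256(resp.body).hexdigest()
    return (resp.status, digest)


def diversity_vote(responses):
    """Majority vote over response signatures.

    Returns (verdict, outliers, reference_signature) where verdict is
    'ok' (all servers agree), 'anomaly' (a minority deviates; the majority
    answer is kept as the implicit reference) or 'no-consensus' (no majority,
    so no reference can be derived and the request must be reviewed)."""
    if len(responses) < 2:
        raise ValueError("diversity needs at least two servers")
    sigs = {r.server: signature(r) for r in responses}
    winner, n = Counter(sigs.values()).most_common(1)[0]
    if n == len(responses):
        return "ok", (), winner
    if n > len(responses) / 2:
        outliers = tuple(sorted(s for s, sig in sigs.items() if sig != winner))
        return "anomaly", outliers, winner
    return "no-consensus", tuple(sorted(sigs)), None


# Constructed sample responses for four requests (not captured from real servers).
SAMPLES = {
    "GET /index.html": [
        Response("apache", 200, b"<html>welcome</html>"),
        Response("iis", 200, b"<html>welcome</html>"),
        Response("thttpd", 200, b"<html>welcome</html>"),
    ],
    # All servers refuse, each with its own error page: no anomaly.
    "GET /missing.html": [
        Response("apache", 404, b"<html>Apache: Not Found</html>"),
        Response("iis", 404, b"<html>IIS: resource cannot be found</html>"),
        Response("thttpd", 404, b"404 Not Found"),
    ],
    # One server serves content the other two refuse: flagged as the outlier.
    "GET /scripts/admin.cgi": [
        Response("apache", 404, b"<html>Apache: Not Found</html>"),
        Response("iis", 200, b"<html>directory listing</html>"),
        Response("thttpd", 404, b"404 Not Found"),
    ],
    # Three different answers: no majority to take as reference.
    "GET /split": [
        Response("apache", 200, b"<html>version A</html>"),
        Response("iis", 200, b"<html>version B</html>"),
        Response("thttpd", 403, b"Forbidden"),
    ],
}


def scan(samples):
    """Run the voter over every sampled request; returns {request: verdict}."""
    return {req: diversity_vote(resps)[0] for req, resps in samples.items()}


if __name__ == "__main__":
    for req, resps in SAMPLES.items():
        verdict, outliers, ref = diversity_vote(resps)
        print(f"{req:24s} {verdict:13s} outliers={outliers} ref={ref}")
```

The voter only ever compares servers against each other, which is what makes the reference model implicit: the model is "what the majority of diverse implementations do", so a vulnerability specific to one COTS product shows up as a divergence rather than having to be described in advance. The flip side, which the design choice above has to address, is that legitimate implementation differences (error pages, header ordering) must be normalised away in `signature`, or they become false positives.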
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Totel, E., Majorczyk, F., Mé, L. (2006). COTS Diversity Based Intrusion Detection and Application to Web Servers. In: Valdes, A., Zamboni, D. (eds) Recent Advances in Intrusion Detection. RAID 2005. Lecture Notes in Computer Science, vol 3858. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11663812_3
DOI: https://doi.org/10.1007/11663812_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-31778-4
Online ISBN: 978-3-540-31779-1
eBook Packages: Computer Science (R0)