COTS Diversity Based Intrusion Detection and Application to Web Servers

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2005)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 3858)

Abstract

It is commonly accepted that intrusion detection systems (IDS) are required to compensate for the insufficient security mechanisms available on computer systems and networks. However, the anomaly-based IDSes proposed in recent years present some drawbacks, e.g., the need to explicitly define a behaviour reference model. In this paper, we propose a new approach to anomaly detection based on design diversity, a technique from the dependability field that has been largely ignored in the intrusion detection area. Its main advantage is that it provides an implicit and complete reference model, instead of the explicit model usually required. For practical reasons, we actually use Components-off-the-shelf (COTS) diversity, and we discuss the impact of this choice. We present an architecture using COTS diversity and then apply it to web servers. We also provide experimental results that confirm the expected properties of the resulting IDS, and compare them with other IDSes.
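To make the comparison idea concrete, here is an added example (not code from the paper or its authors) of the core detection step: the same request is served by several diverse COTS web servers, benign COTS differences are masked, and any server whose normalised response diverges from the majority is reported as an anomaly. The server names, the masked header set and the sample responses are all constructed for this illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Header fields that legitimately differ between diverse COTS servers and
# must be masked before comparison (assumed set, chosen for this example).
MASKED_HEADERS = {"server", "date", "etag", "last-modified"}


@dataclass(frozen=True)
class Response:
    status: int
    headers: dict
    body: bytes


def normalise(resp: Response) -> tuple:
    """Reduce a response to the features the comparison votes on."""
    kept = tuple(sorted((k.lower(), v) for k, v in resp.headers.items()
                        if k.lower() not in MASKED_HEADERS))
    # Trailing whitespace differences between servers are benign here.
    return (resp.status, kept, resp.body.strip())


def compare(responses: dict) -> dict:
    """Majority-vote the normalised responses of all servers.

    Returns {"anomaly": bool, "divergent": [server names], "majority_size": n}.
    No explicit model of any single server is needed: the other servers
    are the (implicit) reference model.
    """
    norm = {name: normalise(r) for name, r in responses.items()}
    counts = Counter(norm.values())
    majority, votes = counts.most_common(1)[0]
    divergent = sorted(n for n, v in norm.items() if v != majority)
    # Without a strict majority every server is suspect.
    if votes * 2 <= len(norm):
        divergent = sorted(norm)
    return {"anomaly": bool(divergent), "divergent": divergent,
            "majority_size": votes}


# Constructed sample: one request answered by three diverse servers.
SAMPLE = {
    "apache": Response(200, {"Server": "Apache/2.x", "Content-Type": "text/html"},
                       b"<html>ok</html>"),
    "iis": Response(200, {"Server": "Microsoft-IIS", "Content-Type": "text/html"},
                    b"<html>ok</html>\n"),
    "thttpd": Response(500, {"Server": "thttpd", "Content-Type": "text/html"},
                       b"error"),
}

if __name__ == "__main__":
    print(compare(SAMPLE))  # thttpd diverges from the two-server majority
```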



Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Totel, E., Majorczyk, F., Mé, L. (2006). COTS Diversity Based Intrusion Detection and Application to Web Servers. In: Valdes, A., Zamboni, D. (eds) Recent Advances in Intrusion Detection. RAID 2005. Lecture Notes in Computer Science, vol 3858. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11663812_3

  • DOI: https://doi.org/10.1007/11663812_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-31778-4

  • Online ISBN: 978-3-540-31779-1

  • eBook Packages: Computer Science (R0)
