Abstract
As the frequency of attacks faced by the average host connected to the Internet increases, reliance on manual intervention for response is decreasingly tenable. Operating system and application based mechanisms for automated response are increasingly needed. Existing solutions have either been customized to specific attacks, such as disabling an account after a number of authentication failures, or utilize harsh measures, such as shutting the system down. In contrast, we present a framework for systematic fine grained response that is achieved by dynamically controlling the host’s exposure to perceived threats.
This paper introduces a formal model to characterize the risk faced by a host. It also describes how the risk can be managed in real-time by adapting the exposure. This is achieved by modifying the access control subsystem to let the choice of whether to grant a permission be delegated to code that is customized to the specific right. The code can then use the runtime context to make a more informed choice, thereby tightening access to a resource when a threat is detected. The running time can be constrained to provide performance guarantees.
The framework was implemented by modifying the Java Runtime. A suite of vulnerable Jigsaw servlets and corresponding attacks was created. The following were manually added: code for dynamic permission checks; estimates of the reduction in exposure associated with each check; the frequencies with which individual permissions occurred in a typical workload; a global risk tolerance. The resulting platform disrupted the attacks by denying the permissions needed for their completion.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Bauer, D.S., Koblentz, M.E.: NIDX - A Real-Time Intrusion Detection Expert System. In: Proc. of USENIX Technical Conference, pp. 261–273 (1988)
Bilar, D.: Quantitative Risk Analysis of Computer Networks, PhD thesis, Dartmouth College (2003)
Carver, C.: Adaptive, Agent-based Intrusion Response, PhD thesis, Texas A and M University (2001)
Guidelines for Automatic Data Processing Physical Security and Risk Management, National Bureau of Standards (1974)
Fisch, E.: Intrusive Damage Control and Assessment Techniques, PhD thesis, Texas A and M University (1996)
Garey, M.R., Johnson, D.S.: Computers and Intractability: A Guide to the Theory of NP-Completeness. Freeman, San Francisco (1979)
Gehani, A.: Support for Automated Passive Host-based Intrusion Response, PhD thesis, Duke University (2003)
Ilgun, K., Kemmerer, R.A., Porras, P.A.: State Transition Analysis: A Rule-Based Intrusion Detection Approach. IEEE Transactions on Software Engineering 21(3), 181–199 (1995)
http://enterprisesecurity.symantec.com/content/ProductJump.cfm?Product=171
http://documents.iss.net/literature/RealSecure/RSDP-UG_70.pdf
Kellerer, H., Pferschy, U.: A new fully polynomial approximation scheme for the knapsack problem. In: Jansen, K., Rolim, J.D.P. (eds.) APPROX 1998. LNCS, vol. 1444, pp. 123–134. Springer, Heidelberg (1998)
Koved, L., Nadalin, A.J., Neal, D., Lawson, T.: The Evolution of Java Security. IBM Systems Journal 37(3), 349–364 (1998)
Guidelines for Automatic Data Processing Physical Security and Risk Management, National Institute of Standards and Technology (1996)
Pooch, U., White, G.B.: Cooperating Security Managers: Distributed Intrusion Detection System. Computer and Security 5(15), 441–450 (1996)
Porras, P.A., Neumann, P.G.: EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In: Proceedings of the Nineteenth National Computer Security Conference, Baltimore, MD, October 1997, pp. 353–365 (1997)
Hoo, K.S.: Guidelines for Automatic Data Processing Physical Security and Risk Management, PhD Thesis, Stanford University (2002)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Gehani, A., Kedem, G. (2004). RheoStat: Real-Time Risk Management. In: Jonsson, E., Valdes, A., Almgren, M. (eds) Recent Advances in Intrusion Detection. RAID 2004. Lecture Notes in Computer Science, vol 3224. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30143-1_16
Download citation
DOI: https://doi.org/10.1007/978-3-540-30143-1_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-23123-3
Online ISBN: 978-3-540-30143-1
eBook Packages: Springer Book Archive