DOI: 10.1145/1036921.1036923

A holistic approach to service survivability

Published: 31 October 2003

Abstract

We present SABER (Survivability Architecture: Block, Evade, React), a proposed survivability architecture that blocks, evades and reacts to a variety of attacks by using several security and survivability mechanisms in an automated and coordinated fashion. Contrary to the ad hoc manner in which contemporary survivable systems are built (using isolated, independent security mechanisms such as firewalls, intrusion detection systems and software sandboxes), SABER integrates several different technologies in an attempt to provide a unified framework for responding to the wide range of attacks that malicious insiders and outsiders can launch.
This coordinated multi-layer approach will be capable of defending against attacks targeted at various levels of the network stack, such as congestion-based DoS attacks, software-based DoS or code-injection attacks, and others. Our fundamental insight is that while multiple lines of defense are useful, most conventional, uncoordinated approaches fail to exploit the full range of available responses to incidents. By coordinating the response, the ability to survive successful security breaches increases substantially.
We discuss the key components of SABER, how they will be integrated, and how we can leverage the promising results of the individual components to improve survivability in a variety of coordinated attack scenarios. SABER is currently in the prototyping stages, with several interesting open research topics.

Published In

SSRS '03: Proceedings of the 2003 ACM workshop on Survivable and self-regenerative systems: in association with 10th ACM Conference on Computer and Communications Security
October 2003
129 pages
ISBN:1581137842
DOI:10.1145/1036921
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. intrusion detection
  2. overlay networks
  3. survivability

Conference

CCS03

Cited By

  • (2019) Proactive Antifragility: A New Paradigm for Next-Generation Cyber Defence at the Edge. 2019 IEEE 5th International Conference on Collaboration and Internet Computing (CIC), pages 246-255. DOI: 10.1109/CIC48465.2019.00039. Online publication date: Dec-2019.
  • (2013) Moving and Relocating. Proceedings of the 2013 IEEE 7th International Conference on Software Security and Reliability, pages 139-148. DOI: 10.1109/SERE.2013.10. Online publication date: 18-Jun-2013.
  • (2012) Dependability and Security on Wireless Self-Organized Networks. Performance and Dependability in Service Computing, pages 340-358. DOI: 10.4018/978-1-60960-794-4.ch015. Online publication date: 2012.
  • (2011) Biologically inspired architecture for security management on wireless self-organized networks. 2011 7th Latin American Network Operations and Management Symposium, pages 1-8. DOI: 10.1109/LANOMS.2011.6102260. Online publication date: Oct-2011.
  • (2010) Formal Verification of a Network Survivability Validate Model. 2010 International Conference on Biomedical Engineering and Computer Science, pages 1-4. DOI: 10.1109/ICBECS.2010.5462412. Online publication date: Apr-2010.
  • (2010) A Framework of Survivability Requirement Specification for Critical Information Systems. 2010 43rd Hawaii International Conference on System Sciences, pages 1-10. DOI: 10.1109/HICSS.2010.13. Online publication date: Jan-2010.
  • (2010) Changing Hands Together. Proceedings of the 2010 43rd Hawaii International Conference on System Sciences, pages 1-10. DOI: 10.1109/HICSS.2010.100. Online publication date: 5-Jan-2010.
  • (2009) Unifying strategies and tactics. Proceedings of the 2009 IEEE international conference on Intelligence and security informatics, pages 119-124. DOI: 10.5555/1706428.1706449. Online publication date: 8-Jun-2009.
  • (2009) Network System Survivability. Proceedings of the 2009 International Conference on Industrial and Information Systems, pages 232-235. DOI: 10.1109/IIS.2009.46. Online publication date: 24-Apr-2009.
  • (2009) Research on Survivability of Networked Information System. Proceedings of the 2009 International Conference on Signal Processing Systems, pages 56-60. DOI: 10.1109/ICSPS.2009.64. Online publication date: 15-May-2009.
