


ELECTRONIC QUARANTINE: An Automated Intruder Response Tool

Paul Brutch, Tasneem Brutch, and Udo Pooch
Department of Computer Science
Texas A&M University
{paulb, tasneem, pooch}@cs.tamu.edu

In "Survivable Network Systems: An Emerging Discipline", Ellison, Fisher, Linger, et al. organize the survivability services into four general categories: resistance, recognition, recovery, and adaptation and evolution [Ellison 97].  It is our contention that intruder response and damage assessment should be treated as separate survivability services.  We propose six key services necessary for survivability, and order these services based upon the time when each service is required.  We also present our research in the area of intruder response.

Introduction
Linger, Mead, and Lipson define survivability as the capability of a system to continue providing essential services after a successful intrusion and compromise, and the ability to recover full services in an acceptable period of time [Linger 97].  Survivability may be viewed as a composite of many disciplines such as security, fault tolerance, dependability, and software reliability.  Neumann and Porras state that when designing a survivable information infrastructure, we need to understand how to specify and integrate key properties from these various fields [Neumann 97].

In computer security, available tools provide automated capabilities in one or more of the following areas: intruder prevention, intruder detection, and damage assessment.  Many intrusion detection tools provide some form of automated intruder response, but few security tools perform any automated recovery.  Ellison, Fisher, Linger, et al. define the four key properties that survivable systems must exhibit as: resistance to attacks; recognition of attacks and the extent of damages; recovery of full and essential services after attack; and adaptation and evolution to reduce the effectiveness of future attacks [Ellison 97].  Anderson and Lee list the four phases of fault tolerance as: error detection, damage confinement and assessment, error recovery, and fault treatment and continued service [Anderson 81].  Although there are some similarities in the requirements for computer security, survivability, and fault tolerance, significant differences do exist between these three disciplines.

As proposed by Ellison, Fisher, Linger, et al., the four survivability services can be categorized as: resistance, recognition, recovery, and adaptation and evolution [Ellison 97].  It is our contention that intruder response and damage assessment should also be separate survivability services.  We propose six key services for survivability, and order these key services based upon the time when each service is required.

Intruder Response and Damage Assessment Services
Intruder response and damage assessment are essential services necessary for the provision of information survivability.  If a system is to survive a potentially damaging event, it must first be able to recognize that such an event is occurring.  Next, the system must try to respond to the intrusion and confine the effects of the damaging event.  After the damaging event has ended, the process of damage assessment can be performed.  The goal of damage assessment is to determine which portions of the system must be restored in order to recover full and essential services.

In fault-tolerant computing, once the occurrence of a fault has been detected, the errors resulting from that fault must be confined from spreading through the system.  The term damage confinement is used to define this process.  Constraints are placed on the flow of information within the system to confine these errors.  Unfortunately, some time may elapse before a fault manifests itself as an error and the error is detected.  So in addition to confining the errors from spreading through the system, we need to assess what damage has been caused to the system as a result of the fault.  In performing damage assessment, the system is evaluated to identify the boundaries through which the errors have not flowed.  The extent of the damage then must reside inside these system boundaries.

In computer security, intruder response is performed during an attack in order to stop an intruder from damaging the system.  A number of automated intruder responses have been implemented as part of intrusion detection systems.  Some responses are active, such as terminating a process or closing a connection.  Other responses are passive, such as sending an e-mail to the system administrator.  Damage assessment is normally performed after an attack.  A number of vulnerability scanning tools such as "Tiger" may be used to perform damage assessment.  Other tools such as "Tripwire" were specifically developed to aid in damage assessment.  At Texas A&M, a prototype tool called the Automated Incident Response System (AIRS) [Fisch 97] was developed to perform damage control and damage assessment on individual hosts in a network.  Fisch, White, and Pooch state that the primary function of AIRS is to provide protection of the local system [Fisch 97].

Proposed Six Key Properties of Survivable Systems
Table 1 presents our proposed six key properties of survivable systems, ordered based on time.  Table 1 is a modification of the four properties of survivability proposed by Ellison, Fisher, Linger, et al. [Ellison 97]; our modifications to their original table are shown in italics.

Table 1. The Six Key Properties of Survivable Systems.
(Modified from "Survivable Network Systems: An Emerging Discipline" [Ellison 97])

Key Property                                     | Description
-------------------------------------------------+-----------------------------------------------------------------------------
Resistance to attacks                            | strategies for preventing attacks from occurring;
                                                 | strategies for repelling attacks
Recognition of attacks                           | strategies for detecting an attack and understanding the current state
                                                 | of the system
Intruder Response                                | strategies for responding to an intruder in order to limit the extent of
                                                 | damage during an attack
Damage Assessment                                | strategies for evaluating the extent of damage
Recovery of full and essential services          | strategies for restoring compromised information or functionality,
  after attack                                   | maintaining or, if necessary, restoring essential services within the
                                                 | mission time constraints
Adaptation and evolution to reduce               | strategies for improving system survivability based on knowledge gained
  effectiveness of future attacks                | from intrusions

Electronic Quarantine
Our research focuses on the area of intruder response.  We are developing an electronic quarantine to provide a dynamic response capability to detected intrusions.  The electronic quarantine attempts to automatically confine an intruder, and the damage caused by the intrusion, to the compromised host within a bounded network.  Although the electronic quarantine does not provide all of the requirements necessary for survivability, we believe that it makes a contribution to this emerging discipline.  The electronic quarantine provides a bounded network with the capability to respond to an intrusion and adapt by modifying the existing network service access controls within the network to quarantine the compromised host(s).  For a survivable infrastructure, this capability needs to be extended to an unbounded network.

The goal of the electronic quarantine is to dynamically and without need for human intervention isolate a compromised system from hosts inside the bounded network and the Internet [Brutch 97].  Often this means logically isolating the compromised host from the rest of the bounded network until the compromised host can be fully restored.  If the compromised host is a server which supports a critical application, then a complete quarantine of this server would not be an acceptable solution.  For some critical applications, however, the availability of the service may be more important than the integrity or confidentiality of the information.  In this situation, the electronic quarantine could permit remote users to access the server only for this critical application.  All other remote access to the compromised server would be denied, and no user on the server's console would be able to connect to any other host in the bounded network or the Internet.

Electronic Quarantine Concept
The electronic quarantine builds on the capabilities of existing tools which have been developed at Texas A&M.  The first tool is the Basic Network Security Tool (BNST) [Brutch 96].  The BNST provides a graphical user interface to aid security administrators in implementing their organization's network service access policy [Brutch 96].  A prototype of the BNST was developed, but this tool is currently being redesigned.  The new tool, called the Security Administration and Network Configuration Tool for UNIX Machines (SANCTUM), accepts inputs from network administrators, host administrators, and authorized end users in order to evaluate and implement an organization's network service access policy.  In addition, SANCTUM also accepts input from Intrusion Detection Systems (IDS) concerning the status of monitored hosts within the bounded network.

We also intend to use the capabilities provided by intrusion detection systems (IDS).  A prototype IDS called the Cooperating Security Managers (CSM) [White 96] was developed at Texas A&M.  The CSM not only maintains a suspicion level for each user on the host but also evaluates the overall suspicion level of the entire system.  White, Fisch, and Pooch state that the system's suspicion level is a function of the suspicion level of all current users [White 96].  Whenever the suspicion level for a host has reached a predefined threshold value, the electronic quarantine will consider that host compromised.  White, Fisch, and Pooch state that the design of the CSM system dictates that a CSM be run on each host in the bounded network, and that autonomous CSMs communicate with each other to track users as they travel between the monitored hosts [White 96].

The electronic quarantine concept requires the use of host-based intrusion detection systems which perform real-time activity monitoring and maintain a suspicion level for each user as well as an overall suspicion level of the monitored host.  It is also assumed that the intrusion detection system can provide active responses such as terminating processes, closing connections, and disabling accounts.  Although not absolutely required, the ability of host-based intrusion detection systems to cooperate and share information in order to track users as they connect to other monitored hosts is also important.  The electronic quarantine also requires that the organization has at least an Internet firewall and that each host has a server filter, such as "TCP Wrapper", installed to perform network service access control.

Since the majority of intrusions are caused by inside users, we will explain how an electronic quarantine is implemented for a server providing a critical service when it is compromised by an intruder on the server's console.  When the intrusion detection system on the server determines that the server has been compromised, it first needs to determine which account is responsible.  Once the intruder is identified, the intrusion detection system will terminate all processes and close all connections of the intruder.  The intrusion detection system will then disable the intruder's account and contact SANCTUM, which resides on a centralized security server in the bounded network.  SANCTUM will evaluate a new organizational network service access policy which quarantines the compromised server while allowing remote access only for the critical service.  SANCTUM does this by developing a firewall access policy which blocks all incoming Internet traffic to the compromised server, except for the critical service.  SANCTUM also develops a network service access policy for the compromised server which denies all remote access, except for the critical service.  One exception to this rule is that the compromised server will allow continued access from the centralized security server on which SANCTUM resides.  SANCTUM also develops network service access policies for each of the monitored hosts in the bounded network in order to deny any connection from the compromised server.  In addition, SANCTUM develops a new firewall access policy in order to block any connections from the compromised server to the Internet.

The network service access policies developed by SANCTUM will be sent to each component in the bounded network which provides network service access control.  When a component, such as a host or a firewall, receives a new network service access policy, that policy must be implemented.  Currently this is performed manually with the BNST system.  SANCTUM must provide the capability to automatically implement these new host and firewall access control policies without the need for human intervention.
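As an added illustration of the policies SANCTUM is described as deriving in the procedure above (example code written for this page, not code from the paper or from the BNST/SANCTUM tools), the following computes each component's rule set for a constructed bounded network and evaluates it in TCP Wrapper's allow-then-deny order; the host names, the service name and the firewall rule tuples are assumptions of the example.

```python
# Added example (not the paper's code): derive the per-component network
# service access policies that SANCTUM is described as computing when a server
# providing a critical service is quarantined.  Host names, the service name
# and the firewall rule tuples are constructed; host rules use the TCP Wrapper
# "daemon : client" form of hosts.allow / hosts.deny.

def quarantine_policy(hosts, compromised, critical_service, security_server):
    """Return {"allow": [...], "deny": [...]} for every host and for the
    Internet firewall so that `compromised` is isolated."""
    policy = {}
    for h in hosts:
        if h == compromised:
            # Compromised server: remote access only for the critical service,
            # plus continued access from the centralised security server.
            policy[h] = {"allow": [f"{critical_service} : ALL",
                                   f"ALL : {security_server}"],
                         "deny": ["ALL : ALL"]}
        else:
            # Every other monitored host refuses any connection from it.
            policy[h] = {"allow": [], "deny": [f"ALL : {compromised}"]}
    # Firewall rules are (direction, service, internal host): inbound only for
    # the critical service, and no outbound traffic from the compromised server.
    policy["firewall"] = {"allow": [("in", critical_service, compromised)],
                          "deny": [("in", "ALL", compromised),
                                   ("out", "ALL", compromised)]}
    return policy

def _host_match(rule, service, client):
    daemon, cli = (p.strip() for p in rule.split(":"))
    return daemon in ("ALL", service) and cli in ("ALL", client)

def _fw_match(rule, direction, service, host):
    d, svc, h = rule
    return d == direction and svc in ("ALL", service) and h == host

def permits(policy, component, service, peer, direction="in"):
    """TCP Wrapper order: a matching allow line grants, else a matching deny
    line refuses, else access is granted.  `peer` is the client for a host,
    or the internal host a packet enters ("in") or leaves ("out") for the firewall."""
    rules = policy[component]
    if component == "firewall":
        def match(r): return _fw_match(r, direction, service, peer)
    else:
        def match(r): return _host_match(r, service, peer)
    if any(match(r) for r in rules["allow"]):
        return True
    if any(match(r) for r in rules["deny"]):
        return False
    return True
```

With the constructed network ["dbserver", "ws1", "secsrv"], quarantining "dbserver" for service "dbd" with "secsrv" as the security server, only the critical service reaches the compromised host from "ws1" or the Internet, the security server keeps full access, and nothing from "dbserver" reaches the other hosts or the Internet.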

If the attack occurs from another host within the bounded network, similar actions are taken, except that the intruder's presence must also be removed from the host on which the attack originated.  Intrusion detection systems that cooperate to provide user tracking, such as the CSM, can effectively terminate an intruder's sessions and disable their account over multiple hosts.  One of the goals of the electronic quarantine is to ensure that the intruder cannot access the compromised host again in order to exploit any back doors which may have been left.

Damage Assessment and Recovery
Although the electronic quarantine provides for continued access to critical services, until damage assessment and recovery have been performed, essential properties such as integrity and confidentiality may not be preserved.  In some missions, the availability of the service may be more important than the actual integrity or confidentiality of the information.  Although automated damage assessment and recovery are not part of the electronic quarantine concept, these capabilities are necessary to provide some measure of survivability.  Once damage assessment has been performed and the full and essential services on the compromised host are recovered, the electronic quarantine can be lifted.  This is performed by instructing SANCTUM to implement a new organizational network service access policy allowing normal network service access to/from the "cured" host.


References

Anderson 81
Anderson, T.; and Lee, P., "Fault Tolerance: Principles and Practices", Prentice Hall International, 1981.

Brutch 96
Brutch, P.; McDonald, M.; Crotwell, L.; Marti, W.; and Pooch, U., "Basic Network Security Tool", http://www.cs.tamu.edu, Technical Report TR 96-033, 1 October 1996.

Brutch 97
Brutch, P.; Marti, W.; White, G.; Pooch, U.; and Pradhan, D., "Intruder Containment: An Automated Method of Response to Potential Security Incidents", 9th Annual FIRST Conference and Workshop on Computer Security Incident Handling and Response, 23-27 June 1997.

Ellison 97
Ellison, R.; Fisher, D.; Linger, R.; et al., "Survivable Network Systems: An Emerging Discipline", CMU/SEI-97-TR-013, Carnegie Mellon University, http://www.cert.org/research, November 1997.

Fisch 97
Fisch, E.; Pooch, U.; and White, G., "The Design and Creation of a UNIX Based Automated Incident Response System", 9th Annual FIRST Conference and Workshop on Computer Security Incident Handling and Response, 23-27 June 1997.

Linger 97
Linger, R.; Mead, N.; and Lipson, H., "Requirements Definition for Survivable Network Systems", http://www.cert.org/research, 1997.

Neumann 97
Neumann, P.; and Porras, P., "A Global View of Information Survivability", 1997 Information Survivability Workshop (ISW 97), February 12-13, 1997.

White 96
White, G.; Fisch, E.; and Pooch, U., "Cooperating Security Managers: A Peer-Based Intrusion Detection System", IEEE Network, Jan./Feb. 1996.


TCP Wrapper is available at (ftp://coast.cs.purdue.edu/pub/tools/unix/tcp_wrappers).

Tiger is available at (ftp://net.tamu.edu/pub/security/TAMU).

Tripwire is available at (ftp://coast.cs.purdue.edu/pub/COAST/Tripwire).

