|
Intrusion Confinement by Isolation in Information Systems
2000 Award Winner
Peng Liu, Department of Information Systems, University of Maryland
Sushil Jajodia, The MITRE Corporation
Catherine D. McCollum, The MITRE Corporation
ABSTRACT
System protection mechanisms such as access controls can be fooled by authorized but malicious users, masqueraders, and misfeasors. Intrusion detection techniques are therefore used to supplement them. However, damage could have occurred before an intrusion is detected. In many computing systems the requirement for a high degree of soundness of intrusion reporting can yield poor performance in detecting intrusions and cause long detection latency. As a result, serious damage can be caused either because many intrusions are never detected or the average detection latency is too long. The process of bounding the damage caused by intrusions during intrusion detection is referred to as intrusion confinement. We justify the necessity for intrusion confinement during detection by using a probabilistic analysis model, and propose a general solution to achieve intrusion confinement. The key idea of the solution is to isolate likely suspicious actions before a definite determination of intrusion is reported. We also present two concrete isolation protocols in the database and file system contexts, respectively, to evaluate the feasibility of the general solution, which can be applied to many types of information systems.
Publication
Published in 2000. Journal of Computer Security, Vol. 8, pp. 243-279.
Additional Search Keywords
intrusion confinement, isolation, intrusion detections
|
