Intrusion confinement by isolation in information systems

Peng Liu, Sushil Jajodia, Catherine D. McCollum

Research output: Contribution to journalArticle

29 Citations (Scopus)

Abstract

System protection mechanisms such as access controls can be fooled by authorized but malicious users, masqueraders, and misfeasors. Intrusion detection techniques are therefore used to supplement them. However, damage could have occurred before an intrusion is detected. In many computing systems the requirement for a high degree of soundness of intrusion reporting can yield poor performance in detecting intrusions and cause long detection latency. As a result, serious damage can be caused either because many intrusions are never detected or the average detection latency is too long. The process of bounding the damage caused by intrusions during intrusion detection is referred to as intrusion confinement. We justify the necessity for intrusion confinement during detection by using a probabilistic analysis model, and propose a general solution to achieve intrusion confinement. The key idea of the solution is to isolate likely suspicious actions before a definite determination of intrusion is reported. We also present two concrete isolation protocols in the database and file system contexts, respectively, to evaluate the feasibility of the general solution, which can be applied to many types of information systems.

Original languageEnglish (US)
Pages (from-to)243-279
Number of pages37
JournalJournal of Computer Security
Volume8
Issue number4
DOIs
StatePublished - Jan 1 2000

Fingerprint

Intrusion detection
Information systems
Access control
Concretes

All Science Journal Classification (ASJC) codes

  • Software
  • Safety, Risk, Reliability and Quality
  • Hardware and Architecture
  • Computer Networks and Communications

Cite this

Liu, Peng ; Jajodia, Sushil ; McCollum, Catherine D. / Intrusion confinement by isolation in information systems. In: Journal of Computer Security. 2000 ; Vol. 8, No. 4. pp. 243-279.
@article{8eb3b22b5e964e35be5c6b3473133e40,
title = "Intrusion confinement by isolation in information systems",
abstract = "System protection mechanisms such as access controls can be fooled by authorized but malicious users, masqueraders, and misfeasors. Intrusion detection techniques are therefore used to supplement them. However, damage could have occurred before an intrusion is detected. In many computing systems the requirement for a high degree of soundness of intrusion reporting can yield poor performance in detecting intrusions and cause long detection latency. As a result, serious damage can be caused either because many intrusions are never detected or the average detection latency is too long. The process of bounding the damage caused by intrusions during intrusion detection is referred to as intrusion confinement. We justify the necessity for intrusion confinement during detection by using a probabilistic analysis model, and propose a general solution to achieve intrusion confinement. The key idea of the solution is to isolate likely suspicious actions before a definite determination of intrusion is reported. We also present two concrete isolation protocols in the database and file system contexts, respectively, to evaluate the feasibility of the general solution, which can be applied to many types of information systems.",
author = "Peng Liu and Sushil Jajodia and McCollum, {Catherine D.}",
year = "2000",
month = "1",
day = "1",
doi = "10.3233/JCS-2000-8402",
language = "English (US)",
volume = "8",
pages = "243--279",
journal = "Journal of Computer Security",
issn = "0926-227X",
publisher = "IOS Press",
number = "4",

}

Intrusion confinement by isolation in information systems. / Liu, Peng; Jajodia, Sushil; McCollum, Catherine D.

In: Journal of Computer Security, Vol. 8, No. 4, 01.01.2000, p. 243-279.

Research output: Contribution to journalArticle

TY - JOUR

T1 - Intrusion confinement by isolation in information systems

AU - Liu, Peng

AU - Jajodia, Sushil

AU - McCollum, Catherine D.

PY - 2000/1/1

Y1 - 2000/1/1

N2 - System protection mechanisms such as access controls can be fooled by authorized but malicious users, masqueraders, and misfeasors. Intrusion detection techniques are therefore used to supplement them. However, damage could have occurred before an intrusion is detected. In many computing systems the requirement for a high degree of soundness of intrusion reporting can yield poor performance in detecting intrusions and cause long detection latency. As a result, serious damage can be caused either because many intrusions are never detected or the average detection latency is too long. The process of bounding the damage caused by intrusions during intrusion detection is referred to as intrusion confinement. We justify the necessity for intrusion confinement during detection by using a probabilistic analysis model, and propose a general solution to achieve intrusion confinement. The key idea of the solution is to isolate likely suspicious actions before a definite determination of intrusion is reported. We also present two concrete isolation protocols in the database and file system contexts, respectively, to evaluate the feasibility of the general solution, which can be applied to many types of information systems.

AB - System protection mechanisms such as access controls can be fooled by authorized but malicious users, masqueraders, and misfeasors. Intrusion detection techniques are therefore used to supplement them. However, damage could have occurred before an intrusion is detected. In many computing systems the requirement for a high degree of soundness of intrusion reporting can yield poor performance in detecting intrusions and cause long detection latency. As a result, serious damage can be caused either because many intrusions are never detected or the average detection latency is too long. The process of bounding the damage caused by intrusions during intrusion detection is referred to as intrusion confinement. We justify the necessity for intrusion confinement during detection by using a probabilistic analysis model, and propose a general solution to achieve intrusion confinement. The key idea of the solution is to isolate likely suspicious actions before a definite determination of intrusion is reported. We also present two concrete isolation protocols in the database and file system contexts, respectively, to evaluate the feasibility of the general solution, which can be applied to many types of information systems.

UR - http://www.scopus.com/inward/record.url?scp=0034513874&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0034513874&partnerID=8YFLogxK

U2 - 10.3233/JCS-2000-8402

DO - 10.3233/JCS-2000-8402

M3 - Article

AN - SCOPUS:0034513874

VL - 8

SP - 243

EP - 279

JO - Journal of Computer Security

JF - Journal of Computer Security

SN - 0926-227X

IS - 4

ER -