Abstract
Network security is the discipline of protecting networks from unauthorized access. Given the escalating threat of malicious cyber attacks, modern enterprises employ multiple lines of defense. A comprehensive defense strategy against such attacks should include: (1) an attack detection component that determines that a system has been compromised, and (2) an attack identification and prevention component that identifies the attack packets, so that such packets can be blocked in the future and the attack prevented from propagating further. Over the last decade, significant research effort has been invested in systems that detect cyber attacks, either statically at compile time or dynamically at run time. Much less effort has been spent on automated attack packet identification or attack prevention. In this paper, we present a unified solution to these problems. We implemented this solution, called the Preventive Information Security Management (PrISM) system, after reverse engineering an Open Source Security Information Management (OSSIM) system. PrISM correlates input from different sensors so that the resulting product can automatically detect any cyber attack against it and prevent the attack by identifying the actual attack packet(s). PrISM always detected the attacks and identified the attack packets, and most often prevented the attack by blocking the attacker's IP address, allowing the system to continue normal execution. Attack prevention adds no additional run-time performance overhead.
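The abstract describes two cooperating components: detection that confirms a compromise by correlating several sensors, and identification/prevention that singles out the attack packets and blocks the attacker's IP address. The following Python is an added illustration of that control flow, not PrISM's own code or any OSSIM component: the sensor event format, the sensor names ("nids", "hids"), the correlation window, the threshold of two agreeing sensors and the iptables-style block rule are all assumptions made for this example, and the events are constructed. The `never_block` allowlist is a caveat a practitioner would want: an attacker who spoofs a trusted source address could otherwise turn automatic blocking into a denial of service against that address.

```python
"""Sensor correlation, attack-packet identification and IP blocking.

Added example, not PrISM's code. Sensor formats, thresholds and the block
rule shape are assumptions; the sample events below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sensor events (assumed format): sensor name, timestamp in
# seconds, source IP, free-text detail, and for the network sensor the id of
# the captured packet that raised the alert.
SAMPLE_EVENTS = [
    {"sensor": "nids", "ts": 100, "src": "203.0.113.7", "detail": "SHELLCODE x86 NOOP", "pkt_id": 4101},
    {"sensor": "hids", "ts": 103, "src": "203.0.113.7", "detail": "httpd segfault at 0x41414141"},
    {"sensor": "nids", "ts": 105, "src": "203.0.113.7", "detail": "SHELLCODE x86 NOOP", "pkt_id": 4102},
    {"sensor": "nids", "ts": 200, "src": "198.51.100.9", "detail": "ICMP PING NMAP", "pkt_id": 5000},
    {"sensor": "hids", "ts": 900, "src": "198.51.100.9", "detail": "sshd: failed password"},
]


@dataclass
class Verdict:
    compromised: set = field(default_factory=set)       # source IPs confirmed by >= min_sensors
    attack_packets: dict = field(default_factory=dict)  # source IP -> [pkt_id, ...]
    block_rules: list = field(default_factory=list)     # firewall rules to apply


def correlate(events, window=60, min_sensors=2, never_block=frozenset()):
    """Detection: a source IP is declared to have compromised the host when at
    least `min_sensors` distinct sensors report it within `window` seconds.
    Identification: the network-sensor packets from that IP are the attack packets.
    Prevention: emit a drop rule for the IP unless it is on `never_block`.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    verdict = Verdict()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window over the time-ordered events for this IP and look for
        # agreement between different sensors inside the window.
        for i, first in enumerate(evs):
            sensors = {e["sensor"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(sensors) >= min_sensors:
                verdict.compromised.add(src)
                break

    for src in sorted(verdict.compromised):
        verdict.attack_packets[src] = [e["pkt_id"] for e in by_src[src] if e["sensor"] == "nids"]
        if src in never_block:
            continue  # spoofable address: flag it, but never auto-block it
        verdict.block_rules.append(f"iptables -I INPUT -s {src} -j DROP")
    return verdict


if __name__ == "__main__":
    v = correlate(SAMPLE_EVENTS)
    print("compromised by:", sorted(v.compromised))
    print("attack packets:", v.attack_packets)
    print("block rules:", v.block_rules)
```

With the constructed events, only 203.0.113.7 is confirmed: the network alert and the host-side crash fall three seconds apart, so two sensors agree and both of its alert packets are identified. The scan from 198.51.100.9 and the later failed login are 700 seconds apart, outside the window, so a single sensor's alert alone does not trigger a block.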
© 2008 Springer-Verlag Berlin Heidelberg
Cite this paper
Zeeshan, A., Masood, A.M., Faisal, Z.M., Kalim, A., Farzana, N. (2008). PrISM: Automatic Detection and Prevention from Cyber Attacks. In: Hussain, D.M.A., Rajput, A.Q.K., Chowdhry, B.S., Gee, Q. (eds) Wireless Networks, Information Processing and Systems. IMTIC 2008. Communications in Computer and Information Science, vol 20. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-89853-5_46
DOI: https://doi.org/10.1007/978-3-540-89853-5_46
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-89852-8
Online ISBN: 978-3-540-89853-5