PrISM: Automatic Detection and Prevention from Cyber Attacks

  • Ahmed Zeeshan
  • Anwar M. Masood
  • Zafar M. Faisal
  • Azam Kalim
  • Naheed Farzana
Part of the Communications in Computer and Information Science book series (CCIS, volume 20)

Abstract

Network security is a discipline that focuses on securing networks from unauthorized access. Given the escalating threat of malicious cyber attacks, modern enterprises employ multiple lines of defense. A comprehensive defense strategy against such attacks should include: (1) an attack detection component that determines that a system has been compromised, and (2) an attack identification and prevention component that identifies the attack packets so that such packets can be blocked in the future and the attack prevented from propagating further. Over the last decade, significant research effort has been invested in systems that can detect cyber attacks, either statically at compile time or dynamically at run time. However, not much effort has been spent on automated attack packet identification or attack prevention. In this paper, we present a unified solution to these problems. We implemented this solution after reverse engineering an Open Source Security Information Management (OSSIM) system; the resulting system, called Preventive Information Security Management (PrISM), correlates input from different sensors so that it can automatically detect any cyber attack against it and prevent the attack by identifying the actual attack packet(s). PrISM was always able to detect the attacks and identify the attack packets, and most often prevented the attack by blocking the attacker's IP address so that normal execution could continue. Attack prevention adds no run-time performance overhead.
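As an added illustration of the sensor-correlation, attack-packet identification and IP-blocking pipeline the abstract describes (this is not PrISM's or OSSIM's code), the toy engine below fuses events from several sensors per source IP inside a time window, declares an attack only when the fused score crosses a threshold and at least two sensors corroborate it, and returns the packet identifiers and block rule. Sensor names, scores, the window, the threshold and the sample events are all constructed assumptions.

```python
"""Toy OSSIM-style correlation engine (added example, not PrISM code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: float      # seconds since start of capture
    sensor: str    # which sensor raised it (assumed names: nids, anomaly)
    src: str       # source IP of the packet that triggered the event
    pkt_id: int    # identifier of the captured packet
    score: int     # sensor-assigned severity (assumed scale)


WINDOW = 60.0      # correlation window in seconds (assumption)
THRESHOLD = 10     # fused score at which an attack is declared (assumption)


def correlate(events):
    """Return {src: (fused_score, [pkt_ids], [sensors])} for every source
    whose events inside one window reach THRESHOLD with >= 2 distinct
    sensors; the packet ids are the identified attack packets."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        for i, first in enumerate(evs):          # slide the window start
            win = [e for e in evs[i:] if e.ts - first.ts <= WINDOW]
            sensors = {e.sensor for e in win}
            score = sum(e.score for e in win)
            if score >= THRESHOLD and len(sensors) >= 2:
                verdicts[src] = (score, sorted({e.pkt_id for e in win}),
                                 sorted(sensors))
                break
    return verdicts


def block_rules(verdicts):
    """One drop rule per attacker IP; format is illustrative only."""
    return [f"DROP src {src}" for src in sorted(verdicts)]


# Constructed sample events: one real attacker corroborated by two sensors,
# one benign host with a single alert, one noisy host seen by only one sensor.
SAMPLE = [
    Event(0.0, "nids", "10.0.0.9", 1, 6),
    Event(12.0, "anomaly", "10.0.0.9", 2, 5),
    Event(5.0, "nids", "10.0.0.5", 3, 6),
    Event(3.0, "nids", "10.0.0.7", 4, 6),
    Event(20.0, "nids", "10.0.0.7", 5, 6),
    Event(400.0, "anomaly", "10.0.0.9", 6, 5),   # outside the window
]
```

Only 10.0.0.9 is blocked: 10.0.0.7 scores high but from a single sensor, and the late event at t=400 is not part of the identified attack packets.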

Keywords

Information Security Management System; Network security; Computer Security; Intrusion Detection; Intrusion Prevention

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Ahmed Zeeshan (1)
  • Anwar M. Masood (1)
  • Zafar M. Faisal (1)
  • Azam Kalim (1)
  • Naheed Farzana (1)
  1. Informatics Complex (ICCC), Islamabad, Pakistan