Next: Discussion Up: Automated Response Using System-Call Previous: pH in Practice

Related Work

Our approach to homeostatic computing is similar in spirit to Brooks' approach to mobile robot control, based on loosely coupled feedback loops, real-time interactions with dynamic environments, and no centralized representation of the outside world [9,10]. We believe Brooks' subsumption architecture can be applied to the construction of a computer security system. pH in its current form is analogous to feedback loops that help a robot maintain balance; with the addition of a parameter-adjusting control daemon, we may be able to teach pH how to ``walk.''

Although research IDSs have performed anomaly detection for years [1,27,17,16], most commercial systems emphasize misuse detection (i.e., pattern matching for known attacks), which requires frequent signature updates as new exploits are developed. Many current commercial network IDSs [3,12,22] are capable of automatically responding to network attacks through increased logging, firewall reconfiguration, termination of connections, and even automatic blocking of suspicious networks. Combined host and network IDSs such as ISS RealSecure [22] can also respond to threats by terminating individual processes. However, because responses that halt attacks can also cause significant service reductions, these responses must be reserved for attacks that can be easily and reliably identified through specific misuse signatures. Although useful for high-security installations, actions such as session capture and email/pager notification are simply a burden to most administrators.

Sekar, Bowen, and Segal [30] have developed a specification-based approach for intrusion detection and automated response at the system-call level. They have created a language called ASL for specifying program behavior and responses to abnormal behavior, and they have created Linux kernel extensions which allow their specifications to be enforced on-line. Their approach has the advantage of allowing subtle responses to security violations, ranging from changing system call arguments to confining a program to an alternative file system. Unfortunately, it also has the disadvantage of being labor-intensive: specifications must be constructed manually for each executable.

Michael Ernst and others at the University of Washington have developed techniques for dynamically determining program invariants [15]. pH also dynamically detects invariants in program behavior, although it does so at the system-call instead of the data-structure level. Perhaps Ernst's techniques could be used to create an online data monitoring tool which would complement the system-call monitoring of pH.

Delays are used throughout computing to achieve varying goals. Most laptop CPUs have the ability to run at a slower speed to minimize heat or maximize battery life; Transmeta's Crusoe processor [14] goes a step further by allowing the speed of the chip to vary continuously in response to system load, maximizing battery life and perceived performance. The Ethernet protocol arbitrates wire access by having transmitting computers exponentially delay their packets when collisions are detected [36]. And, at the software level, the standard login program on most UNIX systems delays repeated login attempts to interfere with password-guessing attacks. A final example is the program getty, which notices if it spawns processes too frequently on a given tty device and, in this event, puts itself to sleep for a few minutes.

The core of pH can be seen as an unusual type of process scheduling. In most UNIX systems [4], processes are scheduled using static priorities (provided by the administrator), dynamic priorities (based on recent CPU and I/O behavior), and the number of processes on the system. ``Fair share'' schedulers divide CPU time between users, not processes [18,24]. pH's delay mechanism could be viewed as an implicit mechanism for allocating CPU time; however, instead of being fair to all processes or users, it favors processes which are behaving ``normally.''
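The view of delay as an implicit CPU allocator, and the exponential backoff of the Ethernet and login examples above, can be made concrete with a small simulation. The following Python is an added example and is not code from the paper or from pH itself: it models one CPU shared by several processes, where every system call costs one tick and is followed by a sleep that doubles with each recent anomaly the process has accumulated, truncated after a fixed number of doublings in the manner of Ethernet's backoff. The doubling delay, the cap (`MAX_DOUBLINGS`), the names `delay_for`, `simulate`, `cpu_share` and `Proc`, and the workload are all assumptions made for this illustration; this section does not state pH's actual delay function, and the simulation should not be read as one.

```python
"""Delay-based throttling as implicit CPU allocation (added example).

Discrete-event model of one CPU shared by several processes. Each process
issues system calls back to back; each call costs one tick of CPU, after
which the process sleeps for a delay that doubles with every recent anomaly
it has accumulated, capped like Ethernet's truncated binary exponential
backoff. The delay formula and the cap are assumptions for this simulation,
not the paper's own delay function. A sleeping process holds no CPU, so the
CPU is implicitly handed to the processes with fewer anomalies.
"""
import collections
import heapq
from dataclasses import dataclass

MAX_DOUBLINGS = 10  # assumption: stop doubling after 10 anomalies (truncated backoff)


def delay_for(anomalies, base=1, cap=MAX_DOUBLINGS):
    """Ticks of sleep imposed after each system call of a process with
    `anomalies` recent anomalous calls: 0 for a clean process, otherwise
    base * 2**anomalies with the exponent truncated at `cap`."""
    if anomalies <= 0:
        return 0
    return base * (2 ** min(anomalies, cap))


@dataclass(frozen=True)
class Proc:
    name: str
    anomalies: int  # number of recent anomalous system calls (constructed input)


def simulate(procs, horizon, base=1):
    """Run the CPU for `horizon` ticks; return {name: system calls completed}.

    Ready processes are served first-come, first-served. A process that wakes
    from its delay joins the back of the ready queue; ties in wake-up time are
    broken by the order in which the sleeps were scheduled, so a run is
    deterministic for a given workload.
    """
    counts = {p.name: 0 for p in procs}
    by_name = {p.name: p for p in procs}
    sleeping = []  # min-heap of (wake_time, sequence, name)
    seq = 0
    for p in procs:
        heapq.heappush(sleeping, (0, seq, p.name))  # everyone is ready at t=0
        seq += 1
    ready = collections.deque()
    t = 0
    while t < horizon:
        while sleeping and sleeping[0][0] <= t:  # move woken processes to the queue
            _, _, name = heapq.heappop(sleeping)
            ready.append(name)
        if not ready:
            t = sleeping[0][0]  # CPU idle: skip ahead to the next wake-up
            continue
        name = ready.popleft()
        counts[name] += 1  # one system call consumes one tick of CPU
        t += 1
        wake = t + delay_for(by_name[name].anomalies, base)
        heapq.heappush(sleeping, (wake, seq, name))
        seq += 1
    return counts


def cpu_share(counts):
    """Fraction of completed calls (equivalently, of CPU ticks) per process."""
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()}


if __name__ == "__main__":
    # Constructed workload: one well-behaved process and two anomalous ones.
    workload = [Proc("normal", 0), Proc("suspicious", 3), Proc("hostile", 8)]
    result = simulate(workload, horizon=10_000)
    for name, share in cpu_share(result).items():
        print(f"{name:10s} {result[name]:6d} calls  {share:6.1%} of CPU")
```

No priority is ever assigned: the clean process simply absorbs the ticks its delayed neighbours give up. With one clean process and one carrying six recent anomalies (a 64-tick sleep per call), the anomalous process completes only 16 of 1000 calls, which is the "favors processes which are behaving normally" effect stated above, produced purely by delay.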

Research on high-performance operating systems emphasizes extensible [5,31] and minimal [23] kernels. These systems require novel security mechanisms to moderate the increased power given to application programs, relative to operating systems with conventional, monolithic kernels. In contrast, our work on biologically-inspired OS extensions assumes a conventional kernel, and aims to increase the stability and security of the system.

Adaptive, on-line control has been widely studied as a method for improving system performance. Whether motivated by non-stationary workloads [7], extensible operating systems [32], parallelism [25], or on-line database transaction processing [39], researchers have focused on using adaptive methods to improve system performance, not robustness. Work on adaptive control in real-time systems [6] is an exception in that it uses adaptation to help meet timing and robustness constraints.

Finally, pH can be seen as a type of fault-tolerant system [8,33,19], except that we focus on security violations instead of hardware or software failures.

Anil B. Somayaji 2000-06-14