Title
Intrusion confinement by isolation in information systems
Abstract
System protection mechanisms such as access controls can be fooled by authorized but malicious users, masqueraders, and misfeasors. Intrusion detection techniques are therefore used to supplement them. However, damage could have occurred before an intrusion is detected. In many computing systems the requirement for a high degree of soundness of intrusion reporting can yield poor performance in detecting intrusions and cause long detection latency. As a result, serious damage can be caused either because many intrusions are never detected or the average detection latency is too long. The process of bounding the damage caused by intrusions during intrusion detection is referred to as intrusion confinement. We justify the necessity for intrusion confinement during detection by using a probabilistic analysis model, and propose a general solution to achieve intrusion confinement. The key idea of the solution is to isolate likely suspicious actions before a definite determination of intrusion is reported. We also present two concrete isolation protocols in the database and file system contexts, respectively, to evaluate the feasibility of the general solution, which can be applied to many types of information systems.
Year
1999
Venue
Journal of Computer Security - Special issue on database security
Keywords
intrusion confinement, information systems, the general solution, general solution, information system, because many intrusion, serious damage, intrusion reporting, intrusion detection technique, long detection latency, average detection, intrusion detection, probabilistic analysis, access control
DocType
Conference
Volume
8
Issue
4
ISSN
1571-5736
Citations
30
PageRank
2.19
References
17
Authors
3
Name
Order
Citations
PageRank
Peng Liu123915.80
Sushil Jajodia293751839.16
Catherine McCollum318627.58