Intrusion detection in distributed systems, an approach based on taint marking

Hauser, Christophe, Tronel, Frederic, Mé, Ludovic, & Fidge, Colin J. (2013) Intrusion detection in distributed systems, an approach based on taint marking. In Proceedings of the 2013 IEEE International Conference on Communications (ICC), IEEE Computer Society, Budapest, Hungary, pp. 1962-1967.

View at publisher


This paper presents a new framework for distributed intrusion detection based on taint marking. Our system tracks information flows between applications of multiple hosts gathered in groups (i.e., sets of hosts sharing the same distributed information flow policy) by attaching taint labels to system objects such as files, sockets, Inter Process Communication (IPC) abstractions, and memory mappings. Labels are carried over the network by tainting network packets. A distributed information flow policy is defined for each group at the host level by labeling information and defining how users and applications can legally access, alter or transfer information towards other trusted or untrusted hosts. As opposed to existing approaches, where information is most often represented by two security levels (low/high, public/private, etc.), our model identifies each piece of information within a distributed system, and defines their legal interaction in a fine-grained manner. Hosts store and exchange security labels in a peer to peer fashion, and there is no central monitor. Our IDS is implemented in the Linux kernel as a Linux Security Module (LSM) and runs standard software on commodity hardware with no required modification. The only trusted code is our modified operating system kernel. We finally present a scenario of intrusion in a web service running on multiple hosts, and show how our distributed IDS is able to report security violations at each host level.

Impact and interest:

1 citations in Scopus
Search Google Scholar™

Citation counts are sourced monthly from Scopus and Web of Science® citation databases.

These databases contain citations from different subsets of available publications and different time periods and thus the citation count from each is usually different. Some works are not in either database and no count is displayed. Scopus includes citations from articles published in 1996 onwards, and Web of Science® generally from 1980 onwards.

Citations counts from the Google Scholar™ indexing service can be viewed at the linked Google Scholar™ search.

Full-text downloads:

82 since deposited on 24 Nov 2013
9 in the past twelve months

Full-text downloads displays the total number of times this work’s files (e.g., a PDF) have been downloaded from QUT ePrints as well as the number of downloads in the previous 365 days. The count includes downloads for all files if a work has more than one.

ID Code: 64725
Item Type: Conference Paper
Refereed: Yes
Additional URLs:
Keywords: Information security, Computer networking, Taint analysis, Intrusion detection
DOI: 10.1109/ICC.2013.6654811
ISBN: 978-1-4673-3122-7
Subjects: Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > COMPUTER SOFTWARE (080300) > Computer System Security (080303)
Divisions: Current > QUT Faculties and Divisions > Science & Engineering Faculty
Copyright Owner: Copyright 2013 IEEE
Deposited On: 24 Nov 2013 22:43
Last Modified: 26 Nov 2013 22:42

Export: EndNote | Dublin Core | BibTeX

Repository Staff Only: item control page