system heals itself
Technology Research News
The human body is largely self-healing
-- you don't have to consciously orchestrate the process of platelets
forming a scab and skin healing over after you cut your finger. Your body
senses what needs to be done and does it automatically, freeing you up
to complain all you want about the pain and inconvenience.
A computer system, however, usually has to stop what it's doing in order
to recover from a virus or hacker attack. This can range from annoying
to expensive: some database systems process thousands of financial transactions
Researchers from Pennsylvania State University are working on a database
system that automates the process of recovering from attacks, and keeps
the database running during the recovery process.
Although it is difficult to prevent intrusions from unauthorized users,
many intrusions can be detected soon after they occur. The key is to contain
the damage so it does not spread, according to Peng Liu, an assistant
professor of information sciences and technology at Penn State University.
With this in mind, the researchers built a system that "monitors its environment
and its health status in real-time," said Liu.
One requirement for database health is that the percentage of corrupted
data objects should be small, said Liu. Whenever the status reaches a
certain threshold, the system adapts its behavior to make sure its health
does not worsen, he said.
The researcher' self-healing system detects intrusions, contains the part
of the database that has been damaged, locates the corrupted data, and
repairs each corrupted data object by restoring its most recent undamaged
backup copy, said Liu.
A key part of the system is that its algorithms only replace corrupted
objects, and it allows the rest of the database to keep processing transactions
while this takes place.
The Penn State process is less interruptive than existing schemes, which
take an entire database off-line to restore it, then must re-create transactions
that occurred between the backup version and when the damage occurred,
according to Liu. Traditional recovery mechanisms address the problem
using complete rollbacks, which undo the work of benign transactions as
well as malicious ones, he said.
The researchers have implemented a prototype system using an Oracle database
running on the Windows NT operating system. The software "can already
support many real-world Oracle database applications," said Liu.
The researchers' software includes a separate log file that keeps track
of transactions written to the database in a more detailed way than the
standard Oracle database log. The software includes an algorithm that
mediates every user transaction in order to collect log information and
make the system aware of the status of transactions.
An intrusion detection algorithm receives an alert when a new event is
recorded in the log, and uses log information to identify bad transactions.
If a bad transaction is active when it is identified, the software will
abort the transaction. If the transaction is already committed, the system
puts it on a list of bad transactions and sends an alert to a repair manager
algorithm so that the damage can be assessed and quickly repaired.
The repair algorithm is based on traditional recovery mechanisms, according
to Liu. The challenge was keeping the database working during the healing
process, he said.
Each repair algorithm has static and dynamic versions. The dynamic version
allows the database to keep running as the repairs are made. The repair
manager keeps tabs on the growing log of on-the-fly histories and marks
any bad or suspect transactions. The repair manager builds an undo transaction
for every bad or suspect transaction and submits it to a scheduler, which
schedules the operations to generate a correct on-the-fly history.
There is a drawback to using the dynamic repair manager algorithm, however,
according to Liu. The researchers' tests show that it backs out, or reverts,
more good transactions than the static version. The advantage of the static
version is that less work must be done reprocessing transactions, but
the database is inaccessible while repairs are taking place.
The work is novel, said Karl Levitt, a professor of computer science at
the University of California at Davis. "Rather than using checkpointing,
it relies on identifying the bad transactions and generating anti-transactions,"
And it uses "a clever method of syntactic dependency to identify, from
the many transactions that occur after a single, attack-causing transaction,
those that are linked to the bad transaction," said Levitt.
One potential drawback to the system is that it relies on the identification
of a single attack transaction, Levitt said. "Some intrusion detection
systems detect the occurrence of a bad state but do not identify the single
transaction, if, indeed, there is just one, that caused the bad state,"
Such a system also has to deal with false positives that get carried over
from the intrusion detector, said Madhavi Gandhi, a researcher at the
University of California at Davis. "Repairing falsely accused bad transactions
may have greater impact than simply falsely detecting them," she said.
The performance hit a database will have to take to run the self-healing
software could also be an issue, said Gandhi. Performance generally degrades
when audit logs are collected; "using triggers in databases also typically
drains performance and is recommended for limited use. The design of the
attack recovery system here seems to use them on all tables," she said.
The self-healing software slows the database 10 to 30 percent, according
to Liu. "Using a lot of triggers does have negative impact," he said.
This may be remedied by integrating the algorithms into the database program,
however, he said. "If our algorithms [were to be] built into the database
kernel, the performance impact should be near zero percent," he said.
This type of work is needed, but rare, Levitt added. "This is one of just
a few papers that suggest work beyond just detecting attacks." The industry
needs ways of automatically responding to attacks "using state restoration,
as this paper suggests; stopping the attack if it is a fast-moving worm;
fighting back, [which is] very controversial; fixing the bug or misconfiguration
that permitted the attack in the first place; [and] deception, to slow
down the attack," he said.
The researchers are looking to give the system the ability to adapt during
the healing process so that it will be less vulnerable to the same damage
a second time, said Liu. "We will extend the work from self-healing to
self-regenerative, where the database system can be generated... into
an even stronger system after self-healing from some attacks," he said.
The researchers are aiming for software that will adapt to its circumstances
in ways similar to living beings, he said. "We ultimately aim for a system
as autonomic and resilient as human bodies."
The system should be ready for practical use in two to four years, according
Liu's research colleagues were Paul Ammann and Sushil Jajodia. They published
the research in the September, 2002 issue of IEEE Transactions on Knowledge
and Data Engineering. The research was funded by The Defense Advanced
Research Projects Agency (DARPA), the U.S. Air Force and the National
Science Foundation (NSF).
Timeline: 2-4 years
TRN Categories: Databases and Information Retrieval; Cryptography
Story Type: News
Related Elements: Technical paper, "Recovery from Malicious
Transactions," IEEE Transactions on Knowledge and Data Engineering, September,
27/December 4, 2002
Molecule stores picture
Fast quantum crypto demoed
Software system heals
Motifs distinguish networks
Oxygen makes nanotube
Research News Roundup
Research Watch blog
View from the High Ground Q&A
How It Works
News | Blog
Buy an ad link