Intrusion detection in distributed systems, an approach based on taint marking

Christophe Hauser (1, 2), Frédéric Tronel (1), Colin Fidge (2), Ludovic Mé (1)
1: CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition
CentraleSupélec, Inria Rennes – Bretagne Atlantique, IRISA-D1 - SYSTÈMES LARGE ÉCHELLE
Abstract: This paper presents a new framework for distributed intrusion detection based on taint marking. Our system tracks information flows between applications on multiple hosts gathered in groups (i.e., sets of hosts sharing the same distributed information flow policy) by attaching taint labels to system objects such as files, sockets, Inter-Process Communication (IPC) abstractions, and memory mappings. Labels are carried over the network by tainting network packets. A distributed information flow policy is defined for each group at the host level by labeling information and defining how users and applications may legally access, alter, or transfer information towards other trusted or untrusted hosts. As opposed to existing approaches, where information is most often represented by two security levels (low/high, public/private, etc.), our model identifies each piece of information within a distributed system and defines their legal interactions in a fine-grained manner. Hosts store and exchange security labels in a peer-to-peer fashion, and there is no central monitor. Our IDS is implemented in the Linux kernel as a Linux Security Module (LSM) and runs unmodified standard software on commodity hardware. The only trusted code is our modified operating system kernel. Finally, we present an intrusion scenario in a web service running on multiple hosts and show how our distributed IDS reports security violations at the level of each host.
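The label-propagation and per-host policy checking that the abstract describes, as an added example that is not the paper's LSM code: a small Python model in which the hosts of a group share a policy mapping each label to the applications, per host, that may hold information carrying it. Object labels flow into a process on read, process labels flow into objects on write and into packets on send; the sending host flags transfers towards hosts not trusted for a label, and a monitored receiving host re-checks the arriving packet against the same policy, so violations are reported at each host. The policy format, the host names (db1, web1, log1, 203.0.113.7), the application names and the file paths are assumptions made for this example.

```python
"""Toy model of taint-label propagation with per-host policy checks.

Constructed illustration for this page; not the paper's Linux Security Module.
The policy format, host and application names and file paths are assumptions.
"""

# Group policy: label -> {host -> set of applications allowed to hold it}.
# A host absent from a label's entry is untrusted for that label.
POLICY = {
    "customer_records": {"db1": {"mysqld"}, "web1": {"php-fpm"}},
    "web_logs": {"web1": {"httpd"}, "log1": {"rsyslogd"}},
}


class Host:
    """One monitored host: its labeled objects, its processes and its alerts."""

    def __init__(self, name, policy=POLICY):
        self.name = name
        self.policy = policy
        self.objects = {}  # object name -> set of labels (file, socket, IPC, mapping)
        self.procs = {}    # pid -> [application name, set of labels]
        self.alerts = []   # violations reported at this host

    def create_object(self, name, labels=()):
        self.objects[name] = set(labels)

    def start(self, pid, app):
        self.procs[pid] = [app, set()]

    def _allowed(self, label, app):
        return app in self.policy.get(label, {}).get(self.name, set())

    def _report(self, labels, app, what):
        """Record one alert per label that this application may not hold."""
        bad = sorted(l for l in labels if not self._allowed(l, app))
        for label in bad:
            self.alerts.append(f"{self.name}: {app} {what} with label {label}")
        return bad

    def read(self, pid, obj):
        """Object labels flow into the reading process (detect, do not block)."""
        app, plabels = self.procs[pid]
        bad = self._report(self.objects[obj], app, f"read {obj}")
        plabels |= self.objects[obj]
        return bad

    def write(self, pid, obj):
        """Process labels flow into the written object."""
        _, plabels = self.procs[pid]
        self.objects.setdefault(obj, set()).update(plabels)

    def send(self, pid, group, dst_host, dst_pid):
        """Carry the process labels in the packet; the sender checks the destination host."""
        app, plabels = self.procs[pid]
        packet = frozenset(plabels)
        bad = sorted(l for l in packet if dst_host not in self.policy.get(l, {}))
        for label in bad:
            self.alerts.append(
                f"{self.name}: {app} sent label {label} towards untrusted host {dst_host}")
        if dst_host in group:  # a monitored peer re-checks the packet on arrival
            group[dst_host].receive(dst_pid, packet, f"{self.name}:{app}")
        return bad

    def receive(self, pid, packet, sender):
        """The receiver checks that the destination application may hold the labels."""
        app, plabels = self.procs[pid]
        bad = self._report(packet, app, f"received packet from {sender}")
        plabels |= packet
        return bad


def run_scenario():
    """Web service on three monitored hosts plus an outside host; returns alerts per host."""
    db1, web1, log1 = Host("db1"), Host("web1"), Host("log1")
    group = {h.name: h for h in (db1, web1, log1)}
    db1.create_object("/var/lib/mysql/customers.ibd", {"customer_records"})
    db1.start(100, "mysqld")
    web1.start(200, "php-fpm")
    web1.start(201, "sh")          # e.g. a shell running under the web application's identity
    log1.start(300, "rsyslogd")

    db1.read(100, "/var/lib/mysql/customers.ibd")   # legal
    db1.send(100, group, "web1", 200)               # legal: php-fpm on web1 may hold it
    web1.write(200, "/tmp/cache")                   # cache file is now tainted
    web1.read(201, "/tmp/cache")                    # sh may not hold it: alert at web1
    web1.send(201, group, "log1", 300)              # log1 untrusted: alert at web1 and at log1
    web1.send(201, group, "203.0.113.7", 0)         # outside host: alert at web1 only
    return {h.name: list(h.alerts) for h in group.values()}


if __name__ == "__main__":
    for host, alerts in run_scenario().items():
        print(host, alerts)
```

The model only detects: flows are recorded and reported, never blocked, which matches an IDS rather than an enforcement layer. Because the label set travels with the packet, the receiving host needs no central monitor to decide whether the delivering application is permitted; it consults the shared group policy locally.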
Document type: Conference papers
Contributor: Frédéric Tronel
Submitted on: Tuesday, July 2, 2013 - 11:51:55 AM
Last modification on: Wednesday, February 2, 2022 - 3:50:52 PM
Long-term archiving on: Thursday, October 3, 2013 - 4:08:26 AM


Publisher files allowed on an open archive


• HAL Id: hal-00840338, version 1


Christophe Hauser, Frédéric Tronel, Colin Fidge, Ludovic Mé. Intrusion detection in distributed systems, an approach based on taint marking. IEEE ICC2013 - IEEE International Conference on Communications, Jun 2013, Budapest, Hungary. ⟨hal-00840338⟩