Software system heals itself

By Kimberly Patch, Technology Research News

The human body is largely self-healing -- you don't have to consciously orchestrate the process of platelets forming a scab and skin healing over after you cut your finger. Your body senses what needs to be done and does it automatically, freeing you up to complain all you want about the pain and inconvenience.

A computer system, however, usually has to stop what it's doing in order to recover from a virus or hacker attack. This can range from annoying to expensive: some database systems process thousands of financial transactions per second.

Researchers from Pennsylvania State University are working on a database system that automates the process of recovering from attacks, and keeps the database running during the recovery process.

Although it is difficult to prevent intrusions from unauthorized users, many intrusions can be detected soon after they occur. The key is to contain the damage so it does not spread, according to Peng Liu, an assistant professor of information sciences and technology at Penn State University. With this in mind, the researchers built a system that "monitors its environment and its health status in real-time," said Liu.

One requirement for database health is that the percentage of corrupted data objects should be small, said Liu. Whenever the status reaches a certain threshold, the system adapts its behavior to make sure its health does not worsen, he said.

The researcher' self-healing system detects intrusions, contains the part of the database that has been damaged, locates the corrupted data, and repairs each corrupted data object by restoring its most recent undamaged backup copy, said Liu.

A key part of the system is that its algorithms only replace corrupted objects, and it allows the rest of the database to keep processing transactions while this takes place.

The Penn State process is less interruptive than existing schemes, which take an entire database off-line to restore it, then must re-create transactions that occurred between the backup version and when the damage occurred, according to Liu. Traditional recovery mechanisms address the problem using complete rollbacks, which undo the work of benign transactions as well as malicious ones, he said.

The researchers have implemented a prototype system using an Oracle database running on the Windows NT operating system. The software "can already support many real-world Oracle database applications," said Liu.

The researchers' software includes a separate log file that keeps track of transactions written to the database in a more detailed way than the standard Oracle database log. The software includes an algorithm that mediates every user transaction in order to collect log information and make the system aware of the status of transactions.

An intrusion detection algorithm receives an alert when a new event is recorded in the log, and uses log information to identify bad transactions. If a bad transaction is active when it is identified, the software will abort the transaction. If the transaction is already committed, the system puts it on a list of bad transactions and sends an alert to a repair manager algorithm so that the damage can be assessed and quickly repaired.

The repair algorithm is based on traditional recovery mechanisms, according to Liu. The challenge was keeping the database working during the healing process, he said.

Each repair algorithm has static and dynamic versions. The dynamic version allows the database to keep running as the repairs are made. The repair manager keeps tabs on the growing log of on-the-fly histories and marks any bad or suspect transactions. The repair manager builds an undo transaction for every bad or suspect transaction and submits it to a scheduler, which schedules the operations to generate a correct on-the-fly history.

There is a drawback to using the dynamic repair manager algorithm, however, according to Liu. The researchers' tests show that it backs out, or reverts, more good transactions than the static version. The advantage of the static version is that less work must be done reprocessing transactions, but the database is inaccessible while repairs are taking place.

The work is novel, said Karl Levitt, a professor of computer science at the University of California at Davis. "Rather than using checkpointing, it relies on identifying the bad transactions and generating anti-transactions," he said.

And it uses "a clever method of syntactic dependency to identify, from the many transactions that occur after a single, attack-causing transaction, those that are linked to the bad transaction," said Levitt.

One potential drawback to the system is that it relies on the identification of a single attack transaction, Levitt said. "Some intrusion detection systems detect the occurrence of a bad state but do not identify the single transaction, if, indeed, there is just one, that caused the bad state," he said.

Such a system also has to deal with false positives that get carried over from the intrusion detector, said Madhavi Gandhi, a researcher at the University of California at Davis. "Repairing falsely accused bad transactions may have greater impact than simply falsely detecting them," she said.

The performance hit a database will have to take to run the self-healing software could also be an issue, said Gandhi. Performance generally degrades when audit logs are collected; "using triggers in databases also typically drains performance and is recommended for limited use. The design of the attack recovery system here seems to use them on all tables," she said.

The self-healing software slows the database 10 to 30 percent, according to Liu. "Using a lot of triggers does have negative impact," he said. This may be remedied by integrating the algorithms into the database program, however, he said. "If our algorithms [were to be] built into the database kernel, the performance impact should be near zero percent," he said.

This type of work is needed, but rare, Levitt added. "This is one of just a few papers that suggest work beyond just detecting attacks." The industry needs ways of automatically responding to attacks "using state restoration, as this paper suggests; stopping the attack if it is a fast-moving worm; fighting back, [which is] very controversial; fixing the bug or misconfiguration that permitted the attack in the first place; [and] deception, to slow down the attack," he said.

The researchers are looking to give the system the ability to adapt during the healing process so that it will be less vulnerable to the same damage a second time, said Liu. "We will extend the work from self-healing to self-regenerative, where the database system can be generated... into an even stronger system after self-healing from some attacks," he said.

The researchers are aiming for software that will adapt to its circumstances in ways similar to living beings, he said. "We ultimately aim for a system as autonomic and resilient as human bodies."

The system should be ready for practical use in two to four years, according to Liu.

Liu's research colleagues were Paul Ammann and Sushil Jajodia. They published the research in the September, 2002 issue of IEEE Transactions on Knowledge and Data Engineering. The research was funded by The Defense Advanced Research Projects Agency (DARPA), the U.S. Air Force and the National Science Foundation (NSF).

Timeline:   2-4 years
Funding:   Government
TRN Categories:  Databases and Information Retrieval; Cryptography and Security
Story Type:   News
Related Elements:  Technical paper, "Recovery from Malicious Transactions," IEEE Transactions on Knowledge and Data Engineering, September, 2002.


November 27/December 4, 2002

Page One

Molecule stores picture

Fast quantum crypto demoed

Software system heals itself

Motifs distinguish networks

Oxygen makes nanotube memory


Research News Roundup
Research Watch blog

View from the High Ground Q&A
How It Works

RSS Feeds:
News  | Blog  | Books 

Ad links:
Buy an ad link


Ad links: Clear History

Buy an ad link

Home     Archive     Resources    Feeds     Offline Publications     Glossary
TRN Finder     Research Dir.    Events Dir.      Researchers     Bookshelf
   Contribute      Under Development     T-shirts etc.     Classifieds
Forum    Comments    Feedback     About TRN

© Copyright Technology Research News, LLC 2000-2006. All rights reserved.