Defending The Data

FAYETTEVILLE, Ark. — War is being waged around the globe, but the target is neither people nor buildings — it is data. Stored in networked computers, huge databases enable everything from business transactions to military operations, medical research and Internet browsing. But in information warfare adversaries attack these databases and modify or delete data. The damage can range from loss of money to loss of lives.

University of Arkansas researcher Brajendra Panda, associate professor of computer science and computer engineering, specializes in defensive information warfare. He works with the U.S. Air Force to develop more effective detection and response methods to prevent damage by these invasions. An FBI survey released yesterday found about 90 percent of business, government and educational institutions detected computer security breaches in the past year.

Panda has developed systems that will allow computers to detect incursions and respond more rapidly, without using most of the computer’s resources. This approach allows the database to continue to function while it is being repaired. He presented his results at the Association for Computing Machinery Symposium on Applied Computing in March in Madrid, Spain, and at the International Society for Computers and Their Applications Annual Conference in San Francisco last week.

"Malicious attacks on an organization’s information base by electronic means — information warfare — can be intended to cause a temporary disruption in operations, such as a denial of service attack, or extensive damage to the system," explained Panda. "The attackers may be external hackers and crackers from other companies or governments who come in over the network, or an unhappy organization insider."

Defensive information warfare requires protection of the system, detection of intrusion and rapid reaction and recovery of the database. If an invasion occurs, the system must be able to identify the data element that has been changed and every operation that has occurred since that change. It must also recover and restore the system accurately in a minimum amount of time.

"Speed is vital in recovering a database," said Panda. "Infected data spreads like cancer. A quick and accurate response is critical to the survival of the system."

In the early days of networked computing, data recovery techniques focused on catastrophic machine failure. But, in the past five years attention has become focused on data security and information warfare. Network users have become familiar with constant warnings about computer viruses, which can damage or destroy data, and worms, which can spread without human assistance and slow a network to a crawl. However, most users remain unaware of the extent of information warfare and the damage that it can cause.

As an example, Panda points to the NATO bombing of the Chinese Embassy in Belgrade, Yugoslavia, in 1999. Because databases queried before the target was selected had incorrect data and failed to identify the coordinates correctly, three people were killed and the United States was embroiled in a major international incident.

There are many approaches to system protection, the first component of defensive information warfare, including authentication, access control, firewalls, data encryption and digital signatures. However, there are only two major approaches to detection and recovery — transaction dependency and data dependency.

"Transaction dependency, the old approach, looks at the relationship between individual transactions. It can be slow and inefficient because it requires unaffected transactions to be undone and redone," Panda explained. "The currently available data-dependency approach looks at the state of each data point to determine if it has changed and authenticate that change. It is faster, but it is also limited."

Panda developed a method that makes the data dependency approach more useful. His damage-assessment algorithm considers the dependencies among data items accessed by various transactions, precisely identifies affected data items in a damaged database and restores them to their consistent values.

If the database is to survive, it must be up and running, but detection and restoration can use up most of the system resources and make accessing the database difficult. One of the most resource-intensive parts of recovery is developing a log of transaction records so that affected transactions can be identified. Not only is this logging process time consuming at a point when speed is vital, but traditional logging methods do not record read operations and purge the log periodically, while data restoration requires that the log never be purged.

Panda has developed a fast-logging technique that increases the speed at which data moves through the system. This approach to damage assessment segments the log according to a fixed size cluster, which reduces the amount of computation required to create the log and expedites information retrieval.

"Accurate logging of events is an important part of damage assessment in defensive information warfare," said Panda. "The damage assessment algorithms produce a list of all malicious and affected transactions. The extended data dependency approach can then be used to carry out the recovery process."