Random r-Continuous Matching Rule for Immune-Based Secure Storage System
Cai Tao, Ju ShiGuang, Zhong Wei, and Niu DeJiao*
JiangSu University, Computer Department, ZhengJiang, China, 212013
caitao@ujs.edu.cn

Abstract. Starting from the requirements of a secure storage system, this paper applies the artificial immune algorithm to the access control component of such a system. We first introduce and analyze the matching rules in current use, then define the elements of an immune-based access control system. To improve the efficiency of the artificial immune algorithm we propose the random r-continuous matching rule and analyze the number of illegal access requests that one detector can detect. A prototype of the random r-continuous matching rule is implemented to evaluate its performance against the current matching rules; the result shows that the random r-continuous matching rule is more efficient. Finally, we use the random r-continuous matching rule to build an immune-based access control system for the OST in Lustre. Its I/O performance loss is below 8%, which indicates that the random r-continuous matching rule can be used to build a secure storage system that keeps high I/O performance.

Keywords: matching rule; artificial immune algorithm; secure storage system.

1 Introduction

The secure storage system is a hot topic in current research, which follows six directions. First, encrypting file systems to secure the storage system: CFS[1], AFS[2], SFS[3,4] and Secure NAS[5]. Second, new disk structures that realize secure storage: NASD[6] and Self-Securing Storage[7,8]. Third, survivability strategies for storage systems: PASIS[9,10] and OceanStore[11].
Fourth, efficient key management strategies for secure storage: SNAD[12,13,14], PLUTUS[15] and the iSCSI-based network attached storage secure system[16]. Fifth, secure middleware modules that secure the storage system: SiRiUS[17] and the two-layered secure structure for storage systems[18]. Sixth, using zoning and masking to secure the storage system.

Encryption, authentication, data redundancy and intrusion detection are all used in current secure storage research. But securing the enormous amount of data held in a storage system costs much time and space, and the I/O performance loss of such secure storage systems is large. High I/O performance is an essential property of a storage system. We therefore use the artificial immune algorithm to research a fast access control strategy for the secure storage system.

* Supported by JiangSu Science Foundation of China No.2007086.
E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 294–300, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009

The artificial immune algorithm simulates the natural immune system and has many desirable properties, such as distributability, multi-layering, diversity, autonomy and adaptability, so it can protect a system efficiently. The classic theory is the negative selection algorithm presented by Forrest in 1994, which simulates the self-tolerance of T cells. We use the artificial immune algorithm to judge whether an access request is legal, and so realize a fast access control system that ensures the security of the storage system. The matching rule is used both to select self-tolerant detectors and to judge whether a detector matches an access request, so it determines the efficiency and accuracy of the secure storage system.
When self, access request and detector are represented by binary strings, the matching rule compares two binary strings.

The remainder of this paper is organized as follows. Section 2 analyzes current matching rules. Section 3 defines the elements and presents the random r-continuous matching rule. Section 4 analyzes the efficiency of the random r-continuous matching rule and compares it with current matching rules. Section 5 implements a prototype of the random r-continuous matching rule to evaluate its performance, and compares its efficiency and accuracy with current matching rules. Section 6 uses the random r-continuous matching rule to build an access control system for the object-based storage target of the Lustre storage area network system and evaluates its I/O performance.

2 Related Works

The matching rule judges whether two binary strings match, either detector against self or detector against access request. Current matching rules are the r-contiguous matching rule, the r-chunk matching rule, the Hamming distance matching rule and the Rogers and Tanimoto matching rule.

Forrest presented the r-contiguous matching rule in 1994[24]. It discriminates non-self accurately but needs a large number of detectors. A detector with l bits contains l−r+1 characteristic sub-strings, and every characteristic sub-string can detect $2^{l-r}$ non-self strings, so one detector can recognize at most $(l-r+1)2^{l-r}$ non-self strings.

Balthrop presented the r-chunk matching rule in 2002[25] to improve the accuracy and efficiency of the r-contiguous matching rule. It adds a condition to the r-contiguous rule: only the window from the i-th to the (i+r−1)-th bit of the detector is valid, where the start position i is specific to each detector; restricting the start position improves accuracy. One detector then contains l−r−i+1 characteristic sub-strings and can recognize at most $(l-r-i+1)2^{l-r}$ non-self strings, so its recognition capability is smaller than that of the r-contiguous matching rule.
The Hamming distance matching rule was proposed by Farmer in 1986[26]. It checks whether there are r corresponding identical bits, without requiring those r bits to be contiguous. Every detector can recognize at most $(l-r+1)2^{l-r}$ non-self strings, but the rule is less accurate. Harmer analyzed different matching rules by calculating the signal-to-noise ratio and the function-value distribution of each rule when applied to a randomly generated data set[27]. All current matching rules, however, are of limited efficiency.

3 The Random r-Continuous Matching Rule

We define the elements and present the random r-continuous matching rule.

3.1 Definition of Elements

Definition 1. Domain. $U = \{0,1\}^l$ is the set of all binary strings with l bits; it is composed of the self set and the non-self set.
Definition 2. Self set. $S \subseteq U$ is the set of all legal strings in the domain.
Definition 3. Non-self set. $NS \subseteq U$ is the set of all illegal strings in the domain.
Definition 4. Access request. $x = x_1 x_2 \ldots x_l$ ($x_i \in \{0,1\}$) is the representation of one access request in the storage system; it is one string in the domain.
Definition 5. Threshold. r is the criterion for judging whether x matches d.
Definition 6. Detector. $d = (d_1 d_2 \ldots d_l,\, r)$ ($d_i \in \{0,1\}$) is a binary string with l bits together with the threshold r.
Definition 7. Characteristic sub-string. A sub-string of the detector that is used to check the access request.

3.2 Random r-Continuous Matching Rule

When an access request is checked by the artificial immune algorithm, the characteristic sub-string is critical, so increasing the number of non-self strings that each characteristic sub-string can match is the main way to improve the efficiency of a matching rule. The r-contiguous and r-chunk matching rules declare that the detector matches the antigen when an identical sub-string at corresponding positions of antigen and detector reaches the threshold length. This condition limits the efficiency of the matching rule.
The Hamming distance matching rule counts the number of corresponding identical bits; the requirement that the identical bits be at corresponding positions likewise limits its efficiency. We propose the random r-continuous matching rule to increase the number of illegal access requests that one detector can match and so improve efficiency. Given a detector d and an access request x, it is defined by Formula 1:

Formula 1: $d \text{ matches } x \;\equiv\; \exists\, i \le l-r+1 \text{ and } \exists\, j \le l-r+1 \text{ such that } x_{i+t} = d_{j+t} \text{ for } t = 0, 1, \ldots, r-1$

That is, if an identical sub-string of length at least r occurs in both the detector and the access request, at positions that need not correspond, then d matches x.

4 Performance Analysis

We analyze and compare the number of illegal access requests that one detector can recognize under the different matching rules. Using the random r-continuous matching rule, one detector with l bits contains l−r+1 characteristic sub-strings, and one detector can match at most $(l-r+1)2^{l-r+1}$ illegal access requests. Table 1 shows how many illegal access requests one detector can recognize under each matching rule. The number is largest for the random r-continuous matching rule, which shows that it improves the efficiency of the artificial immune algorithm considerably. Note that these figures are upper bounds on the coverage of a single detector; a rule that lets one detector match more strings also makes a candidate detector more likely to match a self string, so more candidates are discarded during self-tolerance selection, and the two effects have to be weighed together.

Table 1. Number of illegal access requests one detector can recognize under different matching rules

Matching rule                          Number of illegal access requests one detector can recognize
random r-continuous matching rule      $(l-r+1)2^{l-r+1}$
r-contiguous matching rule             $(l-r+1)2^{l-r}$
r-chunk matching rule                  $(l-r-i+1)2^{l-r}$
Hamming distance matching rule         $(l-r+1)2^{l-r}$

5 Prototype of Random r-Continuous Matching Rule

We implement a prototype of the immune-based access control system on Linux using the random r-continuous matching rule and the other matching rules.
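As an added worked example (not the authors' prototype, whose source is not given on this page), the following Python script implements the four matching rules of Sections 2 and 3.2 over 8-bit strings, counts by brute force how many strings of U one detector actually matches, places that count beside the Table 1 formula, and runs the self-tolerance selection of Section 5 on a constructed self set to find how many detectors are needed to detect every illegal access request. The greedy choice of detectors, the 0-based indexing of the r-chunk start position i, and every string and self set in the script are assumptions made for the example.

```python
"""Matching rules of the paper over l-bit binary strings (added example).

Strings are Python str of '0'/'1'.  The greedy set cover used for "number of
detectors needed" is this example's own choice; the paper does not say how
its prototype picked detectors."""
from itertools import product

L = 8  # bit length used in the paper's prototype


def r_contiguous(d, x, r):
    """r-contiguous (Forrest 1994): r identical bits at the same positions."""
    return any(d[i:i + r] == x[i:i + r] for i in range(len(d) - r + 1))


def r_chunk(d, x, r, i=0):
    """r-chunk (Balthrop 2002): only the window starting at the detector's
    fixed position i is valid (i=0 assumed here)."""
    return d[i:i + r] == x[i:i + r]


def hamming(d, x, r):
    """Hamming distance rule: at least r identical bits, any positions."""
    return sum(a == b for a, b in zip(d, x)) >= r


def random_r_continuous(d, x, r):
    """Formula 1: some r-bit sub-string of d occurs somewhere in x, i.e.
    there exist i, j with x[i:i+r] == d[j:j+r]; positions may differ."""
    subs = {d[j:j + r] for j in range(len(d) - r + 1)}
    return any(x[i:i + r] in subs for i in range(len(x) - r + 1))


RULES = {"random r-continuous": random_r_continuous,
         "r-contiguous": r_contiguous,
         "r-chunk": r_chunk,
         "Hamming": hamming}


def domain(l=L):
    """U = {0,1}^l as a list of strings."""
    return ["".join(bits) for bits in product("01", repeat=l)]


def coverage(rule, d, r, l=L):
    """Exact number of strings in U matched by detector d (brute force)."""
    return sum(rule(d, x, r) for x in domain(l))


def table1_bound(name, l, r, i=0):
    """Per-detector figures as printed in Table 1 of the paper."""
    if name == "random r-continuous":
        return (l - r + 1) * 2 ** (l - r + 1)
    if name == "r-chunk":
        return (l - r - i + 1) * 2 ** (l - r)
    return (l - r + 1) * 2 ** (l - r)  # r-contiguous and Hamming


def negative_selection(rule, candidates, self_set, r):
    """Keep only candidate detectors that match no self string."""
    return [d for d in candidates if not any(rule(d, s, r) for s in self_set)]


def detectors_needed(rule, self_set, r, l=L):
    """Greedy: repeatedly take the self-tolerant detector that covers the most
    still-uncovered non-self strings.  Returns (detectors used, holes), where
    holes are non-self strings no self-tolerant detector can match."""
    U = domain(l)
    tolerant = negative_selection(rule, U, self_set, r)
    uncovered = {x for x in U if x not in self_set}
    chosen = []
    while uncovered and tolerant:
        best = max(tolerant, key=lambda d: sum(rule(d, x, r) for x in uncovered))
        gained = {x for x in uncovered if rule(best, x, r)}
        if not gained:
            break  # whatever is left is a hole for this rule and self set
        chosen.append(best)
        uncovered -= gained
    return len(chosen), len(uncovered)


if __name__ == "__main__":
    d, r = "01010101", 7
    for name, rule in RULES.items():
        print(f"{name:20s} matches {coverage(rule, d, r):3d} strings "
              f"(Table 1 figure {table1_bound(name, L, r)})")
    # Constructed self set of 8 strings, like one point of the paper's Fig. 1;
    # the complement of the self set is the illegal access requests.
    self_set = {"00000000", "00001111", "11110000", "11111111",
                "10101010", "01010101", "00110011", "11001100"}
    for name, rule in RULES.items():
        print(f"{name:20s} r=4: (detectors, holes) = "
              f"{detectors_needed(rule, self_set, r=4)}")
```

With d = 01010101 and r = 7 the random r-continuous rule matches 6 of the 256 strings against 3 for r-contiguous, both below the Table 1 figures of 8 and 4, which are bounds rather than exact counts. The second loop shows the trade-off a practitioner should check alongside coverage: with r = 1 and the self set {00000000, 11111111}, the r-contiguous rule leaves no self-tolerant detector at all, so all 254 illegal requests become holes; the more strings one detector matches, the more candidates negative selection throws away.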
Access requests and detectors are represented by eight-bit strings. Self strings and access requests are stored in two text files. The exhaustive detector generating algorithm generates the initial detectors, and the number of self-tolerant detectors is not limited. The prototype outputs the detection result and the number of detectors needed to detect all illegal access requests, for comparison with the current matching rules. The threshold r runs from a minimum of 1 to a maximum of 8 in steps of 1. First we use the exhaustive strategy to generate all 256 different 8-bit strings. We choose some strings as the self sequence and the others as access requests, so that self and access requests are complementary and every access request is illegal. We create seven self files containing 0, 8, 16, 32, 64, 128 and 192 self strings, with the corresponding access request files, and evaluate how many detectors are needed to detect all illegal access requests. The result is shown in Figure 1.

[Fig. 1. Number of detectors needed to recognize all illegal access requests. x-axis: number of self (0, 8, 16, 32, 64, 128, 192); y-axis: number of detectors (0 to 140); series: prototypes of the random r-continuous, r-contiguous, r-chunk and Hamming distance matching rules.]

From Figure 1 we find that the prototype detects all illegal access requests with the smallest number of detectors when using the random r-continuous matching rule. This result shows that the random r-continuous matching rule is more efficient than the other matching rules.

6 Prototype of Immune-Based Secure Storage

Lustre is an open source storage area network system with three modules: client, MDS and OST. The OST is an object-based storage target. We use the random r-continuous matching rule to build an immune-based access control system for the OST, and use Iozone to test its I/O performance.
We test the write performance for a 1M file with block sizes of 4k, 8k, 16k, 32k, 64k, 128k, 256k, 512k and 1024k. The result is shown in Figure 2: the prototype of the secure storage system loses 8% of the write performance of plain Lustre, so it keeps high I/O performance.

[Fig. 2. Writing performance. x-axis: block size (4k to 1024k); y-axis: b/s (0 to 600000); series: Lustre; Lustre with immune-based access control system.]

7 Conclusion

This paper presents the random r-continuous matching rule to improve the efficiency of the artificial immune algorithm. By analyzing the number of illegal access requests that one detector can detect, and by evaluating a prototype against the current matching rules, we show that the random r-continuous matching rule is more efficient. Finally we use the random r-continuous matching rule to build an immune-based access control system for the OST in Lustre; the I/O performance test shows that the random r-continuous matching rule can be used to build a secure storage system that keeps high I/O performance. Different detectors may contain the same characteristic sub-string, which increases the cost of detection. As a next step we will analyze the characteristic sub-strings in detectors and research a new detector generating algorithm to improve efficiency.

References
1. Blaze, M.: A cryptographic file system for UNIX. In: Proceedings of the 1st ACM Conference on Communications and Computing Security (1993)
2. Howard, J., Kazar, M., Menees, S., Nichols, D., Satyanarayanan, M., Sidebotham, R., West, M.: Scale and performance in a distributed file system. ACM TOCS 6(1) (February 1988)
3. Fu, K., Kaashoek, M., Mazieres, D.: Fast and secure distributed read-only file system. OSDI (October 2000)
4. Mazieres, D., Kaminsky, M., Kaashoek, M., Witchel, E.: Separating key management from file system security.
SOSP (December 1999)
5. Li, X., Yang, J., Wu, Z.: An NFSv4-Based Security Scheme for NAS. In: Parallel and Distributed Processing and Applications, NanJiang, China (2005)
6. Gobioff, H., Nagle, D., Gibson, G.: Embedded Security for Network-Attached Storage. CMU SCS technical report CMU-CS-99-154 (June 1999)
7. Strunk, J.D., Goodson, G.R., Scheinholtz, M.L., Soules, C.A.N., Ganger, G.R.: Self-Securing Storage: Protecting Data in Compromised Systems. In: 4th Symposium on Operating System Design and Implementation, San Diego, CA (October 2000)
8. Soules, C.A.N., Goodson, G.R., Strunk, J.D., Ganger, G.R.: Metadata Efficiency in Versioning File Systems. In: 2nd USENIX Conference on File and Storage Technologies, San Francisco, CA, March 31–April 2 (2003)
9. Wylie, J., Bigrigg, M., Strunk, J., Ganger, G., Kiliccote, H., Khosla, P.: Survivable information storage systems. IEEE Computer, Los Alamitos (2000)
10. Ganger, G.R., Khosla, P.K., Bakkaloglu, M., Bigrigg, M.W., Goodson, G.R., Oguz, S., Pandurangan, V., Soules, C.A.N., Strunk, J.D., Wylie, J.J.: Survivable Storage Systems. In: DARPA Information Survivability Conference and Exposition, Anaheim, CA, 12–14 June 2001, vol. 2, pp. 184–195. IEEE, Los Alamitos (2001)
11. Kubiatowicz, J., Bindel, D., Chen, Y., Czerwinski, S., Eaton, P., Geels, D., Gummadi, R., Rhea, S., Weatherspoon, H., Weimer, W., Wells, C., Zhao, B.: OceanStore: An Architecture for Global-Scale Persistent Storage. In: ASPLOS (December 2000)
12. Freeman, W., Miller, E.: Design for a decentralized security system for network-attached storage. In: Proceedings of the 17th IEEE Symposium on Mass Storage Systems and Technologies, College Park, MD, pp. 361–373 (March 2000)
13. Miller, E.L., Long, D.D.E., Freeman, W., Reed, B.: Strong security for distributed file systems. In: Proceedings of the 20th IEEE International Performance, Computing and Communications Conference (IPCCC 2001), Phoenix, April 2001, pp. 34–40. IEEE, Los Alamitos (2001)
14. Miller, E.L., Long, D.D.E., Freeman, W.E., Reed, B.C.: Strong Security for Network-Attached Storage. In: Proceedings of the 2002 Conference on File and Storage Technologies (FAST), January 2002, pp. 1–13 (2002)
15. Kallahalla, M., Riedel, E., Swaminathan, R., Wang, Q., Fu, K.: PLUTUS: Scalable secure file sharing on untrusted storage. In: Conference on File and Storage Technology (FAST 2003), San Francisco, CA, 31 March–2 April 2003, pp. 29–42. USENIX, Berkeley (2003)
16. De-zhi, H., Xiang-lin, F., Jiang-zhong, H.: Study and Implementation of an iSCSI-Based Network Attached Storage Secure System. MINI-MICRO SYSTEMS 7, 1223–1227 (2004)
17. Goh, E.-J., Shacham, H., Modadugu, N., Boneh, D.: SiRiUS: Securing Remote Untrusted Storage. In: Proceedings of the Internet Society (ISOC) Network and Distributed Systems Security (NDSS) Symposium 2003 (2003)
18. Azagury, A., Canetti, R., Factor, M., Halevi, S., Henis, E., Naor, D., Rinetzky, N., Rodeh, O., Satran, J.: A Two Layered Approach for Securing an Object Store Network. In: SISW 2002 (2002)
19. Hewlett-Packard Company: HP OpenView storage allocator (October 2001), http://www.openview.hp.com
20. Brocade Communications Systems, Inc.: Advancing Security in Storage Area Networks. White Paper (June 2001)
21. Hewlett-Packard Company: HP SureStore E Secure Manager XP (March 2001), http://www.hp.com/go/storage
22. Dasgupta, D.: An overview of artificial immune systems and their applications. In: Dasgupta, D. (ed.) Artificial Immune Systems and Their Applications, pp. 3–23. Springer, Heidelberg (1999)
23. de Castro, L.N., Timmis, J.: Artificial Immune Systems: A New Computational Approach. Springer, London (2002)
24. Forrest, S., Perelson, A., Allen, L., Cherukuri, R.: Self-nonself discrimination in a computer. In: Proceedings of the IEEE Symposium on Research in Security and Privacy, Los Alamitos, CA, pp. 202–212. IEEE Computer Society Press, Los Alamitos (1994)
25. Balthrop, J., Esponda, F., Forrest, S., Glickman, M.: Coverage and generalization in an artificial immune system. In: Langdon, W.B., Cantú-Paz, E., Mathias, K., Roy, R., Davis, D., Poli, R., Balakrishnan, K., Honavar, V., Rudolph, G., Wegener, J., Bull, L., Potter, M.A., Schultz, A.C., Miller, J.F., Burke, E., Jonoska, N. (eds.) Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), 9–13 July 2002, pp. 3–10. Morgan Kaufmann Publishers, San Francisco (2002)
26. Farmer, J.D., Packard, N.H., Perelson, A.S.: The immune system, adaptation, and machine learning. Physica D 22, 187–204 (1986)
27. Harmer, P.K., Williams, P.D., Gunsch, G.H., Lamont, G.B.: An Artificial Immune System Architecture for Computer Security Applications. IEEE Transactions on Evolutionary Computation 6(3), 252–280 (2002)
28. Forrest, S., Perelson, A.S., Allen, L., Cherukuri, R.: Self-Nonself Discrimination in a computer. In: Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 202–212. IEEE Computer Society Press, Los Alamitos (1994)
29. Helman, P., Forrest, S.: An efficient algorithm for generating random antibody strings. Technical Report CS-94-07, The University of New Mexico, Albuquerque, NM (1994)
30. D'haeseleer, P., Forrest, S., Helman, P.: An immunological approach to change detection: algorithms, analysis and implications. In: McHugh, J., Dinolt, G. (eds.) Proceedings of the 1996 IEEE Symposium on Computer Security and Privacy, USA, pp. 110–119. IEEE Press, Los Alamitos (1996)
31. D'haeseleer, P.: Further efficient algorithms for generating antibody strings. Technical Report CS95-3, The University of New Mexico, Albuquerque, NM (1995)