Automated Response project

A Semantic-Based Approach for Automated Response to Attacks

Research Goal

Current approaches to attacks rely on automated detection -- primarily intrusion detection systems (IDS), but entirely on human-generated actions once the attack has been detected.

We believe that automated response (AR) is necessary. In the community of system administrators, and even computer security researchers, there is much skepticism about the viability of AR, primarily because it is felt that a system with such a capability offers a major vulnerability to be exploited: all the attacker has to do is launch a benign attack that the AR system will (falsely) interpret as a serious attack and initiate a response that causes much more loss of service than that attack itself. We argue that an informed AR system will not cause such self-inflicted denial of service and, moreover, has the potential of deciding on and effecting an optimal response: a response that balances the often conflicting goals of stopping the attack with minimal impact on essential services.

Approach

Models for services, including services that depend on other services
Models of attacks, including scenario attacks (multi-stage attacks), expressed in our Jigsaw attack modeling language. Jigsaw supports the composition of attack steps through preconditions that characterize the capabilities (essentially abstractions of the common notion associated with capability-based operating systems) needed for the attack to proceed and postconditions that characterize the capabilities added (or removed) by the attack step.
Models for response agents, including wrappers for programs, packet blockers process killers, dynamic schedulers, deception, and many more. Similar to attack steps, we model the response agents in terms of capabilities needed for the response to proceed and capabilities denied to the attacker as a result of the response.
An autonomic response system, based in part on control theory, that effects responses to stop the attack in its tracks but possibly having less than optimal effect on essential services. The responses here are reversible once better responses are determined.
An AR planning system that generates a sequence of response actions to achieve a goal of capabilities denied to the attacker but not for essential services. Through this planning system, responses close to optimal can be generated and the autonomic response is removed.
A form of game theory when the detection system is initially behind the attacker so it is necessary to consider moves the attacker could have made subsequent to detection. The actions available to the attacker are represented in Jigsaw and those available to the defenders as invocations of response agents.

Funding

This material is based upon work supported by the National Science Foundation under Grant No. 0313411.

Contact person:
Karl Levitt
levitt@cs.ucdavis.edu

last modified 5/5/04