Semantic-Based Approach for Automated Response to Attacks
Current approaches to attacks rely on automated detection, primarily intrusion
detection systems (IDS), but entirely on human-initiated actions once an attack
has been detected.
We believe that automated response (AR) is necessary. In the community of
system administrators, and even among computer security researchers, there is
much skepticism about the viability of AR, primarily because it is felt
that such a capability is itself a major vulnerability to be exploited: all
the attacker has to do is launch a benign attack that the AR system will
(falsely) interpret as a serious one, triggering a response that causes far
more loss of service than the attack itself would. We argue that an informed
AR system will not cause such self-inflicted denial of service and, moreover,
has the potential to decide on and effect an optimal response: one that
balances the often conflicting goals of stopping the attack and minimizing
the impact on essential services.
- Models for services, including services that depend on other
- Models of attacks, including scenario attacks (multi-stage
attacks), expressed in our Jigsaw attack modeling language. Jigsaw supports
the composition of attack steps through preconditions that characterize the
capabilities (essentially abstractions of the notion familiar from
capability-based operating systems) the attacker needs for the step to proceed,
and postconditions that characterize the capabilities the step adds (or removes).
- Models for response agents, including wrappers for programs,
packet blockers, process killers, dynamic schedulers, deception, and many more.
As with attack steps, we model response agents in terms of the capabilities
needed for the response to proceed and the capabilities denied to the attacker
as a result of the response.
- An autonomic response system, based in part on control
theory, that effects responses which stop the attack in its tracks but may
have a less than optimal effect on essential services. These responses are
reversible once better responses have been determined.
- An AR planning system that generates a sequence of response
actions to achieve a stated goal: capabilities denied to the attacker but not
to essential services. Through this planning system, near-optimal responses
are generated and the autonomic response is reversed.
- A form of game theory for the case where the detection system is initially
behind the attacker, so that it is necessary to consider the moves the attacker
could have made subsequent to the detected step. The actions available to the
attacker are represented in Jigsaw, and those available to the defenders as
invocations of response agents.
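The capability-based modeling of attack steps, response agents and service dependencies described in the items above, together with the planner's "deny the attacker's goal without denying essential services" criterion, can be made concrete in a small program. The following is an added example written for this page; it is not the Jigsaw language or the project's own code. The capability names, attack steps, responses, services and the late-detection scenario are all constructed for illustration, and the planner is a brute-force search over sets of response invocations rather than whatever planner the project used.

```python
# Added example (not the project's Jigsaw language or code): a toy
# capability-based model of attack steps, response agents, service
# dependencies and a brute-force response planner. Every capability name,
# attack step, response and service below is constructed for illustration.
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AttackStep:
    name: str
    pre: FrozenSet[str]   # capabilities the attacker must already hold
    post: FrozenSet[str]  # capabilities the step grants


@dataclass(frozen=True)
class Response:
    name: str
    needs: FrozenSet[str]   # capabilities the defender needs to run the agent
    denies: FrozenSet[str]  # capabilities removed, from attacker and services alike


def fs(*caps: str) -> FrozenSet[str]:
    return frozenset(caps)


# Constructed multi-stage scenario: probe an FTP daemon in the DMZ, exploit it
# for a shell, hop over an rhosts-style trust to the DB host, dump the data.
STEPS = [
    AttackStep("probe-ftpd", fs("net:dmz", "svc:ftpd"), fs("know:ftpd-version")),
    AttackStep("ftpd-overflow", fs("net:dmz", "svc:ftpd", "know:ftpd-version"), fs("shell:ftp-host")),
    AttackStep("rhosts-hop", fs("shell:ftp-host", "trust:ftp->db"), fs("shell:db-host")),
    AttackStep("dump-db", fs("shell:db-host"), fs("data:customers")),
]
GOAL = "data:customers"

RESPONSES = [
    Response("block-dmz-inbound", fs("admin:firewall"), fs("net:dmz")),
    Response("kill-ftpd", fs("admin:ftp-host"), fs("svc:ftpd")),
    Response("revoke-rhosts-trust", fs("admin:db-host"), fs("trust:ftp->db")),
    Response("kill-attacker-shell", fs("admin:ftp-host"), fs("shell:ftp-host")),
]
DEFENDER_HELD = fs("admin:firewall", "admin:ftp-host", "admin:db-host")

# Services: (capabilities the service needs, services it depends on).
SERVICES: Dict[str, Tuple[FrozenSet[str], FrozenSet[str]]] = {
    "public-web": (fs("net:dmz", "svc:httpd"), fs("orders-db")),
    "orders-db": (fs("svc:db", "trust:ftp->db"), fs()),  # batch loader on the FTP host feeds it
    "ftp-drop": (fs("net:dmz", "svc:ftpd"), fs()),       # not essential
}
ESSENTIAL_SERVICES = fs("public-web")


def essential_caps(services, essential: Iterable[str]) -> FrozenSet[str]:
    """Capabilities essential services need, following dependencies transitively."""
    seen, todo = set(), list(essential)
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        todo.extend(services[name][1])
    return frozenset().union(*(services[n][0] for n in seen))


def reachable(held, steps, denied) -> FrozenSet[str]:
    """Forward-chain attack steps from what the attacker holds. Denied
    capabilities are stripped first and can never be (re)gained."""
    have = set(held) - denied
    changed = True
    while changed:
        changed = False
        for step in steps:
            gain = (step.post - denied) - have
            if step.pre <= have and gain:
                have |= gain
                changed = True
    return frozenset(have)


def evaluate(combo, attacker_held, steps=STEPS, goal=GOAL, essential=None):
    """(stops_attack, self_dos) for a set of responses applied together."""
    if essential is None:
        essential = essential_caps(SERVICES, ESSENTIAL_SERVICES)
    denied = frozenset().union(*(r.denies for r in combo))
    stops = goal not in reachable(attacker_held, steps, denied)
    return stops, bool(denied & essential)


def plan(attacker_held, responses=RESPONSES, defender_held=DEFENDER_HELD,
         max_len=3, **kw) -> Optional[List[str]]:
    """Smallest set of responses that makes the goal unreachable without
    denying any essential-service capability; None if none within max_len."""
    for k in range(max_len + 1):
        for combo in combinations(responses, k):
            if any(not r.needs <= defender_held for r in combo):
                continue  # defender lacks a capability the agent needs
            stops, self_dos = evaluate(combo, attacker_held, **kw)
            if stops and not self_dos:
                return [r.name for r in combo]
    return None


# Detection at the probe: attacker holds only environment capabilities.
EARLY = fs("net:dmz", "svc:ftpd", "trust:ftp->db")
# Detection lagging (the game-theoretic case): by the time the overflow is
# noticed the attacker may already hold the shell, so plan against that.
LATE = EARLY | fs("know:ftpd-version", "shell:ftp-host")

if __name__ == "__main__":
    print("essential caps:", sorted(essential_caps(SERVICES, ESSENTIAL_SERVICES)))
    print("early plan:", plan(EARLY))
    print("late plan :", plan(LATE))
    print("block-dmz-inbound early (stops, self_dos):", evaluate([RESPONSES[0]], EARLY))
```

Two things the run makes visible that the prose only states: blocking the DMZ at the probe stage stops the attack but is rejected because the essential public-web service (and, through its dependency, orders-db) needs the denied capabilities, which is exactly the self-inflicted denial of service the skeptics worry about; and once detection lags, killing the FTP daemon no longer helps because the attacker's shell capability persists, so the planner picks a response that denies that shell instead.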
This material is based upon work supported by the National
Science Foundation under Grant No. 0313411.
last modified 5/5/04