To be able to increasingly rely on complex interrelated computer systems
built with insecure operating systems and applications in an environment
of continuous and changing attacks, we need to add dynamism to our systems
that can respond to attacks. The challenge is to introduce this dynamism
without introducing increased risks into the systems. For example, we need
to ensure that any response is not worse than the attack itself.
To create a dynamic but safe capability, UC Davis, in collaboration with Net
Squared, Inc., is developing semantic models that can identify optimal changes
to the configuration of a computer system or network in order to thwart
an on-going attack. The models will include concepts such as safety so that
proposed responses can be measured as to their effect on legitimate operations.
The models will also include concepts such as costs so that proposed solutions
can be ranked based on various cost models.
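As an added illustration (not code from the UC Davis/Net Squared project), the following Python sketch shows how a description of resources and their dependencies, together with a per-response cost, can be used to rank candidate responses by their safety for legitimate operations and by cost; the site, operations, costs, candidate responses and the "thwarts" flags are all constructed.

```python
from dataclasses import dataclass

@dataclass
class Response:
    name: str
    disables: set      # resources the response takes offline
    cost: float        # constructed operational cost of applying it
    thwarts: bool      # constructed: does it stop the ongoing attack?

# Constructed site description: each resource and the resources it depends on.
DEPENDS = {"web": {"db", "dns"}, "mail": {"dns"}, "vpn": {"dns"}, "db": set(), "dns": set()}
# Constructed legitimate operations and the resource each one needs.
OPERATIONS = {"customer_orders": "web", "staff_mail": "mail", "remote_admin": "vpn"}

def required(resource, depends=DEPENDS):
    """Transitive closure: everything that must be up for `resource` to work."""
    seen, stack = set(), [resource]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(depends.get(r, ()))
    return seen

def safety(response, ops=OPERATIONS):
    """Share of legitimate operations that still work once the response is applied."""
    ok = sum(1 for res in ops.values() if not (required(res) & response.disables))
    return ok / len(ops)

def rank_responses(candidates, min_safety=0.5):
    """Discard responses that do not stop the attack or that hurt legitimate
    operations more than allowed; order the rest by safety (desc) then cost (asc)."""
    viable = [r for r in candidates if r.thwarts and safety(r) >= min_safety]
    return sorted(viable, key=lambda r: (-safety(r), r.cost))

CANDIDATES = [
    Response("block_attacker_ip", set(), 1.0, False),  # constructed: source is spoofed, block is ineffective
    Response("shut_down_dns", {"dns"}, 2.0, True),      # stops the attack, but every operation needs dns
    Response("isolate_db", {"db"}, 5.0, True),           # only customer_orders loses its dependency chain
    Response("rate_limit_web", set(), 3.0, True),        # stops the attack with no resource taken down
]

if __name__ == "__main__":
    for r in rank_responses(CANDIDATES):
        print(f"{r.name}: safety={safety(r):.2f} cost={r.cost}")
```

The `min_safety` threshold is where "the response must not be worse than the attack" enters the ranking: shutting down DNS would stop the attack but is rejected because it takes every legitimate operation down with it.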
To achieve our vision of a model that can identify the best responses with
respect to safety and cost, U.C. Davis will carry out the following tasks.
- Most attack sensors provide “atomic” event reports. These describe
specific technical activities that indicate the presence of an attacker, but
not the overall goals that the attacker is trying to achieve. We will investigate
models describing how multiple atomic attacks compose into a sequence of steps
taken toward the final goal. This model can be used statically, to prioritize
the application of monitoring and patching resources to reduce the threat
of the most serious types of attacks.
- Oftentimes, the effects of a specific type of computer attack are only
of concern when directed against specific important computing resources. Determining
which system resources are important, however, is a difficult technical problem.
At the very least, the expertise of trained personnel is required to classify
the importance of computer assets. To assist in this task we will:
a) Develop a language that expresses the important computing resources and
their dependencies. This can be used statically, by system experts, to describe
the configuration of a particular site and enable our environmentally aware
security system to compute the severity of damage for successful attacks and
design appropriate countermeasures.
b) Develop a prototype for automatically learning the important resources
of a live system by passive monitoring. Based upon observed traffic volume
and the time ordered sequence of specific network packets, this prototype
would be able to infer the location of critical system resources and their
dependencies under normal usage.
c) Incorporate a method for actively probing a live system to discover unknown
important backup resources that are used only in the rare event that the primary
service is unavailable.
- A major drawback to current systems is the lack of attack descriptions
that explain the real consequences. We will investigate methods for automatically
compiling richer semantic descriptions of observed malicious activity.
- Evaluation of the effectiveness of our approach to security is essential.
UC Davis will conduct ongoing experiments with Net Squared that determine
the utility of the proposed environmentally-aware security approach. This
will involve installation and operation of the prototype system on emulated
network test-beds as well as on live systems.
- Support Net Squared in the development of the overall design of the system. We
will provide components of the attack monitoring and attack aggregation prototype.
- Conduct joint weekly project meetings attended by all UC Davis project
personnel and by Net Squared.
- Attend semi-annual PI meetings, held at locations determined by the ARDA
sponsors, and provide technical presentations of overall project progress.
Net Squared, Inc.
last modified 5/5/04