Environment-Aware Security System


Research Goal

To be able to increasingly rely on complex, interrelated computer systems built from insecure operating systems and applications, in an environment of continuous and changing attacks, we need to add dynamism to our systems so that they can respond to attacks. The challenge is to introduce this dynamism without introducing increased risk into the systems. For example, we need to ensure that any response is not worse than the attack itself.

To create a dynamic but safe capability, UC Davis, in collaboration with Net Squared, Inc., is developing semantic models that can identify optimal changes to the configuration of a computer system or network in order to thwart an on-going attack. The models will include concepts such as safety, so that proposed responses can be measured by their effect on legitimate operations. The models will also include concepts such as cost, so that proposed solutions can be ranked under various cost models.

Approach

To achieve our vision of a model that can identify the best responses with respect to safety and cost, U.C. Davis will carry out the following tasks.

  1. Most attack sensors provide “atomic” event reports. These describe specific technical activities that indicate the presence of an attacker, but not the overall goals that the attacker is trying to achieve. We will investigate models describing how multiple atomic attacks compose into a sequence of steps taken toward the final goal. This model can be used statically, to prioritize the application of monitoring and patching resources to reduce the threat of the most serious types of attacks.
  2. Oftentimes, the effects of a specific type of computer attack are only of concern when directed against specific important computing resources. Determining which system resources are important, however, is a difficult technical problem. At the very least, the expertise of trained personnel is required to classify the importance of computer assets. To assist in this task we will:
    a) Develop a language that expresses the important computing resources and their dependencies. This can be used statically, by system experts, to describe the configuration of a particular site and enable our environmentally aware security system to compute the severity of damage for successful attacks and design appropriate countermeasures.
    b) Develop a prototype for automatically learning the important resources of a live system by passive monitoring. Based upon observed traffic volume and the time ordered sequence of specific network packets, this prototype would be able to infer the location of critical system resources and their dependencies under normal usage.
    c) Incorporate a method for actively probing a live system to discover unknown important backup resources that are used only in the rare event that the primary service is unavailable.
  3. A major drawback to current systems is the lack of attack descriptions that explain the real consequences. We will investigate methods for automatically compiling richer semantic descriptions of observed malicious activity.
  4. Evaluation of the effectiveness of our approach to security is essential. UC Davis will conduct ongoing experiments with Net Squared that determine the utility of the proposed environmentally-aware security approach. This will involve installation and operation of the prototype system on emulated network test-beds as well as on live systems.
  5. Support Net Squared in the development of the overall design of the system. We will provide components of the attack monitoring and attack aggregation prototype.
  6. Conduct joint weekly project meetings attended by all UC Davis project personnel and by Net Squared.
  7. Attend semi-annual PI meetings, held at locations determined by the ARDA sponsors, and provide technical presentations of overall project progress and status.
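As an added illustration of tasks 2a and the safety/cost ranking described in the research goal (this is not the UC Davis/Net Squared model; all resource names, importance weights and candidate responses are constructed sample values), the following sketch describes a site's resources and their dependencies, computes the damage of a successful attack from the transitive dependents of the compromised resource, rejects responses whose collateral damage would not be lower than the attack's, and ranks the rest by cost.

```python
# Added example, not project code. Toy dependency description and
# safety/cost ranking of responses; every value below is constructed.
from collections import deque

# Site description: resource -> resources it depends on.
DEPENDS_ON = {
    "web_portal": ["app_server", "dns"],
    "app_server": ["db_primary"],
    "db_primary": ["san"],
    "db_backup": ["san"],
    "dns": [],
    "san": [],
}
# Importance of each resource to legitimate operations (higher = more critical).
IMPORTANCE = {"web_portal": 5, "app_server": 3, "db_primary": 4,
              "db_backup": 1, "dns": 2, "san": 3}

def dependents(resource):
    """All resources that transitively depend on `resource` (breadth-first)."""
    reverse = {r: [] for r in DEPENDS_ON}
    for r, deps in DEPENDS_ON.items():
        for d in deps:
            reverse[d].append(r)
    seen, queue = set(), deque([resource])
    while queue:
        for up in reverse[queue.popleft()]:
            if up not in seen:
                seen.add(up)
                queue.append(up)
    return seen

def severity(resource):
    """Damage if `resource` is compromised: it and everything built on top of it."""
    return IMPORTANCE[resource] + sum(IMPORTANCE[r] for r in dependents(resource))

def impact(disabled):
    """Legitimate operations lost if the response disables `disabled` resources."""
    hit = set()
    for r in disabled:
        hit |= {r} | dependents(r)
    return sum(IMPORTANCE[r] for r in hit)

def rank_responses(attacked, responses):
    """Keep responses whose collateral impact is lower than the attack's damage
    (the 'not worse than the attack' safety test); rank by impact, then cost.
    Each response is (name, cost, resources_it_disables)."""
    damage = severity(attacked)
    safe = [(impact(d), cost, name) for name, cost, d in responses if impact(d) < damage]
    return [name for _, _, name in sorted(safe)]

# Constructed candidate responses to a compromise of db_primary (damage 12).
RESPONSES = [("block_attacker_ip", 1, []), ("isolate_db_primary_host", 3, ["db_primary"]),
             ("restart_dns", 2, ["dns"]), ("power_off_san", 0, ["san"])]
```

Isolating the database host or powering off the SAN would take down at least as much as the attack itself, so only the address block and the DNS restart survive the safety test.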

Funding

Net Squared, Inc.

Contact person:
Karl Levitt
levitt@cs.ucdavis.edu

last modified 5/5/04