A Semantic-Based Approach for Automated Response to Attacks


Research Goal

Current approaches to attacks rely on automated detection, primarily intrusion detection systems (IDS), but rely entirely on human-generated actions once an attack has been detected.

We believe that automated response (AR) is necessary. In the community of system administrators, and even among computer security researchers, there is much skepticism about the viability of AR, primarily because it is felt that a system with such a capability offers a major vulnerability to be exploited: all the attacker has to do is launch a benign attack that the AR system will (falsely) interpret as a serious attack, triggering a response that causes much more loss of service than the attack itself. We argue that an informed AR system will not cause such self-inflicted denial of service and, moreover, has the potential to decide on and effect an optimal response: a response that balances the often conflicting goals of stopping the attack and minimizing the impact on essential services.

Approach

Funding

This material is based upon work supported by the National Science Foundation under Grant No. 0313411.

Contact person:
Karl Levitt
levitt@cs.ucdavis.edu

last modified 5/5/04