Survivable Active Networks


Welcome to our project Home Page! You may want to browse our publications and presentations to get a more detailed overview of SAN, or check out related projects at the Secure and Reliable System Laboratory.

Networks and distributed software systems are bringing about fundamental changes in the way we conduct our commercial, educational and research activities. Critical infrastructures such as banking and commerce, telecommunication, transportation, power distribution and medicine are all becoming increasingly dependent on networked software systems. This has led to a surge of interest in techniques for making network and software systems survivable, so that they can continue to perform their critical functions even in the face of spontaneous faults or coordinated, malicious attacks.

Objective:

To develop techniques to prevent or proactively detect a variety of attacks, initiate responses to contain any damage, track down the attack, and stop it close to its source. Preventive and (automated) response capabilities are necessary to ensure continued availability of mission-critical systems.

Approach:

The key to building survivable systems is to detect and respond to problems before they impact system functionality or security. In contrast with prior research efforts aimed mainly at post-attack detection, this project proposes a new approach aimed at early attack identification, damage prevention and containment, tracing of attack origin, and stopping it close to its source.

Assuming physical security of the different components of the information system (so that local users and removable media are out of scope), the only mechanism for delivering attacks is the network packets arriving at the target host. Moreover, any damage to the system must eventually be effected via the system calls made by the attacked process to obtain services from its operating system environment. Based on these two observations, the approach taken in this project is to specify security-related (normal or under-attack) behaviors of processes or hosts as patterns over sequences of system calls and network packets, in a high-level language called ASL. The ASL compiler generates optimized programs that efficiently detect deviations from these specifications and initiate the corresponding responses. These programs are linked with appropriate runtime environments to produce the system call monitoring system (SMS) and the network-packet monitoring system (NMS) respectively. An attack is identified when a deviation from the specified normal behavior (or conformance with a known attack behavior) is detected.

The simplest response to an attack is to deny the attacker any access to the system. Instead, this project provides the option of continued access, but ensures that the compromised process runs in an isolated environment where it cannot damage the rest of the system. If attackers believe they are succeeding, they are likely to continue, which provides an opportunity to observe and track them down. The isolation mechanisms are built as a software layer that intercepts process-to-OS interactions (and in some cases host-to-network interactions) and modifies them as needed to preserve the integrity of the rest of the system.
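The following is an added toy version of the two ideas in the preceding paragraphs, specification-based monitoring of a process's system calls and isolation of the process once it deviates. It is illustration only: it is not the project's ASL, SMS or runtime environment, and the ftpd-like normal-use specification (of the kind the Accomplishments section mentions), the isolation root path and the system call trace are all constructed for the example. ASL patterns range over sequences of calls; this simplification checks each call against a per-call predicate and keeps one bit of state (compromised or not).

```python
# Added illustration of specification-based monitoring plus isolation.
# Not the project's ASL/SMS; names, paths and the trace are constructed.
import fnmatch
import posixpath
from collections import namedtuple

Syscall = namedtuple("Syscall", "name args")   # e.g. Syscall("open", ("/etc/passwd", "w"))

# Normal-use specification for a hypothetical ftpd-like server: the only calls
# (and argument shapes) the process is expected to make. A call whose name is
# absent, or whose predicate returns False, is a deviation.
FTPD_SPEC = {
    "accept": lambda args: True,
    "open": lambda args: (
        (args[1] == "r" and fnmatch.fnmatch(args[0], "/home/ftp/*"))
        or (args[1] == "w" and fnmatch.fnmatch(args[0], "/home/ftp/incoming/*"))
    ),
    "read": lambda args: True,
    "write": lambda args: True,
    "close": lambda args: True,
    "exit": lambda args: True,
}

ISOLATION_ROOT = "/var/isolation/ftpd"   # hypothetical decoy file system root


def check(spec, call):
    """True if the call conforms to the specification."""
    pred = spec.get(call.name)
    return pred is not None and pred(call.args)


def isolate(spec, call):
    """Rewrite a call from a compromised process so it cannot affect the real system.
    Conforming non-write calls pass through; every open (including writes the spec
    would normally allow) is redirected under ISOLATION_ROOT so the attacker still
    sees success; anything else outside the spec (execve, connect, ...) is denied."""
    is_write = call.name == "open" and call.args[1] == "w"
    if check(spec, call) and not is_write:
        return ("allowed", call)
    if call.name == "open":
        decoy = posixpath.join(ISOLATION_ROOT, call.args[0].lstrip("/"))
        return ("redirected", Syscall("open", (decoy, call.args[1])))
    return ("denied", call)


def monitor(trace, spec):
    """Run a trace through the monitor. Before the first deviation every call passes
    unchanged; from the first deviation on, the process is treated as compromised and
    every call is routed through isolate(). Returns (alerts, effective_calls)."""
    alerts, effective, compromised = [], [], False
    for i, call in enumerate(trace):
        if not compromised:
            if check(spec, call):
                effective.append(("allowed", call))
                continue
            compromised = True
            alerts.append((i, call))
        effective.append(isolate(spec, call))
    return alerts, effective


# Constructed trace: a normal session, then an attacker (say, after a stack
# overflow in the server) tries to add an account and spawn a shell.
TRACE = [
    Syscall("accept", ()),
    Syscall("open", ("/home/ftp/pub/readme.txt", "r")),
    Syscall("read", (3,)),
    Syscall("close", (3,)),
    Syscall("open", ("/etc/passwd", "w")),               # deviation: redirected to decoy
    Syscall("write", (4, "evil::0:0::/:/bin/sh\n")),      # lands in the decoy file
    Syscall("close", (4,)),
    Syscall("execve", ("/bin/sh",)),                     # denied
    Syscall("open", ("/home/ftp/pub/readme.txt", "r")),  # still conforming, allowed
]

if __name__ == "__main__":
    alerts, effective = monitor(TRACE, FTPD_SPEC)
    for i, call in alerts:
        print("deviation at call %d: %s%s" % (i, call.name, call.args))
    for action, call in effective:
        print("%-10s %s%s" % (action, call.name, call.args))
```

The write at index 5 is "allowed" even though the process is compromised: it targets the descriptor that the redirected open returned, so the attacker's fake account line ends up in the decoy copy under the isolation root, which is exactly the point of modifying rather than blocking the interaction.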

In a distributed environment, this project uses active networking technology to trace the source of attacks, and then isolate the offending hosts or sites from the rest of the network. The coordination among the host-based and network-based components will be implemented using the CIDF framework.

The key innovations of this project include: (a) an expressive and robust high-level language that simplifies specification of normal (or under-attack) behaviors of processes and hosts, (b) compilation algorithms for generating efficient code that detects conformance with specifications, (c) efficient techniques for runtime enforcement of behaviors (and isolation of compromised processes) by interception and modification of process-to-operating-system and host-to-network interactions, and (d) use of active networking technology for identification and isolation of the attack source.

Recent Accomplishments

DARPA 1998 Intrusion Detection Evaluation. The NMS participated in the evaluation; among the attacks within its target domain, the NMS detected 96% of the attacks and achieved an 85% score. The NMS also provides the high performance needed for online interception: on a commodity PC it processes an entire day of tcpdump data (about 1GB) in under 1 minute. The NMS is targeted at intrusions that are not manifest in abnormal system calls. This includes most probing attacks and a majority of denial-of-service attacks, but none of the user-to-root or remote-to-user attacks of the 1998 evaluation. A paper on this work will be presented at the 1999 ACM Computer and Communication Security Conference.

Improved runtime environment. A new in-kernel implementation of the runtime environment has been developed. Compared with the earlier implementation within the libc library, the kernel implementation is more secure and provides significantly higher performance. A key feature of this implementation is that it requires no source code modifications to the kernel. A paper describing the design is under review for the ACM Symposium on Operating System Principles.

Techniques for fast monitoring of process behaviors. A new algorithm for matching process behaviors against patterns that capture normal use and/or misuse of server programs has been developed and implemented. Unlike previously known methods, the new algorithm introduces very little overhead (less than 2%) for monitoring process behavior, and this figure remains independent of the size, complexity or number of patterns. Given this algorithm, the specification writer no longer needs to worry about efficiency and can focus on correctness and clarity. A paper describing the language and the compiler will be presented at the 1999 USENIX Security Symposium.

Development of normal-use and misuse specifications. Misuse specifications (characterizing attacks such as race conditions or stack overflows) were modelled in ASL and tested against simulated attacks. The normal-use (or possible-behaviors) style of specification aims to combine the accuracy of misuse detection with the ability of anomaly detection to identify unknown attacks. Specifications for the server programs ftpd and telnetd were developed in this context. To ease the development of normal-use specifications, an alternative approach that generates them from program behavior specifications has been developed, and will be presented at the 1999 National Information System Security Conference.
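As an added illustration of the two classes of attack the NMS is described above as targeting, probes and denial of service, here are two packet-level pattern detectors over constructed packet summaries. This is not the NMS, ASL or the evaluation data; the packet record format, the addresses, the window and threshold values and the sample trace are all made up for the example, and real tcpdump input would first have to be parsed into such records.

```python
# Added illustration of packet-level probe and SYN-flood patterns.
# Not the project's NMS/ASL; the record format and trace are constructed.
from collections import defaultdict, deque, namedtuple

# Constructed packet summary: timestamp (s), addresses, ports and TCP flags
# ("S" = SYN only, "A" = ACK). Not a real tcpdump line format.
Packet = namedtuple("Packet", "ts src sport dst dport flags")


def detect_probes(packets, window=10.0, threshold=5):
    """Probe (port-scan) pattern: one source touches more than `threshold`
    distinct (dst, dport) targets within `window` seconds.
    Returns [(ts, src, distinct_targets)], at most one alert per source."""
    recent = defaultdict(deque)                    # src -> (ts, target) inside window
    live = defaultdict(lambda: defaultdict(int))   # src -> target -> hits inside window
    alerts, alerted = [], set()
    for p in packets:
        q, counts = recent[p.src], live[p.src]
        target = (p.dst, p.dport)
        q.append((p.ts, target))
        counts[target] += 1
        while q and p.ts - q[0][0] > window:       # expire old hits
            _, old = q.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        if len(counts) > threshold and p.src not in alerted:
            alerted.add(p.src)
            alerts.append((p.ts, p.src, len(counts)))
    return alerts


def detect_syn_floods(packets, window=10.0, threshold=5):
    """Denial-of-service pattern: more than `threshold` half-open connections
    (SYN seen, no ACK from that client within `window`) on one (dst, dport).
    Returns [(ts, (dst, dport), half_open)], at most one alert per service."""
    pending = defaultdict(dict)    # (dst, dport) -> {(src, sport): ts of SYN}
    alerts, alerted = [], set()
    for p in packets:
        service, client = (p.dst, p.dport), (p.src, p.sport)
        half_open = pending[service]
        if p.flags == "S":
            half_open[client] = p.ts
        elif p.flags == "A":
            half_open.pop(client, None)            # handshake completed
        for c, t0 in list(half_open.items()):      # expire stale SYNs
            if p.ts - t0 > window:
                del half_open[c]
        if len(half_open) > threshold and service not in alerted:
            alerted.add(service)
            alerts.append((p.ts, service, len(half_open)))
    return alerts


def sample_trace():
    """Constructed trace: one legitimate connection, a scan of seven ports from
    10.0.0.9, and eight un-acknowledged SYNs to port 80 from 10.0.0.7."""
    pk = [Packet(0.0, "10.0.0.5", 51000, "10.0.0.1", 80, "S"),
          Packet(0.25, "10.0.0.5", 51000, "10.0.0.1", 80, "A")]
    for i, port in enumerate((21, 22, 23, 25, 80, 110, 143)):
        pk.append(Packet(1.0 + i, "10.0.0.9", 40001, "10.0.0.1", port, "S"))
    for i in range(8):
        pk.append(Packet(8.0 + 0.25 * i, "10.0.0.7", 45000 + i, "10.0.0.1", 80, "S"))
    return pk


if __name__ == "__main__":
    trace = sample_trace()
    print("probes:", detect_probes(trace))
    print("syn floods:", detect_syn_floods(trace))
```

Both detectors are stateful per source or per service and expire state by time, which is what keeps memory bounded on a day of traffic; the scanner's single unanswered SYN to port 80 is also counted in the half-open total for that service, which is why the flood alert fires one packet earlier than the threshold alone would suggest.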

This is a joint project involving Telcordia Technologies and SUNY, Stony Brook and is funded by DARPA-ITO.
