Networked information systems play an increasingly important role in critical infrastructures such as power generation and distribution, transportation, commerce, and national security. The continuing spate of security incidents reported by organizations such as CERT Coordination Center demonstrates that in spite of best efforts in securing systems, "hacker" attacks will penetrate even the best defense mechanisms.

To cope with attacks that escape existing prevention mechanisms, new techniques need to be developed that can detect and respond to such attacks. Unfortunately, existing approaches focus primarily on after-the-fact detection of such attacks. Moreover, intrusion response relies primarily on human involvement. These two factors mean that fast-progressing attacks (e.g., programmed attacks) can effect significant damage before any protective response is launched. Recovery from such damage is labor-intensive, and will render the target system unavailable for hours if not days.

This project develops new approaches to automate intrusion responses so that the target system can defend itself from serious damage due to attacks. It will build on our research in specification-based intrusion detection. Key technical components of this project include:

• Specification language enhancements to express response actions,
• Process isolation techniques that ensure that compromised processes do not interfere with the rest of the system, and
• Deception techniques that can provide an illusion of success to attacker while protecting the target the system.