Programmable Adaptive Rapid Reactors


This project was supported by the Defense Advanced Research Projects Agency (DARPA) from 2000 to 2002.

Background

Networks and distributed software systems are bringing about fundamental changes in the way we conduct our commercial, educational and research activities. Critical infrastructures such as banking and commerce, telecommunication, transportation, power distribution and medicine are all becoming increasingly dependent on networked software systems. This has led to a surge of interest in techniques for making network and software systems survivable, so that they can continue to perform their critical functions even in the face of spontaneous faults or coordinated, malicious attacks.

Objective:

Development of a programming environment for rapidly building host-based, real-time responses to known and unknown intrusions. These responses protect host resources against the exploitation of vulnerabilities in applications executing on the host.

Approach:

This project builds on our earlier DARPA-supported project "Survivable Active Networks (SAN)."

The key to building survivable systems is to detect and respond to problems before they impact system functionality or security. In contrast with prior research efforts aimed mainly at post-attack detection, this project takes a new approach aimed at early attack identification, damage prevention and containment.

Assuming physical security of the different components of the information system, the only mechanism for delivering attacks is the stream of network packets arriving at the target host. Moreover, any damage to the system must eventually be effected via the system calls made by the attacked process to obtain services from its operating system environment. Based on these two observations, the approach taken in this project is to specify security-related behaviors (normal or under-attack) of processes or hosts as patterns over sequences of system calls and network packets, in a high-level language called BMSL. The BMSL compiler generates optimized programs that efficiently detect deviations from these specifications and initiate the corresponding responses. These programs are linked with the appropriate runtime environments to produce the system call monitoring system (SMS) and the network-packet monitoring system (NMS), respectively. An attack is identified when a deviation from the specified normal behavior (or conformance with a known attack behavior) is detected. Because it is based on security-relevant behaviors rather than on signatures of known attacks, our approach can protect against unknown attacks. At the same time, it produces few false positives, a property that is critical for automating intrusion response.

In PARR, we develop techniques to address some of the issues that are critical for building practical systems that incorporate responses to intrusions. Some of these issues are:

The key innovations of this project include: (a) an expressive and robust high-level language that simplifies the specification of normal (or under-attack) behaviors of processes and hosts, as well as of the responses to be launched when attacks are detected; (b) compilation algorithms that generate efficient code for checking conformance with specifications; (c) efficient techniques for runtime enforcement of behaviors (and isolation of compromised processes) by interception and modification of process-to-operating-system and host-to-network interactions; and (d) a resource-centric organization of responses.
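The following is an added illustration of the system-call side of the approach described above (specifications of normal behavior and of known attack sequences, checked at the process-to-operating-system boundary, with a response tied to the affected resource). It is written for this page and is not PARR or BMSL code; BMSL's actual syntax and compiler output are not reproduced. The web-server process, its allowed paths and ports, and the system-call trace are all constructed for the example. It demonstrates two kinds of specification side by side: single-call constraints on what a normal process may do (any deviation is flagged, so novel attacks are caught) and a stateful pattern over a sequence of calls for a known attack, a socket dup2'd onto stdin/stdout/stderr followed by execve, the classic remote-shell sequence.

```python
# Added illustration of specification-based system-call monitoring (the SMS idea
# above), written for this page; it is not PARR/BMSL code and does not reproduce
# BMSL syntax. The server profile, paths, ports and the trace are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One intercepted system call: pid, call name, arguments, return value."""
    pid: int
    call: str
    args: tuple = ()
    ret: object = None


@dataclass
class Verdict:
    pid: int
    rule: str       # which specification the event matched or violated
    response: str   # action the runtime would take, tied to the affected resource
    event: Event


# Normal-behaviour specification for a hypothetical web server (constructed).
ALLOWED_OPEN_PREFIXES = ("/var/www/", "/etc/httpd/", "/var/log/httpd/")
ALLOWED_EXEC = ("/usr/bin/php-cgi",)
ALLOWED_CONNECT_PORTS = {3306}          # database back end only


def normal_behaviour(ev: Event) -> Optional[Tuple[str, str]]:
    """Single-call constraints: any deviation counts as an attack on the
    resource named in the call, and the response protects that resource."""
    if ev.call == "open" and not ev.args[0].startswith(ALLOWED_OPEN_PREFIXES):
        return ("open outside served paths", "deny call: return -EACCES")
    if ev.call == "execve" and ev.args[0] not in ALLOWED_EXEC:
        return ("execve of unexpected program", "kill process")
    if ev.call == "connect" and ev.args[1] not in ALLOWED_CONNECT_PORTS:
        return ("connect to unexpected port", "deny call: return -ECONNREFUSED")
    return None


def attack_pattern(ev: Event, st: dict) -> Optional[Tuple[str, str]]:
    """Known-attack sequence spanning several calls: a network socket is dup2'd
    onto stdin/stdout/stderr and the process then calls execve (remote shell).
    The per-process state `st` carries the partially matched pattern."""
    if ev.call in ("accept", "socket"):
        st["sockets"].add(ev.ret)                 # fd returned by the call
    elif ev.call == "close":
        st["sockets"].discard(ev.args[0])
    elif ev.call == "dup2":
        if ev.args[0] in st["sockets"] and ev.args[1] in (0, 1, 2):
            st["stdio_on_socket"] = True
    elif ev.call == "execve" and st["stdio_on_socket"]:
        return ("remote shell: socket bound to stdio before execve",
                "kill process and close socket")
    return None


class Monitor:
    """Runs both specifications over a stream of events, keeping per-process
    state so that sequence patterns can be matched across calls."""

    def __init__(self) -> None:
        self.state: Dict[int, dict] = {}
        self.verdicts: List[Verdict] = []

    def feed(self, ev: Event) -> Optional[Verdict]:
        st = self.state.setdefault(ev.pid, {"sockets": set(), "stdio_on_socket": False})
        # Known-attack patterns are checked first: their response is more specific.
        hit = attack_pattern(ev, st) or normal_behaviour(ev)
        if hit is None:
            return None
        v = Verdict(ev.pid, hit[0], hit[1], ev)
        self.verdicts.append(v)
        return v


def run_trace(events: List[Event]) -> List[Verdict]:
    m = Monitor()
    for ev in events:
        m.feed(ev)
    return m.verdicts


# Constructed trace: pid 101 behaves normally, pid 102 is a shell-spawning
# exploit, pid 103 reads a file the server has no business touching.
SAMPLE_TRACE = [
    Event(101, "accept", (3,), 7),
    Event(101, "open", ("/var/www/index.html",), 8),
    Event(101, "execve", ("/usr/bin/php-cgi",)),
    Event(101, "connect", (9, 3306)),
    Event(101, "close", (7,)),
    Event(102, "accept", (3,), 7),
    Event(102, "dup2", (7, 0)),
    Event(102, "dup2", (7, 1)),
    Event(102, "dup2", (7, 2)),
    Event(102, "execve", ("/bin/sh",)),
    Event(103, "open", ("/etc/shadow",), 5),
]

if __name__ == "__main__":
    for v in run_trace(SAMPLE_TRACE):
        print(f"pid {v.pid}: {v.rule} -> {v.response} (on {v.event.call})")
```

Two points carry over from the approach above. First, the normal-behaviour rules alone would have caught the execve of /bin/sh, since it is not in the allowed set; the known-attack sequence is still worth keeping because its response is more targeted (kill the process and close the socket that delivered the attack) than the generic one. Second, the real cost of this technique is in the specification: an over-tight profile (a path or port the server legitimately needs but the spec omits) produces false positives, and with automated responses a false positive is a self-inflicted denial of service, which is why the low false-positive rate claimed above matters.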