Survivable Active Networks


This project was supported by Defense Advanced Research Projects Agency from 1997 to 2001.

Background

Networks and distributed software systems are bringing about fundamental changes in the way we conduct our commercial, educational and research activities. Critical infrastructures such as banking and commerce, telecommunication, transportation, power distribution and medicine, are all becoming increasingly dependent on networked software systems. This has led to a surge of interest in techniques for making network and software systems survivable so that they can continue to perform their critical functions even in the face of spontaneous faults or coordinated, malicious attacks.

Objective:

To develop techniques to prevent or proactively detect a variety of attacks, initiate responses to contain any damage, track down the attack, and stop it close to its source. Preventive and (automated) response capabilities are necessary to ensure continued availability of mission-critical systems.

Approach:

The key to building survivable systems is to detect and respond to problems before they impact system functionality or security. In contrast with prior research efforts aimed mainly at post-attack detection, this project proposes a new approach aimed at early attack identification, damage prevention and containment, tracing of attack origin, and stopping it close to its source.

Assuming physical security of the different components of the information system, the only mechanism for delivering attacks is the network packets arriving at the target host. Moreover, any damage to the system must eventually be effected via the system calls made by the attacked process to obtain services from its operating system environment. Based on these observations, the approach taken in this project is to specify security-related (normal or under-attack) behaviors of processes or hosts as patterns over sequences of system calls and network packets in a high-level language called ASL. The ASL compiler generates optimized programs for efficient detection of deviations (and initiation of corresponding responses) from these specifications. These programs are linked with appropriate runtime environments to produce the system call monitoring system (SMS) and network-packet monitoring system (NMS) respectively. An attack is identified when a deviation from the specified normal behavior (or conformance with known attack behavior) is detected.
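The following is an added illustration, not code from the project and not the ASL language itself (whose syntax is not given on this page). It shows the detection model the paragraph describes: a specification lists a process's normal system calls and a set of hypothetical under-attack patterns written as ordered sequences of system-call and network-packet events; the patterns are "compiled" into matcher closures and a monitor runs them over an event stream, raising an alert either on a deviation from normal behavior or on conformance with a known attack pattern. The event trace, the normal-behavior set and the two patterns are constructed sample data.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One observed process-to-OS or host-to-network interaction (constructed)."""
    kind: str        # "syscall" or "packet"
    name: str        # syscall name, or protocol for packets
    arg: str = ""    # path/program for syscalls, "direction:port" for packets


@dataclass(frozen=True)
class Pattern:
    """Hypothetical under-attack behavior: an ordered sequence of event steps.
    Each step is (kind, name, regex over arg); steps need not be adjacent."""
    name: str
    steps: tuple
    response: str


def compile_pattern(p):
    """Turn a pattern into a tuple of matcher closures (a tiny stand-in for
    the compilation step; the real ASL compiler is far more elaborate)."""
    matchers = []
    for kind, name, arg_re in p.steps:
        rx = re.compile(arg_re)
        matchers.append(lambda e, k=kind, n=name, rx=rx:
                        e.kind == k and e.name == n and rx.search(e.arg) is not None)
    return tuple(matchers)


class Monitor:
    """Runs the compiled specification over a stream of events (SMS + NMS in one)."""

    def __init__(self, normal_syscalls, patterns):
        self.normal = frozenset(normal_syscalls)
        self.compiled = [(p, compile_pattern(p)) for p in patterns]
        self.progress = [0] * len(patterns)   # next step awaited per pattern
        self.alerts = []

    def observe(self, event):
        # Deviation from the specified normal behavior of this process
        if event.kind == "syscall" and event.name not in self.normal:
            self.alerts.append(("deviation",
                                f"unexpected syscall {event.name}({event.arg})",
                                "isolate-process"))
        # Conformance with a known attack behavior
        for i, (p, matchers) in enumerate(self.compiled):
            if matchers[self.progress[i]](event):
                self.progress[i] += 1
                if self.progress[i] == len(matchers):
                    self.alerts.append(("attack", p.name, p.response))
                    self.progress[i] = 0
        return self.alerts


def run_monitor(trace, normal_syscalls, patterns):
    m = Monitor(normal_syscalls, patterns)
    for e in trace:
        m.observe(e)
    return m.alerts


# Constructed specification for a hypothetical static web server
WEB_SERVER_NORMAL = {"accept", "read", "write", "open", "close"}

PATTERNS = [
    Pattern("sensitive-read-then-outbound-connect",
            (("syscall", "open", r"^/etc/(shadow|passwd)$"),
             ("packet", "tcp", r"^out:")),
            "isolate-process"),
    Pattern("shell-spawn",
            (("syscall", "execve", r"/bin/(sh|bash)$"),),
            "isolate-process"),
]

# Constructed trace: six benign events, then behavior the spec does not allow
SAMPLE_TRACE = [
    Event("packet", "tcp", "in:80"),
    Event("syscall", "accept"),
    Event("syscall", "open", "/var/www/index.html"),
    Event("syscall", "read"),
    Event("syscall", "write"),
    Event("syscall", "close"),
    Event("syscall", "open", "/etc/shadow"),
    Event("syscall", "read"),
    Event("packet", "tcp", "out:4444"),
    Event("syscall", "execve", "/bin/sh"),
]

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_TRACE, WEB_SERVER_NORMAL, PATTERNS):
        print(alert)
```

On the sample trace the first six events produce no alert; the open of `/etc/shadow` followed by an outbound connection completes the first pattern, and the `execve` is reported twice, once as a deviation from the normal set and once as a match of the second pattern. Each alert carries the response the specification attached to it, which is where the isolation mechanism of the next paragraph would be invoked.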

The simplest response to an attack is to deny the attacker any access to the system. Instead, this project provides the option of continued access, but ensures that the compromised process is run in an isolated environment where it cannot damage the rest of the system. If the attackers think that they are being successful, they would continue on, thus providing an opportunity to observe and track them down. The isolation mechanisms are built as a software layer that intercepts process-to-OS interactions (and in some cases, host-to-network interactions) and modifies them as needed to ensure the integrity of the rest of the system.
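As an added example (not the project's isolation layer, which interposes on real process-to-OS interactions), the following Python class simulates the interception idea: a compromised process's file opens are routed through a wrapper that redirects writes into a private shadow tree with copy-on-write semantics, and later reads from that process see the modified copy. The process therefore observes its changes "succeeding" while the real filesystem is untouched. The `IsolationLayer` class, the two temporary directories standing in for the host filesystem and the isolation root, and the file contents are all constructed for the illustration.

```python
import io
import os
import shutil
import tempfile


class IsolationLayer:
    """Hypothetical interception layer for one isolated (compromised) process.

    Writes are redirected into shadow_root (copied from real_root on first
    write); reads prefer the shadow copy so the process sees a consistent,
    modified view. The real tree under real_root is never written."""

    def __init__(self, real_root, shadow_root):
        self.real_root = real_root
        self.shadow_root = shadow_root
        self.log = []    # what the layer did, for the operator tracking the intruder

    def _real_path(self, path):
        return os.path.join(self.real_root, path.lstrip("/"))

    def _shadow_path(self, path):
        return os.path.join(self.shadow_root, path.lstrip("/"))

    def open(self, path, mode="r"):
        real, shadow = self._real_path(path), self._shadow_path(path)
        writing = any(c in mode for c in "wa+x")
        if writing:
            # Copy-on-write: materialize a private copy before the first write
            os.makedirs(os.path.dirname(shadow), exist_ok=True)
            if not os.path.exists(shadow) and os.path.exists(real):
                shutil.copyfile(real, shadow)
            self.log.append(("redirect-write", path))
            return io.open(shadow, mode)
        if os.path.exists(shadow):
            # The process reads back its own modifications
            self.log.append(("read-shadow", path))
            return io.open(shadow, mode)
        self.log.append(("read-real", path))
        return io.open(real, mode)


def demo():
    """Constructed scenario: an isolated process modifies /etc/passwd."""
    real_root = tempfile.mkdtemp(prefix="real-")
    shadow_root = tempfile.mkdtemp(prefix="jail-")
    try:
        os.makedirs(os.path.join(real_root, "etc"))
        real_passwd = os.path.join(real_root, "etc", "passwd")
        with io.open(real_passwd, "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")

        layer = IsolationLayer(real_root, shadow_root)
        # The compromised process appends an entry ...
        with layer.open("/etc/passwd", "a") as f:
            f.write("added-by-intruder:x:1001:1001::/tmp:/bin/sh\n")
        # ... and later reads the file back
        with layer.open("/etc/passwd") as f:
            seen_by_process = f.read()
        with io.open(real_passwd) as f:
            real_content = f.read()
        return {
            "process_sees_change": "added-by-intruder" in seen_by_process,
            "real_modified": "added-by-intruder" in real_content,
            "log": list(layer.log),
        }
    finally:
        shutil.rmtree(real_root)
        shutil.rmtree(shadow_root)


if __name__ == "__main__":
    print(demo())
```

The log kept by the layer is the observation channel the paragraph alludes to: every redirected write records what the intruder attempted, without any of it reaching the real system.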

In a distributed environment, this project uses active networking technology to trace the source of attacks, and then isolate the offending hosts or sites from the rest of the network. The coordination among the host-based and network-based components will be implemented using the CIDF framework.

The key innovations of this project include: (a) an expressive and robust high-level language that simplifies specification of normal (or under-attack) behaviors of processes and hosts, (b) compilation algorithms for generating efficient code for detecting conformance with specifications, (c) efficient techniques for runtime enforcement of behaviors (and isolation of compromised processes) by interception and modification of process-to-operating-system and host-to-network interactions, and (d) use of active networking technology for identification and isolation of the attack source.