A New Approach for Securing Systems Using Automated Adaptive Intrusion Response

使用自动自适应入侵响应保护系统安全的新方法

• 批准号: 0208877
• 负责人: Ramasubramanian Sekar
• 金额: --
• 依托单位: SUNY at Stony Brook
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2002
• 资助国家: 美国
• 起止时间: 2002-08-01 至 2007-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0208877&HistoricalAwards=false
• 关键词: New; Approach; Securing; Systems; Using

Networked information systems play an increasingly important role in critical infrastructures such as power generation and distribution, transportation, commerce, and national security. The continuing spate of security incidents reported by organizations such as CERT Coordination Center demonstrates that in spite of best efforts in securing systems, "hacker" attacks will penetrate even the best defense mechanisms. To cope with such attacks, new techniques need to be developed that can detect and respond to such attacks. Unfortunately, existing approaches focus primarily on after-the-fact detection of such attacks. Moreover, intrusion response relies primarily on human involvement. These two factors mean that fast-progressing attacks (e.g., programmed attacks) can effect significant damage before any protective response is launched. Recovery from such damage is labor-intensive, and will render the target system unavailable for hours if not days. This project will develop new approach that automates intrusion responses so that the target system can defend itself from serious damage due to attacks. It will build on the proposer's successful research in specification-based intrusion detection. Key technical components of this project include: specification language enhancements to express response actions, techniques for isolating compromised processes so that they do not interfere with the rest of the system, and deception techniques that can provide an illusion of success to attacker while protecting the target the system.

网络信息系统在发电和配电、交通、商业和国家安全等关键基础设施中发挥着越来越重要的作用。CERT协调中心等组织报告的持续不断的安全事件表明，尽管在保护系统方面做出了最大的努力，但“黑客”攻击甚至会渗透到最好的防御机制中。为了科普这种攻击，需要开发能够检测和响应这种攻击的新技术。不幸的是，现有的方法主要集中在事后检测这种攻击。此外，入侵响应主要依赖于人的参与。这两个因素意味着快速进展的攻击（例如，程序化攻击）可以在任何保护性反应启动之前造成重大损害。从这种损坏中恢复是一项劳动密集型工作，并且会使目标系统在数小时内（如果不是数天的话）不可用。该项目将开发新的方法，自动入侵响应，使目标系统可以保护自己免受攻击造成的严重损害。它将建立在提出者的成功研究，基于规范的入侵检测。该项目的关键技术组件包括：规范语言增强以表达响应动作，隔离受损进程的技术，使它们不会干扰系统的其余部分，以及欺骗技术，可以在保护目标系统的同时为攻击者提供成功的假象。