SBIR Phase I: A New Approach for Effective Detection of Cyber Attacks Based on Anomalous Program Behaviors

SBIR第一阶段：基于异常程序行为的有效检测网络攻击的新方法

• 批准号: 0232877
• 负责人: Umamaheswari Ganapathy
• 金额: $ 10万
• 依托单位: Immunet Security Solutions, Incorporated
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2003
• 资助国家: 美国
• 起止时间: 2003-01-01 至 2003-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0232877&HistoricalAwards=false
• 关键词: SBIR; Phase; New; Approach; Effective

This Small Business Innovation Research (SBIR) Phase I project focuses on the development of an Intrusion Detection System (IDS) based on recognizing anomalous system call patterns via finite state machines. Networked information systems play critical roles in essential infrastructures such as power generation and distribution, transportation, commerce, and national security. The continuing spate of security incidents from the CERT Coordination Center (the CERT/CC was originally the Computer Emergency Response Team) demonstrates that existing approaches for securing systems against cyber attacks are not effective. These approaches are focused almost exclusively on previously exploited vulnerabilities, and offer no protection against attacks that may exploit countless (as-yet-undiscovered) vulnerabilities that continue to exist on the target systems. Whereas current threats are largely attributed to unskilled hackers (script kiddies), the future holds the threat of rapid escalation of cyber-warfare, cyber-terrorism and cyber-crime. Attackers in these cases are highly skilled, organized and well funded, and can develop new kinds of attacks very quickly. Thus there is an urgent need for developing approaches that can protect against unknown attacks launched by highly skilled attackers. In previous research conducted at SUNY, Stony Brook, the key personnel have developed a new approach for securing systems against unknown attacks. Immunet Security's approach is based on a new algorithm for learning program behaviors using finite-state automata models and detecting attacks as deviations from this model. The approach has been show to be very effective in detecting known as well as unknown attacks and produces significantly fewer false alarms than previous approaches. This proposal seeks to develop the approach into a commercial intrusion detection system (IDS). The market for commercial Intrusion Detection Systems (IDS) is large, running into billions of dollars, and is growing fast. Given the market for IDS and the heightened national interest in security, this technology offers the possibility of more sensitive detection than currently exists.

这个小型企业创新研究（SBIR）第一阶段项目的重点是通过有限状态机识别异常系统调用模式的基础上开发的入侵检测系统（IDS）。 网络信息系统在发电和配电、交通、商业和国家安全等重要基础设施中发挥着关键作用。 CERT协调中心（CERT/CC最初是计算机应急响应小组）持续发生的安全事件表明，现有的保护系统免受网络攻击的方法并不有效。 这些方法几乎完全集中在以前利用的漏洞上，并且没有提供针对可能利用目标系统上继续存在的无数（尚未发现的）漏洞的攻击的保护。 虽然目前的威胁主要归因于不熟练的黑客（脚本小子），但未来的威胁是网络战争，网络恐怖主义和网络犯罪的迅速升级。 在这些情况下，攻击者技术高超，组织严密，资金充足，可以非常迅速地开发新的攻击类型。 因此，迫切需要开发能够抵御由高技能攻击者发起的未知攻击的方法。 在纽约州立大学斯托尼布鲁克分校以前进行的研究中，关键人员开发了一种新的方法来保护系统免受未知攻击。Immunet Security的方法基于一种新的算法，该算法使用有限状态自动机模型学习程序行为，并检测攻击是否偏离该模型。该方法已被证明是非常有效的检测已知以及未知的攻击，并产生显着减少误报比以前的方法。 该建议旨在将该方法发展成商业入侵检测系统（IDS）。 商业入侵检测系统（IDS）的市场规模很大，达到数十亿美元，并且正在快速增长。 鉴于入侵检测系统的市场和国家对安全的高度关注，这项技术提供了比目前更敏感的检测的可能性。