Automated Intrusion Response for Distributed Applications

Research Areas: Network Security,

Principal Investigator: Saurabh Bagchi; Eugene Spafford

Distributed systems comprising multiple services interacting among themselves to provide end-user functions are becoming an increasingly important platform. Many of the platforms, such as distributed e-commerce systems, have huge financial stakes involved in them. This has long led to interest in securing distributed systems through detection of intrusions and of late, through automated responses to intrusions. The rudimentary response mechanisms often bundled with anti-virus or intrusion detection system (IDS) products overwhelmingly consider only immediate local responses that are directly suggested by the detected symptom. For example, anti-virus software can restrict access to virus infected files. For distributed systems with exponentially growing number of interaction effects among multiple components, pre-configuring these static pairs of detector alarm and response is laborious and can be shown to have inferior runtime performance due to the dynamic workload on the system and the changing nature of attacks.

Our model for the target attack is an external multi-stage attack which first compromises the services that have external interfaces and subsequently compromises internal services. We have developed a system called ADEPTS to reason about the global optimality of a chosen set of responses in a distributed system of interacting services. The optimality criterion takes into account the impact of a deployed response on the services in the system and the impact of not deploying a response which could result in further spread of the attack. This framework is probabilistic since the future spread of the attack and the effectiveness of a response are unknowns and can only be estimated. The optimality of a response set is a global or system-wide property and thus optimizing the response choice on each compromised service individually as seen in prior work may not be sufficient. The reason behind this is that there exist dependencies between responses available at the different services. For example, blocking all traffic from a specific subnet at the ingress point will make it redundant to impose restrictions at an internal service on traffic from a host within the subnet. Also the effectiveness of a response depends on the time to deploy the response, which may be impacted by the presence or absence of other responses.

We prove that solving the optimal response determination problem is NP-hard. This is fundamentally because of the dependencies that exist between responses and between services in a distributed system. To solve the approximate problem, we use genetic algorithm (GA) based search through the universe of possible responses. As multiple attack instances of an attack type or its variants are seen, ADEPTS updates the effectiveness of the deployed responses and the quality of the chromosome pool used to initiate the GA-based search. Thus, ADEPTS adapts to provide better responses as history builds up in the system. ADEPTS can respond to attack variants through an approximate graph matching algorithm and population of chromosomes from the approximate match.

In more recent work, we have developed ADEPTS to respond to zero-day attacks, i.e., attacks whose signatures are not even approximately known to the system. ADEPTS conceptualizes the steps behind the zero-day attacks, i.e., identifies the concept behind each attack step rather than the mechanism of the step (which is likely unknown for a zero-day attack). Through this, it can find similarities between the zero-day attack and previously seen attacks and then apply the learning to identify optimal responses for the previously seen attacks in order to select optimal responses for the zero-day attack as well.

Personnel

  • Gaspar Howard
  • Abhisek Pan

Keywords: intrusion response, attack, automated, ADEPTS