The Center for Education and Research in Information Assurance and Security (CERIAS)

On Preventing Intrusions by Process Behavior Monitoring

Author

R. Sekar, T. Bowen, M. Segal

Entry type

techreport

Abstract

Society's increasing reliance on networked information systems to support critical infrastructures has prompted interest in making these information systems survivable, so that they can continue to perform critical functions even in the presence of vulnerabilities susceptible to malicious attacks. To achieve this, it is necessary to detect attacks and isolate failures resulting from attacks before they damage the system by impacting functionality, performance or security. The key research problems in this context include:

* detecting in-progress attacks before they cause damage, as opposed to detecting attacks after they have succeeded,
* localizing and/or minimizing damage by isolating attacked components in real time, and
* tracing the origin of attacks.

We address the detection problem by real-time event monitoring and comparison against events known to be unacceptable. Real-time detection differentiates our approach from previous works that focus on intrusion detection by post-attack evidence analysis. We address the isolation and tracing problems by supporting automatic initiation of reactions. Reactions are programs that we develop to respond to attacks. A reaction's primary goal is to isolate compromised components and prevent them from damaging other components. A reaction's secondary goal is to aid in tracing the origin of an attack, e.g., by providing an illusion of success to the attackers (enticing them to continue the attack) while ensuring that the attack causes no damage. Our approach to detecting attacks is based on specifying permissible process behaviors as logical assertions on sequences of system calls and conditions on the values of system call arguments. We compile the specifications into finite state automata for efficient runtime detection of deviations from the specified (and hence permissible) behavior. We seamlessly integrate detection and reaction by designing our specification language to also allow specification of reactions.
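The abstract describes permissible behavior as a finite state automaton over system calls whose transitions also carry conditions on argument values, with a reaction triggered the moment a process deviates. The following is an added toy illustration of that idea, written for this entry; it is not code from the report or from the authors, and it does not use their specification language. The automaton, the hypothetical "log reader" specification, the `isolate` reaction and all four traces are constructed for the example.

```python
"""Toy process-behavior monitor in the spirit of the approach described above.

Permissible behavior for a hypothetical helper process is given as a finite
state automaton over system calls; each transition also carries a predicate on
the call's argument values. A call with no matching transition is a deviation,
and a reaction program is invoked before the call takes effect. Every name and
trace here is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Args = Tuple
Predicate = Callable[[Args], bool]


@dataclass(frozen=True)
class Syscall:
    name: str
    args: Args


@dataclass
class Automaton:
    """Specification: states, plus per-state transitions keyed by system-call
    name together with a condition on that call's arguments."""
    start: str
    accepting: Set[str]
    transitions: Dict[str, List[Tuple[str, Predicate, str]]] = field(default_factory=dict)

    def add(self, src: str, name: str, pred: Predicate, dst: str) -> None:
        self.transitions.setdefault(src, []).append((name, pred, dst))

    def step(self, state: str, call: Syscall) -> Optional[str]:
        """Next state if the call is permitted in this state, else None."""
        for name, pred, dst in self.transitions.get(state, []):
            if name == call.name and pred(call.args):
                return dst
        return None


@dataclass
class Verdict:
    ok: bool                        # trace fully matched the specification
    deviation: Optional[Syscall]    # first call that no transition accepts
    reaction: Optional[str]         # what the reaction program decided


def isolate(call: Syscall) -> str:
    """Stand-in for a reaction program (hypothetical). It only records the
    decision: deny the offending call, report success to the monitored process
    so it keeps running under observation, and flag the event for tracing."""
    return f"deny {call.name}{call.args}; report success to process; flag for tracing"


def monitor(spec: Automaton, trace: List[Syscall], react: Callable[[Syscall], str]) -> Verdict:
    """Run the automaton over a system-call trace; react on the first deviation."""
    state = spec.start
    for call in trace:
        nxt = spec.step(state, call)
        if nxt is None:
            return Verdict(False, call, react(call))   # detected before the call does damage
        state = nxt
    # Only permitted calls so far, but the process may not have finished yet:
    # that is an incomplete trace, not an attack, so no reaction is triggered.
    return Verdict(state in spec.accepting, None, None)


def build_log_reader_spec() -> Automaton:
    """Hypothetical specification: the helper may open one file under /var/log
    read-only, read it in bounded chunks, close it, and exit. Nothing else."""
    spec = Automaton(start="init", accepting={"done"})
    spec.add("init", "open", lambda a: a[0].startswith("/var/log/") and a[1] == "O_RDONLY", "opened")
    spec.add("opened", "read", lambda a: 0 < a[1] <= 65536, "opened")
    spec.add("opened", "close", lambda a: True, "closed")
    spec.add("closed", "exit", lambda a: True, "done")
    return spec


# Constructed traces (not captured from any real system).
TRACES: Dict[str, List[Syscall]] = {
    "benign": [
        Syscall("open", ("/var/log/syslog", "O_RDONLY")),
        Syscall("read", (3, 4096)),
        Syscall("read", (3, 4096)),
        Syscall("close", (3,)),
        Syscall("exit", (0,)),
    ],
    # Right call sequence, wrong argument: the path condition rejects it.
    "wrong_file": [
        Syscall("open", ("/etc/shadow", "O_RDONLY")),
    ],
    # Permitted prefix, then a call the specification never allows.
    "spawns_shell": [
        Syscall("open", ("/var/log/syslog", "O_RDONLY")),
        Syscall("read", (3, 4096)),
        Syscall("execve", ("/bin/sh", ("-i",))),
    ],
    # Permitted calls only, but the process has not reached an accepting state.
    "incomplete": [
        Syscall("open", ("/var/log/syslog", "O_RDONLY")),
        Syscall("read", (3, 4096)),
    ],
}


def check(trace_name: str) -> Verdict:
    return monitor(build_log_reader_spec(), TRACES[trace_name], isolate)


if __name__ == "__main__":
    for name in TRACES:
        print(name, check(name))
```

The argument predicates are what separate this from plain sequence matching: the `wrong_file` trace has exactly the call the specification expects first, and is still stopped at that call because the path condition fails. The `incomplete` trace shows the other distinction worth keeping in a real monitor: a process that has so far only made permitted calls is not flagged, it is simply not yet finished.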

Key alpha

Sekar

Note

Supported by Defense Advanced Research Agency's Information Technology Office (DARPA-ITO) under the Information System Survivability Program

Affiliation

Iowa State University, Bellcore

Publication Date

2001-01-01

Language

English
