A New Approach for Securing Systems Using Automated Adaptive Intrusion Response

使用自动自适应入侵响应保护系统安全的新方法

• 批准号: 0208877
• 负责人: Ramasubramanian Sekar
• 金额: --
• 依托单位: SUNY at Stony Brook
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2002
• 资助国家: 美国
• 起止时间: 2002-08-01 至 2007-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0208877&HistoricalAwards=false
• 关键词: New; Approach; Securing; Systems; Using

Networked information systems play an increasingly important role in critical infrastructures such as power generation and distribution, transportation, commerce, and national security. The continuing spate of security incidents reported by organizations such as CERT Coordination Center demonstrates that in spite of best efforts in securing systems, "hacker" attacks will penetrate even the best defense mechanisms. To cope with such attacks, new techniques need to be developed that can detect and respond to such attacks. Unfortunately, existing approaches focus primarily on after-the-fact detection of such attacks. Moreover, intrusion response relies primarily on human involvement. These two factors mean that fast-progressing attacks (e.g., programmed attacks) can effect significant damage before any protective response is launched. Recovery from such damage is labor-intensive, and will render the target system unavailable for hours if not days. This project will develop new approach that automates intrusion responses so that the target system can defend itself from serious damage due to attacks. It will build on the proposer's successful research in specification-based intrusion detection. Key technical components of this project include: specification language enhancements to express response actions, techniques for isolating compromised processes so that they do not interfere with the rest of the system, and deception techniques that can provide an illusion of success to attacker while protecting the target the system.

网络信息系统在发电和配电、交通、商业和国家安全等关键基础设施中发挥着越来越重要的作用。 CERT 协调中心等组织报告的持续大量安全事件表明，尽管尽最大努力保护系统安全，但“黑客”攻击仍会渗透到最好的防御机制。为了应对此类攻击，需要开发能够检测和响应此类攻击的新技术。不幸的是，现有方法主要关注此类攻击的事后检测。此外，入侵响应主要依赖于人的参与。这两个因素意味着快速进展的攻击（例如程序化攻击）可能会在启动任何保护响应之前造成重大损害。从此类损坏中恢复需要耗费大量人力，并且会使目标系统在数小时（甚至数天）内不可用。该项目将开发自动执行入侵响应的新方法，以便目标系统能够防御攻击造成的严重损害。它将建立在提议者在基于规范的入侵检测方面的成功研究的基础上。该项目的关键技术组件包括：表达响应操作的规范语言增强、隔离受损进程以使其不干扰系统其余部分的技术以及可以在保护目标的同时为攻击者提供成功假象的欺骗技术系统。