One size does not fit all: 10 years of applying context-aware security

Defenders of today's critical cyber-infrastructure (e.g., the Internet) are equipped with a wide array of security techniques, including network-based intrusion detection systems (IDS), host-based anti-virus systems (AV), and decoy or reconnaissance systems such as host-based honeypots or network-based telescopes. While these tools are effective at detecting and mitigating some of the threats posed to critical infrastructure, the ubiquitous nature of malicious activity (e.g., phishing, spam, DDoS) on the Internet indicates that their current deployments do not fully live up to their promise. Over the past 10 years, our research group has investigated ways of detecting and stopping cyber-attacks by using the context available in the network, the host, and the environment. In this paper, we explain what exactly we mean by context, why it is difficult to measure, and what one can do with context when it is available. We illustrate these points by examining several studies in which context was used to enable or enhance new security techniques. We conclude with some ideas about the future of context-aware security.
