Feedback control applied to survivability: a host-based autonomic defense system

We address the problem of information system survivability, that is, dynamically preserving intended functionality and computational performance in the face of malicious intrusive activity. A feedback control approach is proposed which enables tradeoffs between the failure cost of a compromised information system and the maintenance cost of ongoing defensive countermeasures. Online implementation features an inexpensive computation architecture consisting of a sensor-driven recursive estimator followed by an estimate-driven response selector. Offline design features a systematic empirical procedure utilizing a suite of mathematical modeling and numerical optimization tools. The engineering challenge is to generate domain models and decision strategies offline via tractable methods, while achieving online effectiveness. We illustrate the approach with experimentation results for a prototype autonomic defense system which protects its host, a Linux-based web server, against an automated Internet worm attack. The overall approach applies to other types of computer attacks, network-level security and other domains which could benefit from automatic decision-making based on a sequence of sensor measurements.
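The online loop described above, a recursive estimator feeding a response selector that weighs failure cost against countermeasure cost, as an added illustration that is not the paper's own model or code. It assumes a two-state host (healthy or compromised), a binary alarm sensor with constructed detection and false-alarm rates, and a myopic one-step cost rule in place of the paper's offline numerical optimization.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Model:
    # Constructed parameters for a two-state host model: healthy or compromised.
    p_attack: float   # per-step chance a healthy host becomes compromised
    p_detect: float   # P(sensor alarm | compromised)
    p_false: float    # P(sensor alarm | healthy)
    c_fail: float     # per-step cost of operating while compromised
    c_defend: float   # cost of one defensive response (e.g. restore from clean image)

def belief_update(b: float, alarm: bool, m: Model) -> float:
    """Recursive Bayesian estimate of P(compromised) after one sensor reading."""
    # Predict: a healthy host may have been compromised since the last reading.
    b_pred = b + (1.0 - b) * m.p_attack
    # Correct: reweight by the likelihood of the observed sensor output.
    like_bad = m.p_detect if alarm else 1.0 - m.p_detect
    like_good = m.p_false if alarm else 1.0 - m.p_false
    num = b_pred * like_bad
    return num / (num + (1.0 - b_pred) * like_good)

def select_response(b: float, m: Model) -> str:
    """Myopic cost comparison: defend when expected failure cost exceeds response cost."""
    return "defend" if b * m.c_fail > m.c_defend else "monitor"

def run_loop(alarms: List[bool], m: Model) -> List[Tuple[float, str]]:
    """Estimator followed by response selector, one iteration per sensor reading."""
    b, trace = 0.0, []
    for alarm in alarms:
        b = belief_update(b, alarm, m)
        action = select_response(b, m)
        trace.append((b, action))
        if action == "defend":
            b = 0.0  # assumption: the response restores a known-good host
    return trace

if __name__ == "__main__":
    model = Model(p_attack=0.02, p_detect=0.8, p_false=0.1, c_fail=50.0, c_defend=10.0)
    # Constructed sensor trace: two quiet readings, an isolated alarm, quiet, then alarm.
    for belief, action in run_loop([False, False, True, False, True], model):
        print(f"P(compromised)={belief:.3f} -> {action}")
```

With these constructed costs the selector acts once the belief exceeds c_defend / c_fail = 0.2, so a single isolated alarm is tolerated while a second alarm shortly after it triggers a response.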
