AWDRAT: A Cognitive Middleware System for Information Survivability

The infrastructure of modern society is controlled by software systems that are vulnerable to attacks. Many such attacks, launched by "recreational hackers", have already led to severe disruptions and significant cost. It is therefore critical that we find ways to protect such systems and to enable them to continue functioning even after a successful attack. This article describes AWDRAT, a prototype middleware system for providing survivability to both new and legacy applications. AWDRAT stands for architectural differencing, wrappers, diagnosis, recovery, adaptive software, and trust modeling. AWDRAT uses these techniques to gain visibility into the execution of an application system and to compare the application's actual behavior to the behavior that is expected. In the case of a deviation, AWDRAT conducts a diagnosis that determines which computational resources are likely to have been compromised and then adds these assessments to its trust model. The trust model in turn guides the recovery process, particularly by guiding the system in its choice among functionally equivalent methods and resources. AWDRAT has been applied to and evaluated on an example application system, a graphical editor for constructing mission plans. We describe a series of experiments that were performed to test the effectiveness of AWDRAT in recognizing and recovering from simulated attacks, and we present data showing the effectiveness of AWDRAT in detecting a variety of compromises to the application system (approximately 90 percent of all simulated attacks are detected, diagnosed, and corrected). We also summarize some lessons learned from the AWDRAT experiments and suggest approaches for comprehensive application protection methods and techniques.
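The loop the abstract describes (a wrapper observes a call, architectural differencing compares the actual result with an expected-behavior model, a deviation is diagnosed onto the resource the method depended on, the trust model is updated, and recovery re-dispatches to a functionally equivalent method) can be made concrete in a few dozen lines. The following Python sketch is an added illustration, not code from the AWDRAT project or from the paper; every class, function and resource name in it is hypothetical, the "sort waypoints" operation stands in for any editor operation with several equivalent implementations, and the tampered implementation and sample inputs are constructed to simulate one compromised resource.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass
class TrustModel:
    """Per-resource belief (0..1) that the resource is uncompromised.
    Diagnosis lowers the belief of implicated resources; recovery consults it."""
    trust: Dict[str, float]

    def penalize(self, resource: str, factor: float = 0.5) -> None:
        self.trust[resource] = self.trust[resource] * factor

    def rank(self, resources: Sequence[str]) -> List[str]:
        # Most trusted first; the sort is stable, so ties keep declaration order.
        return sorted(resources, key=lambda r: -self.trust[r])


@dataclass
class Method:
    name: str
    resource: str                                   # resource the method depends on
    impl: Callable[[List[int]], List[int]]          # one of several equivalent implementations


@dataclass
class SurvivableCall:
    """Wrapper around a set of functionally equivalent methods.

    invoke() intercepts the call, compares actual to expected behaviour
    (architectural differencing), records a diagnosis against the resource of a
    deviating method, updates the trust model, and recovers by re-dispatching to
    the next most trusted equivalent method."""
    methods: List[Method]
    expected: Callable[[List[int], List[int]], bool]
    trust: TrustModel
    diagnoses: List[Tuple[str, str]] = field(default_factory=list)

    def invoke(self, data: List[int]) -> Tuple[List[int], str]:
        by_resource = {m.resource: m for m in self.methods}
        for resource in self.trust.rank(list(by_resource)):
            method = by_resource[resource]
            actual = method.impl(list(data))        # copy: a method must not alter the input
            if self.expected(data, actual):
                return actual, method.name
            # Deviation observed: implicate the resource this method relied on.
            self.diagnoses.append((method.name, method.resource))
            self.trust.penalize(method.resource)
        raise RuntimeError("no functionally equivalent method behaved as expected")


def sorted_permutation(inputs: List[int], outputs: List[int]) -> bool:
    """Expected-behaviour model for 'sort waypoints': the output is a
    non-decreasing permutation of the input. Stated independently of any
    implementation so that a compromised one cannot satisfy it by accident."""
    return (Counter(inputs) == Counter(outputs)
            and all(a <= b for a, b in zip(outputs, outputs[1:])))


def insertion_sort(xs: List[int]) -> List[int]:
    """Correct implementation backed by the hypothetical 'pure-python' resource."""
    out: List[int] = []
    for x in xs:
        i = len(out)
        while i > 0 and out[i - 1] > x:
            i -= 1
        out.insert(i, x)
    return out


def tampered_native_sort(xs: List[int]) -> List[int]:
    """Constructed stand-in for a compromised 'libsort' resource: it silently
    drops the largest waypoint, which the expected-behaviour model rejects."""
    return sorted(xs)[:-1]


def build_demo() -> SurvivableCall:
    """Two equivalent methods with equal prior trust; libsort is declared first."""
    trust = TrustModel({"libsort": 0.9, "pure-python": 0.9})
    methods = [
        Method("native_sort", "libsort", tampered_native_sort),
        Method("insertion_sort", "pure-python", insertion_sort),
    ]
    return SurvivableCall(methods, sorted_permutation, trust)


if __name__ == "__main__":
    call = build_demo()
    print(call.invoke([3, 1, 2]))   # first call: libsort deviates, recovery uses insertion_sort
    print(call.diagnoses)           # [('native_sort', 'libsort')]
    print(call.invoke([5, 4]))      # libsort now ranks lower, so it is not tried again
```

On the first call the wrapper tries the libsort-backed method, sees an output that is not a permutation of the input, records the diagnosis, halves libsort's trust and recovers through the pure-Python equivalent. On later calls the trust model ranks the pure-Python method first, so the suspect resource is no longer exercised; this is the sense in which the trust model guides the choice among functionally equivalent methods rather than merely logging the incident.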
