Learning unknown attacks - a start

Since it is essentially impossible to write large-scale software without errors, any intrusion-tolerant system must tolerate rapid, repeated unknown attacks without exhausting its redundancy. Our system provides continued application services to critical users while under attack, with a goal of less than 25% degradation of productivity. Initial experimental results are promising, but it is not yet a general, open solution. Specification-based behavior sensors (allowable actions, objects, and QoS) detect attacks. The system learns unknown attacks by relying on two characteristics of network-accessible software faults: attacks that exploit them must be repeatable (at least in a probabilistic sense), and, once known, attacks can be stopped at component boundaries. Random rejuvenation limits the scope of undetected errors. The current system learns and blocks single-stage unknown attacks against a protected web server by searching and testing service history logs in a sandbox after a successful attack. We also have an initial class-based attack generalization technique that stops web server buffer overflow attacks. We are working to extend both techniques.
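The following is an added illustration of the two ideas in the abstract, not code from the paper or its system: (1) after a successful attack, replay the service history log request by request against a sandboxed copy of the server and let specification-based sensors identify the one request that is repeatably responsible, and (2) generalize that single request into a class-based rule ("oversized value for this parameter of this object") that is enforced at the component boundary, so that variants with different payload bytes are also blocked. The log lines, the specification (allowed methods, objects, buffer size) and the in-process "sandbox" are all constructed stand-ins; a real deployment would replay against an isolated server instance and read its sensors.

```python
"""Added example (not the paper's code): learn a single-stage attack from a
service history log by sandbox replay, then generalize it class-wise."""
from urllib.parse import parse_qsl

# Constructed service history: one request line per entry, in arrival order.
# The third entry is the constructed overflow that took the real server down.
HISTORY_LOG = [
    "GET /index.html HTTP/1.0",
    "GET /cgi-bin/search?q=intrusion+tolerance HTTP/1.0",
    "GET /cgi-bin/search?q=" + "A" * 600 + " HTTP/1.0",
    "GET /about.html HTTP/1.0",
]

# Hypothetical behavior specification for the sandboxed web server:
# allowable actions, allowable objects, and a QoS/resource bound standing in
# for the fixed-size argument buffer of the CGI program.
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_OBJECTS = {"/index.html", "/about.html", "/cgi-bin/search"}
BUFFER_BYTES = 256


def parse_request(line):
    """Split 'METHOD /path?query HTTP/x.y' into method, path, [(key, value)]."""
    method, target, _version = line.split(" ", 2)
    path, _sep, query = target.partition("?")
    return method, path, parse_qsl(query, keep_blank_values=True)


def sandbox_violates_spec(line):
    """Stand-in for replaying one request in the sandbox and asking the
    sensors whether the specification was violated. Deterministic here, which
    is the 'repeatable' property the learning step depends on."""
    method, path, args = parse_request(line)
    if method not in ALLOWED_METHODS or path not in ALLOWED_OBJECTS:
        return True
    return any(len(value) > BUFFER_BYTES for _key, value in args)


def learn_attack(history):
    """Search the history for the first request whose replay trips the
    sensors. Returns (index, line), or None when no single request reproduces
    the failure (multi-stage or non-repeatable attacks are out of scope)."""
    for index, line in enumerate(history):
        if sandbox_violates_spec(line):
            return index, line
    return None


def generalize_overflow(history, attack_index):
    """Class-based generalization: the attacking request names the object and
    the parameter(s) whose value overflowed; the longest benign value seen for
    that parameter elsewhere in the history becomes the enforced bound."""
    _method, path, attack_args = parse_request(history[attack_index])
    vulnerable = {key for key, value in attack_args if len(value) > BUFFER_BYTES}
    bounds = {}
    for index, line in enumerate(history):
        if index == attack_index:
            continue
        _m, p, args = parse_request(line)
        if p != path:
            continue
        for key, value in args:
            if key in vulnerable:
                bounds[key] = max(bounds.get(key, 0), len(value))
    # A parameter never seen benignly falls back to the buffer size itself.
    return {"path": path,
            "max_len": {k: bounds.get(k, BUFFER_BYTES) for k in vulnerable}}


def blocked_by(rule, line):
    """Boundary filter: reject any request to the rule's object that carries
    an over-length value for a vulnerable parameter, whatever the bytes are."""
    _method, path, args = parse_request(line)
    if path != rule["path"]:
        return False
    return any(key in rule["max_len"] and len(value) > rule["max_len"][key]
               for key, value in args)


if __name__ == "__main__":
    found = learn_attack(HISTORY_LOG)
    rule = generalize_overflow(HISTORY_LOG, found[0])
    variant = "GET /cgi-bin/search?q=" + "B" * 300 + " HTTP/1.0"
    print("learned:", found[0], "rule:", rule)
    print("variant blocked:", blocked_by(rule, variant))
    print("benign blocked:", blocked_by(rule, HISTORY_LOG[1]))
```

The learned bound is deliberately tight (the longest benign value actually observed), which trades false positives for coverage; a practitioner would widen it toward the buffer size or require several benign observations before trusting it, since every legitimate request the filter rejects counts against the productivity-degradation budget the abstract mentions. The search also stops at the first violating request, which is exactly why it only covers single-stage attacks.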
