Project Name: ALPHATECH Light Autonomic Defense System
Customer: DARPA
ATO: Cyber Panel
Goals of Project
Automatically preserve system survivability at mission-critical nodes of a networked architecture in the face of malicious intrusive activity
- Protect local computing assets and buy time for higher-level security decisions
- Detect, diagnose, counter and recover from security intrusions at machine speeds
- aLADS orchestrates security assets to maximize long-term survivability
- Adaptive, intelligent tradeoff between host security, functionality and performance
- Detect and respond to known and unknown attacks
- Minimize the rate of incorrect response in the presence of sensor false alarms
Key Technologies
Technical Approach: Real-time stochastic feedback control - combines advances in high-assurance architecture, stochastic control, real-time computing, and optimization.
Theory: We cast the problem of intrusion detection and response management as large-scale sequential decision making under uncertainty with real-time computational requirements.
- Model-based stochastic control and mathematical optimization
- Stochastic control formulation
- Model-based problem definition explicitly incorporates uncertainty in attacks, sensors, and responses
Practice: Complex software integration with real-time, low-overhead operational requirements
- Embedded architecture and experimentally-driven design
On-line implementation features a real-time computation architecture:
- Sensor-driven recursive estimator
- Estimate-driven response selector
- Stored models and courses of action (control policies)
Off-line design/evaluation features a systematic empirical methodology:
- Experiment-driven model development
- Optimization-driven COA generation
Key Product
A prototype host-based autonomic defense system that protects Linux servers, using CylantSecure (a suite of operating system-based anomaly detection sensors), a Partially Observable Markov Decision Process-based real-time controller consisting of a sensor-driven recursive state estimator and an estimate-driven response selector, and a variety of system controls. Results include the ability to:
- Defend, with subsecond response times, a Linux-based web server from Internet worm attacks, including previously unknown attacks;
- Discriminate between different stages of a multi-stage attack and pick weak attack signals out of noise via correlation of different sensor streams;
- Improve state estimation and subsequent response effectiveness via the integrated management of sensors and actuators;
- Remediate the "base rate fallacy problem" through a substantial decrease in the rate of unnecessary control relative to static response policies;
- Configure response policies to reflect desired security outcomes (survivability properties of the system).
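The controller structure described under Key Technologies and Key Product (a sensor-driven recursive state estimator feeding an estimate-driven response selector, and the resulting reduction in unnecessary responses compared with a static policy) can be shown in miniature. The following is an added example, not aLADS or CylantSecure code: the three hidden states, the transition and sensor models, the cost table and the seven-tick sensor stream are all constructed, and the response selector minimizes one-step expected cost (a myopic stand-in for an optimized POMDP course of action).

```python
"""Toy autonomic defense loop: sensor-driven recursive belief estimator plus
estimate-driven response selector. Added example, not aLADS/CylantSecure code;
every model, cost and sensor reading below is constructed for illustration."""
from typing import Dict, List, Tuple

STATES = ("normal", "probe", "exploit")    # hidden host condition (constructed)
ACTIONS = ("none", "throttle", "restore")  # candidate responses (constructed)
SENSORS = ("net", "proc")                  # two anomaly sensor streams (constructed)

# P(next state | current state, action), rows/cols in STATES order. Constructed:
# "restore" (kill and rebuild the service) almost surely returns the host to normal.
TRANSITIONS: Dict[str, List[List[float]]] = {
    "none":     [[0.97, 0.03, 0.00], [0.10, 0.70, 0.20], [0.05, 0.05, 0.90]],
    "throttle": [[0.97, 0.03, 0.00], [0.40, 0.50, 0.10], [0.10, 0.20, 0.70]],
    "restore":  [[1.00, 0.00, 0.00], [0.95, 0.05, 0.00], [0.95, 0.05, 0.00]],
}

# P(sensor alarm | state) in STATES order. The first entry of each row is the
# false-alarm rate in the normal state; the net sensor fires early (probe stage),
# the process sensor fires late (exploit stage). Constructed values.
ALARM_PROB: Dict[str, Tuple[float, float, float]] = {
    "net":  (0.05, 0.80, 0.60),
    "proc": (0.02, 0.10, 0.90),
}

# One-step cost c(action, state) in STATES order. Constructed: responding while
# the host is normal costs availability; not responding while exploited costs
# far more (damage), which is what makes a late "restore" worth its price.
COST: Dict[str, Tuple[float, float, float]] = {
    "none":     (0.0, 2.0, 20.0),
    "throttle": (1.0, 1.0, 10.0),
    "restore":  (5.0, 2.0, 2.0),
}

Belief = Tuple[float, float, float]
Observation = Dict[str, bool]  # sensor name -> alarm raised this tick?


def predict(belief: Belief, action: str) -> Belief:
    """Time update: push the belief through the transition model of the last action."""
    t = TRANSITIONS[action]
    return tuple(sum(belief[i] * t[i][j] for i in range(3)) for j in range(3))


def likelihood(obs: Observation, state: int) -> float:
    """P(this tick's readings | state); sensors treated as conditionally independent."""
    lik = 1.0
    for sensor in SENSORS:
        p = ALARM_PROB[sensor][state]
        lik *= p if obs[sensor] else 1.0 - p
    return lik


def update(belief: Belief, obs: Observation) -> Belief:
    """Measurement update (Bayes rule): weight each state by how well it explains the readings."""
    unnorm = [belief[j] * likelihood(obs, j) for j in range(3)]
    z = sum(unnorm)
    return tuple(u / z for u in unnorm)


def select_response(belief: Belief) -> str:
    """Estimate-driven selector: the action with least expected one-step cost."""
    expected = {a: sum(belief[j] * COST[a][j] for j in range(3)) for a in ACTIONS}
    return min(expected, key=expected.get)


def run_controller(observations: List[Observation]) -> List[Tuple[Belief, str]]:
    """Closed loop: predict with the last action, update with sensors, choose next action."""
    belief: Belief = (1.0, 0.0, 0.0)  # prior: host starts in the normal state
    action = "none"
    trace = []
    for obs in observations:
        belief = update(predict(belief, action), obs)
        action = select_response(belief)
        trace.append((belief, action))
    return trace


def static_policy(observations: List[Observation]) -> List[str]:
    """Baseline static response policy: restore on any alarm from any sensor."""
    return ["restore" if obs["net"] or obs["proc"] else "none" for obs in observations]


def unnecessary_responses(actions: List[str], truth: List[str]) -> int:
    """Count responses issued while the (constructed) ground-truth state was normal."""
    return sum(1 for a, s in zip(actions, truth) if a != "none" and s == "normal")


# Constructed seven-tick sensor stream with ground truth: one isolated net false
# alarm at tick 1, then a two-stage attack (probe at ticks 3-4, exploit at tick 5).
SAMPLE_STREAM: List[Tuple[Observation, str]] = [
    ({"net": False, "proc": False}, "normal"),
    ({"net": True,  "proc": False}, "normal"),   # sensor false alarm
    ({"net": False, "proc": False}, "normal"),
    ({"net": True,  "proc": False}, "probe"),
    ({"net": True,  "proc": False}, "probe"),
    ({"net": True,  "proc": True},  "exploit"),  # both streams now correlate
    ({"net": False, "proc": False}, "normal"),   # host restored
]

if __name__ == "__main__":
    obs = [o for o, _ in SAMPLE_STREAM]
    truth = [s for _, s in SAMPLE_STREAM]
    trace = run_controller(obs)
    for (belief, action), o in zip(trace, obs):
        print(f"{str(o):40s} belief={[round(b, 3) for b in belief]} -> {action}")
    print("unnecessary responses, belief-driven:", unnecessary_responses([a for _, a in trace], truth))
    print("unnecessary responses, static policy:", unnecessary_responses(static_policy(obs), truth))
```

Run directly to print the belief trajectory. The static baseline restores the service on every alarm, including the isolated false alarm at tick 1, whereas the belief-driven loop stays quiet on that single reading, throttles once a second network alarm arrives close behind it, and escalates to restore only when the process sensor corroborates the network sensor; after the restore the belief returns to normal and the loop stands down. The correlation across sensor streams and the cost asymmetry are what let the estimator distinguish attack stages and avoid responding to noise.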
Key aLADS components:
- CylantSecure anomaly detection suite [4]: operating system-level, behavior-based anomaly detection; provides real-time reporting of anomalous network, process, and kernel activity
- aLADS Workbench: supports data collection and experimentation
  - Design mode: sensor calibration, representative normal/attack data generation tools
  - Test mode: emulated normal/attack data generation tools, controller validation
- aLADS Simulator: evaluates alternate control policies and information assurance architectures
  - Analysis tools: extract statistical models, assess observability/controllability properties
  - Design tools: generate optimized Courses of Action, assess survivability properties
- aLADS Prototypes: demonstrate operational concept and feasibility
  - Automated, subsecond protection of a Linux-based web server from Internet worm attacks
  - Automated, subsecond protection of Java-based applications from (e.g.) insider misuse
  - aLADS prototype components: sensors, controller, actuators

[1] O. Kreidl and T. Frazier, "Feedback Control Applied to Survivability: a Host-Based Autonomic Defense System", IEEE Transactions on Reliability, Vol. 52, No. 3, September 2003.
[2] D. Armstrong, S. Carter, G. Frazier, and T. Frazier, "Autonomic Defense: Thwarting Automated Attacks through Real-time Feedback Control", to be submitted to DISCEX-3.
[3] T. Frazier, G. Frazier, S. Carter, and D. Armstrong, "Reconfiguration and Adaptation of Security Policies for Autonomic Defense Systems", Workshop on Adaptive and Resilient Defense of Computer Networks, Santa Fe Institute, October 2002.
[4] CylantSecure is owned by and is available from Software Systems International, Cylant Division, http://www.cylant.com/. The CylantSecure source code base is co-owned with the Advanced Computing Group at ALPHATECH, Arlington Division.
This work was supported in part by the Defense Advanced Research Projects Agency and the Space and Naval Warfare Systems Center - San Diego under Contract No. N66001-00-C-8030.