Detection Group Day 2

Transcript Detection Group Day 2

Intrusion Tolerant Systems Workshop: Anomaly Detection Group
Group Chair: Roy Maxion
October 5-6, 1999
Williamsburg, VA

Group’s charter and response

• Can FT techniques be adapted to intrusion tolerance?
– Yes
• Does the use of these techniques introduce additional vulnerabilities that can be exploited by attackers?
– Sometimes, but not always
• How can these additional vulnerabilities be countered?
– Introduce randomness and redundancy
– Use watchdog timers
– Early warning indicators
– Data mining offline
– Collect data slowly
– Trend analysis
– Identify the right problem
Boundaries of ITS program

• Use existing intrusion detection components, including low-level correlators
• Explore error-detection techniques
• Explore automated tolerance methods
• Explore correlation logic based on error detection and intrusion detection reports
• Deliver reports to an automated situation-assessment component (Cathy)
Goals

• Maintain shorter decision cycle than adversary
• Keep the system running despite attack

Stages of attack (& responses)

• Surveillance (trend analysis, early detection)
• Blitz (detect, tolerate, respond to, survive)
• Aftermath (attacker attempts to hide his tracks)

Stages of response

• Detect
• Assess
• React

Detection

• Out-of-band monitors and co-processors
• From outside (e.g. IDS program)
• From internal monitors
– Anomaly detection on local resources, QoS violations, etc.
– Heartbeats
– Tripwires / self-test
– Application-specific (including OS) checks for timing, data, and control flow
Situation assessment

• Need models of attacks, missions, system resources
• Predict near-future outcomes, guard against them
• Report conditions to higher level (Cathy)

React

• Decide how to tolerate attack
– Pre-planned
– Adaptive
– Use of sparing, redundancy, forward/backward recovery
• Use fault tolerance techniques to enhance survivability
• Respond based on a (dynamic) policy
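As an added illustration of the Detection and React stages listed above (example code written for this page, not material from the workshop): an out-of-band heartbeat watchdog that treats a beat arriving far outside its recent timing baseline as an early-warning indicator, declares the component lost after a grace period, and maps each verdict to a pre-planned response. The HeartbeatWatchdog class, the POLICY table and the heartbeat timeline are constructed assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List, Optional
# Pre-planned response table (constructed for this example), keyed by verdict.
POLICY = {"ok": "none", "timing-anomaly": "raise-early-warning", "lost": "failover-to-spare"}

@dataclass
class HeartbeatWatchdog:
    """Out-of-band watchdog for one monitored component (hypothetical class)."""
    period: float            # expected heartbeat interval in seconds
    grace: int = 3           # missed periods before the component is declared lost
    window: int = 8          # recent intervals kept as the timing baseline
    intervals: List[float] = field(default_factory=list)
    last_seen: Optional[float] = None
    def heartbeat(self, t: float) -> str:
        """Record a heartbeat at time t; returns 'ok' or 'timing-anomaly'."""
        verdict = "ok"
        if self.last_seen is not None:
            gap = t - self.last_seen
            verdict = self._assess(gap)
            self.intervals.append(gap)
            del self.intervals[:-self.window]  # keep only the recent window
        self.last_seen = t
        return verdict
    def check(self, now: float) -> str:
        """Watchdog tick; 'lost' once more than `grace` periods pass with no beat."""
        if self.last_seen is not None and now - self.last_seen > self.grace * self.period:
            return "lost"
        return "ok"
    def _assess(self, gap: float) -> str:
        # Trend analysis: a gap far from the recent baseline is an early-warning
        # indicator (timing/QoS violation) before any heartbeat is actually missed.
        if len(self.intervals) >= 4:
            mu, sd = mean(self.intervals), pstdev(self.intervals)
            if abs(gap - mu) > max(3 * sd, 0.25 * self.period):
                return "timing-anomaly"
        return "ok"

def react(verdict: str) -> str:
    """Assess -> React: look up the pre-planned response for a verdict."""
    return POLICY[verdict]

def run_scenario() -> dict:
    """Constructed timeline: six regular beats, one late beat, then silence."""
    wd = HeartbeatWatchdog(period=1.0)
    beats = [wd.heartbeat(t) for t in (0.0, 1.0, 2.0, 3.0, 4.0, 5.0, 7.5)]
    return {"beats": beats, "at_9": wd.check(9.0), "at_12": wd.check(12.0),
            "action": react(wd.check(12.0))}
```

The late beat at t=7.5 is flagged as a timing anomaly while the component is still alive; only after more than three silent periods does the watchdog escalate to the failover response.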

Ideas for intrusion-tolerant architecture

• Integrity checking of critical files; compensate for unexpected events
• Out-of-band monitor for audit data
• Out-of-band processing/mining/trend analysis of audit data
• Enhancing the survivability of sensors – who is monitoring the monitor, hard core (countering the added vulnerabilities)

Evaluation (incremental and operational)

• Incremental - marks progress
– Metrics
– Experiments
– Simulations
– Benchmarks
– Fault injection
– Taxonomy
• Operational - aids on-line decision
– Metrics
– Benchmarks
– Experiments
– Simulation
– Analytical methods - formal methods