Franklin Webber

Adaptive cyberdefense for survival and intrusion tolerance

While providing some resistance against cyberattacks, current approaches to securing networked and distributed information systems are mainly concerned with static prevention measures. For example, signature-based systems can only detect known attacks and tend to provide brittle, all-or-nothing protection. New work in survivability and intrusion tolerance focuses on augmenting existing information systems with adaptive defenses. A middleware-based survivability toolkit lets applications use network-and host-based mechanisms in their own defense.

Survivability architecture of a mission critical system: the DPASA example

Many techniques and mechanisms exist today, some COTS, others less mature research products that can be used to deflect, detect, or even recover from specific types of cyber attacks. None of them individually is sufficient to provide an all around defense for a mission critical distributed system. A mission critical system must operate despite sustained attacks throughout the mission cycle, which in the case of military systems, can range from hours to days. A comprehensive survivability architecture, where individual security tools and defense mechanisms are used as building blocks, is required to achieve this level of survivability. We have recently designed a survivability architecture, which combined elements of protection, detection, and adaptive reaction; and applied it to a DoD information system. The resulting defense-enabled system was first evaluated internally, and then deployed for external Red Team exercise. In this paper we describe the survivability architecture of the system, and explain the rationale that motivated the design

Open implementation toolkit for building survivable applications

We consider two aspects of survivability namely survival by adaptation and survival by protection. We show how the quality objects (QuO) distributed adaptive middleware framework enables us to introduce these aspects of survivability in a flexible and systematic manner. We describe a toolkit for developing adaptive applications and demonstrate how more survivable applications can be built using the toolkit.

An architecture for adaptive intrusion‐tolerant applications

Applications that are part of a mission‐critical information system need to maintain a usable level of key services through ongoing cyber‐attacks. In addition to the well‐publicized denial of service (DoS) attacks, these networked and distributed applications are increasingly threatened by sophisticated attacks that attempt to corrupt system components and violate service integrity. While various approaches have been explored to deal with DoS attacks, corruption‐inducing attacks remain largely unaddressed. We have developed a collection of mechanisms based on redundancy, Byzantine fault tolerance, and adaptive middleware that help distributed, object‐based applications tolerate corruption‐inducing attacks. In this paper, we present the ITUA architecture, which integrates these mechanisms in a framework for auto‐adaptive intrusion‐tolerant systems, and we describe our experience in using the technology to defend a critical application that is part of a larger avionics system as an example. We also motivate the adaptive responses that are key to intrusion tolerance, and explain the use of the ITUA architecture to support them in an architectural framework. Copyright

Using a Cognitive Architecture to Automate Cyberdefense Reasoning

The CSISM project is designing and implementing an automated cyberdefense decision-making mechanism with expert-level ability. CSISM interprets alerts and observations and takes defensive actions to try to ensure the survivability of the computing capability of the network. The project goal is a difficult one: to produce expert-level response in realtime with uncertain and incomplete information. Our approach is to emulate human reasoning and learning abilities by using a cognitive architecture to embody the reasoning of human cyberdefense experts. This paper focuses on the cognitive reasoning component of CSISM.

Trust Assessment from Observed Behavior: Toward and Essential Service for Trusted Network Computing

Modern distributed information systems handle increasingly critical data and computation, but there is no systematic way to assess whether a given part of the system can be entrusted with such data and computation on a continuous basis. In a highly interconnected networked environment, components with varying levels of trustworthiness must interact with each other. Occurrence and spread of attack induced failure imply that hosts once trusted cannot remain equally trusted all the time. System components and human operators can benefit from a scheme that assesses the trustworthiness of hosts i.e., the confidence that individual hosts are not corrupt, on a continuous basis by adjusting and adapting their behavior when a hosts trustworthiness diminishes. In this work in progress report we present an accusation based trust assessment scheme

Anomaly and Specification Based Cognitive Approach for Mission-Level Detection and Response

In 2005 a survivable system we built was subjected to red-team evaluation. Analyzing, interpreting, and responding to the defense mechanism reports took a room of developers. In May 2008 we took part in another red-team exercise. During this exercise an autonomous reasoning engine took the place of the room of developers. Our reasoning engine uses anomaly and specification-based approaches to autonomously decide if system and mission availability is in jeopardy, and take necessary corrective actions. This extended abstract presents a brief summary of the reasoning capability we developed: how it categorizes the data into an internal representation and how it uses deductive and coherence based reasoning to decide whether a response is warranted.

An abstract interface for cyber-defense mechanisms

Defending a computer system against malicious attack depends on making many different defense mechanisms work together. In addition to protecting against intrusions, these mechanisms should provide intrusion detection and response. The semantics of input and output for these mechanisms -- what the alert from an intrusion detector means, and the implications of issuing a command in response -- can vary greatly from one mechanism to another. In this paper, we discuss the abstract interface we have developed for integrating various defense mechanisms to defend a distributed application. Our interface is more than an API: it defines not only the syntax of communication with defense mechanisms but also its meaning, thus allowing us to reason systematically about the state of attack and defense. We briefly describe our current work toward automating that reasoning and thus toward applications that defend themselves intelligently and automatically. We also argue that reasoning about attack and defense at an abstract level allows one to model and analyze whether the defense is effective.

Adaptive use of network-centric mechanisms in cyber-defense

Attacks against distributed systems frequently start at the network layer by gathering network related information (such as open TCP ports) and continue on by exhausting resources, or abusing protocols. Defending against network-based attacks is a major focus area in the APOD (Application That Participate in Their Own Defense) project, which set out to develop technologies that increase an applications resilience against cyber attacks. This paper gives an overview of APODs current set of network-level defenses. Specific network-based defense mechanisms are described first, followed by a discussion on how to use them in local defensive behavior. Defense strategies, which specify coordinated defensive behavior across a distributed system, are discussed next, followed by results from initial experimental evaluation.

Protecting Applications Against Malice Using Adaptive Middleware

A distributed application can be given increased resistance to certain types of malicious behavior, even when the environment in which it is operating contains untrustworthy elements. Recent trends in protecting applications use operating systems as only the first layer of security, anticipating that this layer may be breached. Another layer is added to react to and repair the damage done by intruders that succeed in breaching the first layer. A promising approach to designing the second layer of protection uses adaptive middleware to enable agile behavior and to coordinate protective responses across the distributed system, even in resource-depleted environments. This new approach to protection complements more traditional approaches — in which only one layer of security is used — by hardening critical components at multiple system levels. When integrated effectively, this multi-level approach makes it harder for intruders to corrupt or disable distributed systems and applications.