
Automated Intrusion Response Project

Automated Intrusion Response Project. Ivan Balepin, Karl Levitt UC Davis Computer Security Lab. Why Study Automated Response?. Immediate: contain the attack quickly Kill the offending process Slow down the attacker Roll back to a safe state, etc. Cleanup - needs to be done carefully


Presentation Transcript


  1. Automated Intrusion Response Project. Ivan Balepin, Karl Levitt, UC Davis Computer Security Lab

  2. Why Study Automated Response?
  • Immediate: contain the attack quickly
    • Kill the offending process
    • Slow down the attacker
    • Roll back to a safe state, etc.
  • Cleanup - needs to be done carefully
    • Weighing cost of response against potential attack damage
    • High cost of false positives – can be used for DoS attacks
  • Prevent the same attack from happening on this system
  • Report the attack to other security systems (firewalls, IDSs, JIGSAW, HACQIT, etc.)
  • Long term: generalize the attack and warn others
    • Synthesize an attack signature and report it.
    • Deceive and study the attacker.

  3. Example: Responses to open()
  • Autonomic Responses:
    • not open
    • lock the file
    • delete the file
    • kill the process(es)
    • alert
  • Complex Responses:
    • start a combination of response actions
    • start checkpointing
    • change permissions
    • reboot the system
    • block the user
    • slow down the process(es)
    • roll back
    • return a random result
    • perform a random action
    • operate on a fake file

  4. Sample Responses

  5. Categorizing Response
  • Areas a Response Action Affects:
    • Data Integrity: deleting files, killing the process, etc.
    • Confidentiality: changing permissions, etc.
    • Availability: slowing down a process, disabling certain calls, etc.
  • Level of a Response Action:
    • Single process
    • Group of Processes
    • User
    • Group
    • System
    • Network

  6–11. Example: Selecting the Response (one diagram, built up over slides 6–11)
  Slide 6 shows several Systems, each monitored by its own Spec-Based IDS, all reporting to a single Response Broker. Slides 7–11 add the following labels one step at a time; the broker takes the Incident and the System Data as input, checks them against the Security Principles (Integrity, Confidentiality), and its outputs are Respond and Preserve.
  • Incident Data (from the Spec-Based IDS):
    • Resources involved
    • Specs violated
    • Suggested responses
  • System Data:
    • Resource ownership
    • Level of threat, etc.
  • Which Responses Satisfy our Rules?
    • Integrity
    • Confidentiality
  • Pick the Least Costly One
    • Look at the whole chain
    • Estimate resources used: level hierarchy
  • …or Pick the Least Costly Way to Preserve
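The broker's selection step (filter the IDS-suggested responses by the security principles, then pick the least costly chain using the level hierarchy), as an added example in Python that is not code from the project. The candidate responses are the open() responses of slide 3 and the principle each one degrades follows slide 5; the level names, the cost weights and the sample incident are assumptions of this example.

```python
from dataclasses import dataclass

# Level hierarchy from slide 5, narrowest scope first. The weights used below
# (10 per level step, +1 per principle degraded) are an assumption of this example.
LEVELS = ("process", "process_group", "user", "group", "system", "network")

@dataclass(frozen=True)
class Action:
    name: str
    level: str           # one of LEVELS
    affects: frozenset   # security principles this action itself degrades

def action_cost(action: Action) -> int:
    """Estimate resources used: rank in the level hierarchy plus a small
    penalty for every principle the action degrades."""
    return LEVELS.index(action.level) * 10 + len(action.affects)

def chain_cost(chain: tuple) -> int:
    """Look at the whole chain: a complex response is a sequence of actions."""
    return sum(action_cost(a) for a in chain)

def satisfies_rules(chain: tuple, rules: frozenset) -> bool:
    """A chain satisfies the rules if none of its actions degrades a protected principle."""
    return not any(a.affects & rules for a in chain)

def select_response(suggested: list, rules: frozenset):
    """Broker step: keep the IDS-suggested chains that satisfy the security
    principles, then pick the least costly one (None if nothing qualifies)."""
    candidates = [c for c in suggested if satisfies_rules(c, rules)]
    return min(candidates, key=chain_cost) if candidates else None

# Constructed incident: a process violated its spec by calling open() on a
# protected file. Candidate responses come from slide 3; the principle each
# one degrades follows slide 5 (availability assumed for the rest).
I, C, A = "integrity", "confidentiality", "availability"
SUGGESTED = [
    (Action("not open", "process", frozenset({A})),),
    (Action("delete the file", "system", frozenset({I})),),
    (Action("kill the process", "process", frozenset({I})),),
    (Action("change permissions", "system", frozenset({C})),),
    (Action("start checkpointing", "system", frozenset()),
     Action("block the user", "user", frozenset({A}))),
    (Action("reboot the system", "system", frozenset({A})),),
]

if __name__ == "__main__":
    chosen = select_response(SUGGESTED, frozenset({I, C}))
    print([a.name for a in chosen], chain_cost(chosen))  # ['not open'] 1
```

Protecting integrity and confidentiality rules out deleting the file, killing the process and changing permissions, and the cheapest remaining chain is the process-level refusal of the open() call.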

  12. Response: Project Plan
  • Current progress
    • Defined the problem and the scope of study
    • Initial experiments with spec-based IDSs: hard-coding response
    • Developing response hierarchy
    • Web page: http://wwwcsif.cs.ucdavis.edu/~balepin
  • Work to be done
    • Formalizing response model
    • Implementing response on a spec-based IDS
    • Testing and evaluating performance
    • Applying response model to other systems
