PhD Candidacy Exam: Host and Network Defense Systems For Intrusion Reaction

Michael E. Locasto
[email protected]
522 CSB
Department of Computer Science
Columbia University
New York, NY 10027

November 7, 2004

Abstract

The focus of this candidacy exam is the investigation of the state of the art in intrusion reaction systems. Intrusion reaction, the design and careful selection of mechanisms to automatically respond to network attacks, has recently received an amount of attention that rivals its equally difficult sibling, intrusion detection. Response systems vary from the low-tech (manually shut down misbehaving machines) to the highly ambitious (on-the-fly "vaccination", validation, and replacement of infected software). In the middle lies a wide variety of practical techniques, promising technology, and nascent research.

1 Purpose

"The candidacy exam certifies that the student has demonstrated a depth of scholarship in the literature and the methods of the student's chosen area of research, and has demonstrated a facility with the scholarly skills of critical evaluation and verbal expression." (http://lenox.psl.cs.columbia.edu/phdczar/candidacy.html)

The tentative date for the exam is 30 November 2004.

2 Candidate Research Area Statement

Intrusion reaction is the careful, rational, and automatic selection of an appropriate response to the threat or event of system penetration or subversion. This ability is predicated on the availability of a trusted computing base in hosts and networks: an uncorrupted environment in which recovery actions can execute.

Intrusion reaction (IR) has been given less attention than it deserves due to several critical issues. First, the limits of detection technology have historically mandated that the shortcomings of intrusion detection (false positives, fail-open nature, performance) be addressed before a reaction can take place; an attack must be detected before any response can be mounted. Second, many system administrators and policy coordinators are understandably hesitant about transferring control of the network and host systems to a machine, even though (and perhaps because) a machine can react orders of magnitude faster than a human system administrator. Third, most reaction systems are not advanced enough to respond intelligently to attacks.

For example, a simple response system is a packet-filter firewall that dynamically updates its rule base to close off certain ports in response to attack traffic recognized by an IDS (see http://www.mcafeesecurity.com/us/_tier2/products/_media/mcafee/ds_intrushieldidssensor.pdf). A system with this mechanism at its core is proposed in [41]. Even this straightforward model has its limitations: simple source address spoofing can result in denying service to legitimate sites, and other TCP tricks can bypass the response mechanism (see http://www.securityfocus.com/infocus/1540). Another protection mechanism is based on intercepting patterns of system calls. McAfee is marketing a product that employs this technology (see http://www.mcafeesecurity.com/us/products/mcafee/host_ips/standard_edition.htm).

3 Faculty Candidacy Committee Members

The candidate respectfully solicits the guidance and expertise of the following faculty members and welcomes suggestions for other important papers and publications in the exam research area.

1. Angelos Keromytis
2. Sal Stolfo
3. JI

4 Exam Scope and Structure

The scope of this exam is narrowly focused on state-of-the-art mechanisms that provide a basis for flexible and correct reaction to attacks or system subversion. The unifying theme of the systems in this study is that they contain or describe a mechanism that can automatically nullify or mitigate the effects of an attack or exploit during runtime. Most of these systems can accomplish this response without previous knowledge of an exploit or particular vulnerability. We acknowledge that these systems have as their primary goal service and system survivability. There is a rich literature on redundancy and diversity to support system survivability, but the focus of this collection is on systems that recognize attacks and adapt at runtime.

Furthermore, the focus of this exam is not on methods of validation or verification of responses and reconfigured systems, nor does it examine the extensive literature on replication and fault tolerance. The closest "verification" papers are Demsky's data structure repair [14], Naldurg's dynamic access control policy [28], and Kreidl's feedback control [26].

The following papers are listed in groupings by title with both an abstract and a reference to the full citation in the attached bibliography.

4.1 Background Material

1. How Re(Pro)active Should an IDS Be? [31]

Abstract: The classical security paradigm of Protect, Detect, React has traditionally been applied to the field of information security with Firewalls taking on the role of protection while detection is handled by Intrusion Detection Systems (IDS). This admittedly simplistic picture leaves open two questions: who or what should react? and how?

2. Intrusion Reaction: Recommendations for Obtaining Reaction Capabilities [27]

Abstract: The Command and Control (C2) Protect Mission-Oriented Investigation & Experimentation (MOIE) Project, sponsored by the Air Force, develops and promulgates resources to counter information warfare (IW) threats to military C2 computer networks. This report has been produced by the Intrusion Reaction task of the project. A growing threat to Air Force networks and computers is exploitative intrusion activity. One technological countermeasure to exploitative intrusion activity is intrusion reaction capability. But intrusion detection and reaction (IDR) systems in operation today do not provide a number of reaction features that might materially help the Air Force protect its networks and computers. This report develops a profile of such features. It recommends areas where the Air Force can make effective investments in research, development, and investigation of intrusion reaction capabilities that can improve IDR systems.

3. Intrusion Detection and Isolation Protocol: Automated Response to Attacks [41]

Abstract: With current intrusion detection technology, it is possible to detect attacks in real time. Typically, when an IDS system is triggered, a human operator is notified. The system is then adjusted manually in response to the intrusion. Many types of attacks, however, can only be thwarted if the response is quick.