Host and Network Defense Systems For Intrusion Reaction

Ph.D. Candidacy Exam

Michael Locasto
522 CSB
Department of Computer Science
Columbia University
New York, NY 10027

Abstract

The focus of this candidacy exam is the investigation of the state of the art in intrusion reaction systems. Intrusion reaction, the design and careful selection of mechanisms that automatically respond to network attacks, has recently received attention rivaling that given to its equally difficult sibling, intrusion detection. Response systems range from the low-tech (manually shutting down misbehaving machines) to the highly ambitious (on-the-fly "vaccination", validation, and replacement of infected software). In between lies a wide variety of practical techniques, promising technology, and nascent research.

Files

You should read the PDF version of this candidacy exam proposal, as this web page is just a collection of the information relevant to the exam.

A Bibtex bibliography file of the papers is available.

The presentation is available in both PDF and OpenOffice SXI (Impress) formats.

Committee

Paper List

Papers were chosen because they cover the theory or practice of current defense and reaction systems, provide infrastructure on which such a system could be built, or give background on these systems.

Background Material

  1. How Re(Pro)active Should an IDS Be? (Richard Overill)
  2. Intrusion Reaction: Recommendations for Obtaining Reaction Capabilities (Leonard J. LaPadula)
  3. Intrusion Detection and Isolation Protocol: Automated Response to Attacks (Jeff Rowe et al.)
  4. The Proactive Security Toolkit and Applications (Boaz Barak et al.)
  5. A Holistic Approach to Service Survivability (Keromytis et al.)
  6. Architecture for an Artificial Immune System (Steven Hofmeyr and Stephanie Forrest)
  7. Inoculating Software for Survivability (Anup K. Ghosh and Jeffrey M. Voas)
  8. Crash-Only Software (George Candea and Armando Fox)
  9. Building Diverse Computer Systems (Stephanie Forrest, Anil Somayaji, David Ackley)
  10. Feedback Control Applied to Survivability: A Host-Based Autonomic Defense System (O. Patrick Kreidl and Tiffany M. Frazier)

On Host Defense Systems

  1. Improving Host Security with System Call Policies (Niels Provos)
  2. Automated Response Using System-Call Delays (Anil Somayaji and Stephanie Forrest)
  3. Using Specification-Based Intrusion Detection for Automated Response (Ivan Balepin et al.)
  4. Operating System Stability and Security through Process Homeostasis (Anil Buntwal Somayaji) [PhD thesis]
  5. Automatic Data Structure Repair for Self-Healing Services (Brian Demsky and Martin Rinard)
  6. Enhancing Server Availability and Security Through Failure-Oblivious Computing (Martin Rinard et al.)
  7. Continual Repair for Windows Using the Event Log (James Reynolds and Lawrence Clough) [forthcoming]
  8. Secure Execution Via Program Shepherding (Vladimir Kiriansky, Derek Bruening, Saman Amarasinghe)
  9. Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits (Helen Wang et al.)
  10. AngeL: a tool to disarm computer systems (Danilo Bruschi and Emilia Rosti)
  11. Access Control Based on Execution History (Martin Abadi and Cedric Fournet)

On Network Defense Systems

  1. A Network Worm Vaccine Architecture (Stelios Sidiroglou and Angelos Keromytis)
  2. An Automated Defense System to Counter Internet Worms (Riccardo Scandariato and John C. Knight)
  3. A Hybrid Quarantine Defense (Phillip Porras et al.)
  4. On Achieving Software Diversity for Improved Network Security Using Distributed Coloring Algorithms (Adam J. O'Donnell and Harish Sethu)
  5. Implementing Pushback: Router-Based Defense Against DDoS Attacks (John Ioannidis and Steven M. Bellovin)
  6. Tracing Based Active Intrusion Response (X. Wang, D. Reeves, S.F. Wu)
  7. Dynamic Access Control: Preserving Safety and Trust for Network Defense Operations (Prasad Naldurg and Roy H. Campbell)
  8. Anomalous Payload-based Network Intrusion Detection (Ke Wang and Sal Stolfo)
  9. Adaptive Use of Network-Centric Mechanisms in Cyber Defense (Michael Atighetchi, Partha Pal, et al.)
  10. On-Line Intrusion Detection and Attack Prevention Using Diversity, Generate-and-Test, and Generalization (James C. Reynolds, James Just, Larry Clough, and Ryan Maglich)

Other Work

These papers are not necessarily part of the candidacy exam. They are alternate versions of work summarized by a paper in the lists above, supporting material on the area in general, or further reading on the subject. They were considered for the main list but set aside because another paper already covered or summarized the particular topic; they are included here for completeness.

Background on Automated Response and Intrusion Tolerance

  1. Adaptation Techniques for Intrusion Detection and Intrusion Response Systems (Ragsdale, Carver, Humphries, Pooch)
  2. http://www.securityfocus.com/infocus/1540
  3. Strike Back: Offensive Actions in Information Warfare (Donald Welch et al.)
  4. Intrusion-detection for incident-response, using a military battlefield-intelligence process (J. Yuill, S.F. Wu, et al.)
  5. Intrusion Tolerant Systems (Partha Pal et al.)
  6. Intrusion Detection, Diagnosis, and Recovery with Self-Securing Storage (John D. Strunk et al.)
  7. NIDAR: The Design and Implementation of an Intrusion Detection System (Tan Yong Tai et al.)
  8. Micael: An Autonomous Mobile Agent System to Protect New Generation Networked Applications (Queiroz et al.)
  9. Survival by Defense-Enabling (Partha Pal et al.)

Computer Immunology

  1. Internet Quarantine: Requirements for Containing Self-Propagating Code (David Moore, Colleen Shannon, G. M. Voelker, S. Savage)
  2. A Hybrid IDS Architecture Based on the Immune System (Marcelo Reis et al.)
  3. Principles of a Computer Immune System (Anil Somayaji, Steven Hofmeyr, Stephanie Forrest)
  4. Computer Immunology (Stephanie Forrest, Steven Hofmeyr, Anil Somayaji)
  5. The Human Immune System and Network Intrusion Detection (Jungwon Kim and Peter Bentley)
  6. A Cooperative Immunization System for an Untrusting Internet (Anagnostakis, Greenwald, Ioannidis, Keromytis, Li)
  7. Cooperative Response Strategies for Large Scale Attack Mitigation (D. Nojiri, J. Rowe, K. Levitt)

System Call Interposition and Sandboxes

  1. Hardening COTS Software with Generic Software Wrappers (Timothy Fraser, Lee Badger, Mark Feldman)
  2. Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools (Tal Garfinkel)
  3. Synthesizing Fast Intrusion Prevention/Detection Systems from High-Level Specifications (R. Sekar and P. Uppuluri)
  4. Detecting and Countering System Intrusions Using Software Wrappers (Calvin Ko et al.)
  5. Operating System Enhancements to Prevent the Misuse of System Calls (M. Bernaschi et al.)

Misc.

  1. A Binary Rewriting Defense Against Stack-based Buffer Overflow Attacks (Manish Prasad, Tzi-cker Chiueh)
  2. Bend, Don't Break: Using Reconfiguration to Achieve Survivability (Wolf et al.)
  3. Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits (Sandeep Bhatkar, D.C. DuVarney, R. Sekar)
  4. On the Effectiveness of Address-Space Randomization (H. Shacham et al.)
  5. Countering Code-Injection Attacks With Instruction-Set Randomization (Gaurav S. Kc, Angelos Keromytis, and Vassilis Prevelakis)
  6. Randomized Instruction Set Emulation to Disrupt Binary Code Injection Attacks (E. G. Barrantes et al.)
  7. SQLRand: Preventing SQL Injection Attacks (Stephen W. Boyd and Angelos Keromytis)
  8. Transparent Run-Time Defense Against Stack Smashing Attacks (Arash Baratloo et al.)