Project Title: Explaining and Recovering from Computer Break-ins

System Name: DERBI: Diagnosis, Explanation and Recovery from computer Break-Ins

A research project funded by the Information Survivability program (subprogram: "Survivability of Large Scale Systems") in the Information Technology Office (ITO) of DARPA under Information Systems Security Sol BAA95-15.

Program Managers:



One of the big obstacles to improving computer security is that too many SysAdmins (system administrators) do not attend to computer security issues until after their computers have been compromised. They then have to acquire and learn to use tools that will help them analyze the situation and recover from it, often under intense time pressure. In addition, properly interpreting the output of these tools may require a deeper understanding of the computer system and of computer security issues than can be expected of the typical SysAdmin. Thus, it is not surprising that the results often leave much to be desired.


To build a prototype computer security tool targeted at diagnosing and recovering from network-based break-ins. Our prototype will interact with the user, analyzing the break-in and advising on recovery. The technology adopted can handle multiple methods (often with different costs) of obtaining desired information, and can work around missing information. The prototype will not be an independent program, but will invoke and coordinate a suite of third-party computer security programs (COTS or public) and utility programs. A critical part of our tool will be the generation of a standardised report and an explanation of what it discovers and its path of reasoning and actions. The explanation will be produced for the user and the report sent to an organization that collects and coordinates security incident reports from a range of sites (e.g., CERT, ASSIST).


The key features of the prototype will be:


This project has been completed.

For a description of the results of the DARPA 1999 Off-line Intrusion Detection Evaluation, please see the MIT/Lincoln Lab DISCEX 2000 paper.

Project Quad Viewgraph (GIF, MS PowerPoint: 4.0 & 97, PostScript)

Project Staff

Principal Investigator: Dr. W. Mabry Tyson
AI Center, SRI International

Principal Team Members:
Dr. Pauline Berry, Artificial Intelligence Center, SRI
Dr. W. Mabry Tyson, Artificial Intelligence Center, SRI
Nate Williams, ???, SRI (Montana)

Previous Team Members:
Dr. Douglas Moran, Artificial Intelligence Center, SRI  (now at Recourse Technologies)
David Blei, Artificial Intelligence Center, SRI (now at UC Berkeley)
Jim Carpenter, Systems Technology Division, SRI
Ruth Lang, Systems Technology Division, SRI (now in the AI Center)

Additional Team Members:
Dr. John D. Lowrance, Artificial Intelligence Center, SRI
Dr. Karen L. Myers, Artificial Intelligence Center, SRI
Dr. Peter Neumann, Computer Science Laboratory, SRI
