Project Title: Explaining and Recovering from Computer Break-ins
System Name: DERBI: Diagnosis, Explanation and Recovery from computer Break-Ins
A research project funded by the Information Survivability program (subprogram: "Survivability of Large Scale Systems") in the Information Technology Office (ITO) of DARPA under Information Systems Security Sol BAA95-15.
Program Managers:
Background
One of the big obstacles to improving computer security is that too many
SysAdmins (system administrators) do not attend to computer security issues
until after their computers have been compromised. They then have to acquire
and learn to use tools that will help them analyze the situation and recover
from it, often under intense time pressure. In addition, properly interpreting
the output of these tools may require a deeper understanding of the computer
system and of computer security issues than can be expected of the typical
SysAdmin. Thus, it is not surprising that the results often leave much
to be desired.
Objectives
To build a prototype computer security tool that will be targeted at diagnosing
and recovering from network-based break-ins. Our prototype will interact
with the user analyzing the break-in and advising on recovery. The technology
adopted has the ability to handle multiple methods (often with different
costs) of obtaining desired information, and the ability to work around
missing information. The prototype will not be an independent program,
but will invoke and coordinate a suite of third-party computer security
programs (COTS or public) and utility programs. A critical part of our
tool will be the generation of a standardised report and an explanation
of what it discovers and its path of reasoning and actions. The explanation
will be produced for the user and the report sent to an organization that
collects and coordinates security incident reports from a range of sites
(e.g., CERT, ASSIST).
Approach
The key features of the prototype will be:
- A Reasoning System
The underlying technology for our prototype is the Procedural Reasoning
System (PRS). PRS allows knowledge of intrusion scenarios to be coded to
form a powerful abstraction of the intrusion side of the computer network
security problem. PRS is designed to operate in a changing environment,
and it combines goal-directed and reactive behavior. It pursues longer-range
goals while responding to alarms and changes in the environment. As events
change the system's database, new goals can be created and the current
goals may be temporarily or permanently preempted by these new ones.
- The Use of Third Party Programs
Existing programs (e.g. COPS) and utilities will be used to collect
data and otherwise probe the intruded system. Since new programs and improved
versions of existing programs appear periodically, we believe that it is
both impractical and undesirable to even try to replicate their capabilities.
We will create programs only when functionality is not readily available.
- Explanation and Reporting
The generation of explanations and reports is central to this tool.
The SysAdmin and any security oversight organization (e.g., ASSIST) need
to be made aware of what happened, both what is known and what is suspected.
In doing the diagnosis, the tool may produce multiple diagnoses of what
happened and ask the SysAdmin whether any of these should be discarded
or temporarily ignored. In the recovery phase, the SysAdmin will be presented
with suggested recovery actions and fixes for vulnerabilities. He needs
to understand the implications of making and not making the suggested changes
(informed consent).
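To make the three approach points concrete, here is a small Python sketch of a PRS-style reasoning loop. It is an added illustration, not DERBI's code and not the API of the Procedural Reasoning System: a belief database updated by tool output, goals ordered by urgency that can be preempted when new facts arrive, several data sources of different cost for the same information (falling back when one is missing), candidate diagnoses for the SysAdmin to keep or discard, and a step-by-step trace that serves as the explanation. The tool names and their outputs (lastlog, wtmp, COPS, ps, a baseline check) are constructed stand-ins, not real program output.

```python
"""PRS-style diagnosis loop (added illustration; not DERBI or PRS code)."""
from dataclasses import dataclass, field
import heapq
import itertools

# Constructed stand-ins for third-party tool output. None = information missing
# (e.g. a wiped log), which the loop works around by trying the next source.
SAMPLE_LASTLOG = None
SAMPLE_WTMP = {"last_login": "root from 10.0.0.9 (constructed)"}
SAMPLE_COPS = {"setuid_changed": ["/tmp/.x (constructed)"]}
SAMPLE_PS = {"suspicious_proc": "listener on tcp/31337 (constructed)"}
SAMPLE_BASELINE = {"setuid_verdict": "not in baseline (constructed)"}

@dataclass(order=True)
class Goal:
    priority: int                        # lower number = more urgent
    seq: int                             # tie-breaker keeps equal priorities FIFO
    name: str = field(compare=False)
    steps: list = field(compare=False)   # each step: list of (cost, label, source_fn)

class Agent:
    def __init__(self):
        self.beliefs = {}      # the system database that events update
        self.goals = []        # priority heap of pending goals
        self.posted = set()    # goal names already created (post each once)
        self.rules = []        # (trigger on beliefs, goal name, priority, steps)
        self.trace = []        # explanation of the path of reasoning and actions
        self.counter = itertools.count()

    def post(self, name, priority, steps):
        if name in self.posted:
            return
        self.posted.add(name)
        heapq.heappush(self.goals, Goal(priority, next(self.counter), name, list(steps)))
        self.trace.append(f"goal posted: {name} (priority {priority})")

    def on_event(self, trigger, name, priority, steps):
        """Reactive rule: when the beliefs satisfy trigger, create a new goal."""
        self.rules.append((trigger, name, priority, steps))

    def _fire_rules(self):
        for trigger, name, priority, steps in self.rules:
            if name not in self.posted and trigger(self.beliefs):
                self.post(name, priority, steps)

    def _try_step(self, goal, step):
        # Alternative sources for the same information, cheapest first.
        for cost, label, source in sorted(step, key=lambda m: m[0]):
            result = source()
            if result is None:
                self.trace.append(f"{goal}: {label} unavailable (cost {cost}), trying next source")
                continue
            self.beliefs.update(result)
            self.trace.append(f"{goal}: {label} (cost {cost}) -> {sorted(result)}")
            return
        self.trace.append(f"{goal}: no source could answer; continuing without it")

    def run(self):
        while self.goals:
            goal = heapq.heappop(self.goals)   # most urgent goal
            self._try_step(goal.name, goal.steps.pop(0))
            self._fire_rules()                 # new facts may create new goals
            if goal.steps:
                heapq.heappush(self.goals, goal)
                if self.goals[0] is not goal:  # a more urgent goal now runs first
                    self.trace.append(f"{goal.name} preempted by {self.goals[0].name}")
            else:
                self.trace.append(f"goal done: {goal.name}")
        return self.beliefs

# Hypotheses with the evidence each one expects (constructed knowledge base).
HYPOTHESES = {
    "remote login then local backdoor": ["last_login", "setuid_changed", "suspicious_proc"],
    "rogue network listener only": ["suspicious_proc"],
}

def candidate_diagnoses(beliefs):
    """Return (hypothesis, support ratio, supporting facts) for the SysAdmin to review."""
    out = []
    for name, needed in HYPOTHESES.items():
        have = [k for k in needed if k in beliefs]
        if have:
            out.append((name, len(have) / len(needed), have))
    return sorted(out, key=lambda d: -d[1])

def diagnose():
    a = Agent()
    a.post("survey_host", 5, [
        [(1, "lastlog", lambda: SAMPLE_LASTLOG), (3, "wtmp", lambda: SAMPLE_WTMP)],
        [(2, "cops", lambda: SAMPLE_COPS)],
        [(1, "ps", lambda: SAMPLE_PS)],
    ])
    # A changed setuid file is alarming enough to preempt the routine survey.
    a.on_event(lambda b: "setuid_changed" in b, "assess_setuid_change", 1,
               [[(2, "baseline_check", lambda: SAMPLE_BASELINE)]])
    a.run()
    return a

if __name__ == "__main__":
    agent = diagnose()
    print("\n".join(agent.trace))
    for name, ratio, facts in candidate_diagnoses(agent.beliefs):
        print(f"{ratio:.0%} {name}: {facts}")
```

Running it prints the trace: lastlog is unavailable so wtmp is used instead, the COPS result posts the more urgent setuid goal, which preempts the survey, and the survey resumes afterwards. The two candidate diagnoses with their supporting facts are what a tool in this style would present to the SysAdmin for confirmation or discard.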
Status
This project has been completed.
For a description of the results of the DARPA 1999 Off-line Intrusion Detection Evaluation, please see the MIT/Lincoln Lab DISCEX 2000 paper.
Project Quad Viewgraph (GIF; M-S Powerpoint 4.0 & 97; PostScript)
Project Staff
Principal Investigator: Dr. W. Mabry Tyson, AI Center, SRI International
Principal Team Members:
Dr. Pauline Berry, Artificial Intelligence Center, SRI
Dr. W. Mabry Tyson, Artificial Intelligence Center, SRI
Nate Williams, ???, SRI (Montana)
Previous Team Members:
Dr. Douglas Moran, Artificial Intelligence Center, SRI (now at Recourse Technologies)
David Blei, Artificial Intelligence Center, SRI (now at UC Berkeley)
Jim Carpenter, Systems Technology Division, SRI
Ruth Lang, Systems Technology Division, SRI (now in the AI Center)
Additional Team Members:
Dr. John D. Lowrance, Artificial Intelligence Center, SRI
Dr. Karen L. Myers, Artificial Intelligence Center, SRI
Dr. Peter Neumann, Computer Science Laboratory, SRI