Explaining and Recovering from Computer Intrusions
Douglas B. Moran
Artificial Intelligence Center
SRI International
333 Ravenswood Avenue
Menlo Park CA 94025
8/27/96
Overview
- Apply AI technology to network-based intrusions
  - diagnosing
  - repair and recovery: automated security manual
- Tool:
  - manages other tools (esp. OTS) for data collection
  - rule base to guide/advise user
  - add additional tools as agents
  - add intrusion scenarios
Issues
- Many tools: OS, third party (OTS), custom; multiple ways of finding evidence
- Incomplete evidence
  - intentionally deleted
  - overwritten by normal operation
- Inexperienced SysAdmins
  - which tools to use when
  - what the output really tells you
- Speed
- Prioritization
Procedural Reasoning System
- Based on Acts (procedures) instead of rules
- Declarative acts and meta-acts
- Based on Beliefs-Desires-Intentions model
- Pre-emptable scheduling
- Supporting tools (e.g. editor)
Diagnosis
- Control application of other tools to collect evidence
  - Alternative sources of evidence
  - Handle missing evidence (deleted, overwritten, or truly not there)
- Order application of tools to minimize destruction of evidence
  - Get data quickly
  - Reduce load on normal system
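The PRS and Diagnosis slides above describe the control loop in words. The following is an added example, not SRI's PRS and not code from this project: a miniature PRS-style interpreter in Python applied to one diagnosis task. Goal names, Act names and the sample "tool outputs" (an emptied wtmp, a syslog ring buffer that has rotated past the time of interest, a lastlog, a setuid listing) are assumptions invented here for illustration; none are real system data.

```python
"""Miniature PRS-style interpreter applied to intrusion diagnosis (added illustration,
not SRI's PRS): belief database, goal stack, Acts with invocation goals and
preconditions, meta-level choice among applicable Acts, alternative evidence sources,
and classification of missing evidence. All "tool outputs" are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class Act:
    name: str
    goal: str                                   # goal this Act is invoked for
    precondition: Callable[[Set[tuple]], bool]  # must hold in the belief database
    body: Callable[["PRS"], None]
    cost: int = 1                               # meta-level preference: cheap, fast sources first


class PRS:
    def __init__(self, acts: List[Act]):
        self.acts = acts
        self.beliefs: Set[tuple] = set()  # facts, e.g. ("evidence", "wtmp", "deleted")
        self.goals: List[str] = []        # stack of pending goals
        self.trace: List[str] = []        # Acts executed, kept for explaining to the SysAdmin

    def applicable(self, goal: str) -> List[Act]:
        """Acts for this goal whose precondition holds and that have not been tried yet."""
        cands = [a for a in self.acts if a.goal == goal
                 and ("tried", a.name) not in self.beliefs and a.precondition(self.beliefs)]
        return sorted(cands, key=lambda a: a.cost)

    def run(self) -> Set[tuple]:
        while self.goals:
            goal = self.goals.pop()
            if ("achieved", goal) in self.beliefs:
                continue
            cands = self.applicable(goal)
            if not cands:  # no source left: record the gap instead of guessing
                self.beliefs.add(("unachievable", goal))
                continue
            act = cands[0]
            self.beliefs.add(("tried", act.name))
            self.trace.append(act.name)
            act.body(self)
            if ("achieved", goal) not in self.beliefs:
                self.goals.append(goal)  # fall through to the next alternative source
        return self.beliefs


# Constructed sample "tool outputs" for one host (not real data).
WTMP: list = []                                             # empty: intruder truncated the file
SYSLOG_AUTH = [(1700, "sshd: accepted password for alice"),  # ring buffer already rotated
               (1800, "sshd: accepted password for bob")]    # past the time of interest
LASTLOG = {"alice": 1400, "root": 1510}                     # newest login per user only
SETUID_NOW = {"/usr/bin/passwd", "/usr/bin/su"}             # find / -perm -4000 style listing
SETUID_BASELINE = {"/usr/bin/passwd", "/usr/bin/su"}


def diagnose(t_intrusion: int, window: int = 60) -> Dict[str, list]:
    def near(t: int) -> bool:
        return abs(t - t_intrusion) <= window
    def read_wtmp(p: PRS) -> None:
        if not WTMP:
            p.beliefs.add(("evidence", "wtmp", "deleted"))  # file present but no records
            return
        p.beliefs.update(("login", u, t, "wtmp") for u, t in WTMP if near(t))
        p.beliefs.add(("achieved", "logins-at-intrusion"))
    def read_syslog(p: PRS) -> None:
        if SYSLOG_AUTH and min(t for t, _ in SYSLOG_AUTH) > t_intrusion + window:
            p.beliefs.add(("evidence", "syslog", "overwritten"))  # normal rotation ate the window
            return
        p.beliefs.update(("login", m.split("for ")[1].split()[0], t, "syslog")
                         for t, m in SYSLOG_AUTH if near(t) and "accepted password for " in m)
        p.beliefs.add(("achieved", "logins-at-intrusion"))
    def read_lastlog(p: PRS) -> None:  # incomplete by design, so only used as a fallback
        p.beliefs.update(("login", u, t, "lastlog") for u, t in LASTLOG.items() if near(t))
        p.beliefs.add(("achieved", "logins-at-intrusion"))
    def setuid_scan(p: PRS) -> None:
        new = SETUID_NOW - SETUID_BASELINE
        p.beliefs.update(("setuid", path) for path in new)
        if not new:  # complete source and nothing found: the evidence is truly not there
            p.beliefs.add(("evidence", "setuid", "absent"))
        p.beliefs.add(("achieved", "new-setuid-files"))
    acts = [
        Act("read_wtmp", "logins-at-intrusion", lambda b: True, read_wtmp, cost=1),
        Act("read_syslog", "logins-at-intrusion", lambda b: True, read_syslog, cost=2),
        Act("read_lastlog", "logins-at-intrusion",
            lambda b: ("evidence", "wtmp", "deleted") in b, read_lastlog, cost=3),
        Act("setuid_scan", "new-setuid-files", lambda b: True, setuid_scan, cost=5),
    ]
    p = PRS(acts)
    p.goals.append("process-list-at-intrusion")  # volatile state nobody captured: no Act exists
    p.goals.append("new-setuid-files")
    p.goals.append("logins-at-intrusion")        # top of stack, handled first
    beliefs = p.run()
    return {
        "logins": sorted(b[1:] for b in beliefs if b[0] == "login"),
        "missing": sorted(b[1:] for b in beliefs if b[0] == "evidence"),
        "unachievable": sorted(b[1] for b in beliefs if b[0] == "unachievable"),
        "trace": p.trace,
    }
```

Each evidence source is an Act with a cost; the meta-level picks the cheapest untried Act for the pending goal, and an Act that cannot deliver leaves a belief saying why (deleted, overwritten) so the next alternative runs. A goal that no Act can serve (the process list at the time of the intrusion) is recorded as unachievable rather than guessed at, and the trace plus the "missing" beliefs are what the Explanation step would report to the SysAdmin.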
Explanation
- Report evidence and ambiguities to SysAdmin
- Present ramifications
- Seek guidance
Reporting
- Individual site often has incomplete evidence on intrusion
- Clearinghouse pieces together info from multiple reports
  - Problem: how much to trust what SysAdmins say, and don't say, about what they did and what they found
- Automated report generation
  - credibility level
  - facilitate automatic filtering and routing
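The Reporting slide asks for a credibility level per finding and for filtering and routing driven by it. The following is an added example, not SRI's tool: a report generator in Python that rates each claim by how it was established and routes it accordingly. The rating rule (a tool observation outranks a SysAdmin statement, independent sources agreeing raise the level, disagreement is flagged for a human) and the sample findings, including the tool name "promisc-check", are assumptions invented here for illustration.

```python
"""Automated report generation with a credibility level per finding, plus filtering
and routing (added example, not SRI's tool). The rating rule is an assumption made
for illustration: a tool observation outranks a SysAdmin statement, independent
sources agreeing raise the level, and disagreement is flagged for a human.
All findings below are constructed sample data."""
from collections import defaultdict
from typing import Dict, List, Tuple

# (claim, source kind, source name, value): what each source says about the claim.
Finding = Tuple[str, str, str, bool]

SAMPLE_FINDINGS: List[Finding] = [
    ("root-login@1510", "tool", "lastlog", True),
    ("root-login@1510", "sysadmin", "jdoe", True),         # SysAdmin corroborates the tool
    ("sniffer-installed", "sysadmin", "jdoe", False),      # "I looked and found nothing"
    ("sniffer-installed", "tool", "promisc-check", True),  # interface in promiscuous mode
    ("backdoor-in-inetd", "sysadmin", "jdoe", True),       # stated; nothing checked it
]

SINGLE_SOURCE = {"tool": 2, "sysadmin": 1}  # assumed base credibility by source kind


def rate(findings: List[Finding]) -> Dict[str, Tuple[int, str, List[str]]]:
    """Return {claim: (credibility 0..3, status, sources)} for the report."""
    by_claim: Dict[str, list] = defaultdict(list)
    for claim, kind, name, value in findings:
        by_claim[claim].append((kind, name, value))
    report = {}
    for claim, obs in by_claim.items():
        if len({v for _, _, v in obs}) > 1:
            cred, status = 0, "contradicted"   # sources disagree: a human must resolve it
        elif len({n for _, n, _ in obs}) > 1:
            cred, status = 3, "corroborated"   # independent sources agree
        else:
            cred, status = SINGLE_SOURCE[obs[0][0]], "single-source"
        report[claim] = (cred, status, sorted(f"{k}:{n}" for k, n, _ in obs))
    return report


def route(report: Dict[str, Tuple[int, str, List[str]]],
          clearinghouse_min: int = 2) -> Dict[str, List[str]]:
    """Clearinghouse gets findings it can rely on; the rest go to a local analyst."""
    dest: Dict[str, List[str]] = {"clearinghouse": [], "analyst": []}
    for claim, (cred, status, _) in report.items():
        ok = cred >= clearinghouse_min and status != "contradicted"
        dest["clearinghouse" if ok else "analyst"].append(claim)
    return {k: sorted(v) for k, v in dest.items()}
```

The point of the contradicted status is the "what they don't say" problem on the slide: a SysAdmin reporting that nothing was found is itself a finding, and when a tool observation disagrees with it the claim is held back from the clearinghouse and sent to an analyst instead of being averaged away.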
Recovery
- Goal: reduce effort and downtime to repair
- Prioritize repairs based on known scope of intrusion
- Automatically invoke any available tools (upon confirmation)
Distributed
- Intrusions achieved by spreading components of the attack over multiple hosts in a cluster (distributed file system)
- Share information between computers
  - Within cluster
  - Outsiders
    - reduced info
    - intruder or tracker?
- Multilevel, compositional procedures
  - Build on previous, reuse
  - Methods (get-root, Trojan Horse)
  - Goal (install password sniffer)
  - Camouflage
Security Policy: Propagating Changes
- During normal operation and during crisis, intruders will develop new tactics
- Propagate rapidly
- Propagate confidentially (if reasonable): aid catching intruders
- Propagate securely: don't become a vehicle for intrusions
Many Sites - Many Security Policies
- Trend: external sources represent a wide range of organizations with a wide range of security requirements
- Each site must have substantial freedom and capability to specify its own policy
  - all-or-nothing = nothing
  - support tools critical
  - provide baseline policy (augmented by each level of hierarchy)
- Dimensions
  - type of attack
  - category of attacker: capabilities and resources
  - tolerance for loss
Approach
- Start with intrusion scenarios
  - Test against multiple variants of attack
  - Test for multiple site configurations
  - Test for false positives
- Incrementally expand coverage
  - tools
  - intrusion scenarios
- Partner site (TBD) attempts to extend
Pauline M. Berry berry@ai.sri.com