Future Directions for Intrusion Detection
Douglas B. Moran
Artificial Intelligence Center
SRI International
333 Ravenswood Avenue
Menlo Park CA 94025
1/18/96
SRI AIC: Current & Pending Work
- Practical Computer Security
- Apply AI Technology to Network-based Break-ins
- diagnosing
- repair and recovery: automated security manual
- future integration with intrusion detection
- Tool:
- manages other tools (esp. off-the-shelf) for data collection
- rule-base to guide/advise user
- Based on Acts (procedures) instead of rules
- Declarative acts and meta-acts
- Based on Beliefs-Desires-Intentions model
- Pre-emptable scheduling
- Supporting tools (eg editor)
- Community of Agents
- Plug-and-play applications
- Distributed
- User Interface as agents
- Human in the loop
- User as alternative info source
- Access from variety of platforms: desktop, PDA, phone, ...
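The act-based, pre-emptable control loop sketched in the Tool bullets above, as an added example (not code from the SRI page or from its tool): beliefs are facts the agent has accepted, desires are goals with a priority, an act is a procedure with a trigger goal and a precondition over the beliefs whose body yields between steps so the scheduler can suspend it, and a meta-act chooses among applicable acts. Goal names, acts, priorities and the event sequence are invented for the illustration.

```python
"""Miniature act-based (BDI-style) responder with pre-emptable scheduling.
Added example, not the SRI tool's code; names and events are invented."""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Act:
    name: str
    trigger: str            # goal this act can achieve
    precondition: Callable  # beliefs -> bool
    body: Callable          # (beliefs, trace) -> generator; yields between steps
    rank: int               # consulted by the meta-act; lower is preferred


def investigate_alone(beliefs, trace):
    trace.append("investigate: check local logs")
    yield
    trace.append("investigate: check neighbours")
    yield
    trace.append("investigate: file report")


def investigate_with_peers(beliefs, trace):
    trace.append("investigate: ask siblings for counts")
    yield
    trace.append("investigate: file report")


def contain(beliefs, trace):
    trace.append("contain: kill session")
    yield
    trace.append("contain: revoke credentials")


ACTS = [
    Act("investigate_with_peers", "investigate_probe", lambda b: "peers_reachable" in b, investigate_with_peers, rank=1),
    Act("investigate_alone", "investigate_probe", lambda b: True, investigate_alone, rank=2),
    Act("contain_host", "contain_compromise", lambda b: True, contain, rank=1),
]


def prefer_lowest_rank(candidates):
    """Meta-act: a declarative choice among the applicable acts."""
    return min(candidates, key=lambda a: a.rank)


class Agent:
    def __init__(self, acts, meta_act):
        self.beliefs, self.goals = set(), []   # goals: (priority, name)
        self.acts, self.meta_act = acts, meta_act
        self.stack = []                        # (priority, goal, generator); top is running
        self.trace = []

    def tell(self, belief, goal=None, priority=0):
        """Information from a tool or the user, optionally posting a goal."""
        self.beliefs.add(belief)
        if goal:
            self.goals.append((priority, goal))

    def _start(self, priority, goal):
        applicable = [a for a in self.acts if a.trigger == goal and a.precondition(self.beliefs)]
        act = self.meta_act(applicable)
        self.trace.append(f"start {act.name} for {goal}")
        return (priority, goal, act.body(self.beliefs, self.trace))

    def tick(self):
        """One scheduler step. A pending goal that outranks the running act
        pre-empts it; the suspended act resumes once the urgent one is done.
        Returns False when nothing is left to do."""
        if self.goals:
            top = max(self.goals)
            if not self.stack or top[0] > self.stack[-1][0]:
                self.goals.remove(top)
                if self.stack:
                    self.trace.append(f"suspend {self.stack[-1][1]}")
                self.stack.append(self._start(*top))
        if not self.stack:
            return False
        _, goal, gen = self.stack[-1]
        try:
            next(gen)
        except StopIteration:
            self.stack.pop()
            self.trace.append(f"done {goal}")
            if self.stack:
                self.trace.append(f"resume {self.stack[-1][1]}")
        return True


def demo(peers_reachable=False):
    """A probe is under investigation when evidence of a compromise arrives."""
    agent = Agent(ACTS, prefer_lowest_rank)
    if peers_reachable:
        agent.tell("peers_reachable")
    agent.tell("probe from 10.9.8.7", goal="investigate_probe", priority=1)
    agent.tick()
    agent.tell("setuid shell in /tmp", goal="contain_compromise", priority=5)
    while agent.tick():
        pass
    return agent.trace


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The trace shows the investigation suspended after its first step, the containment act run to completion, and the investigation resumed where it left off; with the belief `peers_reachable` present the meta-act selects the collaborative investigation instead of the local one.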
- Standard Procedures / Training Curriculum
- Largely ineffective in dealing with intrusion
- inadequate training: too much to learn
- too many threats
- too many tactics
- rapid evolution
- Automated tools to handle most of doctrine
- Training simulators using statement of doctrine
For computers under same management:
- Current Tactics: distributed probing & actions
- Distributed Filesystem
- probe from multiple hosts within cluster
- individual actions below threshold
- Centralized IDS: can it scale up?
- Alternative: local IDS's that query and notify siblings about suspicious events
- parsimonious
- is sibling host still trustworthy?
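The distributed-probing problem and the sibling-query alternative above, as an added example (not code from the SRI page): each host runs a local IDS that counts refused connections per remote source; a scanner that touches each host once stays under every local threshold, so the host that noticed a source asks its siblings about that source only (parsimonious) and alerts on the cluster-wide total, leaving out reports from a sibling that is no longer trusted. Host names, addresses, sample records and thresholds are constructed for the illustration.

```python
"""Correlating below-threshold probes across sibling hosts.
Added example, not from the SRI page; all names, addresses and thresholds are constructed."""
from collections import Counter

LOCAL_THRESHOLD = 3    # per host: alert at >= 3 refused connections from one source
CLUSTER_THRESHOLD = 5  # cluster-wide: alert when trusted siblings' counts sum to >= 5

# Constructed sample records: (logging host, source address, destination port, result)
SAMPLE_EVENTS = [
    ("hostA", "10.9.8.7", 23, "refused"),
    ("hostB", "10.9.8.7", 25, "refused"),
    ("hostC", "10.9.8.7", 79, "refused"),
    ("hostD", "10.9.8.7", 111, "refused"),
    ("hostE", "10.9.8.7", 513, "refused"),
    ("hostA", "192.0.2.5", 80, "accepted"),
    ("hostA", "192.0.2.5", 80, "accepted"),
    ("hostA", "192.0.2.5", 80, "accepted"),
]


class LocalIDS:
    """Per-host monitor: keeps the raw count of refused connections per source."""

    def __init__(self, name):
        self.name = name
        self.refused = Counter()

    def observe(self, source, port, result):
        if result == "refused":
            self.refused[source] += 1

    def local_alerts(self):
        """Sources that cross this host's own threshold."""
        return {s for s, n in self.refused.items() if n >= LOCAL_THRESHOLD}

    def answer(self, source):
        """Reply to a sibling's query: refused connections seen from `source`."""
        return self.refused.get(source, 0)


def build_hosts(events):
    hosts = {}
    for host, source, port, result in events:
        hosts.setdefault(host, LocalIDS(host)).observe(source, port, result)
    return hosts


def cluster_alerts_from(initiator, hosts, trusted=None):
    """Alerts raised when `initiator` asks its siblings about the sources it has
    itself seen. `trusted` is the set of sibling names whose reports are still
    believed; a sibling suspected of compromise is left out, since it could
    under- or over-report."""
    if trusted is None:
        trusted = set(hosts)
    me = hosts[initiator]
    alerts = {}
    for source in me.refused:  # only ask about what this host saw
        total = me.answer(source)
        for name, sibling in hosts.items():
            if name != initiator and name in trusted:
                total += sibling.answer(source)
        if total >= CLUSTER_THRESHOLD:
            alerts[source] = total
    return alerts


if __name__ == "__main__":
    hosts = build_hosts(SAMPLE_EVENTS)
    print("local alerts:", {h: ids.local_alerts() for h, ids in hosts.items()})
    print("cluster alerts from hostA:", cluster_alerts_from("hostA", hosts))
    print("hostE distrusted:", cluster_alerts_from("hostA", hosts, trusted={"hostA", "hostB", "hostC", "hostD"}))
```

No host alerts on its own, the sum across siblings does; and the trust question cuts both ways: dropping a distrusted sibling can push the total back under the threshold, while keeping a compromised one lets it lie, so the cluster threshold has to be chosen with the expected number of trusted siblings in mind.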
- Widespread use in few years (5 years?)
- Minimizes info available to network monitor
- Each host has to collect raw data on its connections
- sent to network monitor: can these reports be trusted?
- Trend: use/depend on data and services from external sources
- security policy & capability of other site: unknown, different, none, ...
- intrusion at any of these other sites can be a virtual intrusion at yours
- Issue: how to estimate security status of another site
- sharing info often not in interest of site
- useful to intruder
- against organizational self-interest (esp commercial)
- Trend: external sources represent wide range of organizations with wide range of requirements towards security
- Each site must have substantial freedom and capability to specify own policy
- all-or-nothing = nothing
- support tools critical
- provide baseline policy (augmented by each level of hierarchy)
- Dimensions
- type of attack
- category of attacker: capabilities and resources
- tolerance for loss
- How much info is enough
- Could this info help intruder more than defender
- Tradeoff: local protection vs greater body
- Dimensions:
- security policy
- current events
- CERT, ASSIST (DISA), CIAC (DOE), ...
- improve quantity and quality of reports
- improved reliability
- support more automated processing and correlation
- automated tool for report creation: takes output of tools for detection and analysis
- Info from insecure or questionable sources
- Negotiation/bidding
- Beliefs, Desires, Intentions (BDI)
- Application: robot control
- Security of remote system as
- Tool to advise on risks, prioritize actions, undertake directed actions
- Tradeoff: resuming secure operation vs tracking down intruder
- Tradeoff: continued operation vs recovery
- Exploration (curiosity or planning damage)
- Resource theft: computation, information
- Disruption
- slowdown, shutdown, scramble priorities, corrupt information
- Disinformation
- influence down specific path, divert into low-productivity areas (e.g. responding to slander)
- Define limits of legitimate use of system
- Phases: detection, diagnosis/analysis, repair
- Discovery
- events that are unexplained, anomalous, or against policy
- data fusion and interpretation
- data from multiple computers and sites
- Repair/Recovery
- Identify risks
- Prioritize repair actions
- Detect legitimate user performing improper acts
- Dynamically customize for
- site, computer, user, enemy, threat, tactics
- Dimensions
- motivation/intentions/goals
- capabilities: expertise and resources
- vulnerability to retaliation and countermeasures
- Example: by size
- small: individuals and small groups: terrorist, criminals
- middle: major criminal/terrorist orgs, commercial, LD
- large: countries
- XL: major powers
- Impersonation of normal user
- Privileged access
- Disruption by starving critical applications using innocuous applications
- Probing attacks that are meant to be detected
- Discourage use of data and services
- New network technologies: ?
- More client-server
- More connection-less services
- Multi-Agent Systems
- Encryption of network traffic
- Tripwires and honeypots to simplify monitoring
- Cascading level of tools/expertise activated
- Tradeoff: miss stealthy attack vs reduce consumption of CPU
- Implementation: community of agents
- Can formal specification of policy & doctrine be used to automatically create tripwires??
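The tripwire bullets above, as an added example (not code from the SRI page, and not the Tripwire tool): a declarative policy lists files that must not change and directories that must not gain entries; the cheap level-1 check (size and mtime) runs on every pass, and the costly level-2 check (full SHA-256) runs only for entries level 1 flags plus a random fraction of the rest, which is the CPU-versus-stealthy-attack tradeoff made concrete. The policy entries and the sample tree (built in a temporary directory) are constructed for the example.

```python
"""Tripwires generated from a declarative policy, with cascaded checks.
Added example, not from the SRI page; policy and sample tree are constructed."""
import hashlib
import os
import random
import tempfile

POLICY = {
    "immutable": ["etc/passwd", "bin/login"],  # content must never change
    "no_new_entries": ["etc/cron.d"],          # directory must not gain entries
}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root, policy):
    """Turn the policy into concrete tripwires: recorded metadata, hashes, listings."""
    base = {"files": {}, "dirs": {}}
    for rel in policy["immutable"]:
        p = os.path.join(root, rel)
        st = os.stat(p)
        base["files"][rel] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": sha256_of(p)}
    for rel in policy["no_new_entries"]:
        base["dirs"][rel] = set(os.listdir(os.path.join(root, rel)))
    return base


def check(root, base, deep_fraction=0.0, seed=0):
    """Level 1 (stat) on everything; level 2 (hashing) only where level 1 fired
    or the random sample selected the file. Returns a list of findings."""
    rng = random.Random(seed)
    findings = []
    for rel, rec in base["files"].items():
        p = os.path.join(root, rel)
        st = os.stat(p)
        cheap_hit = (st.st_size, st.st_mtime_ns) != (rec["size"], rec["mtime_ns"])
        if cheap_hit or rng.random() < deep_fraction:
            if sha256_of(p) != rec["sha256"]:
                findings.append({"path": rel, "level": 1 if cheap_hit else 2, "what": "content changed"})
            elif cheap_hit:
                findings.append({"path": rel, "level": 1, "what": "metadata changed, content intact"})
    for rel, entries in base["dirs"].items():
        new = set(os.listdir(os.path.join(root, rel))) - entries
        if new:
            findings.append({"path": rel, "level": 1, "what": "new entries: " + ", ".join(sorted(new))})
    return findings


def make_tree():
    """Constructed sample tree in a temporary directory."""
    root = tempfile.mkdtemp(prefix="tripwire_demo_")
    os.makedirs(os.path.join(root, "etc", "cron.d"))
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(os.path.join(root, "bin", "login"), "wb") as f:
        f.write(b"\x7fELF sample bytes standing in for a binary\n")
    return root


def tamper(root):
    """Three intrusions: a careless edit, a stealthy edit, and a dropped cron job."""
    with open(os.path.join(root, "etc", "passwd"), "a") as f:  # size and mtime change
        f.write("eve:x:0:0::/:/bin/sh\n")
    p = os.path.join(root, "bin", "login")                       # same size, mtime restored
    st = os.stat(p)
    with open(p, "rb") as f:
        data = bytearray(f.read())
    data[0] ^= 0xFF
    with open(p, "wb") as f:
        f.write(data)
    os.utime(p, ns=(st.st_atime_ns, st.st_mtime_ns))
    open(os.path.join(root, "etc", "cron.d", "evil"), "w").close()


if __name__ == "__main__":
    root = make_tree()
    base = baseline(root, POLICY)
    tamper(root)
    print("cheap pass only:", check(root, base))
    print("with full hashing:", check(root, base, deep_fraction=1.0))
```

The cheap pass catches the careless edit and the new cron entry; the same-size, mtime-restored edit is only caught when the hashing level runs, which is the stealthy attack the CPU saving risks missing. A real tripwire would also record ctime, which `utime` cannot reset, and the next cascade level would be handing the level-2 findings to a human.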
- Data collection will occur during normal times
- Simulation of crisis is of limited utility
- ID in normal times: terrorists, criminals, sneak attacks
- ID in crisis:
- Not hamper taking initiative
- redeployment
- changed job mix: planned, forced, adaptive
- Alert rates must be at reasonable, but elevated, level
- During normal operation and during crisis, intruders will develop new tactics
- Propagate rapidly
- Propagate confidentially (if reasonable): aid catching intruders
- Propagate securely: don't become vehicle for intrusions
- Human interaction critical: too much offline info involved in decisions
- Not in most loops: tools to handle predictable situations
- Human unavailable or overloaded: tools to handle default actions
Pauline M. Berry berry@ai.sri.com