Today's enterprise networks are extremely complex entities, containing a very large number of hosts and spread over many locations. Intrusion attempts by self-propagating code are becoming an increasingly urgent problem, in part because of the homogeneous makeup of the Internet. Recent advances in anomaly-based IDSs have exploited the quickly spreading nature of these attacks to identify them with high sensitivity and at low false-positive (FP) rates. Slowly propagating attacks, however, are much more difficult to detect because they are cloaked under the veil of normal network traffic, yet they can be just as dangerous because of their exponential spread pattern. We describe a framework in which hosts running local IDS instances can corroborate the likelihood of an attack in an autonomous, decentralized fashion, by gossiping their local beliefs to other participating hosts.

Securing such a network and ensuring the correct operation of its component elements is an extremely challenging task. A large part of the complexity lies in the sheer heterogeneity of enforcement points, each of which must be configured and managed in slightly different ways. The state of the art is quite lacking: enterprise policy management is still largely a manual, localized process without a higher-level, network-wide view. There is an urgent need for a framework that unifies the disparate components and allows for more autonomic operation and maintenance of the network.

In this paper, we described three building blocks that move us closer to realizing the ultimate goal, that of "autonomic operation" of the enterprise. First, we described the notion of self-defending platforms, which enable an end-host to detect program-level anomalies and unauthorized modifications. Next, we described the concept of distributed detection and inference, where end-hosts collaborate among themselves to reason about the state of the entire network. Finally, we discussed an adaptive policy management architecture that can supplement the previously discussed capabilities. At a high level, the policy framework supports and complements the other two building blocks: it provides a channel for anomalies signaled by these building blocks to percolate up to entities that have a system-wide view of the network, and it translates remedial actions determined at the system level into actionable tasks for the lower-level building blocks. That is, it serves as a feedback channel from higher-level entities to the host-based mechanisms. To demonstrate the efficacy of our framework, we use the example of a DoS attack on a synthetic network and show how it can be stopped by means of our feedback mechanism.
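The decentralized corroboration of local beliefs sketched above can be modelled with a simple pairwise-averaging gossip, as in this added example (not code from the paper; the averaging rule, the 16-host belief vectors and the two thresholds are assumptions constructed for illustration). It shows why a weak but consistent anomaly signal that no single host would act on becomes visible once the hosts gossip their beliefs to a common estimate.

```python
"""Gossip-based corroboration of local IDS beliefs (illustrative model).

Each host holds a local belief in [0, 1] that an attack is under way. In every
round each host picks one random peer and both replace their beliefs with the
pair's average. The network converges to the global mean with no central
collector, so a mild anomaly seen consistently across many hosts stands out,
even though each host alone stays well below its own alarm threshold.
"""
import random
import statistics

# Constructed sample data for 16 hosts (assumed values, not from the paper).
# Slow attack: every host sees a mild, noisy anomaly score.
ATTACK_BELIEFS = [0.28, 0.35, 0.31, 0.22, 0.40, 0.26, 0.33, 0.29,
                  0.37, 0.24, 0.30, 0.34, 0.27, 0.36, 0.25, 0.32]
# Benign traffic: scores hover near zero, with one noisy outlier.
BENIGN_BELIEFS = [0.02, 0.45, 0.01, 0.03, 0.00, 0.04, 0.02, 0.01,
                  0.03, 0.02, 0.00, 0.05, 0.01, 0.02, 0.03, 0.01]

LOCAL_THRESHOLD = 0.70   # a single noisy host must be this sure before alerting
GLOBAL_THRESHOLD = 0.20  # averaging over many hosts cancels noise; lower bar is safe

def gossip_round(beliefs, rng):
    """One round: every host averages its belief with one random peer (in place)."""
    n = len(beliefs)
    for i in range(n):
        j = rng.randrange(n - 1)
        if j >= i:
            j += 1  # skip index i so a host never gossips with itself
        avg = (beliefs[i] + beliefs[j]) / 2.0
        beliefs[i] = beliefs[j] = avg
    return beliefs

def gossip_until_converged(beliefs, tol=1e-6, max_rounds=200, seed=1):
    """Gossip until all hosts agree within tol; return (estimate, rounds_used)."""
    rng = random.Random(seed)        # fixed seed keeps the run reproducible
    state = list(beliefs)            # never mutate the caller's list
    for r in range(1, max_rounds + 1):
        gossip_round(state, rng)
        if max(state) - min(state) < tol:
            return statistics.fmean(state), r
    return statistics.fmean(state), max_rounds

def local_alarms(beliefs, threshold=LOCAL_THRESHOLD):
    """How many hosts would alert on their own evidence alone."""
    return sum(b >= threshold for b in beliefs)

def corroborated_alarm(beliefs, threshold=GLOBAL_THRESHOLD):
    """Network-wide decision taken on the gossiped estimate."""
    estimate, _ = gossip_until_converged(beliefs)
    return estimate >= threshold
```

Pairwise averaging conserves the sum of beliefs, so the converged estimate equals the network mean (about 0.31 for the attack vector, 0.05 for the benign one) while no host in either case passes the local threshold.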