Among the list of challenges faced by IT departments, security consistently ranks among the top concerns year after year, as reported by the Gartner Group. Firewalls, anti-virus software, and other similar protection mechanisms are ubiquitous in corporate networks. In spite of this, there is little respite from the spate of worm attacks, viral infections, host compromises, spyware, etc. It is estimated that protecting against these threats costs businesses about $67 billion a year in the U.S. alone [8].

Among the myriad security threats seen today, worms and other kinds of self-propagating malware are, anecdotally at least, the single most challenging problem that the Internet faces. The homogeneous makeup of the Internet makes it very vulnerable to these kinds of attacks, while its rich connectivity makes it very easy for worms to propagate. Thus far, state-of-the-art Intrusion Detection Systems (IDSs) have made use of the quickly spreading nature of these attacks to identify them with high sensitivity and at low false positive (FP) rates. However, in the race between worm designers and security vendors, the former always seem slightly ahead: there is a growing trend towards stealthy worms that use evasion techniques to cloak their presence on an infected host. Such worms render existing IDSs ineffective. In addition, existing IDS products do not protect against day-zero exploits, which malware designers are adopting far more than in the past.

In this paper, we first describe host-level protection, i.e., self-defending platforms, that can defeat (or at least detect) attacks that attempt to subvert the Operating System (OS). This is done using a runtime integrity service that automatically improves the security and robustness of networked platforms by leaving no place for malware to hide. We then describe distributed detection and inference, a method whereby protected systems can collaborate (or "gossip") to detect (and signal) network-scale attacks (or infections). Untrusted systems cannot benefit from such gossip protocols, as this network-wide information is secured by protecting the software on the end-point. Finally, we describe the adaptive feedback framework, a framework in which the "network state" as determined by the distributed detection can trigger feedback mechanisms to mount an automated response to day-zero threat conditions. The rationale for using network-wide information in our approach is also to enforce the autonomic response more intelligently, in a holistic manner, as compared to the more ad-hoc "per device type" enforcement approach, and to target the most effective control points. Figure 1 shows a schematic of the entire architecture, showing how the three different mechanisms may interact with each other.

Figure 1: Overall architecture of an Autonomic Enterprise Security system. The architecture consists of three mechanisms: (1) self-defending platforms protect individual end-hosts; (2) distributed detection correlates alarms across end-hosts; and (3) the adaptive framework delivers security policies (as a response to a network threat) to the most effective control points.
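As an added illustration of how the three mechanisms fit together (this is a constructed toy model, not code from the paper): attested hosts gossip their local integrity alarms, a network-wide threshold is chosen so that uncorrelated per-host false alarms almost never look like an outbreak, and the resulting network state selects a response at the control points. The per-host false-alarm rate, the target network false-positive rate, the population, the gossip schedule and the policy action names are all assumptions.

```python
import math

# Constructed toy model: a local integrity alarm per host, gossip among attested hosts
# to correlate alarms, and a policy response. All parameters and names are assumptions.

def network_false_positive(n, p, k):
    """P(at least k of n independent hosts raise a false local alarm at rate p)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))

def choose_threshold(n, p, target_fp):
    """Smallest alarm count k whose chance-only probability is at most target_fp."""
    return next((k for k in range(1, n + 1) if network_false_positive(n, p, k) <= target_fp), n)

def gossip_alarm_count(hosts):
    """Spread local alarms among attested hosts only, using a doubling schedule: in round r
    host i pushes its known set to host i + 2**r, so every report reaches all m members
    after ceil(log2 m) rounds. Untrusted hosts are never members, so they cannot inflate it."""
    members = [h for h, info in hosts.items() if info["attested"]]
    m = len(members)
    if m == 0:
        return 0
    known = [{i} if hosts[members[i]]["alarm"] else set() for i in range(m)]
    r = 0
    while 2 ** r < m:
        nxt = [set(s) for s in known]
        for i in range(m):
            nxt[(i + 2 ** r) % m] |= known[i]
        known, r = nxt, r + 1
    return len(known[0])  # all members now hold the same set

def network_state(hosts, per_host_fp=0.01, target_fp=1e-4):
    """Distributed detection: compare the gossiped alarm count with a threshold
    chosen so that uncorrelated false alarms almost never look like an outbreak."""
    m = sum(1 for info in hosts.values() if info["attested"])
    k = choose_threshold(m, per_host_fp, target_fp)
    alarms = gossip_alarm_count(hosts)
    return {"alarms": alarms, "threshold": k, "infected": alarms >= k}

def response_policy(state):
    """Adaptive feedback: map the network state to actions at control points
    (hypothetical action names)."""
    if not state["infected"]:
        return ["log-only"]
    return ["rate-limit-new-flows-at-edge", "quarantine-alarming-hosts"]

def build_hosts(n, alarming, untrusted=()):
    """Constructed population: 'alarming' hosts raise a local integrity alarm; 'untrusted'
    hosts run no protected integrity service and always claim one."""
    return {i: {"attested": i not in untrusted, "alarm": i in alarming or i in untrusted}
            for i in range(n)}
```

With 200 attested hosts and a 1% per-host false-alarm rate, the threshold works out to 10 simultaneous alarms, so two stray local alarms stay at "log-only" while a 10% infection is flagged; alarms claimed by unattested hosts never enter the count.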