Proposal Number: CCR-0098154
PI: R. Sekar
Department of Computer Science, SUNY @ Stony Brook, NY 11794

Networked software systems are playing increasingly important roles in critical services such as commerce, banking and telecommunication. Existing techniques for protecting such systems against intruder attacks are reactive in nature, offering little protection against unknown attacks. Solutions, such as applying security patches, last only until newer attacks emerge. System administrators are thus in a constant struggle to stay ahead of a vast army of resourceful hackers. This project develops a proactive approach to protect software systems against known and unknown attacks. It is based on high-level models of security-relevant system behaviors. Actual behaviors are compared against these models to detect deviations, which are deemed to indicate attacks. In order for the approach to work with COTS software, behaviors are modeled in terms of events observable external to the software system, e.g., invocation of system calls and reception/transmission of network packets. In contrast with previous work, which was mainly concerned with post-attack detection, the proposed approach can prevent and/or contain damage due to attacks. Moreover, it addresses a wide range of threats within a single framework, including software errors in trusted programs, untrusted mobile code and malicious software.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Communication Foundations (CCF)
Application #: 0098154
Program Officer: Sol J. Greenspan
Project Start:
Project End:
Budget Start: 2001-07-01
Budget End: 2005-06-30
Support Year:
Fiscal Year: 2000
Total Cost: $199,829
Indirect Cost:
Name: State University New York Stony Brook
Department:
Type:
DUNS #:
City: Stony Brook
State: NY
Country: United States
Zip Code: 11794