Intrusion detection systems, as their name suggests, are designed simply to detect intrusions. They may, at most, recommend courses of response, and for good reason. Attacks are not always detected when and where they occur. It makes good design sense to separate the detection facility from the response facility.

Response systems to date have focused primarily on backup and recovery. Comparatively little effort has been spent on immediate response, or "first-aid" services; and what effort there has been is mainly in the area of network filtering and blocking. FACS is designed to fill the need for further services, such as suspending or disabling services and user accounts, and sequestering files for forensic analysis.

FACS will integrate these responses with local system policy, so that the system administrator's knowledge of the resources and users available on the system is taken properly into account. In this way, more important data and accounts can be given higher priority; careful attention is paid to services that have more dangerous failure modes; trust is appropriately accorded (or not) to various outside domains providing information about attacks and responses; and so forth. Note that these are not attributes accessible to the operating system, but personal knowledge that the administrator would have as a matter of course.

The FACS system will be constructed at multiple levels, enabling responses on the local host, across a local network, and between networks. The FACS project will design and incorporate a response prescription language enabling uniform and machine-independent specification of appropriate responses to attacks as they occur in real time. This language will also facilitate verification of prescribed responses against the local system policy.

FACS will enable systems to present a more complete defense against attacks, by bridging the gap between attack detection and complete restoration. And from a scientific perspective, it will give us insight into the complex small-scale interactions between attacks and recovery efforts.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Application #: 0220016
Program Officer: Jie Wu
Project Start:
Project End:
Budget Start: 2002-10-01
Budget End: 2006-01-31
Support Year:
Fiscal Year: 2002
Total Cost: $383,725
Indirect Cost:
Name: University of Southern California
Department:
Type:
DUNS #:
City: Los Angeles
State: CA
Country: United States
Zip Code: 90089