Attacks against computer systems have risen dramatically in recent years. A recent survey by the Computer Security Institute and the FBI found that the number of corporations, financial institutions, and government agencies reporting attacks through external Internet connections rose from 37% in 1996 to 57% in 1998. Interest in threats against computer security has risen accordingly. As the Internet has grown out of obscurity to become the backbone of government and corporate communications, threats against information systems have gained importance, and have risen from the domain of obscure electronic bulletin board discussions to the front pages of national newspapers.
In spite of the magnitude of the problem, today's technology is largely reactive. That is, current intrusion detection technology can only react to an intrusion once it is widely spread and known. By the time intrusion detection tools are updated, much damage may have occurred and defense assets may have been compromised.
To respond to intrusions before an information system is compromised, an intrusion tolerant system needs triggers that signal when an intrusion is taking place. Our research specifically addresses this need.
We designed and built a system for automated behavior modeling of programs and information systems. Our system automatically builds finite-state models describing the normal behavior of programs and subsystems, using both source code analysis and a suite of test inputs designed to exercise specific aspects of a program's behavior. These models of normal program behavior make it possible to determine when the system is behaving abnormally.
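The following is an added illustration, not code from the project described here, of the idea in the paragraph above: a finite-state model of normal behavior is learned from event traces gathered while a program runs under a test suite, and a trace observed in the field is then checked for transitions the model never saw. The page does not say how its models are represented; this example assumes a simple representation in which a state is the last k events (k configurable) and a transition is an observed next event. The training and test traces are constructed for the example.

```python
from collections import defaultdict

# Constructed traces: event sequences (for instance system calls) recorded
# while a hypothetical program ran under a structured test suite. These are
# illustrative inputs, not data from the project described on the page.
TRAINING_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "write", "close"],
]


class BehaviorModel:
    """Finite-state model of normal behavior.

    A state is the tuple of the last `history` events (padded with START at the
    beginning of a trace); a transition is an event observed to follow that
    state during training. Anything not seen in training is a divergence.
    """

    START = "<start>"
    END = "<end>"

    def __init__(self, history=1):
        self.history = history
        self.transitions = defaultdict(set)  # state tuple -> set of next events

    def _walk(self, trace):
        """Yield (state, next_event) pairs for a trace, ending with END."""
        state = (self.START,) * self.history
        for ev in list(trace) + [self.END]:
            yield state, ev
            state = (state + (ev,))[-self.history:]

    def train(self, trace):
        """Record every transition in a trace of normal behavior."""
        for state, ev in self._walk(trace):
            self.transitions[state].add(ev)

    def check(self, trace):
        """Return (position, state, event) for each transition absent from the model."""
        divergences = []
        for pos, (state, ev) in enumerate(self._walk(trace)):
            # .get() on a defaultdict does not create entries, so unknown
            # states are reported rather than silently added to the model.
            if ev not in self.transitions.get(state, ()):
                divergences.append((pos, state, ev))
        return divergences

    def is_anomalous(self, trace):
        """A trigger: any divergence from the learned model counts as abnormal."""
        return bool(self.check(trace))


def build_model(traces, history=1):
    """Train a model from a collection of normal traces."""
    model = BehaviorModel(history)
    for trace in traces:
        model.train(trace)
    return model


if __name__ == "__main__":
    bigram = build_model(TRAINING_TRACES, history=1)
    trigram = build_model(TRAINING_TRACES, history=2)
    field_trace = ["open", "read", "read", "write", "close"]
    # Each individual step of field_trace was seen in training, so the
    # one-event-history model accepts it; the two-event-history model
    # notices that "read, read" was never followed by "write".
    print("history=1:", bigram.check(field_trace))
    print("history=2:", trigram.check(field_trace))
    print("history=1 on exec:", bigram.check(["open", "exec", "close"]))
```

The contrast between the two history lengths is the practical point: a model that remembers only the previous event accepts any trace assembled from individually normal steps, while a longer history rejects orderings the test suite never exercised, at the cost of more states and a greater chance of flagging rare but legitimate behavior. Choosing the history length therefore trades false negatives against false positives, and the test suite used for training must cover the behavior one intends to treat as normal.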
Our approach included three major innovations:
To build this system, we used our existing technology for source code analysis, and automatic generation of structured test suites. We also took advantage of extensive experience in a closely related field—intrusion detection—as we built a system that infers the behavior of a program and diagnoses divergences from that behavior in the field.