Digital Defense (2)
The Intelligent Security Systems Research Lab at The University of Memphis has built software prototypes that address that weakness. Its Security Agents for Network Traffic Analysis uses mobile software agents for intrusion detection in a network of computers. Agents monitor at multiple levels (packet, process, system and user), using neural networks to spot anomalous behavior and "fuzzy rules" to decide what action the agents should take in the face of an attack.
Stephanie Forrest, a computer science professor at The University of New Mexico, points out that diversity in biological and ecological systems leads to robustness and resilience. She's working on "automated diversity for security," in which each system is made unique by arbitrary random changes. "That increases the cost of attack, because the attack has to be adapted for each computer," she says.
Diversity can be created in a number of ways, such as by adding nonfunctional code, reordering code or randomizing memory locations, file names or system calls.
Other researchers are experimenting with a measure called Kolmogorov Complexity, the minimum number of bits a character string can be compressed into without losing information. Scott Evans, a researcher at GE Global Research, has used it to study attack scenarios.
Evans analyzed file transfer protocol logs and found that attacks, such as a stealth port scan, tend to be more or less complex than normal behavior by predictable amounts, allowing a defense tool to identify and block the attacks. The technique is attractive because it is adaptive and requires no attack signature database, Evans says.
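As an added illustration of the compression-based idea Evans describes (example code written for this page, not his or GE Global Research's tool): Kolmogorov complexity itself cannot be computed, so each FTP session is compressed against a preset dictionary of known-normal sessions and the compressed bytes per session byte stand in for its complexity; sessions far more or far less complex than the normal band are reported. The sessions, the seed and the band multipliers are all constructed for the example.

```python
"""Compression as a stand-in for Kolmogorov complexity in FTP session logs.
Each session is compressed with a dictionary of known-normal sessions, so what
normal traffic already explains is nearly free; sessions far more or far less
complex than the normal band are reported. Every session is a constructed sample."""
import random
import zlib

# Constructed known-good sessions: routine logins that move a few files.
NORMAL_SESSIONS = [
    b"USER alice\nPASS ********\nTYPE I\nCWD /reports/2023\nLIST\nRETR summary.pdf\nRETR detail.csv\nQUIT\n",
    b"USER bob\nPASS ********\nTYPE I\nCWD /reports/2022\nLIST\nRETR summary.pdf\nQUIT\n",
    b"USER carol\nPASS ********\nTYPE I\nCWD /incoming\nLIST\nSTOR notes.txt\nQUIT\n",
    b"USER dave\nPASS ********\nTYPE A\nCWD /incoming\nLIST\nSTOR notes.txt\nRETR notes.txt\nQUIT\n",
    b"USER erin\nPASS ********\nTYPE I\nCWD /reports/2021\nLIST\nRETR detail.csv\nQUIT\n",
]
# Constructed outliers: one far too regular (the same command 300 times) and
# one far too irregular (arguments that are random bytes, as a fuzzer emits).
REPETITIVE_SESSION = b"USER anon\nPASS ********\n" + b"NOOP\n" * 300 + b"QUIT\n"
_rng = random.Random(7)  # fixed seed keeps the constructed sample reproducible
RANDOM_SESSION = b"USER anon\nPASS ********\n" + b"".join(
    b"CWD /" + bytes(_rng.getrandbits(8) for _ in range(60)) + b"\n"
    for _ in range(20)) + b"QUIT\n"

def conditional_complexity(session: bytes, baseline: bytes) -> float:
    """Compressed bytes per session byte with `baseline` as a preset zlib
    dictionary, i.e. how much structure the session adds beyond normal traffic."""
    comp = zlib.compressobj(level=9, zdict=baseline)
    return len(comp.compress(session) + comp.flush()) / len(session)

def normal_band(normals: list) -> tuple:
    """Leave-one-out scores of the known-good sessions; their min and max
    define the band of normal complexity."""
    scores = [conditional_complexity(s, b"".join(normals[:i] + normals[i + 1:]))
              for i, s in enumerate(normals)]
    return min(scores), max(scores)

def classify(session: bytes, normals: list) -> str:
    """'too-regular', 'too-irregular' or 'normal' for a session not in normals."""
    lo, hi = normal_band(normals)
    score = conditional_complexity(session, b"".join(normals))
    if score < lo / 2:      # far more compressible than any normal session
        return "too-regular"
    if score > hi * 1.5:    # far less compressible than any normal session
        return "too-irregular"
    return "normal"

if __name__ == "__main__":
    for name, s in (("repetitive", REPETITIVE_SESSION), ("random", RANDOM_SESSION)):
        print(name, classify(s, NORMAL_SESSIONS))
```

The two multipliers are deliberately loose; in practice the band would be learned from many sessions and the deviation in each direction tuned per protocol, which is the "predictable amounts" part of Evans' observation.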
Real-world application of some of these ideas lies years in the future, but Steven Hofmeyr, a former graduate student under Forrest, has already commercialized some of them. He's developed Primary Response, which monitors and protects applications at the operating system kernel level. It uses agents to build a profile of an application's normal behavior based on the code paths of a running program, then continually monitors those code paths for deviations from the norm.
Reference translation
Digital Defense (2)
The Intelligent Security Systems Research Lab at the University of Memphis has built software prototypes that can address this weakness. Its "Security Agents for Network Traffic Analysis" uses mobile software agents to detect intrusions in a network of computers. The agents monitor at multiple levels (packet, process, system and user), using neural networks to find anomalous behavior and "fuzzy rules" to decide what action the agents take when facing an attack.
Stephanie Forrest, a computer science professor at the University of New Mexico, points out that the diversity of biological and ecological systems gives rise to robustness and resilience. She is working on "automated diversity for security," in which each system is made unique through arbitrary random changes. She believes: "This increases the cost of an attack, because the attack has to be adapted to each system."
Diversity can be generated in several ways, such as adding code that does nothing, reordering code, or randomizing storage locations, file names or system calls.
Other researchers are experimenting with a measure called Kolmogorov complexity, namely the minimum number of bits into which a string can be compressed without losing information. Scott Evans of GE Global Research uses it to study attack scenarios.
Evans analyzed file transfer protocol records to find attacks, such as stealth port scans, which are somewhat more complex than normal behavior; this lets a defense tool identify and block the attacks. Evans says the technique is attractive because it is adaptive and needs no attack-signature database.
It will take several more years for some of these ideas to become real applications, but Steven Hofmeyr, a former graduate student of Forrest's, has already commercialized some of them. He developed a product called "Primary Response," which monitors and protects applications at the operating system kernel level. It uses agents to build a profile of an application's normal behavior, a profile based on the code paths of the running program, and then continuously monitors those code paths to see whether they deviate.
軟考備考資料免費(fèi)領(lǐng)取
去領(lǐng)取
共收錄117.93萬(wàn)道題
已有25.02萬(wàn)小伙伴參與做題
售后投訴:156-1612-8671