Maureen Stillman
VP of Engineering
Odyssey Research Associates
301A Dates Drive
Ithaca, NY 14850
maureen@oracorp.com
Phone: (607)277-2020
Fax: (607)277-3206

Dr. Stephanie Forrest
Professor
University of New Mexico (visiting at MIT this year)
steph@ai.mit.edu
Phone: (617)253-4679
Fax: (617)253-0039

Intrusion Detection and Timely Response for the Next Generation Internet

Problem Statement:

We believe that the greatest challenge facing the next generation Internet is security. A scalable intrusion detection framework should be a crucial element in any computer-based large-scale system. This framework is currently missing from many computing environments. The Automated Systems Security Incident Support Team (ASSIST) of the Defense Information Systems Agency (DISA) tested the vulnerability of 12,000 DoD host computers in the unclassified domain. They found that 1-3% of the systems had exploitable front doors and that 88% could be penetrated through network trust relationships. Even more alarming, only 4% of the penetrations were detected and, of those, only 5% were reported.

Current protocol standards and software tools are not adequate to thwart the increasingly sophisticated hacker. Although standards efforts are underway to remedy this situation, most of them are neither currently implemented nor commercially available. The current IP protocol (IP version 4) contains almost no provisions for security. An addendum to this protocol has been defined to include two additional standards: one for authentication and one for encryption. Other standards efforts that include security are underway, among them IP Version 6 and ATM security, but these are not yet widely available. Our view is that protocol security standards are only one piece of Internet security. Many attacks cannot be prevented by additions or changes to protocols alone. A critical concern is intrusions at the hosts, routers, switches, etc., which are the targets of many attacks.
The focus of this white paper is intrusion detection systems which can be employed at distributed locations throughout the Internet to detect attacks. We believe that this is a critical component of the 21st century Internet.

Vision:

Our vision is of a global network where lightweight agents are employed in a local setting to detect intrusions and respond to attacks in a timely manner. Traditional approaches to intrusion detection are problematic for distributed large-scale information systems because they require the collection and analysis of large amounts of data. More specifically, they lack the ability to scale, and they lack good methods and tools to understand and/or process this data at either single or multiple locations. We believe that a fresh approach is needed to build effective intrusion detection systems in large-scale distributed environments and so avoid the problems mentioned above. Our current effort is to extend promising new research in computational immunology to build scalable intrusion detection systems.

In the world of high-speed, global communications, we envision that automatic response to intrusion is a critical component. This is because a human response will take too long in a distributed, high-speed global environment. Our vision is to take action in appropriate cases based on security policy and to notify the proper authorities, be it a human operator, the CERT, corporate or university management, etc.

IDS Requirements:

A successful intrusion detection system for a large-scale information system environment would have the following properties: low impact on the general operating environment, easily proved and evaluated, easily deployed and managed, adaptable to new or upgraded environments, and dynamic. An additional requirement is that the system be "lightweight."
By lightweight we mean the following: real-time detection of intrusions, low false alarm rates, low performance overhead, and a small and compact system which requires no real-time access to volumes of audit record data. Finally, the solution must work in a heterogeneous, distributed environment.

We take an immunology-inspired approach to the problem of intrusion detection and apply it to the distributed global environment in order to achieve the goals stated above. Our approach is related to an ongoing research project which is developing ideas for intrusion detection based on immunology and testing them in networked Unix systems. The validation of the immune-based approach in a large-scale distributed environment is key to determining its success. We propose to define an IDS system architecture for a distributed global environment and implement a prototype IDS system to validate these research ideas in computational immunology as they are developed.

A key feature of the immune-inspired approach is to treat a wide range of computer security problems as instances of a problem solved by immunology, namely that of distinguishing "self" (the body's own cells and molecules) from "other" (everything else). Under this analogy, "self" represents the stable operating conditions of a computer system, and "other" represents the intrusive (or otherwise anomalous) behavior that we wish to prevent. An important aspect of this endeavor is determining an appropriate definition of "self" that compactly characterizes the normal operation of a system, such that it can be distinguished from anomalous operation. Our innovative idea for the system architecture is to create small, autonomous agents running on top of ORBs (object request brokers) to detect anomalous patterns by matching observed behavior against "self". These small agents will report their findings to a hierarchical set of decision-making processes, thus handling the problem of scaling up.
This system will not detect all attacks, and it will sometimes identify legitimate behavior as intrusive. Its principal virtues will be its low computational overhead and its scalability in distributed environments. That is, it will be a simple solution that does not catch everything but is reasonably low cost to execute. We believe that the greatest gain from this effort will be the ability for each system to have a unique and evolving definition of "self", preventing clever intruders from determining the "signature of self" and subsequently launching attacks at all sites. ORA is working on this research program with Dr. Stephanie Forrest of the University of New Mexico. We believe that this approach is a promising area of research to enable us to achieve the security goals of the 21st century network.
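As an added illustration (not part of the original paper or of the ORA/UNM project code), the following sketch takes one assumed definition of "self": the set of short event sequences a host observes during normal operation. New traces are scored by the fraction of their windows that fall outside "self", which shows both a clear anomaly and the false alarm on legitimate-but-unseen behavior that the paragraph above accepts as a cost. The event names, traces and threshold are constructed for the example.

```python
"""Immune-inspired anomaly detection sketch: "self" is modeled as the set
of all length-n windows over event traces recorded during normal operation.
Any window not in "self" is treated as "other". Added example with
constructed data; not the paper's own code."""


def build_self(traces, n=3):
    """Build the 'self' database: every length-n window seen in normal traces."""
    self_db = set()
    for trace in traces:
        for i in range(len(trace) - n + 1):
            self_db.add(tuple(trace[i:i + n]))
    return self_db


def scan(trace, self_db, n=3):
    """Return (mismatching_windows, total_windows) for a new trace."""
    windows = [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]
    mismatches = sum(1 for w in windows if w not in self_db)
    return mismatches, len(windows)


def is_anomalous(trace, self_db, n=3, threshold=0.2):
    """Flag a trace when the share of 'other' windows exceeds the threshold.
    A lower threshold catches more, at the price of more false alarms."""
    mismatches, total = scan(trace, self_db, n)
    return total > 0 and mismatches / total > threshold


# Constructed training traces: normal behavior of a hypothetical file service.
NORMAL_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["open", "stat", "read", "close"],
]
SELF = build_self(NORMAL_TRACES)  # 6 distinct 3-event windows

# Constructed test traces: a benign variation never seen in training
# (false alarm risk), and a trace that diverges sharply from normal.
BENIGN_VARIANT = ["open", "stat", "read", "read", "write", "close"]
SUSPECT = ["open", "read", "fork", "execve", "socket", "connect"]

if __name__ == "__main__":
    for name, trace in [("benign variant", BENIGN_VARIANT), ("suspect", SUSPECT)]:
        bad, total = scan(trace, SELF)
        print(f"{name}: {bad}/{total} windows outside self, "
              f"anomalous@0.2={is_anomalous(trace, SELF)}, "
              f"anomalous@0.3={is_anomalous(trace, SELF, threshold=0.3)}")
```

Each host would train its own SELF from its own traces, so the database differs from site to site, which is the "unique definition of self" the paper relies on; the agent only needs the set and a sliding window, not the full audit log.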