In addition to the classical preventive security tools, intrusion detection systems (IDS) are nowadays widely used by security administrators to detect attacks against their systems. All IDSes relying on precise knowledge of attacks face the problem of new attack forms: the repository of known attacks (the signature database) must be updated in real time. This approach, called misuse detection, is similar to the one used in antivirus tools, where it has shown its limits, since thousands of machines still fall victim to viruses or worms. Moreover, worms now spread faster than ever, limiting the capabilities of human intervention and response (e.g. the Slammer worm infected most of the MS-SQL servers in the world, more than 100,000 machines, in only a few minutes).
In the face of this problem, anomaly detection (often viewed as the only approach that provides a way to detect new forms of attack) is particularly interesting. The main principle of anomaly detection is to build a reference model of the behavior of a given entity (user, machine, service, or application) and to compare it with the currently observed behavior. If the observed behavior does not match the model, an alert is raised to report the anomaly.
The first objective of this ACI is to propose new anomaly detection approaches. The classical approaches use an explicit reference model: sequences of system calls, ranges of statistical values that are acceptable for a set of given observation variables, etc. This explicit approach exhibits several problems. First, it is difficult to define what is explicitly significant in the modelled behavior. Second, the normal evolution of the observed behavior must be taken into account. Enhancing the explicit approach is thus a first objective of this project.
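The explicit approach described in the two paragraphs above can be made concrete with the classical sliding-window model of system-call sequences: every short n-gram of calls seen during normal operation goes into the reference model, and a trace is flagged when too many of its windows are absent from the model. The following is an added example, not code from this project; the traces are constructed, and the window length, threshold and `update_model` routine are choices made here to illustrate both the detection and the "normal evolution" problem (a legitimate new behavior is indistinguishable from an attack until the model is updated).

```python
"""Explicit anomaly detection: an n-gram reference model of system-call sequences
(added illustration; traces and parameters are constructed, not real data)."""

WINDOW = 3  # length of the system-call windows kept in the model (assumption)


def _windows(trace, window=WINDOW):
    """All consecutive windows of `window` calls in a trace."""
    return [tuple(trace[i:i + window]) for i in range(len(trace) - window + 1)]


def build_model(traces, window=WINDOW):
    """Reference model: the set of every window observed in normal traces."""
    model = set()
    for trace in traces:
        model.update(_windows(trace, window))
    return model


def update_model(model, trace, window=WINDOW):
    """Account for normal evolution: accept a reviewed trace as new normal behavior."""
    model.update(_windows(trace, window))
    return model


def mismatch_ratio(model, trace, window=WINDOW):
    """Fraction of the trace's windows that the model has never seen (0.0 = normal)."""
    windows = _windows(trace, window)
    if not windows:
        return 0.0
    unseen = sum(1 for w in windows if w not in model)
    return unseen / len(windows)


def detect(model, trace, threshold=0.2, window=WINDOW):
    """Raise an alert when the mismatch ratio exceeds the (constructed) threshold."""
    return mismatch_ratio(model, trace, window) > threshold


# Constructed traces of one service during normal operation.
NORMAL_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["open", "fstat", "read", "close"],
]

# Constructed trace of the same service after it has been subverted: calls that
# never appear together in normal operation.
ATTACK_TRACE = ["open", "read", "execve", "dup2", "dup2", "socket"]

# Constructed trace of a legitimate new behavior after a software update.
UPDATED_TRACE = ["open", "fstat", "mmap", "read", "close"]


def demo():
    """Return (attack detected, updated trace flagged before update, flagged after update)."""
    model = build_model(NORMAL_TRACES)
    attack_flagged = detect(model, ATTACK_TRACE)
    # The legitimate evolution is a false alarm until the model learns it.
    evolution_flagged_before = detect(model, UPDATED_TRACE)
    update_model(model, UPDATED_TRACE)
    evolution_flagged_after = detect(model, UPDATED_TRACE)
    return attack_flagged, evolution_flagged_before, evolution_flagged_after


if __name__ == "__main__":
    print(demo())
```

The false alarm on `UPDATED_TRACE` is the point of the second problem named above: the model has no way to tell a legitimate evolution from an attack, so in practice the update step needs a review or diagnosis stage before new windows are accepted as normal.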
As a second objective, we suggest introducing an implicit approach. This implicit approach is based on a classical technique from the dependability domain: design diversity. The goal is to forward any request to several modules implementing the same functionality through diverse designs. Any difference between the results obtained can be interpreted as a possible corruption of one or several modules. This provides a way to detect intrusions in the diversified system.
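The comparison step of the implicit approach can be shown on a small diversified service. The block below is an added example, not code from this project: three constructed variants of the same static-content service are written with deliberately different designs, a comparator forwards each request to all of them, and a majority vote both raises the anomaly and names the disagreeing module (the diagnosis is only possible while a majority of modules still agree). `serve_corrupted` is a constructed stand-in for a compromised variant, used only to exercise the comparator.

```python
"""Implicit anomaly detection by design diversity (added illustration; the service,
its content and the corrupted variant are constructed, not real data)."""
from bisect import bisect_left
from collections import Counter

# Constructed static content that every variant is supposed to serve identically.
CONTENT = {"/index.html": "<h1>Welcome</h1>", "/about.html": "<p>About us</p>"}
NOT_FOUND = (404, "Not Found")


def serve_dict(path):
    """Variant A: direct dictionary lookup."""
    body = CONTENT.get(path)
    return (200, body) if body is not None else NOT_FOUND


def serve_scan(path):
    """Variant B: linear scan over (path, body) pairs."""
    for p, body in CONTENT.items():
        if p == path:
            return (200, body)
    return NOT_FOUND


_SORTED_PATHS = sorted(CONTENT)


def serve_bisect(path):
    """Variant C: binary search over the sorted path list."""
    i = bisect_left(_SORTED_PATHS, path)
    if i < len(_SORTED_PATHS) and _SORTED_PATHS[i] == path:
        return (200, CONTENT[path])
    return NOT_FOUND


def serve_corrupted(path):
    """Constructed stand-in for variant B after a compromise: one page is defaced."""
    if path == "/index.html":
        return (200, "<h1>Defaced</h1>")
    return serve_scan(path)


MODULES = {"A": serve_dict, "B": serve_scan, "C": serve_bisect}


def compare(request, modules):
    """Forward `request` to every module and compare the (status, body) results.

    Returns (answer, suspects): `answer` is the majority result, or None when no
    strict majority exists; `suspects` lists the modules whose result differs from
    the majority (every module when no majority can be found)."""
    results = {name: serve(request) for name, serve in modules.items()}
    tally = Counter(results.values())
    answer, votes = tally.most_common(1)[0]
    if votes <= len(modules) // 2:
        # Divergence without a majority: anomaly detected, but no diagnosis.
        return None, sorted(results)
    suspects = sorted(name for name, r in results.items() if r != answer)
    return answer, suspects


def is_anomalous(request, modules):
    """True when at least one module disagrees with the others."""
    _, suspects = compare(request, modules)
    return bool(suspects)


if __name__ == "__main__":
    print(compare("/index.html", MODULES))
    print(compare("/index.html", dict(MODULES, B=serve_corrupted)))
```

In a real diversified service the results must be normalized before comparison: fields that legitimately differ between implementations (timestamps, server banners, session identifiers) would otherwise be reported as anomalies, so the comparator should only look at the parts of the result that the specification requires to be identical.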
In both cases (explicit and implicit), the dependability properties of the IDS itself are also a main concern. Studying these properties, in order to bring intrusion tolerance properties to the anomaly detector, is the third objective of this project.
Existing anomaly detection has, however, a serious drawback: it provides a way to detect an abnormal behavior, but no diagnosis of the cause of the anomaly. Hence, we must add a complementary analysis of the reported anomalies, in particular to diagnose the presence of a new form of attack (whose signature could then be fed back into classical signature-based IDSes). This diagnosis is the fourth objective of this ACI. To our knowledge, very little work on this aspect has been done so far. Our objective here is twofold: first, we analyze the detected anomalies in order to diagnose new malicious behaviors; then, knowing a new malicious behavior, we try to reconstruct the underlying attack scenario.