The goal of the ATM for ASS's
project is to develop the technology and infrastructure necessary to enable
applications to continue to deliver useful services even when the underlying
computational resources have been successfully compromised. There
are four major components to this project:
Perpetual Analytic Monitoring:
A monitoring infrastructure that collects evidence from a wide variety
of sources including intrusion detection systems, firewalls and self-monitoring
applications. It collates and analyses these reports, looking for
temporal patterns suggestive of complex attacks and/or successful compromises.
Trust Models: We are not interested
in attacks per se, but rather in what they tell us about the health
of our systems. Fundamentally, we are interested in whether our computation
resources can be trusted to deliver certain properties (e.g. privacy, integrity,
quality of service). To know this we must know whether there have
been compromises to the computational resources involved in providing these
properties. Finally, the history of attacks and other unexpected
behaviors allows us to make assessments about the state of compromise of the
resources. Thus, our trust model is structured in three levels: Trustability,
Compromises, Attacks, each with its own ontology.
Adaptive Survivable Systems: Survivable
systems provide useful services even after successful attacks have compromised
resources. They do so by having several different methods available
for performing each major sub-task. Each method requires a different
class of resources and guarantees a different quality of answer.
Adaptive Survivable Systems choose the method whose resource needs and
quality of answer lead to the greatest expected net benefit, given the
health status of the resources modeled in the Trust Model. In addition,
Adaptive Survivable Systems have a model of their own expected behavior:
they know the conditions that each method is expected to achieve.
If these conditions are not obtained, they diagnose the breakdown, inform
the monitoring infrastructure, and attempt to achieve the failed goal through
Rational Resource Management:
Health monitoring uses the same computational resources as do the applications
which deliver useful services. Dedicating too many resources to health
monitoring will starve the applications, causing a self-inflicted denial
of service. Dedicating too few resources to health monitoring will
allow compromises to go unnoticed, allowing attackers easier access.
Rational resource management attempts to balance these competing needs by
using a decision-theoretic analysis to allocate resources so as to
achieve maximum expected net benefit. This analysis is guided by
the trust model.
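
The method selection described under Adaptive Survivable Systems, as an added Python sketch that is not code from the project. The utility formula (probability that all required resources are healthy, times benefit, minus cost), the independence assumption, the trust-update rule, and every name and number are assumptions constructed for this example.

```python
from dataclasses import dataclass
from math import prod

@dataclass(frozen=True)
class Method:
    name: str
    resources: tuple  # resources this method needs
    benefit: float    # value of the quality of answer it guarantees
    cost: float       # cost of the resources it consumes

def expected_net_benefit(method, trust):
    # Assumption: resources are compromised independently, and a method
    # delivers its benefit only if every resource it uses is healthy.
    p_ok = prod(trust[r] for r in method.resources)
    return p_ok * method.benefit - method.cost

def choose_method(methods, trust):
    # Pick the method with the greatest expected net benefit under the
    # current trust model (resource -> probability it is uncompromised).
    return max(methods, key=lambda m: expected_net_benefit(m, trust))

def report_failure(trust, method, factor=0.5):
    # Assumed update rule: when a method misses its expected conditions,
    # trust in every resource it used is scaled down by `factor`.
    return {r: p * factor if r in method.resources else p
            for r, p in trust.items()}

# Constructed sample data: three ways to perform the same sub-task.
METHODS = [
    Method("remote_cluster", ("net", "cluster"), benefit=100.0, cost=10.0),
    Method("local_full", ("host_a",), benefit=70.0, cost=15.0),
    Method("local_approx", ("host_b",), benefit=40.0, cost=5.0),
]
TRUST = {"net": 0.95, "cluster": 0.9, "host_a": 0.99, "host_b": 0.99}

def run_demo():
    first = choose_method(METHODS, TRUST)
    # The chosen method fails its expected conditions: lower trust in its
    # resources and retry the goal with the next-best method.
    degraded = report_failure(TRUST, first)
    second = choose_method(METHODS, degraded)
    return first.name, second.name

if __name__ == "__main__":
    print(run_demo())
```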