Sunday, November 24, 2013

HotNets' 13: Active Security

Presente: Ryan Hand

Today's security systems have very limited programability. They can work individually to  detect and response to attacks, but are not able to actively collect information, attribute attacks and adjust the configuration based on the observations to prevent future attacks.

We propose an active security architecture. It has a programmable control interface to automate the task of attack detection, data collection, attach attribution and system reconfiguration to react to attacks. The new architecture has four major components: 1) protection: a security infrastructure that can monitor and react to common attacks. 2) sensing: collecting alerts from an variety of sensors such as intrusion detection system or individual firewalls; 2) data collection: in case of a potential attack collecting different data from the whole system, e.g. routers, firewalls, individual devices in the network for the attribution of the attack. 3) adjust: a programmable interface to reconfigure the network to
react to the attack, and monitor future attacks.


Q: You said existing systems often leads to a step behind the attacks,  but it seems you architecture is also based on the those hard work done by others.
A: Some work has been done on dynamic malware analysis. If it can be done in almost real-time, we can do better job.

Q: What kind of data do you need to do this active security? speculate the datasets that could be useful
A: Probably not this time. Ongoing work..Couldn't comment on that fully right now

Q: Why would a victim host would trust some one to pull the memory?
A: Trust needs to be built between the supervisor and the host