Digital Defense (2)
The Intelligent Security Systems Research Lab at The University of Memphis has built software prototypes that address that weakness. Its Security Agents for Network Traffic Analysis system uses mobile software agents for intrusion detection in a network of computers. The agents monitor at multiple levels (packet, process, system and user), using neural networks to spot anomalous behavior and "fuzzy rules" to decide what action the agents should take in the face of an attack.
Stephanie Forrest, a computer science professor at The University of New Mexico, points out that diversity in biological and ecological systems leads to robustness and resilience. She's working on "automated diversity for security," in which each system is made unique by arbitrary random changes. "That increases the cost of attack, because the attack has to be adapted for each computer," she says.
Diversity can be created in a number of ways, such as by adding nonfunctional code, reordering code or randomizing memory locations, file names or system calls.
Other researchers are experimenting with a measure called Kolmogorov complexity, the minimum number of bits into which a character string can be compressed without losing information. Scott Evans, a researcher at GE Global Research, has used it to study attack scenarios.
Evans analyzed file transfer protocol logs and found that attacks, such as a stealth port scan, tend to be more or less complex than normal behavior by predictable amounts, allowing a defense tool to identify and block the attacks. The technique is attractive because it is adaptive and requires no attack signature database, Evans says.
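The compression-based complexity test the paragraph describes, as an added example that is not code from the article or from Evans's work: zlib output length serves as a computable upper bound on Kolmogorov complexity, a band of normal ratios is learned from constructed FTP log sessions (the log lines, addresses and process ids are made up), and a session is flagged when its ratio leaves that band in either direction, which is the "more or less complex by predictable amounts" observation. The band width and sample sessions are assumptions, not figures from the article.

```python
import random
import zlib

# Constructed vsftpd-style log sessions standing in for normal FTP use
# (made-up sample lines, not real logs).
NORMAL_SESSIONS = [
    '2024-05-01 09:15:02 [pid 2210] CONNECT: Client "10.0.0.7"\n'
    '2024-05-01 09:15:03 [pid 2210] OK LOGIN: Client "10.0.0.7", anon password "?"\n'
    '2024-05-01 09:15:09 [pid 2211] OK DOWNLOAD: Client "10.0.0.7", "/pub/readme.txt", 1.20Kbyte/sec\n'
    '2024-05-01 09:15:15 [pid 2210] OK LOGOUT: Client "10.0.0.7"\n',
    '2024-05-01 10:41:30 [pid 2305] CONNECT: Client "10.0.0.12"\n'
    '2024-05-01 10:41:31 [pid 2305] OK LOGIN: Client "10.0.0.12", anon password "?"\n'
    '2024-05-01 10:41:40 [pid 2306] OK DOWNLOAD: Client "10.0.0.12", "/pub/report.pdf", 310.00Kbyte/sec\n'
    '2024-05-01 10:41:44 [pid 2306] OK DOWNLOAD: Client "10.0.0.12", "/pub/notes.txt", 2.10Kbyte/sec\n'
    '2024-05-01 10:41:50 [pid 2305] OK LOGOUT: Client "10.0.0.12"\n',
]

# Eighty bare connects with no login, one per second: the low-variety,
# repetitive trace a scanner leaves in the log (constructed sample).
SCAN_SESSION = "".join(
    f'2024-05-01 11:02:{s % 60:02d} [pid {2400 + s}] CONNECT: Client "10.0.0.9"\n'
    for s in range(80)
)

# Pseudo-random bytes stand in for traffic that is *more* complex than normal,
# e.g. an opaque payload pushed over the control channel (constructed, seeded).
_rng = random.Random(7)
NOISE_SESSION = bytes(_rng.getrandbits(8) for _ in range(400))


def complexity_ratio(data) -> float:
    """Compressed bytes per raw byte. zlib length bounds Kolmogorov complexity
    from above, so the ratio is near 1.0 for noise, small for repetitive input."""
    raw = data.encode() if isinstance(data, str) else data
    return len(zlib.compress(raw, 9)) / max(1, len(raw))


def build_baseline(sessions, tolerance=0.1):
    """Band of ratios seen in normal sessions, widened by `tolerance` on each side."""
    ratios = [complexity_ratio(s) for s in sessions]
    return min(ratios) - tolerance, max(ratios) + tolerance


def is_anomalous(session, baseline) -> bool:
    """Flag a session whose ratio leaves the normal band in either direction."""
    low, high = baseline
    ratio = complexity_ratio(session)
    return ratio < low or ratio > high
```

No signature database is involved: the only state is the band learned from normal sessions, which is why the approach adapts as normal traffic changes.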
Real-world application of some of these ideas lies years in the future, but Steven Hofmeyr, a former graduate student under Forrest, has already commercialized some of them. He's developed Primary Response, which monitors and protects applications at the operating system kernel level. It uses agents to build a profile of an application's normal behavior based on the code paths of a running program, then continually monitors those code paths for deviations from the norm.
Reference Translation
Digital Defense (2)
The Intelligent Security Systems Research Lab at the University of Memphis has built software prototypes that can address this weakness. Its "Security Agents for Network Traffic Analysis" uses mobile software agents to detect intrusions in a computer network. The agents monitor at multiple levels (packet, process, system and user), using neural networks to find abnormal behavior and "fuzzy rules" to decide what action the agents take when facing an attack.
Stephanie Forrest, a professor of computer science at the University of New Mexico, points out that diversity in biological and ecological systems produces robustness and resilience. She is working on "automated diversity for security," in which each system is made unique through arbitrary random changes. In her view, "this raises the cost of an attack, because the attack has to be adapted to each system."
Diversity can be generated in many ways, such as adding code that does nothing, reordering code, or randomizing storage locations, file names or system calls.
Other researchers are experimenting with a measure called Kolmogorov complexity, that is, the minimum number of bits a character string can be compressed into without losing information. Scott Evans of GE Global Research has used it to study attack scenarios.
Evans analyzed file transfer protocol logs and found attacks such as stealth port scans, which are more or less complex than normal behavior; this lets a defense tool identify and block the attacks. Evans says the technique is attractive because it is adaptive and needs no attack-signature database.
It will take years for some of these ideas to become real applications, but Steven Hofmeyr, formerly a graduate student under Forrest, has already commercialized some of them. He developed a product called "Primary Response," which monitors and protects applications at the operating-system kernel level. It uses agents to build a profile of an application's normal behavior, based on the code paths of the running program, and then continuously monitors those code paths for deviations.