Computer Networks Division
Project Overview

First Aid for Computer Systems (FACS)

Principal Investigator: Brian Tung

Summary:

Intrusion detection systems, as their name suggests, are designed simply to detect intrusions. They may, at most, recommend courses of response, and for good reason. Attacks are not always detected when and where they occur. It makes good design sense to separate the detection facility from the response facility.

Response systems to date have focused primarily on backup and recovery. Comparatively little effort has been spent on immediate response, or "first-aid" services; and what effort there has been is mainly in the area of network filtering and blocking. FACS is designed to fill the need for further services, such as suspending or disabling services and user accounts, and sequestering files for forensic analysis.

FACS will integrate these responses with local system policy, so that the system administrator's knowledge of the resources and users available on the system is taken properly into account. In this way, more important data and accounts can be given higher priority; careful attention is paid to services that have more dangerous failure modes; trust is appropriately accorded (or not) to various outside domains providing information about attacks and responses; and so forth. Note that these are not attributes accessible to the operating system, but personal knowledge that the administrator would have as a matter of course.

The FACS system will be constructed at multiple levels, enabling local host responses, responses across a local network, as well as responses between networks. FACS will design and incorporate a response prescription language enabling uniform and machine-independent specification of appropriate responses to attacks as they occur in real time. This language will also facilitate verification against the local system policy.
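The following is an added illustration, not FACS code, of the idea in the two paragraphs above: a machine-independent response prescription is parsed and then verified against the administrator's local policy (protected accounts, services with dangerous failure modes, trust in the reporting domain) before anything is executed. The prescription syntax, verbs, domains and thresholds are all hypothetical.

```python
from dataclasses import dataclass

@dataclass
class LocalPolicy:
    """Administrator knowledge the OS does not have (hypothetical schema)."""
    protected_accounts: set   # high-priority accounts never disabled automatically
    fragile_services: set     # services whose failure modes are dangerous
    trusted_sources: dict     # reporting domain -> minimum confidence accepted

KNOWN_VERBS = {"disable_account", "suspend_service", "sequester_file"}

def parse_prescription(text):
    """Parse one constructed prescription line of the form
    'source=<domain> confidence=<0..1> <verb> <target>; <verb> <target>; ...'"""
    header_src, header_conf, body = text.split(maxsplit=2)
    source = header_src.split("=", 1)[1]
    confidence = float(header_conf.split("=", 1)[1])
    actions = [tuple(clause.split()) for clause in body.split(";")]
    return source, confidence, actions

def verify(prescription, policy):
    """Split a prescription into actions approved for immediate execution and
    actions deferred to the administrator, each deferral carrying a reason."""
    source, confidence, actions = prescription
    threshold = policy.trusted_sources.get(source)
    if threshold is None or confidence < threshold:
        # Reports from an untrusted or insufficiently confident source never
        # trigger automatic responses; the whole prescription is deferred.
        reason = "untrusted source" if threshold is None else "confidence below threshold"
        return [], [(action, reason) for action in actions]
    approved, deferred = [], []
    for verb, target in actions:
        if verb not in KNOWN_VERBS:
            deferred.append(((verb, target), "unknown verb"))
        elif verb == "disable_account" and target in policy.protected_accounts:
            deferred.append(((verb, target), "protected account"))
        elif verb == "suspend_service" and target in policy.fragile_services:
            # Dangerous failure mode: substitute a narrower, reversible action.
            approved.append(("rate_limit_service", target))
        else:
            approved.append((verb, target))
    return approved, deferred

# Constructed sample policy and prescription for a stand-alone run.
POLICY = LocalPolicy(
    protected_accounts={"root", "dbadmin"},
    fragile_services={"nfsd"},
    trusted_sources={"ids.example.net": 0.8, "partner.example.org": 0.95},
)
SAMPLE = ("source=ids.example.net confidence=0.9 "
          "disable_account dbadmin; suspend_service nfsd; sequester_file /var/log/auth.log")

if __name__ == "__main__":
    approved, deferred = verify(parse_prescription(SAMPLE), POLICY)
    print("approved:", approved)
    print("deferred:", deferred)
```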

FACS will enable systems to present a more complete defense against
attacks, by bridging the gap between attack detection and complete
restoration. And from a scientific perspective, it will give us insight
into the complex small-scale interactions between attacks and recovery
efforts.

Sponsor: