Digital Defense (2)
The Intelligent Security Systems Research Lab at The University of Memphis has built software prototypes that address that weakness. Its Security Agents for Network Traffic Analysis uses mobile software agents for intrusion detection in a network of computers. Agents monitor at multiple levels (packet, process, system and user), using neural networks to spot anomalous behavior and “fuzzy rules” to decide what action the agents should take in the face of an attack.
Stephanie Forrest, a computer science professor at The University of New Mexico, points out that diversity in biological and ecological systems leads to robustness and resilience. She's working on “automated diversity for security,” in which each system is made unique by arbitrary random changes. “That increases the cost of attack, because the attack has to be adapted for each computer,” she says.
Diversity can be created in a number of ways, such as by adding nonfunctional code, reordering code or randomizing memory locations, file names or system calls.
Other researchers are experimenting with a measure called Kolmogorov Complexity, the minimum number of bits a character string can be compressed into without losing information. Scott Evans, a researcher at GE Global Research, has used it to study attack scenarios.
Evans analyzed file transfer protocol logs and found that attacks, such as a stealth port scan, tend to be more or less complex than normal behavior by predictable amounts, allowing a defense tool to identify and block the attacks. The technique is attractive because it is adaptive and requires no attack signature database, Evans says.
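The idea in the two paragraphs above, as an added example that is not from the original article and not Evans's own method: it assumes zlib compression ratio as a stand-in for Kolmogorov complexity and a mean plus or minus three standard deviations band as "normal". The function names and all log lines are hypothetical and constructed for illustration.

```python
import statistics
import zlib

def complexity(text: str) -> float:
    """Compressed size / raw size. zlib output length is only a computable
    upper-bound proxy: true Kolmogorov complexity is uncomputable."""
    raw = text.encode()
    return len(zlib.compress(raw, 9)) / max(len(raw), 1)

def build_profile(sessions):
    """Mean and sample standard deviation of complexity over normal sessions."""
    scores = [complexity(s) for s in sessions]
    return statistics.mean(scores), statistics.stdev(scores) or 1e-9

def is_anomalous(session, profile, k=3.0):
    """Flag a session whose complexity is more than k deviations from the
    baseline mean in either direction (simpler or more complex than normal)."""
    mean, std = profile
    return abs(complexity(session) - mean) / std > k

# --- Constructed sample data (not real FTP logs) ---
USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
CMDS = ["RETR", "STOR", "LIST", "CWD", "DELE"]
FILES = ["/pub/reports/q3.pdf", "/home/build/release.tar.gz",
         "/var/data/export.csv", "/pub/docs/readme.txt", "/home/img/logo.png",
         "/srv/backup/db.sql", "/tmp/upload/notes.md"]

def normal_session(i, n_lines=15):
    """One user's ordinary session: varied commands, paths and sizes."""
    lines = [f"USER {USERS[i]} from 192.0.2.{10 + i} 230 login ok"]
    for j in range(n_lines):
        cmd = CMDS[(i + 3 * j) % len(CMDS)]
        path = FILES[(2 * i + 5 * j) % len(FILES)]
        size = 1000 + (i * 7919 + j * 104729) % 90000
        lines.append(f"{cmd} {path} {size} bytes 226 ok")
    return "\n".join(lines)

def scan_session(n_lines=16):
    """Scan-like session: the same connect-and-drop line over and over."""
    return "\n".join(["CONNECT from 198.51.100.7 closed before USER"] * n_lines)

BASELINE = [normal_session(i) for i in range(8)]
PROFILE = build_profile(BASELINE)
SCAN = scan_session()

if __name__ == "__main__":
    print("baseline mean/std:", PROFILE)
    print("scan complexity:", complexity(SCAN), "flagged:", is_anomalous(SCAN, PROFILE))
```

No signature of the scan is stored anywhere: the profile is learned only from normal sessions, which is the adaptive property the article attributes to the technique.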
Real-world application of some of these ideas lies years in the future, but Steven Hofmeyr, a former graduate student under Forrest, has already commercialized some of them. He's developed Primary Response, which monitors and protects applications at the operating system kernel level. It uses agents to build a profile of an application's normal behavior based on the code paths of a running program, then continually monitors those code paths for deviations from the norm. (The End)
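Reference translation
Digital Defense (2)
The Intelligent Security Systems Research Lab at The University of Memphis has built software prototypes that can address this weakness. Its “Security Agents for Network Traffic Analysis” uses mobile software agents to detect intrusions in computer networks. The agents monitor at multiple levels (packet, process, system and user), using neural networks to find anomalous behavior and “fuzzy rules” to decide which action the agents take when facing an attack.
Stephanie Forrest, a computer science professor at The University of New Mexico, points out that the diversity of biological and ecological systems produces robustness and resilience. She is researching “automated diversity for security,” in which each system is made unique through arbitrary random changes. In her view, “This increases the cost of attack, because the attack must be adapted to each system.”
Diversity can be generated in many ways, such as adding code that does nothing, reordering code, or randomizing memory locations, file names or system calls.
Other researchers are experimenting with a measure called Kolmogorov Complexity, the minimum number of bits into which a character string can be compressed without losing information. Scott Evans of GE Global Research has used it to study attack scenarios.
Evans analyzed file transfer protocol logs in order to find attacks, such as stealthy port scans, which are somewhat more complex than normal behavior, and this lets defense tools identify and block the attacks. Evans says the technique is attractive because it is adaptive and needs no attack signature database.
It will be several years before some of these ideas become real applications, but Steven Hofmeyr, a former graduate student of Forrest, has already commercialized part of them. He has developed a product called “Primary Response,” which monitors and protects applications at the operating system kernel level. It uses agents to build a profile of an application's normal behavior, based on the code paths of the running program, and then continuously monitors the code paths for deviations.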