A suite of software tools was developed to enable networks composed of many hundreds, thousands, or even millions of commodity computers to protect themselves against a variety of security threats. These tools include Anagram, a content-based anomaly detection (AD) tool; ASSURE, which provides automatic software self-healing; and Aeolos, a distributed intrusion detection and event correlation infrastructure.

The work demonstrated that it is possible to construct a software self-healing mechanism that identifies new instances of known classes of failures (e.g., buffer overflows, input-driven application crashes), creates candidate fixes, tests them in an isolated environment, and (if successful) applies them to the production system.

Anagram models a mixture of high-order n-grams (n > 1) designed to detect anomalous and “suspicious” network packet payloads. By using higher-order n-grams, Anagram can detect significant anomalous byte sequences, and can generate robust signatures of validated malicious packet content. The Anagram content models are implemented using Bloom filters, reducing space requirements and enabling privacy-preserving cross-site correlation.
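The following sketch illustrates the idea of storing payload n-grams in a Bloom filter and scoring new payloads against it. It is an added example, not Anagram's own code: the class and function names, the single n-gram size of 5, the filter parameters, the unseen-fraction score, and the sample payloads are all assumptions made for illustration.

```python
import hashlib

class BloomFilter:
    """Fixed-size bit array with k hash positions per item (no deletions)."""
    def __init__(self, bits=1 << 16, hashes=4):
        self.bits, self.hashes = bits, hashes
        self.array = bytearray(bits // 8)

    def _positions(self, item: bytes):
        # Derive k positions by double hashing over one SHA-256 digest.
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.bits for i in range(self.hashes)]

    def add(self, item: bytes):
        for p in self._positions(item):
            self.array[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes):
        return all(self.array[p >> 3] & (1 << (p & 7))
                   for p in self._positions(item))

def ngrams(payload: bytes, n: int):
    """Yield every overlapping n-byte window of the payload."""
    return (payload[i:i + n] for i in range(len(payload) - n + 1))

def train(payloads, n=5, **kw):
    """Build a content model from payloads assumed to be normal traffic."""
    model = BloomFilter(**kw)
    for p in payloads:
        for g in ngrams(p, n):
            model.add(g)
    return model

def score(model, payload: bytes, n=5) -> float:
    """Fraction of the payload's n-grams never seen in training (0.0 to 1.0)."""
    grams = list(ngrams(payload, n))
    if not grams:
        return 0.0  # payload shorter than n: nothing to score
    return sum(1 for g in grams if g not in model) / len(grams)

# Constructed sample payloads, not real captures.
NORMAL = [b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
          b"GET /about.html HTTP/1.1\r\nHost: example.test\r\n\r\n"]
MODEL = train(NORMAL)
SEEN = NORMAL[0]
ODD = b"GET /" + bytes(range(128, 176)) + b" HTTP/1.1\r\n\r\n"  # binary run in a text protocol
```

Because the model holds only hashed bit positions rather than the n-grams themselves, two sites can compare filters without exchanging raw payload content, which is the property the cross-site correlation relies on.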

ASSURE (Automatic Software Self-healing Using REscue points) introduces rescue points to retrofit legacy applications with exception-handling capabilities that mimic system behavior under anticipated error conditions. This behavior is induced to recover from unanticipated software faults while maintaining system integrity and availability. Rescue points are locations in existing application code for handling programmer-anticipated failures, which are automatically repurposed and tested for safely enabling general fault recovery. When a fault occurs at an arbitrary location in the program, ASSURE restores execution to the closest rescue point and induces the program to recover execution by virtualizing and using its existing error-handling facilities.

Aeolos is a new framework for Collaborative Distributed Intrusion Detection, or CIDS, that relies on the combination of a decentralized, robust, and scalable P2P architecture, paired with compression algorithms, anonymity, and privacy mechanisms to detect attacks accurately and rapidly while encouraging participation. It uses a hierarchical distributed hash table (HDHT), which scales well for large-scale alert dissemination; multiple federations of HDHTs to ensure resiliency, provide verifiability, and detect uncooperative peers; Bloom filters for effective data privacy and an efficient source of keys for the HDHT; and anonymous but differentiable cryptographic signatures to preserve anonymity.

This work was done by Steven M. Bellovin, Salvatore J. Stolfo, and Angelos D. Keromytis of Columbia University for the Air Force Research Laboratory. AFRL-0120

This Brief includes a Technical Support Package (TSP). "Software Suite for a Large Defense System" (reference AFRL-0120) is currently available for download from the TSP library.