A Controller-Based Autonomic Defense System

Derek Armstrong, ALPHATECH, Inc <derek.armstrong@dc.alphatech.com>
Sam Carter, ALPHATECH, Inc <sam.carter@dc.alphatech.com>
Gregory Frazier, ALPHATECH, Inc <glfrazier@dc.alphatech.com>
Tiffany Frazier, ALPHATECH, Inc <tiff@dc.alphatech.com>

Abstract

We will be demonstrating the results of our research into the implementation of a host-based Autonomic Defense System (ADS) using a Partially-Observable Markov Decision Process. The goal of an ADS is to “reflexively” respond to an attack, thwarting it long enough for humans to form a tactical response to the attack. A defensive system that automatically responds to an attack must meet two criteria: it must select the correct response in the face of an attack, and it must not respond to attacks that are not there. This challenge is exacerbated by the fact that, in order to detect never-before-seen attacks, the ADS must use anomaly detectors for its sensor input, and anomaly detectors typically have relatively high false positive and false negative rates. Thus, the key to an ADS is a controller that can obtain a valid signal from a noisy sensor. The ALPHATECH Lightweight Autonomic Defense System (αLADS) is a prototype ADS constructed around a PO-MDP stochastic controller. The state model allows the controller to filter out the false positives from the anomaly sensor so that authorized processes are not killed and false alerts are not issued. We will demonstrate αLADS defending against Internet worms operating in real time.

1. Introduction

The ALPHATECH Lightweight Autonomic Defense System (αLADS) is a prototype host-based intrusion detection and response system. The underlying technology is a stochastic feedback controller based on Partially-Observable Markov Decision Processes.
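The abstract describes the core mechanism: a PO-MDP controller that maintains the probability that the host is in an attack state, fed by a noisy anomaly sensor, and uses that probability to filter out isolated false positives before acting. The following is an added illustration of that belief-state filtering, written for this page; it is not αLADS code. The two-state model (normal/attack), the transition and observation probabilities, the initial belief, the "respond above a threshold" policy and the two sensor traces are all assumptions chosen to make the filtering visible, not values taken from the paper.

```python
# Added illustration of PO-MDP belief filtering for an intrusion controller.
# This is NOT the αLADS controller. The state set, the transition and
# observation matrices, the initial belief, the threshold policy and the
# sensor traces below are all assumed here for illustration; αLADS's real
# models were derived from training data collected on an operational host.

STATES = ("normal", "attack")
OBSERVATIONS = ("quiet", "alert")

# Assumed state transition probabilities T[s][s']: an attack rarely starts,
# and tends to persist once it has begun.
TRANSITION = {
    "normal": {"normal": 0.98, "attack": 0.02},
    "attack": {"normal": 0.05, "attack": 0.95},
}

# Assumed observation probabilities O[s][o] for a noisy anomaly sensor:
# a 15% false-positive rate when normal, a 30% false-negative rate under attack.
OBSERVATION = {
    "normal": {"quiet": 0.85, "alert": 0.15},
    "attack": {"quiet": 0.30, "alert": 0.70},
}

# Assumed prior: the host almost certainly starts out un-attacked.
INITIAL_BELIEF = {"normal": 0.99, "attack": 0.01}


def belief_update(belief, obs):
    """One step of the Bayesian filter: propagate the belief through the
    transition model, weight by the likelihood of the observation under each
    state, then renormalize so the belief sums to one."""
    predicted = {
        s2: sum(belief[s1] * TRANSITION[s1][s2] for s1 in STATES) for s2 in STATES
    }
    weighted = {s: predicted[s] * OBSERVATION[s][obs] for s in STATES}
    total = sum(weighted.values())
    return {s: w / total for s, w in weighted.items()}


def choose_action(belief, threshold=0.9):
    """Assumed threshold policy: act only when P(attack) is high enough.
    A full PO-MDP controller picks the action that maximizes expected reward
    over the belief; a threshold is the simplest policy of that kind."""
    return "respond" if belief["attack"] >= threshold else "wait"


def run_controller(observations, threshold=0.9):
    """Feed a sensor trace through the filter and return, for every step,
    (observation, P(attack) after the update, action taken)."""
    belief = dict(INITIAL_BELIEF)
    trace = []
    for obs in observations:
        belief = belief_update(belief, obs)
        trace.append((obs, belief["attack"], choose_action(belief, threshold)))
    return trace


def first_response(trace):
    """Index of the first 'respond' action, or -1 if the controller never acts."""
    for i, (_, _, action) in enumerate(trace):
        if action == "respond":
            return i
    return -1


# Constructed sensor traces (not captured data): a single spurious alert
# surrounded by quiet, versus a run of alerts as a worm would produce.
ISOLATED_FALSE_POSITIVE = ["quiet", "quiet", "alert", "quiet", "quiet"]
SUSTAINED_ATTACK = ["alert"] * 6

if __name__ == "__main__":
    for name, obs in (("isolated false positive", ISOLATED_FALSE_POSITIVE),
                      ("sustained alerts", SUSTAINED_ATTACK)):
        print(name)
        for o, p_attack, action in run_controller(obs):
            print(f"  {o:5s}  P(attack)={p_attack:.3f}  {action}")
```

With these assumed matrices the single spurious alert only lifts P(attack) to about 0.13, well short of the threshold, and the belief decays again as quiet observations arrive, so no process is killed and no alert is issued; the sustained run of alerts crosses 0.9 on the fourth step. The filtering comes entirely from the observation matrix: a 15% false-positive rate means one alert is weak evidence, while repeated alerts compound. The quality of the decision is therefore bounded by how well those probabilities match the real sensor, which is why the paper derives them from training data rather than guessing them as done here.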
The controller takes its input from a commercially-available anomaly sensor, calculates the probability that the system may be in an attack state, and invokes actuators to respond to a perceived attack. This prototype demonstrates both the feasibility of this system and the potential of a stochastic controller to direct the actions of an autonomic system.

The technical approach adopted by this project was to develop a real-time controller that would take inputs from sensors embedded in the operating system kernel and invoke actuators in a timely manner to defend the computing system. The controller was developed in C++. A shared-memory module was developed to provide a high-bandwidth, low-latency connection between the sensors and the controller. In parallel with the development of the controller, an off-line system was developed in Matlab to process the training data and develop the state transition probability matrices and observation probability matrices that are the PO-MDP models at the core of αLADS. The off-line system is capable not only of generating the models but also of performing rudimentary simulations of the controller to assist in controller evaluation. But, given the complexity and real-time nature of αLADS, the evaluation of its performance must be empirical. As such, we have begun to perform a series of experiments in order to investigate the intricacies of controller behavior. These experiments and their analysis are inherently complex: due to the stochastic nature of the controller’s behavior, it can be very difficult to associate a controller action with the system activity that may have caused it. Thus, we pursued as simple a design as possible to facilitate the analysis.

A brief summary of the accomplishments of the αLADS program:

§ The development of a real-time, feedback-based controller integrated with a commercial sensor package.
§ The implementation of actuators that protect a workstation from attack.
§ The development of an off-line analysis package that processes data extracted from an operational system to create a PO-MDP model.
§ The acquisition of a suite of system attacks that allows us to experiment with system defense.
§ A Cyber Workbench system for performing an empirical analysis of controller behavior. Tracks the “ground truth” of the system, allows comparison of what was really happening with

Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX’03) 0-7695-1897-4/03 $17.00 © 2003 IEEE