Appears in Proc. Hawaii Int'l Conf. on System Sciences, Hawaii, January 2003

Balancing Safety Against Performance: Tradeoffs in Internet Security

Vu A. Ha and David J. Musliner
Honeywell Technology Center
3660 Technology Drive
Minneapolis, MN 55418
{vu.ha,david.musliner}@honeywell.com

Abstract

All Internet-accessible computing systems are currently faced with incessant threats ranging from simple script-kiddies to highly sophisticated criminal enterprises. In response to these threats, sites must perform extensive intrusion monitoring. This intrusion monitoring can have significant costs in terms of bandwidth, computing power, storage space, and licensing fees. Furthermore, when exploits are detected, the victims must take actions that can consume further resources and compromise their objectives (e.g., by reducing e-commerce server throughput). In this paper, we explore techniques for modeling the costs and benefits of various security monitoring and response actions. Given these models and stochastic expectations about the types of attacks that a site is likely to face, our CIRCADIA automatic security control system is able to make real-time tradeoffs between the level of safety and security that is enforced, and the level of system resources/performance that are applied to the main computational objectives (e.g., e-commerce transactions). We show how CIRCADIA is able to dynamically adjust its security activities to account for changing threat profiles and objectives. The result: a continually-optimized balance of security-maintaining activity that reduces risk while still allowing the system to meet its goals.

1. Introduction

In this paper, we describe CIRCADIA, the Cooperative Intelligent Real-Time Control Architecture for Dynamic Information Assurance. We are developing CIRCADIA to provide active real-time response to intrusions as they occur.
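The tradeoff the abstract describes can be sketched as an expected-cost decision over candidate monitor/response configurations. The following is an added illustration written for this page, not code from the paper or from CIRCADIA itself: the monitor, response and threat parameters, the mission value, the cost formula, and the timeliness rule (detection latency plus response execution time must be shorter than the attacker's minimum delay to the next step) are all constructed assumptions chosen to make the tradeoff visible.

```python
"""Expected-cost tradeoff between intrusion monitoring/response and mission
throughput.  Added illustration for this page: the model, the numbers and the
decision rule are constructed assumptions, not CIRCADIA's own models."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Monitor:
    name: str
    cpu_fraction: float          # share of server capacity the monitor consumes
    detect_prob: float           # P(alert | attack step occurs)
    latency_s: float             # time from attack step to alert
    false_alarms_per_hour: float


@dataclass(frozen=True)
class Response:
    name: str
    exec_time_s: float           # worst-case time to carry out the response
    throughput_loss: float       # fraction of mission throughput lost while active
    duration_s: float            # how long the response stays in effect
    stops_attack: float          # P(attack defeated | response applied in time)


@dataclass(frozen=True)
class Threat:
    name: str
    rate_per_hour: float         # expected attempts per hour (the threat profile)
    min_delay_s: float           # shortest time from the observed step to compromise
    damage: float                # cost of one successful compromise


def timely(m: Monitor, r: Response, t: Threat) -> bool:
    """Detection plus response must finish before the attacker's next step can."""
    return m.latency_s + r.exec_time_s < t.min_delay_s


def firing_cost(r: Response, mission_value_per_hour: float) -> float:
    """Mission value lost each time the response is applied."""
    return r.throughput_loss * (r.duration_s / 3600.0) * mission_value_per_hour


def expected_cost_per_hour(m, r, threats, mission_value_per_hour):
    # Fixed price of watching: monitoring steals capacity from the mission.
    cost = m.cpu_fraction * mission_value_per_hour
    # False alarms trigger the response and cost throughput for nothing.
    cost += m.false_alarms_per_hour * firing_cost(r, mission_value_per_hour)
    for t in threats:
        # A response that cannot beat the attacker's timeline defeats nothing.
        p_defeat = m.detect_prob * r.stops_attack if timely(m, r, t) else 0.0
        cost += t.rate_per_hour * (1.0 - p_defeat) * t.damage              # residual damage
        cost += t.rate_per_hour * m.detect_prob * firing_cost(r, mission_value_per_hour)
    return cost


def choose(monitors, responses, threats, mission_value_per_hour):
    """Return (monitor_name, response_name, cost) minimising expected cost/hour."""
    m, r, c = min(
        ((m, r, expected_cost_per_hour(m, r, threats, mission_value_per_hour))
         for m, r in product(monitors, responses)),
        key=lambda mrc: mrc[2],
    )
    return m.name, r.name, c


# Constructed candidate configurations (illustrative numbers, not measurements).
MONITORS = [
    Monitor("off", 0.0, 0.0, 0.0, 0.0),
    Monitor("sampled", 0.03, 0.6, 5.0, 0.5),
    Monitor("full", 0.25, 0.95, 1.0, 2.0),
]
RESPONSES = [
    Response("none", 0.0, 0.0, 0.0, 0.0),
    Response("block_source", 0.5, 0.02, 600.0, 0.9),
    Response("isolate_host", 2.0, 1.0, 300.0, 0.95),
]
MISSION_VALUE = 10_000.0   # e.g. dollars of e-commerce throughput per hour


def threat_profile(scale: float):
    """Two constructed attack classes; `scale` models a changing threat level."""
    return [
        Threat("scripted_exploit", 0.02 * scale, 10.0, 50_000.0),
        Threat("fast_worm", 0.002 * scale, 2.0, 200_000.0),
    ]


if __name__ == "__main__":
    for scale in (1.0, 100.0):
        print(scale, choose(MONITORS, RESPONSES, threat_profile(scale), MISSION_VALUE))
```

Running it with the two threat profiles shows the choice moving from sampled monitoring with source blocking at the low attack rate to full monitoring with source blocking when the rate rises a hundredfold, and host isolation is never credited against the fast worm because its two-second worst-case execution time cannot meet that threat's deadline once detection latency is added.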
CIRCADIA provides local, low-cost, autonomic defenses for computing resources by intelligently adapting threat monitoring systems and automatically responding to security threats in real time. By detecting and responding to intrusion activities within the timescale of the attacks themselves, CIRCADIA is able to defeat scripted attacks and prevent attackers from compromising protected systems.

The idea of responding automatically to attacks is not new; various researchers have developed prototype systems using rule-based, case-based, and other related inferential approaches to select attack responses [2]. CIRCADIA differs from prior efforts in several ways. First, CIRCADIA uses control-theoretic methods to automatically synthesize its reactive strategies, rather than relying on hand-built rules or other knowledge. This means that the system can automatically adapt its responses when faced with changing system resources, changes in security policy, or an evolving computational mission (i.e., the information processing and storage tasks the network is meant to be supporting and defending). Second, CIRCADIA reasons explicitly about the timeliness of its responses. Using models of the attacks that may occur and the available responses, CIRCADIA synthesizes reactive security control rules that are guaranteed to respond quickly enough to defeat an intruder, if possible. Third, when performance guarantees cannot be completely ensured, CIRCADIA can automatically make principled tradeoffs between the resources devoted to security and the resources devoted to mission processes. Finally, since CIRCADIA reasons explicitly about models of the attacks it faces and assesses the expected performance of the security controllers (reactions) it designs, CIRCADIA may also be used in an offline, system-design methodology to determine what level of security is achievable with a given set of assets and anticipated attack spectrum.

2. An Example Scenario

We begin our discussion by describing a very simplified model of a security attack on a system, modeled for CIRCADIA in Figure 1. The attack goes through several steps, modeled by "event" and "temporal" transitions that capture instantaneous or time-consuming pro-