Cognitive Enhancements to Support Dependability 1

Partha Pal, Franklin Webber, Richard Schantz
BBN Technologies
{ppal,fwebber,schantz}@bbn.com

1 This work is supported by DARPA in parts under AFRL Contract No. F30602-02-0134 and Navy Contract No. N00178-07-C-2003.

Abstract

The threat of cyber-attacks is no longer limited to the boundary of information systems. The safety and reliability of almost any system can be compromised by exploiting vulnerabilities in the information systems that connect with or control it. Agile and ongoing manipulation of (redundant and diverse) system components, defense mechanisms and system resources is essential for surviving attacks and continuing operation. Cyber-defense administration—the dynamic management of components, defense mechanisms and system resources—is therefore a current topic of significant interest to the dependability community. In this paper, we present our ongoing work on automated support for intelligent cyber-defense administration.

1. Introduction

Intrusion tolerance and survivability focus on the design, implementation and verification of information systems that can tolerate cyber attacks—i.e., maintain the Confidentiality (C), Integrity (I) and Availability (A) attributes (of information and information services) despite an adversary’s attempts to subvert or compromise them. Fault-tolerance techniques and principles (e.g., redundancy, quorum-based consensus, etc.) are utilized in defending availability and countering corruption attacks, but intrusion tolerance is not exactly the same as fault tolerance. Runtime adaptive management is one key differentiator.
Failures induced by the malicious actions of an intelligent adversary may not follow any statistical distribution; may occur in multiple numbers simultaneously; may range from a simple crash to timing failures and sophisticated Byzantine failures; and can manifest faster or slower than many accidental failures (because the adversary controls some aspects of the system). All of these reinforce the need for advanced runtime manipulation of system components, defense mechanisms and resource controllers—in other words, sophisticated cyber-defense administration.

Cyber-defense administration is not the same as network administration. Network administrators treat the network as an omnibus system, and their network view typically does not include any deep understanding of the information systems and applications that use the network. Survivable systems, on the other hand, view the network as one of the (shared) resources that various information systems and applications need.

We have been developing a survivability approach that combines aspects of protection, detection and adaptive response (instead of focusing on fault detection, fault avoidance, or repair in isolation from each other) and involves dynamic manipulation of not just defense mechanisms or fault-tolerant protocols, but also the system’s resources. Work to date has achieved the initial survivability objectives of containing the attacker’s access, containing the spread of attack effects, isolating the compromised parts of the system and degrading the system’s behavior gracefully (as opposed to sudden and complete disruption). We recently demonstrated a high-water-mark survivable system (called the DPASA survivable JBI [1]) in multiple rounds of adversarial red team testing.
The survivable system achieved significant technical success (75% successful mission completion within stipulated time) against the intelligent and highly privileged adversary (pre-positioned attack code started as part of the system was run under direct control of the adversary). However, cyber-defense administration still significantly depends on human experts. Cyber-defense that can only be administered by highly trained experts with deep designer and implementer level knowledge about the system is too expensive to be practical. In addition, significant