Improving Self Defense by Learning from Limited Experience

Authors:

Karen H.; Steven Harp

Source:

Cyber Security and Information Intelligence Research Workshop, ACM Press, Volume 4, Oak Ridge National Laboratory (2008)

Abstract:

Prevalence of new attacks or attack variants presents an interesting challenge for autonomic cyber-defense: how does the autonomic defense mechanism learn from previous failures, acquiring immunity with experience, and do so as rapidly as possible? In the limiting case, only a single observed failure may be available for learning. In this paper, we describe an approach to the problem of learning rapidly from failures through a process of controlled experimentation. To sidestep the limited observations available to the learner, experimentation takes place using simulation and/or emulation of the defended systems. We give two examples of this approach. The first, Cortex, is a system that autonomously defends a critical service, in this case a MySQL database. Cortex, operating without direct human intervention, can correctly generalize from a single novel attack and immunize the database service against a wide range of similar attacks. The second example, Cognitive Support for Intelligent Survivability Management (CSISM hereafter), is a reasoning system that can mount a knowledge-based defense of an entire network of defended machines. One of the learning components for CSISM, currently under development, also uses learning by experimentation to characterize the attack and evaluate alternative defensive tactics. In both cases, machine learning techniques add a level of intelligence by deriving or identifying information that is key to effective defense.
Attachment:

haigh-harp-csiirw.pdf (166.62 KB)