Speaker:
R. C. Sekar, Computer Science, Iowa State U.
Abstract: Our increasing reliance on networked information systems to support critical infrastructures (e.g, telecommunication, commerce and banking, power distribution, and transportation) has prompted interest in making the information systems {\em survivable,} so that they continue to perform their primary functions even in the face of coordinated attacks and spontaneous failures. Of particular importance are techniques that can enhance the survivability of today's systems, as opposed to requiring them to be completely redesigned and/or reimplemented.
Most attacks on current networked information systems exploit vulnerabilities that can ultimately be traced to software flaws. Consequently, recent research has focussed on analysis techniques to determine whether such errors lead to exploitable vulnerabilities ({\em vulnerability analysis}), and detection techniques to identify actual exploitation of these vulnerabilities ({\em intrusion detection}). Whereas previous efforts could only detect attacks after the fact, our approach can {\em prevent} large classes of attacks before they cause damage. Our approach can also launch automatic responses aimed at isolating and containing damage. The key observation behind our approach is that regardless of how an intrusion takes place, damage must ultimately be effected via system calls provided by the operating system or network packets delivered to the system. We therefore develop a high-level language in which normal system behaviors can be specified in terms of interactions of processes with the operating system kernel, and network packets received or transmitted by the system. We then develop algorithms for compiling these specifications into efficient extended finite-state automata that can recognize deviations from specified behaviors, indicating potential intrusions. We discuss our implementation of these techniques into a high-performance intrusion detection system, and the results of its participation in a recent competition of intrusion detection systems organized by MIT Lincoln Laboratories and DARPA.
We then describe a new {\em model-based} approach for vulnerability analysis of networked information systems. In our approach, the security-related behavior of each system component is modelled in a high-level specification language. Finding system vulnerabilities can now be accomplished by analyzing the composite behavior of the system using automated verification techniques ({\em model-checking} in particular) to identify scenarios where security-related properties are violated.
Short Bio: R. C. Sekar received his Ph.D. in computer science from State University of New York (SUNY) at Stony Brook in 1991. He was a research scientist at Bellcore from 1991 through 1996 in Computer Networking Research department. He currently holds the position of an assistant professor of computer science at Iowa State University, where he heads the Secure and Reliable Systems Laboratory.