Techniques in Automated Cyber-Attack Response and Recovery

Zhenkai Liang
Stony Brook University


No computer system is absolutely secure. As researchers identify solutions to existing problems, new types of problem continue to be discovered. This trend will continue for the foreseeable future due to the nature of security problems. Given that new attacks may defeat the best available detection and prevention mechanism, my research is from a different angle: finding solutions to isolate damage and accelerate recovery. In this talk, I will present the techniques developed in my dissertation research, which deal with threats arising from both external and internal sources. To defeat internal threats, such as execution of untrusted programs, I proposed a Safe Execution Environment (SEE) to isolate the effects of untrusted programs using one-way isolation: processes running within the SEE are given read-access to the environment provided by the host OS, but their write operations are prevented from escaping outside the SEE. An SEE enables users to successfully "try out" untrusted programs, configuration changes, and software patches without the fear of damaging the system in any manner. To defeat external threats, such as remote attacks launched by attackers, I developed an approach that can automatically learn the characteristics of an attack, and block future instances of the same attack and its variants. It was implemented on Linux operating system, targeting buffer overflow attacks. Without requiring the source code of the protected program, this approach is effective on real attacks collected on the Internet. Responses were made in tens of milliseconds, which enables this approach to be used to defeat fast-spreading worms.