Automatic Intrusion Monitor Placement for Defensive Mediation in Attack Graphs

Award #: N/A
Amount Awarded: $195,000
Sponsoring Organization: Army Research Laboratory
Grant Period: 10/2011 - 09/2012
Primary Investigator(s): Trent Jaeger

Abstract

In this project, we propose to develop an automated method that uses network policies and the mandatory access control (MAC) policies of individual hosts and VMs to place network monitors only on links reachable by adversaries. To model the attack paths across an end-to-end system consisting of a hierarchy of subnets, hosts, and virtual machines, we plan to use a well-known software model checking representation called a hierarchical state machine (HSM), which expresses hierarchical, encapsulated graphs. We then plan to solve the problem of placing monitors to detect intrusions by solving a cut problem over HSM graphs. Rather than trying to cover heuristically found attack paths, as proposed previously, we rely on the system’s network and MAC policies, which provide an accurate model of how adversaries may access host processes and propagate attacks across hosts. A key result is that a placement can be kept consistent with the policies as they evolve, as any placement is directly derivable from these policies.
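The placement-as-cut idea in the abstract, shown as an added example that is not the project's code: it works on a flattened directed graph rather than an HSM and uses a standard unit-capacity minimum cut (Edmonds-Karp) as a stand-in for the project's cut formulation. The node names, `LINKS` and `place_monitors` are assumptions made for the illustration.

```python
from collections import defaultdict, deque

# Constructed sample: directed links allowed by a hypothetical network + MAC policy,
# flattened from the subnet/host/VM hierarchy into "subnet/host[:vm]:label" nodes.
LINKS = [
    ("internet", "dmz/web:httpd_t"),
    ("internet", "dmz/mail:smtpd_t"),
    ("internet", "dmz/dns:named_t"),
    ("dmz/web:httpd_t", "int/app:app_t"),
    ("dmz/mail:smtpd_t", "int/app:app_t"),
    ("dmz/dns:named_t", "int/app:app_t"),
    ("int/app:app_t", "int/db:vm1:mysqld_t"),
    ("int/app:app_t", "int/db:vm2:backup_t"),
    ("int/db:vm2:backup_t", "int/db:vm1:mysqld_t"),
    ("mgmt/admin:sysadm_t", "int/db:vm1:mysqld_t"),  # not adversary-reachable
]

def place_monitors(links, entries, targets):
    """Minimum set of links that every path from an adversary entry to a
    target must cross (unit-capacity min cut via Edmonds-Karp)."""
    cap, adj = defaultdict(int), defaultdict(set)
    def arc(u, v, c):
        cap[(u, v)] += c
        adj[u].add(v); adj[v].add(u)      # reverse arc for the residual graph
    for u, v in links:
        arc(u, v, 1)
    big = len(links) + 1                  # super arcs can never be in the cut
    for e in entries:
        arc("_S", e, big)
    for t in targets:
        arc(t, "_T", big)
    def residual_reach():
        parent, queue = {"_S": None}, deque(["_S"])
        while queue:
            u = queue.popleft()
            for v in adj[u]:
                if v not in parent and cap[(u, v)] > 0:
                    parent[v] = u
                    queue.append(v)
        return parent
    while "_T" in (parent := residual_reach()):
        v = "_T"
        while parent[v] is not None:      # push one unit along the path
            u = parent[v]
            cap[(u, v)] -= 1
            cap[(v, u)] += 1
            v = u
    # Links leaving the source side of the final residual graph form the cut.
    return {(u, v) for u, v in links if u in parent and v not in parent}
```

On the sample, an adversary entering from `internet` is covered by two monitors on the links leaving `int/app:app_t`, rather than three on the perimeter, and the management link gets no monitor because no adversary path reaches it. Re-running the function after a policy change recomputes the placement from the updated links.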
