Intrusion Management Using Configurable Architecture Models

Abstract

Software is increasingly being constructed using the component-based paradigm in which software systems are assembled using components from multiple sources. Moreover, these systems are increasingly dynamic; a core set of components is assembled and then new functionality is provided as needed by dynamically inserting additional components. A newer trend closely associated with the use of component-based software is the post development use of configurable run-time architecture models describing the structure of the software system. These models are coming out of the software engineering community and are being used to manage component-based systems at deployment and operations time. The key aspect of this trend is that these models accompany the software system and provide the basis for defining and executing run-time monitoring and reconfiguration of these systems. We believe that these models have the potential for providing a new and important source of information that can be exploited to improve the management of intrusions directed against these software systems. Our hypothesis is that they can provide a common framework for integrating and managing all phases of intrusion defenses: phases including intrusion detection, response, and analysis. We will show how these models can provide a framework around which to organize intrusion-related data. We will also show how architecture-driven reconfiguration can provide improved response, and how inconsistencies between the models and the actual system state can support application-level anomaly detection and computer forensics analysis. Our approach directly challenges the existing practice of basing intrusion management on low level features such as network packets or system call traces. The former is too far removed from the operation of application software, and the latter provides at best limited insight into the operation of the application.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Apr 05, 2002
Accession Number
ADA436737

Entities

People

  • Alexander L. Wolf
  • Dennis M. Heimbigner

Organizations

  • University of Colorado Boulder

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Anomaly Detection
  • Application Software
  • Change Detection
  • Computational Forensics
  • Computer Science
  • Computers
  • Detection
  • Detectors
  • Intrusion
  • Intrusion Detection
  • Intrusion Detection Systems
  • Intrusion Detectors
  • Life Cycles
  • Notation
  • Reliability
  • Software Development

Fields of Study

  • Computer science

Readers

  • Cybersecurity.
  • Database Systems and Applications
  • Software Engineering.