Living with the Enemy: Containing a Network Attacker When You Can't Afford to Eliminate Him

Abstract

The classic response to an attack on a computer network has been to disconnect the affected system from the network, preserve the information on the system, and begin a forensic investigation. It can be argued that this type of response is not appropriate in many situations. Breaking contact often leaves the defender not knowing who the attacker is, what the attacker's current mission was, what the attacker's capability is, where else the attacker has succeeded in infiltrating systems, and what the attacker's strategic goals are. Alternatively, the computer system or network on which the attacker has established himself may be too valuable to operations to permit an aggressive intervention to remove the attacker from the system. This paper presents the foundation arguments for defensive operations involving continuing contact with the attacker, and a research project that implements an Attack Containment Filter that addresses the associated risks. To realise this aim, a prototype Attack Containment Filter called ApateX has been developed. ApateX is an intelligent transparent bridge that controls the communications traversing it.

Document Details

Document Type
Technical Report
Publication Date
Nov 01, 2010
Accession Number
ADA584046

Entities

People

  • David Vessey
  • Pat Smith
  • Scott Knight
  • Sylvain Leblanc

Organizations

  • Royal Military College of Canada

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Command And Control
  • Computer Networks
  • Computers
  • Computing System Architectures
  • Cyber Defense Techniques
  • Cybersecurity
  • Detectors
  • Filters
  • Information Operations
  • Infrastructure
  • Network Architecture
  • Network Protocols
  • Networks
  • Risk
  • Security
  • Surveillance
  • Vulnerability

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Systems Analysis and Design