Enabling Dynamic Security Management of Networked Systems via Device- Embedded Security (Self-Securing Devices)

摘要

This report summarizes the results of the work on the AFOSR's Critical Infrastructure Protection Program project, entitled Enabling Dynamic Security Management of Networked Systems via Device-Embedded Security (Self- Securing Devices), funded by the Air Force Research Laboratory contract number F49620-01-1-0433. The scientific goal of this CIP/URI effort was to fundamentally advance the state-of-the-art in network security and digital intrusion tolerance by exploring a new paradigm in which individual devices erect their own security perimeters and defend their own critical resources (e.g., network links or storage media). Together with conventional border defenses (e.g., firewalls), such self-securing devices provide a flexible infrastructure for dynamic prevention, detection, diagnosis, isolation, and repair of successful breaches in borders and device security perimeters. More specifically, the research sought to understand the costs, benefits and appropriate realization of (1) multiple, increasingly-specialized security perimeters placed between attackers and specific resources; (2) independent security perimeters placed around distinct resources, isolating each from compromises of the others; (3) rapid and effective intrusion detection, tracking, diagnosis, and recovery, using the still-standing security perimeters as a solid foundation from which to proceed; (4) the ability to dynamically shut away compromised systems, throttling their network traffic at its sources and using secure channels to reactively advise their various internal components to increase their protective measures; and (5) the ability to effectively manage and dynamically update security policies within and among the devices and systems in a networked environment. The underlying motivation throughout this research was to go beyond the 'single perimeter' mindset that typifies today's security solutions and results in highly brittle protections.