SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
ACM Computing Surveys (CSUR)
Outside the Closed World: On Using Machine Learning for Network Intrusion Detection
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
A sense of self for Unix processes
SP'96 Proceedings of the 1996 IEEE conference on Security and privacy
GQ: practical containment for measuring modern malware systems
Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
Anagram: a content anomaly detector resistant to mimicry attack
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
| Hi-index | 0.00 |
Current cyber defenses result in binary access for attackers who have compromised a host: either the attacker has full access to the machine or the intrusion is detected and the machine is removed from the network. This is the result of an apparent duality when determining if a system is compromised; i.e., either it is or it is not. However, analysts usually make decisions based upon many pieces of data and their own experience, which may lend itself to higher resolution in the decision-making process. We propose using machine-oriented indicators of compromise to trigger progressive, incremental cocooning of a machine by replacing real network services with their emulated counterparts, which are indistinguishable from real services to attackers. The emulated services will be instrumented to gather additional details about an attacker's tools and techniques. Incremental cocooning reduces the effect on normal users' experiences.