SECURE-RM: Security and Resource Management for Dynamic Real-Time Systems

The global Internet has made real-time computer systems world-wide vulnerable to an ever-changing array of attacks for which current defense mechanisms are insufficient. In order to combat intruders in this new environment new techniques must be developed that enable decision makers to detect unusual behavior in their systems, correlate anomalies into higher-level attacker goals, plan appropriate response actions and execute their plans. We are developing SECURE-RM, a security management system that combines an intrusion detection system (INBOUNDS) with adaptive resource management middleware (DeSiDeRaTa) for this purpose. INBOUNDS is a network-based, real-time, hierarchical software system for misuse and anomaly detection. Intrusion events, such as pre-attack probes and denial of service attacks, are detected and are reported to SECURE-RM, which employs artificial intelligence techniques for deriving impacts of attacks on operational functions and mission goals. A strong belief in an attack strategy triggers a resource reallocation by DeSiDeRaTa for response execution. 1. Overview of SECURE-RM Figure 1 depicts an overview of the SECURE-RM architecture, which will be used to describe our approach for providing security and resource management for dynamic real-time systems. INBOUNDS notifies SECURE-RM of individual intrusion events. This information is combined with knowledge of the software system attributes and the hardware system attributes [1], and information about the current allocation of (hardware) resources to the software systems [1] to ascertain the adversary’s strategic goals. The results of the analysis are presented to the decision maker in terms pertaining to system structure, QoS and mission goals. Resource & QoS Monitoring Secure-RM adversary’s strategic goals, action advice, metrics queries re-allocation actions QoS & resource metrics intrusion events Decision maker Resource Control INBOUNDS: intrusion detection svcs. DeSiDeRaTa Figure 1 – The Architecture of SECURE-RM Upon perception of an attack, a set of reflexive actions is developed by SECURE-RM. The action development strategy first considers defensive mechanisms to achieve catharsis; if these are deemed inadequate, appropriate system functional realignments are discovered by assessing QoS and resource utilization (current and projected), as well as knowledge of the software system attributes and the hardware system attributes. The actions are recommended to the human decision maker, who may approve a recommended strategic reflex action, or may make queries to determine if alternate reflexes would be more appropriate. Upon selection of a particular strategic action, SECURE-RM considers QoS and resource utilization to determine a detailed set of reallocation operations to enact the stratagem, and dispatches the set of operations to the resource control component. For a more detailed understanding of our approach, consider the internal view of the SECURE-RM component shown in Figure 2. The primary architectural components of the SECURE-RM architecture are (1) attack strategy analyzer, (2) action advisor, (3) allocation optimizer, and (4) the hierarchical belief network. attack strategy analyzer