Benefits of the Internet and computer networking have followed Metcalfe's law, which states that interconnecting “n” devices yields a potential value proportional to “n” squared. As their value expands, networks are increasingly targeted by activists, criminals, terrorists, and military forces. Attacks are escalating in frequency and sophistication. Pandemic societal dependence on computer networks has heightened the repercussions of successful attacks.
An attack in the context of this invention includes any event and associated consequence(s) which can result in network disruption or compromise. Examples include but are not limited to physical phenomena such as vandalism, theft, fire, explosions, power failure; and cyber occurrences such as packet flooding, subverting a system for unauthorized activities, and unauthorized access to information.
Protection schemes are effective at defeating attacks that are manifested through predictable behavior and consequence. Protection schemes establish contingency courses of action before an attack takes place.
The traditional methodology for defending computer networks is deterministic, where a fixed security policy based on a protection scheme leveraging prevention and detection technologies is selected, then deployed. Security policies in these environments are often absolute, where network traffic of a given type is either permitted or denied, and change to policy is only implemented following approval from a centralized authority. This methodology is rigid and equivalent to the Maginot Line, where static defenses proved ineffective in an aggressive and rapidly evolving threat environment.
Restoration schemes are needed to defeat or mitigate attacks and consequences that were not predicted and/or for which no defensive resources were allocated. Restoration schemes facilitate an extensible recovery from attacks which bypass or overwhelm system defenses. Restoration schemes identify contingency courses of action during or immediately following an attack.
Survivable networks are considered attack tolerant, enabling continued operations while under attack. Information assurance is achieved by ensuring confidentiality, integrity, and availability. The general approach to building survivable networks and providing information assurance through innovations of the prior art has focused primarily on protection schemes using prevention and detection methods. The growing trend in successful cyber attacks against enterprise and service provider networks has proven that prevention and detection technologies are increasingly defeated and therefore incapable of providing absolute immunity to attack.
Deterministic methods do not scale nor adapt to change efficiently. Complexity and operating costs increase as new software patches, rule sets, attack signatures, and additional security controls are provisioned to prevent exploitation of potential vulnerabilities associated with maintaining and/or expanding the number of users, applications, and interconnections across a computer network. Complicating network predictability and contingency planning are non-static environments with a high rate of change as is prevalent with the advent of ubiquitous Internet accessibility, wireless connectivity, and mobile computing.
Any significantly complex, heterogeneous network of networks, such as the Internet, can survive and tolerate future attacks only if defended in a non-deterministic, probabilistic manner, where behaviors of the system are difficult to predict exactly, but the probability of certain behaviors is known. Instead of considering only the most likely situations, probabilistic approaches strive to compute a decision-theoretic optimum, in which decisions are based on all possible contingencies.
Deploying the most cost-effective defense-in-depth solution for network survivability requires a combination of centrally-managed and autonomous distributed security controls using a hybrid approach of both protection and restoration schemes implemented through a security model balancing prevention, detection, and incident response in accordance with the threat environment.
Warhol worms and other flash attacks have the potential to spread across the Internet and interconnected networks to impact every attached device and application within minutes or seconds. While many conventional solutions for attack prevention and detection have been developed, comparable emphasis has not been placed on incident response. The many possible settings for firewalls, intrusion detection devices, routers, switches, virus scanners and other devices and applications that affect security result in a complexity far exceeding the capability of individuals to make optimum decisions in anything approaching near-real-time. Many organizations rely on staff and contractors to manually implement incident response actions after an attack has impacted the operation of the network. Without an effective means to immediately contain suspicious behavior or resist an attack, events that circumvent preventive defenses often inflict substantial levels of damage between the time the detrimental activity is detected and the time by which countermeasures or contingency courses of action are implemented.