Counterplanning Deceptions to Foil Cyber-Attack Plans

Proceedings of the 2003 IEEE Workshop in Information Assurance, West Point, NY, June 2003Tactics involving deception are important in military strategies. We have been exploring deliberate deception in defensive tactics by information systems under cyber-attack as during information warfare. We have developed a tool to systematically "counterplan" or find ways to foil a particular attack plan. Our approach is to first find all possible atomic "ploys" that can interfere with the plan. Ploys are simple deceits the operating system can do such as lying about the status of a file. We analyze ploys as to the degree of difficulty they cause to the plan wherever they can be applied. We then formulate a "counterplan" by selecting the most cost-effective set of ploys and assign appropriate presentation methods for them, taking into account the likelihood that, if we are not careful, the attacker will realize they are being deceived and will terminate our game with them. The counterplan can be effected by a modified operating system. We have implemented our counterplanner in a tool MECOUNTER that uses multi-agent planning coupled with some novel inference methods to efficiently find a best counterplan. We apply the tool to an example of a rootkit-installation plan and discuss the results.supported by the U.S. Department of Justice Office of Justice Programs and Office for Domestic PreparednessApproved for public release; distribution is unlimited

An Intelligent Tutor for Intrusion Detection on Computer Systems

Computers and Education, pp. 395-404, 1998Intrusion detection is the process of identifying unauthorized usage of a computer system. It an important skill for computer-system administrators. It is difficult to learn on the job because it is needed only occasionally but can be critical. We describe a tutor incorporating two programs. The first program uses artificial-intelligence planning methods to generate realistic audit files reporting actions of a variety of simulated users (including intruders) of a Unix computer system. The second program simulates the system afterwards, and asks the student to inspect the audit and fix the problems caused by the intruders. This program uses intrusion-recognition rules to itself infer the problems, planning methods to figure how best to fix them, plan-inference methods to track student actions, and tutoring rules to tutor intelligently. Experiments show that students using the tutor learn a significant amount in a short time.Approved for public release; distribution is unlimited

An Intelligent Tutor for Intrusion Detection on Computer Systems

Intrusion detection is the process of identifying unauthorized usage of a computer system. It an important skill for computer-system administrators. It is difficult to learn on the job because it is needed only occasionally but can be critical. We describe a tutor incorporating two programs. The first program uses artificial-intelligence planning methods to generate realistic audit files reporting actions of a variety of simulated users (including intruders) of a Unix computer system. The second program simulates the system afterwards, and asks the student to inspect the audit and fix the problems caused by the intruders. This program uses intrusion-recognition rules to itself infer the problems, planning methods to figure how best to fix them, plan-inference methods to track student actions, and tutoring rules to tutor intelligently. Experiments show that students using the tutor learn a significant amount in a short time