Introduction

Automating detection of and response to attacks in the real world--that is the subject. Friends of mine wrote the paper highlighting why it is a bad idea for intrusion detection systems to trigger automated response [Newsham, Ptacek], so why am I talking about it? Because they are right, unless we change a few things about how we do intrusion detection and response. So, that is what I am really here to do: show a different way to approach the problem--adaptive response. My goal is to get people thinking about this with a new sense of vigor and to really think through the issues and solutions I present today.

Before any of you go on thinking I might be smart, everything I am going to talk about was directly inspired by people like Steven Hofmeyr, Anil Somayaji, Stephanie Forrest, Teresa Lunt, and my friends who let me bounce ideas and thoughts off of them (you know who you are). I am hanging onto the coattails of giants.

Related Projects--http://pinky.hexop.org/id/

Adding short-sequence system-call analysis to systrace (adapted from Somayaji's pH)
Adaptive-response daemon for Linux systems
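To make the two projects above concrete, here is an added illustration (my own code, not the systrace patch or the daemon the talk refers to, and not pH itself) of short-sequence system-call analysis paired with a graded response. The window length, locality frame, threshold, the exponential delay policy and the sample traces are all constructed for this example; pH's actual parameters and behaviour are not taken from this page.

```python
from collections import deque

# Constructed parameters for this illustration (not from the page or from pH).
WINDOW = 6       # length of each short syscall sequence
FRAME = 10       # locality frame: how many recent windows we look back over
THRESHOLD = 3    # mismatches within the frame before a response is triggered


def train_profile(traces, k=WINDOW):
    """Record every length-k sequence seen in traces of normal behaviour.

    The profile is just a set of tuples; any sequence not in it is a mismatch.
    """
    normal = set()
    for trace in traces:
        for i in range(len(trace) - k + 1):
            normal.add(tuple(trace[i:i + k]))
    return normal


def scan_trace(trace, normal, k=WINDOW, frame=FRAME, threshold=THRESHOLD):
    """Slide a window over a live trace and compare each sequence to the profile.

    Returns (total_mismatches, flagged_positions). A position is flagged when the
    number of mismatches in the last `frame` windows reaches `threshold`, so one
    unusual sequence does not by itself trigger a response.
    """
    recent = deque(maxlen=frame)
    flagged = []
    total = 0
    for i in range(len(trace) - k + 1):
        miss = tuple(trace[i:i + k]) not in normal
        recent.append(miss)
        total += miss
        if sum(recent) >= threshold:
            flagged.append(i)
    return total, flagged


def response_delay_ms(recent_mismatches, base_ms=1):
    """Graded response (assumed policy): delay the process rather than kill it.

    Exponential in the recent mismatch count and capped, so a transient false
    positive costs a few milliseconds while a sustained anomaly is slowed to a
    crawl and gives an operator time to look before anything drastic happens.
    """
    if recent_mismatches == 0:
        return 0
    return min(base_ms * 2 ** recent_mismatches, 10_000)


# Constructed sample traces for a toy program that opens, reads and writes a file.
NORMAL_TRACES = [
    ["execve", "brk", "mmap", "open", "read", "close", "mmap", "write", "exit"],
    ["execve", "brk", "mmap", "open", "read", "read", "close", "write", "exit"],
]
# Constructed trace in which the same program starts doing network I/O and exec'ing.
ANOMALOUS_TRACE = ["execve", "brk", "mmap", "open", "read", "close",
                   "socket", "connect", "dup2", "execve", "write", "exit"]


def demo():
    """Train on the normal traces, then scan a normal and an anomalous trace."""
    profile = train_profile(NORMAL_TRACES)
    ok = scan_trace(NORMAL_TRACES[0], profile)
    bad = scan_trace(ANOMALOUS_TRACE, profile)
    return {"profile_size": len(profile), "normal": ok, "anomalous": bad,
            "delay_ms": response_delay_ms(bad[0])}


if __name__ == "__main__":
    print(demo())
```

The point of the locality frame is the one the intro is driving at: a response that fires on every single mismatch is exactly the kind of automation the cited paper warns against, whereas one that waits for a cluster of mismatches and then slows the process down rather than killing it fails soft when the profile is incomplete.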