Computer Virus Response Using Autonomous Agent Technology
22.12.2012 Views
Share Embed Flag

Computer Virus Response Using Autonomous Agent Technology

Computer Virus Response Using Autonomous Agent Technology

Computer Virus Response Using Autonomous Agent Technology

SHOW MORE
SHOW LESS
ePAPER READ
DOWNLOAD ePAPER
csrc.nist.gov

Create successful ePaper yourself

Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.

START NOW

<strong>Computer</strong> <strong>Virus</strong> <strong>Response</strong> <strong>Using</strong><br />

<strong>Autonomous</strong> <strong>Agent</strong> <strong>Technology</strong><br />

Changing the Paradigm<br />

Christine M. Trently<br />

ctrently@mitretek.org<br />

S<br />

26

Outline<br />

0 Brief Perspective on <strong>Computer</strong> <strong>Virus</strong> <strong>Response</strong><br />

0 Overview of <strong>Autonomous</strong> <strong>Agent</strong> <strong>Technology</strong><br />

0 <strong>Agent</strong>s for <strong>Computer</strong> <strong>Virus</strong> <strong>Response</strong><br />

0 Example <strong>Using</strong> <strong>Agent</strong>s for <strong>Virus</strong> <strong>Response</strong><br />

0 Comparison - Current versus Future<br />

0 Future Considerations<br />

0 Conclusions<br />

S<br />

26

Brief Perspective - <strong>Computer</strong> <strong>Virus</strong> <strong>Response</strong><br />

0 <strong>Virus</strong>es ?<br />

0 Current <strong>Response</strong><br />

0 Trends<br />

0 Need for Change<br />

0 Automated <strong>Response</strong><br />

S<br />

26

<strong>Autonomous</strong> <strong>Agent</strong> (AA) <strong>Technology</strong><br />

0 <strong>Agent</strong> Characteristics<br />

- Simple, singular task<br />

- Mobile<br />

- Intelligence - Reasoning<br />

- Cooperation<br />

0 Operating Environment<br />

S<br />

26

<strong>Autonomous</strong> <strong>Agent</strong> (AA) <strong>Technology</strong><br />

(concluded)<br />

0 <strong>Agent</strong> Coordination Engine (ACE)<br />

- Launch<br />

- Authenticate<br />

- Repair<br />

- Communicate<br />

<strong>Agent</strong> Programs<br />

Launch Authenticate Repair Communicate<br />

<strong>Agent</strong> Coordination Engine<br />

Operating System<br />

Communication Protocol<br />

S<br />

26

The <strong>Agent</strong>s of <strong>Virus</strong> <strong>Response</strong><br />

external<br />

activities<br />

external<br />

activities<br />

Compile Report<br />

Dete ct <strong>Virus</strong><br />

Identify <strong>Virus</strong><br />

Make Report<br />

Capture Sample<br />

Remove <strong>Virus</strong><br />

S<br />

26

Responding to Boot Sector <strong>Virus</strong> <strong>Using</strong> <strong>Agent</strong>s<br />

0 Detect<br />

- Trigger: Insertion of diskette<br />

- Activity: Check for boot sector virus on<br />

diskette<br />

- Notification: <strong>Virus</strong> found message sent to ACE<br />

0 Identify<br />

- Trigger: ACE<br />

- Activity: Identify virus detected or<br />

Verify (virus) signature from detection<br />

- Notification: <strong>Virus</strong> identification to ACE<br />

0 Sample<br />

- Trigger: ACE<br />

- Activity: Make copy of Boot sector / disk image<br />

- Notification: <strong>Virus</strong> sample sent to repository and<br />

completion status sent to ACE<br />

S<br />

26

<strong>Response</strong> for Boot Sector <strong>Virus</strong> <strong>Using</strong> <strong>Agent</strong>s<br />

(concluded)<br />

0 Recovery<br />

- Trigger: ACE<br />

- Activity: Remove virus from boot sector using<br />

appropriate technique<br />

- Notification: Completion status to ACE<br />

0 Report<br />

- Trigger: ACE<br />

- Activity: Generate incident report<br />

- Notification: 1) Report sent to administrator;<br />

2) Report sent to repository<br />

3) Completion status to ACE<br />

S<br />

26

<strong>Virus</strong> <strong>Response</strong> - Comparison<br />

Current vs. Future<br />

0 Current (User Activity)<br />

- Scan computer<br />

periodically<br />

- Notified by AVS that BS<br />

virus detected<br />

- Boot from known clean,<br />

write-protected diskette<br />

- Take a sample by<br />

inserting new diskette<br />

- Use Recovery diskette or<br />

Run Clean-Up routine for<br />

given virus to remove<br />

virus<br />

- Re-scan<br />

- Return to Work<br />

0 Future (<strong>Agent</strong> Activity)<br />

- Activity on computer is<br />

checked by agents<br />

- BS virus found on diskette<br />

inserted into computer<br />

- <strong>Virus</strong> identified, if<br />

applicable<br />

- Sample taken<br />

- <strong>Virus</strong> removed<br />

- Report generated and<br />

administrator notified<br />

S<br />

26

Future Considerations and Conclusions<br />

0 Reduce Processing Overhead<br />

0 Prevent Misuse<br />

0 Maintain <strong>Agent</strong> Integrity<br />

0 Identify Target <strong>Response</strong><br />

0 Provide Identification and<br />

Recovery Techniques I’ve got what?!?<br />

-------------------------------------------<br />

0 Changing the Paradigm<br />

0 Providing a loaded gun<br />

S<br />

26

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!