Yesterday, DARPA and MIT announced the results of a project, still in development, that would allow an organization’s network to keep functioning even while under an active distributed denial of service or similar attack. Overly simplified, it’s a network-based whitelisting solution that baselines normal traffic patterns and automatically blocks traffic once it detects that it’s under attack. Think of it as an advanced IPS on steroids.
TheNewNewInternet.com reported on it Thursday and stated:
“Previously, when a system was under cyber attack, the only solution to mitigate the threat was to take the server offline. However, there may now be another option. MIT researchers have developed a system that allows servers and computers to continue to operate even while under cyber attack.
The research, predominantly funded by the U.S. Defense Department’s Defense Advanced Research Projects Agency (DARPA), has stood up to outside testing. DARPA hired outside security experts to attempt to bring down the system. According to Martin Rinard, an electrical engineering and computer science professor who led the project, the system exceeded DARPA’s performance criteria in each test.
During normal operations, the system developed by the MIT team monitors any programs running on computers connected to the Internet. This allows the system to determine each computer’s normal behavior range. When an attack occurs, the system does not allow the computers to operate outside of the previously determined range.
“The idea is that you’ve got hundreds of machines out there,” Rinard says. “We’re saying, ‘Okay, fine, you can take out six or 10 of my 200 machines.’” But, he adds, “by observing what happens with the executions of those six or 10 machines, we’ll be able to deploy patches out to protect the rest of the machines (http://tr.im/Sosj).”
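To make the “normal behavior range” idea concrete, here is a small added sketch (my own illustration, not the MIT/DARPA code) of the two phases the article describes: learn a per-program range from quiet-period telemetry, observe deviations on a few hosts, and flip to enforcement for the rest once several hosts leave their range. Host names, program names, metrics and numbers are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample telemetry from a quiet period: (host, program, metric, value).
# Values are invented for this example, not measurements from the MIT system.
TRAINING = [
    ("web01", "httpd", "conn_per_min", 120), ("web01", "httpd", "dst_ports", 2),
    ("web02", "httpd", "conn_per_min", 150), ("web02", "httpd", "dst_ports", 2),
    ("web01", "sshd",  "conn_per_min", 3),   ("web01", "sshd",  "dst_ports", 1),
    ("web02", "sshd",  "conn_per_min", 5),   ("web02", "sshd",  "dst_ports", 1),
]

def learn_baseline(samples, slack=0.25):
    """Per-(program, metric) (low, high) range, widened by `slack` so ordinary
    day-to-day variation is not mistaken for an attack."""
    seen = defaultdict(list)
    for _host, prog, metric, value in samples:
        seen[(prog, metric)].append(value)
    return {k: (min(v) * (1 - slack), max(v) * (1 + slack)) for k, v in seen.items()}

def out_of_range(baseline, prog, metric, value):
    """True when the observation falls outside the learned whitelist range.
    A program/metric the baseline never saw is itself outside the whitelist."""
    lo, hi = baseline.get((prog, metric), (None, None))
    return lo is None or not (lo <= value <= hi)

class Guard:
    """Observe mode records which hosts deviate; once `trip_hosts` distinct hosts
    have left their range, switch to enforce mode and deny any out-of-range action."""
    def __init__(self, baseline, trip_hosts=2):
        self.baseline = baseline
        self.trip_hosts = trip_hosts
        self.deviating_hosts = set()
        self.enforcing = False

    def decide(self, host, prog, metric, value):
        """Return 'allow' or 'deny' for one observation and update the mode."""
        if out_of_range(self.baseline, prog, metric, value):
            self.deviating_hosts.add(host)
            if len(self.deviating_hosts) >= self.trip_hosts:
                self.enforcing = True  # several hosts left their range: treat as an attack
            if self.enforcing:
                return "deny"
        return "allow"
```

In observe mode the first deviating host is still allowed to run so its behaviour can be studied; in-range activity is allowed in both modes, which is what keeps the rest of the fleet serving traffic.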
So why is this all so interesting and worth repeating? First of all, I think this is a great example of a public/private partnership in the realm of cybersecurity defense. We simply don’t see enough of this kind of activity. Secondly, I have to appreciate their focus on an automated response to cyber attacks. This has been one of the major premises of the 20 Critical Controls / Consensus Audit Guidelines for quite some time, and it’s great to see these groups creating solutions in that same spirit.
Finally, I think it’s interesting in light of the mission of DARPA’s National Cyber Range project, which is:
“The National Cyber Range (NCR) is DARPA’s contribution to the new federal Comprehensive National Cyber Initiative (CNCI), providing a “test bed” to produce qualitative and quantitative assessments of the Nation’s cyber research and development technologies. Leveraging DARPA’s history of cutting-edge research, the NCR will revolutionize the state of the art for large-scale cyber testing. Ultimately, the NCR will provide a revolutionary, safe, fully automated and instrumented environment for our national cyber security research organizations to evaluate leap-ahead research, accelerate technology transition, and enable a place for experimentation of iterative and new research directions (http://www.darpa.mil/sto/ia/ncr.html).”
So is this an example of a “leap-ahead” research project? We might all have different opinions. But the bottom line is that the DARPA initiatives appear to be moving forward. Let’s all hope this is just one of many more game-changing technologies we’ll see from these teams in the near future.