Andreas Rasmusson, D90
Datatekniklinjen
Kungl Tekniska Högskolan
Stockholm, Sweden
23 October 1996
Available as dvi, ps, html, at http://www.sics.se/~ara/papers/thesis96.html.
Emphasis is put on how to make the Assistant usable for non-security experts, how to make the Security Assistant able to monitor programs of which it has little or no previous experience, and how to quickly learn about and respond to new dangers.
We discuss and suggest an architecture with the potential to satisfy the above requirements and relate it to experiences from three prototype implementations as well as related work in Safe Languages and Intrusion Detection.
Constraining the allowed program behavior should decrease the chances that covert malicious activities will go undetected. The Assistant uses a set of loosely coupled sensors to verify that untrusted programs conform to the behavior the user expects them to have. Monitoring for deviation in functionality is argued to be an important sub-domain of anomaly detection, since it makes it possible to pose sensible constraints on previously unencountered programs as well, and gives more sensible feedback to the user. We argue that negotiation among the sensors should allow them to set up system-specific monitoring of a program and to easily make use of new sensors as they become available.
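The following sketch is an added illustration of functionality-based monitoring with negotiating sensors; it is not code from the thesis or its prototypes. The profile format, the `Sensor` class, the `negotiate` and `monitor` functions, and the event trace are all assumptions made for the example.

```python
import posixpath
from dataclasses import dataclass

# Hypothetical profile: what a user expects a program of this kind to do.
# An empty set means the functionality implies no activity of that kind.
PROFILES = {"text-editor": {"file_write": {"/home/user/docs/"}, "net_connect": set()}}

@dataclass(frozen=True)
class Sensor:
    name: str
    kinds: frozenset  # event kinds this sensor is able to observe

    def conforms(self, kind, target, allowed):
        if kind == "file_write":
            # Normalise first so "docs/../.profile" cannot pass the prefix test.
            path = posixpath.normpath(target)
            return any(path.startswith(prefix) for prefix in allowed)
        return target in allowed

def negotiate(profile, sensors):
    """Give each constraint to the first sensor able to observe it."""
    plan, uncovered = {}, []
    for kind in profile:
        sensor = next((s for s in sensors if kind in s.kinds), None)
        if sensor is None:
            uncovered.append(kind)
        else:
            plan[kind] = sensor
    return plan, uncovered

def monitor(functionality, events, sensors):
    """Return user-readable deviations from the declared functionality."""
    profile = PROFILES[functionality]
    plan, uncovered = negotiate(profile, sensors)
    alerts = [f"no sensor can observe {k}; constraint not enforced" for k in uncovered]
    for kind, target in events:
        if kind not in profile:
            alerts.append(f"a {functionality} is not expected to do {kind} ({target})")
        elif kind in plan and not plan[kind].conforms(kind, target, profile[kind]):
            alerts.append(f"{plan[kind].name}: {kind} {target} is outside what a {functionality} does")
    return alerts

# Constructed event trace for an untrusted program declared as a text editor.
EVENTS = [("file_write", "/home/user/docs/report.txt"),
          ("file_write", "/home/user/docs/../.profile"),
          ("net_connect", "203.0.113.7:25")]
FS = Sensor("fs-sensor", frozenset({"file_write"}))
NET = Sensor("net-sensor", frozenset({"net_connect"}))
```

Calling `monitor("text-editor", EVENTS, [FS])` reports the network constraint as unenforced, while passing `[FS, NET]` lets the newly available sensor take it over without any change to the profile.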