Behavior-dependent Routing: Responding to Anomalies with Automated Low-cost Measures

2015 
As cyber attacks on enterprise systems and critical infrastructure increase in prevalence and severity, the persistent presence of adversaries in these systems is a common theme. While there are many efforts and tools focused on locating and removing adversaries from cyber systems, there is an increasing need for automated, steerable response that happens on attack-relevant time scales: an active cyber defense. The research presented here describes the design and implementation of a system (SEQUESTOR) that achieves a form of active defense at the network layer by using the output of multiple behavior models to drive differential routing of traffic through a core network. This approach is based on two assertions: 1) methods for detecting behavior that is inconsistent with a user's past are a proxy for compromised systems or credentials, but are subject to a high rate of false positives; and 2) automatically changing the logical route taken by future traffic emanating from the potentially compromised system provides a means of graded response that makes it possible to balance the cost of a false positive against the risk of allowing the behavior to continue. The presented system is a framework that combines behavior models in a modular way and allows future models and responses to be incorporated. Ultimately, this is a model for how real-time situational awareness technologies can be coupled to automated responses, while also supporting steerable responses that provide decision support to human operators.
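As an added illustration (not SEQUESTOR's own code), the following sketches the graded-routing decision the abstract describes: several pluggable behavior models each score an event, the scores are fused, and a route tier is chosen by expected cost so that a higher cost of a false positive pushes the decision toward less restrictive tiers, with an operator override keeping the loop steerable. The tier parameters, the three toy models and the cost figures are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Route tiers from least to most restrictive. Each carries an assumed fraction of
# adversary capability it removes (mitigation) and the friction a legitimate user
# would feel if the decision were a false positive. Hypothetical values.
TIERS = {
    "normal":     {"mitigation": 0.0, "friction": 0.0},
    "monitored":  {"mitigation": 0.3, "friction": 0.05},
    "restricted": {"mitigation": 0.7, "friction": 0.4},
    "quarantine": {"mitigation": 1.0, "friction": 1.0},
}

@dataclass
class BehaviorModel:
    """One pluggable detector: returns an anomaly score in [0, 1] for an event."""
    name: str
    score: Callable[[dict], float]
    weight: float = 1.0

def fuse_scores(models: List[BehaviorModel], event: dict) -> float:
    """Weighted mean of the models' scores, each clamped to [0, 1]."""
    total = sum(m.weight for m in models)
    return sum(m.weight * min(1.0, max(0.0, m.score(event))) for m in models) / total

def expected_cost(tier: str, p: float, fp_cost: float, harm_cost: float) -> float:
    """Cost of routing via `tier` when p is the fused probability of compromise:
    friction is paid with probability (1 - p), residual harm with probability p."""
    t = TIERS[tier]
    return (1 - p) * t["friction"] * fp_cost + p * (1 - t["mitigation"]) * harm_cost

def choose_tier(p: float, fp_cost: float, harm_cost: float) -> str:
    """Cheapest tier by expected cost; ties resolve to the least restrictive."""
    return min(TIERS, key=lambda tier: expected_cost(tier, p, fp_cost, harm_cost))

def route(event: dict, models: List[BehaviorModel], fp_cost: float,
          harm_cost: float, overrides: Optional[Dict[str, str]] = None) -> str:
    """Route tier for the event's source host. An operator override
    (host -> tier) wins over the automatic decision."""
    if overrides and event["src"] in overrides:
        return overrides[event["src"]]
    return choose_tier(fuse_scores(models, event), fp_cost, harm_cost)

# Three constructed models standing in for real behavior models (assumptions).
MODELS = [
    BehaviorModel("new_destination", lambda e: 1.0 if e["dst"] not in e["known_dsts"] else 0.0),
    BehaviorModel("off_hours", lambda e: 1.0 if not 8 <= e["hour"] < 18 else 0.0),
    BehaviorModel("bulk_transfer", lambda e: 1.0 if e["bytes"] > 100_000_000 else 0.0),
]
```

With `fp_cost=30, harm_cost=90`, one anomalous model moves a host to `restricted` and two move it to `quarantine`; raising `fp_cost` to 300 for the same single anomaly keeps it on `normal`, which is the cost-versus-risk trade the abstract points at.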