Reasoning about timeliness for computer security reactions: CIRCA and AIA experiment 001

DARPA´s Autonomic Information Assurance (AIA) program is exploring the use of automatic systems to detect and respond, at computer speeds, to high-speed computer security attacks. The first formal experiment of the AIA program, termed AIA Experiment 001, explored the relationship between the effectiveness of responses to scripted security attacks and the speed of those responses. This paper discusses how the CIRCA (Cooperative Intelligent Real-Time Control Architecture) system for automatic controller synthesis can reason about the problem explored in AIA Experiment 001, can automatically predict the results of the experiment, and can exploit those predictions itself. By modeling the individual steps of the attack and the potential response actions, CIRCA can explicitly compute the response-time threshold distinguishing effective responses from ineffective responses. In fact, CIRCA can use this knowledge to build a reactive security controller that guarantees to respond quickly enough to prevent the attacker from succeeding. To show how CIRCA does this reasoning, we begin with a brief review of Experiment 001 and its results, then provide a short review of how CIRCA works. We then illustrate how CIRCA models the experiment and builds a controller that will always defeat the attack. The intent is to clearly illustrate CIRCA´s reasoning processes that build guaranteed controllers, and how they relate to information assurance