Today's cyber defense tools are mostly watchers, not active doers. To be sure, watching is itself a demanding affair: these tools monitor traffic and events; they detect malicious signatures, patterns and anomalies; they may classify and characterize what they observe; they issue alerts, and they may even learn while doing all this. But they do not act. They do little to plan and execute responses to attacks, and they do not plan or execute recovery activities. Response and recovery, the core elements of cyber resilience, are left to human cyber analysts, incident responders and system administrators. We believe this should change. Cyber defense tools should not be merely watchers; they need to become doers, active fighters in maintaining a system's resilience against cyber threats. This means that their capabilities should include a significant degree of autonomy and intelligence, applied to rapid response to a compromise (whether incipient or already successful) and to rapid recovery that supports the resilience of the overall system. Often, response and recovery must be undertaken in the absence of any human involvement, and with an intelligent consideration of the risks and ramifications of the actions taken. Recently, an international team published a report that proposes a vision of an autonomous intelligent cyber defense agent (AICA) and offers a high-level reference architecture for such an agent. In this paper we explore this vision.