GRASP: Global Recognition of Attacker Signatures and Policy Response

GRASP uses application intrusion detection to detect the attacker, then proactively deceives the attacker to elicit information about the attacker’s skills, determination, resources and identity. GRASP analyzes the intrusion and changes the fine-grained security policy to prevent the intrusion in the future. GRASP collects its knowledge subtly over time, piece by piece. Machine learning techniques synthesize the attacker model from all the individual observations.

GRASP’s unique intrusion detection operates at the application level by monitoring resource consumption. GRASP automatically modifies fine-grained operating system security policy mechanisms to prevent a similar intrusion in the future. GRASP’s policy evolution approach includes several safety mechanisms to ensure critical mission resources are always accessible to those who need them. Today, creating fine-grained security policies places too great a burden on local administrators, who should be concentrating on meeting mission objectives. GRASP effectively provides protective object-oriented operating system armor around the application.

The proposed GRASP design has the following features:

• Application intrusion detection, containment and automatic intelligence gathering
• Proactively deceiving the attacker to elicit unique, distinguishing characteristics
• Tracking attackers across multiple incursions by identifying them by their fist
• Attacker fists described canonically so they can be shared with other DoD sites
• Gathering intelligence about attack vectors and how they work
• Evolving security policy in response to attacks without impacting the mission
• Long-term learning to determine the most effective deception techniques
• Risk monitoring that terminates an attack when it threatens the application