One of the major problems with current cybersecurity measures is that while systems can detect the erratic behavior that heralds an incoming attack, there often isn’t a whole lot those systems can do once the attack is underway, short of pulling the servers offline. That means lost revenue and credibility for Web sites and a loss of key services for users. A new MIT system aims to change that by keeping servers and applications running even as it contains an incoming cyberattack.

The system works by observing programs as they normally run and memorizing those ranges of behavior. During an attack, the system simply locks the programs within those behavioral ranges; that is, if a program usually stores data at either location X or location Y, those are the only two places it will be allowed to store data once the security system detects that an attack is underway.

If a malicious program tries to trick the program into storing info at location Z, the security system won’t let the program deviate from its usual behavior. But it does keep the program up and running even as the attack unfolds.

The tactic is something like a strike/counter-strike battle plan, and as such there are casualties. For instance, once a program is limited to locations X and Y it may begin to store data there that doesn’t belong, which in turn could cause a server crash. But the security system learns as it goes, narrowing the space that the malicious program has to maneuver while figuring out what countermeasures are most effective. So a site that has dozens of servers will lose a few during the opening salvo of the attack, but in doing so the security system learns the enemy’s M.O. and engineers a fix for the remaining servers, sometimes in a matter of seconds.

Funded by DARPA, the MIT initiative has twice hired outside security firms to attack the system. Both times a few programs went down within the system, but overall it performed above and beyond the benchmarks set by DARPA and MIT. In the second test, it kept nine of every 10 programs running for the duration of the attack. Viewed through the complex fog of cyberwar, a 90% success rate is nothing to scoff at.

MIT News