Living with the Enemy: Containing a Network Attacker When You Can't Afford to Eliminate Him.

摘要

The classic response to attack in computer networks has been to disconnect the effected system from the network, preserve the information on the system, and begin a forensic investigation. It can be argued that this type of response is not appropriate in many situations. Breaking contact often leaves the defender not knowing who the attacker is, what the current mission of the attacker was, what the capability of the attacker is, where else the attacker has been successful in infiltrating systems, and what the strategic goals of the attacker are. Alternatively, the computer system or network on which the attacker has established himself may be too valuable to operations to permit an aggressive intervention to remove the attacker from the system. This paper presents the foundation arguments for defensive operations involving continuing contact with the attacker, and a research project that implements an Attack Containment Filter that addresses the associated risks. In order to realise this aim a prototype Attack Containment Filter called ApateX has been developed. ApateX is an intelligent transparent bridge that controls communications traversing it.