ARTCAT: (Autonomic Response To Cyber-Attack)

Deep, autonomic runtime monitoring and mitigation

Need

Programs ship with bugs and vulnerabilities. Cybercrime exploiting those will cost the economy $10.5 trillion annually by 2025.

DevSecOps, including static and dynamic analysis and testing, cannot catch all problems. A runtime solution is needed.

Security information and event management (SIEM) and endpoint detection and response (EDR) systems focus on coarse observable signal such as network and file activity, and may miss problems. They also have a limited range of automated mitigation options.

Solution

ARTCAT automatically identifies and mitigates execution anomalies at runtime. This includes internal events, such as inappropriate values or bypassing authentication.

Users specify correct execution via policies which ARTCAT translates into runtime monitors. The monitors track program behavior and change it towards safer executions. A reasoning engine detects anomalies, directs corrective actions, and interfaces with users about system health.

Benefits:

  • Fine-grained policies catch anomalies beyond the reach of EDR/SIEM systems
  • No false positives: every policy violation is a true problem
  • Catches unknown vulnerabilities: policies specify correct behavior, rather than only known problems
  • Automatic mitigations support fast, targeted attack responses

System and Workflow

ARTCAT in practice

Identified and mitigated real vulnerabilities in Nginx (200 KLOC), Bash (250 KLOC), and tar (25 KLOC)

In the NIST Taxonomy of Software Flaws, ARTCAT can fully protect against 11 out of the 16 flaw categories, and partially against 13

ARTCAT for you

ARTCAT can be licensed as an end-to-end tool chain or as modules that integrate with your existing SIEM system, providing an additional source of signal

Our experts can supply behavioral policy templates to get you started, or work alongside your SMEs to create and refine policies

We provide end-to-end support for tuning and troubleshooting deployments

This material is based upon work supported by the Office of Naval Research under Contract No. N68335-19-C-0200. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Office of Naval Research. Approved for public release: distribution unlimited. Approved, DCN# 0543-1787-24