Abstract
Existing methods for detecting and reacting to security attacks rely largely on competent operators who can trace the source of an attack by analyzing network traffic. The process takes several hours, if it succeeds. The cause of this vulnerability, however, is fundamental. It is a direct product of the model of distributed computing that we have adopted over the last 25 years. In this model, intelligence is concentrated in the hosts while the communication links have the simple task of routing bits from source to destination. The communication links, therefore, act as passive conduits for attackers and cannot help legitimate users in detecting or reacting to attacks.
I will present a solution to this problem that relies on a new model of distributed systems. Network routers in this model participate in distributed protocols and offer assistance in detecting the source of an attack and possibly reacting to it on-line. The solution relies on a novel combination of formal methods, security protocols, and techniques for intrusion detection at the operating system level. This model makes it possible to detect, react to, and thwart several forms of attacks, including denial of service, which is not possible today.
This is joint work with Avi Ruben (AT&T), Mark Segal (Bellcore) and R. Sekar (University of Iowa).