A holistic approach to service survivability
Source: Conference on Computer and Communications Security
Proceedings of the 2003 ACM Workshop on Survivable and Self-Regenerative Systems, in association with the 10th ACM Conference on Computer and Communications Security
Fairfax, VA
Pages: 11-22
Year of Publication: 2003
ISBN: 1-58113-784-2
Authors
Angelos D. Keromytis, Columbia University
Janak Parekh, Columbia University
Philip N. Gross, Columbia University
Gail Kaiser, Columbia University
Vishal Misra, Columbia University
Jason Nieh, Columbia University
Dan Rubenstein, Columbia University
Sal Stolfo, Columbia University
Sponsor
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM, New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 3; Downloads (12 Months): 36; Citation Count: 6
DOI: http://doi.acm.org/10.1145/1036921.1036923

ABSTRACT

We present SABER (Survivability Architecture: Block, Evade, React), a proposed survivability architecture that blocks, evades and reacts to a variety of attacks by using several security and survivability mechanisms in an automated and coordinated fashion. Contrary to the ad hoc manner in which contemporary survivable systems are built (using isolated, independent security mechanisms such as firewalls, intrusion detection systems and software sandboxes), SABER integrates several different technologies in an attempt to provide a unified framework for responding to the wide range of attacks that malicious insiders and outsiders can launch.

This coordinated multi-layer approach will be capable of defending against attacks targeted at various levels of the network stack, such as congestion-based DoS attacks, software-based DoS or code-injection attacks, and others. Our fundamental insight is that while multiple lines of defense are useful, most conventional, uncoordinated approaches fail to exploit the full range of available responses to incidents. By coordinating the response, the ability to survive successful security breaches increases substantially.

We discuss the key components of SABER, how they will be integrated, and how we can leverage the promising results of the individual components to improve survivability in a variety of coordinated attack scenarios. SABER is currently in the prototyping stage, with several interesting open research topics.


