An architecture for security engineering

Ram Dantu
University of Texas at Dallas
2601 North Floyd Road
Richardson, Texas 75080.
Email: ram.dantu@utdallas.edu
Tele: 972 883 4653
Fax: 972 883 2710
Abstract
It is almost impossible to detect security breaches manually in complex and dynamic environments and react in a timely fashion. On the other hand, fully automatic response to security alerts is not recommended, because the differences between intrusions and normal traffic cannot be resolved by predetermined rules. However, given a proper specification of the expected behavior and of the measurements (or signatures), an error signal can be computed. This error signal can be used to update the security mechanisms so that the required output is achieved. Towards this objective, a novel architecture based on a feedback control system is specified; we call it the defender-control-loop. In this architecture, the microscopic and macroscopic views of security are integrated to achieve end-to-end security.
Second, we use the same methodology for modeling intrusions, suspicious probes, scans and responses; we call this the intruder-control-loop. In a secured network, the intruder-control-loop and the defender-control-loops cooperate to proactively neutralize attacks. In summary, the feedback control system can increase the security confidence level through accurate specification of the requirements, metrics, measurements, signatures and transfer function in the control loop.
1 Introduction
The network perimeter is the primary concern of security managers, who have relied on multiple security components to keep their networks safe. Examples are firewalls, intrusion detection systems, and honey pots.
Intrusion Detection Systems
Intrusion detection systems are like burglar alarms. There are two types, network-based and host-based. Network intrusion detection systems examine the network traffic, while host intrusion detection systems detect outsider infiltration as well as unauthorized access by users who are trusted insiders. Intrusions are characterized as suspicious network traffic patterns, called signatures. These signatures are compared against the observed traffic patterns, and a deviation generates security alerts. These alerts can be false alarms, however: because of the nature of the signatures, these systems can only be as accurate as the signatures themselves. Moreover, they are reactive and cannot prevent attacks.
Firewalls
Several kinds of firewalls are currently deployed at the network perimeter: static packet filters, dynamic packet filters, circuit-level packet filters, proxy gateways, and stateful inspection firewalls. Proxy firewalls often only have packet filter rules applied, or are used to protect just one server, such as an external web server. Hence most firewall rules are static and cannot respond to dynamic changes.
Firewall Routers
Routers with built-in firewalls are attractive for cost containment. However, they add complexity and overhead to the router's function, and many security experts are concerned about having all security in one box.
Honey Pots
Honey pots lure attackers by presenting a more visible and apparently more vulnerable resource than the enterprise network itself. They are also useful for forensics. But they can be vulnerable themselves, because they attract the attackers' special attention, and if they are incorrectly configured they make the network more vulnerable.
Thus firewalls, routers, intrusion detection systems, and honey pots can be very useful elements of network defense, but they cannot protect the network by themselves. By careful integration and engineering of these devices, however, the security level can be increased. To our knowledge, no one has reported the use of feedback control theory in security engineering. We propose to treat network security as a multi-loop control system. Section 2 describes the problem and Section 3 describes the architecture; its subsections describe the modules in the closed-loop system and how to obtain the transfer functions for these modules. Section 4 presents the conclusions. Further work involves the derivation of the transfer functions for each module and for the overall system.
2 Problem Description
It is not humanly possible to detect security breaches in complex and dynamic environments and react in a timely fashion. On the other hand, automated security management is a challenging task in a distributed system and an attractive research area. Towards this objective, the system should dynamically compute reconfiguration and repair plans from information retrieved from the various elements in the network. A comprehensive architecture represents a specialized view of the overall system that emphasizes the security services and security mechanisms needed to satisfy the security objectives and requirements. Such an architecture should handle the following issues:
- Meeting security requirements: how the requirements map to metrics and measurements, and how the rules can be validated against the network security policies and the known attacks.
- Security component placement: which component to place at which location in the network, and how to find the optimum with respect to metrics, cost, security level, and response time. As another example, consider protocol vulnerability: even a proper implementation will have security problems if the fundamental protocol is itself exploitable. Exactly how security should be implemented in a protocol varies with the structure of the protocol itself, and the precise mechanism appropriate in a given situation can depend on the processing element in the network. Candidates include IPSec, TLS, VPN tunnels, SASL, DNSSEC, digital signatures, S/MIME and SSH.
- Interaction between different components: how to ensure that some policy rules do not impact other rules or components. Most access control products are user-configurable and prone to human error.
- Understanding attackers and attacks: how to understand the attackers' probes and react to them.
3 Architecture
We assume that a secured network consists of firewalls, sensors, analyzers, honey pots, and various scanners and probes. These components are either separate elements or collocated with hosts, servers, routers and gateways.
In this architecture, a (centralized or distributed) controller is responsible for the collection and monitoring of all events in the network. The controller knows the network topology, firewall configurations, security policies, intrusion detections and individual events in the network elements. It is a logical function and can be deployed anywhere in the network.
As shown in Figure 3, the controller communicates with clients located in the different network elements. The clients are responsible for detecting and collecting the events in their node and reporting them to the controller. The controller then runs through its algorithms, rules, policies and mathematical formulas (transfer functions) to determine the next course of action, which is communicated back to the clients. Some of these methods and algorithms are described in the subsequent sections.
[Figure 1 (diagram): controller blocks Monitoring, Measurements, Auditing, Preparation/Planning, Mapping (mapping security features to a network element) and Security reporting. Inputs from the network: node events, intrusion detection, nodal anomalies, finger prints, routing anomalies, protocol vulnerabilities, changes in configuration, unexpected pin holes, new signatures and alerts, filter false positives. Outputs to the network: update FW rules, update signatures, recovery & response. Loop response times marked: ~100 ms, ~1 sec, ~one minute, ~few minutes.]
Figure 1 A controller architecture for end-to-end security engineering
As shown in Figure 1, the architecture evolves from the concept of closed-loop control. Changes in the security behavior are captured and mixed with the incoming network signals, and this information is used to formulate the next course of action. The final result is the outcome of multiple loops and the integration of multiple actions. The response times within each loop (we call them defender-loops) are indicated in Figure 1 and vary from a few milliseconds to several tens of minutes. For example, nodal events like buffer overflows and performance degradation can be detected in a matter of milliseconds. On the other hand, it may take several seconds to detect failed logins, changes to system privileges and improper file access.
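The closed-loop idea above (specify the expected behavior, measure, compute the error, update a mechanism) is concrete enough to run. The following is an added example written for this page, not code from the paper: the loop names and timescales follow Figure 1 loosely, while the specifications, the client event reports and the action names are constructed for the illustration.

```python
"""Defender-control-loop illustration (added example, not the paper's code).

The loop specifications, event reports and action names below are
constructed; they are hypothetical and follow Figure 1 only loosely.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LoopSpec:
    """Specification of expected behaviour for one defender loop."""
    name: str         # defender loop (hypothetical name)
    metric: str       # event type the clients report into this loop
    expected: float   # expected event count per window (the set point)
    tolerance: float  # |error| still regarded as normal behaviour
    window_s: float   # loop response time in seconds
    action: str       # mechanism updated when the error exceeds the tolerance


# Constructed specification: a node event such as a buffer overflow is never
# expected, a couple of failed logins per second are tolerated, and a
# firewall pin-hole change is reviewed on a one-minute loop.
SPECS: List[LoopSpec] = [
    LoopSpec("node_events", "buffer_overflow", 0.0, 0.0, 0.1, "recovery_and_response"),
    LoopSpec("intrusion_detection", "failed_login", 2.0, 2.0, 1.0, "update_signatures"),
    LoopSpec("security_reporting", "pinhole_change", 0.0, 0.0, 60.0, "update_fw_rules"),
]

# Constructed client reports: (time in seconds, reporting node, event type).
SAMPLE_EVENTS: List[Tuple[float, str, str]] = [
    (0.02, "server-1", "buffer_overflow"),
    (0.40, "server-1", "failed_login"),
    (0.55, "server-1", "failed_login"),
    (0.70, "server-1", "failed_login"),
    (0.90, "server-1", "failed_login"),
    (0.95, "server-1", "failed_login"),
    (1.30, "server-2", "failed_login"),
    (5.00, "fw-1", "pinhole_change"),
]


def measure(events: List[Tuple[float, str, str]], spec: LoopSpec) -> Dict[int, int]:
    """Count the events of spec.metric in each window of spec.window_s seconds.

    Windows are numbered from time zero; only windows containing at least
    one matching event appear in the result.
    """
    counts: Dict[int, int] = {}
    for t, _node, kind in events:
        if kind == spec.metric:
            window = int(t // spec.window_s)
            counts[window] = counts.get(window, 0) + 1
    return counts


def error_signal(measured: float, spec: LoopSpec) -> float:
    """Error = measured - expected; positive means more activity than specified."""
    return measured - spec.expected


def run_defender_loops(events: List[Tuple[float, str, str]], specs: List[LoopSpec]) -> List[dict]:
    """One controller pass: measure, compute the error, emit update actions.

    A window whose error stays within the tolerance produces no action,
    which is what keeps the loop from reacting to every small fluctuation.
    """
    actions: List[dict] = []
    for spec in specs:
        for window, count in sorted(measure(events, spec).items()):
            err = error_signal(count, spec)
            if abs(err) > spec.tolerance:
                actions.append({
                    "loop": spec.name,
                    "window_start_s": window * spec.window_s,
                    "measured": count,
                    "expected": spec.expected,
                    "error": err,
                    "action": spec.action,
                })
    return actions


if __name__ == "__main__":
    for act in run_defender_loops(SAMPLE_EVENTS, SPECS):
        print(act)
```

With the constructed input, the five failed logins in the first second exceed the specified two by more than the tolerance and trigger a signature update, while the single failed login in the next second is within tolerance and produces nothing; the buffer overflow and the pin-hole change each trigger their loop's action because the specification expects none of them.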
3.1 Intruder Loops
In general, attackers have a strategy, and it is similar to the defenders' strategy. In order to track attacker activity, it is very important to monitor and correlate the suspicious traffic. This helps prevent attackers from obtaining the critical information needed to launch attacks. We use a similar closed-loop control (call it the intruder-loop) for understanding attackers, and create a honey pot at every stage of the attack. For example, honey pots are created in the network configuration, the firewall policy rules, and the intrusion detection system. The attacker may apply port scans, NetBIOS probes, or SNMP probes. The challenge is to find the inherent flaws in the attack process and actually stop the attack. In summary, we plan to neutralize attackers before they even reach the firewall or other devices.
For successful security engineering, the intruder-loop and the defender-loop work hand in hand in the overall security system design.
[Figure 2 (diagram): the attacker's loop of Preparation/Monitoring, Detection and Response, with a block that analyzes the probes and scans. Information sought: topology, accessible network services, software version, valid passwords. Activity: attacks, scans, probes.]
Figure 2 Attacker's strategy and plan of action
[Figure 3 (diagram): a controller (solid lines) and a distributed controller (dashed lines) communicating with clients on a firewall, a sensor, an analyzer, an end unit, a router and a server. Legend: 1. Topology of network; 2. Security status; 3. Collection and distribution; 4. Policies, access control lists and configuration; 5. Probes and attack-related information.]
Figure 3 Communication between various elements for meeting end-to-end security requirements
3.2 Mapping of Security
A number of mechanisms can be used to provide network security. Which one should be selected depends on the topology, traffic patterns, cost, purpose of the network and several other factors.
Security devices include static packet filters, dynamic packet filters, circuit-level packet filters, proxy gateways, and stateful inspection firewalls. Intrusion detection systems can be host-based or network-based, and another question is where to place the IDS, on the inbound or the outbound side of the network. The location of honey pots is another important decision. Moreover, if a security problem is inherent to the protocol, it cannot be eliminated no matter how the protocol is implemented. If nothing else, any network-based security mechanism can be thwarted by compromise of the end points. The precise mechanism appropriate in a given situation can vary depending on the processing element in the network; candidates include IPSec, TLS, VPN tunnels, SASL, DNSSEC, digital signatures, S/MIME and SSH.
3.3 Metrics-based Evaluation and Reporting
The administrators of real-time distributed computing systems may deploy several security devices and tools for the management of security, but it is imperative to find out whether these arrangements indeed meet the requirements. We can make measurements and calculate metrics for each requirement. One approach is to prepare a score card and find out which requirements are met and which are not (future work). In this approach, a weight is allocated to each requirement and an overall security report is generated.
[Figure 4 (diagram): two columns, "Requirements with weights" and "Metrics/Measurements after adding weights to the corresponding requirements"; numeric entries as extracted: 3, 1, 0, 2, 6, 3, 3, 0, 5, 8.]
Figure 4 Mapping of requirements to metrics and measurements
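The weighted score card sketched above can be written down directly. The following is an added example for this page, not the paper's own method or code: the requirement names, weights, targets and the measurements are constructed, and the rule that a requirement with no measurement counts as unmet is the example's own choice.

```python
"""Weighted security score card (added example, not the paper's code).

Requirements, weights, targets and measurements are constructed and
hypothetical; they stand in for whatever the controller's clients report.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Requirement:
    name: str
    weight: int             # importance allocated to the requirement
    metric: str             # measurement that decides whether it is met
    target: float           # threshold the measurement is compared with
    higher_is_better: bool  # True: value >= target is met; False: value <= target is met


# Constructed requirements with weights; the weight-0 entry shows that a
# requirement can be tracked in the report without affecting the score.
REQUIREMENTS: List[Requirement] = [
    Requirement("perimeter filtering", 3, "fw_rule_coverage_pct", 95.0, True),
    Requirement("intrusion detection accuracy", 2, "ids_false_positive_rate", 0.05, False),
    Requirement("timely response", 2, "mean_response_s", 60.0, False),
    Requirement("end-point hardening", 1, "hosts_patched_pct", 90.0, True),
    Requirement("forensic logging", 0, "log_retention_days", 30.0, True),
]

# Constructed measurements as the controller might collect them.
MEASUREMENTS: Dict[str, float] = {
    "fw_rule_coverage_pct": 97.0,
    "ids_false_positive_rate": 0.12,
    "mean_response_s": 45.0,
    "hosts_patched_pct": 88.0,
    "log_retention_days": 14.0,
}


def is_met(req: Requirement, value: float) -> bool:
    """Compare a measurement with the requirement's target in the right direction."""
    return value >= req.target if req.higher_is_better else value <= req.target


def score_card(reqs: List[Requirement], measurements: Dict[str, float]) -> dict:
    """Weighted security report: per-requirement status and the overall score.

    A requirement with no measurement counts as unmet rather than being
    skipped, so a missing sensor lowers the score instead of hiding it.
    """
    rows = []
    total = earned = 0
    for req in reqs:
        value: Optional[float] = measurements.get(req.metric)
        met = value is not None and is_met(req, value)
        rows.append({
            "requirement": req.name,
            "weight": req.weight,
            "measured": value,
            "target": req.target,
            "met": met,
        })
        total += req.weight
        if met:
            earned += req.weight
    score = round(100.0 * earned / total, 1) if total else 0.0
    return {"rows": rows, "earned": earned, "total": total, "score_pct": score}


def unmet(report: dict) -> List[str]:
    """Names of the requirements the report marks as not met."""
    return [row["requirement"] for row in report["rows"] if not row["met"]]


if __name__ == "__main__":
    report = score_card(REQUIREMENTS, MEASUREMENTS)
    for row in report["rows"]:
        print(row)
    print("score:", report["score_pct"], "% unmet:", unmet(report))
```

With the constructed numbers, perimeter filtering and timely response are met (5 of the 8 weight points, a score of 62.5%), while the false-positive rate, patch coverage and log retention fall short and are listed as unmet.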
3.4 Security Controller
The controller is a centralized device responsible for the real-time management of security in the network. It is used for planning and engineering the network as well as for the collection of measurements and the detection of intrusions. The controller block diagram is shown in Figure 1. In addition, clients are mounted in each of the network elements; for example, each client is tasked with the collection of protocol-specific measurements, the detection of intrusions and policy-specific measurements.
After collecting all the information from the various network elements, the controller may block a certain IP address or a specific range of ports, or terminate a TCP connection. The exact protocol can be an extension of the MIDCOM protocol (used for controlling NATs and firewalls) being developed in the IETF.
[Figure 5 (diagram): the controller exchanging messages with an IDS, an end system, a firewall (FW), a server and a honey pot. Commands: blocking, signature, signal, policy rules, terminate session, or block between specific addresses or ports. Replies: status and response.]
Figure 5 Commands and responses between the controller and other elements in the network
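The command-and-response exchange of Figure 5 is shown below as an added example for this page. It is not the paper's code and it does not implement the IETF MIDCOM protocol: the JSON message format, the three command names and the client's in-memory rule table are hypothetical. The point it adds is that both the controller (before sending) and the client (before applying) validate a command, so a malformed or corrupted instruction never reaches the firewall rule set.

```python
"""Controller-to-client command exchange (added example, not the paper's code).

Message format, command names and the client's rule table are hypothetical
and do not follow MIDCOM or any other real protocol.
"""
import ipaddress
import json
from typing import Dict, List

COMMANDS = {"block_address", "block_ports", "terminate_session"}


def validate_command(cmd: dict) -> List[str]:
    """Return the problems found in a command; an empty list means it is valid."""
    problems: List[str] = []
    kind = cmd.get("command")
    if kind not in COMMANDS:
        problems.append(f"unknown command {kind!r}")
        return problems
    if kind == "block_address":
        try:
            ipaddress.ip_network(cmd.get("address", ""), strict=False)
        except ValueError:
            problems.append("address must be an IP address or CIDR block")
    elif kind == "block_ports":
        lo, hi = cmd.get("first_port"), cmd.get("last_port")
        if not all(isinstance(p, int) and 1 <= p <= 65535 for p in (lo, hi)):
            problems.append("ports must be integers in 1..65535")
        elif lo > hi:
            problems.append("first_port must not exceed last_port")
    elif kind == "terminate_session":
        for key in ("src", "dst"):
            try:
                ipaddress.ip_address(cmd.get(key, ""))
            except ValueError:
                problems.append(f"{key} must be an IP address")
    return problems


def controller_send(cmd: dict) -> str:
    """Controller side: validate, then serialise the command for a client."""
    problems = validate_command(cmd)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(cmd, sort_keys=True)


def client_apply(state: Dict[str, list], message: str) -> dict:
    """Client side: decode, re-validate, apply to the rule table, and reply.

    `state` holds the client's blocked networks, blocked port ranges and
    terminated sessions; the returned dict is the status response.
    """
    try:
        cmd = json.loads(message)
    except json.JSONDecodeError:
        return {"status": "error", "reason": "malformed message"}
    problems = validate_command(cmd)
    if problems:
        return {"status": "error", "reason": "; ".join(problems)}
    kind = cmd["command"]
    if kind == "block_address":
        network = ipaddress.ip_network(cmd["address"], strict=False)
        state.setdefault("blocked_networks", []).append(str(network))
    elif kind == "block_ports":
        state.setdefault("blocked_ports", []).append((cmd["first_port"], cmd["last_port"]))
    else:
        state.setdefault("terminated", []).append((cmd["src"], cmd["dst"]))
    return {"status": "ok", "applied": kind}


def demo() -> Dict[str, list]:
    """Run a constructed exchange (documentation addresses) and return the client state."""
    state: Dict[str, list] = {}
    for cmd in (
        {"command": "block_address", "address": "192.0.2.0/24"},
        {"command": "terminate_session", "src": "198.51.100.7", "dst": "203.0.113.9"},
    ):
        reply = client_apply(state, controller_send(cmd))
        assert reply["status"] == "ok", reply
    return state


if __name__ == "__main__":
    print(demo())
    print(client_apply({}, '{"command": "block_ports", "first_port": 8080, "last_port": 80}'))
```

The client re-runs the same validation the controller ran rather than trusting the message, which is the cheap end-point check that keeps a single faulty controller decision from being applied blindly.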
4 Conclusions
Realizing a fully secured network is an almost impossible task. Network topology, applications and user traffic patterns change continuously, and it is impossible to control security with static configuration and rules. Understanding and reacting to dynamic changes is a complex and difficult task. Moreover, the changes take anywhere from milliseconds to minutes. For a complete solution, it is important to digest all kinds of changes.
In this paper, we have proposed a security controller based upon feedback control theory. Measurements, signatures, topological changes and finger prints are continuously extracted from the network. These measurements are fed back into the control loop and compared with the existing conditions, and an error is generated. This error signal is used to calculate the transfer function of the feedback loop and to update the security components in the network; for example, new policy rules are added or deleted and new honey pots may be created.
To satisfy the feedback control loop, a specification and requirements for the expected output need to be stated. Likewise, certain measurements, benchmarks, and metrics are specified for satisfying these requirements, as are certain buffer sizes and CPU utilizations. Further work involves the specification of requirements and benchmarks, and deriving transfer functions for each module in the feedback loop.
5 Acknowledgements
We would like to thank Prof. Farokh Bastani for his valuable comments and time in
reviewing the work.