Security Threat Assessment across Large Network Infrastructures
Grigorios Fragkos
Research Student – Information Security Research Group
School of Computing, University of Glamorgan, UK
gfragkos@glam.ac.uk

Copyright 2005 © Fragkos Grigorios, Blyth Andrew. Security Threat Assessment across Large Network Infrastructures, Safeguarding National Infrastructures: Integrated Approaches to Failure in Complex Networks, University of Glasgow, UK, August 2005

The Wired & Wireless Gaia
– The worldwide internet population was already 934 million in 2004 and is projected to reach 1.21 billion in 2006 [ClickZ Stats Staff 2005]
– Reported security incidents have grown from 6 in 1988 to 21,756 in 2000 and to 137,529 in 2003 [CERT 2005]
– Security…

Safeguarding Large Network Infrastructures – Why is it still a problem?
a) Why do network infrastructures still suffer from attacks, and why are we still wondering why we cannot deal efficiently with security-related issues by taking active countermeasures against them?
b) Should today’s security still be considered a technology problem?
c) How, and with what kind of system built with security in mind, could large network infrastructures be protected efficiently by performing threat assessment?

What is Security?
– The Cambridge Dictionary describes security as: “The ability to avoid being harmed by any risk, danger or threat”
– The Oxford English Dictionary describes security as: “The state of being or feeling secure”, where “secure” is described as “protected against attack or other criminal activity”
Do we need a definition that describes achievable goals in a more realistic and practical way?

Defining Security
The state of being or feeling secure, by having the ability to avoid being harmed at an irrecoverable level, by any risk, danger or threat, when/for protecting a specific asset.
(Author’s definition, where “secure” is defined according to the Oxford dictionary definition)

NISCC, CNI and Smart Procurement
– National Infrastructure Security Co-ordination Centre (NISCC): to ensure the continuity of society in time of crisis [NISCC 2005]
– Critical National Infrastructure (CNI): known in the UK as the essential services and systems protected by NISCC
– Smart Procurement: the financial issues arising when we have to deal with large projects. In a similar way, the MoD applies Smart Procurement to calculate whether the amount of resources available for purchasing military equipment is equivalent to the amount of equipment it needs to purchase [MoD 2001]

Approaching a solution
[Diagram: a Threat Assessment Intelligent Engine connecting University A, University B, University C, University D, University E (Glam), Corporation A, Corporation B and a Non-Governmental Organization]
Expand existing computer and network-defensive technologies by combining them with the information and services provided by the NISCC, in order to design a prototype architecture that could easily be applied in large infrastructures.

Threat Assessment & Threat Response
Real-Time Threat Assessment has two very important goals.
– The first goal is to minimize the time from the moment an attack actually started until the moment our defense system is able to identify it as an actual attack.
– The second goal is to minimize the time our system needs to take any required actions or deploy a set of countermeasures, before the actual attack has finished.

Threat Assessment’s Timeframes
[Timeline diagram: the attacker’s data that exposed him/her is generated along the time axis, with the points a1, d1, d2, a2 and the intervals δ and Δ marked]
a1 - Attack Started
a2 - Attack Finished
d1 - Detected Attack
d2 - Deploy Countermeasures
δ - Lasting time of an attack
Δ - Timeframe from the moment an attack was detected until the moment the attack was blocked
The Idea
An efficient structuring of intrusion detection data into object-oriented hierarchy trees will give the system an understanding of events similar to the way the human brain understands the relations between species or objects. Make the system aware of what it sees, so that it becomes conscious of the various types of attacks that exist in the wild, along with their subtypes. In other words, the system will not just detect an already known or novel attack; it will have a notional understanding of the network traffic and will be able to identify novel attacks and categorize them based on what it knows up to that moment.

Combination of Technologies
– Multi-CPU systems
– Beowulf Clusters
– Grid Computing
– A.I. languages
– SSH, SOAP, XML, Python
– Object-Oriented Classification of Network Events
– Footprints Repository
– State-of-the-art Intrusion Detection Systems

Need for Real-Time Threat Assessment
Present an architecture that can be used to perform Real-Time Threat Assessment using IDS data:
– Provide a holistic picture of an attack and thus facilitate the decision-making process associated with Computer Network Defence
– Analyse and index data from a variety of distributed heterogeneous sources via a taxonomy of object-based attack classifications
– Perform threat assessment based on the progression of an attack using principles derived from A.I.

Summary
– Automate the Threat Assessment process across vast amounts of information
– Identify new attacks based on patterns of behaviour using anomaly detection
– Prevent ongoing attacks by interchanging information in a non-centralized manner
– Protect Critical-Importance Infrastructures in Real-Time

Q&A
Thank you for your attention
Grigorios Fragkos
Information Security Research Group (ISRG)
University of Glamorgan, Wales, UK

References
• Biermann, E., Cloete, E. and Venter, L. (2001). A Comparison of Intrusion Detection Systems.
Computers & Security
• ClickZ Stats Staff (2005). Population Explosion. Available at: http://www.clickz.com/stats/sectors/geographics/article.php/5911_151151
• CERT® Coordination Center (2005). CERT Coordination Center Statistics 1988-2003. Available at: http://www.cert.org/stats/cert_stats.html
• Debar, H., Dacier, M., Wespi, A. (1999). Towards a taxonomy of intrusion detection systems. Computer Networks
• Lippmann, R., et al. (1998). Evaluating Intrusion Detection Systems: The 1998 DARPA Off-line Intrusion Detection Evaluation. First International Workshop on Recent Advances in Intrusion Detection (RAID), Louvain-la-Neuve, Belgium
• Lunt, T. (1993). A survey of intrusion detection techniques. Computers and Security
• Morakis, E., Vidalis, A., Blyth, A. J. C. (2003a). Measuring Vulnerabilities and their Exploitation Cycle. Elsevier Information Security Technical Report, Vol. 8, No. 4
• Morakis, E., Vidalis, S., Blyth, A. J. C. (2003b). A Framework for Representing and Analysing Cyber Attacks Using Object Oriented Hierarchy Trees. Second European Conference in Information Warfare, UK, pp. 235-246

Appendices

System’s Overview
[Diagram]

System’s Brain
[Diagram]

Threat
• Question: What do we mean by threat when talking about security?
• Answer: A threat to a system can be defined as:
– A possible danger to the system (Michel E. Kabay, Enterprise Security: Protecting Information Assets, McGraw-Hill, 1996)
– A circumstance that has the potential to cause loss or harm (Charles P. Pfleeger, Security in Computing, Addison Wesley, 1997)
– A circumstance or event that could cause harm by violating security (Rita C. Summers, Secure Computing: Threats and Safeguards, McGraw-Hill, 1997)

Threat Assessment
• Question: What is Threat Assessment?
• Answer: There are two goals in the model of Threat Assessment:
– Identify threats based on feasibility (enablers) and indicators of potential exploitation. These threats are further categorized by the potential likelihood that they will be exploited.
– Provide an intelligence-based method of predicting, detecting, and monitoring potential large-scale threats to business and national security [Global Technology Research, Inc].

Intrusion Detection Systems (IDS)
• Technologies
– Host Based
– Network Based
– Application Based
– Stack Based
• Defence Mechanisms
– Passive
– Reactive
• Detection Mode
– Misuse Detection
– Anomaly Detection
– Specification Based

State of the Art & its limitations
Intrusion Detection Systems and security auditing systems have developed to the point where large quantities of information relating to security incidents can be captured, stored, indexed and classified.
• Probabilistic Methods
• Multi-pattern Search Algorithms
• Hybrid neural networks
• Learning program behaviour
• Correlation of Intrusion alerts
All the systems mentioned share a basic characteristic: they follow the path of becoming either misuse detection systems or anomaly detection systems.

Real-Time
• Unification Process
A number of sensors running any type of IDS, as described earlier, log network events into a centralized repository. The collector (or unification process) gathers all the information before it is sent to the repository, in order to unify the data under a single database schema.
[Diagram: Sensors S1…Sn, SOAP, XML / RPC, Unification Process (U), Data Repository (DB), Execution Engine]

System’s Architecture
[Diagram: Sensor 1 … Sensor n, XML / SOAP envelope, load-balancing Agent, SOAP Server with message check, Data Repository, Top-level Classification Repository, Classification Repository, Footprint Repository, Execution Engine, Countermeasures Engine, Visualization Window]
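As an added example (not code from the slides or from the Glamorgan project), the Unification Process above and the object-oriented classification from “The Idea” carried through in Python: lines from two constructed sensor formats are mapped onto one assumed schema, and each unified record is then classified against a small hierarchy tree, so that an event no leaf recognizes is still placed under its nearest known ancestor. The schema, regexes, class names, predicates and sample lines are all assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Callable

# Unified schema every sensor record is mapped onto (assumed, not taken from the slides).
SCHEMA = ("sensor", "ts", "src", "dst", "proto", "dport", "flags", "msg")
# Two constructed sensor formats: an IDS fast-alert style and a firewall log style.
IDS_LIKE = re.compile(r"(?P<ts>\S+)\s+\[\*\*\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+\{(?P<proto>\w+)\}"
                      r"\s+(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")
FW_LIKE = re.compile(r"(?P<ts>\S+) fw: (?P<proto>\w+) (?P<src>[\d.]+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
                     r" flags=(?P<flags>\w*) msg=(?P<msg>\S+)")

def unify(sensor: str, line: str) -> "dict | None":
    """Unification process: map one raw sensor line onto SCHEMA (None if unparseable)."""
    for rx in (IDS_LIKE, FW_LIKE):
        m = rx.match(line)
        if m:
            rec = dict.fromkeys(SCHEMA)        # fields this sensor does not report stay None
            rec.update(m.groupdict())
            rec["sensor"], rec["dport"] = sensor, int(rec["dport"])
            return rec
    return None

@dataclass
class Node:  # one class in the object-oriented hierarchy tree of network events
    name: str
    match: Callable[[dict], bool]
    children: list = field(default_factory=list)
    def classify(self, ev: dict) -> list:
        """Descend while a child matches; a novel event stops at its nearest known ancestor."""
        for child in self.children:
            if child.match(ev):
                return [self.name] + child.classify(ev)
        return [self.name]

TAXONOMY = Node("NetworkEvent", lambda e: True, [  # illustrative classes; names are assumptions
    Node("Probe", lambda e: "scan" in e["msg"].lower(), [
        Node("SynScan", lambda e: e["flags"] == "S")]),
    Node("RemoteAccess", lambda e: e["dport"] in (22, 23), [
        Node("SSHBruteForce", lambda e: e["dport"] == 22 and "brute" in e["msg"].lower())]),
])
RAW = [  # constructed sample lines from two sensors, using RFC 5737 documentation addresses
    ("s1", "2005-08-01T10:00:01 [**] SSH brute force attempt [**] {TCP} 192.0.2.10:4000 -> 198.51.100.5:22"),
    ("s2", "2005-08-01T10:00:03 fw: TCP 192.0.2.10->198.51.100.5:22 flags=S msg=new_tool_xyz"),
    ("s2", "2005-08-01T10:00:04 fw: TCP 192.0.2.11->198.51.100.5:80 flags=S msg=syn_scan"),
]

def assess(raw) -> list:
    """Unify every line, drop unparseable ones, and pair each record with its taxonomy path."""
    recs = (unify(sensor, line) for sensor, line in raw)
    return [(rec, TAXONOMY.classify(rec)) for rec in recs if rec is not None]
```

The second sample line carries a message the tree has never seen, yet it is still filed under NetworkEvent/RemoteAccess because its destination port matches a known ancestor, which is the “categorize based on what it knows up to that moment” behaviour the slides describe.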