Copy of Overheads - School of Computing Science

Security Threat Assessment across
Large Network Infrastructures
Grigorios Fragkos
Research Student – Information Security Research Group
School of Computing, University of Glamorgan, UK
gfragkos@glam.ac.uk
Copyright 2005 © Fragkos Grigorios, Blyth Andrew. Security Threat Assessment across Large Network Infrastructures, Safeguarding National
Infrastructures: Integrated Approaches to Failure in Complex Networks, University of Glasgow, UK, August 2005
The Wired & Wireless Gaia
The worldwide internet population was already 934
million in 2004 and is projected to reach 1.21 billion
in 2006 [ClickZ Stats Staff 2005]
The reported security incidents have evolved from 6
in 1988 to 21,756 in 2000 and consequently to
137,529 in 2003 [CERT 2005]
Security…
Safeguarding Large Network Infrastructures
Why is security still a problem?
a) Why do network infrastructures still suffer from attacks, and why are
we still wondering why we cannot deal efficiently with security-related
issues by taking active countermeasures against them?
b) Should today’s security still be considered a technology
problem?
c) How, and what kind of, system built with security in mind could
protect large network infrastructures efficiently by performing threat
assessment?
What is Security?
– The Cambridge Dictionary describes security as:
“The ability to avoid being harmed by any risk, danger or threat”
– Also, the Oxford English Dictionary describes security as:
“The state of being or feeling secure”
…where “secure” is described as “protected against attack or other
criminal activity”
Do we need a definition that describes achievable goals in a more realistic
and practical way?
Defining Security
The state of being or feeling secure, by having the ability to avoid being
harmed at an irrecoverable level, by any risk, danger or threat,
when/for protecting a specific asset.
(Author’s definition, where “secure” is defined according to the Oxford
English Dictionary definition)
NISCC, CNI and Smart Procurement
– National Infrastructure Security Co-ordination Centre (NISCC)
(To ensure the continuity of society in time of crisis) [NISCC 2005]
– Critical National Infrastructure (CNI)
(Known in the UK as the essential services and systems protected by
NISCC)
– Smart Procurement
(The financial issues that arise when we have to deal with large projects. In a
similar way, the MoD applies Smart Procurement in order to calculate whether
the amount of available resources needed for purchasing military
equipment is equivalent to the amount of equipment they need to purchase)
[MoD 2001]
Approaching a solution
[Figure: the Threat Assessment Intelligent Engine at the centre, linked to the
participating organisations: University A, University B, University C,
University D, University E (Glam), Corporation A, Corporation B and a
Non-Governmental Organization]
Extend existing computer and network-defensive technologies by
combining them with the information and services provided by the
NISCC, in order to design a prototype architecture that can easily be
applied in large infrastructures
Threat Assessment & Threat Response
Real-Time Threat Assessment has two very important goals.
– The first goal is to minimize the time from the moment an attack
actually starts until the moment our defence system is able to
identify it as an actual attack.
– The second goal is to minimize the amount of time our system needs
to take any required actions or deploy a set of countermeasures,
before the actual attack has finished.
Threat Assessment’s Timeframes
[Figure: timeline of an attack. The points a1, d1, d2 and a2 are marked on the
time axis; the attacker’s data that exposed him/her is generated between a1 and
d1; δ spans a1 to a2 and Δ spans d1 to d2; two further intervals labelled δ(x)
and δ(y) are also marked]
a1 - Attack Started
a2 - Attack Finished
d1 - Detected Attack
d2 - Deploy Countermeasures
δ - Lasting time of an attack
Δ - Timeframe from the moment an attack is detected until the
moment the attack is blocked.
The Idea
An efficient structure of intrusion detection data into Object-Oriented
hierarchy trees will give the system an understanding of the events
similar to the way the human brain understands the relationships between
species or objects.
Make the system aware of what it sees, and let it become conscious of the
various types of attack that exist in the wild, along with their various
subtypes. In other words, the system will not just detect an already
known or novel attack; it will have a notional understanding of the
network traffic and will be able to identify novel attacks and categorize
them based on what it knows up to that moment
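As an added illustration (not code from the paper or the project), the hierarchy-tree idea in Python: a toy taxonomy in which each subtype inherits its parent’s traffic features, and a classifier that walks the tree as far as an event’s features allow, so an event matching no leaf is still categorized under the nearest known class. The taxonomy, feature names and sample events are constructed assumptions for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

@dataclass
class AttackClass:
    """One node of the object-oriented hierarchy tree: a class of network
    event defined by the traffic features every member exhibits.
    Subtypes inherit the parent's features and add their own."""
    name: str
    features: FrozenSet[str]
    children: List["AttackClass"] = field(default_factory=list)

    def subtype(self, name: str, *extra: str) -> "AttackClass":
        child = AttackClass(name, self.features | frozenset(extra))
        self.children.append(child)
        return child

def build_taxonomy() -> AttackClass:
    # Constructed toy taxonomy for illustration, not the paper's own tree.
    root = AttackClass("network_event", frozenset())
    recon = root.subtype("reconnaissance", "probe")
    recon.subtype("port_scan", "tcp", "many_ports")
    recon.subtype("host_sweep", "icmp", "many_hosts")
    dos = root.subtype("denial_of_service", "flood")
    dos.subtype("syn_flood", "tcp", "syn")
    return root

def classify(root: AttackClass, event: FrozenSet[str]) -> Dict[str, object]:
    """Descend the tree while some child's feature set is satisfied by the
    event, preferring the most specific child. Stopping on a leaf means a
    known attack; stopping on an inner node means a novel subtype of that
    class, which is how the system categorizes what it has not seen before."""
    node = root
    while True:
        matches = [c for c in node.children if c.features <= event]
        if not matches:
            break
        node = max(matches, key=lambda c: len(c.features))
    return {
        "category": node.name,
        "known_attack": not node.children and node is not root,
        "unexplained_features": sorted(event - node.features),
    }

if __name__ == "__main__":
    tree = build_taxonomy()
    for ev in (frozenset({"probe", "tcp", "many_ports"}),    # known port scan
               frozenset({"probe", "udp", "many_ports"}),    # new recon subtype
               frozenset({"flood", "udp", "many_hosts"})):   # new DoS subtype
        print(sorted(ev), "->", classify(tree, ev))
```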
Combination of Technologies
– Multi-CPU systems
– Beowulf Clusters
– Grid Computing
– A.I. languages
– SSH, SOAP, XML, Python
– Object-Oriented Classification of Network Events
– Footprints Repository
– State of the art Intrusion Detection Systems
Need for Real-Time Threat Assessment
Real-Time Threat Assessment
Present an architecture that can be used to perform
Real-Time Threat Assessment using IDS data
– Provide a holistic picture of an attack and thus facilitate the decision
making process associated with Computer Network Defence
– Analyse and index data from a variety of distributed heterogeneous
sources via a taxonomy of object-based attack classifications
– Perform threat assessment based on the progression of an attack
using principles derived from A.I.
Summary
– Automate the Threat Assessment process over vast amounts of
information
– Identify new attacks based on patterns of behaviour using anomaly
detection.
– Prevent ongoing attacks by exchanging information in a non-centralized manner
– Protect Critical-Importance Infrastructures in Real-Time
Q&A
Thank you for your attention
Grigorios Fragkos
Information Security Research Group (ISRG)
University of Glamorgan, Wales, UK
References
• Biermann, E., Cloete, E. and Venter, L. (2001). A Comparison of Intrusion Detection Systems. Computers & Security.
• ClickZ Stats Staff (2005). Population Explosion. Available at:
http://www.clickz.com/stats/sectors/geographics/article.php/5911_151151
• CERT® Coordination Center (2005). CERT Coordination Center Statistics 1988-2003. Available at:
http://www.cert.org/stats/cert_stats.html
• Debar, H., Dacier, M. and Wespi, A. (1999). Towards a taxonomy of intrusion detection systems. Computer Networks.
• Lippmann, R. et al. (1998). Evaluating Intrusion Detection Systems: The 1998 DARPA Off-line Intrusion Detection
Evaluation. First International Workshop on Recent Advances in Intrusion Detection (RAID), Louvain-la-Neuve, Belgium.
• Lunt, T. (1993). A survey of intrusion detection techniques. Computers and Security.
• Morakis, E., Vidalis, S. and Blyth, A. J. C. (2003a). Measuring Vulnerabilities and their Exploitation Cycle. Elsevier
Information Security Technical Report, Vol. 8, No. 4.
• Morakis, E., Vidalis, S. and Blyth, A. J. C. (2003b). A Framework for Representing and Analysing Cyber Attacks Using Object
Oriented Hierarchy Trees. Second European Conference in Information Warfare, UK, pp. 235-246.
Appendices
System’s Overview
System’s Brain
Threat
• Question
What do we mean by threat when talking about security?
• Answer
A threat to a system can be defined as:
– A possible danger to the system
(Michel E. Kabay, Enterprise Security: Protecting Information Assets, McGraw-Hill, 1996)
– A circumstance that has the potential to cause loss or harm
(Charles P. Pfleeger, Security in Computing, Addison Wesley, 1997)
– A circumstance or event that could cause harm by violating security
(Rita C. Summers, Secure Computing: Threats and Safeguards, McGraw-Hill, 1997)
Threat Assessment
• Question
What is Threat Assessment?
• Answer
There are two goals in the model of Threat Assessment:
– Identify threats based on feasibility (enablers) and indicators of
potential exploitation. These threats are further categorized by the
potential likelihood they will be exploited.
– Provide an intelligence-based method of predicting, detecting, and
monitoring potential large-scale threats to business and national
security.
[Global Technology Research, Inc].
Intrusion Detection Systems (IDS)
• Technologies
– Host Based
– Network Based
– Application Based
– Stack Based
• Defence Mechanisms
– Passive
– Reactive
• Detection Mode
– Misuse Detection
– Anomaly Detection
– Specification Based
State of the Art & its limitations
Intrusion Detection Systems and security auditing systems have developed
to the point where large quantities of information relating to security
incidents can be captured, stored, indexed and classified.
• Probabilistic Methods
• Multi-pattern Search Algorithms
• Hybrid neural networks
• Learning program behaviour
• Correlation of Intrusion alerts
All the systems mentioned share a basic characteristic: they follow either
the path towards misuse detection systems or the path towards anomaly
detection systems
Real-Time
• Unification Process
A number of sensors running any type of IDS, as described earlier, log
network events into a centralized repository. The collector (or
unification process) gathers all the information before it is sent to the
repository, in order to unify the data under a single database schema
[Figure: sensors S1, S2, …, Sn send their events over SOAP and XML / RPC to
the Unification Process (U), which passes the unified data on to the Data
Repository (DB) and the Execution Engine]
U: Unification Process
S: Sensor
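An added example of the unification step described above, not the project’s own code: two hypothetical sensor record layouts are mapped onto one schema, records that cannot be mapped are set aside rather than lost, and the result is a single time-ordered stream. The field names, sensor types and sample records are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class UnifiedEvent:
    """Single schema every record is mapped to before reaching the repository."""
    sensor: str
    ts_utc: int      # seconds since the Unix epoch
    src: str
    dst: str
    category: str    # "network" or "host"
    detail: str      # the sensor's own name for what it saw

# Constructed record layouts for two hypothetical sensor types; the field
# names are assumptions for this example, not those of any real IDS.
def from_network_ids(r):
    ts = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S")
    ts = int(ts.replace(tzinfo=timezone.utc).timestamp())
    return UnifiedEvent(r["sensor_id"], ts, r["src_ip"], r["dst_ip"], "network", r["signature"])

def from_host_ids(r):
    return UnifiedEvent(r["host"], int(r["epoch"]), r["user"], r["host"], "host", r["rule"])

ADAPTERS = {"nids": from_network_ids, "hids": from_host_ids}

def unify(raw):
    """Map heterogeneous sensor records onto UnifiedEvent. Records of an unknown
    sensor type or with missing/malformed fields are set aside, not silently dropped."""
    unified, rejected = [], []
    for rec in raw:
        adapter = ADAPTERS.get(rec.get("type", ""))
        if adapter is None:
            rejected.append((rec, "unknown sensor type"))
            continue
        try:
            unified.append(adapter(rec))
        except (KeyError, ValueError) as exc:
            rejected.append((rec, f"bad record: {exc!r}"))
    unified.sort(key=lambda e: e.ts_utc)   # one time-ordered stream for the engine
    return unified, rejected

SAMPLE_RECORDS = [  # constructed sample input
    {"type": "nids", "sensor_id": "S1", "timestamp": "2005-08-15 10:00:00",
     "src_ip": "192.0.2.10", "dst_ip": "198.51.100.5", "signature": "PORT SCAN"},
    {"type": "hids", "host": "fileserver", "epoch": 1124099990,
     "user": "alice", "rule": "repeated failed logins"},
    {"type": "nids", "sensor_id": "S2", "timestamp": "not-a-time",
     "src_ip": "192.0.2.11", "dst_ip": "198.51.100.5", "signature": "SYN FLOOD"},
    {"type": "netflow", "bytes": 4096},
]
```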
System’s Architecture
[Figure: System’s Architecture. Components shown: Sensor 1, Sensor 2, …,
Sensor n; an AGENT performing load balancing and message checking; XML / SOAP
envelopes carried to a SOAP Server; the Data Repository; a Top-level
Classification Repository; the Execution Engine with its own Classification
Repository and a Footprint Repository; the Countermeasures Engine; and a
Visualization Window]