Research Direction Introduction
Advisor: Professor Frank, Y.S. Lin
Presented by Chi-Hsiang Chan
1
2011/10/11
Agenda
- Introduction
  - Collaborative Attack
  - Virtualization
- Problem description
- Scenario
Collaborative Attack
- Collaborative attacks are characterized by the prevalence of coordination before and during attacks. [1]
- Collaborative attacks in general would involve multiple human attackers or criminal organizations that have respective adversarial expertise but may not fully trust each other.
- Collaborative attacks are more powerful than the sum of the underlying individual attacks that can be launched by the individual attackers independently.
Collaborative Attack
Advantages of Collaborative Attack [2]
- Coordinated attacks could be designed to avoid detection.
- It is difficult to differentiate between decoy and actual attacks.
- There is a large variety of coordinated attacks.
Virtualization
Definition
- Virtualization refers to technologies designed to provide a layer of abstraction between computer hardware systems and the software running on them. [3]
(Figure) Source: vmware
Virtualization
Benefit
- Lower cost
- Efficiency
- Scalability
- Easy to run multiple operating system environments
- Increases space utilization efficiency in your data center through server consolidation
- Virtualization is the key to cloud computing
IDS
- An intrusion detection system (IDS) is a security system that monitors computer systems and network traffic and analyzes that traffic for possible hostile attacks originating from outside the organization and also for system misuse or attacks originating from inside the organization. [4]
- Provides more protection than a firewall, which only filters incoming traffic from the Internet.
IDS
Two types of IDS
- Host IDS (HIDS)
- Network IDS (NIDS)
The trade-off is evident when comparing HIDS and NIDS:
- NIDS offers high attack resistance at the cost of visibility.
- HIDS offers high visibility but sacrifices attack resistance.
Problem Description
Attacker View
- Commander
- Attackers
  - Initial location
  - Budget
  - Capability
  - Objective
    - Steal confidential information
    - Service disruption
Defender View
Special Defense Resource
- Cost budget
  - VM IDS (Signature) [5]
  - Cloud security service
- Costless (decreases QoS)
  - VM local defense
  - Dynamic topology reconfiguration [6]
Per Hop Decision
- Period decision
  - Early stage
  - Late stage
- Strategy decision by criteria
  - compromise → risk avoidance
  - pretend to attack → risk tolerance
- No. of attackers
- Choose ideal attackers
  - Aggressiveness
  - Attack energy
  - Budget
  - Capability
Time Issue
- Attackers
  - Compromise time
  - Recovery time
- Defender
  - Signature generation
  - Reconfiguration impact on QoS
Synergy
- Pros
  - Decreases the budget cost of each attacker
  - Less recovery time
  - Less compromise time
- Cons
  - Probability of being detected
Early Period, Risk Avoidance
Purpose
- Try to compromise nodes as fast as they can
- Keep the stronger attackers for compromising core nodes
Scenario
Diagram legend:
- General node
- Core node
- Cloud security agent
- Third party's defense center
- VMM environment
- Cloud security provider
Scenario walkthrough (a network diagram of nodes A–J is shown on each of the following slides; only the slide titles are recoverable):
- Scenario
- Early Stage Attack Strategy
- Local Defense
- Signature generating… / IPDS request signature
- Late Stage Attack Strategy (signature generating…)
- Attack VMM (signature generating…)
- Risk Level, Reconfiguration (signature generating…)
- Cloud Security Service (signature generating…)
- Transfer Signature
- Failure of Attacker
- Failure of Defender
Thanks for listening!
References
[1] S. Xu, "Collaborative Attack vs. Collaborative Defense", Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, Volume 10, Part 2, pp. 217-228, 2009.
[2] S. Braynov and M. Jadliwala, "Representation and Analysis of Coordinated Attacks", FMSE'03, 2003.
[3] J. K. Waters, "Virtualization Definition and Solutions", 2008, http://www.cio.com/article/40701/Virtualization_Definition_and_Solutions
[4] SANS Institute InfoSec Reading Room, "Intrusion Detection Systems: Definition, Need and Challenges", 2001.
[5] T. Garfinkel and M. Rosenblum, "A Virtual Machine Introspection Based Architecture for Intrusion Detection", Proc. Network and Distributed Systems Security Symposium, 2003.
[6] M. Atighetchi, P. Pal, F. Webber and C. Jones, "Adaptive Use of Network-Centric Mechanisms in Cyber-Defense", BBN Technologies LLC.
Appendix
Host-based IDS
- HIDS obtains information by watching local activity on a host: processes, system calls, logs, etc.
- Advantages:
  - Detailed information about system activities.
  - Greater accuracy and fewer false positives.
- Weakness:
  - Highly dependent on host systems.
  - Can be deactivated or tampered with by a successful intruder.
Network-based IDS
- NIDS obtains data by monitoring the traffic in the network.
- Advantages:
  - Operating-system-independent.
  - Can detect attack attempts outside the firewall.
  - Difficult for attackers to erase their evidence.
- Weakness:
  - In high-traffic networks, a network monitor could potentially miss packets or become a bottleneck.
  - Hard to get detailed information about hosts.
Period
- N: the total number of nodes in the Defense Network.
- F: the total number of compromised nodes in the Defense Network.
Selection Criteria
No. of Attackers
- M: number of selected candidates
- Success Rate (SR) = Risk Avoidance Compromised / Risk Avoidance Attacks