A Probabilistic Approach to Autonomic Security Management
Stefano Iannucci
Distributed Analytics and Security Institute
Mississippi State University
Starkville, Mississippi
Sherif Abdelwahed
Department of Electrical and Computer Engineering
Mississippi State University
Starkville, Mississippi
2016 IEEE International Conference on Autonomic Computing
Summarized by Pranav Veldurthy
Presentation Summary
• Introduction
• System Overview
• Contributions and Organization
• System Model
  • States Characterization
  • Reward Function
  • Response Actions
  • Termination Function
• Performance Evaluation
  • Experimental Results
  • Vulnerabilities
  • Snort Configuration
  • Simulation of Controller Behavior
• Conclusion and Future Work
Introduction
• Attack frequency has increased (more than doubled) compared to the previous year.
• Intrusion Detection Systems (IDS) – the complexity and number of alerts keep growing; attacks with a non-zero probability of success cause constant damage.
• Intrusion Response Systems (IRS):
  • Static mapping – detected attack to countermeasure.
  • Dynamic evaluation of all available response actions.
• Markov Decision Process (MDP) – used to compose response policies from atomic response actions.
Vulnerabilities
• CVE-2004-2687 – distcc 2.x; compilation jobs are executed by the server without authorization checks.
• CVE-2011-3556 – the RMI Registry and RMI Activation services load classes from a remote URL.
Snort Configuration
• Snort helps in detecting malicious traffic but cannot stop it.
• Three rule sets:
  • Community Rules – publicly available.
  • Registered Rules – freely available.
  • Subscriber Rules – Cisco subscription plan.
• CVE-2012-2335 was detected.
• Wireshark is used to find characteristic signatures.
• OSVDB-73753 exploit analysis.
• Result: ":)" for every suspicious login alert.
Simulation of Controller Behavior
• Three simulations, each run 1000 times, using the value iteration (VI) algorithm.
• Portscan attack:
  • Response time optimization with discount factor = 0.9 yields 14 equivalent policies, such as: generateAlert, increaseLogVerb, increaseLogVerb, increaseLogVerb, increaseLogVerb, increaseLogVerb, activateFirewall, blockSrcIP, unblockSrcIP, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb.
  • Policies are split into i) preparation, ii) response, iii) conclusion.
• Vulnerability exploit:
  • Response time optimization with discount factor = 0.9 yields 15 equivalent policies, such as: increaseLogVerb, generateAlert, activateFirewall, increaseLogVerb, increaseLogVerb, increaseLogVerb, increaseLogVerb, systemReboot, backup, softwareUpdate, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb.
  • Policies are split into i) first preparation, ii) first response attempt, iii) second preparation, iv) second response attempt, v) conclusion.
• Combined vulnerability exploit and response time:
  • Response time optimization with discount factor = 0.9 yields 17 equivalent policies, such as: generateAlert, increaseLogVerb, activateFirewall, increaseLogVerb, blockSrcIP, increaseLogVerb, increaseLogVerb, increaseLogVerb, systemReboot, backup, softwareUpdate, unblockSrcIP, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb.
  • Policies are split into i) first preparation, ii) first response attempt, iii) second preparation, iv) second response attempt, v) third preparation, vi) third response attempt, vii) conclusion.
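The slides describe the controller abstractly (a state model, a response-time reward, atomic response actions, a termination function, and value iteration with discount factor 0.9) and then show the preparation/response/conclusion shape of the resulting policies. The Python below is an added example that works the same machinery through on a toy model; it is not the paper's model or code, and the state variables, action costs, block-success probabilities and the per-step damage penalty are all assumptions chosen to keep it small (generateAlert, systemReboot, backup and softwareUpdate are left out).

```python
"""Toy MDP intrusion-response controller solved by value iteration.

Added illustration, not the paper's model or code. The state layout, action
costs, block-success probabilities and the damage penalty are all assumptions
chosen to keep the example small; the action set omits generateAlert,
systemReboot, backup and softwareUpdate.
"""
from itertools import product

GAMMA = 0.9        # discount factor, the value the slides use
DAMAGE = 5.0       # assumed cost paid every step while the threat is active
MAX_VERB = 2       # assumed log verbosity levels 0..2

# Assumed response time of each atomic action (the quantity being optimised).
ACTION_TIME = {
    "increaseLogVerb": 1.0,
    "decreaseLogVerb": 1.0,
    "activateFirewall": 4.0,
    "blockSrcIP": 2.0,
    "unblockSrcIP": 2.0,
}
# Assumed probability that blocking the source resolves the threat; more
# logging evidence is modelled as a better chance of blocking the right host.
BLOCK_SUCCESS = {0: 0.2, 1: 0.4, 2: 0.9}

# State = (threat_active, firewall_on, source_blocked, log_verbosity)
STATES = list(product((0, 1), (0, 1), (0, 1), range(MAX_VERB + 1)))


def is_terminal(s):
    """Termination function: threat resolved and the system back at baseline."""
    threat, _fw, blocked, verb = s
    return threat == 0 and blocked == 0 and verb == 0


def transitions(s, a):
    """Transition model: list of (probability, next_state) for action a in s."""
    threat, fw, blocked, verb = s
    if a == "increaseLogVerb":
        return [(1.0, (threat, fw, blocked, min(verb + 1, MAX_VERB)))]
    if a == "decreaseLogVerb":
        return [(1.0, (threat, fw, blocked, max(verb - 1, 0)))]
    if a == "activateFirewall":
        return [(1.0, (threat, 1, blocked, verb))]
    if a == "unblockSrcIP":
        return [(1.0, (threat, fw, 0, verb))]
    if a == "blockSrcIP":
        if not fw:                      # assumed: without a firewall the block is a no-op
            return [(1.0, s)]
        p = BLOCK_SUCCESS[verb] if threat else 0.0
        return [(p, (0, fw, 1, verb)), (1.0 - p, (threat, fw, 1, verb))]
    raise ValueError(a)


def cost(s, a):
    """Negative reward: response time plus damage while the threat persists."""
    return ACTION_TIME[a] + (DAMAGE if s[0] else 0.0)


def q_value(V, s, a):
    """Expected discounted return of taking a in s, then following V."""
    return -cost(s, a) + GAMMA * sum(p * V[s2] for p, s2 in transitions(s, a))


def value_iteration(eps=1e-9):
    """Compute the optimal value function and a greedy policy over it."""
    V = {s: 0.0 for s in STATES}
    while True:
        delta = 0.0
        for s in STATES:
            if is_terminal(s):
                continue                # terminal states keep value 0
            best = max(q_value(V, s, a) for a in ACTION_TIME)
            delta = max(delta, abs(best - V[s]))
            V[s] = best
        if delta < eps:
            break
    policy = {s: max(ACTION_TIME, key=lambda a: q_value(V, s, a))
              for s in STATES if not is_terminal(s)}
    return V, policy


def rollout(policy, start, max_steps=20):
    """Follow the policy along the most likely transition until termination."""
    s, actions = start, []
    while not is_terminal(s) and len(actions) < max_steps:
        a = policy[s]
        actions.append(a)
        s = max(transitions(s, a), key=lambda ps: ps[0])[1]
    return actions


if __name__ == "__main__":
    V, policy = value_iteration()
    start = (1, 0, 0, 0)   # threat detected, no firewall, nothing blocked, quiet logs
    print("expected discounted cost from start: %.3f" % -V[start])
    print(" -> ".join(rollout(policy, start)))
```

Running it from the start state prints the policy increaseLogVerb, increaseLogVerb, activateFirewall, blockSrcIP, decreaseLogVerb, decreaseLogVerb, unblockSrcIP: the preparation/response/conclusion structure the slides report falls out of the optimisation rather than being scripted, because the damage term makes resolving the threat worth the response time and the verbosity-dependent success probability makes preparation worth its cost. The order within a phase (verbosity before the firewall, verbosity back down before the unblock) is a discounting effect: the steps cost the same in total, and with GAMMA below 1 the controller defers the more expensive one. The 1000-run simulations in the slides would correspond to Monte Carlo rollouts that sample from `transitions` instead of always taking the most likely branch as `rollout` does here.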
Conclusions and Future Work
• During the last decade many IRSs have been proposed to face the increasing frequency and complexity of attacks.
• All the proposed approaches, however, considered only either a static mapping of the best response action to the currently detected attack or the dynamic evaluation of the available response actions according to a set of pre-defined attributes.
• This paper introduced an MDP-based controller that supports long-term planning by exploiting the concept of system state, which decouples the attack from the response.
• Experimental results show that long-term planned policies provide better results than short-term ones, and that the threat resolution time can be reduced by up to 56% in the considered scenario.
• For future work, a meta-model will be defined with standard components and connections that system administrators could use to visually design the model of their system.
• Such a meta-model will enable the development of standard attack and response libraries that, integrated with the personalized system model, will allow the IRS to provide response policies tailored to the specific system.