Security Threat Assessment across Large Network Infrastructures

Grigorios Fragkos
Research Student – Information Security Research Group
School of Computing, University of Glamorgan, UK
[email protected]

Copyright 2005 © Fragkos Grigorios, Blyth Andrew. Security Threat Assessment across Large Network Infrastructures, Safeguarding National Infrastructures: Integrated Approaches to Failure in Complex Networks, University of Glasgow, UK, August 2005
Uploaded Mar 28, 2015

Transcript

Page 1 (title slide, as above)

Page 2

The Wired & Wireless Gaia

The worldwide internet population was already 934 million in 2004 and is projected to reach 1.21 billion in 2006 [ClickZ Stats Staff 2005].

Reported security incidents have grown from 6 in 1988 to 21,756 in 2000 and on to 137,529 in 2003 [CERT 2005].

Page 3

Security…

Safeguarding Large Network Infrastructures

Why is it still a problem?

a) Why do network infrastructures still suffer from attacks, and why are we still wondering why we cannot deal efficiently with security-related issues by taking active countermeasures against them?

b) Should today's security still be considered a technology problem?

c) How, and with what kind of system built with security in mind, could large network infrastructures be protected efficiently by performing threat assessment?

Page 4

What is Security?

– The Cambridge Dictionary describes security as: "The ability to avoid being harmed by any risk, danger or threat"

– The Oxford English Dictionary describes security as: "The state of being or feeling secure", where "secure" is described as "protected against attack or other criminal activity"

Do we need a definition that describes achievable goals in a more realistic and practical way?

Page 5

Defining Security

The state of being or feeling secure, by having the ability to avoid being harmed at an irrecoverable level by any risk, danger or threat, when/for protecting a specific asset.

(Author's definition, where "secure" is defined according to the Oxford dictionary definition)

Page 6

NISCC, CNI and Smart Procurement

– National Infrastructure Security Co-ordination Centre (NISCC): to ensure the continuity of society in time of crisis [NISCC 2005]

– Critical National Infrastructure (CNI): known in the UK as the essential services and systems protected by NISCC

– Smart Procurement: the financial issues that arise when dealing with large projects. In a similar way, the MoD applies Smart Procurement to determine whether the resources available for purchasing military equipment match the amount of equipment it needs to purchase [MoD 2001]

Page 7

Approaching a solution

[Diagram: nodes UniversityA, UniversityB, UniversityC, UniversityD, UniversityE (Glam), CorporationA, CorporationB and a Non-Governmental Organization, with an Intelligent Engine (Threat Assessment) among them]

Expand existing computer and network-defensive technologies by combining them with the information and services provided by the NISCC, in order to design a prototype architecture that can easily be applied to large infrastructures.

Page 8

Threat Assessment & Threat Response

Real-Time Threat Assessment has two very important goals.

– The first goal is to minimize the time from the moment an attack actually starts until the moment our defence system is able to identify it as an actual attack.

– The second goal is to minimize the time our system needs to take any required actions, or deploy a set of countermeasures, before the actual attack has finished.

Page 9

Threat Assessment's Timeframes

[Timeline diagram: points a1, d1, d2 and a2 on the time axis; δ spans the whole attack from a1 to a2, with δ(x) and δ(y) marking its parts, and Δ spans d1 to d2. The attacker's data generated during the attack is what exposes him/her.]

a1 - Attack Started
a2 - Attack Finished
d1 - Detected Attack
d2 - Deploy Countermeasures

δ - Lasting time of an attack
Δ - Timeframe from the moment an attack is detected until the moment the attack is blocked
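The timeframe model can be made concrete. The following is an added example written for this page, not code from the presentation: it records a1, a2, d1 and d2 for a set of constructed attacks, derives δ and Δ, and checks the two goals of Page 8 (detection lag d1 - a1, and whether countermeasures were deployed before a2). Timestamps are seconds on a shared clock; the sample attacks and their names are invented for illustration.

```python
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional


@dataclass(frozen=True)
class AttackTimeline:
    """Timestamps for one attack, in seconds on a common clock, using the slide's symbols.
    d1 / d2 are None when the attack was never detected / never blocked."""
    name: str
    a1: float             # attack started
    a2: float             # attack finished
    d1: Optional[float]   # attack detected
    d2: Optional[float]   # countermeasures deployed

    def delta(self) -> float:
        """δ: lasting time of the attack."""
        return self.a2 - self.a1

    def detection_lag(self) -> Optional[float]:
        """Goal 1: time from attack start until it is identified as an attack (d1 - a1)."""
        return None if self.d1 is None else self.d1 - self.a1

    def big_delta(self) -> Optional[float]:
        """Δ: time from detection until the attack is blocked (d2 - d1)."""
        if self.d1 is None or self.d2 is None:
            return None
        return self.d2 - self.d1

    def blocked_in_time(self) -> bool:
        """Goal 2: countermeasures deployed before the attack finished (d2 < a2)."""
        return self.d2 is not None and self.d2 < self.a2

    def verdict(self) -> str:
        if self.d1 is None:
            return "undetected"
        if self.d2 is None:
            return "detected, never blocked"
        return "blocked during attack" if self.blocked_in_time() else "blocked after attack ended"


def summarize(attacks: List[AttackTimeline]) -> dict:
    """Aggregate the two goals over many attacks: how fast we detect (Goal 1),
    how fast we respond (Δ) and how often the response lands inside δ (Goal 2)."""
    lags = [a.detection_lag() for a in attacks if a.detection_lag() is not None]
    deltas = [a.big_delta() for a in attacks if a.big_delta() is not None]
    return {
        "attacks": len(attacks),
        "detected": len(lags),
        "blocked_in_time": sum(a.blocked_in_time() for a in attacks),
        "mean_detection_lag": mean(lags) if lags else None,
        "mean_big_delta": mean(deltas) if deltas else None,
        "mean_delta": mean(a.delta() for a in attacks) if attacks else None,
    }


# Constructed sample, not data from the slides.
SAMPLE_ATTACKS = [
    AttackTimeline("ssh brute force", a1=0, a2=600, d1=30, d2=90),
    AttackTimeline("short burst", a1=0, a2=120, d1=20, d2=200),
    AttackTimeline("silent exfiltration", a1=0, a2=300, d1=None, d2=None),
    AttackTimeline("web scan", a1=100, a2=400, d1=250, d2=None),
]

if __name__ == "__main__":
    for a in SAMPLE_ATTACKS:
        print(f"{a.name:20s} δ={a.delta():6.0f}  lag={a.detection_lag()}  "
              f"Δ={a.big_delta()}  -> {a.verdict()}")
    print(summarize(SAMPLE_ATTACKS))
```

Δ on its own is a poor metric: in the "short burst" sample it is 180 s, but because d2 falls after a2 the countermeasures protected nothing. What Goal 2 asks is d2 against a2, which is why `blocked_in_time` compares with the end of the attack rather than with d1.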

Page 10

The Idea

An efficient structure of intrusion detection data into Object-Oriented hierarchy trees will give the system an understanding of events similar to the way the human brain understands the relationships between species or objects.

Make the system aware of what it sees, and conscious of the various types of attacks that exist in the wild, along with their various subtypes. In other words, the system will not just detect an already known or novel attack; it will have a notional understanding of the network traffic and will be able to identify novel attacks and categorize them based on what it knows up to that moment.
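One way to realise the hierarchy-tree idea is to let a class hierarchy itself be the taxonomy and to classify by descending it. The code below is an added example written for this page, not the author's or the ISRG's system; the event classes, their recognition rules (port counts, TCP flag strings, a NOP-sled byte pattern, a "../" substring) and the `Observation` fields are all constructed for illustration and deliberately simplistic.

```python
from dataclasses import dataclass
from typing import List, Tuple, Type


@dataclass(frozen=True)
class Observation:
    """One normalised sensor observation for a (src, dst) pair over a time window.
    Constructed field set, not a real IDS schema."""
    src: str
    dst: str
    proto: str
    dports: Tuple[int, ...]   # destination ports seen in the window
    tcp_flags: str = ""       # flags set on the packets, e.g. "S"; "" for non-TCP
    payload: bytes = b""


class NetworkEvent:
    """Root of the hierarchy tree: every observation is at least a network event."""
    @classmethod
    def recognises(cls, obs: Observation) -> bool:
        return True


class Probe(NetworkEvent):
    """Reconnaissance: one source touching many distinct ports on one destination."""
    @classmethod
    def recognises(cls, obs: Observation) -> bool:
        return len(set(obs.dports)) >= 10


class SynScan(Probe):
    @classmethod
    def recognises(cls, obs: Observation) -> bool:
        return obs.proto == "tcp" and obs.tcp_flags == "S"


class FinScan(Probe):
    @classmethod
    def recognises(cls, obs: Observation) -> bool:
        return obs.proto == "tcp" and obs.tcp_flags == "F"


class UdpScan(Probe):
    @classmethod
    def recognises(cls, obs: Observation) -> bool:
        return obs.proto == "udp"


class PayloadEvent(NetworkEvent):
    """Traffic to a single port carrying application data."""
    @classmethod
    def recognises(cls, obs: Observation) -> bool:
        return len(set(obs.dports)) == 1 and len(obs.payload) > 0


class NopSled(PayloadEvent):
    """Constructed heuristic for shellcode: a run of x86 NOPs in the payload."""
    @classmethod
    def recognises(cls, obs: Observation) -> bool:
        return b"\x90" * 16 in obs.payload


class PathTraversal(PayloadEvent):
    @classmethod
    def recognises(cls, obs: Observation) -> bool:
        return b"../" in obs.payload


def classify(obs: Observation, root: Type[NetworkEvent] = NetworkEvent) -> Tuple[List[str], bool]:
    """Walk down the tree while some subclass recognises the observation.
    Returns the path root..most-specific class and a novelty flag, True when the most
    specific class has known subtypes but none of them matched: the event is categorised
    by what the tree knows and marked as a subtype it does not know yet."""
    node = root
    path = [node.__name__]
    while True:
        children = node.__subclasses__()
        nxt = next((c for c in children if c.recognises(obs)), None)
        if nxt is None:
            return path, bool(children)
        node = nxt
        path.append(node.__name__)


def known_classes(root: Type[NetworkEvent] = NetworkEvent) -> List[str]:
    """Depth-first listing of what the system knows up to this moment."""
    out = [root.__name__]
    for child in root.__subclasses__():
        out.extend(known_classes(child))
    return out


# Constructed observations, not captured traffic.
SYN_SCAN = Observation("10.0.0.5", "10.0.0.9", "tcp", tuple(range(1, 21)), tcp_flags="S")
XMAS_SCAN = Observation("10.0.0.5", "10.0.0.9", "tcp", tuple(range(1, 21)), tcp_flags="FPU")
TRAVERSAL = Observation("10.0.0.7", "10.0.0.9", "tcp", (80,), "PA", b"GET /../../etc/passwd HTTP/1.0")
PLAIN_GET = Observation("10.0.0.8", "10.0.0.9", "tcp", (80,), "PA", b"GET /index.html HTTP/1.0")

if __name__ == "__main__":
    for obs in (SYN_SCAN, XMAS_SCAN, TRAVERSAL, PLAIN_GET):
        path, novel = classify(obs)
        print("/".join(path), "(novel subtype)" if novel else "")
```

The novelty flag is the point of the slide: the Xmas-style scan (flags FPU) matches no known leaf, yet it is still categorised as a Probe because its parent recognises it, so the engine can respond at the Probe level while a human, or a later training step, names the new subtype. Equally, an ordinary GET lands on PayloadEvent as an unknown subtype; the tree says what the system knows so far, not whether the traffic is hostile.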

Page 11

Combination of Technologies

– Multi-CPU systems
– Beowulf Clusters
– Grid Computing
– A.I. languages
– SSH, SOAP, XML, Python

– Object-Oriented Classification of Network Events
– Footprints Repository
– State-of-the-art Intrusion Detection Systems

Page 12

Need for Real-Time Threat Assessment

Page 13

Real-Time Threat Assessment

Present an architecture that can be used to perform Real-Time Threat Assessment using IDS data

– Provide a holistic picture of an attack and thus facilitate the decision-making process associated with Computer Network Defence

– Analyse and index data from a variety of distributed heterogeneous sources via a taxonomy of object-based attack classifications

– Perform threat assessment based on the progression of an attack using principles derived from A.I.

Page 14

Summary

– Automate the Threat Assessment process across vast amounts of information

– Identify new attacks based on patterns of behaviour using anomaly detection

– Prevent ongoing attacks by exchanging information in a non-centralized manner

– Protect Critical-Importance Infrastructures in Real-Time

Page 15

Q & A

Thank you for your attention

Grigorios Fragkos

Information Security Research Group (ISRG)

University of Glamorgan, Wales, UK

Page 16

References

• Biermann, E., Cloete, E. and Venter, L. (2001). A Comparison of Intrusion Detection Systems. Computers & Security.

• ClickZ Stats Staff (2005). Population Explosion. Available at: http://www.clickz.com/stats/sectors/geographics/article.php/5911_151151

• CERT® Coordination Center (2005). CERT Coordination Center Statistics 1988-2003. Available at: http://www.cert.org/stats/cert_stats.html

• Debar, H., Dacier, M. and Wespi, A. (1999). Towards a taxonomy of intrusion detection systems. Computer Networks.

• Lippmann, R. et al. (1998). Evaluating Intrusion Detection Systems: The 1998 DARPA Off-line Intrusion Detection Evaluation. First International Workshop on Recent Advances in Intrusion Detection (RAID), Louvain-la-Neuve, Belgium.

• Lunt, T. (1993). A survey of intrusion detection techniques. Computers and Security.

• Morakis, E., Vidalis, S. and Blyth, A. J. C. (2003a). Measuring Vulnerabilities and their Exploitation Cycle. Elsevier Information Security Technical Report, Vol. 8, No. 4.

• Morakis, E., Vidalis, S. and Blyth, A. J. C. (2003b). A Framework for Representing and Analysing Cyber Attacks Using Object Oriented Hierarchy Trees. Second European Conference in Information Warfare, UK, pp. 235-246.

Page 17

Appendices

Page 18

System's Overview

Page 19

System's Brain

Page 20

Threat

• Question

What do we mean by threat when talking about security?

• Answer

A threat to a system can be defined as:

– A possible danger to the system (Michel E. Kabay, Enterprise Security: Protecting Information Assets, McGraw-Hill, 1996)

– A circumstance that has the potential to cause loss or harm (Charles P. Pfleeger, Security in Computing, Addison Wesley, 1997)

– A circumstance or event that could cause harm by violating security (Rita C. Summers, Secure Computing: Threats and Safeguards, McGraw-Hill, 1997)

Page 21

Threat Assessment

• Question

What is Threat Assessment?

• Answer

There are two goals in the model of Threat Assessment:

– Identify threats based on feasibility (enablers) and indicators of potential exploitation. These threats are further categorized by the likelihood that they will be exploited.

– Provide an intelligence-based method of predicting, detecting and monitoring potential large-scale threats to business and national security.

[Global Technology Research, Inc]

Page 22

Intrusion Detection Systems (IDS)

• Technologies
– Host Based
– Network Based
– Application Based
– Stack Based

• Defence Mechanisms
– Passive
– Reactive

• Detection Mode
– Misuse Detection
– Anomaly Detection
– Specification Based

Page 23

State of the Art & its limitations

Intrusion Detection Systems and security auditing systems have developed to the point where large quantities of information relating to security incidents can be captured, stored, indexed and classified.

• Probabilistic Methods
• Multi-pattern Search Algorithms
• Hybrid neural networks
• Learning program behaviour
• Correlation of Intrusion alerts

All the systems mentioned share one basic characteristic: they follow the path of becoming either misuse detection systems or anomaly detection systems.

Page 24

Real-Time

• Unification Process

A number of sensors running any type of IDS, as described earlier, log network events into a centralized repository. The collector (or unification process) gathers all the information before it is sent to the repository, in order to unify the data under a single database schema.

[Diagram: sensors S1, S2, … Sn feed U (Unification Process), which writes to the DB (Data Repository); the repository is reached over SOAP / XML-RPC by the Execution Engine. U: Unification Process; S: Sensor.]
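What the unification process has to do is best seen on heterogeneous records. Below is an added example, not part of the original architecture or its code: three sensor record styles (a line in the style of Snort's "fast" alert output, a constructed key=value host-IDS line, and a constructed JSON record from an application sensor) are mapped onto one `UnifiedEvent` schema. The schema fields, the sensor names, the severity mapping and all sample lines are assumptions made for this illustration.

```python
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class UnifiedEvent:
    """The single schema every sensor record is mapped to (assumed field set)."""
    sensor: str
    time: datetime              # UTC
    src: str
    dst: Optional[str]          # address or host name, whatever the sensor reports
    src_port: Optional[int]
    dst_port: Optional[int]
    proto: Optional[str]
    signature: str
    severity: int               # 1 = highest, 3 = lowest (Snort priority convention)


# Network IDS line in the style of Snort's "fast" alert output (its timestamp carries no year).
SNORT_FAST = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")
# Host IDS line: syslog-like prefix followed by key=value pairs (constructed format).
KV_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<sensor>\w+)\[\d+\]:\s+(?P<kv>.*)$")
KV_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')
SEVERITY_WORDS = {"high": 1, "medium": 2, "low": 3}


def _utc(text: str, fmt: str) -> datetime:
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def parse_snort_fast(line: str, year: int) -> Optional[UnifiedEvent]:
    m = SNORT_FAST.match(line)
    if not m:
        return None
    return UnifiedEvent("snort", _utc(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f"),
                        m["src"], m["dst"],
                        int(m["sport"]) if m["sport"] else None,
                        int(m["dport"]) if m["dport"] else None,
                        m["proto"].lower(), m["msg"], int(m["prio"]))


def parse_hostids(line: str) -> Optional[UnifiedEvent]:
    m = KV_LINE.match(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_PAIR.findall(m["kv"])}
    if "rule" not in kv or "src" not in kv:
        return None
    return UnifiedEvent(m["sensor"], _utc(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                        kv["src"], kv.get("host"), None, None, None,
                        kv["rule"], SEVERITY_WORDS.get(kv.get("sev", "low"), 3))


def parse_appids_json(line: str) -> Optional[UnifiedEvent]:
    try:
        rec = json.loads(line)
        return UnifiedEvent(rec["sensor"], _utc(rec["time"], "%Y-%m-%dT%H:%M:%SZ"),
                            rec["client"], rec["server"], None, int(rec["port"]),
                            None, rec["event"], int(rec["severity"]))
    except (ValueError, KeyError, TypeError):
        return None


def unify(lines: List[str], year: int) -> Tuple[List[UnifiedEvent], List[str]]:
    """The collector: map every record onto UnifiedEvent, ordered by time.
    Lines no parser accepts are returned, not dropped, so a sensor format change is noticed."""
    events: List[UnifiedEvent] = []
    rejected: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ev = parse_snort_fast(line, year) or parse_hostids(line) or parse_appids_json(line)
        if ev is None:
            rejected.append(line)
        else:
            events.append(ev)
    events.sort(key=lambda e: e.time)
    return events, rejected


def by_source(events: List[UnifiedEvent]) -> Dict[str, List[str]]:
    """Once everything shares one schema, correlating across sensor types is trivial."""
    out: Dict[str, List[str]] = {}
    for e in events:
        out.setdefault(e.src, []).append(e.signature)
    return out


# Constructed records from three different sensor types, not captured data.
SAMPLE_LINES = [
    '08/14-10:02:11.123456  [**] [1:2003:8] SCAN Potential SSH Scan [**] '
    '[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.7:22',
    '2005-08-14T10:02:13Z hostids[421]: host=web01 sev=high rule=sshd-bruteforce '
    'src=192.0.2.10 msg="12 failed logins for root"',
    '{"sensor": "appids-2", "time": "2005-08-14T10:02:12Z", "event": "sql-injection", '
    '"severity": 1, "client": "192.0.2.10", "server": "198.51.100.7", "port": 80}',
    'a line in a format no collector parser knows',
]

if __name__ == "__main__":
    events, rejected = unify(SAMPLE_LINES, year=2005)
    for e in events:
        print(e.time.isoformat(), e.sensor, e.src, "->", e.dst, e.signature, "sev", e.severity)
    print("by source:", by_source(events))
    print("rejected:", rejected)
```

Two details matter at the collector. Snort-style fast alerts carry no year, so the collector has to supply one (here the `year` argument) or time ordering across sensors breaks silently at New Year. And lines that no parser accepts are returned rather than dropped: a sensor that changes its output format should show up as a growing `rejected` list, not as a quiet fall in event volume.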

Page 25

System's Architecture

[Architecture diagram. Components: Sensor 1, Sensor 2, … Sensor n; Data Repository; SOAP Agent, whose message travels as an XML / SOAP envelope to the SOAP Server; Execution Engine; Visualization Window; Countermeasures Engine; Classification Repository; Footprint Repository. Edge labels: "check Top level Classification Repository", "load balancing".]