Security Threat Assessment across Large Network Infrastructures – Grigorios Fragkos, Research Student – Information Security Research Group
Security Threat Assessment across Large Network Infrastructures
Grigorios Fragkos
Research Student – Information Security Research Group
School of Computing, University of Glamorgan, UK
The Wired & Wireless Gaia
The worldwide internet population is already at 934 million in 2004 and projected to reach 1.21 billion
The reported security incidents have grown from 6 in 1988 to 21,756 in 2000 and subsequently to 137,529 in 2003 [CERT 2005]
Security…
Safeguarding Large Network Infrastructures
Why is it still a problem?
a) Why do network infrastructures still suffer from attacks, and why are we still wondering why we cannot deal efficiently with security-related issues by taking active countermeasures against them?
b) Should today’s security still be considered a technology problem?
c) What kind of system, built with security in mind, could protect large network infrastructures efficiently by performing threat assessment, and how?
What is Security?
– The Cambridge Dictionary describes security as: “The ability to avoid being harmed by any risk, danger or threat”
– Also, the Oxford English Dictionary describes security as: “The state of being or feeling secure” …where “secure” is described as “protected against attack or other criminal activity”
Do we need a definition that describes achievable goals in a more realistic and practical way?
Defining Security
The state of being or feeling secure, by having the ability to avoid being harmed at an irrecoverable level, by any risk, danger or threat, when/for protecting a specific asset.
(Author’s definition, where “secure” is defined according to the Oxford dictionary’s definition)
NISCC, CNI and Smart Procurement
– National Infrastructure Security Co-ordination Centre (NISCC) (To ensure the continuity of society in time of crisis) [NISCC 2005]
– Critical National Infrastructure (CNI) (Known in the UK as the essential services and systems protected by NISCC)
– Smart Procurement (The financial issues arising when we have to deal with large projects. In a similar way, the MoD applies Smart Procurement in order to calculate whether the amount of available resources needed for purchasing military equipment is equivalent to the amount of equipment they need to purchase) [MoD 2001]
Approaching a solution
[Figure: architecture diagram in which UniversityA, UniversityB, UniversityC, UniversityD, UniversityE (Glam), CorporationA, CorporationB and a Non-Governmental Organization all connect to a central Intelligent Engine performing Threat Assessment]
Expand existing computer and network-defensive technologies by combining them with the information and services provided by the NISCC, in order to design a prototype architecture that could be easily applied in large infrastructures
Real-Time Threat Assessment has two very important goals.
– The first goal is to minimize the time from the moment an attack actually started until the moment our defence system is able to identify it as an actual attack.
– The second goal we are trying to achieve is to minimize the amount of time our system needs to take any required actions or deploy a set of countermeasures, before the actual attack has finished.
δ - Lasting time of an attack
Δ - Timeframe from the moment an attack is detected until the moment the attack is blocked.
The Idea
An efficient structuring of intrusion detection data into Object-Oriented hierarchy trees will give the system an understanding of the events similar to the way the human brain understands how species or objects relate to one another.
Make a system aware of what it sees, and thus conscious of the various types of attacks that exist in the wild, along with their various subtypes. In other words, the system will not just detect an already known or novel attack, but it will have a notional understanding of the network traffic and will be able to identify novel attacks and categorize them based on what it knows up to that moment.
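To make the hierarchy-tree idea concrete, here is an added example (not code from the presentation or the research group's prototype) built on a hypothetical taxonomy in which each attack class requires a set of event attributes; an event that matches no known subtype is categorized at its closest known ancestor, which is how a novel attack gets a place in the tree from what the system knows so far.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical attack taxonomy (not the paper's own tree): every node is an
# attack class and its children are subtypes. A node's feature set is the set
# of event attributes an event must carry to be placed at or below that node.
@dataclass
class AttackClass:
    name: str
    features: frozenset
    parent: Optional["AttackClass"] = None
    children: list = field(default_factory=list)

    def add(self, name, *extra):
        # A subtype inherits its parent's required features and adds its own.
        child = AttackClass(name, self.features | frozenset(extra), parent=self)
        self.children.append(child)
        return child

ROOT = AttackClass("NetworkEvent", frozenset())
recon = ROOT.add("Reconnaissance", "many_dst_ports")
recon.add("SYNScan", "tcp", "syn_only")
recon.add("UDPScan", "udp")
dos = ROOT.add("DenialOfService", "high_rate")
dos.add("SYNFlood", "tcp", "syn_only")
dos.add("ICMPFlood", "icmp")

def classify(event, node=ROOT):
    """Descend as far as the event's attributes allow. Among the children whose
    required features the event carries, take the most specific one; an event
    that matches no leaf stays at the deepest known ancestor, which is how a
    novel attack is categorized from what the tree knows so far."""
    matches = [c for c in node.children if c.features <= event]
    if not matches:
        return node
    return classify(event, max(matches, key=lambda c: len(c.features)))

def lineage(node):
    """Path from the root down to the node: the holistic picture of the event."""
    path = []
    while node is not None:
        path.append(node.name)
        node = node.parent
    return path[::-1]

if __name__ == "__main__":
    # Constructed events: a known SYN scan, a novel UDP flood, a lone ping.
    for ev in ({"tcp", "syn_only", "many_dst_ports"}, {"udp", "high_rate"}, {"icmp"}):
        print(sorted(ev), "->", "/".join(lineage(classify(ev))))
```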
Combination of Technologies
– Object-Oriented Classification of Network Events
– Footprints Repository
– State of the art Intrusion Detection Systems
Need for Real-Time Threat Assessment
Present an architecture that can be used to perform Real-Time Threat Assessment using IDS data
– Provide a holistic picture of an attack and thus facilitate the decision making process associated with Computer Network Defence
– Analyse and index data from a variety of distributed heterogeneous sources via a taxonomy of object-based attack classifications
– Perform threat assessment based on the progression of an attack using principles derived from A.I.
Summary
– Automate the Threat Assessment process across a vast amount of information
– Identify new attacks based on patterns of behaviour using anomaly detection
– Prevent ongoing attacks by interchanging information in a non-centralized manner
– Protect Critical-Importance Infrastructures in Real-Time
Q & A
Thank you for your attention
Grigorios Fragkos
Information Security Research Group (ISRG)
University of Glamorgan, Wales, UK
References
• Biermann, E., Cloete, E. and Venter, L. (2001). A Comparison of Intrusion Detection Systems. Computers & Security
• ClickZ Stats Staff (2005). Population Explosion. Available at: http://www.clickz.com/stats/sectors/geographics/article.php/5911_151151
• CERT® Coordination Center (2005). CERT Coordination Center Statistics 1988-2003. Available at: http://www.cert.org/stats/cert_stats.html
• Debar, H., Dacier, M. and Wespi, A. (1999). Towards a taxonomy of intrusion detection systems. Computer Networks
• Lippmann, R. et al. (1998). Evaluating Intrusion Detection Systems: The 1998 DARPA Off-line Intrusion Detection Evaluation. First International Workshop on Recent Advances in Intrusion Detection (RAID), Louvain-la-Neuve, Belgium
• Lunt, T. (1993). A survey of intrusion detection techniques. Computers and Security
• Morakis, E., Vidalis, A. and Blyth, A. J.C. (2003a). Measuring Vulnerabilities and their Exploitation Cycle. Elsevier Information Security Technical Report, Vol. 8, No. 4
• Morakis, E., Vidalis, S. and Blyth, A.J.C. (2003b). A Framework for Representing and Analysing Cyber Attacks Using Object Oriented Hierarchy Trees. Second European Conference in Information Warfare, UK, pp. 235-246
Appendices
System’s Overview
System’s Brain
Threat
• Question
What do we mean by threat when talking about security?
• Answer
A threat to a system can be defined as:
– A possible danger to the system (Michel E. Kabay, Enterprise Security: Protecting Information Assets, McGraw-Hill, 1996)
– A circumstance that has the potential to cause loss or harm (Charles P. Pfleeger, Security in Computing, Addison Wesley, 1997)
– A circumstance or event that could cause harm by violating security (Rita C. Summers, Secure Computing: Threats and Safeguards, McGraw-Hill, 1997)
Threat Assessment
• Question
What is Threat Assessment?
• Answer
There are two goals in the model of Threat Assessment:
– Identify threats based on feasibility (enablers) and indicators of potential exploitation. These threats are further categorized by the potential likelihood that they will be exploited.
– Provide an intelligence-based method of predicting, detecting, and monitoring potential large-scale threats to business and national security.
State of the Art & its limitations
Intrusion Detection Systems and security auditing systems have developed to the point where large quantities of information relating to security incidents can be captured, stored, indexed and classified.
• Probabilistic Methods
• Multi-pattern Search Algorithms
• Hybrid neural networks
• Learning program behaviour
• Correlation of Intrusion alerts
All the systems mentioned share one basic characteristic: they either follow the path to become misuse detection systems or anomaly detection systems.
Real-Time
• Unification Process
A number of sensors running any type of IDS, as described earlier, log network events into a centralized repository. The collector (or the unification process) gathers all the information before it is sent to the repository, in order to unify the data under a single database schema.
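As an added example, not code from the presentation's prototype, the collector below unifies constructed alert lines from two differently formatted sensors (one laid out like Snort's fast alert format, the other a hypothetical key=value IDS) into a single schema, drops lines no parser understands, and orders the records in time so that alerts from different sensors about the same source can be counted together; the sensor names, the assumed year 2005 and all sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Sensor A emits lines laid out like Snort's "fast" alert format; the lines used
# here are constructed, and since the line carries no year, 2005 is assumed.
A_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<sig>.+?)\s+\[\*\*\]\s+"
    r"(?:\[[^\]]*\]\s+)*\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<spt>\d+) -> (?P<dst>[\d.]+):(?P<dpt>\d+)")
# Sensor B is a hypothetical second IDS writing key=value records.
B_RE = re.compile(r"(?P<ts>\S+)\s+(?P<sensor>\S+)\s+(?P<kv>.*)")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_a(line):
    m = A_RE.match(line)
    if not m: return None
    ts = datetime.strptime("2005/" + m["ts"], "%Y/%m/%d-%H:%M:%S").replace(tzinfo=timezone.utc)
    return dict(ts=ts, sensor="sensorA", sig=m["sig"], proto=m["proto"].lower(),
                src=m["src"], spt=int(m["spt"]), dst=m["dst"], dpt=int(m["dpt"]))

def parse_b(line):
    m = B_RE.match(line)
    if not m: return None
    kv = {k: q or u for k, q, u in KV_RE.findall(m["kv"])}
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dict(ts=ts, sensor=m["sensor"], sig=kv["sig"], proto=kv["proto"].lower(),
                src=kv["src"], spt=int(kv["spt"]), dst=kv["dst"], dpt=int(kv["dpt"]))

def unify(lines):
    """The collector: try each sensor's parser, keep records that fit the single
    schema, drop lines no parser understands, and order everything by time."""
    records = []
    for line in lines:
        for parse in (parse_a, parse_b):
            try:
                rec = parse(line)
            except (KeyError, ValueError):  # looked like B's layout but was not
                rec = None
            if rec:
                records.append(rec)
                break
    return sorted(records, key=lambda r: r["ts"])

def alerts_per_source(records):
    """Once unified, alerts from different sensors about one source add up."""
    return Counter(r["src"] for r in records)

SAMPLE = [  # constructed sensor output, one garbage line included
    "01/12-14:03:11.000000  [**] [1:1000001:1] SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 10.0.0.5:44321 -> 10.0.0.9:22",
    '2005-01-12T14:03:12Z sensorB sig="ssh scan" proto=tcp src=10.0.0.5 spt=44321 dst=10.0.0.9 dpt=22',
    '2005-01-12T14:03:09Z sensorB sig="icmp sweep" proto=icmp src=10.0.0.7 spt=0 dst=10.0.0.1 dpt=0',
    "garbage line that no sensor parser understands",
]
```

Running `unify(SAMPLE)` yields three records in time order, and `alerts_per_source` then shows the two sensors' alerts about 10.0.0.5 counted as one source.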