Alireza Shameli-Sendi
École Polytechnique de Montréal
Publications
Featured research published by Alireza Shameli-Sendi.
Computers & Security | 2014
Alireza Shameli-Sendi; Mohamed Cheriet; Abdelwahab Hamou-Lhadj
In recent years, we have seen notable changes in the way attackers infiltrate computer systems compromising their functionality. Research in intrusion detection systems aims to reduce the impact of these attacks. In this paper, we present a taxonomy of Intrusion Response Systems (IRS) and Intrusion Risk Assessment (IRA), two important components of an intrusion detection solution. We achieve this by classifying a number of studies published during the last two decades. We discuss the key features of existing IRS and IRA. We show how characterizing security risks and choosing the right countermeasures are an important and challenging part of designing an IRS and an IRA. Poorly designed IRS and IRA may reduce network performance and wrongly disconnect users from a network. We propose techniques on how to address these challenges and highlight the need for a comprehensive defense mechanism approach. We believe that this taxonomy will open up interesting areas for future research in the growing field of intrusion risk assessment and response systems.
Computers & Security | 2016
Alireza Shameli-Sendi; Rouzbeh Aghababaei-Barzegar; Mohamed Cheriet
Information is a perennially significant business asset in all organizations. Therefore, it must be protected as any other valuable asset. This is the objective of information security, and an information security program provides this kind of protection for a company's information assets and for the company as a whole. One of the best ways to address information security problems in the corporate world is through a risk-based approach. In this paper, we present a taxonomy of security risk assessment drawn from 125 papers published from 1995 to May 2014. Organizations of different sizes may face problems in selecting suitable risk assessment methods that satisfy their needs. Although many risk-based approaches have been proposed, most of them are based on the old taxonomy, avoiding the need to consider and apply the important criteria in assessing risk raised by rapidly changing technologies and the attackers' knowledge level. In this paper, we discuss the key features of risk assessment that should be included in an information security management system. We believe that our new risk assessment taxonomy helps organizations not only to understand risk assessment better by comparing different new concepts but also to select a suitable way to conduct the risk assessment properly. Moreover, this taxonomy will open up interesting avenues for future research in the growing field of security risk assessment.
Journal of Network and Computer Applications | 2015
Alireza Shameli-Sendi; Makan Pourzandi; Mohamed Fekih-Ahmed; Mohamed Cheriet
Cloud computing has a central role to play in meeting today's business requirements. However, Distributed Denial-of-Service (DDoS) attacks can threaten the availability of cloud functionalities. In recent years, much effort has been expended to detect the various DDoS attack types. In this survey paper, our concentration is on how to mitigate these attacks. We believe that cloud computing technology can substantially change the way we respond to a DDoS attack, based on a number of new characteristics which were introduced with the advent of this technology. We first present a new taxonomy of DDoS mitigation strategies to organize the work. Then, we go on to discuss the main features of existing DDoS mitigation strategies and explain their functionalities in the cloud environment. Afterwards, we show how the existing DDoS mechanisms fit into the network topology of the cloud. Finally, we discuss some of these DDoS mechanisms in detail, and compare their behavior in the cloud. Our objective is to show how these characteristics bring a novel perspective to existing DDoS mechanisms, and so give researchers new insights into how to mitigate DDoS attacks in cloud computing.
International Journal of Information Security | 2014
Alireza Shameli-Sendi; Michel Dagenais
We propose a novel approach for automated intrusion response systems to assess the value of the loss that could be suffered by a compromised resource. A risk assessment component of the approach measures the risk impact and is tightly integrated with our response system component. When the total risk impact exceeds a certain threshold, the response selection mechanism applies one or more responses. A multi-level response selection mechanism is proposed to gauge the intrusion damage (attack progress) relative to the response impact. This model proposes a feedback mechanism, which measures the response goodness and helps indicate the new risk level following application of the response(s). Not only does our proposed model constitute a novel online mechanism for response activation and deactivation based on the online risk impact, it also addresses the factors inherent in assessing risk and calculating response effectiveness that are more complex in terms of detail. We have designed a sophisticated multi-step attack to penetrate Web servers, as well as to acquire root privilege. Our simulation results illustrate the efficiency of the proposed model and confirm the feasibility of the approach in real time. At the end of the paper, we discuss the various ways in which an attacker might succeed in completely bypassing our response system.
Journal of Network and Computer Applications | 2015
Alireza Shameli-Sendi; Michel Dagenais
Response cost evaluation is a major part of the Intrusion Response System (IRS). Although many automated IRSs have been proposed, most of them use statically evaluated responses, avoiding the need for dynamic evaluation of response cost. However, by designing a dynamic evaluation for the responses we can alleviate the drawbacks of the static model. Furthermore, it will be more effective at defending a system from an attack as it will be less predictable. A dynamic model offers the best response based on the current situation of the network. Thus, the evaluation of the positive effects and negative impacts of the responses must be computed online, at attack time, in a dynamic model. We evaluate the response cost online with respect to the resource dependencies and the number of online users. In this paper, we present a practical framework with relevant factors for response cost evaluation. The proposed framework is a platform that leads us to account for the user's needs in terms of quality of service (QoS) and the dependencies of critical processes. Compared with other response evaluation models, the proposed framework consists of not only a novel online mechanism for response cost evaluation in complex network topologies, but also more detailed factors to evaluate the responses' positive effects and negative impacts. In addition, we discuss the main challenges of evaluating response cost with respect to the attack type.
The Open Cybernetics & Systemics Journal | 2012
Alireza Shameli-Sendi; Mehdi Shajari; M. Hassanabadi; Masoume Jabbarifar; Michel Dagenais
Risk assessment is a major part of the ISMS process. In a complex organization which involves a lot of assets, risk assessment is a complicated process. In this paper, we present a practical model for information security risk assessment. This model is based on multi-criteria decision-making and uses fuzzy logic, which is an appropriate model for assessing risks and representing the practical results. The proposed risk assessment is a qualitative approach according to the ISO/IEC 27005 standard. The main objectives and processes of the business have been considered in this model, and the assessment of risk has been done at the managerial and operational levels. This model was performed completely in the information technology section of a supply chain management company, and the results show its efficiency and reliability.
Integrated Network Management | 2015
Alireza Shameli-Sendi; Yosr Jarraya; Mohamed Fekih-Ahmed; Makan Pourzandi; Chamseddine Talhi; Mohamed Cheriet
Traditional enterprise network security is based on the deployment of security appliances placed at specific locations to filter and monitor the traffic going through them. In this perspective, security appliances are chained in a specific order to perform different security functions on the traffic. In the cloud, the same approach is often adopted using virtual security appliances to protect traffic for different virtual applications, with the challenge of dealing with the flexible and elastic nature of the cloud. In this paper, we investigate the problem of placing virtual security appliances within the data center in order to minimize network latency and computing costs for security functions while maintaining the required sequential order of traversing virtual security appliances. We propose a new algorithm computing the best place to deploy these virtual security appliances in the data center. We further integrated our placement algorithm in an open source cloud framework, i.e. Openstack, in our test laboratory. The preliminary results show that we are placing the virtual security appliances in the required sequential order while improving the efficiency compared to the current default placement algorithm in Openstack.
Journal of Network and Systems Management | 2015
Masoume Jabbarifar; Michel Dagenais; Alireza Shameli-Sendi
Time synchronization is a fundamental requirement for many services provided by distributed systems. For this purpose, several time synchronization protocols have been proposed. However, they either achieve high accuracy by adding further network traffic, even more than common protocols such as network time protocol and precision time protocol, or consume a lot of time in additional computations. An online distributed tracing and monitoring system, used to identify functional and performance problems in distributed systems, must offer high precision with minimum time overhead and system resource consumption. The aim of this paper is to propose an efficient algorithm for time synchronization in online mode, applicable to all distributed services. The proposed method in this paper addresses five key requirements for a practical solution in distributed systems. First, it provides microsecond-scale accuracy, which is applicable for trace events with nanosecond timestamp granularity. Secondly, it does not require adding new network traffic, using the send and receive times of existing traffic. Thirdly, it synchronizes the distributed traces in an average time complexity of O(1) per synchronization update. Fourthly, it updates online synchronization parameters immediately without latency. Finally, it iteratively refines the early estimates without requiring significant buffering of earlier data. Although we used this work for distributed trace synchronization, it is a general, fully incremental, continuous synchronization approach applicable to most synchronization purposes.
Journal of Computer Networks and Communications | 2013
Alireza Shameli-Sendi; Julien Desfossez; Michel Dagenais; Masoume Jabbarifar
The aim of this paper is to present an adaptive and cost-sensitive model to prevent security intrusions. In most automated intrusion response systems, response selection is performed locally based on the current threat without using knowledge of the attack history. Another challenge is that a group of responses is applied without any feedback mechanism to measure the response effect. We address these problems through retroactive-burst execution of responses and a Response Coordinator (RC) mechanism, the main contributions of this work. The retroactive-burst execution consists of several burst executions of responses with, at the end of each burst, a mechanism for measuring the effectiveness of the applied responses by the risk assessment component. The appropriate combination of responses must be considered for each burst execution to mitigate the progress of the attack without necessarily running the next round of responses, because of the impact on legitimate users. In the proposed model, there is a multilevel response mechanism. To indicate which level is appropriate to apply based on the retroactive-burst execution, we rely on the Response Coordinator mechanism. The applied responses can improve the health of Applications, Kernel, Local Services, Network Services, and Physical Status. Based on these indexes, the RC gives a general overview of an attacker's goal in a distributed environment.
Canadian Conference on Electrical and Computer Engineering | 2013
Naser Ezzati-Jivan; Alireza Shameli-Sendi; Michel Dagenais
Automatic label assignment to graphical objects is an important problem in many applications such as cartography, online maps and graph drawings. In this paper, we present efficient algorithms for automatic label assignment to execution trace items (points or lines) in a trace visualization tool. The proposed label assignment algorithms aim to maximize the number of labeled items as well as increase the quality of assignments. The algorithms take into account both the topological and semantic relationships (e.g. level of details, repetitiveness, etc.) between the trace items in order to achieve assignments that are both quantitative and qualitative. The proposed method also supports assigning multiple labels to each trace item. The algorithms have been implemented and applied to different input traces. The experimental results show that considering the relationships between data items increases the labeling success rate and the quality.