
Publication


Featured research published by Bingrui Foo.


Dependable Systems and Networks | 2005

ADEPTS: adaptive intrusion response using attack graphs in an e-commerce environment

Bingrui Foo; Yu-Sung Wu; Yu-Chun Mao; Saurabh Bagchi; Eugene H. Spafford

Distributed systems with multiple interacting services, especially e-commerce systems, are suitable targets for malicious attacks because of the potential financial impact. Compared to intrusion detection, automated response has received relatively less attention. In this paper, we present the design of automated response mechanisms in an intrusion tolerant system called ADEPTS. Our focus is on enforcing containment in the system, thus localizing the intrusion and allowing the system to provide service, albeit degraded. ADEPTS uses a graph of intrusion goals, called I-GRAPH, as the underlying representation in the system. In response to alerts from an intrusion detection framework, ADEPTS executes algorithms to determine the spread of the intrusion and the appropriate responses to deploy. A feedback mechanism evaluates the success of a deployed response and uses that in guiding future choices. ADEPTS is demonstrated on a distributed e-commerce system and evaluated using a survivability metric.


Annual Computer Security Applications Conference | 2003

Collaborative intrusion detection system (CIDS): a framework for accurate and efficient IDS

Yu-Sung Wu; Bingrui Foo; Yongguo Mei; Saurabh Bagchi

We present the design and implementation of a collaborative intrusion detection system (CIDS) for accurate and efficient intrusion detection in a distributed system. CIDS employs multiple specialized detectors at the different layers - network, kernel and application - and a manager based framework for aggregating the alarms from the different detectors to provide a combined alarm for an intrusion. The premise is that a carefully designed and configured CIDS can increase the accuracy of detection compared to individual detectors, without a substantial degradation in performance. In order to validate the premise, we present the design and implementation of a CIDS which employs Snort, Libsafe, and a new kernel level IDS called Sysmon. The manager has a graph-based and a Bayesian network based aggregation method for combining the alarms to finally come up with a decision about the intrusion. The system is evaluated using a Web-based electronic store front application and under three different classes of attacks - buffer overflow, flooding and script-based attacks. The results show performance degradations compared to no detection of 3.9% and 6.3% under normal workload and a buffer overflow attack respectively. The experiments to evaluate the accuracy of the system show that the normal workload generates false alarms for Snort and the elementary detectors produce missed alarms. CIDS does not flag the false alarm and reduces the incidence of missed alarms to 1 of the 7 cases. CIDS can also be used to measure the propagation time of an intrusion which is useful in choosing an appropriate response strategy.


Computer Networks | 2007

Automated adaptive intrusion containment in systems of interacting services

Yu-Sung Wu; Bingrui Foo; Yu-Chun Mao; Saurabh Bagchi; Eugene H. Spafford

Large scale distributed systems typically have interactions among different services that create an avenue for propagation of a failure from one service to another. The failures being considered may be the result of natural failures or malicious activity, collectively called disruptions. To make these systems tolerant to failures it is necessary to contain the spread of the occurrence automatically once it is detected. The objective is to allow certain parts of the system to continue to provide partial functionality in the system in the face of failures. Real world situations impose several constraints on the design of such a disruption tolerant system of which we consider the following - the alarms may have type I or type II errors; it may not be possible to change the service itself even though the interaction may be changed; attacks may use steps that are not anticipated a priori; and there may be bursts of concurrent alarms. We present the design and implementation of a system named Adepts as the realization of such a disruption tolerant system. Adepts uses a directed graph representation to model the spread of the failure through the system, presents algorithms for determining appropriate responses and monitoring their effectiveness, and quantifies the effect of disruptions through a high level survivability metric. Adepts is demonstrated on a real e-commerce testbed with actual attack patterns injected into it.


Network Security: Know It All | 2008

Chapter 10 – Intrusion Response Systems: A Survey

James B. D. Joshi; Saurabh Bagchi; Bruce S. Davie; Adrian Farrel; Bingrui Foo; Vijay K. Garg; Matthew W. Glause; Gaspar Modelo-Howard; Prashant Krishnamurthy; Pete Loshin; James D. McCabe; Lionel M. Ni; Larry L. Peterson; Rajiv Ramaswami; Kumar N. Sivarajan; Eugene H. Spafford; George Varghese; Yu-Sung Wu; Pei Zheng

Publisher Summary This chapter considers distributed systems as composed of multiple services that interact with one another through standardized network protocols. It describes the primary Intrusion Response Systems (IRSs) and labels each as belonging to one of the following four categories. The first class, called static decision making, provides a static mapping from the alert raised by the detector to the response that is to be deployed. The second class, called dynamic decision making, reasons about an ongoing attack based on the observed alerts and determines an appropriate response to take. The third class, called intrusion tolerance through diverse replicas, masks security failures through the concurrent use of diverse replicas for performing security-critical functions. The fourth class includes IRSs meant to target specific kinds of attacks, with our focus being on distributed denial-of-service attacks. Then, we present a discussion on the nascent field of benchmarking of IRSs. Finally, the chapter presents five key areas in which IRSs need to evolve for widespread adoption. In addition, it considers the metrics that are relevant for evaluating an IRS.


Network Security: Know It All | 2008

Optical Network Survivability

James B. D. Joshi; Saurabh Bagchi; Bruce S. Davie; Adrian Farrel; Bingrui Foo; Vijay K. Garg; Matthew W. Glause; Gaspar Modelo-Howard; Prashant Krishnamurthy; Pete Loshin; James D. McCabe; Lionel M. Ni; Larry L. Peterson; Rajiv Ramaswami; Kumar N. Sivarajan; Eugene H. Spafford; George Varghese; Yu-Sung Wu; Pei Zheng

Publisher Summary This chapter gives a brief overview of optical network survivability. Engineering the network for survivability plays an increasingly important role in transport networks. Protection techniques are well established in Synchronous Optical Networking (SONET) and Synchronous Digital Hierarchy (SDH) and include point-to-point, dedicated protection rings, and shared protection rings. Point-to-point protection schemes work for simple systems with diverse fiber routes between node locations. In addition, optical channel layer protection is needed if some channels are to be protected while others are not. Optical multiplex section (OMS) layer protection is more cost effective for those cases where all the traffic needs to be protected. The optical layer consists of the optical channel layer (or path layer), the OMS layer (or line layer), and the optical transmission section layer. The choice of protection schemes is dictated primarily by the service classes to be supported and by the type of equipment deployed. In the SONET/SDH world, protection is performed primarily by the SONET/SDH line terminals and add/drop multiplexers and not by digital cross connects.


Network Security: Know It All | 2008

Concepts in IP Security

James B. D. Joshi; Saurabh Bagchi; Bruce S. Davie; Adrian Farrel; Bingrui Foo; Vijay K. Garg; Matthew W. Glause; Gaspar Modelo-Howard; Prashant Krishnamurthy; Pete Loshin; James D. McCabe; Lionel M. Ni; Larry L. Peterson; Rajiv Ramaswami; Kumar N. Sivarajan; Eugene H. Spafford; George Varghese; Yu-Sung Wu; Pei Zheng

This chapter provides an overview of some of the issues related to Internet security and shows the workings of the key security protocols. Security within an IP network can be applied at any or all of a set of different levels: (1) physical security governs the connectivity and access to private networks; (2) protocol-level security controls and safeguards the essential protocols that make the Internet work; (3) application security can be used to protect sensitive data and to limit access to applications; and (4) transport and network layer security is used to protect data flows across public or exposed networks and connections. Network security has become an issue because of the large number of computers connected together, and the increase in quantity and sensitivity of the information held on computers and distributed across the Internet. Various techniques are used to compromise Internet security. The most obvious technique involves simply impersonating another user to access that user's computer. Remote access protocols such as Telnet and File Transfer Protocol (FTP) make this particularly easy.


Network Security: Know It All | 2008

Security in Wireless Systems

James B. D. Joshi; Saurabh Bagchi; Bruce S. Davie; Adrian Farrel; Bingrui Foo; Vijay K. Garg; Matthew W. Glause; Gaspar Modelo-Howard; Prashant Krishnamurthy; Pete Loshin; James D. McCabe; Lionel M. Ni; Larry L. Peterson; Rajiv Ramaswami; Kumar N. Sivarajan; Eugene H. Spafford; George Varghese; Yu-Sung Wu; Pei Zheng

This chapter examines the requirements needed for privacy and authentication of wireless systems and discusses how each of the cellular and personal communications services systems supports these requirements. The chapter also discusses four levels of voice privacy and then identifies requirements in the areas of privacy, theft resistance, radio system requirements, system lifetime, physical requirements as implemented in mobile stations, and law enforcement needs. In addition, it examines different methods that are in use to meet these needs. The objective of security for most wireless systems is to make the system as secure as the public switched telephone network. The technical features for security are only a small part of the security requirements; the greatest threat is from simpler attacks such as disclosure of the encryption keys, an insecure billing system, or corruption. A balance is required to ensure that these security processes meet these requirements.


Network Security: Know It All | 2008

Chapter 2 – Network Attacks

James B. D. Joshi; Saurabh Bagchi; Bruce S. Davie; Adrian Farrel; Bingrui Foo; Vijay K. Garg; Matthew W. Glause; Gaspar Modelo-Howard; Prashant Krishnamurthy; Pete Loshin; James D. McCabe; Lionel M. Ni; Larry L. Peterson; Rajiv Ramaswami; Kumar N. Sivarajan; Eugene H. Spafford; George Varghese; Yu-Sung Wu; Pei Zheng

Publisher Summary This chapter provides an overview of issues, terminology, and techniques related to the security of the network. Network security comprises ongoing activities that assess the network for its current state of security, have in place protection and prevention mechanisms against security threats, implement detection mechanisms to rapidly identify security attacks that may have been successful, and have policies, procedures, and techniques in place to respond to attacks. These aspects are discussed in a succinct manner. Protection against attacks using firewalls and prevention mechanisms that make use of cryptography are considered with examples of Kerberos, IP Security Protocol, and Secure Sockets Layer. To block malicious packets from entering a network, it is common to employ firewalls. The term firewall originally referred to thick walls of brick constructed especially to prevent the spread of fires from one building to another. Today, firewalls refer to the hardware, software, and policies that prevent the spread of security attacks into an organization's (or individual's) network or host.


Network Security: Know It All | 2008

Chapter 1 – Network Security Overview

James B. D. Joshi; Saurabh Bagchi; Bruce S. Davie; Adrian Farrel; Bingrui Foo; Vijay K. Garg; Matthew W. Glause; Gaspar Modelo-Howard; Prashant Krishnamurthy; Pete Loshin; James D. McCabe; Lionel M. Ni; Larry L. Peterson; Rajiv Ramaswami; Kumar N. Sivarajan; Eugene H. Spafford; George Varghese; Yu-Sung Wu; Pei Zheng

Publisher Summary This chapter gives a brief overview of network security. Parties with conflicting interests share networks such as the Internet. The job of network security is to keep them from spying on or interfering with each other's use of the network. The concept of cryptographic tools is briefly explained in several steps. The first step is the cryptographic algorithms: ciphers and cryptographic hashes. The chapter also describes how to incorporate these cryptographic building blocks into protocols that provide secure communication between participants who possess the correct keys. To use ciphers and authenticators, the communicating participants need to know what keys to use; thus, key predistribution is also reviewed in this chapter. In addition, authentication protocols, secure systems, firewalls, and many other fundamentals are briefly explained.


Network Security: Know It All | 2008

Chapter 6 – IP Security in Practice

James B. D. Joshi; Saurabh Bagchi; Bruce S. Davie; Adrian Farrel; Bingrui Foo; Vijay K. Garg; Matthew W. Glause; Gaspar Modelo-Howard; Prashant Krishnamurthy; Pete Loshin; James D. McCabe; Lionel M. Ni; Larry L. Peterson; Rajiv Ramaswami; Kumar N. Sivarajan; Eugene H. Spafford; George Varghese; Yu-Sung Wu; Pei Zheng

Publisher Summary This chapter discusses how authentication and security, including secure password transmission, encryption, and digital signatures on datagrams, are implemented under IP through the Authentication Header and Encapsulating Security Payload options. It also provides a concise introduction to IP security issues and security goals, starting with the definition of the challenges security managers are facing and the tools at their disposal. IP Security Protocol (IPsec) provides authentication services through the use of public key encryption, digital signatures, and secure hashing tools; it provides privacy services through the use of public and secret key encryption as well. Security issues, security goals, encryption and authentication algorithms, IPsec, and so on are briefly described in this chapter. IPsec as defined in RFC 2401 provides a security architecture for IP, not a security architecture for the Internet. It also provides an interoperable and open standard for building security into the network layer rather than at the application or transport layer.

Collaboration



Top Co-Authors

Yu-Sung Wu

National Chiao Tung University

Pei Zheng

Michigan State University
