Gaspar Modelo-Howard
Purdue University
Publications

Featured research published by Gaspar Modelo-Howard.
recent advances in intrusion detection | 2008
Gaspar Modelo-Howard; Saurabh Bagchi; Guy Lebanon
To secure today's computer systems, it is critical to have different intrusion detection sensors embedded in them. The complexity of distributed computer systems makes it difficult to determine the appropriate configuration of these detectors, i.e., their choice and placement. In this paper, we describe a method to evaluate the effect of the detector configuration on the accuracy and precision of determining security goals in the system. For this, we develop a Bayesian network model for the distributed system, from an attack graph representation of multi-stage attacks in the system. We use Bayesian inference to solve the problem of determining the likelihood that an attack goal has been achieved, given a certain set of detector alerts. We quantify the overall detection performance in the system for different detector settings, namely, choice and placement of the detectors, their quality, and levels of uncertainty of adversarial behavior. These observations lead us to a greedy algorithm for determining the optimal detector settings in a large-scale distributed system. We present the results of experiments on Bayesian networks representing two real distributed systems and real attacks on them.
Network Security: Know It All | 2008
James B. D. Joshi; Saurabh Bagchi; Bruce S. Davie; Adrian Farrel; Bingrui Foo; Vijay K. Garg; Matthew W. Glause; Gaspar Modelo-Howard; Prashant Krishnamurthy; Pete Loshin; James D. McCabe; Lionel M. Ni; Larry L. Peterson; Rajiv Ramaswami; Kumar N. Sivarajan; Eugene H. Spafford; George Varghese; Yu-Sung Wu; Pei Zheng
Publisher Summary: This chapter considers distributed systems as composed of multiple services that interact with one another through standardized network protocols. It describes the primary Intrusion Response Systems (IRSs) and labels each in one of the following four categories. The first class, called static decision making, provides a static mapping of the alert from the detector to the response that is to be deployed. The second class, called dynamic decision making, reasons about an ongoing attack based on the observed alerts and determines an appropriate response to take. The third class, called intrusion tolerance through diverse replicas, provides masking of security failures through the use of diverse replicas concurrently for performing security critical functions. The fourth class includes IRSs meant to target specific kinds of attacks, with our focus being on distributed denial-of-service attacks. Then, we present a discussion on the nascent field of benchmarking of IRSs. Finally, the chapter presents five key areas in which IRSs need to evolve for widespread adoption. In addition, it considers the metrics that are relevant for evaluating an IRS.
Network Security: Know It All | 2008
James B. D. Joshi; Saurabh Bagchi; Bruce S. Davie; Adrian Farrel; Bingrui Foo; Vijay K. Garg; Matthew W. Glause; Gaspar Modelo-Howard; Prashant Krishnamurthy; Pete Loshin; James D. McCabe; Lionel M. Ni; Larry L. Peterson; Rajiv Ramaswami; Kumar N. Sivarajan; Eugene H. Spafford; George Varghese; Yu-Sung Wu; Pei Zheng
Publisher Summary: This chapter gives a brief overview of optical network survivability. Engineering the network for survivability plays an increasingly important role in transport networks. Protection techniques are well established in Synchronous Optical Networking (SONET) and Synchronous Digital Hierarchy (SDH) and include point-to-point, dedicated protection rings, and shared protection rings. Point-to-point protection schemes work for simple systems with diverse fiber routes between node locations. In addition, optical channel layer protection is needed if some channels are to be protected while others are not. Optical multiplex section (OMS) layer protection is more cost effective for those cases where all the traffic needs to be protected. The optical layer consists of the optical channel layer (or path layer), the OMS layer (or line layer), and the optical transmission section layer. The choice of protection schemes is dictated primarily by the service classes to be supported and by the type of equipment deployed. In the SONET/SDH world, protection is performed primarily by the SONET/SDH line terminals and add/drop multiplexers and not by digital cross connects.
annual information security symposium | 2012
Gaspar Modelo-Howard; Jevin Sweval; Saurabh Bagchi
Current attacks on distributed systems involve multiple steps, due to attackers usually taking multiple actions to achieve their goals. Such attacks are called multi-stage attacks (MSA) and have the ultimate goal of compromising a critical asset for the victim. An example would be compromising a web server, then achieving a series of intermediary steps (such as compromising a developer's box thanks to a vulnerable PHP module and connecting to an FTP server with gained credentials) to ultimately connect to a database where user credentials are stored. Current detection systems are not capable of analyzing the multi-step attack scenario. We present a distributed detection framework based on a probabilistic reasoning engine that communicates to detection sensors and can achieve two goals: (1) protect the critical asset by detecting MSAs and (2) tune sensors according to the changing environment of the distributed system monitored by the distributed framework. As shown in the experiments, the framework reduces the number of false positives that it would otherwise report if it were only considering alerts from a single detector, and the reconfiguration of sensors allows the framework to detect attacks that take advantage of the changing system environment.
international conference on network protocols | 2012
Fahad A. Arshad; Gaspar Modelo-Howard; Saurabh Bagchi
The question of whether to migrate IT services to a cloud computing infrastructure arises before most IT decision makers today. To enable secure access to sensitive resources, a virtual private network (VPN) is almost a required piece of technology. Setting up and managing a VPN server is a non-trivial task: there are a variety of modes in which VPN can be used (IPSec, SSL/TLS, PPTP), there are a variety of software-only and software-hardware solutions, and each comes with a rich set of configuration options. Therefore, it is a perplexing question to practitioners what option to choose, with an understanding of the performance and the security implications of each choice. In this paper, we consider the various factors that should go into such decision making and exemplify this by choosing among two competitive options for protecting access to IT resources of our NSF center which has a significant number of external (i.e., non-Purdue) users. The two options are an open-source software-only VPN (pfSense) and a commercial appliance, i.e., an integrated hardware-software solution. Further, the first is managed by us while the latter is outsourced to an entity that provides VPN services to multiple consumer organizations, and hence, referred to by us as the cloud-based service. We follow up with conducting a post-deployment study of the VPN users which reveals that despite a two-fold reduction in throughput, the cloud-based service is considered satisfactory due to its non-intrusiveness with respect to other network activities and ease of configuration.
Network Security: Know It All | 2008
James B. D. Joshi; Saurabh Bagchi; Bruce S. Davie; Adrian Farrel; Bingrui Foo; Vijay K. Garg; Matthew W. Glause; Gaspar Modelo-Howard; Prashant Krishnamurthy; Pete Loshin; James D. McCabe; Lionel M. Ni; Larry L. Peterson; Rajiv Ramaswami; Kumar N. Sivarajan; Eugene H. Spafford; George Varghese; Yu-Sung Wu; Pei Zheng
This chapter provides an overview of some of the issues related to Internet security and shows the workings of the key security protocols. Security within an IP network can be applied at any or all of a set of different levels: (1) physical security governs the connectivity and access to private networks; (2) protocol-level security controls and safeguards the essential protocols that make the Internet work; (3) application security can be used to protect sensitive data and to limit access to applications; and (4) transport and network layer security is used to protect data flows across public or exposed networks and connections. Network security has become an issue because of the large number of computers connected together, and the increase in quantity and sensitivity of the information held on computers and distributed across the Internet. Various techniques are used to compromise Internet security. The most obvious technique involves simply impersonating another user to access that user's computer. Remote access protocols such as Telnet and File Transfer Protocol (FTP) make this particularly easy.
Network Security: Know It All | 2008
James B. D. Joshi; Saurabh Bagchi; Bruce S. Davie; Adrian Farrel; Bingrui Foo; Vijay K. Garg; Matthew W. Glause; Gaspar Modelo-Howard; Prashant Krishnamurthy; Pete Loshin; James D. McCabe; Lionel M. Ni; Larry L. Peterson; Rajiv Ramaswami; Kumar N. Sivarajan; Eugene H. Spafford; George Varghese; Yu-Sung Wu; Pei Zheng
This chapter examines the requirements needed for privacy and authentication of wireless systems and discusses how each of the cellular and personal communications services systems supports these requirements. The chapter also discusses four levels of voice privacy and then identifies requirements in the areas of privacy, theft resistance, radio system requirements, system lifetime, physical requirements as implemented in mobile stations, and law enforcement needs. In addition, it examines different methods that are in use to meet these needs. The objective of security for most wireless systems is to make the system as secure as the public switched telephone network. The technical features for security are only a small part of the security requirements; the greatest threat is from simpler attacks such as disclosure of the encryption keys, an insecure billing system, or corruption. A balance is required to ensure that these security processes meet these requirements.
Network Security: Know It All | 2008
James B. D. Joshi; Saurabh Bagchi; Bruce S. Davie; Adrian Farrel; Bingrui Foo; Vijay K. Garg; Matthew W. Glause; Gaspar Modelo-Howard; Prashant Krishnamurthy; Pete Loshin; James D. McCabe; Lionel M. Ni; Larry L. Peterson; Rajiv Ramaswami; Kumar N. Sivarajan; Eugene H. Spafford; George Varghese; Yu-Sung Wu; Pei Zheng
Publisher Summary: This chapter provides an overview of issues, terminology, and techniques related to the security of the network. Network security comprises ongoing activities that assess the network for its current state of security, have in place protection and prevention mechanisms against security threats, implement detection mechanisms to rapidly identify security attacks that may have been successful, and have policies, procedures, and techniques in place to respond to attacks. These aspects are discussed in a succinct manner. Protection against attacks using firewalls and prevention mechanisms that make use of cryptography are considered with examples of Kerberos, IP Security Protocol, and Secure Sockets Layer. To block malicious packets from entering a network, it is common to employ firewalls. Firewalls in olden days were referred to as thick walls of brick constructed especially for preventing the spread of fires from one building to another. Firewalls today are being referred to as hardware, software, and policies to prevent the spread of security attacks into an organization's (or individual's) network or host.
Network Security: Know It All | 2008
James B. D. Joshi; Saurabh Bagchi; Bruce S. Davie; Adrian Farrel; Bingrui Foo; Vijay K. Garg; Matthew W. Glause; Gaspar Modelo-Howard; Prashant Krishnamurthy; Pete Loshin; James D. McCabe; Lionel M. Ni; Larry L. Peterson; Rajiv Ramaswami; Kumar N. Sivarajan; Eugene H. Spafford; George Varghese; Yu-Sung Wu; Pei Zheng
Publisher Summary: This chapter gives a brief overview of network security. Parties with conflicting interests share networks, such as the Internet. The job of network security is to keep them from spying on or interfering with each other's use of the network. The concept of cryptographic tools is briefly explained; there are numerous steps. The first step is the cryptographic algorithms—ciphers and cryptographic hashes. It is also described how to incorporate the cryptographic building blocks into protocols that provide secure communication between participants who possess the correct keys. To use ciphers and authenticators, the communicating participants need to know what keys to use; thus, key predistribution is also reviewed in this chapter. In addition, authentication protocols, secure systems, firewalls, and many other fundamentals are briefly explained.
Network Security: Know It All | 2008
James B. D. Joshi; Saurabh Bagchi; Bruce S. Davie; Adrian Farrel; Bingrui Foo; Vijay K. Garg; Matthew W. Glause; Gaspar Modelo-Howard; Prashant Krishnamurthy; Pete Loshin; James D. McCabe; Lionel M. Ni; Larry L. Peterson; Rajiv Ramaswami; Kumar N. Sivarajan; Eugene H. Spafford; George Varghese; Yu-Sung Wu; Pei Zheng
Publisher Summary: This chapter discusses how authentication and security, including secure password transmission, encryption, and digital signatures on datagrams, are implemented under IP through the Authentication Header and Encapsulating Security Payload options. It also provides a concise introduction to IP security issues and security goals, starting with the definition of the challenges security managers are facing and the tools at their disposal. IP Security Protocol (IPsec) provides authentication services through the use of public key encryption, digital signature, and secure hashing tools; it provides privacy services through the use of public and secret key encryption as well. Security issues, security goals, encryption and authentication algorithms, IPsec, and so on are briefly described in this chapter. IPsec as defined in RFC 2401 provides security architecture for the IP—not security architecture for the Internet. It also provides an interoperable and open standard for building security into the network layer rather than at the application or transport layer.
