Publication


Featured research published by Mario Golling.


Integrated Network Management | 2015

How to exchange security events? Overview and evaluation of formats and protocols

Jessica Steinberger; Anna Sperotto; Mario Golling; Harald Baier

Network-based attacks pose a strong threat to the Internet landscape. Recent approaches to mitigate and resolve these threats focus on cooperation of Internet service providers and their exchange of security event information. A major benefit of a cooperation is that it might counteract a network-based attack at its root and provides the possibility to inform other cooperative partners about the occurrence of anomalous events as a proactive service. In this paper we provide a structured overview of existing exchange formats and protocols. We evaluate and compare the exchange formats and protocols in context of high-speed networks. In particular, we focus on flow data. In addition, we investigate the exchange of potentially sensitive data. For our overview, we review different exchange formats and protocols with respect to their use-case scenario, their interoperability with network flow-based data, their scalability in a high-speed network context and develop a classification.


IEEE Communications Magazine | 2014

Behavior-based intrusion detection in encrypted environments

Robert Koch; Mario Golling; Gabi Dreo Rodosek

In recent years the Internet has evolved into a critical communication infrastructure that is omnipresent in almost all aspects of our daily life. This dependence of modern societies on the Internet has also resulted in more criminals using the Internet for their purposes, causing a steady increase of attacks, both in terms of quantity as well as quality. Although research on the detection of attacks has been performed for several decades, today's systems are not able to cope with modern attack vectors. One of the reasons is the increasing use of encrypted communication that strongly limits the detection of malicious activities. While encryption provides a number of significant advantages for the end user, such as an increased level of privacy, many classical approaches of intrusion detection fail. Since it is typically not possible to decrypt the traffic, performing analysis w.r.t. the presence of certain patterns is almost impossible. To overcome this shortcoming we present a new behavior-based detection architecture that uses similarity measurements to detect intrusions as well as insider activities like data exfiltration in encrypted environments.


International Conference on Cyber Conflict | 2014

Towards multi-layered intrusion detection in high-speed networks

Mario Golling; Rick Hofstede; Robert Koch

Traditional Intrusion Detection approaches rely on the inspection of individual packets, often referred to as Deep Packet Inspection (DPI), where individual packets are scanned for suspicious patterns. However, the rapid increase of link speeds and throughputs - especially in larger networks such as backbone networks - seriously constrains this approach. First, devices capable of detecting intrusions on high-speed links of 10 Gbps and higher are rather expensive, or must be built based on complex arrays. Second, legislation commonly restricts the way in which backbone network operators can analyse the data in their networks. To overcome these constraints, flow-based intrusion detection can be applied, which traditionally focuses only on packet header fields and packet characteristics. Flow export technologies are nowadays embedded in most high-end packet forwarding devices and are widely used for network management, which makes this approach economically attractive.


2011 5th International DMTF Academic Alliance Workshop on Systems and Virtualization Management: Standards and the Cloud (SVM) | 2011

Security management spectrum in future multi-provider Inter-Cloud environments — Method to highlight necessary further development

Michael Kretzschmar; Mario Golling

The erosion of trust boundaries already happening in organizations is amplified and accelerated by Cloud computing. One of the most important security challenges is to manage and assure a secure Cloud usage over multi-provider Inter-Cloud environments with dedicated communication infrastructures, security mechanisms, processes and policies. This paper focuses on the identification of functions for different roles within future Inter-Cloud environments that belong to the Cloud Security Management functional spectrum. Therefore, we describe all identified functional aspects and the distribution of these objects in order to define a platform-independent model for the Security Management functional spectrum for Inter-Cloud called SMICS. SMICS will assist Cloud providers in analyzing the necessary further development of their security management systems in order to support future Inter-Cloud environments. In addition, a better comprehension of the security management spectrum from a functional perspective will enable the Cloud provider community to design more efficient portals and gateways between Inter-Cloud providers themselves and their customers, and facilitate the adoption of these results in scientific and standardization environments.


International Conference on Cloud Computing | 2011

Security Management Areas in the Inter-cloud

Michael Kretzschmar; Mario Golling; Sebastian Hanigk

Within the context of Cloud Computing, one of the most important security challenges is to manage and assure a secure usage over multi-provider Inter-Cloud environments with dedicated communication infrastructures, security mechanisms, processes and policies. The aim of security controls in Cloud computing is, for the most part, no different from that of security controls in any IT environment from a functional security management perspective. The adaptation and reuse of existing traditional security management areas that have to be enhanced for specific Cloud computing requirements (e.g., dynamic reconfiguration, distributed services, etc.) is proposed. Based on the collection of various Inter-Cloud use cases and scenarios within the private and public sector, e.g. from DMTF (Distributed Management Task Force), NIST (National Institute of Standards and Technology), GICTF (Global Inter-Cloud Technology Forum) and ENISA (European Network and Information Security Agency), we analyzed and summarized the range of requirements for security management. As these requirements are not yet fulfilled by current security management approaches, we derived a set of security management areas that describe all identified functional aspects. This set will serve as a foundation of our future development towards a security management architecture for the Inter-Cloud.


Computer and Information Science | 2014

A Revised Attack Taxonomy for a New Generation of Smart Attacks

Robert Koch; Mario Golling; Gabi Dreo Rodosek

The last years have seen an unprecedented amount of attacks. Intrusions on IT systems are rising constantly, both from a quantitative as well as a qualitative point of view. Well-known examples like the hack of the Sony Playstation Network or the compromise of RSA are just some samples of high-quality attack vectors. Since these Smart Attacks are specifically designed to permeate state-of-the-art technologies, current systems like Intrusion Detection Systems (IDSs) are failing to guarantee adequate protection. In order to improve the protection, a comprehensive analysis of Smart Attacks needs to be performed to provide a basis against emerging threats. Following these ideas and inspired by the original definition of the term Advanced Persistent Threat (APT) given by the U.S. Department of Defense, this publication starts with defining the terms, primarily the group of Smart Attacks. Thereafter, individual facets of Smart Attacks are presented in more detail, before recent examples are illustrated and classified using these dimensions. Next to this, current taxonomies are presented including their individual shortcomings. Our revised taxonomy is introduced, specifically addressing the latest generation of Smart Attacks. The different classes of our taxonomy are discussed, showing how to address the specifics of sophisticated, modern attacks. Finally, some ideas for addressing Smart Attacks are presented.


Integrated Network Management | 2007

Towards an Accounting System for Multi-Provider Grid Environments

Gabi Dreo Rodosek; Matthias Gohner; Mario Golling; Michael Kretzschmar

As of today, grids provide the technology, applications, and platforms for seamless access to resources, services, and content in a fully decentralized world of distributed information, computing power, and information technology business. Grid systems have evolved over time from pure computational grids to service grids and therefore provide a sustainable platform for electronic service provisioning in research-oriented and commercial multi-domain environments. Dealing with complex virtual services and virtual resources, where service compositions have to take place on demand, for certain periods of time, and across organizational boundaries, imposes new challenging requirements on the underlying accounting system. The paper proposes an accounting system for complex virtual services and resources in grid environments based on (i) a service model for dynamic virtual organizations, overcoming the typically static nature of traditional grids, and (ii) a detailed description of a job workflow, in order to identify accounting-relevant components and interfaces within a virtual organization. Based on the insights gained, a concept is proposed to derive accounting records, documenting the usage of virtual services and resources, out of the various data sources. Since virtual services and resources are provided by several providers (real or virtual organizations), the complexity of this task is obvious. An assessment of the proposed system is done through a prototypical implementation based upon specific data from grid middlewares such as the Globus toolkit.


IEEE Systems Journal | 2016

Using Geolocation for the Strategic Preincident Preparation of an IT Forensics Analysis

Robert Koch; Mario Golling; Lars Stiemert; Gabi Dreo Rodosek

Attack traceability and attribution are two of the main tasks of IT forensics. To support this, IT forensics is not limited to investigating data after the attack has taken place. Already before the attack, an optimal environment for a subsequent investigation has to be created. While this is primarily focused on ordinary logging, we propose to set both the degree and the characteristics of logging based on geolocation. Thus, for conspicuous locations, more knowledge is gathered and stored in advance (georeputation). Next to this, due to the fact that the distribution of IP addresses is not static, additional information is stored to, e.g., determine the Internet service provider which was responsible for the IP at the time the crime was committed. This additional data also contains geoinformation that can be used later to reconstruct attack routes and to identify and analyze distributed attacks. For these purposes, however, the IP localization mechanisms, i.e., the underlying method for geolocation, must be very accurate. Therefore, next to highlighting the benefits of including geobased information and providing our architecture in order to do so, this publication also investigates the accuracy and reliability of geoinformation and provides its own geolocation architecture and a corresponding prototype, including an evaluation.


IEEE Computer | 2016

How Anonymous Is the Tor Network? A Long-Term Black-Box Investigation

Robert Koch; Mario Golling; Gabi Dreo Rodosek

A popular choice for anonymous Internet communication, the Tor network uses entry, relay, and exit nodes to hide the traffic's origin. However, an investigation that involved running real applications and website requests through Tor revealed numerous agglomerations of exiting traffic that an attacker could exploit.


International Conference on Cyber Conflict | 2015

Blackout and now? Network Centric Warfare in an anti-access area-denial theatre

Robert Koch; Mario Golling

The advance of information and communication technology nowadays offers worldwide broadband communication with high data rates. Motivated by the benefits of real-time distributed information shared between units as well as different levels of command for the purpose of fast and reliable decision-making, numerous nations have been working hard over the past years to implement Network Centric Warfare (NCW). By that, information superiority can be gained and translated into command superiority and finally into force superiority. Being strongly dependent on fast and reliable communication, electrical power outages or disruptions of network nodes like SatCom systems or links can have a severe impact on information gathering and in turn on the decision-making process and the capacity of forces to act. As a consequence, questions arise about the robustness of the NCW doctrine. The ability of power projection is strongly hampered by anti-access/area denial (A2/AD) capabilities. In order to successfully conduct military operations against technologically advanced opponents, forces must address A2/AD as an important element of today's battlefield, comprehend the associated operational implications, and eliminate any imbalances between military objectives and the means by which to achieve them. Following these considerations, this paper analyses, on a technical level, the capabilities and weaknesses of NCW with regard to modern theatres. Based on that, recommendations in order to strengthen the performance and reliability for the further development of NCW are given.

Collaboration


Top Co-Authors

Robert Koch, Bundeswehr University Munich
Michael Kretzschmar, Bundeswehr University Munich
Peter Hillmann, Bundeswehr University Munich
Wolfgang Hommel, Bundeswehr University Munich
Harald Baier, Darmstadt University of Applied Sciences