Presentation on theme: "S ecurity T hreat A ssessment across L arge N etwork I nfrastructures Grigorios Fragkos Research Student – Information Security Research Group School of."— Presentation transcript:
The Wired & Wireless Gaia The worldwide internet population is already at 934 million in 2004 and projected to reach 1.21 billion in 2006 [ClickZ Stats Staff 2005] The reported security incidents have evolved from 6 in 1988 to 21,756 in 2000 and consequently to 137,529 in 2003 [CERT 2005]
Security… Safeguarding Large Network Infrastructures Why is still a problem? a) why do network infrastructures still suffer from attacks and why do we still wondering why we cannot deal efficiently with the security related issues by taking active countermeasures against them. b) Should todays security, still be considered as a technology problem? c) How and what kind of system, built with security in mind, could protect large network infrastructures efficiently by performing threat assessment?
What is Security? –The Cambridge Dictionary describes security as:The ability to avoid being harmed by any risk, danger or threat –Also, the Oxford English Dictionary describes security as:The state of being or feeling secure …where secure is described as protected against attack or other criminal activity Do we need a definition that describes in a more realistic and practical way achievable goals?
Defining Security The state of being or feeling secure, by having the ability to avoid being harmed at an irrecoverable level, by any risk, danger or threat, when/for protecting a specific asset. (Authors definition, where secure is defined according to the Oxfords dictionary definition)
NISCC, CNI and Smart Procurement –National Infrastructure Security Co-ordination Centre (NISCC) –National Infrastructure Security Co-ordination Centre (NISCC) (To ensure the continuity of society in time of crisis) [NISCC 2005] –Critical National Infrastructure (CNI) –Critical National Infrastructure (CNI) (Known in the UK as the essential services and systems protected by NISCC) –Smart Procurement (The financial issues arising when we have to deal with large projects. In a similar way the MoD is applying Smart Procurement in order to calculate if the amount of available resources needed for purchasing military equipment, is equivalent to the amount of equipment they need to purchase) [MoD 2001]
Approaching a solution University A University A University B University B University C University C University D University D Corporation A Corporation A University E (Glam) University E (Glam) Intelligent Engine Threat Assessment Corporation B Corporation B Non-Governmental Organization Expand existed computer and network-defensive technologies by combining them with the information and services provided by the NISCC in order to design a prototype architecture that could be easily applied in large infrastructures
Threat Assessment & Threat Response Real-Time Threat Assessment has two very important goals. –The first goal is to minimize the time from the moment an attack actually started until the moment our defense system is able to identify it as an actual attack. –The second goal which we are trying to achieve, is to minimize the amount of time that is essential by our system to take any required actions or deploy a set of countermeasures, before the actual attack has finished.
Threat Assessments Timeframes time δ a1a2 a1 - Attack Started a2 - Attack Finished d1 - Detected Attack d2 - Deploy Countermeasures attackers data generated that exposed him/her.. δ(x) d1d2 δ(y) Δ δ - Lasting time of an attack Δ - Timeframe for the moment an attack detected until the moment the attack was blocked.
The Idea An efficient structure of intrusion detection data into Object-Oriented hierarchy trees, will provide to the system a similar understanding of the events as the human brain can understand the relativity of species or objects. Make a system aware of what it sees, and as become conscious of the various types of attacks that exist in the wild, along with their various subtypes. In other words the system will not just detect an already known or novel attack but it will have a notional understanding of the network traffic and will be able to identify novel attacks and categorize them based on what it knows up to that moment
Combination of Technologies –Multi-CPU systems –Beowulf Clusters –Grid Computing –A.I. languages –SSH, SOAP, XML, Python –Object-Oriented Classification of Network Events –Footprints Repository –State of the art Intrusion Detection Systems
Real-Time Threat Assessment Present an architecture that can be used to perform Real-Time Threat Assessment using IDS data –Provide a holistic picture of an attack and thus facilitate the decision making process associated with Computer Network Defence –Analyse and index data from a variety of distributed heterogeneous sources via a taxonomy of object-based attack classifications –Perform threat assessment based on the progression of an attack using principles derived from A.I.
Summary –Automate the Threat Assessment process through vast amount of information –Identify new attacks based on patterns of behaviour using anomaly detection. –Prevent ongoing attacks by interchanging information in a non- centralized manner –Protect in Real-Time Critical-Importance Infrastructures
Q & A Thank you for your attention Grigorios Fragkos Information Security Research Group (ISRG) University of Glamorgan, Wales, UK
References Biermann, E., Cloete, E. and Venter, L. (2001). A Comparison of Intrusion Detection Systems. Computers & SecurityBiermann, E., Cloete, E. and Venter, L. (2001). A Comparison of Intrusion Detection Systems. Computers & Security ClickZ Stats Staff, Population Explosion, (2005), Available at: http://www.clickz.com/stats/sectors/geographics/article.php/5911_151151ClickZ Stats Staff, Population Explosion, (2005), Available at: http://www.clickz.com/stats/sectors/geographics/article.php/5911_151151 CERT® Coordination Center, (2005) CERT Coordination Center Statistics 1988-2003, Available at: http://www.cert.org/stats/cert_stats.htmlCERT® Coordination Center, (2005) CERT Coordination Center Statistics 1988-2003, Available at: http://www.cert.org/stats/cert_stats.html Debar H., Dacier M., Wespi A., (1999) Towards a taxonomy of intrusion detection systems, Computer NetworksDebar H., Dacier M., Wespi A., (1999) Towards a taxonomy of intrusion detection systems, Computer Networks Lippmann R.,et al., (1998) Evaluating Intrusion Detection Systems, The 1998 DARPA Off-line Intrusion Detection Evaluation. First International Workshop on Recent Advances in Intrusion Detection (RAID), Louvain-la-Neuve, BelgiumLippmann R.,et al., (1998) Evaluating Intrusion Detection Systems, The 1998 DARPA Off-line Intrusion Detection Evaluation. First International Workshop on Recent Advances in Intrusion Detection (RAID), Louvain-la-Neuve, Belgium Lunt, T. (1993) A survey of intrusion detection techniques, Computers and SecurityLunt, T. (1993) A survey of intrusion detection techniques, Computers and Security Morakis, E., Vidalis, A., Blyth, A. J.C. (2003a). Measuring Vulnerabilities and their Exploitation Cycle, Elsevier Information Security Technical Report, Vol. 8, No. 4Morakis, E., Vidalis, A., Blyth, A. J.C. (2003a). Measuring Vulnerabilities and their Exploitation Cycle, Elsevier Information Security Technical Report, Vol. 8, No. 4 Morakis, E., Vidalis, S., Blyth, A.J.C. (2003b). A Framework for Representing and Analysing Cyber Attacks Using Object Oriented Hierarchy Trees. Second European Conference in Information Warfare, UK, pp235-246Morakis, E., Vidalis, S., Blyth, A.J.C. (2003b). A Framework for Representing and Analysing Cyber Attacks Using Object Oriented Hierarchy Trees. Second European Conference in Information Warfare, UK, pp235-246
Threat QuestionQuestion What do we mean by threat when talking about security? AnswerAnswer A threat to a system can be defined as: –A possible danger to the system (Michel E. Kabay, Enterprise Security: Protecting Information Assets, McGraw-Hill, 1996) –A circumstance that has the potential to cause loss or harm (Charles P. Pfleeger, Security in Computing, Addison Wesley, 1997) –A circumstance or event that could cause harm by violating security (Rita C. Summers, Secure Computing: Threats and Safeguards, McGraw-Hill, 1997)
Threat Assessment QuestionQuestion What is Threat Assessment? What is Threat Assessment? AnswerAnswer There are two goals in the model of Threat Assessment: –Identify threats based on feasibility (enablers) and indicators of potential exploitation. These threats are further categorized by the potential likelihood they will be exploited. –Provide an intelligence-based method of predicting, detecting, and monitoring potential large-scale threats to business and national security. [Global Technology Research, Inc].
Intrusion Detection Systems (IDS) TechnologiesTechnologies –Host Based –Network Based –Application Based –Stack Based Defence MechanismsDefence Mechanisms –Passive –Reactive Detection ModeDetection Mode –Misuse Detection –Anomaly Detection –Specification Based
State of the Art & its limitations Intrusion Detection Systems and security auditing systems have developed to the point where large quantities of information relating to security incidents can be captured, stored, indexed and classified. Probabilistic MethodsProbabilistic Methods Multi-pattern Search AlgorithmsMulti-pattern Search Algorithms Hybrid neural networksHybrid neural networks Learning program behaviourLearning program behaviour Correlation of Intrusion alertsCorrelation of Intrusion alerts All mentioned systems fall under a basic characteristic; They either follow the path to become misuse detection systems or anomaly detection systems
Real - Time Unification ProcessUnification Process A number of sensors running any type of IDS, as described earlier, are logging network events into a centralized repository. The collector (or the unification process) gathers all the information before they are sent to the repository in order to unify the data under a single database schema U S 1 …S 2 ……S n DB U: Unification Process S: Sensor Data Repository SOAP XML / RPC Execution Engine
Systems Architecture Data Repository Sensor 1 Sensor 2 Sensor n...... SOAP AGENT message XML / SOAP envelop SOAP Server Execution Engine Visualization Window Visualization Window Countermeasures Engine Classification Repository Footprint Repository checkTop level Classification Repository load balancing