Moving Target Defense for the Placement of Intrusion Detection Systems in the Cloud - PowerPoint presentation


  1. Moving Target Defense for the Placement of Intrusion Detection Systems in the Cloud. Sailik Sengupta, Ankur Chowdhary, Subbarao Kambhampati, Dijiang Huang. Yochan AI Lab and SNAC (Secure Networking and Computing) Lab.

  2. Intrusion Detection Systems? [Figure: an attacker facing network group G1, which contains a Web Server (W) and a SQL Server (M).]

  3. Intrusion Detection Systems? Network-Based Intrusion Detection Systems: check the payload on the network to infer whether it is (going to be) malicious. [Figure: a NIDS placed between the attacker and group G1 (Web Server (W), SQL Server (M)).]

  4. Intrusion Detection Systems? Network-Based Intrusion Detection Systems: check the payload on the network to infer whether it is (going to be) malicious. Host-Based Intrusion Detection Systems: analyze a computing system to detect anomalous behavior on it; they can monitor things from read/write access of files/folders to software calls that may record keystrokes, etc. [Figure: the NIDS in front of group G1, plus an HIDS (e.g. auditd) on each of the Web Server (W) and the SQL Server (M).]

  5. Contents • Motivation • Problem Description • Solution Methods • Results • Conclusions

  6. Going All-out for Security in Large Cloud Networks. NIDS increases • the processing time of a packet • the number of packets sent over the internal network. HIDS increases • the use of resources on a particular host, etc. (Jha, S. et al. 2002; Venkatesan, S. et al. 2016)


  9. Contents • Motivation • Problem Description • Solution Method • Results • Conclusions

  10. Intrusion Detection Systems in Cloud Networks [Figure: cloud network topology. The Internet and the Administrator reach a Physical Router, which connects to a Management Network and an Internal Network (interfaces eth0/eth1/eth2). The Cloud Controller runs Network Monitoring and an Attack Analyzer. Cloud Server 1 hosts group G1 (Web Server (W), SQL Server (M)) and Cloud Server 2 hosts group G2 (AD Server (D), FTP Server (F)); each cloud server has a br-int bridge where a NIDS can be placed, and each server VM can run an HIDS.]

  11. Intrusion Detection Systems in Cloud Networks. The attacker could be located either outside or inside the network (stealthy attacker). [Same topology figure as slide 10, now with an attacker on the Internet side and another inside the internal network.]

  12. Intrusion Detection Systems in Cloud Networks. The attacker could be located either outside or inside the network (stealthy attacker). Deploy a limited (k) number of IDS in the Cloud Network (that offer protection against known vulnerabilities in the cloud system). [Same topology figure.]

  13. Intrusion Detection Systems in Cloud Networks. The attacker could be located either outside or inside the network (stealthy attacker). Deploy a limited (k) number of IDS in the Cloud Network (that offer protection against known vulnerabilities in the cloud system). Challenge: how to place these k Intrusion Detection Systems? [Same topology figure.]

  14. What can we do? How to place these k Intrusion Detection Systems? - Static placement of IDS: the attacker learns the placement over time and thereby learns how to avoid it.

  15. Moving Target Defense. How to place these k Intrusion Detection Systems? - Static placement of IDS: the attacker learns the placement over time and thereby learns how to avoid it. - Dynamic placement of IDS: keep moving the IDS that are activated at any given point of time.

  16. Moving Target Defense. How to place these k Intrusion Detection Systems? - Dynamic placement of IDS: keep moving the IDS that are activated at any given point of time. - How to move? Stackelberg Security Game (SSG). [Figure: related work grouped by the MTD surface that is shifted (attack surface shifting, exploration surface shifting, detection surface shifting, prevention surface shifting), citing Manadhata et al. 2013, Zhuang et al. 2014, Venkatesan 2016, Venkatesan et al. 2016, Lei et al. 2017, Al-Shaer et al. 2013, Jajodia et al. 2018, Zhu and Bashar 2013, Carter et al. 2014, Prakash and Wellman 2015, Chowdhury et al. 2016, B. Bohara 2017, and Sengupta et al. 2016, 2017, 2018.]

  17. Contents • Motivations • Problem Description • Solution Methods • Results • Conclusions

  18. Moving Target Defense – A Cloud Network Scenario. These attacks can be selected from the Common Vulnerabilities and Exposures (CVEs) stored in the National Vulnerability Database (NVD). Each CVE has a • list of technologies it can affect • expertise required for being able to use it. [Same topology figure as slide 11, annotated with the candidate attacks as ⟨IP, CVE⟩ pairs: ⟨192.168.0.6, CVE-2016-0128⟩, ⟨192.168.0.6, CVE-2015-1635⟩, ⟨192.168.0.6, CVE-2011-0657⟩, ⟨192.168.0.7, CVE-2008-5161⟩, ⟨192.168.0.9, CVE-2008-5161⟩.]

  19. Game Theoretic Modeling [Figure: payoff matrix. Rows: the defender selects 2 nodes to deploy IDS in. Columns: the attacker selects a vulnerability to attack.] Number of defender strategies is n choose k. Combinatorial explosion!

  20. Game Theoretic Modeling [Same payoff matrix, labelled with the reward matrices R^D, R^A.] Number of defender strategies is n choose k. Combinatorial explosion! Thus, the number of utility values that need to be specified is also large!

  21. Efficient Utility Modeling. Number of defender strategies is n choose k. Combinatorial explosion! Thus, the number of utility values that need to be specified is also large! Break it down! Define utility values for each player for each IDS placement, depending only on whether an IDS was allocated to detect attack a (covered) or not (not covered): defender U^D_{c,a} if covered, U^D_{u,a} if not covered; attacker U^A_{c,a} if covered, U^A_{u,a} if not covered.

  22. Common Vulnerability Scoring System (CVSS)* • Is a scoring matrix for CVEs maintained by security experts across the world. • It has 2 high-level scores: • Impact Score (IS) • Exploitability Score (ES). • One can generate a Base Score for each CVE based on formulas defined by security experts: BS = f(IS, ES). [Same covered / not covered utility table (U^D_{c,a}, U^D_{u,a}, U^A_{c,a}, U^A_{u,a}) as slide 21.]

  23. Obtaining Utility Values. Common Vulnerability Scoring System (CVSS)* • Is a scoring matrix for CVEs maintained by security experts across the world. • It has 2 high-level scores: • Impact Score (IS) • Exploitability Score (ES). • One can generate a Base Score for each CVE based on formulas defined by security experts: BS = f(IS, ES). [Utility table filled in from CVSS. Defender, covered: -1 × betweenness centrality value (−5.7). Defender, not covered: -1 × impact (−6.4). Attacker, covered: -1 × exploitability (−8.6). Attacker, not covered: base value (+6.8).]

  24. Defender’s expected utility. Multi-objective function maximization that - ensures the least impact on performance, - maximizes the security.

  25. Defender’s expected utility. Multi-objective function maximization that - ensures the least impact on performance, - maximizes the security. Attacker selects the attack a′ that maximizes their utility: w_{a′} = 1. Inspired from P. Paruchuri et al. 2008.

  26. Defender’s expected utility. Turns out this is equivalent to solving multiple LPs where you pre-decide the action an attacker will take. Thus, it can be computed in polynomial time. We prove equivalence to a modified version of the multiple-LP approach in Korzhyk et al. 2010. Attacker selects the attack a′ that maximizes their utility: w_{a′} = 1.

  27. Contents • Motivations • Problem Description • Solution Methods • Results • Conclusions

  28. Experiments [Figure: the cloud network topology of slide 11, with the attacker, Cloud Controller, Cloud Server 1 (G1: W, M) and Cloud Server 2 (G2: D, F), NIDS on the br-int bridges and HIDS on the servers.]

  29. Finding implementable strategies p_{t,a}
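The game of slides 19-26 and the implementable-strategy step of slide 29, worked through in Python as an added example; this is not the authors' code and the paper's implementation is not on this page. Beyond what the slides state it assumes: the reading of slide 23's table (defender: −centrality if the attack is covered, −impact if not; attacker: −exploitability if covered, +base score if not), the CVSS v2 base-score equation for BS = f(IS, ES) (which reproduces the slide's IS 6.4, ES 8.6 → BS 6.8), that one IDS covers exactly one ⟨IP, CVE⟩ attack, and that each "pre-decide the attacker's action" subproblem is solved by a bisection search rather than an LP, which is valid here because every attacker constraint only lower-bounds one coverage probability. The ⟨IP, CVE⟩ labels are the slides'; the scores and centrality values are constructed, not NVD data.

```python
"""Stackelberg IDS placement using the slides' utility decomposition: one number per
(attack, covered / not covered) per player, 4n values instead of a payoff for each
of the C(n, k) placements. Added example; ASSUMPTION marks what the slides don't state."""
from math import comb

def cvss2_base_score(impact, exploitability):
    """CVSS v2 base-score equation (the slide's BS = f(IS, ES)): IS 6.4, ES 8.6 -> 6.8."""
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)

# Constructed sample: the <IP, CVE> labels are the slides', but the scores and the
# betweenness-centrality values are made up (row one copies the slide's worked numbers).
ATTACKS = {
    "<192.168.0.6, CVE-2016-0128>": dict(impact=6.4, exploitability=8.6, centrality=5.7),
    "<192.168.0.6, CVE-2015-1635>": dict(impact=10.0, exploitability=10.0, centrality=2.0),
    "<192.168.0.7, CVE-2008-5161>": dict(impact=2.9, exploitability=10.0, centrality=1.0),
    "<192.168.0.9, CVE-2008-5161>": dict(impact=6.4, exploitability=3.9, centrality=8.0),
}

def utilities(attack):
    """ASSUMPTION (reading of slide 23's table): defender gets -centrality if the attack
    is covered (IDS performance cost), -impact if not; attacker gets -exploitability if
    covered (caught), +base score if not."""
    bs = cvss2_base_score(attack["impact"], attack["exploitability"])
    return {"D": {"c": -attack["centrality"], "u": -attack["impact"]},
            "A": {"c": -attack["exploitability"], "u": bs}}

def attacker_utilities(attacks, marginals):
    """Attacker's expected payoff per attack under the coverage probabilities."""
    out = {}
    for a, spec in attacks.items():
        u = utilities(spec)["A"]
        out[a] = u["u"] + marginals[a] * (u["c"] - u["u"])
    return out

def best_coverage_for_target(attacks, k, target, iters=100):
    """Subproblem with the attacker's action pre-decided as `target`. ASSUMPTION: one
    IDS covers one attack, so any marginal vector in [0,1]^n with sum <= k is
    implementable and the LP collapses to a 1-D search: every other attack a needs just
    enough coverage that attacking a pays no more than attacking `target`."""
    U = {a: utilities(spec) for a, spec in attacks.items()}

    def lower_bounds(x_t):  # minimum coverage of every other attack, given x_t
        u_t = U[target]["A"]["u"] + x_t * (U[target]["A"]["c"] - U[target]["A"]["u"])
        lbs = {}
        for a in attacks:
            if a == target:
                continue
            loss = U[a]["A"]["u"] - U[a]["A"]["c"]  # attacker's penalty for being covered
            if loss <= 0:  # coverage does not deter this attack at all
                lbs[a] = 0.0 if U[a]["A"]["u"] <= u_t else float("inf")
            else:
                lbs[a] = max(0.0, (U[a]["A"]["u"] - u_t) / loss)
        return lbs

    def feasible(x_t):
        lbs = lower_bounds(x_t)
        return (max(lbs.values(), default=0.0) <= 1 + 1e-12
                and x_t + sum(lbs.values()) <= k + 1e-12)

    if not feasible(0.0):
        return None  # the attacker can never be steered to this target
    lo, hi = (1.0, 1.0) if feasible(1.0) else (0.0, 1.0)
    for _ in range(iters):  # bisection: the bounds grow with x_t, so feasibility is monotone
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if feasible(mid) else (lo, mid)
    slope = U[target]["D"]["c"] - U[target]["D"]["u"]
    x_t = lo if slope >= 0 else 0.0  # defender's utility is linear in x_t
    marginals = lower_bounds(x_t)
    marginals[target] = x_t
    return U[target]["D"]["u"] + x_t * slope, marginals

def solve_sse(attacks, k):
    """Strong Stackelberg equilibrium: one subproblem per attacker action, keep the best
    defender utility (attacker ties break in the defender's favour).
    Returns (defender utility, attacker's target, coverage marginals) or None."""
    best = None
    for target in attacks:
        res = best_coverage_for_target(attacks, k, target)
        if res is not None and (best is None or res[0] > best[0]):
            best = (res[0], target, res[1])
    return best

def implementable_strategy(marginals, k):
    """Slide 29's step: a distribution over placements of at most k IDS whose per-attack
    coverage equals the marginals (each <= 1, sum <= k). Comb construction: lay intervals
    of length x_a end to end, draw u in [0,1) and take the points u, u+1, ..., u+k-1;
    an interval is at most one unit long, so it catches one point with probability x_a."""
    names = list(marginals)
    edges = [0.0]
    for a in names:
        edges.append(edges[-1] + marginals[a])
    cuts = sorted({e % 1.0 for e in edges}) + [1.0]  # offsets where the chosen set changes
    strategy = []
    for lo, hi in zip(cuts, cuts[1:]):
        if hi - lo < 1e-12:
            continue
        u = (lo + hi) / 2
        placement = frozenset(a for i, a in enumerate(names)
                              if any(edges[i] <= u + m < edges[i + 1] for m in range(k)))
        strategy.append((placement, hi - lo))
    return strategy

if __name__ == "__main__":
    k = 2
    print(f"pure defender strategies: C({len(ATTACKS)}, {k}) = {comb(len(ATTACKS), k)}")
    util, target, marg = solve_sse(ATTACKS, k)
    print(f"attacker's best response: {target}; defender expected utility {util:.3f}")
    for placement, prob in implementable_strategy(marg, k):
        print(f"  p={prob:.3f}: deploy IDS for {sorted(placement)}")
```

With these numbers the defender's marginals make all four attacks equally attractive to the attacker and the low-impact ⟨192.168.0.7, CVE-2008-5161⟩ is the one the defender would rather absorb, so it is the attacker's best response in the equilibrium. The marginals alone cannot be deployed; `implementable_strategy` turns them into a distribution over concrete placements of at most k IDS (support of at most n+1 placements), which is the kind of object slide 29's "implementable strategies" step has to produce before the IDS can actually be moved.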
