
Navigating Internet Neighborhoods: Reputation, Its Impact on Security, and How to Crowd-source It

Mingyan Liu, Department of Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, MI. November 6, 2013.


  1. Navigating Internet Neighborhoods: Reputation, Its Impact on Security, and How to Crowd-source It
     Mingyan Liu, Department of Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, MI
     November 6, 2013

  2. Acknowledgment
     Intro Motivation Security investment Crowd sourcing Environments Discussion Conclusion
     Collaborators:
     • Parinaz Naghizadeh Ardabili
     • Yang Liu, Jing Zhang, Michael Bailey, Manish Karir
     Funding from:
     • Department of Homeland Security (DHS)
     Liu (Michigan) Network Reputation November 6, 2013 2 / 52

  3. Threats to Internet security and availability
     From unintentional to intentional, random maliciousness to economic driven:
     • misconfiguration
     • mismanagement
     • botnets, worms, SPAM, DoS attacks, ...
     Typical operators’ countermeasures: filtering/blocking
     • within specific network services (e.g., e-mail)
     • with the domain name system (DNS)
     • based on source and destination (e.g., firewalls)
     • within the control plane (e.g., through routing policies)

  4. Host Reputation Block Lists (RBLs)
     Commonly used RBLs:
     • daily average volume (unique entries) ranging from 146M (BRBL) to 2K (PhishTank)

     | RBL Type         | RBL Name                               |
     |------------------|----------------------------------------|
     | Spam             | BRBL, CBL, SpamCop, WPBL, UCEPROTECT   |
     | Phishing/Malware | SURBL, PhishTank, hpHosts              |
     | Active attack    | Darknet scanners list, Dshield         |

  5. Potential impact of RBLs
     [Figure: total and tainted traffic per hour, with the percentage tainted, against time (hour). (a) By traffic volume (bytes). (b) By number of flows.]
     NetFlow records of all traffic flows at Merit Network
     • at all peering edges of the network from 6/20/2012-6/26/2012
     • sampling ratio 1:1
     • 118.4TB traffic: 5.7B flows, 175B packets.
     As much as 17% (30%) of overall traffic (flows) “tainted”

  6. How reputation lists should be/are used
     Strengthen defense:
     • filter configuration, blocking mechanisms, etc.
     Strengthen security posture:
     • get hosts off the list
     • install security patches, update software, etc.
     Retaliation for being listed:
     • lost revenue for spammers
     • example: recent DDoS attacks against Spamhaus by Cyberbunker
     Aggressive outbound filtering:
     • fixing the symptom rather than the cause
     • example: the country of Mexico

  7. Limitations of host reputation lists
     Host identities can be highly transient:
     • dynamic IP address assignment
     • policies inevitably reactive, leading to significant false positives and misses
     • potential scalability issues
     RBLs are application specific:
     • a host listed for spamming can initiate a different attack
     Lack of standard and transparency in how they are generated
     • not publicly available: subscription based, query enabled

  8. An alternative: network reputation
     Define the notion of “reputation” for a network (suitably defined) rather than for hosts
     A network is typically governed by consistent policies
     • changes in system administration on a much larger time scale
     • changes in resource and expertise on a larger time scale
     Policies based on network reputation are proactive
     • reputation reflects the security posture of the entire network, across all applications, slow changing over time
     Enables risk-analytical approaches to security; tradeoff between benefits in and risks from communication
     • acts as a proxy for metrics/parameters otherwise unobservable

  9. An illustration
     [Figure: Spatial aggregation of reputation. Y-axis: fraction of IPs that are blacklisted (%); x-axis: ASes (1 to 10000); regions marked BAD, ?, GOOD.]
     • Taking the union of 9 RBLs
     • % Addrs blacklisted within an autonomous system (est. total of 35-40K)

  10. Many challenges to address
      • What is the appropriate level of aggregation
      • How to obtain such an aggregated reputation measure, over time, space, and applications
      • How to use these to design reputation-aware policies
      • What effect does it have on the network’s behavior toward others and itself
      • How to make the reputation measure an accurate representation of the quality of a network

  11. Outline of the talk
      Impact of reputation on network behavior
      • Can the desire for good reputation (or the worry over bad reputation) positively alter a network’s decision in investment
      • Within the context of an inter-dependent security (IDS) game: positive externality
      Incentivizing input – crowd-sourcing reputation
      • Assume a certain level of aggregation
      • Each network possesses information about itself and others
      • Can we incentivize networks to participate in a collective effort to achieve accurate estimates/reputation assessment, while observing privacy and self interest

  12. Interdependent Security Risks
      • Security investments of a network have positive externalities on other networks.
      • Networks’ preferences are in general heterogeneous:
        • Heterogeneous costs.
        • Different valuations of security risks.
      • Heterogeneity leads to under-investment and free-riding.

  13. Network Security Investment Game
      Originally proposed by [Jiang, Anantharam & Walrand, 2011]
      • A set of $N$ networks.
      • $N_i$’s action: invest $x_i \ge 0$ in security, with increasing effectiveness.
      • Cost $c_i > 0$ per unit of investment (heterogeneous).
      • $f_i(x)$: security risk/cost of $N_i$, where:
        • $x$: vector of investments of all users.
        • $f_i(\cdot)$: decreasing in each $x_i$ and convex.
      • $N_i$ chooses $x_i$ to minimize the cost function $h_i(x) := f_i(x) + c_i x_i$.
      • Analyzed the suboptimality of this game.

  14. Example: a total effort model
      A 2-player total effort model: $f_1(x) = f_2(x) = f(x_1 + x_2)$, with $c_1 = c_2 = 1$.
      $h_1(x) = f_1(x_1 + x_2) + x_1$, $h_2(x) = f_2(x_1 + x_2) + x_2$:
      • Let $x^o$ be the Nash Equilibrium, and $x^*$ be the Social Optimum.
      • At NE: $\partial h_i / \partial x_i = f'(x_1^o + x_2^o) + 1 = 0$.
      • At SO: $\partial (h_1 + h_2) / \partial x_i = 2 f'(x_1^* + x_2^*) + 1 = 0$.
      • By convexity of $f(\cdot)$, $x_1^o + x_2^o \le x_1^* + x_2^*$ ⇒ under-investment.

  15. An illustration
      [Figure: Suboptimality gap. Curves $-2f'(y)$, $2(1-R')$ and $-f'(y)$ plotted against $y := x_1 + x_2$; marked points $y^{NR}$, $y^{R}$, $y^*$.]

  16. The same game with reputation
      The same model, with the addition:
      • $N_i$ will be assigned a reputation based on its investment.
      • Valuation of reputation given by $R_i(x)$: increasing and concave.
      • $N_i$ chooses $x_i$ to minimize the cost function $h_i(x) := f_i(x) + c_i x_i - R_i(x)$.
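
The under-investment argument of slides 14 to 16, worked numerically as an added example (not code from the slides). The risk function f(y) = 4·exp(-y), a reputation value R(x_i) = 0.3·ln(1 + x_i) that depends only on a network's own investment, and all function names are assumptions made here.

```python
import math

# Assumed for illustration (not from the slides):
#   f(y) = A*exp(-y)        shared risk, decreasing and convex
#   R(x_i) = a*ln(1 + x_i)  reputation value, increasing and concave
A, a = 4.0, 0.3

def f(y):
    return A * math.exp(-y)

def f_prime(y):
    return -A * math.exp(-y)

def R_prime(x_i):
    return a / (1.0 + x_i)

def root_decreasing(g, lo=0.0, hi=50.0, tol=1e-12):
    """Bisection root of a strictly decreasing g with g(lo) > 0 > g(hi)."""
    if not (g(lo) > 0 > g(hi)):
        raise ValueError("no interior solution in [lo, hi]")
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        lo, hi = (mid, hi) if g(mid) > 0 else (lo, mid)
    return 0.5 * (lo + hi)

def total_investment(risk_weight, reputation):
    """Total y = x_1 + x_2 from the first-order condition, c_1 = c_2 = 1.

    risk_weight=1: each network counts only its own risk (Nash equilibrium).
    risk_weight=2: both networks' risk is counted (social optimum).
    reputation=True subtracts R'(x_i); strict concavity of R forces
    R'(x_1) = R'(x_2), so the equilibrium is symmetric with x_i = y/2.
    """
    def g(y):
        rep = R_prime(y / 2.0) if reputation else 0.0
        return -risk_weight * f_prime(y) - (1.0 - rep)
    return root_decreasing(g)

def social_cost(y):
    """h_1 + h_2 without the reputation term: 2*f(y) + y."""
    return 2.0 * f(y) + y

if __name__ == "__main__":
    cases = {"NE, no reputation": (1, False),
             "NE, with reputation": (1, True),
             "social optimum": (2, False)}
    for name, (w, rep) in cases.items():
        y = total_investment(w, rep)
        print(f"{name:20s} y = {y:.4f}  social cost = {social_cost(y):.4f}")
```

For these parameters the reputation term moves total investment toward the social optimum without reaching it, which is the ordering of the three marked points in the slide 15 figure.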
