
RheoStat: Real-time Risk Management. Ashish Gehani and Gershon Kedem. PowerPoint presentation (slide transcript).



  1. RheoStat: Real-time Risk Management
     Ashish Gehani and Gershon Kedem
     Department of Computer Science, Duke University

  2. PROBLEM: Intrusion response
     • Manual response is decreasingly tenable:
       – High attack frequency
       – Great attack diversity
       – Rapid attack execution
       – Protection Time < Detection Time + Response Time
     • False positives preclude retaliation
     • Network connections are encrypted

  3. SOLUTION STRATEGY
     • Automate response:
       – Model runtime risk
       – Build vulnerability management primitives
       – Dynamically manage risk
       – Minimize impact on performance
     • Passive response: limited to the owner's domain
     • Host-based

  4. RISK MODEL: Management
     [Diagram: Threat (with its Likelihood), Vulnerabilities (with their Safeguards) and Assets (with their Consequences) combine into Risk; Risk is compared against a Threshold and, if it is exceeded (Yes), the system is Reconfigured.]

  5. RHEOSTAT: Signatures, Timeouts
     [Diagram: a timeline from System Initialized ($t_0$) through events $e_1$ ($t_1$), $e_2$ ($t_2$), $e_3$ ($t_3$) and $e_4$ ($t_4$) to an Alarm at $t_5$, annotated with the timeout conditions $t_2 - t_1 > t_{pre}$, $t_3 - t_1 > t_{pre}$ and $t_5 - t_4 > t_{post}$.]

  6. RISK MODEL: Threat
     • Events: $E = \{e_1, e_2, \ldots\}$
     • Threats: $T = \{t_1, t_2, \ldots\}$
     • Signature: $S(t) = \{s_1, s_2, \ldots\}$, $s_i \in E$, $t \in T$
     • Likelihood: $\mathcal{T}(t) = \mu(t, E \cap S(t))$, $t \in T$
     • Matching function: $\mu(t, E \cap S(t)) = \dfrac{|E \cap S(t)|}{|S(t)|}$

  7. ARM: Active Reference Monitor
     [Diagram: an Application requests permission $p(i,j,k)$ (Subject $i$, Object $j$, Right $k$) from Access Control $M$. The Intrusion Detector supplies the current Threat Level $l$. If Benefit[$\sigma(i,j,k)$, $l$] > Cost[$\sigma(i,j,k)$] and the predicate $\sigma(i,j,k)$ is Defined, the Monitor evaluates $\sigma(i,j,k)$: True means Permission $p(i,j,k)$ Granted, False means Permission $p(i,j,k)$ Denied. If $\sigma(i,j,k)$ is Undefined, the Default $D(i,j,k)$ decides. Two MonitorException exits are shown, one of them labelled Timer Expired.]

  8. RISK MODEL: Vulnerability
     • Weaknesses: $W = \{w_1, w_2, \ldots\}$; $W(t) \subseteq W$, $t \in T$
     • Permissions: $P = \{p_1, p_2, \ldots\}$; $P(w) \subseteq P$, $w \in W$
     • Safeguards: $\hat{P}(t) = \bigcup_{w \in W(t)} P(w)$, $t \in T$
     • Static Exposure: $v(p) \in \{0, 1\}$, $p \in P$
     • Dynamic Exposure: $v'(p) \in [0, 1]$, $p \in P$
     • Vulnerability: $\mathcal{V}(t) = \sum_{p \in \hat{P}(t)} \dfrac{v(p)\, v'(p)}{|\hat{P}(t)|}$, $t \in T$

  9. RISK MODEL: Consequence
     • Objects: $O = \{o_1, o_2, \ldots\}$
     • Assets: $A(t) \subseteq O$
     • Confidentiality: $c(o)$, $o \in O$
     • Integrity: $i(o)$, $o \in O$
     • Availability: $a(o)$, $o \in O$
     • Consequence: $\mathcal{C}(t) = \sum_{o \in A(t)} \big(c(o) + i(o) + a(o)\big)$, $t \in T$

  10. RISK MODEL: Unmanaged Risk
     • Unmanaged Risk: $\mathcal{R} = \sum_{t \in T} \mathcal{T}(t) \cdot \mathcal{V}(t) \cdot \mathcal{C}(t)$
     • Computation Time: $O(|T| \cdot |P| \cdot |O|)$

  11. RISK MODEL: Vulnerability Management
     • Auxiliary safeguards: $\sigma(P) \subseteq P$
     • Static checks: $\pi(P) \subseteq P$
     • $\sigma(P) \cap \pi(P) = \emptyset$, $\sigma(P) \cup \pi(P) = P$
     ($\sigma$ follows the per-permission predicate $\sigma(i,j,k)$ of slide 7; $\pi$ denotes the checks that always run.)

  12. ARM: Skeleton of Auxiliary Safeguard

     import java.security.Permission;

     // An auxiliary safeguard is a predicate run on its own thread, so the ARM
     // can wait on `lock` with a timeout and treat a slow predicate as Timer Expired.
     public abstract class PredicateThread extends Thread {
         protected final Permission permission; // permission p(i,j,k) being guarded
         protected final Object lock;           // monitor the ARM waits on
         private volatile boolean result;       // predicate outcome, read by the ARM

         protected PredicateThread(Permission permission, Object lock) {
             this.permission = permission;
             this.lock = lock;
         }

         protected abstract boolean condition(); // e.g. OperationalHours (slide 22)

         public void run() {
             if (condition()) result = true;
             synchronized (lock) { lock.notify(); } // wake the waiting ARM
         }

         public boolean getResult() { return result; }
     }

  13. RISK MODEL: Managed Risk
     • Managed Vulnerability: $\mathcal{V}'(t) = \sum_{p \in \hat{P}(t) \cap \pi(P)} \dfrac{v(p)\, v'(p)}{|\hat{P}(t)|} + \sum_{p \in \hat{P}(t) \cap \sigma(P)} \dfrac{v(p)}{|\hat{P}(t)|}$, $t \in T$
     • Managed Risk: $\mathcal{R}' = \sum_{t \in T} \mathcal{T}(t) \cdot \mathcal{V}'(t) \cdot \mathcal{C}(t)$

  14. RISK MODEL: Risk Tolerance
     • Event: $e$
     • Risk before: $\mathcal{R}_b$
     • Risk change: $\Delta \ne 0$
     • Risk after: $\mathcal{R}_a = \mathcal{R}_b + \Delta$
     • Risk threshold: $\mathcal{R}_0$
     • $\Delta > 0 \wedge \mathcal{R}_a > \mathcal{R}_0 \Rightarrow$ Reduce()
     • $\Delta > 0 \wedge \mathcal{R}_a \le \mathcal{R}_0 \Rightarrow \emptyset$ (no response)
     • $\Delta < 0 \Rightarrow \mathcal{R}_a = \mathcal{R}_b + \Delta < \mathcal{R}_b < \mathcal{R}_0 \Rightarrow$ Relax()

  15. RISK MODEL: Risk Recalculation
     • Threat change: $\delta(t, e) = \mu\big(t, (E \cup \{e\}) \cap S(t)\big) - \mu\big(t, E \cap S(t)\big)$
     • Threats affected: $\Delta(T, e) = \{\, t \in T : \delta(t, e) \ne 0 \,\}$
     • Update cost: $O(|T|)$, with $\mathcal{V}(t)$ and $\mathcal{C}(t)$ cached
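The risk model of slides 6 to 10 and the event-driven update of slides 13 to 15, worked through in Python. This is an added illustration, not RheoStat's code: the threat names, event labels, permission strings, exposure values, c/i/a weights and the threshold are constructed for the example, and `on_event` is a hypothetical entry point standing in for the ARM's event handling. Exposure of a permission is v(p) v'(p) when a predicate guards it (a static check or an enabled auxiliary safeguard) and v(p) otherwise, which is the managed vulnerability of slide 13; with every permission guarded it reduces to slide 8. The expired-event path models the timeouts of slide 5 and is what drives the Relax() branch of slide 14.

```python
from dataclasses import dataclass, field

# Added example on constructed data; not the RheoStat implementation.
# Symbols follow slides 6-10 and 13-15: E, S(t), Phat(t), A(t), v(p), v'(p),
# c/i/a(o), T(t), V(t), C(t), R, R_0, delta(t, e), Delta.


@dataclass(frozen=True)
class Threat:
    name: str
    signature: frozenset    # S(t): events that make up the attack
    permissions: frozenset  # Phat(t): permissions the attack exploits
    assets: frozenset       # A(t): objects whose c/i/a are at stake


@dataclass
class RiskModel:
    threats: list
    v: dict                     # static exposure v(p) in {0, 1}
    v_dyn: dict                 # dynamic exposure v'(p) in [0, 1]
    cia: dict                   # object -> (c(o), i(o), a(o))
    static_checks: frozenset    # pi(P): predicates that always run (slide 11)
    enabled: set = field(default_factory=set)  # enabled auxiliary safeguards
    events: set = field(default_factory=set)   # E: events matched so far

    def likelihood(self, t):
        """T(t) = mu(t, E ∩ S(t)) = |E ∩ S(t)| / |S(t)|."""
        return len(self.events & t.signature) / len(t.signature)

    def exposure(self, p):
        """Slide 13: v(p) v'(p) if a predicate guards p, plain v(p) otherwise."""
        guarded = p in self.static_checks or p in self.enabled
        return self.v[p] * (self.v_dyn[p] if guarded else 1.0)

    def vulnerability(self, t):
        """V(t) = sum_{p in Phat(t)} exposure(p) / |Phat(t)|."""
        return sum(self.exposure(p) for p in t.permissions) / len(t.permissions)

    def consequence(self, t):
        """C(t) = sum_{o in A(t)} c(o) + i(o) + a(o)."""
        return sum(sum(self.cia[o]) for o in t.assets)

    def risk(self):
        """R = sum_t T(t) V(t) C(t)."""
        return sum(self.likelihood(t) * self.vulnerability(t) * self.consequence(t)
                   for t in self.threats)

    def on_event(self, e, threshold, expired=False):
        """Slides 14-15: apply one event (or its timeout), recompute only the
        threats whose signature contains e, and classify the risk change."""
        before = self.risk()
        affected = [t for t in self.threats if e in t.signature]
        old = {t.name: self.likelihood(t) for t in affected}
        if expired:
            self.events.discard(e)   # slide 5 timeout drops e from E
        else:
            self.events.add(e)
        # Delta = sum over affected t of delta(t, e) V(t) C(t); V and C would be
        # cached per threat, so the update only touches the affected threats.
        delta = sum((self.likelihood(t) - old[t.name]) * self.vulnerability(t)
                    * self.consequence(t) for t in affected)
        after = before + delta
        if delta > 0 and after > threshold:
            action = "Reduce"
        elif delta < 0:
            action = "Relax"
        else:
            action = None
        return round(after, 6), round(delta, 6), action


def sample_model():
    """Constructed scenario loosely following the upload servlet of slide 22."""
    upload_flood = Threat("upload_flood", frozenset({"e1", "e2", "e3"}),
                          frozenset({"write:/uploads", "accept:tcp/8080"}),
                          frozenset({"disk"}))
    cred_theft = Threat("cred_theft", frozenset({"e4", "e5"}),
                        frozenset({"read:/etc/passwd"}), frozenset({"passwd"}))
    return RiskModel(
        threats=[upload_flood, cred_theft],
        v={"write:/uploads": 1, "accept:tcp/8080": 1, "read:/etc/passwd": 1},
        v_dyn={"write:/uploads": 0.3, "accept:tcp/8080": 0.9, "read:/etc/passwd": 0.1},
        cia={"disk": (0, 0, 5), "passwd": (8, 2, 0)},
        static_checks=frozenset({"read:/etc/passwd"}),
    )


def demo(threshold=2.0):
    """Two signature events arrive, then the first one times out."""
    m = sample_model()
    return [m.on_event("e1", threshold),
            m.on_event("e2", threshold),
            m.on_event("e1", threshold, expired=True)]


if __name__ == "__main__":
    for step in demo():
        print(step)
```

With the sample numbers the first event lifts risk to 5/3 (below the threshold of 2, so no response), the second to 10/3 (Reduce), and the timeout of e1 brings it back to 5/3 (Relax). Enabling the auxiliary safeguard on `write:/uploads` afterwards lowers that threat's exposure from 1.0 to 0.65 and the total risk to about 2.17, which is what the selection step on slides 19 to 21 exploits.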

  16. RISK MODEL: Risk Reduction
     • Enable safeguards: $\epsilon(\sigma(P)) \subseteq \sigma(P)$
     • Find: $\epsilon(\sigma(P))$ such that $\mathcal{R}'' \le \mathcal{R}_0$
     • Reduced Vulnerability: $\mathcal{V}''(t) = \sum_{p \in \hat{P}(t) \cap (\sigma(P) \setminus \epsilon(\sigma(P)))} \dfrac{v(p)}{|\hat{P}(t)|} + \sum_{p \in \hat{P}(t) \cap (\pi(P) \cup \epsilon(\sigma(P)))} \dfrac{v(p)\, v'(p)}{|\hat{P}(t)|}$
     • Reduced Risk: $\mathcal{R}'' = \sum_{t \in T} \mathcal{T}(t) \cdot \mathcal{V}''(t) \cdot \mathcal{C}(t)$

  17. RISK MODEL: Cost and Complexity
     • Increase of Risk Reduction Cost: $\phi(\epsilon(\sigma(P))) = \sum_{p \in \epsilon(\sigma(P))} f(p)$
     • Problem: $\mathcal{R}'' \le \mathcal{R}_0$, $\min\, \phi(\epsilon(\sigma(P)))$
     • Choices of $\epsilon(\sigma(P))$: $O(2^{|P|})$
     • Equivalent: NP-Hard 0-1 Knapsack Problem ⇒ use greedy heuristic
     • Yields $\frac{1}{2}$-approximation of optimal choice

  18. RHEOSTAT: Response Heaps
     [Diagram: two heaps of safeguards. The Disabled Responses heap is keyed on the benefit-to-cost ratio (Risk Reduction over Frequency in Workload); "Activate response" moves its top safeguard to the Enabled Responses heap, which is keyed on the inverse (Frequency in Workload over Risk Reduction); "Deactivate response" (Risk Relaxation) moves a safeguard back.]

  19. RHEOSTAT: Pre-Processing
     • Step 1: $\forall p \in \sigma(P)$, calculate the Benefit-to-Cost ratio:
       $\beta(p) = \dfrac{v(p)\,\big(1 - v'(p)\big) \displaystyle\sum_{t \,:\, p \in \hat{P}(t) \cap \sigma(P)} \dfrac{\mathcal{T}(t)\, \mathcal{C}(t)}{|\hat{P}(t)|}}{f(p)}$

  20. RHEOSTAT: Safeguard Selection
     • Step 2: Set $\epsilon(\sigma(P)) = \emptyset$
     • Step 3: Choose $r = \arg\max_{p \in \sigma(P) \setminus \epsilon(\sigma(P))} \beta(p)$
     • Step 4: Add $r$ to $\epsilon(\sigma(P))$
     • Step 5: Recalculate Risk: $\mathcal{R}'' = \mathcal{R}_a - \sum_{p \in \epsilon(\sigma(P))} \beta(p)\, f(p)$

  21. RHEOSTAT: Response Completion
     • Step 6: $\mathcal{R}'' > \mathcal{R}_0 \Rightarrow$ Step 3; $\mathcal{R}'' \le \mathcal{R}_0 \Rightarrow$ utilize response $\epsilon(\sigma(P))$
     • Time Complexity: $O(|\epsilon(\sigma(P))|)$
     • Worst Case: $O(|P|)$
     • Response Initiation Time: $O(1)$
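The greedy safeguard selection of slides 16 to 21 and the relaxation heap of slide 18, worked in Python. This is an added illustration, not RheoStat's code. Its inputs are the per-threat quantities a risk model has already produced (T(t), C(t) and the set P̂(t)) plus per-permission v(p), v'(p) and cost f(p) taken as frequency in the workload; the permission strings, numbers and threshold R_0 are constructed and loosely follow the upload servlet of slide 22. `reduce_risk` and `relax_risk` are hypothetical names for the Reduce() and Relax() steps of slide 14.

```python
# Added example on constructed data; not RheoStat's implementation.
# Each THREATS entry is (name, T(t), C(t), Phat(t)) as the risk model computes them.
THREATS = [
    ("upload_flood", 0.5, 6, frozenset({"write:/uploads", "accept:tcp/8080"})),
    ("cred_theft", 0.5, 10, frozenset({"read:/etc/passwd", "read:/home"})),
]
V = {"write:/uploads": 1, "accept:tcp/8080": 1, "read:/etc/passwd": 1, "read:/home": 1}
V_DYN = {"write:/uploads": 0.3, "accept:tcp/8080": 0.9, "read:/etc/passwd": 0.1, "read:/home": 0.5}
F = {"write:/uploads": 2, "accept:tcp/8080": 50, "read:/etc/passwd": 1, "read:/home": 20}
STATIC = frozenset({"read:/etc/passwd"})   # pi(P): checks that always run
AUX = frozenset(V) - STATIC                # sigma(P): auxiliary safeguards


def managed_vulnerability(phat, guarded):
    """V'(t) of slide 13 / V''(t) of slide 16: exposure is v(p) v'(p) for a
    guarded permission and v(p) for one whose auxiliary safeguard is disabled."""
    return sum(V[p] * (V_DYN[p] if p in guarded else 1.0) for p in phat) / len(phat)


def managed_risk(threats, guarded):
    """R' / R'' = sum_t T(t) V(t) C(t) for the given set of guarded permissions."""
    return sum(T * managed_vulnerability(phat, guarded) * C for _, T, C, phat in threats)


def benefit_to_cost(p, threats):
    """Step 1 (slide 19): beta(p) = v(p)(1 - v'(p)) sum_{t : p in Phat(t)} T(t)C(t)/|Phat(t)| / f(p)."""
    gain = V[p] * (1.0 - V_DYN[p]) * sum(T * C / len(phat) for _, T, C, phat in threats if p in phat)
    return gain / F[p]


def reduce_risk(threats, enabled, threshold):
    """Steps 2-6 (slides 20-21): enable auxiliary safeguards in descending beta(p)
    until R'' <= R_0. Returns the safeguards enabled, in order, and R''. If the
    candidates run out first, every one of them is enabled and the returned R''
    is still above R_0; the caller has to check for that."""
    guarded = set(STATIC) | set(enabled)
    risk = managed_risk(threats, guarded)                   # R_a
    # Slide 18's disabled-responses heap: candidates ordered by benefit-to-cost.
    candidates = sorted(AUX - set(enabled), key=lambda p: benefit_to_cost(p, threats), reverse=True)
    chosen = []
    for p in candidates:
        if risk <= threshold:
            break
        chosen.append(p)
        guarded.add(p)
        # Step 5: R'' = R_a - sum beta(p) f(p); exact because V(t) is linear in exposures.
        risk -= benefit_to_cost(p, threats) * F[p]
    return chosen, round(risk, 6)


def relax_risk(threats, enabled, threshold):
    """Relax() of slide 14 via slide 18's enabled-responses heap: give back the
    safeguards with the least risk reduction per unit cost first, as long as
    the risk stays at or below R_0."""
    guarded = set(STATIC) | set(enabled)
    risk = managed_risk(threats, guarded)
    released = []
    for p in sorted(enabled, key=lambda p: benefit_to_cost(p, threats)):
        gain = benefit_to_cost(p, threats) * F[p]           # risk that comes back
        if risk + gain <= threshold:
            released.append(p)
            guarded.discard(p)
            risk += gain
    return released, round(risk, 6)


def demo_reduce(threshold=4.0):
    return reduce_risk(THREATS, enabled=set(), threshold=threshold)


def demo_relax(threshold=3.2):
    # The upload flood's likelihood has decayed (its signature events timed out).
    decayed = [("upload_flood", 0.1, 6, THREATS[0][3]), THREATS[1]]
    return relax_risk(decayed, enabled={"write:/uploads", "read:/home"}, threshold=threshold)


if __name__ == "__main__":
    print(demo_reduce())
    print(demo_relax())
```

Starting from R_a = 5.75, the ratios come out as 0.525 for the upload directory's write permission, 0.0625 for the home-directory read and 0.003 for the listener accept, so the write permission is guarded first (as on slide 22) and the home read second, bringing R'' to 3.45 under a threshold of 4.0; the expensive accept check is never enabled. When the flood's likelihood later decays, `relax_risk` releases the home read (the smaller ratio) and keeps the write guard because releasing it would push the risk back over the threshold. One caveat a practitioner should keep in mind: the 1/2 bound quoted on slide 17 is the textbook result for the maximisation form of 0-1 knapsack, and holds for the ratio-greedy rule only when its result is compared with the best single item, so always verify R'' after selection rather than trusting the bound.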

  22. RHEOSTAT: Example Intrusion Response
     • Servlet accepts uploads via HTTP POST
     • Limits total size of multiple parts ⇒ prevents denial of service (disk overflow)
     • No cumulative limit per source IP address ⇒ design error leaves the system vulnerable
     • Event 21 causes risk to rise over the threshold
     • RheoStat finds the permission with the best benefit-to-cost ratio to safeguard ⇒ chooses the upload directory's write permission
     • Enables predicate OperationalHours:
       – During working hours ⇒ grant permission, send alert
       – After hours ⇒ deny permission

  23. RHEOSTAT: Risk Driven Response
