Contribution of Quantitative Security Evaluation to Intrusion Detection
Yves Deswarte deswarte@laas.fr
RAID’96, 16-19 September 1998
Security Evaluation
Usual evaluation techniques:
- evaluation criteria (TCSEC, ITSEC, ...): ~ qualitative
- risk analysis (vulnerabilities, threats, consequences)
They are static analyses rather than dynamic: “How was the system designed?” rather than “How is it used?”
Quantitative evaluation objectives:
- trade-off security-usability
- monitor security evolution wrt. configuration changes
- identify the best possible improvements

Quantitative Evaluation Framework
- Identification of security objectives: security policy
- Modeling vulnerabilities
- Building the possible intrusion process
- Computation of significative measures

Vulnerability Modeling: privilege graph
1) Y’s .rhosts is writable by X
2) X can guess Y's password
3) X can modify Y’s .tcshrc
4) X is a member of Y
5) Y uses a program managed by X
6) X can modify a setuid program owned by Y
7) X is in Y's .rhosts
[Figure: example privilege graph with nodes insider, X, A, B, F, P and admin, connected by arcs labelled 1 to 7]
node = a privilege set
arc = a method to transfer privileges = vulnerability
path = set of vulnerabilities that can be exploited by a possible intruder to reach a target
weight assigned to each arc = assessment of the difficulty to exploit the vulnerability (time, expertise, equipment, collusion, ...)

Assumptions on the Intrusion Process
Intrusion Process = all the possible attack scenarios
Basic Assumptions:
- the intruder knows only the vulnerabilities exploitable with his privileges
- the intruder will not exploit vulnerabilities which would give him privileges he already owns
and either:
- Total Memory (TM): the intruder considers all the vulnerabilities he has not yet exploited
- MemoryLess (ML): the intruder only considers the vulnerabilities reachable from the newly acquired privileges

Example of Intrusion Process
[Figure: the privilege graph of the previous slide (nodes insider, X, A, B, F, P, admin; arcs 1 to 7), with the arcs followed from insider towards admin shown under the ML assumption and under the TM assumption]

Quantitative Measures
Identify attacker-target couples
For each couple, compute:
- METF-ML: mean effort to reach the target with assumption ML
- METF-TM: mean effort to reach the target with assumption TM
- Shortest Path: mean effort to run through the shortest path
- Number of Paths: number of paths from the attacker node to the target node

Experiment Objectives
Validate the approach:
- assess the measures’ pertinence wrt. security evolution
- study the feasibility of evaluating a “real system”
Was not an objective: improve the security, correct the vulnerabilities

Experiment Context
Distributed System: LAN, NFS, Unix
700 users - 200 computers
21 months (June 1995 - March 1997)
13 types of vulnerabilities (.rhosts, .*rc, passwords, etc.)
4 effort levels
Objectives:

Experiment Results - Example

Comparison with other Tools (I)
[Figure: number of vulnerabilities, and METF-ML and METF-TM]

Comparison with other Tools (II)
[Figure: vulnerability numbers in each class, and METF-ML and METF-TM]

Relationship with Intrusion Detection
Quantitative Evaluation -> Intrusion Detection:
- Privilege Graph model: to correlate user behavior with progression towards a target
- alarm rating according to the effort remaining to reach a target
Intrusion Detection -> Quantitative Evaluation:
- to tune vulnerability weight according to user profile (Trojan Horses)
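The following is an added example, not code from the slides or from the LAAS evaluation tool, that works the measures of the "Quantitative Measures" slide (Shortest Path, Number of Paths, METF-ML, METF-TM) and the "effort remaining to reach a target" alarm rating of this slide on a small privilege graph. The graph topology, the effort values on its arcs, the use of 1/effort as an exploitation rate with competing exponential transitions, the treatment of a dead end as infinite effort, and the alarm thresholds are all assumptions of this example; only the vulnerability types numbered in the arc comments come from the slides.

```python
"""Privilege-graph measures: shortest path, number of paths, METF under the
MemoryLess (ML) and Total Memory (TM) intruder assumptions, and an alarm
rating from the effort remaining to a target.  Added example: the graph and
all numbers below are constructed, not the experiment's data."""
import math
from fractions import Fraction
from functools import lru_cache

# Constructed privilege graph: (source privilege, target privilege, mean effort
# needed to exploit the vulnerability).  The numbers in the comments are the
# vulnerability types of the slide; topology and efforts are assumptions.
ARCS = [
    ("insider", "X",     1),     # 7) insider is in X's .rhosts
    ("insider", "A",     100),   # 2) insider can guess A's password
    ("X",       "A",     10),    # 1) A's .rhosts is writable by X
    ("X",       "admin", 1000),  # 6) X can modify a setuid program owned by admin
    ("A",       "admin", 100),   # 5) admin uses a program managed by A
]


def successors(graph):
    """Adjacency map: privilege -> list of (next privilege, effort)."""
    adj = {}
    for src, dst, effort in graph:
        adj.setdefault(src, []).append((dst, effort))
        adj.setdefault(dst, [])
    return adj


def simple_paths(graph, attacker, target):
    """Total effort of every simple path (no privilege twice) attacker -> target."""
    adj = successors(graph)
    totals = []

    def walk(node, visited, effort_so_far):
        if node == target:
            totals.append(effort_so_far)
            return
        for nxt, effort in adj[node]:
            if nxt not in visited:
                walk(nxt, visited | {nxt}, effort_so_far + effort)

    walk(attacker, {attacker}, 0)
    return totals


def number_of_paths(graph, attacker, target):
    return len(simple_paths(graph, attacker, target))


def shortest_path_effort(graph, attacker, target):
    """Minimum total effort over all paths, or None when the target is unreachable."""
    totals = simple_paths(graph, attacker, target)
    return min(totals) if totals else None


def metf(graph, attacker, target, assumption):
    """Mean effort to reach the target.  Modelling assumption of this example:
    a vulnerability of effort e is exploited at rate 1/e, so in a state with
    candidate rates r_i the intruder spends 1/sum(r_i) on average and then
    follows candidate i with probability r_i/sum(r_i).  TM candidates: arcs
    leaving any owned privilege; ML candidates: only arcs leaving the privilege
    acquired last.  Arcs into an already owned privilege are never taken."""
    adj = successors(graph)

    @lru_cache(maxsize=None)
    def mean(current, owned):
        if current == target:
            return Fraction(0)
        sources = owned if assumption == "TM" else (current,)
        cands = [(nxt, Fraction(1, e)) for src in sources
                 for nxt, e in adj[src] if nxt not in owned]
        if not cands:
            return math.inf  # dead end: the intruder is stuck (assumed infinite effort)
        total_rate = sum(rate for _, rate in cands)
        expected = 1 / total_rate  # mean effort spent in this state
        for nxt, rate in cands:
            expected += (rate / total_rate) * mean(nxt, owned | {nxt})
        return expected

    return float(mean(attacker, frozenset([attacker])))


def alarm_rating(graph, held, target):
    """Intrusion-detection use of the graph: the less effort remains between the
    privilege a user currently holds and the target, the more severe the alarm.
    Thresholds are assumed for the example."""
    remaining = shortest_path_effort(graph, held, target)
    if remaining is None:
        return None, "no path to target"
    label = "high" if remaining <= 100 else "medium" if remaining <= 500 else "low"
    return remaining, label


if __name__ == "__main__":
    for name, value in [
        ("Number of Paths", number_of_paths(ARCS, "insider", "admin")),
        ("Shortest Path", shortest_path_effort(ARCS, "insider", "admin")),
        ("METF-TM", metf(ARCS, "insider", "admin", "TM")),
        ("METF-ML", metf(ARCS, "insider", "admin", "ML")),
    ]:
        print(f"{name:16s} {value}")
    print("alarm if a user holds A:", alarm_rating(ARCS, "A", "admin"))
```

On this constructed graph there are three paths from insider to admin, the cheapest costs 111, and METF-TM (about 100.0) comes out below METF-ML (about 109.8) because an intruder who remembers every open option has more vulnerabilities to try in parallel at each step. The alarm rating shows the second direction of the slide: a user observed holding privilege A is one 100-effort step from admin and rates higher than one still at insider, even though both can reach the target.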