Research Progress Report


HSU, Chia-Yang (OPLab)

Agenda
- Problem Description
- Mathematical Formulation
OPLab 2018/10/13

Problem Description

Problem Description
Environment: a government or enterprise network with multiple servers providing services.
Roles:
- Defender: has complete information about the topology. There is a defense center from which the defender controls the whole network.
- Attacker: has only one-hop information.

Defender
- Nodes: general nodes and core nodes.
- Many VMs can be set up on a VMM-IDPS; each VM can be a general or a core node.
- General and core nodes can also exist outside a VMM-IDPS.
- The VMM-IDPS is integrated in the VMM.
(Figure legend: general node, core node, VMM-IDPS.)

Defender (Cont.)
- Different views of the topology: the physical topology (physical links, some invisible to the defender's view) and the defender's logical topology of logical nodes and logical links.
(Figure: physical topology vs. defender's view / logical topology; legend: physical link, virtual link, physical link (invisible), logical link, core node, general node, VMM-IDPS.)

Defender (Cont.)
Planning phase:
- Set up VMM-IDPS: decide how many VMM-IDPS to deploy and their positions, how many VMs each VMM-IDPS supports, and the level of each VMM-IDPS.
- Decide the positions of core nodes.
- Link settings: connect physical links; set the virtual links of each VM and decide their capacity; decide the capacity of physical links.
- Set up cloud security agents on logical nodes.
- Add general defenses (firewall, antivirus, ...) to logical nodes.

Defender (Cont.)
Defending phase:
- Signature generation: triggered when VMs get attacked. Needs time for generation and distribution. All VMMs and VMs become immune to the attack method once the signature is updated. A false positive or wrong signature decreases the capacity of all virtual links by a certain ratio!
- Local VMM-IDPS protection: increases the defense effect of the VMs on the same VMM, including the VMM itself, at the cost of decreasing the virtual link capacity by a certain ratio.

Defender (Cont.)
Defending phase:
- Cloud security service: triggered when any logical node gets attacked. Only logical nodes equipped with a cloud security agent can request it. The agent forwards suspicious traffic to a SaaS cloud security provider and clean traffic comes back. Different levels of security inspection are charged differently. A false positive decreases link capacity by a certain ratio.

Defender (Cont.)
Defending phase:
- Dynamic topology reconfiguration: triggered when any logical node gets attacked. Subject to core node loading, link capacity and user satisfaction constraints. Removes or reconnects some links to make core nodes more secure.

Attacker
- Capability: follows a general distribution; a description of each attacker. Associated with training cost and the probability of seeing through the VM environment; may affect the false negative rate of the VMM-IDPS.
- Risk tolerance: a description of each attacker. Together with the remaining budget it affects the target selection strategy (i.e. whether to attack the VMM), the criteria for changing method and choosing the next hop, and the preferred success probability of compromising a node.
- Proficiency: each attacking method has its own proficiency, which affects the effectiveness of attack costs.

Attacker (Cont.)
Strategies:
- Is more budget better spent in the preparing phase or in the attacking phase?
- How many tools is it better to hold? To what proficiency level should each tool be trained?
- Next hop selection criteria before and after an attack: are all neighbors the candidate targets, or is looking deeper better? Attack the VMM or not when one is discovered? Switch to another method? Repeat the attack on the same node?
- Risk tolerance after discovering the existence of a VMM-IDPS: what value should the preferred attack success probability be set to? Change the value during the attack or keep it the same? Associated with the budget left and the attacker's risk tolerance.

Contest success function (Cont.)
- The attacker decides a value of T that makes the resulting value greater than a certain threshold, according to risk tolerance and budget left.
- A function transforms attack cost T into attack effectiveness, depending on the proficiency of each method and the tool quality.
- A further function gives the defense effectiveness of defense resource t.

Scenario
(Walkthrough slides; each shows the defender's view on the left and the attackers' view on the right. Legend: core node, general node, VMM-IDPS, VM, defense center, attackers.)
1. Defender's view vs. attackers' view.
2. Physical links.
3. Logical topology.
4. Attackers can see only one hop away.
5. Attackers select a target to attack. Defender: intrusion detected, generate signature.
6. Defender: local defense on; it makes the other VMs and the VMM itself more secure.
7. Attackers compromise the target successfully. Defender: reset links to make core nodes more secure.
8. Attackers: no new links found. Defender: signature generation needs a long time.
9. Attackers select another target using the same attack method, but need more effort due to local defense. Defender: no need for another signature.
10. Attackers compromise the target successfully and discover the existence of a VMM. Defender: reset links to make core nodes more secure.
11. Attackers decide to attack the VMM; it needs more effort than normal nodes, and local defense must also be considered.
12. Attackers compromise the VMM and find it is an IDPS; they now see all virtual and physical links. Defender: reset links to make core nodes more secure.
13. Defender: signature updated! Attackers decide to use the same attack method on another node.
14. Attackers compromise the target. Defender: VMs are now immune to the attack method, so it is safe to relink.
15. Attackers keep on attacking.
16. Final state.

Mathematical Formulation

Assumptions
- The defender has complete information about the network: topology, defense resource allocation and node attributes.
- There is a defense center from which the defender controls the whole network: setting nodes and links and deciding defense strategies.
- Attackers have incomplete information about the network: only one-hop information.

Given parameters
Notation | Description
N | The index set of all physical nodes
O | The index set of all physical nodes equipped with VMM-IDPS
V | The index set of all virtual machine nodes
G | The index set of all logical nodes
C | The index set of all logical nodes equipped with a cloud security agent
X_i | The virtual link index set of virtual machine node i, where i∈V
K | The physical link index set
M | The index set of all VMM-IDPS levels
OPLab@IM, NTU 2018/10/13

Given parameters (Cont.)
Notation | Description
E | All possible defense configurations, including defense resource allocation and defending strategies
B | The defender's total budget
S | The index set of all kinds of services
Z | All possible attacker categories, including attacker attributes, corresponding strategies and transition rules
 | An attack configuration, comprising the attacker's detailed information, possible strategies and transition rules, where i∈S, 1≤ j ≤ F_i
 | The total number of attacks on the ith service over all attackers, where i∈S
 | 1 if the attacker achieves his goal successfully, and 0 otherwise, where i∈S, 1≤ j ≤

Given parameters (Cont.)
Notation | Description
h(m_i) | The number of VMs supported by a VMM-IDPS of level m_i, where i∈N and m_i∈M
v(m_i, l_i) | The cost of virtualization (run-time cost) on node i with a VMM-IDPS of level m_i and l_i virtual machines, where i∈N and 0 ≤ l_i ≤ h(m_i)
g(q_i) | The cost of constructing physical link i with capacity q_i, where i∈K
e | The cost of setting up a cloud security agent on one node

Decision variables
Notation | Description
 | The configuration regarding resource allocation and defending, where i∈S
u_i | 1 if node i is virtualized and equipped with a VMM-IDPS, 0 otherwise, where i∈N
m_i | The level of the VMM-IDPS equipped on node i, where i∈N and m_i∈M
l_i | The number of virtual machines implemented on virtualized node i, where i∈N

Decision variables (Cont.)
Notation | Description
p_ijk | 1 if the jth virtual link of virtual machine node i passes through physical link k, 0 otherwise, where i∈V, j∈X_i, k∈K
q_i | The capacity of physical link i, where i∈K
r_ij | The capacity of the jth virtual link of virtual machine node i, where i∈V, j∈X_i
c_i | 1 if logical node i is equipped with a cloud security agent, 0 otherwise, where i∈G
n_i | The general defense resources allocated on node i, where i∈G

Objective function (IP 1)

Constraints
- Supported virtual machine numbers constraint
- Virtual link capacity constraint
(IP 1.1) (IP 1.2) (IP 1.3) (IP 1.4)

Constraints
- Defender's budget constraints
(IP 1.5) (IP 1.6) (IP 1.7) (IP 1.8)

Constraints
- QoS constraint: QoS is a function of link utilization, core node loading, hops to the core node and the served-users ratio. At the end of the attack the following constraint must be satisfied: the defender has to guarantee that at least one core node is not compromised at any time.
- Budget constraint: the budget must be considered when all defense strategies are used.
(IP 1.10) (IP 1.11) (IP 1.12)

Constraints
- Dynamic topology reconfiguration constraint: topology reconfiguration shifts traffic, so link capacity, core node loading and hops to the core node must be considered.
- Local defense constraint: only nodes with a VMM-IDPS have the local defense function. The capacity of all virtual links of the VMs on that VMM-IDPS decreases by a certain ratio.
- Signature request constraint: only nodes with a VMM-IDPS can request signature generation. A false positive or wrong signature decreases the capacity of all virtual links by a certain ratio.
- Cloud security constraint: only nodes with a cloud security agent have the cloud security function. Forwarding traffic to the cloud security provider for inspection decreases the capacity of the links connected to the node when a false positive occurs.
(IP 1.13) (IP 1.14) (IP 1.15) (IP 1.16) (IP 1.17) (IP 1.18) (IP 1.19)

Constraints
(IP 1.20) (IP 1.21) (IP 1.22)
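As an added example (not from the slides): a small Python check of one planning-phase configuration against the VM-number, virtual-link capacity and budget constraints in the notation above, plus the defending-phase capacity penalty of local defense or a wrong signature. The Plan class, the cost functions h, v, g, e and every number are constructed assumptions, since the slides define the symbols but not their values.

```python
from dataclasses import dataclass, replace

# Constructed value tables: the slides define h(m), v(m, l), g(q), e and B
# but give no numbers, so these values are assumptions for the example.
H = {1: 2, 2: 4, 3: 8}                 # h(m): VMs supported by VMM-IDPS level m
def v(m, l): return 10 * m + 3 * l     # v(m, l): virtualization (run-time) cost
def g(q): return 2 * q                 # g(q): cost of a physical link of capacity q
E_AGENT = 5                            # e: cost of one cloud security agent

@dataclass
class Plan:
    u: dict  # u_i: 1 if node i is virtualized with a VMM-IDPS
    m: dict  # m_i: VMM-IDPS level of node i
    l: dict  # l_i: number of VMs on node i
    q: dict  # q_k: capacity of physical link k
    r: dict  # r[(i, j)]: capacity of the j-th virtual link of VM node i
    p: dict  # p[(i, j)]: physical links k with p_ijk = 1 (the virtual link's path)
    c: dict  # c_i: 1 if logical node i has a cloud security agent

def total_cost(plan):
    cost = sum(v(plan.m[i], plan.l[i]) for i, ui in plan.u.items() if ui)
    cost += sum(g(qk) for qk in plan.q.values())
    return cost + E_AGENT * sum(plan.c.values())

def violations(plan, budget):
    bad = []
    for i, ui in plan.u.items():             # VM-number constraint: l_i <= h(m_i)
        if ui and plan.l[i] > H[plan.m[i]]:
            bad.append(f"node {i}: {plan.l[i]} VMs > h({plan.m[i]})={H[plan.m[i]]}")
    load = dict.fromkeys(plan.q, 0)          # virtual-link capacity constraint:
    for key, path in plan.p.items():         # virtual links routed over k must fit in q_k
        for k in path:
            load[k] += plan.r[key]
    for k, used in load.items():
        if used > plan.q[k]:
            bad.append(f"link {k}: virtual load {used} > q={plan.q[k]}")
    if total_cost(plan) > budget:            # budget constraint: total spending <= B
        bad.append(f"budget: {total_cost(plan)} > B={budget}")
    return bad

def with_penalty(plan, vm_nodes, ratio):
    """Defending-phase effect: the virtual links of the given VM nodes lose `ratio`
    of their capacity (local defense: the VMs on one VMM-IDPS; wrong signature: all VMs)."""
    r = {key: cap * (1 - ratio) if key[0] in vm_nodes else cap
         for key, cap in plan.r.items()}
    return replace(plan, r=r)

# Constructed sample plan: node A hosts vm1..vm3 at level 2, node B is not virtualized.
SAMPLE = Plan(
    u={"A": 1, "B": 0}, m={"A": 2, "B": 0}, l={"A": 3, "B": 0},
    q={"k1": 20, "k2": 10},
    r={("vm1", 1): 8, ("vm2", 1): 8, ("vm3", 1): 6},
    p={("vm1", 1): ["k1"], ("vm2", 1): ["k1", "k2"], ("vm3", 1): ["k2"]},
    c={"vm1": 1, "vm2": 0, "vm3": 1, "B": 0},
)

if __name__ == "__main__":
    print(violations(SAMPLE, 120))                               # link k2 overloaded (14 > 10)
    print(violations(with_penalty(SAMPLE, {"vm2"}, 0.5), 120))   # [] once vm2's link is halved
```

The second call shows the side effect the slides describe: the capacity penalty that local defense imposes on vm2 is what brings physical link k2 back within its capacity.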

Thanks for listening! Q & A
