Use of Simulation for Cyber Security Risk and Consequence Assessment

Slides:



Advertisements
Similar presentations
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering 2.
Advertisements

Elevator Scheduling Ingrid Cheh Xuxu Liu 05/05/09.
OPSM 639, C. Akkan1 Defining Risk Risk is –the undesirable events, their chances of occurring and their consequences. Some risk can be identified before.
Sensitivity and Scenario Analysis
A Game-theoretic Approach to the Design of Self-Protection and Self-Healing Mechanisms in Autonomic Computing Systems Birendra Mishra Anderson School of.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Project Risk Management
Simulation.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.
Design of an Intrusion Response System using Evolutionary Computation Rohit Parti.
Lecture 10 Comparison and Evaluation of Alternative System Designs.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.
IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.
IIT Indore © Neminah Hubballi
1 Oppliger: Ch. 15 Risk Management. 2 Outline Introduction Formal risk analysis Alternative risk analysis approaches/technologies –Security scanning –Intrusion.
HoneyD (Part 2) Small Business NIDS This presentation demonstrates the ability for Small Businesses to emulate virtual operating systems and conduct.
Computer Security: Principles and Practice
Intrusion Detection Prepared by: Mohammed Hussein Supervised by: Dr. Lo’ai Tawalbeh NYIT- winter 2007.
 Two types of malware propagating through social networks, Cross Site Scripting (XSS) and Koobface worm.  How these two types of malware are propagated.
Web Security for Network and System Administrators1 Chapter 2 Security Processes.
Managing Data Against Insider Threats Dr. John D. Johnson, CISSP.
© 2010 Verizon. All Rights Reserved. PTE / DBIR.
Session 9 & 10. Definition of risk assessment and pre condition for risk assessment Establishment of clear, consistent agency objectives. Risk assessment.
SNORT Biopsy: A Forensic Analysis on Intrusion Detection System By Asif Syed Chowdhury.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
1 Figure 10-4: Intrusion Detection Systems (IDSs) IDSs  Event logging in log files  Analysis of log file data  Alarms Too many false positives (false.
Lesson 19-E-Commerce Security Needs. Overview Understand e-commerce services. Understand the importance of availability. Implement client-side security.
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. State of Network Security.
1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff C. Zou Assistant professor School of Computer Science University of Central.
Network Security Terms. Perimeter is the fortified boundary of the network that might include the following aspects: 1.Border routers 2.Firewalls 3.IDSs.
COST BENEFITS OF IMPLEMENTING CREDIT CARD DATABASE TOKENIZATION USING FAIR CASE STUDY SHARED COURTESY OF RISKLENS CONFIDENTIAL - FAIR INSTITUTE
Risk-Aware Mitigation for MANET Routing Attacks Submitted by Sk. Khajavali.
Enterprise Mobility Suite: Simplify security, stay productive Protect data and empower workers Unsecured company data can cost millions in lost research,
Using Honeypots to Improve Network Security Dr. Saleh Ibrahim Almotairi Research and Development Centre National Information Centre - Ministry of Interior.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
Tripwire Threat Intelligence Integrations. 2 Threat Landscape by the Numbers Over 390K malicious programs are found every day AV-Test.org On day 0, only.
Securing Information Systems
Supplementary Chapter B Optimization Models with Uncertainty
Brian Thompson1,2, James Morris-King1,2, and Hasan Cam1
Internet Quarantine: Requirements for Containing Self-Propagating Code
Security+ Simulations
On-line Detection of Real Time Multimedia Traffic
HOW MUCH RISK IS ASSOCIATED WITH IT HYGIENE USING FAIR?
Figure 3: TSN Analysis Methodology
Cima P2 Advanced Management Accounting.
COST BENEFIT ANALYSIS OF IMPROVED PATCHING WINDOW USING FAIR
Beyond Intrusion Prevention and Detection – Intrusion Tolerance
Security Engineering.
Modeling and Simulation CS 313
Securing Information Systems
Today’s Risk. Today’s Solutions. Cyber security and
Information Security: Risk Management or Business Enablement?
Monte Carlo Simulation Managing uncertainty in complex environments.
Intrusion Detection & Prevention
11/17/2018 9:32 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
We want to hear from you! chime16.org/evals
Four Generations of Security Devices Putting IDS in Context
DECISION MODELING WITH Prentice Hall Publishers and
Floods and Flood Routing
Protect Your Ecommerce Site From Hacking and Fraud
Identifying Slow HTTP DoS/DDoS Attacks against Web Servers DEPARTMENT ANDDepartment of Computer Science & Information SPECIALIZATIONTechnology, University.
Information Protection
DATA BREACHES 6 4 , 9 3 There were…
Dong Xuan*, Sriram Chellappan*, Xun Wang* and Shengquan Wang+
Information Protection
AIR-T11 What We’ve Learned Building a Cyber Security Operation Center: du Case Study Tamer El Refaey Senior Director, Security Monitoring and Operations.
Presentation transcript:

Use of Simulation for Cyber Security Risk and Consequence Assessment 15 – Simulation and System Design SCIT and IDS Architectures for Reduced Data Ex-filtration

Simple Architectural View IDS VM SCIT

The Problem Verizon Business Data Breaches Investigation Report Hard to detect customized malware The average Intruder Residence Time (time between system compromise and breach containment) was more than 28 days. On average, 675 records were compromised per day. Network Solutions; Wyndham Hotels. 50% of all vulnerabilities in web apps. Half of disclosed vulnerabilities had no fixes. It has become clear that intruders were in the system for long periods. Not only did the IDS/IPS fail to prevent the intrusion, these systems were not able to detect the presence of the intruder. Any strategy that will reduce the duration of the breach would lead to better protection of data files. Thus, we focus on the estimated records ex-filtrated because of malicious activity.

SCIT / IDS Architectures Compare the performances of 4 SCIT/IDS architectures with regard to the amount of data ex-filtrated: Standalone Network Intrusion Detection System (NIDS) Standalone SCIT NIDS + Host Intrusion Detection System (HIDS) NIDS + SCIT

Methodology to calculate data ex-filtration costs Decision trees are used to represent functionality of each of the security architectures. The probabilities in the decision trees help characterize their security properties. These decision trees with probability values are incorporated into Gnumeric - an open-source spreadsheet software suitable for Monte Carlo simulation. The decision trees take incoming traffic (in terms of queries) as input and divide the traffic into 4 categories: Confirmed Intrusion (CI), No-intrusions (NI), False Alarms (FA) and Missed Intrusions (MI). Confirmed Intrusion and Missed Intrusion cases have associated Intruder Residence Times (IRT) which is used to model data ex-filtration costs.

Assumptions made to calculate data ex-filtration costs In malicious data ex-filtration process, records are stolen at a uniform rate. No records are stolen if the IDS correctly identifies an intrusion (confirmed intrusion). There is a constant cost associated with: Performing Intrusion Detection on a single query (incoming traffic) --- C(I) . SCIT processing of a query (incoming traffic) --- C(T) . Responding to one intrusion alarm --- C(R) . Our objective is to characterize the effectiveness of the security architecture in terms of least data ex filtrated and so we ignore the constant costs. However, there is provision in the decision trees to include these costs if need be.

Scenario 1: NIDS

Scenario 2: SCIT In SCIT, all potential attacks are successful since there are no IDS / IPS to check for them. The incoming traffic is classified as either being a successful attack or not. However, this is not done by the system since SCIT treats all incoming traffic in the same manner.

This is a SERIAL NIDS-HIDS setup. Scenario 3: NIDS + HIDS This is a SERIAL NIDS-HIDS setup.

Scenario 4: NIDS + SCIT Intruder Residence Time (IRT) is unbounded in NIDS. On adding SCIT, IRT is no longer unbounded. It is now bounded by SCIT’s “Exposure-Time” metric.

Monte-Carlo Simulation Assumption: Out of the 50,000 incoming queries – 500 are potential attacks . Probability values chosen for the simulation: The values of (q1...q2) and (p1...p13) are the same for NIDS and NIDS+SCIT. These values are presented in NIDS decision tree within parenthesis next to respective variables. In the case of SCIT, probability values are presented in SCIT decision tree. In case of NIDS + HIDS, the probability values are given below – variables followed by their value: q1 (0.35) | q2, q5 (0.1) | q3, p7 (0.01) p8, p9 (0.95) | p18, q4, q6, p23 (0.001) | p33 (0.9999) p1 (0.021) | p2,p6,p22,p19 (0.05) | p5,p21 (0.3) p4,p12,p14,p20,p28,p30 (0.8) | p16,p32 (0.7) p17,p3,p10,p11,p13,p15,p24,p25,p26,p27,p29,p31 (0.9)

Parameters used in the simulation Monte-Carlo Simulation Simulation Metrics Value (units) Number of queries used 50,000 Query inter arrival time 10 ms to 18 ms (uniformly distributed) Intruder Residence Time (IRT) 0 minutes to 2 months Mean IRT (modeled as Pareto distribution) against respective probabilities of occurrence. 48 hours Exposure Time of SCIT (ET) Case 1: 4 Hours Case 2: 4 minutes Mean number of records stolen per day 675 records / breach Mean number of records stolen per hour 28 records / breach Parameters used in the simulation

Monte-Carlo Simulation Case Total damage (records) No. of breaches Mean Damage (records/breach) NIDS 245,962 (100%) 192 1,281 SCIT: ET 4hrs SCIT: ET 4mins 55,364 (23%) 1,015 (0.4%) 508 109 2 NIDS + HIDS 210,578 (86%) 164 1,284 NIDS + SCIT (ET 4 hrs) (ET 4 mins) 20,931 (9%) 383 (0.16%) 191 110 Results of the simulation The potential for damage is high for stand-alone NIDS and NIDS + HIDS alternatives. The records ex-filtrated are about the same for both scenarios. If SCIT is deployed then the ex-filtration losses are significantly reduced. The loss rate is dramatically impacted by the exposure time chosen.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.