A Game-theoretic Approach to the Design of Self-Protection and Self-Healing Mechanisms in Autonomic Computing Systems Birendra Mishra Anderson School of.

Slides:

Advertisements

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Advertisements

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Enhancing Security Using Mobile Based Anomaly Detection in Cellular Mobile Networks Bo Sun, Fei Yu, KuiWu, Yang Xiao, and Victor C. M. Leung. Presented.

Welcome to DEAS 2005 Design and Evolution of Autonomic Application Software David Garlan, CMU Marin Litoiu, IBM CAS Hausi A. Müller, UVic John Mylopoulos,

Autonomic Systems Justin Moles, Winter 2006 Security in an Autonomic Computing Environment Paper by: D. M. Chess, C. C. Palmer S. R. White Presentation.

Fabián E. Bustamante, Winter 2006 Autonomic Computing The vision of autonomic computing, J. Kephart and D. Chess, IEEE Computer, Jan Also - A.G.

1 A Game Theoretic Approach for Active Defense Peng Liu Lab. for Info. and Sys. Security University of Maryland, Baltimore County Baltimore, MD OASIS,

Access Control Chapter 3 Part 5 Pages 248 to 252.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

IDS/IPS Definition and Classification

Presented by Justin Bode CS 450 – Computer Security February 17, 2010.

Intrusion Detection Systems and Practices

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

1 A Queuing Formulation of Intrusion Detection with Active and Passive Responses Wei T. Yue, Metin Cakanyildirim, Young U. Ryu Department of Information.

1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Copyright 2002, Center for Secure Information Systems 1 Panel: Role of Data Mining in Cyber Threat Analysis Professor Sushil Jajodia Center for Secure.

Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.

STATE OF THE PRACTICE OF INTRUSION DETECTION TECHNOLOGIES Presented by Hap Huynh Based on content by SEI.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Design of an Intrusion Response System using Evolutionary Computation Rohit Parti.

Intrusion Detection CS-480b Dick Steflik. Hacking Attempts IP Address Scans scan the range of addresses looking for hosts (ping scan) Port Scans scan.

Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,

seminar on Intrusion detection system

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.

Lecture 11 Intrusion Detection (cont)

Department Of Computer Engineering

Intrusion Detection System Marmagna Desai [ 520 Presentation]

Scientific Computing Department Faculty of Computer and Information Sciences Ain Shams University Supervised By: Mohammad F. Tolba Mohammad S. Abdel-Wahab.

Intrusion and Anomaly Detection in Network Traffic Streams: Checking and Machine Learning Approaches ONR MURI area: High Confidence Real-Time Misuse and.

1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.

©2003–2008 Check Point Software Technologies Ltd. All rights reserved. CheckPoint new security architecture and R70 highlights.

Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.

Intrusion Detection Jie Lin. Outline Introduction A Frame for Intrusion Detection System Intrusion Detection Techniques Ideas for Improving Intrusion.

Intrusion Detection Adam Ashenfelter Nicholas J. Tyrrell.

Network Intrusion Detection Using Random Forests Jiong Zhang Mohammad Zulkernine School of Computing Queen's University Kingston, Ontario, Canada.

IIT Indore © Neminah Hubballi

WELCOME. AUTONOMIC COMPUTING PRESENTED BY: NIKHIL P S7 IT ROLL NO: 33.

23-aug-05Intrusion detection system1. 23-aug-05Intrusion detection system2 Overview of intrusion detection system What is intrusion? What is intrusion.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

HIPS Host-Based Intrusion Prevention System By Ali Adlavaran & Mahdi Mohamad Pour (M.A. Team) Life’s Live in Code Life.

Kittiphan Techakittiroj (25/10/58 12:06 น. 25/10/58 12:06 น. 25/10/58 12:06 น.) Intrusion Detection System Kittiphan Techakittiroj

Cryptography and Network Security (CS435) Part One (Introduction)

1 Intrusion Detection Methods “Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking.

Knowing What You Missed Forensic Techniques for Investigating Network Traffic.

7.5 Intrusion Detection Systems Network Security / G.Steffen1.

THE VISION OF AUTONOMIC COMPUTING. WHAT IS AUTONOMIC COMPUTING ? “ Autonomic Computing refers to computing infrastructure that adapts (automatically)

Intrusion Detection System (IDS) Basics LTJG Lemuel S. Lawrence Presentation for IS Sept 2004.

A Systematic Survey of Self-Protecting Software Systems

Cryptography and Network Security Sixth Edition by William Stallings.

Artificial Intelligence Center,

1 Intrusion Detection “Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking resources.”

CS526: Information Security Chris Clifton November 25, 2003 Intrusion Detection.

Data Security in Local Network Using Distributed Firewall Presented By- Rahul N.Bais Guide Prof. Vinod Nayyar H.O.D Prof.Anup Gade.

A Blackboard-Based Learning Intrusion Detection System: A New Approach

Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas Lazos 1 1 Department of Electrical and Computer Engineering.

Using Honeypots to Improve Network Security Dr. Saleh Ibrahim Almotairi Research and Development Centre National Information Centre - Ministry of Interior.

Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.

Some Great Open Source Intrusion Detection Systems (IDSs)

Security Methods and Practice CET4884

Application Intrusion Detection

IDS/IPS Intrusion Detection System/ Intrusion Prevention System.

Security Methods and Practice CET4884

Intrusion Detection & Prevention

Intrusion Detection system

Intrusion Detection.

Self-Managed Systems: an Architectural Challenge

Presentation transcript:

A Game-theoretic Approach to the Design of Self-Protection and Self-Healing Mechanisms in Autonomic Computing Systems Birendra Mishra Anderson School of Management, U C Riverside T. S. Raghu W. P. Carey School of Business, Arizona State University

Overview Background Research Objective Approach Model Results Extensions

Threats to Information Security Are Increasing Source:CERT Report

Background Two Orientations –Technical aspects of IDS –Business aspects of IDS Technical aspects –Network IDS Scan patterns: known attacks and abnormal traffic –Host based IDS Anomaly: based on normal behavior, Misuse: signature based

Business orientation Value of IDS –Low detection rates –High false alarm rates Base rate fallacy (Axellson 2000) –Low hacker to user population Focus on preventive controls –Firewalls, access controls

Human Intervention IDS profile –Technology, design parameters, configuration (Lippmann 2000) Receiver Operating Characteristics (ROC) curve (Trees 2001) –Detection and false alarm probabilities

Good

Case for autonomic computing Manual investigation is expensive High false alarm rates not going away High volume attack/traffic can overwhelm human resources Move to automated detection, response and healing is beneficial

Research objective High level systems objectives drive self- protection and self-healing properties Self-configuration is inherent in autonomic computing concept Allocation of computing resources to detect and counter attacks How do we best model intrusion game to optimally determine broad system level objectives? –Can autonomic systems automatically reconfigure in response to change in hacker patterns?

Approach Game theoretic approach Inspection games –Applied in piracy control, auditing, arms control Focus on detection and verification Stylistic model of intrusion detection and verification

Approach Three models Case 1: Manual intervention (base case) Case 2: Computational effort allocation on investigating alarms Case 3: Dynamic configuration of IDS to impact detection and false alarm probabilities

Assumption Exponential distribution Yields the relation Other distributions can be used, implicit relation between detection and false alarm probabilities through t is needed.

Model (Case 2) Threshold parameter fixed exogenously Hacker maximizes his expected utility Similarly the autonomic agent maximizes

Case 2 Consider D=d*E

Results (Case 2): Damages incurred Damage potential (d max ) increases damages incurred Detection penalty (β) decreases damages caused to the system –Deterrence improves IDS performance Increase in threshold parameter (t) and distribution parameter for hacking (θ) increases damages incurred

Results For a given IDS quality profile and damage potential –Low enforcement penalty possibility on hackers leads to higher threshold level for detection (low detection and low false alarms) –Higher enforcement penalty possibility on hackers leads to lower threshold level for detection (high detection and high false alarms)

Computational Effort Allocation of computational effort to detect and heal intrusions –Reduces with reduced convexity of cost function (parameter α) Increased cost of false alarm detection (or true alarm detection) decrease overall computational effort allocation to detection efforts Allocation of effort reduces with reduced damage potential

Implications Autonomic systems can adapt to different environmental and system conditions by varying the computational resources dedicated to self-healing and self-protection efforts Damages incurred by systems still depend on deterrence impact of detection efforts

Results (Case 3) t

Continuous adaptation Self-tuning or self-configuration –Adapt to changing event conditions through a gaming framework Optimization with respect to both computational effort allocation and threshold parameter Analytical solution not tractable Numerical solutions, however, are possible

Further work Numerical experiments currently underway How do we set effective policies to detect changes in the system environment to affect threshold changes? What are the implications of threshold parameter changes in an adaptive system? Can parameters used to specify threshold be domain independent?