Research Direction Introduction Advisor: Professor Frank, Y.S. Lin Presented by Chi-Hsiang Chan 2011/10/111
Agenda Introduction Collaborative Attack Virtualization Problem description Scenario 2011/10/112
Agenda Introduction Collaborative Attack Virtualization Problem description Scenario 2011/10/113
Collaborative Attack Collaborative attacks are characterized by the prevalence of coordination before and during attacks. [1] Collaborative attacks in general would involve multiple human attackers or criminal organizations that have respective adversarial expertise but may not fully trust each other. Collaborative attacks are more powerful than the sum of the underlying individual attacks that can be launched by the individual attackers independently. 2011/10/114
Collaborative Attack 2011/10/115
Collaborative Attack Time-aspect of Collaborative Attack C&C Off-line coordination During the attack, there are no communications between the attackers, nor communications between the commander and attackers. On-line coordination The commander and attackers may have communications and adjustments during a attack. Real-time coordination In this case, both attackers and commanders are always updated with the current global system state information. Powerful: off-line < on-line < real-time 2011/10/116
Collaborative Attack Space-aspect of Collaborative Attack C&C Centralized C&C A single attacker that is coordinating the collaborative attacks. Distributed C&C There are multiple attackers for commanding the adversarial computers to launch attacks. May be a hierarchical structure inside. Peer-to-peer C&C The multiple attackers play equal roles. Sophisticated: centralized < distributed < peer-to-peer 2011/10/117
Collaborative Attack Effect of Collaborative Attacks Spatially collaborative attacks The set of adversarial compeers, which are located in different geographic or network places, ate coordinated to launch attacks against a target at the same time. Temporally collaborative attacks The attack may proceed in a well orchestrated fashion. Each step of the attack process may be launch by different attackers, which may reside at different geographic or network places. Hybrid collaborative attacks 2011/10/118
Collaborative Attack Information Exchange during Collaborative Attacks One-way Information may only e sent from on participant to another, but not other direction. May decrease the chance that attackers are detected. Two-way This case allow the sharing of situational awareness, which may be needed in order to launch sophisticated attacks. 2011/10/119
Collaborative Attack Privacy Aspect of Collaborative Attacks Exploiting anonymous channels Enforcing content privacy Exploiting anonymous channels and enforcing content privacy 2011/10/1110
Collaborative Attack Advantages of Collaborative Attack [2] Coordinated attacks could be designed to avoid detection. It is difficult to differentiate between decoy and actual attacks. There is a large variety of coordinated attacks. 2011/10/1111
Virtualization Definition Virtualization refers to technologies designed to provide a layer of abstraction between computer hardware systems and the software running on them.[3] Source: vmware 2011/10/1112
Virtualization Benefit cost down efficiency scalability easy to have multiple operating system environment increase the space utilization efficiency in your data center by server consolidation Virtualization is the key to cloud computing 2011/10/1113
IDS an Intrusion detection system (IDS) is a security system that monitors computer systems and network traffic and analyzes that traffic for possible hostile attacks originating from outside the organization and also for system misuse or attacks originating from inside the organization.[4] Do more protect than firewall which filter incoming traffic from the Internet. 2011/10/1114
IDS Two types of IDS Host IDS(HIDS) Network IDS(NIDS) The trade-off is evident when comparing HIDS and NIDS NIDS offers high attack resistance at the cost of visibility. HIDS offers high visibility but sacrifice attack resistance. 2011/10/1115
Agenda Introduction Collaborative Attack Virtualization Problem description Scenario 2011/10/1116
Problem Description 2011/10/1117
Attacker View Commander Attackers Initial location Budget Capability Objective Steal confidential information Service disruption 2011/10/1118
Defender View Special Defense Resource Cost budget VM IDS (Signature) [5] Cloud security service Costless(Decrease QoS) VM local defense Dynamic topology reconfiguration [6] 2011/10/1119
Per Hop Decision Period decision Early stage Late stage Strategy decision by criteria compromise → risk avoidance pretend to attack → risk tolerance No. of Attackers Choose ideal attackers Aggressiveness Attack Energy Budget Capability 2011/10/1120
Time Issue Attackers Compromise time Recovery time Defender Signature generate Reconfiguration impact QoS 2011/10/1121
Synergy Pros Decrease Budget cost of each attacker Less recovery time Less compromise time Cons Probability of detected 2011/10/1122
Early Period, Risk Avoidance Purpose Try to compromise nodes as fast as they can Keep the stronger attackers for compromise core nodes 2011/10/1123
Agenda Introduction Collaborative Attack Virtualization Problem description Scenario 2011/10/1124
Scenario General nodeCore nodeCloud security agent VMM environment Third party’s defense center Cloud security provider 2011/10/1125
Scenario A B C D E F G H I J 2011/10/1126
Early Stage Attack Strategy A B C D E F G H I J 2011/10/1127
Local Defense A B C D E F G H I J 2011/10/1128
IPDS request signature A B C D E F G H I J Signature generating… 2011/10/1129
Late Stage Attack Strategy Signature generating… A B C D E F G H I J 2011/10/1130
Attack VMM Signature generating… A B C D E F G H I J 2011/10/1131
Risk Level 、 Reconfiguration Signature generating… A B C D E F G H I J 2011/10/1132
Cloud Security Service Signature generating… A B C D E F G H I J 2011/10/1133
Transfer Signature A B C D E F G H I J 2011/10/1134
Failure of Attacker A B C D E F G H I J 2011/10/1135
Failure of Defender A B C D E F G H I J 2011/10/1136
Thanks for your listening!! 2011/10/1137
Reference [1] S. Xu, “Collaborative Attack vs. Collaborative Defense”, Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, Volume 10, Part 2, pp , 2009 [2] S. Braynov and M. Jadliwala, “Representation and Analysis of Coordinated Attacks”, FMSE'03, 2003 [3] J. K. Waters, “Virtualization Definition and Solutions”, 2008, utions utions [4] SANS Institute InfoSec Reading Room, "Intrusion Detection Systems: Definition, Need and Challenges," [5] T. Garfinkel and M. Rosenblum, “A Virtual Machine Introspection Based Architecture for Intrusion Detection”, Proc. Network and Distributed Systems Security Symposium, /10/1138
Reference [6] M. Atighetchi, P. Pal, F. Webber and C. Jones, “Adaptive Use of Network-Centric Mechanisms in Cyber-Defense”, BBN Technologies LLC 2011/10/1139
Appendix 2011/10/1140
Host-based IDS HIDS obtains information by watching local activity on a host : processes, system calls, logs, etc. Advantages : Detailed information about system activities. Greater accuracy and fewer false positives. Weakness : Highly dependent on host systems. Can be deactivated or tampered by a successful intruder. 2011/10/1141
Network-based IDS NIDS obtains data by monitoring the traffic in the network. Advantages : Operating System-independent. Can detect attack attempts outside the firewall. Difficult for attackers to displace their evidences. Weakness : In high-traffic networks, a network monitor could potentially miss packets, or become a bottleneck. Hard to get detailed information of hosts. 2011/10/1142
Period N : The total numbers of nodes in the Defense Networks. F : The total numbers of node which is compromised in the Defense Networks. 2011/10/1143
Selection Criteria 2011/10/1144
No. of Attackers M : Number of selected candidates Success Rate (SR) = Risk Avoidance Compromised / Risk Avoidance Attacks 2011/10/1145