Beyond Intrusion Prevention and Detection – Intrusion Tolerance


1 Beyond Intrusion Prevention and Detection – Intrusion Tolerance
Arun Sood, International Cyber Center and Department of Computer Science

2 Introducing a new paradigm for server security—Intrusion Tolerance
The Problem (diagram): Hacker → Firewall → Enterprise Server
Introducing a new paradigm for server security: Intrusion Tolerance

3 Intrusion Tolerance allows malware and hackers into a server…
The SCIT Solution
Intrusion Tolerance allows malware and hackers into a server… …but uses virtualization to restore the OS and application to a pristine state after the attack!
Diagram: Hacker → Firewall → Enterprise Server hosting a SCIT Virtual Partition / SCIT Virtual Server
Every 55 seconds SCIT software cleans and restores the virtual server to its pristine state.

4 Multi-National Security Breach
“A huge campaign to poison web searches and trick people into visiting malicious websites has been thwarted.”
If a user searched Google for terms such as "hospice", "cotton gin and its effect on slavery", "infinity" and many more, the first result pointed to a website from which malicious software was downloaded and embedded on the user's system.
Criminals in country A created domains that were mostly bought by companies in country B and hosted in country C. Tens of thousands of domains were used.
These domains tricked Google's indexing strategy into treating these web pages as a good and reliable source of information.
Targeted and organized attacks.

5 Cross Sector Cyber Threats Strategy
Securing Servers
Servers and endpoints have to be protected.
The Verizon Data Breach Investigation shows that 99% of the compromised records were from servers.
A key step in these attacks was the installation of customized malware, which cannot be detected by current systems.
Current protection can take place at the network level and, for important asset protection, at the host level:
Intrusion Prevention Systems, including firewalls
Intrusion Detection Systems: statistical, anomaly and behavior based
White lists and black lists: IP addresses and software
Intrusion Tolerance: intrusions will happen, focus on minimizing losses
(Arun Sood will present the next few slides.)
We cannot depend on systems' internal controls and security foundations; we are forced to protect at the boundary's edge.
Ineffective long term, because these controls are dependent on human intervention to implement, manage and update.

6 Multi layered Approach to Security
IPS depend on inspection of incoming packets.
IDS depend on inspection of incoming and outgoing packets.
With increasing bandwidth and more matching requirements, the cycles devoted to packet inspection will keep increasing.
Threat independent approaches are needed for protection.
Other approaches should be included in the mix, including approaches that do not rely on packet inspection and have potential for threat independent performance:
White list of software
Time dependent intrusion tolerance

7 Key Intrusion Tolerance Approaches
Comparison of SITAR, MAFTIA and SCIT (table rows as given on the slide):
Basis: SITAR – detection based; MAFTIA – structure based; SCIT – time dependent.
Payload inspection: Yes; No.
Voting algorithm: SITAR – yes, used to detect faulty replica and survive attacks; MAFTIA – yes, used to detect faulty replica and survive attacks.
Deterministic performance impact: impact on response time; some impact on computing cycles for starting a new server instance.
Execution of ITS algorithm: in application data flow; out-of-band.
Diversity: required; optional, but diversity will make the scheme more robust.
Recovery: SITAR – adaptive recovery performed upon intrusion detection; MAFTIA – performed upon detecting an intrusion, faulty replica recovered according to healthy ones; SCIT – periodic recovery performed by the Controller, based on a master copy.

8 Self Cleansing Intrusion Tolerance
Next Generation Server Security Technology
Infrastructure servers, including those in the DMZ
Short transactions
Reduce exposure time

9 Intrusion Tolerance Introducing SCIT, the Intrusion Tolerance System
Optimizes application-specific exposure windows (AEW)
Targets “overexposed” applications (transactions): servers are sitting ducks
Focus initially on websites, DNS, Single Sign On
Ongoing R&D: authentication (LDAP), firewall
Not targeted at applications with inherently long transaction times (FTP, VPN, etc.)
Leverages virtualization technology to reduce intrusion risk and costs
Reduces exposure time to limit intrusion losses
Adds time-based exposure control to intrusion prevention and detection solutions
SCIT is based on a new paradigm, but is easy to integrate with existing systems
New level of “Day-Zero” protection
Increases security through real-time server rotation and cleansing:
Enhances security of high availability systems
Enables more flexible patch scheduling

10 SCIT Software
SCIT deploys on existing servers; it does not require additional physical servers.
SCIT is cost effective, uses virtualization technology and increases system security.
SCIT does not interfere with existing IPS and IDS solutions.
SCIT is an additional layer of defense.

11 Anatomy of a Hack
Manual approach: Identify Target → Install Malicious Code → Damage
Foot print analysis: Whois, NSLookup, search engines. Enumeration. Analyze publicly available info; set the scope of the attack and identify key targets.
Scanning: machines, ports, applications. Check for vulnerabilities on each target.
Exploitation: buffer overflow, spoofing, password, DoS. Attack targets using a library of tools and techniques.
Damage: “owning”, IP theft, blackmail, graffiti, espionage, destruction.
Automated approach: Identify Target → Install Malicious Code → Hack Other Machines → Take over Domain Controller
Foot print analysis: Whois, NSLookup, search engines. Enumeration.
Automated scanning: machines, ports, applications.
Deliver payload: custom Trojan, rootkit. Attack targets using installed software.
Damage: “owning”, IP theft, blackmail, graffiti, espionage, destruction.
Hacking approaches have become more automated. Our focus is on understanding the attacks on servers. For example, custom viruses are often used to attack client stations to retrieve addresses from the address book. Typically dedicated servers do not have address books. Attacks are motivated by financial or political gain, and there are more organized attacks with criminal intent.
Source: Richard Stiennon, May 2006,

12 How Does SCIT Provide Additional Security?
SCIT servers
Regularly restored to a known state, removing malicious software installed by attackers.
Provide protection while the manufacturer is developing a patch, i.e. SCIT servers are protected in the time period between vulnerability detection and patch distribution.
Give data center managers an additional degree of freedom in developing a systematic plan for patch management.
SCIT DNS servers
Domain name / IP address mapping is protected from malicious alteration, thus avoiding improper redirection of the traffic.
SCIT Web servers
Protect the corporate crown jewels: front ends for sensitive information, e.g. customer or employee data sets, IP, and informational web sites.
Regularly restore the sites to known states, making it difficult for intruders to undertake harmful acts such as deleting files. Avoid long term defacements.
Reduce the risk of large scale data ex-filtration.

13 Comparison of IDS, IPS, IT
Issue | Firewall, IDS, IPS | Intrusion tolerance
Risk management | Reactive | Proactive
A priori information required | Attack models; software vulnerabilities; reaction rules | Exposure time selection; length of longest transaction
Protection approach | Prevent all intrusions (impossible to achieve) | Limit losses
System administrator workload | High: manage reaction rules, manage false alarms | Less: no false alarms generated
Design metric | Unspecified | Exposure time (deterministic)
Packet/data stream monitoring | Required | Not required
Higher traffic volume requires | More computations | Computation volume unchanged
Applying patches | Must be applied immediately | Can be planned

14 Server Rotations Example: 5 online and 3 offline servers
Diagram: virtual/physical server rotation. Online servers: potentially compromised. Offline servers: in self-cleansing.
To demonstrate how SCIT works, we take a simple example of 5 online servers and 3 offline servers. SCIT applies to situations that have virtual or physical servers; current SCIT products use virtual servers. Online servers are potentially compromised. At regular intervals an online server is swapped with an offline clean server. The offline servers go through a cleaning process, and are returned to a known state before being brought online. This swapping process is referred to as a server rotation. In this example, we show the swapping of the servers with small black dots. For this to work, the swapping must take place without user service interruption. Our attempt is to reduce exposure time. For example, for DNS, in a lab setting we have achieved a 2 second exposure time using a Sun server. In a commercial setting for DNS and web servers, we are planning a sub-minute exposure time.
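The rotation on this slide, as an added example that is not SCIT project code: a second-by-second simulation of 5 online and 3 offline servers, swapping one server at a time. The slide gives no timing for this example, so the exposure window (60 s), the cleansing time (30 s) and the rule that one server rotates every W/Nonline seconds are assumptions of the example. The simulation shows what the slide states only in words: the swap keeps every server's online time at or below W only while the pool of clean spares can keep up with the cleansing time.

```python
import collections

# Added example, not SCIT project code: a second-by-second simulation of the rotation
# described on the slide, 5 online and 3 offline servers, one server swapped at a time.
# Assumed values (the slide gives none for this example): exposure window 60 s and a
# 30 s cleansing time.  Slide 3 mentions a 55 s cycle for the product.


def max_cleansing_time(n_online, n_offline, w_online):
    """Longest cleansing time the pool can absorb without leaving an expired server
    online (assumption: one server rotates every w_online / n_online seconds).

    Each server passes through all n_online + n_offline slots before it comes back,
    so it is offline for (n_online + n_offline) * stagger - w_online seconds."""
    stagger = w_online // n_online
    return (n_online + n_offline) * stagger - w_online


def simulate_rotation(n_online=5, n_offline=3, w_online=60, t_cleanse=30, horizon=600):
    """Run the rotation for `horizon` seconds.

    Returns the longest time any server stayed online (the real exposure time) and
    the number of seconds during which an expired server could not be swapped
    because no clean spare was ready (non-zero when t_cleanse is too long)."""
    stagger = w_online // n_online
    # online servers, oldest first: (name, time it came online); start staggered
    online = collections.deque(
        (f"srv{i}", -(n_online - 1 - i) * stagger) for i in range(n_online))
    clean = collections.deque(f"srv{n_online + i}" for i in range(n_offline))
    cleansing = []                       # (ready_at, name) of servers being restored
    max_exposure = 0
    stale_seconds = 0
    for t in range(horizon + 1):
        # servers whose restore has finished return to the clean pool
        for _, name in sorted(e for e in cleansing if e[0] <= t):
            clean.append(name)
        cleansing = [e for e in cleansing if e[0] > t]
        # exposure is measured before the swap, so a server rotated on time scores w_online
        max_exposure = max(max_exposure, max(t - since for _, since in online))
        # rotate every server whose window has elapsed, while clean spares last
        while t - online[0][1] >= w_online:
            if not clean:
                stale_seconds += 1       # expired server stays online: exposure grows
                break
            name, _ = online.popleft()
            cleansing.append((t + t_cleanse, name))
            online.append((clean.popleft(), t))
    return {"max_exposure": max_exposure, "stale_seconds": stale_seconds}


if __name__ == "__main__":
    print("cleansing budget for 5+3 at W=60 s:", max_cleansing_time(5, 3, 60), "s")
    print("30 s cleanse:", simulate_rotation(t_cleanse=30))
    print("50 s cleanse:", simulate_rotation(t_cleanse=50))
```

With the assumed numbers the 5+3 pool gives each server 36 s offline, so a 30 s cleanse keeps the maximum exposure at exactly 60 s; raising the cleanse to 50 s leaves expired servers online and the measured exposure exceeds the configured window, which is the inter-relation between Ntotal, W and Tcleansing that slide 29 mentions.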

17 Server State Transitions

18 Intrusion Tolerance Increase security by reducing exposure window
Exposure window is the time a server is online between rotations.
Optimizes application-specific exposure windows to servers.
Decreasing the available time for intrusion reduces potential losses.
(Chart: cost versus exposure window T.)

19 Value for Exposure Window Management
Chart: applications placed by transaction length (long to short) against value for exposure window management (low to high).
Target applications (short transactions, high value): e-commerce payments (long session of multiple short transactions), streaming media, web servers, DNS services, Single Sign On, firewalls, authentication (LDAP), transaction processors.
Long transactions (low value): VPN, complex database queries, back end processing, file transfer (size dependent).

20 Exposure Time Reductions
Application | Current Server | SCIT Server
Websites – Windows Server | 1 day to 3 months | 60 seconds
Websites – UNIX Server | 1 month to 6 months |
DNS services – Linux Server | 3 months to 1 year | 30 seconds
In the following slides we show that reducing exposure time significantly reduces expected loss.

21 Security Risk Assessment
Follows SecurityFocus.com (Symantec), Microsoft

22 SCIT vs Traditional: Cumulative Single Loss Expectancy
Chart: multi-tier architecture (web server, DNS server, content manager, database server) against SCIT exposure time. Reducing exposure time significantly reduces expected loss.

23 Avoidance is Better Than Cleaning
You cannot clean a compromised system by:
patching it;
removing the back doors;
using some vulnerability remover;
using a virus scanner;
reinstalling the operating system over the existing installation.
You cannot trust:
any data copied from a compromised system;
the event logs on a compromised system;
your latest backup.
The only proper way to clean a compromised system is to flatten and rebuild.
CLEANING COMPROMISED SYSTEMS IS DIFFICULT. IT IS BETTER TO AVOID HACKING.

24 Sample Requirements Met by SCIT Servers
Web site should not be defaced longer than 1 minute.
DNS tables should be restored within 1 minute.
Security architecture should reduce data ex-filtration: a SCIT server along with IDS will reduce the volume of data that can be maliciously retrieved.
To ensure clean servers, remove malware every minute.
Use diversity to change the face of the web server every minute.

25 Performance & Functionality Stress Tests
Workload: number of user sessions/minute (50, 100, 125).
User session: series of requests and responses from the server; select an item from a drop down list and add it to persistent storage.
OpenSTA is used to generate the workload.
3 runs per case. Duration of run = 3 × exposure time for the run, so each VM is tested at least once.
Workload consists of N requests every 10 secs.
Exposure times of 2, 3 and 4 minutes, plus no rotation (stand alone web server for the non-SCIT test).

26 Performance Test Results
Exp Time (minutes) | User Sessions | Avg. Response Time (secs) | STD Dev
2 m | 50 | 6.16 | 0.07
2 m | 100 | 6.24 | 0.01
2 m | 125 | 6.27 | 0.02
3 m | 50 | 6.10 | 0.04
3 m | 100 | 6.15 |
3 m | 125 | 6.31 | 0.05
4 m | | 6.08 |
4 m | | 6.14 |
No Rotation | | 6.03 | 0.00
No Rotation | | 6.04 |
SCIT Server Environment: entry level DELL system, dual processor (4 cores each), 4 GB memory, Slackware OS, Apache, Tomcat, shopping cart (Java).

27 Response Times for Different Exposure Times

28 Preliminary Performance Data
Each user session includes a series of requests and responses. Average “think” time = 2 seconds between requests. Each session involves selecting an item from a drop down list and adding it into the persistent storage. Repeated 3 times. DEPEND 2009, June 09

29 SCIT Parameters
Active window Wo: server accepts requests from the network.
Grace period Wg: server stops accepting new requests and fulfills outstanding requests in its queue.
Exposure window: W = Wo + Wg.
Ntotal: total nodes in the cluster.
Ntotal, W, and the cleansing time Tcleansing are inter-related.

30 SCIT State Transition Diagram
Diagram states: G: Good; V: Vulnerable; A: Successful Attack; F: Failed. Transition labels on the diagram: 1, Pa, 1–Pa, Pc, 1–Pc.
Simple diagram. Pa: probability of successful attack. Pc: probability of cleansing when in A.
F: low chance of occurrence, but still possible: the virtual machine and/or the host machine no longer responds to the Controller, or the Controller itself fails due to a hardware fault.

31 MTTSF and W
W ↓ → (Pa ≤ 1 − e^{−λW}) ↓
W ↓ → (Pc ≥ e^{−λW}) ↑
Then: W ↓ → MTTSF_SCIT ↑
MTTSF_SCIT ≥ F(W), where F(W) is a decreasing function of W.
Significance: engineer an instance of the SCIT architecture by tuning W in order to increase or decrease the value of MTTSF_SCIT.

32 MTTSF and Grace Period
Grace period used by the Controller to issue the cleansing mode signal.
Noutstanding: average number of outstanding requests in the queue when the server enters the grace period.
Entire incoming traffic ~ Poisson(α). It is known: λ = k·α, with k ≤ 1.
Noutstanding ≤ α·Wo.
S: service rate in terms of number of serviced requests per unit time: Wg = Noutstanding / S ≤ (α·Wo) / S.
Since α/S < 1, estimate for grace period: Wg < Wo.
Then: control MTTSF_SCIT by the online window Wo.
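The quantities on slides 29 to 32 worked through for constructed parameter values, as an added example that is not from the SCIT slides or papers. The exposure window W = Wo + Wg, the grace-period bound Wg ≤ αWo/S and the bounds Pa ≤ 1 − e^{−λW}, Pc ≥ e^{−λW} are taken from the slides; the Markov-chain reading of the slide 30 diagram used to turn them into a concrete F(W) (each window G → V, then A with probability Pa, then F with probability 1 − Pc, otherwise back to G) is an assumption of the example, as are the rates λ, α and S.

```python
import math

# Added example, not from the SCIT slides or papers: the exposure-window quantities
# on slides 29 to 32 evaluated for constructed parameter values.  The Markov chain
# reading used for MTTSF is an assumption, stated in mttsf_lower_bound.


def exposure_window(w_o, w_g):
    """W = Wo + Wg (slide 29)."""
    return w_o + w_g


def grace_period_bound(alpha, w_o, service_rate):
    """Slide 32: Noutstanding <= alpha * Wo and Wg = Noutstanding / S, so
    Wg <= alpha * Wo / S, which is below Wo whenever alpha / S < 1."""
    if alpha >= service_rate:
        raise ValueError("alpha / S must be < 1 or the queue never drains")
    return alpha * w_o / service_rate


def attack_success_bound(lam, w):
    """Slide 31: Pa <= 1 - exp(-lambda W), the chance of at least one arrival of a
    Poisson(lambda) attack process during an exposure window of length W."""
    return 1.0 - math.exp(-lam * w)


def cleansing_bound(lam, w):
    """Slide 31: Pc >= exp(-lambda W)."""
    return math.exp(-lam * w)


def mttsf_lower_bound(lam, w):
    """Assumed reading of the slide-30 diagram: each window the server goes G -> V,
    reaches A with probability Pa, and from A is cleansed (Pc, back to G) or fails
    (1 - Pc, to F).  Failure per window is Pa * (1 - Pc), the number of windows to
    failure is geometric, and MTTSF = W / (Pa * (1 - Pc)).  Substituting the slide-31
    bounds gives F(W) = W / (1 - exp(-lambda W))**2.  Under this reading F decreases
    in W while lambda * W stays below about 1.26 (the root of e^u - 1 = 2u), i.e.
    in the short-window regime the slides target."""
    p_fail = attack_success_bound(lam, w) * (1.0 - cleansing_bound(lam, w))
    return w / p_fail


def design_point(lam, alpha, service_rate, w_o):
    """Tie the pieces together for one choice of online window Wo."""
    w_g = grace_period_bound(alpha, w_o, service_rate)
    w = exposure_window(w_o, w_g)
    return {
        "Wo": w_o,
        "Wg_max": w_g,
        "W": w,
        "Pa_max": attack_success_bound(lam, w),
        "MTTSF_min": mttsf_lower_bound(lam, w),
    }


def mttsf_is_decreasing(lam, windows):
    """Check the slide-31 claim that F(W) decreases over an increasing list of W."""
    values = [mttsf_lower_bound(lam, w) for w in windows]
    return all(a > b for a, b in zip(values, values[1:]))


if __name__ == "__main__":
    # constructed rates: one attack opportunity per ~1000 s, 2 req/s in, 5 req/s served
    for w_o in (30, 60, 300):
        print(design_point(lam=0.001, alpha=2.0, service_rate=5.0, w_o=w_o))
    print("F(W) decreasing for short windows:",
          mttsf_is_decreasing(0.001, [10, 30, 60, 300, 600]))
    print("F(W) decreasing for long windows:",
          mttsf_is_decreasing(0.001, [1000, 2000, 4000]))
```

Two points the numbers make that the slides only state: with α/S = 0.4 the grace period is at most 40% of Wo, so Wo really does control W; and under the assumed chain the "shorter window, longer MTTSF" relation holds in the regime where λW is small, which is the whole premise of sub-minute rotation, while for windows long compared with the attack inter-arrival time the bound stops improving.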

33 Observations and Thoughts
Specifying security without a time framework is very hard.
It is easier to assess risk for proactive systems as compared to reactive systems.
Threat independent protection is critical: protect while patches are being developed.
We need easy to understand metrics and/or benchmarks.
SCIT makes it harder for the intruder, but how much harder? Cost vs hardening assessment.

34 Conclusion
SCIT significantly reduces risk levels for targeted applications using virtualization technology.
Augments existing IPS and IDS solutions: another layer of defense, no interference.
Completed SCIT web server and SSO server; SCIT DNS server in Q4.
Research issues: long duration transactions, randomized defensive strategies, scalability, functionality under load, “penetration” testing, other servers (e.g. )

35 SCIT technical publications
SCIT Publications + Contact Info
SCIT technical publications
Links to media reports
Links to demo videos
Questions? Arun Sood

36 Questions
SCIT goal is to make it harder for an intruder to do damage. We need a way to say that by having an exposure time of X the task will become Y times harder. Are there ways of assessing this without the use of red teams?
What is a good enough exposure time?
What metrics and benchmarks are more meaningful to decision makers?
Given limited knowledge of future attack methodologies, how does one justify a multi-layered security architecture?
Can SCIT simplify the constraints on IDS and thus reduce false alarms?

