Research Direction Introduction
HSU, Chia-Yang, OPLab

Agenda
- Introduction
- Problem Description
- Mathematical Formulation

OPLab, 2019/4/28
Introduction
Background
Attacks on network infrastructure are currently the main threat to network and information security. Service unavailability can cause severe financial loss or reputational damage. With unauthorized activity in networks growing rapidly, Intrusion Detection (ID) is a necessary component of defense-in-depth, because traditional firewall techniques cannot provide complete protection against intrusion.
Definition of Intrusion Detection System
An Intrusion Detection System (IDS) is a security system that monitors computer systems and network traffic and analyzes that traffic for possible hostile attacks originating from outside the organization, and also for system misuse or attacks originating from inside the organization. [1] SANS (System Administration, Networking and Security)
More about Intrusion Detection System
Strictly speaking, an IDS does not prevent the intrusion from occurring; it only detects it and reports it to an operator. More and more IDSs, however, try to react when they detect an unauthorized action. The reaction usually includes trying to:
- provide an early alarm of danger for attack events;
- contain or stop the damage.
Host-based IDS
A HIDS obtains information by watching local activity on a host: processes, system calls, logs, etc.
Advantages:
- Detailed information about system activities.
- Greater accuracy and fewer false positives.
Weaknesses:
- Highly dependent on the host system.
- Can be deactivated or tampered with by a successful intruder.
Network-based IDS
A NIDS obtains data by monitoring the traffic in the network.
Advantages:
- Operating-system independent.
- Can detect attack attempts outside the firewall.
- Difficult for attackers to remove their evidence.
Weaknesses:
- In high-traffic networks, a network monitor could miss packets or become a bottleneck.
- Hard to get detailed information about hosts.
Trade-off between HIDS and NIDS
Intrusion detection systems are defeated either through attack or through evasion. Directly inspecting the state of monitored systems provides better visibility, but increasing visibility frequently comes at the cost of weaker isolation between the IDS and the monitored OS, and hence between the IDS and the attacker. The trade-off is evident when comparing HIDS and NIDS:
- NIDS offers high attack resistance at the cost of visibility.
- HIDS offers high visibility but sacrifices attack resistance.
New Directions of IDS
- Keep the good visibility of a HIDS.
- Must be more attack resistant.
- Stronger isolation from the monitored OS/system.
Virtual Machine-based IDS!!
Definition of Virtualization
Virtualization refers to technologies designed to provide a layer of abstraction between computer hardware systems and the software running on them. [2]
Good Properties of Virtual Machines
Isolation: each VM (Virtual Machine) runs in its own hardware protection domain; there is strong isolation between VMs and the VMM (Virtual Machine Monitor).
Encapsulation: a VM entirely encapsulates the state of the guest operating system running inside it as a file; encapsulated machine state can be copied and shared over networks.
References: [3] T. Garfinkel and M. Rosenblum, "A Virtual Machine Introspection Based Architecture for Intrusion Detection," NDSS, 2003. [4] Y. Bai and H. Kobayashi, "Intrusion Detection Systems: technology and development," Advanced Information Networking and Applications (AINA), 2003.
Two Types of Virtual Machine Environment
Commercial Product
VMware vShield Endpoint strengthens the security of virtual machines (VMs) and virtual hosts and greatly improves the efficiency of VM protection by offloading anti-malware processing into a dedicated security virtual appliance supplied by a VMware partner.
Because Deep Security is itself a host-based IPS (H-IPS, host-side intrusion detection and prevention system) running on a virtual machine, Dai Shen (戴燊) pointed out that high-tech manufacturers, who find it hard to patch the many computers on their production lines, can use the H-IPS function to protect virtual machines against the growing number of zero-day attacks, such as the earlier IE vulnerability attacks, before the official patch is released. [5]
Problem Description
Problem Description
Environment: a government or enterprise network with multiple servers providing services.
Roles:
- Defender: perfect knowledge of the topology.
- Attacker: only one-hop information.
Defender
Attributes:
- Nodes: VM-IDS, general nodes, core nodes.
- Budget:
  - Planning phase: set up VM-IDS (including the cost of hardware and software); add general defenses (firewall, IPS, ...) to VM-IDS, general nodes and core nodes.
  - Defending phase: use the budget to defend when an intrusion occurs (discussed later).
Attacker
Attributes:
- Capability: normal distribution; describes each attacker.
- Proficiency: each attacking method has its own proficiency.
- Budget: normal distribution.
  - Preparing phase: get attack tools (buy or develop cost). Training is needed before attacking with each attack method; training cost is inversely proportional to the attacker's capability.
  - Attacking phase: the attacker picks a method to attack depending on proficiency and the tool. The attack cost required to compromise one node depends on the proficiency of the method, the tool quality and the defense resources of that node.
Attacker (Cont.)
Attributes:
- Next hop selection criteria, based on the attack cost ratio: prefer high, prefer low, or random.
Contest success function
The probability that the attacker succeeds against a node is modelled with the contest success function of Skaperdas [6], in the form used by Levitin and Hausken [7]:
$$p = \frac{T^m}{T^m + t^m}$$
where T is the attacker's effort, t the defender's effort (defense resources) on that node, and m the contest intensity. The attacker decides on a value of T that makes the probability of success greater than 90%.
[6] S. Skaperdas, "Contest success functions," Economic Theory 7, 283–290, 1996. [7] G. Levitin and K. Hausken, "False targets efficiency in defense strategy," European Journal of Operational Research, vol. 194, no. 1, 1 April 2009.
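Worked derivation (added here, not part of the original slides) of the effort the attacker needs under the 90% rule, using the symbols above:

$$\frac{T^m}{T^m + t^m} \ge 0.9 \iff T^m \ge 0.9\,T^m + 0.9\,t^m \iff 0.1\,T^m \ge 0.9\,t^m \iff T \ge 9^{1/m}\, t .$$

So the required effort scales linearly with the node's defense resources t, and the contest intensity m sets the multiplier: for $m = 1$ the attacker must spend $T \ge 9t$, for $m = 2$ only $T \ge 3t$, and as $m \to \infty$ the requirement approaches $T > t$ (the contest becomes winner-take-all). Raising t on a node therefore raises the attacker's cost in direct proportion, which is consistent with modelling the "increased defense force" after signature generation as a ratio applied to t.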
Scenario
(Figure labels: Attacker, Defender's Network, VM defense center, VM-IDS, Core node.)
Consider that the attacker can only see one hop far.
1. Intrusion detected!! The VM defense center asks the defender whether to generate a signature or not.
2. Generate the signature and push it to the VM-IDSs.
3. The VM-IDSs become immune to that attack method.
4. The signature is transformed for general and core nodes and increases the attack costs there.
5. A VM-IDS may make mistakes!! The more expensive one makes fewer mistakes.
6. The attacker attacks another VM-IDS and will not succeed. When an intrusion fails, the attacker believes that the node is a VM-IDS. After a successful intrusion into a VM, the attacker may find out that the node is a VM; the probability is related to the attacker's capability.
7. The attacker changes attack method and target. Note that when the attacker changes attack method, the VM-IDSs are no longer immune, and the cost of attacking nodes returns to normal!!
8. The attacker keeps attacking until there is no more budget.
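The scenario above, together with the attacker attributes from the earlier slides (proficiency, tool quality, next-hop criterion on the attack cost ratio, capability), can be played out in a small simulation. The following Python is an added example written for this page; it is not code from the presentation or from OPLab. The topology, the per-node defense resources, the false-negative rate, the signature cost and the way a signature scales a node's defense force by a ratio ALPHA are all constructed assumptions; the per-node attack cost is the contest-success-function effort T = t · (p/(1−p))^(1/m) for p = 0.9, divided by proficiency × tool quality, which is one plausible reading of "depends on proficiency, tool quality and defense resources" rather than the slides' actual cost function.

```python
"""Toy simulation of the slides' scenario: a one-hop attacker pivoting through a
network defended by VM-IDS nodes that push signatures when they catch an intrusion.
Topology, costs and rates below are constructed for illustration (not from the slides)."""
import random

# Constructed topology: node -> (kind, defense resources t_i, neighbours)
NETWORK = {
    "edge": ("general", 4.0, ["web", "vm1"]),
    "web":  ("general", 6.0, ["edge", "vm1", "db", "vm2"]),
    "vm1":  ("vmids",   6.0, ["edge", "web", "core"]),
    "vm2":  ("vmids",   7.0, ["web", "core"]),
    "db":   ("general", 8.0, ["web", "core"]),
    "core": ("core",   12.0, ["vm1", "db", "vm2"]),
}
ENTRY = "edge"                # the only node the attacker can see at the start
M = 2.0                       # contest intensity m of the contest success function
TARGET_P = 0.9                # attacker wants P(success) >= 90 % on every attempt
ALPHA = 0.5                   # defense-force increase once a signature for a method exists
VMIDS_FALSE_NEGATIVE = 0.1    # miss rate of the VM-IDS (a cheaper one would miss more)
SIGNATURE_COST = 5.0          # defender's cost of generating one signature
METHODS = {"A": (0.9, 0.8), "B": (0.5, 0.6)}   # method -> (proficiency, tool quality)


def required_effort(t, m=M, p=TARGET_P):
    """Smallest T with T^m / (T^m + t^m) >= p, i.e. T = t * (p / (1 - p))^(1/m)."""
    return t * (p / (1.0 - p)) ** (1.0 / m)


def attack_cost(node, method, signatures):
    """Effort to compromise `node` with `method` as the attacker sees it one hop away.
    A signature raises every node's defense force by ALPHA; that a VM-IDS is also
    immune is something the attacker only learns by failing against it."""
    kind, t, _ = NETWORK[node]
    if method in signatures:
        t *= 1.0 + ALPHA
    proficiency, tool = METHODS[method]
    return required_effort(t) / (proficiency * tool)


def is_immune(node, method, signatures):
    return NETWORK[node][0] == "vmids" and method in signatures


def choose_target(visible, method, signatures, budget, criterion, rng):
    """Next-hop selection on the attack-cost ratio (cost / remaining budget)."""
    ratios = {n: attack_cost(n, method, signatures) / budget for n in sorted(visible)}
    ratios = {n: r for n, r in ratios.items() if r <= 1.0}   # skip unaffordable hops
    if not ratios:
        return None
    if criterion == "random":
        return rng.choice(list(ratios))
    pick = max if criterion == "high" else min
    return pick(ratios, key=ratios.get)


def simulate(attacker_budget=80.0, defender_budget=10.0, criterion="low",
             capability=0.7, seed=1):
    """Attack until the core falls or the attacker can afford no further hop."""
    rng = random.Random(seed)
    signatures, compromised, suspected = set(), set(), set()
    method = "A"                 # the attacker opens with its most proficient method
    tried = {method}             # methods tried since the last successful hop
    trace = []
    while attacker_budget > 0:
        visible = {ENTRY} | {nb for c in compromised for nb in NETWORK[c][2]}
        visible -= compromised | suspected
        target = choose_target(visible, method, signatures, attacker_budget, criterion, rng)
        if target is None:
            alternatives = [j for j in METHODS if j not in tried and j not in signatures]
            if not alternatives:
                break            # nothing affordable with any remaining method
            method = alternatives[0]
            tried.add(method)
            suspected.clear()    # VM-IDSs are not immune to the new method
            trace.append(("switch", method))
            continue
        attacker_budget -= attack_cost(target, method, signatures)
        if is_immune(target, method, signatures):
            suspected.add(target)   # failed intrusion: attacker now believes it is a VM-IDS
            trace.append(("fail", target, method))
            continue
        compromised.add(target)
        tried = {method}
        trace.append(("compromise", target, method))
        kind = NETWORK[target][0]
        if kind == "core":
            break
        if kind == "vmids":
            if rng.random() < capability:          # attacker may notice it is inside a VM
                trace.append(("noticed_vm", target))
            detected = rng.random() >= VMIDS_FALSE_NEGATIVE
            if detected and method not in signatures and defender_budget >= SIGNATURE_COST:
                defender_budget -= SIGNATURE_COST  # defense center generates and pushes a signature
                signatures.add(method)
                trace.append(("signature", method))
    return {"compromised": compromised, "core_reached": "core" in compromised,
            "signatures": signatures, "attacker_budget_left": attacker_budget,
            "defender_budget_left": defender_budget, "trace": trace}
```

Calling `simulate()` with the defaults plays the "prefer low" attacker against an 80-unit budget; `simulate(criterion="high")` and `simulate(criterion="random", seed=3)` exercise the other two next-hop criteria, and the returned `trace` lists every compromise, failed attempt against an immune VM-IDS, signature push and method switch in order. The two things worth noticing are that the attacker never sees whether a neighbour is a VM-IDS (it infers that only from a failed intrusion), and that once a signature exists the attacker's cheapest way forward is often to switch method, which resets the VM-IDSs' immunity exactly as the slides describe.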
Mathematical Formulation
Assumptions
- A VM-IDS can transform signatures into other formats for general and core nodes to use.
- False positives and false negatives in detection are taken into consideration.
- The defender has perfect knowledge of the entire topology.
- Attackers have only imperfect knowledge of the target network.
- Signatures can be generated and transmitted in nearly real time.
Given Parameters (notation / description)
- The index set of all nodes.
- The index set of VM-IDSs.
- The index set of attack methods.
- Cost function of buying a VM-IDS.
- Cost of generating a signature.
- Cost function of training an attack method.
- Cost function of buying an attack method.
- Attack cost function of attacking a node using a certain method.
- Attacker's total budget.
- Defender's total budget.
- The ratio of increased defense force after the VM-IDS has identified attacking method j.
Decision Variables (notation / description)
- 1 if node i is a VM-IDS, otherwise 0.
- The defense resources on node i.
- The total number of times signatures are generated.
- 1 if the attacker buys method j, otherwise 0.
- Proficiency level of method j.
- Total number of times node i is attacked using method j.
- The ratio of attacking times after the VM-IDS has identified attacking method j.
Objective Function (IP 1)
This objective is wrong!
Constraints
Defender's budget constraints: (IP 1.1) (IP 1.2) (IP 1.3)
Constraints (Cont.)
Attacker's budget constraints: (IP 1.5) (IP 1.6)
Thank you for listening!
Q & A
References
[1] SANS Institute InfoSec Reading Room, "Intrusion Detection Systems: Definition, Need and Challenges," 2001.
[2] John K. Waters, "Virtualization Definition and Solutions," 2008.
[3] T. Garfinkel and M. Rosenblum, "A Virtual Machine Introspection Based Architecture for Intrusion Detection," NDSS, 2003.
[4] Y. Bai and H. Kobayashi, "Intrusion Detection Systems: technology and development," Advanced Information Networking and Applications (AINA), 2003.
[5] Article on VMware vShield Endpoint and Deep Security (URL not preserved in this copy).
[6] S. Skaperdas, "Contest success functions," Economic Theory 7, 283–290, 1996.
[7] G. Levitin and K. Hausken, "False targets efficiency in defense strategy," European Journal of Operational Research, vol. 194, no. 1, 1 April 2009.
[8] M. Laureano et al., "Intrusion Detection in Virtual Machine Environments," Proceedings of the 30th EUROMICRO Conference, 2004.
[9] T. Garfinkel and M. Rosenblum, "When virtual is harder than real: security challenges in virtual machine based computing environments," Proceedings of the 10th Conference on Hot Topics in Operating Systems (HotOS), Santa Fe, NM, 2005.
[10] T. Garfinkel et al., "Terra: a virtual machine-based platform for trusted computing," Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP), Bolton Landing, NY, USA, 2003.