Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 APOD 10/5/2015 NCA 2003Christopher Jones APOD Network Mechanisms and the APOD Red-team Experiments Chris Jones Michael Atighetchi, Partha Pal, Franklin.

Published byEthan Richard Modified over 9 years ago

Similar presentations

Presentation on theme: "1 APOD 10/5/2015 NCA 2003Christopher Jones APOD Network Mechanisms and the APOD Red-team Experiments Chris Jones Michael Atighetchi, Partha Pal, Franklin."— Presentation transcript:

1 1 APOD 10/5/2015 NCA 2003Christopher Jones APOD Network Mechanisms and the APOD Red-team Experiments Chris Jones Michael Atighetchi, Partha Pal, Franklin Webber BBN Technologies QuO & APOD

2 2 APOD 10/5/2015 NCA 2003Christopher Jones Outline Motivating Scenario and APOD Overview QuO Overview APOD Description –Example APOD Strategies –Example APOD Tactics –Example APOD Mechanisms Red-team Experiments Concluding Remarks

3 3 APOD 10/5/2015 NCA 2003Christopher Jones Motivating Scenario and APOD Description Applications that Participate in their Own Defense (APOD) –Demonstrates that dynamic defense and adaptive responses increase an application’s resiliency to certain kinds of attacks. –A toolkit of mechanism wrappers and adaptation strategies that allows an application to defend itself by dynamically adapting to a hostile environment. –Uses QuO, which provides middleware support for mechanism integration and adaptation. Application Host Application Host Application Host Attacker’s Host

4 4 APOD 10/5/2015 NCA 2003Christopher Jones Outline Motivating Scenario and APOD Overview QuO Overview APOD Description –Example APOD Strategies –Example APOD Tactics –Example APOD Mechanisms Red-team Experiments Concluding Remarks

5 5 APOD 10/5/2015 NCA 2003Christopher Jones Quality Objects(QuO) Architecture Application Developer Mechanism Developer CLIENT Network operation() in args out args + return value IDL STUBS IDL SKELETON OBJECT ADAPTER ORB IIOP ORB IIOP CLIENT OBJECT (SERVANT) OBJECT (SERVANT) OBJ REF CLIENT Delegate Contract SysCond Contract Network MECHANISM/PROPERTY MANAGER operation() in args out args + return value IDL STUBS Delegate SysCond IDL SKELETON OBJECT ADAPTER ORB IIOP ORB IIOP CLIENT OBJECT (SERVANT) OBJECT (SERVANT) OBJ REF Application Developer QoS Developer Mechanism Developer CORBA DOC MODEL QUO/CORBA DOC MODEL Qosket

6 6 APOD 10/5/2015 NCA 2003Christopher Jones QuO Overview QuO is a middleware framework that supports the development and execution of adaptation and adding it to an application. Adaptation can be driven by changes in an application’s operating environment. –Host resources (CPU and memory) usage. –Network resource availability. –Host and Network Intrusion status. The adaptive code is encapsulated in a middleware component called “qosket”. –A qosket is a set of specifications and implementations that defines a reusable module of specific adaptive behavior. It can be added into a distributed object application with minimum impact on the application.

7 7 APOD 10/5/2015 NCA 2003Christopher Jones QuO Overview (cont.) Quality Description Languages (QDL) –Contract description language, adaptive behavior description language. –Code generators that generate Java and C++ code for contracts, delegates, creation, and initialization. System Condition Objects –Provide interfaces to resources, managers, and mechanisms. QuO Runtime Kernel –Contract evaluator. –Factory object which instantiates contract and system condition objects.

8 8 APOD 10/5/2015 NCA 2003Christopher Jones Outline Motivating Scenario and APOD Overview QuO Overview APOD Description –Example APOD Strategies –Example APOD Tactics –Example APOD Mechanisms Red-team Experiments Concluding Remarks

9 9 APOD 10/5/2015 NCA 2003Christopher Jones APOD Description Key Idea: by adapting to and trying to control its environment, an application can increase its chances of survival under attack. –Use QuO to integrate multiple security mechanisms into a coherent strategy for adaptive defense. –This is complementary to the usual hardening or protection of applications, resources, or services where available and practical. Ties security information to the adaptation of an application through the QuO system condition objects. APOD has sensor mechanisms that feed defense tactics and strategies. –Actuator mechanisms implement tactic and strategy reactions. APOD tactics integrate sensors and actuator mechanisms to mount a local defensive response. Combining individual mechanisms and tactics into higher-level defense strategies helps applications meet survivability requirements. The following slides are examples, not an exhaustive list of the possibilities or the mechanisms, tactics, and strategies that we are using.

10 10 APOD 10/5/2015 NCA 2003Christopher Jones APOD Strategies Use QuO middleware to coordinate all available defense mechanisms in a coherent strategy. Examples of APOD strategies have been created: –“outrun”: move application components off corrupted hosts and on to good ones at a rate faster than the hosts go bad. »Slow down the attacker’s ability to corrupt host by quarantine. –“contain”: quarantine bad hosts and bad LANs by limiting or blocking network traffic from them and, within limits, shutting them down. »Respond quickly with locally gathered information. »Can only quarantine so many hosts or LANs before application performance becomes affected. »In follow on projects we are looking at having backup hosts to replenish application capabilities depleted by quarantining bad application hosts.

11 11 APOD 10/5/2015 NCA 2003Christopher Jones APOD Tactics Examples of APOD tactics that are implemented used in strategies Block Suspicious Traffic –Combines network intrustion detection system and firewall mechanisms to catch attacker reconnaissance traffic and block further malicious traffic from the attacker host. Choking TCP Connection Floods –Joins TCP Connection counting with a firewall to block hosts that request large numbers of connections to a single port. Containing ARP Cache Poisoning –Incorporates an ARP cache poisoning sensor and firewall to monitor mapping of MAC to IP addresses and resets any mapping if they change as well as blocking traffic from offending MAC address. Squelching Insider Flooding –Uses network traffic accounting to keep track of packets/second and bits/second, and comparing means between observed and expected to determine a spike in outgoing traffic. –If spike occurs, rate limiting is applied to outgoing traffic of a LAN.

12 12 APOD 10/5/2015 NCA 2003Christopher Jones APOD Network Sensor Mechanisms Network Intrusion Detection –Attacker can run live attacks and known scripted network attacks on hosts. –Use Snort, a lightweight network intrusion detection system. –Extract the offending host addresses to pass to an APOD strategy. TCP Connection Flood sensor – Attacker can flood port with many connections making it very difficult or impossible for legitimate clients to connect. –Have a mechanism using netstat to determine number of connections to a given port. –Mechanism monitors application ports for “too many” connections and will warn an APOD strategy of any host that has gone over the connection threshold. ARP cache poisoning detection –Attacker with access to a subnet can use ARP cache poisoning to disrupt or intercept network traffic. –Tool to detect changes in MAC/IP pairings and notify an APOD tactic or strategy of changes. –Uses ping and arp commands to get pairings and compares previously collected pairing for changes.

13 13 APOD 10/5/2015 NCA 2003Christopher Jones APOD Network Actuator Mechanisms Network traffic filters –Uses iptables for blocking and rate-limiting traffic from hosts believed to be malicious. Bandwidth Management –Intserv (RSVP, SecureRSVP) »Uses an enhanced RSVP version of Darmstadt’s RSVP implementation. »Enhanced version done at North Carolina State University. –Bandwidth Broker »Tool using tc command to make changes in queuing policies of routers. Secure network traffic –Uses FreeS/WAN IPSec for protecting network traffic. –Dynamically bring up IPSec between two hosts. Dynamic endpoint mechanism –Uses a NAT gateway to hide the real endpoints, address and port, of application. –The “fake” endpoints are chosen randomly and changed periodically.

14 14 APOD 10/5/2015 NCA 2003Christopher Jones Outline Motivating Scenario and APOD Overview QuO Overview APOD Description –Example APOD Strategies –Example APOD Tactics –Example APOD Mechanisms Red-team Experiments Concluding Remarks

15 15 APOD 10/5/2015 NCA 2003Christopher Jones APOD Red-teaming Experimentation Reasons for experiments. –Validate APOD idea that dynamic adaptation defenses can prolong an applications usefulness in a hostile environment. –Also, analyzing the overhead of APOD. Sandia Labs red-team tasked with validating APOD. –Outside, independent team. –Given full knowledge of application, APOD defenses added, and test network. Red-teaming happened in two distinct experiments. –Each experiment consisted of multiple runs of the defended application. –During each run, the red-team would try different attacks. »Started with single attacks per run to multiple attacks per run.

16 16 APOD 10/5/2015 NCA 2003Christopher Jones Application Used in APOD Experiments Image Display Image Server Broker Image Display Image Server Replication group query serve image register APOD Defenses APOD Defenses APOD Defenses APOD Defenses APOD Defenses APOD Defenses APOD Defenses APOD Defenses APOD Defenses

17 17 APOD 10/5/2015 NCA 2003Christopher Jones Experimentation Configuration IPNET4 IPNET3 IPNET1 IPNET2 broker2_1broker2_2broker1_1broker1_2 server1 broker4_1 broker4_2 server4broker3_1 broker3_2 server3 client2 client3 bc_ipnet_2 router_1 attack2 attack1 bc_ipnet_1 bc_ipnet_3 bc_ipnet_4 router_2 router_3router_4 Experiment Control Host APOD Exp Network

18 18 APOD 10/5/2015 NCA 2003Christopher Jones APOD Experiment Strategies A third strategy was added, Flood prevention and Traceback. –make static SE-RSVP reservations up-front to protect network paths from being flooded. –quarantine hosts by blocking traffic from/to them closer to their source (added to contain strategy on boundary controllers). IPNET3 broker3_1 broker3_2 server3 client3 bc_ipnet_3 Outrun & Contain Strategies Outrun & Contain Strategies App. Contain Strategy App. Contain Strategy BC Contain Strategy

19 19 APOD 10/5/2015 NCA 2003Christopher Jones Red-teaming Attacks and Results APOD defenses blocked or impeded the red-team’s progress. –The APOD defenses overcame or blocked many of the single attack runs. –The red-team was forced to combine different attacks to cause a denial of service of the broker on the defense enabled application. –Of the attack runs that ended with the application in a denial of service, the average time-to-denial was approximately 45 minutes from start of attacks, with a minimum of roughly 10 minutes. Without APOD defenses, service was denied immediately. Time to Denial by Live Attack 0 10 20 30 40 50 60 70 80 90 100 Time (minutes) client 2client 3 Runs

20 20 APOD 10/5/2015 NCA 2003Christopher Jones Results The cost of adding the APOD defenses to image latency was approximately 5% to 20% depending which tactics and strategies were in place. –We concluded that most of the latency increase was caused by the containment strategy and accompanying mechanisms that ran on the boundary control routers.

21 21 APOD 10/5/2015 NCA 2003Christopher Jones Concluding Remarks Conclusion. –Dynamic adaptation has added value for an application by giving it the ability to prolong its usefulness in the presents of attacks. –This prolonged usefulness has a reasonable cost. –Red-team experiments are beneficial for validating and “stress testing” our defenses. APOD is being used in other survivability projects. –Using and expanding of APOD mechanisms, tactics, and strategies. –Other projects include ITUA, DPASA, and Dynamic Quarantine. Websites: –QuO: quo.bbn.com –APOD: apod.bbn.com –ITUA: itua.bbn.com

Download ppt "1 APOD 10/5/2015 NCA 2003Christopher Jones APOD Network Mechanisms and the APOD Red-team Experiments Chris Jones Michael Atighetchi, Partha Pal, Franklin."

Similar presentations

REFLEX INTRUSION PREVENTION SYSTEM.. OVERVIEW The Reflex Interceptor appliance is an enterprise- level Network Intrusion Prevention System. It is designed.

REFLEX INTRUSION PREVENTION SYSTEM.. OVERVIEW The Reflex Interceptor appliance is an enterprise- level Network Intrusion Prevention System. It is designed.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
1 12/16/98DARPA Intrusion Detection PI Meeting BBN Technologies Toolkit for Creating Adaptable Distributed Applications Joe Loyall www.dist-systems.bbn.com/projects/OIT.

1 12/16/98DARPA Intrusion Detection PI Meeting BBN Technologies Toolkit for Creating Adaptable Distributed Applications Joe Loyall
Managing Your Network Environment © 2004 Cisco Systems, Inc. All rights reserved. Managing Cisco IOS Devices INTRO v2.0—9-1.

Managing Your Network Environment © 2004 Cisco Systems, Inc. All rights reserved. Managing Cisco IOS Devices INTRO v2.0—9-1.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Common Object Request Broker Architecture (CORBA) By: Sunil Gopinath David Watkins.

Common Object Request Broker Architecture (CORBA) By: Sunil Gopinath David Watkins.
Agent Caching in APHIDS CPSC 527 Computer Communication Protocols Project Presentation Presented By: Jake Wires and Abhishek Gupta.

Agent Caching in APHIDS CPSC 527 Computer Communication Protocols Project Presentation Presented By: Jake Wires and Abhishek Gupta.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )
Resource Management – a Solution for Providing QoS over IP Tudor Dumitraş, Frances Jen-Fung Ning and Humayun Latif.

Resource Management – a Solution for Providing QoS over IP Tudor Dumitraş, Frances Jen-Fung Ning and Humayun Latif.
A brief look at CORBA. What is CORBA Common Object Request Broker Architecture developed by OMG Combine benefits of OO and distributed computing Distributed.

A brief look at CORBA. What is CORBA Common Object Request Broker Architecture developed by OMG Combine benefits of OO and distributed computing Distributed.
1 Quality Objects: Advanced Middleware for Wide Area Distributed Applications Rick Schantz Quality Objects: Advanced Middleware for Large Scale Wide Area.

1 Quality Objects: Advanced Middleware for Wide Area Distributed Applications Rick Schantz Quality Objects: Advanced Middleware for Large Scale Wide Area.
CS 501: Software Engineering Fall 2000 Lecture 16 System Architecture III Distributed Objects.

CS 501: Software Engineering Fall 2000 Lecture 16 System Architecture III Distributed Objects.
1 8/99 IMIC Workshop 6/22/2015 New Network ServicesJohn Zinky BBN Technologies The Need for A Network Resource Status Service IMIC Workshop 1999 Boston.

1 8/99 IMIC Workshop 6/22/2015 New Network ServicesJohn Zinky BBN Technologies The Need for A Network Resource Status Service IMIC Workshop 1999 Boston.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
OPX PI Meeting 2002 February 21 -- page 1 Applications that Participate in their Own Defense (APOD) QuO Franklin Webber BBN Technologies.

OPX PI Meeting 2002 February page 1 Applications that Participate in their Own Defense (APOD) QuO Franklin Webber BBN Technologies.
Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.

Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
1 4/20/98ISORC ‘98 BBN Technologies Specifying and Measuring Quality of Service in Distributed Object Systems Joseph P. Loyall, Richard E. Schantz, John.

1 4/20/98ISORC ‘98 BBN Technologies Specifying and Measuring Quality of Service in Distributed Object Systems Joseph P. Loyall, Richard E. Schantz, John.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

Similar presentations

Ads by Google