
Integrating Access Control with Real-Time Assessment

Permanent Link: http://ufdc.ufl.edu/UFE0024262/00001

Material Information

Title: Integrating Access Control with Real-Time Assessment Adaptive Security Through the Acquisition, Analysis and Application of Context Data
Physical Description: 1 online resource (141 p.)
Language: english
Creator: Rasheed, Hassan
Publisher: University of Florida
Place of Publication: Gainesville, Fla.
Publication Date: 2009

Subjects

Subjects / Keywords: access, awareness, context, control, distributed, information, security, systems
Computer and Information Science and Engineering -- Dissertations, Academic -- UF
Genre: Computer Engineering thesis, Ph.D.
bibliography   ( marcgt )
theses   ( marcgt )
government publication (state, provincial, territorial, dependent)   ( marcgt )
born-digital   ( sobekcm )
Electronic Thesis or Dissertation

Notes

Abstract: The need for adaptive security mechanisms is growing, driven by the increasing automation and modularity of attack tools, the prevalence of dynamic service-oriented architectures and the greater availability of network analysis data. In order to facilitate the evaluation and enforcement of access control policies based on real-time analysis data, a framework for the collection, analysis and dissemination of security data is proposed. In demonstrating its implementation, the framework is integrated with a web server and is used to provide a quantitative risk assessment based on data from vulnerability exploitation attempts. While maintaining high availability for non-affected entities, the percentage of denied intrusive requests is increased by triggering more restrictive permissioning in the face of escalating risk from external nodes and to system resources. A detailed performance analysis is also conducted that compares the proposed framework with an ordinary webserver and demonstrates the ability of the framework to handle high request loads in excess of one million transactions per day.
General Note: In the series University of Florida Digital Collections.
General Note: Includes vita.
Bibliography: Includes bibliographical references.
Source of Description: Description based on online resource; title from PDF title page.
Source of Description: This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Statement of Responsibility: by Hassan Rasheed.
Thesis: Thesis (Ph.D.)--University of Florida, 2009.
Local: Adviser: Chow, Yuan-Chieh R.

Record Information

Source Institution: UFRGP
Rights Management: Applicable rights reserved.
Classification: lcc - LD1780 2009
System ID: UFE0024262:00001



Full Text

INTEGRATING ACCESS CONTROL WITH REAL-TIME ASSESSMENT: ADAPTIVE SECURITY THROUGH THE ACQUISITION, ANALYSIS AND APPLICATION OF CONTEXT DATA

By

HASSAN RASHEED

A DISSERTATION PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY

UNIVERSITY OF FLORIDA

2009

© 2009 Hassan Rasheed

He, the Creator, is the Ever Living; none has the right to be worshipped but He, so invoke Him, making your worship pure for Him alone. All the praise and thanks be to Allah, the Lord of all that exists. (Qur'an 40:65)

ACKNOWLEDGMENTS

I thank the Creator for His continuous mercy and favor and my parents for their continual support and selfless care; and I thank all of those who have contributed to my intellectual development throughout my studies.

TABLE OF CONTENTS

ACKNOWLEDGMENTS
LIST OF TABLES
LIST OF FIGURES
ABSTRACT

CHAPTER

1 INTRODUCTION
  1.1 Motivation: Paradigm Shifts in System Security
    1.1.1 Changing Nature of Attacks
    1.1.2 Changing Deployment Environments
    1.1.3 Greater Emphasis on Distributed Data Analysis
  1.2 Challenges Faced
    1.2.1 The Nature of Context Information
    1.2.2 Applying Security Data for Improved Access Control
  1.3 Approach
  1.4 Summary of Results
  1.5 Significance and Impact
  1.6 Organization of this Report

2 RELATED WORK
  2.1 Context Information
    2.1.1 Existing Definitions of Context
    2.1.2 Redefining Context
    2.1.3 Context Representation
  2.2 Systems Integration
    2.2.1 Horizontal Integration
    2.2.2 Vertical Integration
    2.2.3 Summary on Integration
  2.3 Integration of Security Controls
  2.4 Use of Threat, Risk and Trust in Access Control
  2.5 Intrusion Response

3 GENERAL APPROACH PART 1: CONTEXT ACQUISITION
  3.1 Introduction and Design Goals
  3.2 Survey of Context Acquisition Approaches
    3.2.1 Closed/Coalition Approach
    3.2.2 Open/Federation Approach
  3.3 A Coalition-Based System for Context Acquisition
    3.3.1 Information Model
      3.3.1.1 Access control
      3.3.1.2 Intrusion detection
      3.3.1.3 Intrusion response
      3.3.1.4 Model overview
      3.3.1.5 Security event
      3.3.1.6 Access request
      3.3.1.7 Intrusion attempt
      3.3.1.8 Intrusion response
    3.3.2 Implementation
    3.3.3 Summary of the Coalition Approach to Context Acquisition
  3.4 A Federated System for Context Acquisition
    3.4.1 Approach
    3.4.2 The Use of Event Correlation in Federated System
    3.4.3 Available Correlation Methods: A Taxonomy of Event Correlation Approaches for Security Data
      3.4.3.1 Taxonomy of alert correlation methods based on outcome
      3.4.3.2 Taxonomy of alert correlation methods based on means
    3.4.4 Selecting an Effective Ontology Approach
    3.4.5 A Hybrid Event Ontology
      3.4.5.1 The basis for a common ontology
      3.4.5.2 The proposed ontology
  3.5 Summary

4 GENERAL APPROACH PART 2: CONTEXT ANALYSIS
  4.1 Introduction and Design Goals
  4.2 A High-Level Ontology of Security Assessment Information
    4.2.1 Core Assessments
      4.2.1.1 Risk
      4.2.1.2 Trust
      4.2.1.3 Dependability and importance
    4.2.2 Composite Assessments
      4.2.2.1 Threat
      4.2.2.2 Impact
  4.3 Summary

5 GENERAL APPROACH PART 3: CONTEXT APPLICATION
  5.1 Introduction
  5.2 Context-Based Policy Evaluation
    5.2.1 Access Control Schema Extension
    5.2.2 Application Scenarios
  5.3 Context-Based Threat Response
  5.4 Summary

6 ADAPTIVE RISK-AWARE ACCESS CONTROL FOR WEB SERVERS
  6.1 Introduction
    6.1.1 Connection Between the Implementation and Previous Chapters
    6.1.2 Implementation Overview
  6.2 Intrusion Response and Attack Resistance
    6.2.1 Strategy Selection
    6.2.2 Response Triggering
  6.3 Notion of Risk and a Preliminary Risk Assessment Model
    6.3.1 Analysis Model
  6.4 Triggering Restricted Permissioning With Risk Data
  6.5 Abacus Framework Architecture
  6.6 Updates and Modifications to the Initial Model and Architecture
    6.6.1 Performance Issues With the Initial Architecture
    6.6.2 Solution 1: Caching
    6.6.3 Solution 2: Redesigning the Analysis Algorithm and Refactoring the Architecture
    6.6.4 Revised Risk Assessment Model
    6.6.5 Restructured Architecture
  6.7 Summary

7 RESULTS
  7.1 Testing Setup
  7.2 Validation of Analysis Model
  7.3 Web Server Attack Resistance Results
  7.4 Performance Analysis
    7.4.1 Performance Testing Methodology
    7.4.2 Performance of Initial Abacus Framework
    7.4.3 Performance of Abacus Framework with Recursive Analysis Model
    7.4.4 Performance Comparison for ABACUS Framework and Ordinary Apache Webserver

8 CONCLUSIONS
  8.1 Conclusions Produced By Examination of the General Approach
    8.1.1 Data Acquisition
    8.1.2 Data Analysis
  8.2 Conclusions On the Implementation and Testing of the Concrete Implementation
    8.2.1 Data Quality
    8.2.2 Changes From the General Approach to the Concrete Implementation
    8.2.3 Effectiveness and Performance
  8.3 Future Work

REFERENCES

BIOGRAPHICAL SKETCH

LIST OF TABLES

5-1 Escalation of threat in subsequent requests by two different sources. When the threat is assigned to individual sources separately, the system is able to distinguish between malicious and non-malicious subjects.

5-2 Escalation of threat in subsequent requests by three different hosts on a common target. When the effect of requests from different subjects to the same object is considered in aggregate, the system is able to contextualize individual requests into an overall pattern of interaction with the object.

5-3 Selected intrusion response strategies. Each general response strategy is listed along with its appropriate use case, its implementation at the access control level and the contextual properties that constrain its application.

7-1 A summary of the simulation results for scenario one, simulating an attack from a single source on multiple system resources.

7-2 A summary of the simulation results from scenario two, simulating an attack from multiple sources on a single system resource.

7-3 A summary of the simulation results from scenario three, simulating an attack from multiple sources on multiple system resources.

7-4 Traffic statistics for three top websites in December 2008.

7-5 Estimated peak performance for the ABACUS framework with current testing constraints.

LIST OF FIGURES

3-1 Diagram of a security coalition. Each security component has to interact with all of the other components in order to access their data. This architecture is limited in extensibility because each time a new member is added to the coalition, all of the other members must be adapted to use its interface.

3-2 The anatomy of a security component in an open architecture. The core decision mechanism is responsible for placing new events into the mechanism's event data store, which subsequently provides the data to other consumers. The core decision mechanism also pulls data from the component's event consumer module in order to enforce policy based on external event information. The event consumer module includes a policy describing the different types of events that should be drawn from the event provider; this interaction is depicted in Figure 3-3.

3-3 Security components with a common event provider. Rather than having to interact with each other member of the system, the components can now access data through a common event provider.

3-4 The anatomy of a security component in an open architecture. The core decision mechanism is responsible for placing new events into the common event provider, which is now an external service instead of the previous data store that was contained in the mechanism itself. The core decision mechanism also pulls data from the component's event consumer module in order to enforce policy based on external event information. The event consumer module includes a policy describing the different types of events that should be drawn from the event provider; this interaction is depicted in Figure 3-3.

3-5 Security event information model.

3-6 The flow of data between an IDS and a web server under the coalition-based implementation.

3-7 Taxonomy of the means used to achieve alert correlation.

3-8 Ontology for inter-domain event correlation.

4-1 Core assessment classes. Importance, trust and dependability assessments for entities. Threat and impact assessments for access requests. Value and risk assessments for the action of an access request.

4-2 Assessment factors for three assessment types: trust, risk and dependability. The class Assessment is also a subclass of AssessmentFactor because of the composite assessments that are derived from other assessments. The assessment factors for threat are the risk of the request and the trust granted to the subject. The assessment factors for the impact are the dependability and importance of the object and the risk of the request.

5-1 XACML rule including source-centered threat. This rule demonstrates the extension of the XACML schema with a new property, total-source-threat. This property is designated as an attribute of the subject of the request. An integer function is used to compare the value returned for this property with the designated value of 20. If the total-source-threat property is greater than or equal to this value, then the rule has the effect of causing the request to be denied.

5-2 XACML rule including target-centered threat. This rule demonstrates the extension of the XACML schema with a new property, total-target-threat. This property is designated as an attribute of the resource being accessed. An integer function is used to compare the value returned for this property with the designated value of 30. If the total-target-threat property is greater than or equal to this value, then the rule has the effect of causing the request to be denied.

5-3 XACML rule including an attribute indicating that a resource is locked. This rule demonstrates the extension of the XACML schema with a new property, resource-lock-status. This property is designated as an attribute of the resource being accessed. A boolean function is used to compare the value returned for this property with the designated value of 'true'. If the resource-lock-status property is true, then the rule has the effect of causing all requests to this resource to be denied.

5-4 XACML rule including an attribute indicating that a user account is locked. This rule demonstrates the extension of the XACML schema with a new property, user-account-lock-status. This property is designated as an attribute of the subject initiating the request. A boolean function is used to compare the value returned for this property with the designated value of 'true'. If the user-account-lock-status property is true, then the rule has the effect of causing all requests from this source to be denied.

5-5 XACML rule including a property to restrict a specific permission. This rule demonstrates the extension of the XACML schema with a new property, user-write-prohibit. This property is designated as an attribute of the subject initiating the request. The Policy Decision Point will be extended with a new module that provides the logic to provide a current value for this property. A boolean function is used to compare the value returned for this property with the designated value of 'true'. If the user-write-prohibit property is true, then the rule has the effect of causing the request to be denied.

6-1 Sample risk progression for an intruder executing intrusive requests of moderate severity.

6-2 Architecture for the ABACUS framework.

6-3 Apache configuration directive that establishes a SourcePermissionRestrict access handler to evaluate all requests to resources in the directory '/s'. The directive also establishes four risk thresholds, each for a different action. These thresholds are subsequently used by the access handler to compare against the current risk evaluation for the source of the request, with the request being denied if the source's risk exceeds the threshold. The final variable, SourceLockoutThreshold, establishes that once the risk attached to the source exceeds 41, all requests from that source will be denied.

6-4 Pseudocode for the access control model that performs restriction of source permissions based on a risk assessment obtained from an analysis server. It retrieves a risk assessment for the source from the analysis server and then compares it with the appropriate threshold for the action being performed.

6-5 Apache configuration directive for a custom authentication handler. Three different thresholds, or properties, are established which could be used to trigger the use of authentication. A value is also set for AuthExpiration which ensures that, once authenticated, users are only re-authenticated every 300 seconds (five minutes) at most.

6-6 Pseudocode for the authentication module. Authentication is required if any of the established risk thresholds are exceeded.

7-1 Simulation results from the validation of the analysis model showing risk estimates for the sources detected as intrusive. (A) Using only concrete vulnerability filtering. (B) Using concrete vulnerability filtering and configuration verification.

7-2 Simulation results from the validation of the analysis model showing risk estimates for targets being attacked by intrusive requests. (A) Using only concrete vulnerability filtering. (B) Using concrete vulnerability filtering and configuration verification.

7-3 Access control policies for the two servers during scenario one, simulating an attack from a single source on multiple system resources. (A) Server two. (B) Server one. The first policy (A) establishes an access handler that uses system-level risk data and sets a threshold of 65 for the system risk, beyond which requests will be denied. The second policy (B) establishes an access handler that uses source risk data and sets a threshold of 45 for the source risk, beyond which requests from that source will be denied.

7-4 The growth of the risk from the intruder in scenario one.

7-5 Access control policies for the two servers during scenario two, simulating an attack from multiple sources on a single system resource. (A) Server two. (B) Server one. The first policy (A) establishes an access handler that uses system-level risk data and sets a threshold of 65 for the system risk, beyond which requests will be denied. The second policy (B) establishes an access handler that uses target risk data and sets a threshold of 45 for the target risk, beyond which requests to that target will be denied.

7-6 The growth of risk for the targeted resource in scenario two.

7-7 Access control policies for the two servers during scenario three, simulating an attack from multiple sources on multiple system resources. (A) Server two. (B) Server one. The first policy (A) establishes an access handler that uses system-level risk data and sets a threshold of 65 for the system risk, beyond which requests will be denied. The second policy (B) establishes an access handler that uses three different risk properties to trigger the requirement of authentication. The system risk threshold is 65, the source risk threshold is 33 and the target risk threshold is 45. A time limit for the expiration of a valid authentication is set at 300 seconds using the AuthExpiration property.

7-8 Statistics for ABACUS framework version 1 during a simulation with ten concurrent users, one of which was an intruder. Graphs show time to serve requests for different breakdowns of the set of requesting users. (A) Requests from all users. (B) Requests from the intruder. (C) Requests from non-intrusive users. These graphs establish that the time to process requests was increasing throughout the simulation and that this was due to the increased time it took to process requests from the intruder, which required more data to be aggregated and analyzed in order to produce a risk assessment.

7-9 Statistics for ABACUS framework version two. (A) Time to serve requests for the web server. (B) Time to serve requests for the analysis server. The graphs correspond to a simulation with 100 concurrent users for the entire duration of the test (10 minute stress test).

7-10 Statistics for ABACUS framework version two. (A) Alert processing time. (B) Alert receiving time. The graphs correspond to a simulation with 100 concurrent users for the entire duration of the test (10 minute stress test).

7-11 Additional stress test statistics for ABACUS framework version two. (A) Using 110 concurrent clients. (B) Using 175 concurrent clients. (C) Using 200 concurrent clients.

7-12 Web server comparison using a randomized delay between 0 and 1 second between requests. (A) Response time. (B) Concurrency. (C) Transaction rate.

7-13 Web server comparison using a randomized delay between 0 and 10 seconds between requests. (A) Response time. (B) Concurrency. (C) Transaction rate.

7-14 Summary of the factor increase in web server response time for the ABACUS framework version two compared to the performance of an unmodified web server.
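The access handlers and authentication module whose captions appear above (Figures 6-3 to 6-6 and the policies of Figures 7-3, 7-5 and 7-7), together with the per-source and per-target threat accounting of Tables 5-1 and 5-2, can be exercised with the following Python sketch. It is an added example written for this page, not the ABACUS code from the dissertation. The threshold values 41, 65, 33, 45 and 300 seconds are the ones quoted in the captions; everything else is an assumption made for the illustration: the four per-action thresholds (the captions do not name the actions, so HTTP methods are used), the risk model (running sum of the severities of the alerts that survive concrete vulnerability filtering, with system risk taken as the largest risk held by any entity) and the IDS alerts, which are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Thresholds. Lockout (41), system (65), authentication (33 source / 45 target,
# 300 s expiration) are the figure-caption values; the per-action thresholds
# are assumed, since the captions only say that there are four of them.
ACTION_THRESHOLDS = {"GET": 40, "POST": 30, "PUT": 25, "DELETE": 20}
SOURCE_LOCKOUT_THRESHOLD = 41
SYSTEM_RISK_THRESHOLD = 65
AUTH_SOURCE_THRESHOLD = 33
AUTH_TARGET_THRESHOLD = 45
AUTH_EXPIRATION = 300


@dataclass
class RiskStore:
    """Risk per source and per target, fed by IDS alerts.

    Assumed analysis model: risk is the running sum of the severities of the
    alerts that pass 'concrete vulnerability filtering', i.e. alerts whose
    exploited vulnerability is actually present on the target.
    """
    vulnerable: dict                       # target -> set of vuln ids present
    source_risk: dict = field(default_factory=lambda: defaultdict(int))
    target_risk: dict = field(default_factory=lambda: defaultdict(int))

    def ingest(self, source, target, vuln, severity):
        """Count the alert; return False if it was filtered out."""
        if vuln not in self.vulnerable.get(target, set()):
            return False
        self.source_risk[source] += severity
        self.target_risk[target] += severity
        return True

    def system_risk(self):
        """Assumed aggregation: the highest risk held by any entity."""
        return max([0, *self.source_risk.values(), *self.target_risk.values()])


def source_permission_restrict(store, source, action):
    """Handler in the style of Figure 6-4: fetch the source's risk, deny
    outright above the lockout threshold, otherwise compare with the
    threshold of the requested action. Returns (allowed, reason)."""
    risk = store.source_risk.get(source, 0)
    if risk > SOURCE_LOCKOUT_THRESHOLD:
        return False, "source locked out"
    if risk > ACTION_THRESHOLDS.get(action, 0):
        return False, f"{action} restricted at source risk {risk}"
    return True, "ok"


def system_risk_restrict(store):
    """Policy (A) of Figures 7-3/7-5/7-7: allow only while system risk <= 65."""
    return store.system_risk() <= SYSTEM_RISK_THRESHOLD


def authentication_required(store, source, target, last_auth, now):
    """Authentication module of Figure 6-6: required if any threshold is
    exceeded, unless an earlier authentication is still within AUTH_EXPIRATION."""
    if last_auth is not None and now - last_auth < AUTH_EXPIRATION:
        return False
    return (store.system_risk() > SYSTEM_RISK_THRESHOLD
            or store.source_risk.get(source, 0) > AUTH_SOURCE_THRESHOLD
            or store.target_risk.get(target, 0) > AUTH_TARGET_THRESHOLD)


def run_scenario():
    """One intruder probing two resources while a benign client keeps working
    (the situation of Table 5-1 and scenario one). Alerts are constructed."""
    store = RiskStore(vulnerable={"/s/app": {"v1"}, "/s/admin": {"v2"}})
    alerts = [  # (source, target, vulnerability id, severity)
        ("10.0.0.9", "/s/app", "v1", 15),
        ("10.0.0.9", "/s/app", "v9", 15),    # v9 not present on /s/app: filtered
        ("10.0.0.9", "/s/admin", "v2", 20),
        ("10.0.0.9", "/s/admin", "v2", 20),
    ]
    trace = []
    for alert in alerts:
        store.ingest(*alert)
        trace.append((store.source_risk["10.0.0.9"],
                      source_permission_restrict(store, "10.0.0.9", "GET")[0],
                      source_permission_restrict(store, "10.0.0.9", "DELETE")[0]))
    benign_ok = source_permission_restrict(store, "10.0.0.5", "DELETE")[0]
    auth_now = authentication_required(store, "10.0.0.9", "/s/app", None, 1000)
    auth_cached = authentication_required(store, "10.0.0.9", "/s/app", 800, 1000)
    return trace, benign_ok, system_risk_restrict(store), auth_now, auth_cached


if __name__ == "__main__":
    for item in run_scenario():
        print(item)
```

Running it shows the escalation the captions describe: the filtered alert leaves the intruder's risk at 15, the second real exploit attempt raises it to 35 so that DELETE is refused while GET still succeeds, and the fourth pushes it past the lockout value so every request from 10.0.0.9 is denied, while the benign client at 10.0.0.5 is untouched and the system-level policy (threshold 65) never fires. The same source risk forces authentication unless a completed authentication is less than 300 seconds old.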

Abstract of Dissertation Presented to the Graduate School of the University of Florida in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy

INTEGRATING ACCESS CONTROL WITH REAL-TIME ASSESSMENT: ADAPTIVE SECURITY THROUGH THE ACQUISITION, ANALYSIS AND APPLICATION OF CONTEXT DATA

By

Hassan Rasheed

May 2009

Chair: Randy Y. C. Chow
Major: Computer Engineering

The need for adaptive security mechanisms is growing, driven by the increasing automation and modularity of attack tools, the prevalence of dynamic service-oriented architectures and the greater availability of network analysis data. In order to facilitate the evaluation and enforcement of access control policies based on real-time analysis data, a framework for the collection, analysis and dissemination of security data is proposed. In demonstrating its implementation, the framework is integrated with a web server and is used to provide a quantitative risk assessment based on data from vulnerability exploitation attempts. While maintaining high availability for non-affected entities, the percentage of denied intrusive requests is increased by triggering more restrictive permissioning in the face of escalating risk from external nodes and to system resources. A detailed performance analysis is also conducted that compares the proposed framework with an ordinary web server and demonstrates the ability of the framework to handle high request loads in excess of one million transactions per day.

PAGE 16

CHAPTER1 INTRODUCTION Oneofthemostsignicantchallengesinthesecuritydomainisthedevelopmentof securitymechanismswiththecapabilitiesofdynamic,contextawarebehavior.Theword contextawarenessmeansdierentthingsinvariousdomains,butherewerefertothe generalabilityofasoftwaredevicetoadjustitsbehaviorbasedonitsperceptionofthe environmentitoperatesin.Thisisstillaverybroadconcept,butwillbefurtherspecied inthecourseofthediscussion. Securitymechanismsoftenoerassessmentsorevaluationsofvariousrequestsand events,forexample:evaluatingthevalidityofarequestforauthorizationoranalyzingan eventforintrusivecharacteristics.Anyassessmentisbasedonassumptionsbothimplicit andexplicitaboutthecurrentenvironment:explicitassumptionsmayoftenbemodeled inapolicywhereasimplicitassumptionsaresubsumedintheunderlyingmodelusedfor decisionmaking.Theroleofcontextdataisthentoeitherkeepthoseexplicitassumptions accurateiftheyexist,ortointroduceimportantparametersinthedecision-makingprocess iftheyhavebeenleftout.Therearethreeprimarymotivationsforthecurrentapproach: theenvironmentsinwhichsecuritymechanismsaredeployedarechanging,theattacks themselvesthatmustbeguardedagainstarechanging,andtheemergingopportunityto leveragedatasourcesprovidingvaluablesecuritydata. 1.1Motivation:ParadigmShiftsinSystemSecurity 1.1.1ChangingNatureofAttacks Therearetwoprimarymotivatingsub-factorstowardsproducingsecuritymechanisms withanimprovedabilitytodealwithachangingenvironment:thechangingnatureof attacks,andmovetowardsutilizingsecuritymechanismsinserviceorientedarchitectures. Thechangingnatureofattackswasnotedin[1]andhassincebeenconrmedinvarious otherreports.Amongstthefactorsnotedinthereportwerethefollowing: 1. Theautomationandspeedofattacktools -eachofthefourcommonphasesofautomatedattacksscanning,compromising,propagatingandcoordinatedmanagement 16

PAGE 17

arebeingdonemorequicklyandeectively.Attacktoolsuseexploitsinthemidst ofscanningandautomaticallyinitiateattackcycles.Coordinatedmanagementis facilitatedbywidelyusedcommunicationsprotocolssuchasinstantmessaging.As aresult,thewindowofresponsebeforeanattackmovesontothenextstageisno longerbasedontheresponsetimeofahumanattackerandthereforeeasilyoutpaces ahumanadministratorsabilitytorespond. 2. Theincreasingsophisticationofattacktools -attackersincreasinglyusetechniques toconcealthenatureofthetoolstheyuse.Toolsthemselvesaremoremodular andexhibitmoredynamicbehavior.Becauseoftheanti-forensicbehavior,previous detectionmethodsusinglow-levelorisolatedindicatorsmayfailtodetectattacks thatotherwisemightbeevidentusingmultiplerelatedpiecesofevidence. 3. Fasterdiscoveryofvulnerabilities -thenumberofnewvulnerabilitiesreported morethandoubleseachyear,oftenduetoexaminationofexistingcodefornewly discoveredvulnerabilityclasses.Thisimpliesawidernumberofavailableattack vectorsatanygivenpointintime.Italsoimpliesthatthepotentialforpublicizing vulnerabilitieswillcreatemoreoccurrencesofwidespreadexploitationofthesame vulnerability.Inits2007annualreportIBM'sInternetSecuritySystemsISSgroup reportedthatvulnerabilitiesin2007weredownvepercentcomparedto2006. However,thenumberofthosevulnerabilitiesthatwereclassiedasseverehigh impactroseby28percent[2].Highimpactvulnerabilitiesarethosethatallow immediateremoteorlocalaccess,orimmediateexecutionofcodeorcommands withunauthorizedprivileges.Thereportalsonotedthatofallofthevulnerabilities newlydiscoveredin2007,thatonly50%ofthemarecorrectablewithavendor patch,meaningthatmoreandmorevulnerabilitiesareofasevere,uncorrectable nature. 4. Increasinglyasymmetricthreat -attackscannowbelaunchedusinglargenumbers ofdistributedsystems,meaningthatthetraditionalone-to-onerelationshipbetween victimandattackerwillincreasinglybeaone-to-manyrelationship. 
1.1.2ChangingDeploymentEnvironments Thesecondmotivatingfactoristheneedforsecuritytasksimplementedundera serviceabstractionthatcanbeusedindistributedserviceorientedarchitectures.Service orientedcomputinghasgrownduetothegrowthoftheWebandWebServices.Withthis growth,hascomeagreaterneedfordatasecurity.In[3]severalchallengestoproviding securityservicesarediscussed.Anumberofthesechallengesarerelatedtothenotionof context-awarenessandcontextdatasharing.Thechallengesinthisregardfallinthree 17

PAGE 18

mainareas:contextdataacquisition,analysisandapplication.Amongthequestionsraised arethefollowing: Shoulddecisionpointtodecisionpointinteractionsforshareddecisionmakingbe directormediated Howwillsharedcontextinformationbemanaged Howcanwebuildservicesthatcanmakeuseofpastcontexthistoryandgetaround thestatelessinput/outputmodelforservices Howcaninherentlycontext-dependentservicessuchasintrusiondetectionbe implementedasservices Allofthesechallenges,however,leadtotheconclusionthatcontextinformationand consequentlymechanismsadaptedtousecontextdataarecriticaltothedevelopmentof secureserviceorientedarchitectures.Asoneofthethreeprimarysystemsecurityfunctions notedin[4],therequirementsplacedonaccesscontrolsystems,andconsequentlytheir needtoexhibitcontextawarenessareamongthehighestofanysecuritymechanism. Accesscontrol,morethanperhapsanyothersecuritymechanism,isalsoinneedofthis capabilityasitoftenservesastherstlineofdefenseagainstattacksandintrusionsboth attheapplicationandnetworklevel. 1.1.3GreaterEmphasisonDistributedDataAnalysis Astherealizationhasgrownthattherearesomefundamentallimitationswith individualintrusiondetectionsystems[5],interesthasgrowninleveragingmultiple intrusiondetectionsystemswiththeexpectationthatmoredatawillleadtomoreaccurate analyses.Theseeortsbeganwithcorrelationresearch[6,7,8,9,10,11,12]whichfocused onrelativelysmallsetsofdatacontributors.Ithasalsorecentlygrowntoincludewideareaorglobaldataanalysiseortsthatutilizelargesetsofintrusiondetectionsystems [13,14,15,16]inlookingfornewandemergingthreats.Thequestionofwhattodowith thesevastamountsofdataoncewehavethemhaslargelygoneignoredhowever-the primaryassumptionbeingthatadministratornoticationistheonlydependableway 18

PAGE 19

tomakeuseofsuchdata.Thereis,however,anopportunityforthedesignofsecurity mechanismssuitedtousingsuchdatathatcanperformsomelimitedtaskstoimprove responsetime. 1.2ChallengesFaced Therearechallengesontwomainlevelstotheconstructionofeectivecontext-aware securitysystems.Thersttyperelatetoalltypesofsystemsinwhichcontext-awareness isadesigngoal.Thesearedicultiesrelatedtotheacquisition,analysisandapplication ofthecontextinformation.Theseproblemsarisefromthenatureofthedatabeing collectedandthesensorsprovidingthedata:thefactthattheyarelargelyautonomous, heterogeneousanddistributed. Thesecondtypeofchallengearethosearisingfromtheparticularapplicationdomain. Theseproblemsincludetherateofincomingdata,thehighrateofinaccuracieswith securitydataandtheresultinguncertaintyforaectingresponsestointrusions.Another challengeatthislevel-becauseweareseekingtoutilizecontextdataattheaccesscontrol level-isensuringthatadaptingthesystemtorelyoncontextualinformationdoesnot proveprohibitivelyslowfromaperformanceperspective.Thechallengesforapplying contextdataalsoincludepreventingandmitigatingthenegativeeectsofintrusionswhile maintainingahighlevelofserviceavailability. 1.2.1TheNatureofContextInformation Dealingwithrepresentationsofcontextdatatomakesuchresponsivenesspossible,is inherentlycomplex.Thereareseveralinherentdicultiesdealingwithcontextinformation discussedin[17]includingthefollowing:therangeoftemporalcharacteristicsexhibited, highdegreeofinterrelatedness,inaccuraciesorimperfectionsinthedataandlarge numberofalternaterepresentations.Addtothis,thefactthatservicestodealwith contextareapplicationspecic[18]andthetaskofmanagingcontextdatabecomeseven moreimposing.Thesediculties,however,haveonlybeenconfrontedintherealmof securityinaverylimitedway.Someapproachestoalertcorrelationdealwithreceiving 19


heterogeneous, interdependent and possibly imperfect pieces of data, but making that data usable by other security components has not yet been the goal.

To further specify the challenges in this arena, we break the task of context-awareness down into three sub-tasks: acquisition, analysis and application. Context data acquisition is complicated by the fact that the sources for context data in this domain are very diverse, sometimes possessing their own specialized domain-specific standards. This is a somewhat unique challenge, as the approaches to acquiring context data in a pervasive computing environment rely on data sources that are passive sensors producing relatively low-level data. More specifically, an effective approach towards context data acquisition amongst security services must deal with the inherent autonomy, heterogeneity and distribution present in current security mechanisms.

As a result of the intricacies and uniquenesses in security data, efficient context analysis techniques suited to security data must also be designed to derive key security measures from data that has significant semantic heterogeneities. These context analysis techniques must also be focused on producing actionable data: information that can subsequently be used to adapt policies and behaviors and enact responses to changing circumstances.

1.2.2 Applying Security Data for Improved Access Control

The notion of using security data for policy enforcement assumes a level of accuracy for the sensors that is often not present for security sensors. In particular, considering the class of intrusion detection systems, a number of issues with data inaccuracy have been noted in the research, both on a practical and theoretical level [5]. Generically, the problems are divided into two types: (1) false positives, which are incidents detected as intrusive that are in reality benign, and (2) false negatives, which are incidents that are intrusive but are categorized as benign or simply missed altogether. Another issue is the sheer number of alerts that are generated by intrusion detection systems - this places


constraints on the performance of the techniques used for storage and analysis to be able to keep up with the incoming stream of data.

1.3 Approach

In order to address the general issues regarding architecting context-aware systems, we develop a general framework for the collection, analysis and dissemination of security data. The acquisition approach will focus on the different architectures and mechanisms that can be employed for integrating data from multiple sources. One such solution will be a tightly integrated system suited to small deployments but lacking in extensibility. The other acquisition architecture will provide greater extensibility by utilizing a service-oriented abstraction. The analysis approach will develop a set of critical analysis measures after examining the reasonable techniques for analyzing security data. The approach to application will be more domain-specific, surveying the available intrusion response controls and the techniques for activating them.

An implementation will be discussed that focuses on addressing some of the concerns specific to the use of security data, including performance and data inaccuracies. This system will also provide a platform for testing the enforcement of access control policies based on real-time analysis data. The implementation framework will include a web server as the primary access control mechanism. The analysis process will then produce entity-specific risk assessments based on data from vulnerability exploitation attempts. The data will then be applied to resolve context dependencies at the access control policy level and regulate permissions based on established risk thresholds.

1.4 Summary of Results

While maintaining high availability for non-affected entities, we are able to show an increased ratio of denied intrusive requests by triggering more restrictive permissioning in the face of escalating risk from external nodes and to system resources. We also provide performance analysis comparing the proposed framework with an ordinary web server and


demonstrating the ability of the framework to handle high request loads in excess of one million transactions per day.

1.5 Significance and Impact

This approach demonstrates the feasibility of such adaptive security measures both in terms of effectiveness at limiting attacks and in maintaining high request throughput. The impact of the approach is primarily in demonstrating more careful, tailored response usage as a result of more detailed data analysis. Previous approaches that used data from assessment mechanisms in the performance of access control were primarily focused on integrating the performance of intrusion detection and access control in one mechanism - as a result, the data analysis was minimal and the resulting responses based on context data were applied at a system-wide level. By generating context analysis data for specific sources and targets, preventative measures such as forcing additional authentication are applied more efficiently and only when necessary. Stronger response methods such as locking out user accounts can also be utilized because the scope is more granular.

Experimentation will focus on the utilization of a few key responses at the access control level: forcing additional authentication, restricting user permissions, locking user accounts and restricting access to threatened services. We will show that the resultant system is able to:

1. Use response methods more efficiently - decrease the number of requests for additional authentication that must be handled in situations of elevated threat, by elevating threat levels only for specific sources and targets.

2. Limit intrusive behavior while maintaining resource availability - decrease the number of requests coming from threatening sources that are permitted, using permission restriction and account locking, while maintaining resource availability for legitimate requests.

3. Ensure greater integrity and confidentiality protection for select resources - limit risks to confidentiality and integrity by restricting access to selected services in cases where confidentiality and integrity are of greater concern than complete availability.
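The per-source and per-target risk thresholds described above, worked through as an added example (this is illustrative code, not the dissertation's implementation): alert fields, severity weights, threshold values and the sample alerts are all assumptions, and the four responses are the ones named in this section.

```python
"""Added example, not the dissertation's own code: a toy risk-threshold
response selector for the four access-control responses named in Section 1.5.
Risk is tracked per external node (source) and per resource (target), so a
response is triggered only for the entities actually involved rather than
system-wide.  Alert fields, weights, thresholds and sample alerts are all
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Alert:
    """One intrusion-detection alert after conversion into a common schema (assumed)."""
    source: str      # external node that issued the request, e.g. a client address
    target: str      # resource on the web server the request was aimed at
    severity: float  # assumed analyst-assigned weight for the exploitation attempt
    ts: float        # time of the alert, in seconds


@dataclass(frozen=True)
class RiskPolicy:
    """Thresholds are assumed values; each one selects a more restrictive response."""
    step_up_auth: float = 1.0         # force additional authentication
    restrict_permissions: float = 2.5
    lock_account: float = 4.0
    restrict_service: float = 8.0     # close the threatened resource to everyone
    window: float = 600.0             # only alerts this recent contribute to risk


class RiskAssessor:
    """Accumulates alerts and answers access-control queries with a response name."""

    def __init__(self, policy: RiskPolicy) -> None:
        self.policy = policy
        self.alerts: List[Alert] = []

    def publish(self, alert: Alert) -> None:
        """Provider side: alerts are pushed into the shared store as they occur."""
        self.alerts.append(alert)

    def _recent(self, now: float) -> List[Alert]:
        # Only events inside the time window count as context for a decision.
        return [a for a in self.alerts if 0 <= now - a.ts <= self.policy.window]

    def source_risk(self, source: str, now: float) -> float:
        """Risk from an external node: weight of its recent alerts against any target."""
        return round(sum(a.severity for a in self._recent(now) if a.source == source), 6)

    def target_risk(self, target: str, now: float) -> float:
        """Risk to a system resource: weight of recent alerts against it from any source."""
        return round(sum(a.severity for a in self._recent(now) if a.target == target), 6)

    def decide(self, source: str, target: str, now: float) -> str:
        """Select the least restrictive response whose threshold the current risk reaches."""
        p = self.policy
        # Resource-level check first: a service under sustained attack is closed,
        # trading availability for confidentiality and integrity (goal 3 above).
        if self.target_risk(target, now) >= p.restrict_service:
            return "restrict_service"
        r = self.source_risk(source, now)
        if r >= p.lock_account:
            return "lock_account"
        if r >= p.restrict_permissions:
            return "restrict_permissions"
        if r >= p.step_up_auth:
            return "step_up_auth"
        return "allow"


def demo() -> Dict[str, str]:
    """Constructed scenario; returns the decision for several requests at t=1000."""
    now = 1000.0
    ra = RiskAssessor(RiskPolicy())
    # A stale, high-severity alert outside the window: it must not count.
    ra.publish(Alert("10.0.0.7", "/admin", 5.0, 100.0))
    # One node escalates against two resources within the window.
    for src, tgt, sev, ts in (("10.0.0.5", "/admin", 0.6, 900.0),
                              ("10.0.0.5", "/admin", 0.6, 950.0),
                              ("10.0.0.5", "/api", 0.9, 980.0),
                              ("10.0.0.5", "/api", 0.9, 990.0),
                              ("10.0.0.5", "/api", 1.0, 995.0)):
        ra.publish(Alert(src, tgt, sev, ts))
    decisions = {
        "stale_source": ra.decide("10.0.0.7", "/admin", now),
        "escalated_source": ra.decide("10.0.0.5", "/api", now),
        "unaffected_source": ra.decide("10.0.0.99", "/api", now),
    }
    # Many different nodes probe /admin: the resource itself is now threatened,
    # so even a node with no history is refused there.
    for i in range(8):
        ra.publish(Alert(f"10.0.1.{i}", "/admin", 1.0, 990.0))
    decisions["threatened_service"] = ra.decide("10.0.0.99", "/admin", now)
    return decisions


if __name__ == "__main__":
    for request, response in demo().items():
        print(f"{request:20s} -> {response}")
```

The unaffected node keeps plain access to /api while the escalating node is locked out, which is the availability property claimed in Section 1.4.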


1.6 Organization of this Report

The first section will focus on related work. In this section previous research in context information, systems integration, the integration of security controls, the use of key assessments in access control and intrusion response will be addressed. The next three sections will each address one aspect of the general challenges discussed related to architecting context-aware systems: data acquisition, data analysis and data application. Following this will be a discussion of the system implementation: the analysis model, the architecture and the integration between the framework and the pre-existing access control system. Next, a comprehensive set of testing results from experimentation with the system implementation will be presented. Concluding the sections will be a chapter on the conclusions drawn from the research and a statement on future work.


CHAPTER 2
RELATED WORK

2.1 Context Information

2.1.1 Existing Definitions of Context

There are two definitions of context that will be considered when defining context for the purposes of this study: a linguistic definition and a definition from the pervasive computing area.

Linguistic. The American Heritage Dictionary defines context as "The part of a text or statement that surrounds a particular word or passage and determines its meaning." [19] The Merriam-Webster Dictionary defines context as, "The interrelated conditions in which something exists or occurs" [20].

Pervasive computing. Schilit and Theimer first mentioned the term context-aware more than a decade ago with the explanation that such systems "[adapt] according to the location of use, the collection of nearby people, hosts, and accessible devices, as well as to changes in such things over time." Other definitions have taken a human user-centric view of context, defining it as: "any information that can be used to characterize the situation of an entity. An entity is a person, place or object that is considered relevant to the interaction between a user and an application" [21]. Broader definitions also exist, such as "all the knowledge that constrains problem solving at a given step without intervening in it explicitly" [22].

2.1.2 Redefining Context

There are a few problems with definitions such as those stated above. Firstly, they are either overly broad, lumping many types of information together as context, or they are overly specific, restricting context to types of information useful in the particular application being deemed context-aware.

Intuitively, context is necessary because it clarifies meaning - but definitions that neglect this will adopt information as context that does not add to meaning. Definitions


that only consider context to be information used in a particular application will not be widely usable, and could possibly miss some information that might improve the application.

Another issue is the notion of context ownership. Most of these definitions view contextual information as belonging to an object or entity. But events - the occurrences that change the context of an object or entity - also have their own context: time of occurrence, initiating entity, receiving entity, location, etc. Considering events separately from objects allows us to store temporal information directly, and to begin using the abstraction of an event history within a given domain. This would allow us to describe the semantics attached to other events in close spatial or temporal proximity to the event under examination.

Many applications in the security domain, for instance, typically consider patterns of behavior over time to be a primary type of context. For an application such as intrusion detection, the physical context of a system (with the exception of network topology) is actually irrelevant. In addition, we would like to develop a way of describing context and context-ownership that facilitates context-sharing among entities in a given domain. This would be difficult if we consider a model where only objects possess context. If we were to develop a model based on the additional abstraction of an event along with objects, then we could begin to describe the context of an event: its time, its actor, its subject. And context-sharing becomes as easy as providing event information to all objects in the domain where the event occurred.

Logical context definition. Context is the set of interrelated conditions surrounding an entity or event, such that when they are considered together they give a full and complete usage or applied meaning to an entity or situation. These properties are not inherent to the entity or event and may be changed without affecting the semantics inherent to the item.


2.1.3 Context Representation

Strang et al. [23] cite the following six models for representing context: key value, markup scheme, graphical, object oriented, logic based and ontology based.

They also establish six types of requirements that a ubiquitous computing application would need from a context modeling approach. The six properties of a context model that are most appropriate are:

distributed composition - the ability to compose context information in the absence of a central entity responsible for the

partial validation - the capability of validating context data without all of the related data being present at the same node

formality - the overall level of structure used to organize the context data

applicability - the context model should fit the application it is being used in

incompleteness and ambiguity - in the domain of a security system, incompleteness can be manifested through the missing of events by an intrusion detection system

quality of information - the concern about the quality of information delivered by a single sensor varying over time is less of a concern for well-connected intrusion detection, but the need for a context model that can accommodate varying levels of information quality between sensors is valid. Different intrusion detection systems provide different types and amounts of data on events in the system, and the context model must be able to accommodate this.

Based on these requirements, the most appropriate context-modeling strategy is ontology based. This is also confirmed by Kemmerer et al. [24], who note that a common ontology is an important addition to the efforts by the Internet Engineering Task Force (IETF) to establish an intrusion detection message format and protocol.

2.2 Systems Integration

Before actually addressing the issues needed to achieve an integrated security system, the question as to what constitutes integration must be addressed. In this respect, there


are two major philosophies, both of which have had a significant amount of attention in the areas of system integration and microeconomics.

The first idea is to preserve the existing systems, sometimes called legacy systems, and apply technologies to make them interoperable and achieve the desired overall system, albeit a heterogeneous one. We will refer to this as horizontal integration. A great deal of research on this topic has been done in the area of Information Systems called Systems Integration or Application Integration.

The second idea is to take the requirements fulfilled by each of the legacy systems and develop an entirely new system that fulfills the requirements of all of the old systems, but is homogeneous. We will call this vertical integration. Although the objects to be integrated in our case are somewhat different than those in the fields whose research will be cited, many of the same analyses hold.

2.2.1 Horizontal Integration

There are three main characteristics that distinguish a horizontally integrated system [25]: (1) heterogeneity, (2) autonomy and (3) distribution. From the perspective of systems integration, all of these issues are risks which must be mitigated; in other words, they are things standing in the way of an integrated system. The mitigation process often does not change the fundamental characteristics of the constituent systems, and so the same characteristics are usually present before and after integration. Systems integration views horizontal integration as a goal that must be facilitated, whereas economic theory views vertical integration as a phenomenon that occurs when certain factors are present. Thus, the determinants to be discussed later are usually described as strategies for overcoming these characteristics, but they are factors that lead to a horizontally integrated system nonetheless. Heterogeneity can manifest itself in two main areas: technical and conceptual [26]. Technical heterogeneity can come from differences in things such as hardware platforms, operating systems, database management systems and programming languages. Conceptual heterogeneity can be produced by differing programming and data models


or differences in modeling real-world concepts. Autonomy usually occurs in the areas of design or communication and execution.

Architectures for horizontal integration. The first integration architecture is termed a component coalition. The architecture integrates independent components by providing a custom solution that will link the interfaces of the two components. These coalitions maintain the independence of the individual components in the following ways:

each component has its own interface

each component has independent control of its data and processing

components may provide overlapping or conflict

The second type of integration architecture is a component federation. The main concept underlying component federations is the creation of a platform which can support a myriad of components as long as they conform to a set of standards. The federation provides infrastructure for inter-component communication and data sharing. Therefore, in contrast with component coalitions, component federations are more general-purpose and more flexible.

Mechanisms for horizontal integration. There are two primary mechanisms to facilitate the persistence aspect of data integration: conversion and a common data store. Under the conversion approach, components maintain separate data stores and data is translated to a format consumable by other components. With a common data store, however, there is a single source that accumulates data from all of the components. There are also two mechanisms commonly used to ensure semantics in data integration: a common schema and common data formats. The main method for achieving control integration is message passing. This message passing solution is actually the product of a mechanism to enable communication and a protocol to define the communication pattern.


2.2.2 Vertical Integration

One of the main characteristics that distinguishes vertical integration is the use of internal exchanges within a firm, instead of market or contractual exchanges [27]. Contractual exchanges are those in which the characteristics of the exchange between the two parties (typically price, quantity, etc.) are regulated by a contractual relationship. Another characteristic of a vertically integrated process is centralized control over neighboring stages of production or distribution. An extension of this is the way in which decision making in a vertically integrated firm differs from decision making in a vertically disintegrated one.

Determinants of vertical integration. There are three main factors that produce or lead to vertical integration: technological economies, transaction economies, and market imperfections. Technological economies are situations where less of an intermediate input is necessary to produce the same downstream output, when the exchange is controlled by the same firm. This leads to vertical integration because by taking on a certain task of a production process, a given company can lessen its need for certain resources. Transaction economies are situations where costs associated with the exchange of certain inputs can be lessened by internalizing the process. It is a very similar phenomenon to technological economies.

Advantages. The typically cited advantages to vertical integration that are applicable here are lower transaction costs and synchronization of supply and demand along a chain of products. The disadvantages are a rigid organizational structure and higher organizational costs of switching to other suppliers.

Manifestations of vertical integration in software systems. The theoretical points mentioned above have implications in security integration as well. We will use the characteristics of a vertically integrated business firm to establish what we mean by a vertical integration approach to security. Namely that:

1. The exchange of data between the modules responsible for different tasks is viewed as an internal operation, and utilizes a format that is standard across the entire application


2. The same programmatic entity is responsible for each phase of the security assurance process, or each security task.

2.2.3 Summary on Integration

A vertical approach to integrated security would perform the functions of access control, intrusion detection and intrusion response in the absence of interfaces and protocols between the three modules. Each of these tasks would instead be performed by modules with a shared or centralized control mechanism. A vertically integrated architecture would take advantage of low cost data exchanges between all of the modules and would also offer a higher degree of synchronization.

The approach described above as vertical integration roughly corresponds to the approach to security integration known as merged policy: the operations of access control, intrusion detection and intrusion response are all performed by a single policy evaluation mechanism, working with a single uniform policy. The absence of data exchanges based on interfaces or protocols also points to the fact that all of the operations in a merged policy solution are internal and do not require communication between different independent modules. Consequently, many of the drawbacks cited for vertical integration are also apparent in the merged policy solution: primarily the rigid structure of the solution and the prohibitive cost of using a data provider outside of those packaged in the evaluation mechanism.

The drawbacks of a vertically integrated solution have serious implications for a security system. Intrusion detection began as a means to detect intrusive behavior that could not be explicitly prohibited in an access control-like specification. In addition, many current methods for intrusion detection, using methods such as neural networks or immunology models, could not be satisfactorily represented in a rule-based specification. So there are theoretical as well as practical limits to a vertically integrated security system.

A horizontal approach to integrated security would facilitate interoperability while preserving autonomy and consequently some degree of heterogeneity. Depending upon


the architecture, it might be necessary to devise and enforce contractual relationships between the access control, intrusion detection and intrusion response modules so that data exchange is performed in an agreed upon way. This could take the form of interfaces between each two modules in question. It would also be necessary to provide control and data integration to preserve the granularity of the system components and still provide an integrated solution.

A horizontally integrated solution is more consistent with the characteristics and needs of a distributed system, including distribution, heterogeneity and autonomy for the involved systems. It could also enable a varied set of intrusion detection systems to interact without necessarily enforcing a particular detection method on each of the systems. Such a system would, however, have higher data transaction and processing costs.

For those reasons, therefore, the primary approach to integration will be a horizontal one. Both of the data persistence methods mentioned earlier in this chapter (conversion and a common data store) will be used for this solution. A common schema will be used to provide semantics, and a form of message passing will be used to provide some control integration.

2.3 Integration of Security Controls

We will define security integration loosely to be: the performance of a single security function or task utilizing the data or functionality from what are traditionally considered different security mechanisms. This notion of software components that perform multiple security tasks is not necessarily new, but the formality with which it is being dealt with is increasing. Franqueira [28] notes three basic strategies for 'narrowing the gap' between access control and intrusion detection: merged policy (a single component for AC and IDS using a uniform policy), correlation (both online and offline in logs) and additional information (using access control policies to model normal behavior). With the exception of the merged policy investigation, all of the research cited under correlation and


additional information are implementations of the respective technologies, not attempts to perform access control and intrusion detection in a coordinated way.

Ryutov et al. [29, 30, 31] take the merged policy approach and produce an implementation that seeks to perform access control and intrusion detection in a coordinated manner. They develop a multi-stage policy evaluation mechanism that operates on policies written in a language that has constructs for application level access control and intrusion detection. Unaddressed in this effort is a transparent method for a general access control mechanism to interface with data provided by different intrusion detection systems. In addition, although there has been some recent work on specification-based IDS [32, 33], most IDS systems still do not work on specifications, and the inability to specify the traits of attacks could be a potentially restrictive limitation.

The classification we will use for approaches to security integration will be based on the strategy used for integration, of which there are two: horizontal and vertical integration. We will define a vertically integrated security system as one where: (a) the exchange of data between the modules responsible for different tasks is viewed as an internal operation, and utilizes a format that is standard across the entire application, and (b) the same programmatic entity is responsible for each phase of the security assurance process, or each security task. A horizontally integrated system, then, would be one where: (a) security tasks are performed by relatively autonomous programmatic entities and (b) the exchange of information between those entities is based on standards and an architecture to mitigate the effects of distribution and heterogeneity.

Vertically integrated systems can be somewhat rigid and difficult to expand to include new components or functionality from outside systems.

In reality, all of the approaches to performing access control and intrusion detection that have been done thus far reflect a vertical approach to integration, with the exception of [34], where the focus is using alert correlation to prevent local system resources from being used


to assist in a distributed or coordinated attack. There is still a need for an exploration of an open approach to integrating security components.

2.4 Use of Threat, Risk and Trust in Access Control

In order to utilize data from intrusion detection systems at an access control level, it is necessary to have a foundation upon which the derived context data can be related to traditional access control concepts. Solutions to this issue can be manifested at the policy level, or at the implementation level.

In [35] an extension to RBAC is developed to incorporate the notion of trust. They focus on trust based authorization and make provisions to adjust the trust given to a user dynamically based on the attributes of the user and environment as well as the past access behavior of the user.

The notion of risk is used in conjunction with threat in [36, 37]. The risk that a given request might pose to the system and the trust that should be afforded to the requesting entity are assessed simultaneously. Based on the risk of the request, a trust threshold is established which all requesting entities must meet or exceed in order for their requests to be granted.

An assessment of threat is used to make access control decisions in [38], by assigning a threat threshold which cannot be exceeded to each network resource and then maintaining a threat level for all outside nodes that is dynamically updated when they display suspicious behavior.

What is missing from the preceding efforts is an implementation that can enable access control systems to use the assessment data produced by intrusion detection systems to make decisions that are aware of system context.

2.5 Intrusion Response

In [39] one of the factors used to classify response systems is their method for selecting responses. They are divided into three classes: those that map attacks statically, those that do so dynamically based on some parameters and those that use a calculation


of the relative cost of the intrusion with the cost of the response. Static response selection matches a particular attack with a pre-determined response. Dynamic mapping systems select an appropriate response based on attack metrics. At design time, each attack is associated with a set of responses and then in real time one of the responses is chosen based on the characteristics of the attack. Cost-sensitive response selection determines the best response based on several cost and risk factors. These values may include monetary values, probabilistic measurement or other objective metrics. They may also include relative measurements of organizational security and risk factors.


CHAPTER 3
GENERAL APPROACH PART 1: CONTEXT ACQUISITION

3.1 Introduction and Design Goals

The first necessary stage in architecting context-aware behavior is to gather the data which will influence the behavior of the mechanism. Because the data in question is coming from largely autonomous assessment mechanisms with high degrees of heterogeneity, the acquisition of context data is partially an integration problem. Systems integration approaches typically discuss the architecture, data integration and control integration strategies used to reduce heterogeneity while preserving the autonomy of the involved systems. The other facet of the context acquisition method is the means for discovering relevant context information once heterogeneity has been reduced. Design goals for the approach for context acquisition include:

Dynamic Context Discovery - One of the primary characteristics of the approach for context acquisition will be to provide support for what we will call dynamic context framing. Using the notion that the context of an event consists of other, related events, we then establish a criterion for relatedness that is appropriate for each individual security mechanism and then frame the context of an event based on those two factors. This context acquisition strategy must allow security components to select and receive only that data that is relevant to the decision they are trying to make. Because security mechanisms deal with events, they should be able to select the other events that relate to the event under consideration without necessarily having to process and deal with every event that occurs in the domain. As noted in [40], this property is not so much a desired trait as a required one, as the volume of events processed solely by intrusion detection systems can reach tens of thousands per day. This implies also that the strategy for context acquisition must be able to search for events based on characteristics of relevance. So the first required property of the context acquisition approach is that it must provide relevant data.


Implementation Transparency - Another goal of our approach with regards to acquisition of context data is to allow security mechanisms to acquire data from other security controls while remaining agnostic of their implementation details: that a security component can acquire context data merely by knowing the features of the data it would like to receive. In this case that will entail the features of the event that is being evaluated and the domains from which the data should be gathered.

Provider and Consumer Decoupling - Another necessary feature is that the provider and consumer should be decoupled in time and space. We would like to provide functionality where an event provider can register or publish event information and then consumers can access that data according to their own constraints around what constitutes relevant context data. This also implies that the accesses of the provider are to be asynchronous, while those of the consumers will be synchronous. Decoupling in space is also necessary to support distribution.

Allowing Policy Level Description of Relevant Context - Before we can analyze context data, or even search for it, we must have a means to describe its features and characteristics. One primary way of achieving this is through policy specifications that include the features of context data.

3.2 Survey of Context Acquisition Approaches

In this section we outline two approaches for architecting a system capable of providing on-demand context data and then discuss specific issues relating to how access control and intrusion detection can be brought closer together. Both of the approaches are within the classification of horizontal integration approaches as discussed previously. They differ primarily in whether or not data exchanges are carried out with the use of an external third party. The first architectural approach is a closed one, based around a component coalition. This approach is appropriate for environments where the participants in the architecture are few and will not need to be extended. It relies on point-to-point integration between the interfaces of each participating mechanism. The second approach


we will discuss is an open approach, based around a federation. This approach focuses on providing what amounts to a middleware that facilitates communication between the different mechanisms with a high level of transparency, but a corresponding increase in required development effort.

3.2.1 Closed/Coalition Approach

A component coalition integrates independent components by providing a custom solution that will link the interfaces of the two components. These coalitions maintain the independence of the individual components in the following ways:

each component has its own interface

each component has independent control of its data and processing

Because each component maintains control over its own data and processing, this architecture allows for the desired transparency of intrusion detection method. In addition, this architecture allows the focus to remain on developing effective interfaces for each of the components.

The architecture of the coalition is pictured in Figure 3-1. The movement of data in this architecture is achieved through a pull mechanism on the part of the event consumers. This is necessary, because only select events are actually of interest to the consumers, and the actual attributes of those events are dynamically determined. Each component is pictured as both a provider and consumer, but any one component can serve as a provider or consumer, both or neither.

The diagram in Figure 3-2 describes the sub-parts of each security component. The Core Decision Mechanism (CDM) is the portion of the component that is responsible for fulfilling the primary tasks and responsibilities designated for that component. The flow of data from the Event Consumer (EC) to the CDM is based on a pull request from the CDM. This is based on the assumption that not every context event is relevant to the tasks that the CDM is trying to perform. Thus, as needed, the CDM can request context data using the context discovery policy that the EC contains. The flow of data from the


CDM to the Event Provider (EP) is a push mechanism for much the same reason. It is assumed that not every event processed by the CDM will be useful to publish as context data, and so the CDM can publish select events at its discretion.

Data integration: data store and common schema. In this system, it will be necessary to provide both data semantics and data persistence. There are two primary strategies for achieving data persistence. The first is conversion, where each component maintains its own data store and data is translated into formats that are consumable by other components. The second mechanism for data persistence is a common data store. This data store is merely a single source that accumulates information from all of the components. Both of these strategies will be used to provide the necessary transparency.

A common data store is necessary to collect data from all of the intrusion detection systems in a single format. The strategy for clustering and linking alerts depends on a standard for the representation of intrusion detection alerts. These clustering and linking algorithms use conversion to operate on intrusion detection data while still returning a value consistent with the access control schema.

The mechanism used for data semantics is a common schema. This common schema is generated differently, however, than the merged policy schema. In the merged policy approach two or more schemas are merged to produce a new schema and the originals are discarded. The approach being used here, however, is to augment one schema (e.g. the access control schema) with essential elements from another schema (intrusion detection), but preserve that other schema for representing data in that domain and convert between the two as necessary. The augmented schema serves as a common point of reference for the two separate domains.

Control integration: message passing. The mechanism for control integration in the coalition based approach is message passing. Alerts from IDS systems are passed as messages to the central data store. Message passing will also be the means through which access requests and responses are sent to and from the decision point.
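The conversion and pull-based context framing of the coalition approach, worked through as an added example that is not the dissertation's code: the two native alert formats, the attribute names of the common schema, the relatedness predicates and the sample alerts are all assumptions chosen to illustrate Sections 3.1 and 3.2.1.

```python
"""Added example, not the dissertation's own code: the coalition-style
acquisition path of Section 3.2.1.  Two constructed, heterogeneous alert
formats are converted into one common event schema held in a shared store,
and an Event Consumer frames the context of an event by pulling only the
events that its context discovery policy (a set of relatedness predicates)
selects.  Field names, predicates and sample alerts are assumptions."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Event:
    """Common schema: attributes assumed to be shared across security domains."""
    domain: str   # producing mechanism, e.g. "ids" or "ac" (access control)
    kind: str     # event class as named by the producer
    source: str   # requesting node
    target: str   # resource acted upon
    ts: float     # time in seconds


# Conversion: each component keeps its native format; an adapter per format
# translates into the common schema before the event reaches the shared store.
def from_ids_a(raw: Dict[str, Any]) -> Event:
    """Adapter for a hypothetical IDS emitting dict alerts."""
    return Event("ids", raw["sig"], raw["src_ip"], raw["dst_url"], float(raw["time"]))


def from_ids_b(line: str) -> Event:
    """Adapter for a hypothetical line-oriented IDS: 'time|attacker|resource|class'."""
    t, src, tgt, kind = line.strip().split("|")
    return Event("ids", kind, src, tgt, float(t))


# Relatedness predicates: each takes (event under evaluation, candidate context event).
Predicate = Callable[[Event, Event], bool]


def same_source(ev: Event, cand: Event) -> bool:
    return cand.source == ev.source


def same_target(ev: Event, cand: Event) -> bool:
    return cand.target == ev.target


def within(seconds: float) -> Predicate:
    """Candidate occurred no more than `seconds` before the event under evaluation."""
    return lambda ev, cand: 0 <= ev.ts - cand.ts <= seconds


def in_domains(*domains: str) -> Predicate:
    """Restrict the context to events from the named security domains."""
    return lambda ev, cand: cand.domain in domains


class EventStore:
    """Common data store: Event Providers push, Event Consumers pull."""

    def __init__(self) -> None:
        self.events: List[Event] = []

    def publish(self, ev: Event) -> None:
        self.events.append(ev)


class EventConsumer:
    """Holds a component's context discovery policy and frames context on demand."""

    def __init__(self, store: EventStore, policy: List[Predicate]) -> None:
        self.store = store
        self.policy = policy

    def context_of(self, ev: Event) -> List[Event]:
        """Pull request from the CDM: return only the events every predicate accepts."""
        return [c for c in self.store.events
                if c != ev and all(p(ev, c) for p in self.policy)]


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: frame the context of one access request two ways."""
    store = EventStore()
    store.publish(from_ids_a({"src_ip": "10.0.0.5", "dst_url": "/admin",
                              "sig": "sqli_probe", "time": 800}))
    store.publish(from_ids_b("950|10.0.0.5|/login|bruteforce"))
    store.publish(from_ids_b("990|10.0.0.8|/admin|path_traversal"))
    store.publish(from_ids_a({"src_ip": "10.0.0.5", "dst_url": "/admin",
                              "sig": "sqli_probe", "time": 120}))   # too old
    store.publish(Event("ac", "access_denied", "10.0.0.5", "/admin", 970.0))
    request = Event("ac", "access_request", "10.0.0.5", "/admin", 1000.0)
    # Policy 1: what has this node been doing in the last five minutes, in any domain?
    by_source = EventConsumer(store, [same_source, within(300)])
    # Policy 2: which detector events threaten this resource, whoever sent them?
    by_target = EventConsumer(store, [same_target, within(300), in_domains("ids")])
    return {
        "source_history": [e.kind for e in by_source.context_of(request)],
        "target_threats": [e.kind for e in by_target.context_of(request)],
    }


if __name__ == "__main__":
    print(demo())
```

The stale alert at time 120 is never returned, which is the "only relevant data" property of dynamic context framing from Section 3.1.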


3.2.2 Open/Federation Approach

Architecture: context management services. The desired functionality from an architectural point of view is to provide services that can aggregate context information from multiple providers, and then subsequently disseminate that context information back to consumers on demand. There are a number of distributed system architectures which could be used in this scenario; however, Publisher/Subscriber (pub-sub) systems are best suited to the problem of a context data-sharing framework for a number of reasons. First is the fact that all pub-sub systems support decoupling of the producer and consumer in time and space, which is an essential design requirement for this system. In addition, there is existing work on content based, and even ontology based, pub-sub systems [41] that can be built upon for allowing the selection of appropriate context data, which will be consistent with the chosen approach for modeling context data.

Service Oriented Architectures also provide additional formalisms on top of a basic publish-subscribe architecture to facilitate registration and lookup of services (or in this case context providers) that will also be necessary. The basic model used will consist of a network of context providers and context aggregators. The aggregators are hierarchically structured and subsequently feed context consumers. Any security component in the network can serve as either a context provider, consumer, or both. The security components will be primary context providers and secondary context consumers. The mediating services will be primary context consumers and secondary context providers.

In Figure 3-3, security components are again pictured containing event consumers. In this instance, however, the event provider is a common service. Instead of requesting events from the different providers based on knowing which provider has which events, the events can be acquired from one service, merely by knowing the features of the desired events.

PAGE 40

InFigure3-4,theanatomyofasecuritycomponentundertheopenarchitectureis showningreaterdetail.Thecoredecisionmechanismnowpusheseventstothecommon eventproviderservicewhichisexternaltothecomponent. Dataintegration:low-levelcontextmodeling. Thisapproachisbasedona dierentconceptofcontextthaniscommonlyused.Inpervasivecomputingresearch,the primaryconcernishavingapplicationsrespondtochangesinthephysicalenvironment generatedbyusersandotherphysicalobjects.Insecurity,however,theprimaryconcern iseventsinavirtualenvironmentwheremostoftheobjectsarepassivedataelements. Securitycontrolssuchasaccesscontrolandintrusiondetectionfunctionaseventclassiers.Asaresult,thefocusshiftsfromdecomposinganeventintothestatechangesthat itproducesinphysicalobjectstomaintainingtheeventitselfastheprimaryobjectof concernwhichmustexamined.Consequently,amoreappropriatedenitionofcontext wouldbetheeventsrelatedtoagiveneventthatprovideadditionalinformationabout thecircumstancesunderwhichthateventoccurred.Inthisway,thecontextofanevent consistsofother,relatedevents. In[23]sixmethodsformodelingcontextdataarecitedandtheontologybased modelingtechniqueiscitedastheonemostcapableofprovidingthefeaturesusedto evaluateallofthemodelingmethods.Thefeaturesmostrelevanttothediscussionathand are:distributedcomposition,partialvalidation,handlingincompletenessandambiguity, sucientformalityandapplicabilitytoexistingenvironments.Thissurvey,inadditionto thefrequentuseofontologiesinserviceorientedarchitecturesindicatethatanontology basedcontextmodelwouldbethemostsuitabletoachievetheaimsofthisproject. Asforactualconstructionoftheontology,itisnotedin[42]therearethreeprimary methodsforusingontologiestofacilitateintegration.Thosemethodsarethefollowing: establishmentofasingleglobalontology,useofmultipleontologieseachforaspecicsub domain,orahybridapproachthatallowsformultiplespecicontologies,butbasesthem allonasharedvocabularytofacilitateinteroperability. 40

PAGE 41

Thefactthattherearesomeexistingstandardsforrepresentingsecurityeventdata [43,44]andtheneedtomakethecontextmodelextendableadvocateinfavorofahybrid approach.Themajortaskthen,forthiscontextmodelistwo-fold:1thecontentofthe sharedvocabulary,and2thetransformationofexistingeventrepresentationsintoaform thatiscompatiblewiththesharedvocabulary.Thesharedvocabularywillconsistoftwo primaryelements:1asetofattributescommontotwoormoresecuritydomainsthat canbebuiltupontoestablishspecicdomainontologiesand2asetofpredicatesthat expresscertainrelationships,bothsemanticandsyntactic,betweentwoormoreevents. Controlintegration:ontology-basedeventcorrelation. Theprecedingtwo researchfocusescontextmodelingandcontextmanagementserviceshavebeennecessary toprovideaframeworkandinfrastructuresupportfortherstpillaroftheapproach, namely:contextacquisition.Theactualprocessofcontextacquisitionwillrelyon correlatingeventsusingtheattributesinthesharedvocabularyandthepredicatesfor expressingrelatednessbetweeneventsthatwillalsoformpartofthecontextmodel. 3.3ACoalition-BasedSystemforContextAcquisition 3.3.1InformationModel 3.3.1.1Accesscontrol Deningaccesscontrol. SandhuandSamarati[45,46]deneaccesscontrolasa familyofstrategiesforonepartytopreciselycontrolwhatotherpartieswillbeallowedto dowithresourcesthatitcontrols.Theyrestrictit,however,tolimitingandcontrollingthe actionsthatauthorizedusersofasystemareallowedtoperform.Theyalsonotethattrue informationsecurityistheproductofaccesscontrolinconjunctionwithauthentication andauditing.Theyhighlightwhatareperhapsthethreemostprominentaccesscontrol policies: DiscretionaryAccessControlDAC:informationaccessisgovernedbyrulesthat stateforeachuserandforeachdataitemwhichaccessmodestheuserisallowed onthatobject.DACisveryexiblewhichmakesitadaptabletoavarietyof 41

PAGE 42

environments,butitdoesnotprovidetrueguaranteesontheowofinformationina system. MandatoryAccessControlMAC:alsoknowaslattice-based.Securitylevelsare associatedwitheachuseranddataobjectinasystem.Userscanonlyreaddown readitemsofalowersecuritylevel,andmayonlywriteupwritetodataobjects whosesecuritylevelisgreaterthantheirown.Preventsinformationfromhigher securityareasowingtolowersecurityones. RoleBasedAccessControlRBAC:aroleisasetofactionsandresponsibilities associatedwithacertainworkactivity.Accessauthorizationsarethenspeciedfor roles,andindividualusersadoptrolesasneededwithcertainrestrictions. Tasksandresponsibilitiesinintegratedsecurity. Inanintegratedsecurityarchitecture,accesscontrolpoliciesshouldtakeadvantageofstateinformationfromother partsofthearchitecturesothatpoliciescanenforceaccesslimitswithahighlevelof granularityandspecicity.Inaddition,thesedependenciesshouldbeallowedtochange dynamicallyandautonomously.AccessControlalsotakesontheadditionalroleasthe pointofinectionandtheplacewherechangesarereected. Dataprovidedbyaccesscontrol. Theaccesscontrolmechanismhasaccessto thepoliciesgoverningeachresourceandthereforecanprovideinformationonhoweach resourceisbeingcontrolled.Inaddition,inmostsystemsanaccesscontrolmechanismwill interveneoneveryresourcerequestthatpassesthroughthesystemandthusaccesscontrol canprovidedetailedinformationonarequest-by-requestbasis.Suchinformationwould includethefollowing:abnormalitiesinaccessrequests,operationrequestsandfailures, resourceusage,login/logoutinformationandexceptionconditions. Informationneededbyaccesscontrol. Toachievethegoalofaccesscontrol beingbasedontheoverallcontextofthesystem,itisnecessaryfortheaccesscontrol systemtoresolvedependenciesinaccesspolicies.Thesedependenciescouldinclude informationaboutanyattacksthathavetakenplace,orchangesinthepolicytohelpthe 42

PAGE 43

systemrecoverfromandpreventfutureattacks.Anoutlineoftheinformationneedsfor accesscontrolisthefollowing: Vulnerabilityofeachavailablesystemresource Stateofcompromiseofeachavailablesystemresource Compromised/Misuseduseraccounts Attackdescription:user,operation,resource,means PolicyModications/Updates Aggregatesystemdataforpolicyevaluation 3.3.1.2Intrusiondetection Intrusiondetectiontraditionaldenition. Awidelyaccepteddenitionofan intrusionis,anysetofactionsthatattempttocompromisetheintegrity,condentiality oravailabilityofaresource"[47].SandhuandSamaratimentionintrusiondetectionas amethodforensuringauditcontrolsanddivideintrusiondetectionsystemsbasedon reactivityintopassiveusedtoanalyzeauditdataandreportanomalousbehaviorand activedetectionanalyzeauditdatainrealtimeandmayrespondtoprotectsystems. Otherauthorsclassifyintrusiondetectionstrategiesbasedonhowtheydetectanintrusion: eitherdetectingmisuse,whichreliesonrecognizingwell-knownattacks,ordetecting anomalies,whichmerelytriestoestablishadeviationfromnormaluserbehavior.Misuse detectionsystemstypicallyrelyonmatchingeventswithknownattackscenariosor signatures.Anomalydetectionsystemsestablishmodelsfornormalbehaviorthrough techniquesfromstatistics,articialintelligenceorotherelds. Tasksandresponsibilitiesinintegratedsecurity. Thenotionofanintrusion detectionsystemthatusesauditrecordsisinherentlydependentuponatleastoneother securitymechanism:namelyaccesscontrol.Introducingthenotionthatinformationwill owback'upstream'fromintrusiondetectiontoaccesscontrol,howevergivesrisetonew opportunitiesfortheintrusiondetectionsystem. 43

PAGE 44

Informationprovidedbyintrusiondetection. Ingeneral,anintrusiondetection systemshouldprovidethefollowinginformationregardingaperceivedintrusion:certainty ofanalysis,attackimpact,andattackcharacteristics. Informationneededbyintrusiondetection. Theinformationthattheintrusion detectionsystemusestoperformitstasksmainlyconsistsofinformationonspecic accessrequests,suchasthefollowing:theuserperformingtheaction,theactionbeing performed,theresourcebeingusedandanyexceptionconditionsgenerated. 3.3.1.3Intrusionresponse Intrusionresponsetraditionaldenition. Themainfunctionofanintrusion responsesystemistotakestepstobothpreventfutureattacksandmitigatethedamage fromcurrentattacksbasedoncharacteristicsoftheattackandthetypeofthesystem resource.TheFischTaxonomy[48]providesthefollowingclassicationofthetypesof intrusionresponse:activedamagecontrol,passivedamagecontrol,damageassessment anddamagerecovery. Tasksandresponsibilitiesinintegratedsecurity. Inadditiontotraditional responsetechniques,theintegrationofanintrusionresponsesystemwithaccesscontrol providestheopportunitytomakeaccesscontrolpolicymodications. Informationprovidedbyintrusionresponse .Anintrusionresponsesystem willhavevariousresponsescenariosfordierentattacktypes.Itwillbeabletoprovide informationabouthowtomitigateattackvulnerabilities,andthemeasuresnecessaryto counterattackdierentattacktypes.Includingpolicychangesforthefollowing:intrusion mitigationorrecoveryandintrusionprevention. Informationneededbyintrusionresponse. TheCarverIntrusionResponse Taxonomy[49]classiesintrusionresponsesinsixdimensions.Eachofthesedimensions is,inreality,aninputtotheintrusionresponsemechanismthatdeterminesthetypeof response.Thetaxonomyconsistsofthefollowingelements:timing,typeofattack,type ofattacker,attackimplications,strengthofsuspicionandenvironmentalconstraints.The 44

PAGE 45

attackimplicationsdimensionreferstohowcriticaltheresourceistothesystemasa whole.Theenvironmentalconstraintsareanylimitsonthetypeofresponsethatcanbe takenwhethertheybelegal,technicalorotherwise.Thestrengthofsuspicionisameasure ofcertaintytheIDSsystemhasintheintrusivenessoftheeventunderquestion.Ifthe goalistointegrateintrusionresponsedirectlywithaccesscontrol,theresponseshould bebasedonthepolicyusedtocontrolaccesstotheresource:theunderlyingmodel,the policytargetandtheoperationspermittedbythepolicy. 3.3.1.4Modeloverview ThisinformationmodelseeFigure3-5isbasedonthemainabstractionofa SecurityEvent.ThethreemainsubclassesofeventsareAccessRequest,Intrusion AttemptandIntrusionResponsewhichwilleachbediscussedseparatelybelow. Thismodelrelatestheconditionsforanaccessrequesttothedatafromanintrusion analysisbyplacingthelatterasattributesofasubclass.Intrusionattemptsarelinked tointrusionresponsesbyincludingoneormoreofthemasapropertyofeachresponse. Therearefourmainclasses: SecurityEvent AccessRequest IntrusionAttempt and IntrusionResponse 3.3.1.5Securityevent Attributes: 1.Source:theinitiatoroftheevent.Possiblesourcesare:Node,User,Processor Service aTarget:theintendedobjectoftheevent.Possibletargetsare:Node,User, Process,ServiceorFile Subclasses: 1.AccessRequest:anattemptbysomesourcetoperformandoperationona target. 2.IntrusionResponse:theresponsetoanintrusionattempt. 45

PAGE 46

3.3.1.6Accessrequest Attributes: 1.EvaluationResult:theresultoftheevaluationofthesetofpreconditions applicabletothisrequest.Possibleresultsare:PermitorDeny 2.Requirements:setofconditionsthatmustbesatisedfortherequesttobe granted.PreconditionscanbespeciedfortheEnvironment,Subject,or Resource 3.Consequences:specicationofactionsthatshouldbetakenonrequestcompletion. Subclass: 1.IntrusionAttempt:Anaccessrequestthatisdeemedintrusive. 3.3.1.7Intrusionattempt Attributes: 1.Means:whatwasusedtoperpetratetheattack.Couldbeinoneofthree subcategories:BypassingControl,PassiveMisuseorActiveMisuse 2.Assessment:thesystemsjudgmentoftheeventon:itsImpactinthesystem, theCondenceoftheanalysisandtheClassicationoftheattempt 3.Results:theneteectoftheintrusionattempt.Thiscouldfallintooneofthree categories:DenialofService,ExposureorErroneousOutput 3.3.1.8Intrusionresponse Attributes: 1.Constraints:anysystemfactorsthatlimittheresponsethatcanbetaken againsttheintrusionattempt 2.IntrusionAttempt:oneormoreintrusionattemptsthatarebeingrespondedto Subclasses: 1.ResponseDuringtheAttack:couldbeeitherActiveorPassive 2.ResponseAftertheAttack:couldwiththeaimofAssessmentorRecovery 46
3.3.2Implementation Wehaveimplementedasystembasedontheproposedinformationmodel.This implementationconsistsoftwoprimarysystems:anaccesscontrolsystemandanintrusion detectionsystem.Inthisinitialimplementationwemakeuseoftheclosed/coalition approachwithreactivedataanalysistoproducethreatinformation. OuraccesscontrolsystemisbasedaroundtheeXtensibleAccessControlModeling LanguageXACML[44].XACMLspeciesalanguageforaccesscontrolpoliciesaswell asaccessrequestsandresponses,allinXML.Thelanguagesupportspoliciesthatare composedofthefollowingelements: Atarget:thesetofresources,subjects,actionsandenvironmentstowhichthepolicy willapply Arule-combiningalgorithm:aspecicationofhowdierentrulesshouldbecomposed Asetofrules:eachruleisacombinationofatarget,eectandacondition obligations:operationsthatareperformedbytheparentofthecurrentpolicy containerwhenaspeciedauthorizationdecisionisreturned Theeectportionoftheruleindicateswhethertheruleisanegativeorpositiveaccess right.Theconditionelementofaruleoersthepossibilityoffurthernarrowingthe applicabilityofarule,byspecifyingsomethingsthatmustbetruefortheruletocome intoeect. Themotivationbehindthislanguageistoprovideacommonpolicylanguagefor enterprisestoeasethedicultiesthatcomewiththecurrentheterogeneityinpolicy representationsfordierentsecuritydomains.Duetoitsdescriptivenessandexpansive rangesomeoftheelementsoftheXACMLdatamodelhavebeenincludedintheproposed informationmodel. TheXACMLspecicationalsoincludesabstractionsforanaccesscontrolarchitecture.Theprimaryelementsofthisarchitecturethatwewilldiscussare: 47

PAGE 48

PolicyDecisionPointPDP-evaluatespoliciesandreturnsadecisiononthe request. PolicyEnforcementPointPEP-responsibleformakingrequeststothePDPbased onaccessrequestsandactuallyenforcingthedecisionsreturnedbythePDP TheinformationowinthissystemisdetailedinFigure3-6.Itincludesthefollowing steps: 1.Aninitialaccessrequestismadeforaresourceunderthecontrolofthewebserver. InthiswaythewebserverfulllstheroleofaPolicyEnforcementPointPEP discussedintheXACMLarchitecturedescription. 2.ThewebserverinitiatesarequesttotheAccessControlSystemthePolicyDecision Pointindicatingtheresourcebeingrequestedandthesourceoftherequest 3.Theaccesscontrolsystemndsthepolicythatgovernsthatresourceandextracts anyrulesindicatingtherequestresponseshouldbebasedonthreatinformation,and whatarethedimensionsofthethreatprolesource,targetorboth 4.Basedonthedimensionsofthethreatproleandthefeaturesoftheactualrequest, theaccesscontrolsystemestablishescriteriaforasetofrelatedevents 5.AlloftherelatedeventsareselectedfromtheIDSdatastore 6.Thecalculationmethodforthethreatproleisappliedacrossthesetofselected eventsandthevalueischeckedagainstthethresholdfromthepolicy 7.Arequestresponseisreturnedtothewebserverwhichthenregulatesaccesstothe resource Inourimplementationsystem,thePEPisabasicwebserver,modiedtopassaccess requestsrstthroughanXACMLPDPwrittenwiththeSunMicrosystemsXACML API.ThePDPfunctionsasamoduleonthewebserver,butcouldbeimplementedasa standaloneservice. AlloftheintrusiondetectiondataisgeneratedthroughaninstanceofSnort,conguredtoreportalertsinIDMEF[50]format.AlertsaregeneratedbytheIDSandsent totheservicethatreceivesthealertsandstorestheminanXMLdatabase.Foreach 48

PAGE 49

accessrequest,thedatabaseisthenqueriedforalertsbasedonthepolicythatgovernsthe resourcebeingaccessed. 3.3.3SummaryoftheCoalitionApproachtoContextAcquisition Wehavemodeledandimplementedasystemthatusesacoalitionapproachoroneto-onemappingtointegrateanaccesscontrolandintrusiondetection.Thebenetsof thisapproachareitsrelativesimplicityandlackofrelianceoninfrastructuresupport. Becausethereislessoverheadinselectingrelevantcontextdata,thisapproachisalsomore ecient.Overallthecoalitionapproachdescribedwouldonlybeappropriateforaccess controlsystemsembeddedintonetworkedapplicationsthathavestricttimerequirements anddonotneedafullrangeofassessmentdatatoselectfrom.Themainstrengthofthe federatedapproachistheabilitytousethesameinterfaceandaccesscontextdatafroma varietyofassessmentmechanisms:ifthisfunctionalityisnotrequired,thenthecoalition approachcouldbesucient.Theimplementationdiscussedservedtoelucidatesomeof thecriticallimitationsofpursuingthecoalitionapproachtocontextacquisition. Whilethecoalitionapproachiseasytoimplementandprovideseciencybecause ofitslimitedscope,itstillfailstofullyprovideallofthedesignobjectivesthatwere identiedinSection3.1.Thefederatedapproach,incontrast,providesforthingslike providerandconsumerdecoupling,implementationtransparencyanddynamiccontext discoveryinamorecompletewayduetotheuseofsecondarycontextaggregationservices. Forthatreason,thefederatedapproachtocontextdataacquisitionwillnextbeexamined. 3.4AFederatedSystemforContextAcquisition 3.4.1Approach Theapproachforaddressingthedesignoffederatedsystemswillbedierentthan theapproachusedforcoalitionsystems.Becausecoalitionsystemsrelyonone-to-one interactionsbetweenthedierentcomponents,itisnecessarytoeliminatetheheterogenity orprovideacommonschemathatallowsinteroperabilitybetweeneachpairofsystems.In thefederatedapproach,thefocusshiftstomaintaingtheautonomyandexistingschemas 49

PAGE 50

butmitigatingthosefactorswithsecondarymechanisms.Wewillemployastrategyof eventcorrelationastheprimarymeansforaggregatingcontextualinformationacross multipledomains. 3.4.2TheUseofEventCorrelationinFederatedSystem InSection3.2.2,theuseofontology-basedeventcorrelationforcontrolintegration wasdiscussed.Eventcorrelation,however,isabroadeldencompassingmanydierent approaches.Inordertoselecttheappropriateapproachesforcorrelationwewillrst surveywhathasbeendoneinthisregardandthenevaluatethosemethodsinlightofthe requirementsthatmustbesatisedtofacilitateeventcorrelationacrossmultipledomains. Inaddition,theconstructionoftheontologymustbedealtwithinsomedepth.Various approacheswillbeexploredforconstructinganontologyaimedatintegratingvarious datasources.Basedonthedesignrequirementspreviouslydiscussed,thebestapproach willbeselectedandanontologyforcorrelationwillbeproposed.Finally,thedesignand implementationofacontextaggregationserviceincorporatingontology-basedcorrelation willbediscussed. 3.4.3AvailableCorrelationMethods:ATaxonomyofEventCorrelation ApproachesforSecurityData Wenextsurveyrelevantresearchintheareaofalertcorrelation,oertwotaxonomies ofeventcorrelationapproachesusedspecicallywithIDSdata.Thersttaxonomyis basedonthegoalofthecorrelationprocessandthesecondclassiesapproachesbasedon thetypeofrelationshipthatisestablishedbetweenthealertsinquestion. 3.4.3.1Taxonomyofalertcorrelationmethodsbasedonoutcome Tosummarizetheprecedingsurvey,weoertherstoftwotaxonomies.Thereare threeprimarygoalsforeventcorrelationseenintheexistingliterature:1alertreduction 2alertassociationand3alertanalysis. Correlationmethodsthatachievealertreductionaretypicallyreferredtoasfusion ormerging.Inreality,mostofthemergingtechniquesdonotmergealertsinthesenseof 50

PAGE 51

replacingtwodistinctalertswithanewonethatsomehowaddressesthemboth.Instead, oftheapproachesthatperformmerging,suchas[51,52,53]utilizethenotionofametaalertwhichrepresentstheinformationpresentinseveraldistinctalertthroughlistsfor discretevaluessuchasIPaddressesandports,orrangesforcontinuousvaluessuchas time.Theeectofcreatingameta-alertachievesalertreductionbecause,ostensibly, theadministratorcaninspectameta-alertinsteadofthemultitudeofalertsthatitis constitutedby.Inthisway,thereductionofalertsisonlyfromtheperspectiveofthe administrator. Thenextdivisionofcorrelationmethodscontainstechniquesthatdetectorassertan associationbetweentwoormorealerts.Thisclassencompassesthefollowingapproaches: aggregation[9,52],clustering[51,53,54,55,56],multi-stepattackdetection[8,52,57], sessionreconstruction[52]anddetectionbychronicles[58].Allofthesetechniqueshave beengroupedtogetherbecauseintheendtheyallexpressarelationshipbetweenthe alertsthatarethesubjectoftheapproach.Inthecaseofclustering,therelationshipisa similaritybasedonperceiveddistance.Foraggregation,theassociationisasetofoneor moresharedattributesinthatsenseitisastricterformofclustering.Multi-stepattack detectionassociatesalertsthatarepropersubsetsofthesameset.Ahigh-levelattack sequenceisviewedasanorderedsetofdistinctactionsthatachieveacertainobservable eectonthesystem.Theindividualalertsarethereforeassociatedtoeachotherthrough membershipinaspecichighlevelattack-sequence.Thechroniclesapproachissimilar tothemulti-stepdetectionapproachwiththeadditionoftemporalconstraintsbetween variousstates. Thecorrelationtechniquesinthealertanalysisclassareimpactanalysisandprioritization[52].Bothoftheseapproachesmakeadeterminationaboutanindividualalert usingonlyitsfeaturesanddataabouttheoverallcontextofthesystem.Inthecaseofimpactanalysisthecontextinformationisanassetdatabaseandwhetherornottheattack 51

PAGE 52

succeeded.Forprioritizationthecontextinformationisaweightingassignedtotheclassof theattackaswellastheassetdatabasealsousedforimpactanalysis. 3.4.3.2Taxonomyofalertcorrelationmethodsbasedonmeans Thetaxonomyforalertcorrelationmethodsbasedonmeansincludesthefollowing techniques:1attributecongruence2attributesimilarity3membershipincommon supersetand4ontologicalrelationship.Theaimofthistaxonomyistodistinguish betweencorrelationapproachesbasedonhowtheyareconducted. Intherstcategoryofattributecongruence,therearetwosubcategories:syntactic andsemantic.Aggregationistheonlycorrelationapproachthatreliesoncomplete syntacticattributecongruencetoassociateoneormorealerts.Thisisasaresultof establishingcriteriaformembershipinanoutputsetthatcertainattributevaluesa 1 ,a 2 anda 3 mustbeequaltovaluesa 1 ,a 2 ,a 3 respectivelyinthecasewhereallthreevalues areused.Themostthoroughexaminationofaggregationisfoundin[9]butitisalso discussedunderthenameofin[52],whereitisdividedintotwodistincttasks.Attack threadreconstructionisaggregationofalertswiththesamesourceandtarget,while attackfocusrecognitionisaggregationofalertswitheitherthesamesource,orthesame target. Thesessionreconstructionapproachin[52]reliesonwhatwillbereferredtoas semanticattributecongruence.Sessionreconstructionlinkstwoalerts,issuedatdierent deploymentlevels,thatrefertodierenttargetssyntacticallyaportnumberandservice name,butareinrealitydescribingthesamesystementity. Underthecategoryofattributesimilarityweplacetheclustering[51,53,54,55,56]. Implicitly,mergingisalsoplacedinthiscategory,becauseitisalmostalwaysprecededby clustering.Aclusterofalertsistheproductofusingasetofexpert-designedsimilarity measurestodeterminewhichalertsaremostlikeoneanother.Withinthecommon membershipclassaremulti-stepdetection[8,52,57]andthechroniclesapproach[58], 52

PAGE 53

bothofwhichlinkalertsbasedonthefactthattheyareassociatedwiththesamehighlevelattackdescription. Underontologicalmethods,therstisthepre/post-conditionapproach.This approachismostthoroughlydiscussedin[8,57]andreliesonaspecicationofpreconditionsandpost-conditionsforeachattack.Whenalertsarriveindicatinganattack itiscomparedwithotheravailablealertstondmatchesbetweenitsconditionsand theconditionsofotheralerts.Thesecondapproachisthecauseandeectortriggering approachusedin[56].Althoughthepre/postconditionapproachisalsoapartofthis methodspecicallytheoneusedin[8],itissomewhatdistinctbecausethecomplete functionalityreliesonaspecicationofeventsandthealertsthattheytrigger. ThefulltaxonomyispresentedinFigure3-7. Attacks:relationshipsbetweendistinctattackswewillassumethatcertainattacks canbeidentiedbythepresenceofafewspecicpropertiessuchasclassication, action,etc. OntologicalRelationship:thoserelationshipsthatidentifyaspeciclogical relationshipsbetweentwoattacks Pre/PostCondition: Cause/Eect:oneattackisidentiedasthetriggerorcauseforanother SharedMembership AttackClassication:bothattacksareinthesameclass.Aclassmaybe identiedbyspecicvaluescertainelds HighLevelAttackScenario:bothattacksaremembersofahigh-level attackscenariomadeupofmultipleevents AlertAttributes:relationshipsthatcanbeestablishedbetweenindividualeldsinan alert Congruence 53

PAGE 54

* Semantic:thetwoattributesarerelatedthroughathirdelementthat indicatesthattheyrefertothesameentity Syntactic:thevalueforthespeciedattributeisthesameinbothalerts Similarity PositiveProximity:basedonapre-designeddistancemeasure,the attributesforthetwoalertsexceedathresholdforthemaximumseparation NegativeSeparation:basedonapre-designeddistancemeasure,the attributesforthetwoalertsexceedathresholdforminimumseparation Covariance:specicsetsofattributesvaryinthesamewayfromonealert totheother 3.4.4SelectinganEectiveOntologyApproach In[42]threemethodsarediscussedfordevelopingontologieswhosepurposeiscontent explicationinanintegratedsystem:aglobalsharedontology,multipleisolatedontologies andahybridapproach.Intherstapproach,oneglobalontologyisdevisedtoprovide asharedsemanticvocabularyacrossalloftheinformationsources.Thisapproachis mostsuitedtosituationswherealloftheinformationsourcesshareasimilarviewof thedomainifeventoneinformationsourcehasaslightlydierentviewitcanbecome diculttoproduceaneectiveglobalontology.Thesecondapproachofconstructinga separateontologyforeachinformationsourcehastheadvantagethatitsupportsevolution oftheinformationsource,andtheadditionandremovalofinformationsource.Under thisapproach,however,inordertocompareontologies,itisnecessarytodeneaninterontologymapping.Inter-ontologymappings,howevercanbediculttodeneinpractice, nottomentionthefactthatasthenumberofinformationsourcesexpandsthenumber ofmappingsthatarenecessarygrowsexponentially.Thehybridapproachallowsforthe semanticsofeachinformationsourcetobedescribedbyitsowndatabase,butwiththe requirementthattheindividualontologiesarebuiltfromaglobalsharedvocabulary. Thesharedvocabularycontainsthebasictermsthatarecombinedinlocalontologiesto 54

PAGE 55

producemorecomplexsemantics.Thehybridapproachsupportsadditionandevolutionof ontologies,buthasthedrawbackthatexistingontologiesmustberebuiltfromscratch. Comparisonofontologyapproaches. Theglobalontologyoptionisnotsuited toprovidinginter-domaineventcorrelation,becausedierentviewsofthedomaindo exist,evenifonlyconsideringaccesscontrolandintrusiondetection.Whilethetaskof producingaglobalontologyforaccesscontrolandintrusiondetectionmightnotbethat infeasible,thereareafewadditionalgoalspresentinthiscasewhichmakethisoption inappropriate.Onesuchgoalistoprovideasemanticallyexplicitdescriptionofthe elementsincurrentdatamodelstofacilitateadoptionandinteroperability.Anotheristo preserveadegreeofmodularitybetweenthesystems.Theapproachofproducingmultiple, isolatedontologiesalsodoesnotmeetthedesignrequirementsinthiscase,becausethe primarygoalistocompareeventsbasedontheseontologies.Andtheneedtoprovide pairwisemappingsbetweeneverysetofontologieswouldmakessuchasystemdicult toproduce.Thehybridapproachbestmeetstherequirementsinthissituation.Itcan allowaparticularsecuritymechanismtodiscovereventsfromavarietyofpotentialdata sources,onlyusingtheinformationcontainedinthebasevocabulary.Itcanalsoallowthe ontologiesfortheindividualdomainstoevolveindividually. 3.4.5AHybridEventOntology 3.4.5.1Thebasisforacommonontology InordertoproduceabasevocabularywewillusetheIDMEFandXACMLschemas, bothofwhichproviderepresentationsforevents,althoughindierentdomains.Thegoal ofthisprocessistoextractenoughcommonelementsfromthesetwodatamodelstoform thebasisofasharedvocabularyforcross-domaineventcorrelation. AsurveyoftheXACMLeventschemas. TheXACMLschemaprovidestwo eventrepresentations:accesscontrolrequestsfromasource,andtheresponsefrom thepolicyenforcementmechanism.TheXACMLrequestcontextschemacontainsthe followingelements:1Subjectinformationaboutthesubjectoftherequest2Resource 55

PAGE 56

theresourceorresourcesforwhichaccessisbeingrequested3Actionattributes abouttheactionbeingrequested4Environmentattributesoftheenvironmentinwhich therequestisoccurring.TheXACMLresponsecontextschemaincludesthefollowing elements:1Decision2Status3Obligations. TheIDMEFeventschema. AmessageintheAlertClasscontainsthefollowing relevantclasses:1Classication-Thenameofthealert2Source-Thesourceofthe eventdescribedinthealert3Target-Thetargetoftheeventdescribedinthealert4 Assessment-Informationabouttheimpactoftheevent,actionstakenbytheanalyzer inresponsetoit,andtheanalyzer'scondenceinitsevaluation5AdditionalDataInformationincludedbytheanalyzerthatdoesnottintothedatamodel. 3.4.5.2Theproposedontology TheontologybeingproposedseeFigure3-8consistsofthreemainparts:abase vocabulary,anaccesscontroldomainontologyandanintrusiondetectionassessment ontology. Thebasesecurityeventvocabulary. Thecommonelementstothesetwoevent schemasaretheaccesssource,targetandtheactionbeingperformed.Combiningallof theprecedingdiscussionregardingexistingdatamodelsandthetaxonomyofsystemactions,wethereforeoerabasevocabularyforinter-domaineventcorrelationofassessment datainaccesscontrolsystemsbasedonthefollowingprimaryelements: SystemEntity theclasscontainingallvalidsystementities.TheSubclassesof SystemEntityareNode,Process,User,ServiceandFile.Therstfoursubclassesare validdomainsfortheEventSourceproperty,andthelatterfoursubclassesarevalid domainsfortheEventTargetproperty. SecurityEvent agenerictypeofeventpossessingthepropertiesofaneventsource, eventtargetandeventaction.ThesubclassesofSecurityEventneededfordetailed datadescriptionare AccessRequest AccessResponse and Assessment 56

PAGE 57

Action: the class containing all of the distinct system actions. Subclasses needed for detailed data description are ClientAction and ServerAction.

Access control domain ontology. In order to provide a more detailed description of information at the access control level utilizing the base vocabulary, we develop two subclasses of the SecurityEvent class (AccessRequest and AccessResponse) and two subclasses of the Action class (ClientAction and ServerAction). The class AccessRequest has the properties hasSource, hasTarget and requestAction. The first two properties range over SystemEntity and are inherited from the parent SecurityEvent class. requestAction ranges over the class ClientAction. The AccessResponse has the respondsTo property, which references an AccessRequest; a responseString dataType property that contains the actual request response (permit or deny); and a hasResponseAction property whose range is the set of ServerAction actions. In the case of the AccessResponse, the hasSource and hasTarget properties are still present, but the relationship between client and server has been flipped: the source of the AccessResponse is the server that was initially contacted with the access request.

There are two subclasses of the Action class generated for access control: ClientAction and ServerAction. ClientActions are the desired manipulations of system resources that are specified in AccessRequests. They are subdivided into Malicious and Non-Malicious. Non-Malicious actions include CommandExecution, DataAccess and DataAlteration. Subclasses of ServerAction are RequestDecision and EvaluationObligation. RequestDecisions are the basic permit/deny decisions issued for each request; EvaluationObligation refers to the obligations defined in the XACML schema [59], which are actions performed by the policy decision point as a result of evaluating an access request.

Intrusion assessment domain ontology. Assessment is the class of analyses regarding events or entities. Each assessment has an assessmentSource property whose range is an AssessmentSensor. Each AssessmentSensor has a confidenceRating that affects the way its analyses are viewed; in this case the confidence rating is given by the access control system utilizing events from that sensor. The primary subclass included in the event ontology is the IntrusionAssessment class. Other assessment types will be discussed under the topic of context analysis.

Each IntrusionAssessment has the following dataType properties: impactSeverity, impactType and attackCompletion (indicating whether the attack completed successfully or not). Assessments also have the following object properties: describedBy, triggeredBy, hasIntrusiveAction, hasSource and hasTarget. The describedBy property has a VulnerabilityDescription as its range and denotes that the vulnerability whose exploitation was detected is described in the referenced description. Each VulnerabilityDescription has a referenceID, an originDB and a referenceURL. The triggeredBy property has the set of AccessRequests as its range and denotes the access request to which the assessment applies. The properties hasSource and hasTarget both refer to SystemEntities that are the source and target of the intrusive event, respectively, and are inherited from the parent SecurityEvent class. The hasIntrusiveAction property ranges over the class of Malicious client actions, which gives a general description of the kind of attack being perpetrated. The following subclasses of malicious client action are included in the ontology and are based on the taxonomy from [60]:

Probing: all activities related to gathering data about a system. Subdivided into probing of users, services and nodes.

Denial of Service: hindering legitimate access to the system. Subdivided into Temporary, Administrative and Permanent. A temporary denial of service is one that will be automatically recovered from. An administrative denial of service is one that will require administrator intervention for recovery. Permanent denial of service attacks are those whose effects are indefinite.

Interception/Reading Data: subdivided into interception of files or of network traffic.
Alteration/Creation of Data: subdivided into modifying system data or modifying intrusion traces such as log files.

3.5 Summary

Two contrasting approaches were presented for facilitating the process of acquiring context data and achieving the integration necessary to overcome component autonomy, heterogeneity and distribution. A coalition architecture was presented where each security component must establish an interface to provide data to other components serving as consumers. Under the coalition architecture, each mechanism is also responsible for explicitly performing the one-to-one interaction with each component that it wants to obtain information from. A federation architecture was also presented that uses a common context aggregation service to facilitate the dissemination of context data. The federation has the added benefit that the architecture is overall more extensible, in that each component only needs to be updated to pull new information from the common data store rather than interacting with a new component through a separate interface. Two taxonomies of current methods for intrusion detection alert correlation are provided: one based on the means used to correlate the alerts and another based on the outcome of the correlation. After examining approaches for integrating data coming from heterogeneous domains, a hybrid ontology is proposed for the purpose of allowing related events in different domains to be aggregated. The ontology uses a base vocabulary, synthesized from common elements in existing schemas for security events, and allows extension with domain-specific classes and attributes. This ontology will be translated into a relational database model that serves as the schema for the event database discussed in Section 6.5. Also, based on the conclusion that the federated approach more completely fulfills the needed design goals, the implementation will follow a federated model as the architecture for the system.
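To make the translation of the ontology above into a relational event store concrete, the following is an added example and not the dissertation's schema (which is described in Section 6.5). It renders the base vocabulary (SecurityEvent with hasSource and hasTarget over SystemEntity) as one SQLite table, extends it with one table each for the access control and intrusion assessment domains, enforces the range of hasIntrusiveAction (Malicious client actions only), and runs the cross-domain join that the triggeredBy and describedBy properties make possible. Table and column names, the vulnerability reference VD-1 and the sample events are constructed for this example.

```python
"""Relational rendering of the hybrid event ontology (added example; the
dissertation's own schema is given in Section 6.5).  Table and column
names and the sample data are constructed for this example."""
import sqlite3

SCHEMA = """
CREATE TABLE system_entity (id TEXT PRIMARY KEY, kind TEXT NOT NULL);
-- base vocabulary: every event has a source and a target SystemEntity
CREATE TABLE security_event (
    id          INTEGER PRIMARY KEY,
    event_class TEXT NOT NULL CHECK (event_class IN
                ('AccessRequest', 'AccessResponse', 'IntrusionAssessment')),
    has_source  TEXT NOT NULL REFERENCES system_entity(id),
    has_target  TEXT NOT NULL REFERENCES system_entity(id));
-- access control domain: requestAction is a ClientAction
CREATE TABLE access_request (
    event_id       INTEGER PRIMARY KEY REFERENCES security_event(id),
    request_action TEXT NOT NULL);
CREATE TABLE vulnerability_description (
    reference_id TEXT PRIMARY KEY, origin_db TEXT NOT NULL, reference_url TEXT);
-- intrusion assessment domain: dataType properties as columns, the object
-- properties triggeredBy / describedBy as foreign keys
CREATE TABLE intrusion_assessment (
    event_id             INTEGER PRIMARY KEY REFERENCES security_event(id),
    impact_severity      INTEGER NOT NULL,
    impact_type          TEXT NOT NULL,
    attack_completion    INTEGER NOT NULL,   -- 0 = failed, 1 = succeeded
    has_intrusive_action TEXT NOT NULL,      -- Malicious ClientAction subclass
    triggered_by         INTEGER REFERENCES access_request(event_id),
    described_by         TEXT REFERENCES vulnerability_description(reference_id));
"""

# the Malicious client-action taxonomy from the text (dotted = subclass)
MALICIOUS_ACTIONS = {
    "Probing.Users", "Probing.Services", "Probing.Nodes",
    "DenialOfService.Temporary", "DenialOfService.Administrative",
    "DenialOfService.Permanent", "Interception.Files",
    "Interception.NetworkTraffic", "Alteration.SystemData",
    "Alteration.IntrusionTraces",
}

def open_event_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # enforce the ontology's ranges
    conn.executescript(SCHEMA)
    return conn

def add_entity(conn, ident, kind):
    conn.execute("INSERT INTO system_entity VALUES (?, ?)", (ident, kind))

def add_access_request(conn, source, target, action):
    cur = conn.execute("INSERT INTO security_event (event_class, has_source, has_target) "
                       "VALUES ('AccessRequest', ?, ?)", (source, target))
    conn.execute("INSERT INTO access_request VALUES (?, ?)", (cur.lastrowid, action))
    return cur.lastrowid

def add_intrusion_assessment(conn, source, target, action, severity, impact_type,
                             completed, request_id=None, vuln_ref=None):
    if action not in MALICIOUS_ACTIONS:   # hasIntrusiveAction ranges over Malicious only
        raise ValueError(f"hasIntrusiveAction must be a Malicious client action: {action!r}")
    cur = conn.execute("INSERT INTO security_event (event_class, has_source, has_target) "
                       "VALUES ('IntrusionAssessment', ?, ?)", (source, target))
    conn.execute("INSERT INTO intrusion_assessment VALUES (?, ?, ?, ?, ?, ?, ?)",
                 (cur.lastrowid, severity, impact_type, int(completed), action,
                  request_id, vuln_ref))
    return cur.lastrowid

def assessments_for_request(conn, request_id):
    """Cross-domain join: IDS assessments triggered by one access request, each
    with the vulnerability it references (describedBy may be NULL)."""
    return conn.execute("""
        SELECT ia.has_intrusive_action, ia.impact_severity, ia.attack_completion,
               vd.reference_id, vd.origin_db
        FROM intrusion_assessment ia
        LEFT JOIN vulnerability_description vd ON vd.reference_id = ia.described_by
        WHERE ia.triggered_by = ?""", (request_id,)).fetchall()

def severity_by_source(conn):
    """Per-source sum of impactSeverity: the aggregate a source-centred threat
    attribute (Chapter 5) is computed from."""
    return dict(conn.execute("""
        SELECT se.has_source, SUM(ia.impact_severity)
        FROM intrusion_assessment ia JOIN security_event se ON se.id = ia.event_id
        GROUP BY se.has_source""").fetchall())

def build_sample_db():
    """Constructed sample: two client nodes, two resources, three requests,
    two of which triggered IDS assessments."""
    conn = open_event_db()
    for ident, kind in (("S1", "node"), ("S2", "node"), ("R1", "resource"), ("R2", "resource")):
        add_entity(conn, ident, kind)
    conn.execute("INSERT INTO vulnerability_description VALUES (?, ?, ?)",
                 ("VD-1", "constructed", "http://example.invalid/VD-1"))
    r1 = add_access_request(conn, "S1", "R1", "CommandExecution")
    add_intrusion_assessment(conn, "S1", "R1", "Probing.Services", 8, "confidentiality", False, r1, "VD-1")
    r2 = add_access_request(conn, "S1", "R2", "DataAlteration")
    add_intrusion_assessment(conn, "S1", "R2", "Alteration.SystemData", 10, "integrity", True, r2)
    add_access_request(conn, "S2", "R1", "DataAccess")
    conn.commit()
    return conn, r1, r2
```

With foreign keys switched on, SQLite rejects an assessment that references a request or vulnerability description that does not exist, which is the relational counterpart of the ontology's property ranges; the check on MALICIOUS_ACTIONS does the same for the class hierarchy that a relational schema cannot express on its own.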


Figure 3-1. Diagram of a security coalition. Each security component has to interact with all of the other components in order to access their data. This architecture is limited in extensibility because each time a new member is added to the coalition, all of the other members must be adapted to use its interface.

Figure 3-2. The anatomy of a security component in an open architecture. The core decision mechanism is responsible for placing new events into the mechanism's event data store, which subsequently provides the data to other consumers. The core decision mechanism also pulls data from the component's event consumer module in order to enforce policy based on external event information. The event consumer module includes a policy describing the different types of events that should be drawn from the event provider; this interaction is depicted in Figure 3-3.

Figure 3-3. Security components with a common event provider. Rather than having to interact with each other member of the system, the components can now access data through a common event provider.

Figure 3-4. The anatomy of a security component in an open architecture. The core decision mechanism is responsible for placing new events into the common event provider, which is now an external service instead of the data store that was previously contained in the mechanism itself. The core decision mechanism also pulls data from the component's event consumer module in order to enforce policy based on external event information. The event consumer module includes a policy describing the different types of events that should be drawn from the event provider; this interaction is depicted in Figure 3-3.

Figure 3-5. Security event information model.

Figure 3-6. The flow of data between an IDS and a web server under the coalition-based implementation.

Figure 3-7. Taxonomy of the means used to achieve alert correlation.

Figure 3-8. Ontology for inter-domain event correlation.
CHAPTER 4
GENERAL APPROACH PART 2: CONTEXT ANALYSIS

4.1 Introduction and Design Goals

Context analysis is the process of taking event data provided by a secondary source and deriving information from that data which provides more useful indications about the state of the system. We examine the task of context data analysis on two levels: the first providing an overview of the major security measures and indicators and the relationships between them, and the second providing a detailed approach for the analysis of a specific type of context data. This chapter will propose a framework which structures several critical security measures and their determining factors. Chapter 6 will discuss the specific analysis and subsequent usage of a particular security property.

The objectives for context analysis have been divided into two main types: objectives involving how data is analyzed, and objectives involving what the product of those analyses should be. Context analysis covers all of the tasks in the system between when the data is acquired by a security component and when that data is used in a decision-making process. Design goals for the approach to context analysis include:

Actionable Data. The primary aim of the context analysis process is to produce information that represents complex system events in a relatively straightforward way that can enable autonomous responses. This requires synthesizing multiple pieces of data into higher level assessment information. The aim is to relieve the access control system of having to incorporate all of the factors that an intrusion detection system considers in making its decision, by providing procedures that map those properties to high-level concepts. Such high-level concepts can then be incorporated into access control policies to allow the use of real-time assessment information.

Extensibility. Another goal is that the analysis process be based on a structured model that allows additional analysis procedures and assessment properties to be added easily. This requires a very detailed definition of each type of assessment and how they relate to one another.

An ontology is used as the medium to define the assessment properties because it offers a more precise definition of the terms than would be possible with only words. In addition, because ontologies are described in a formal logic (a description-logic fragment of first order predicate logic), a reasoning engine could be developed based on the specification to perform fusion of sensor data to produce the desired properties.

4.2 A High-Level Ontology of Security Assessment Information

An overview of the proposed ontology is depicted in Figure 4-1, with Figure 4-2 providing further detail on the factors used to arrive at the various assessments. At the core of the ontology there is an AccessRequest that has three aspects: it is initiatedBy a Subject, it is directedTo an Object (the resource being acted upon), and it executes an Action on the object. A RequestEvaluation (either Permit or Deny) is based on one or more Assessments. Each assessment has a Source, a quantitative Value, a percentage of Certainty and one or more Constraints.

Assessments can be categorized in multiple ways: based on what is assessed and based on the type of data that is used to produce the assessment. Under the first categorization, assessments are divided into two main types: EntityAssessments and EventAssessments. EntityAssessments apply to entities such as the subject and object. EventAssessments apply to the access request itself. Under the second categorization (by the type of data used to produce the assessment) there are CoreAssessments and CompositeAssessments. CoreAssessments are produced based on data from an event description such as an intrusion detection alert. CompositeAssessments utilize one or more CoreAssessments, and provide information that contrasts properties of the event under consideration with properties of an entity.

Subjects are characterized primarily by a TrustAssessment. Objects are characterized by Dependability and Importance assessments. Events are assigned a Risk. A Threat assessment contrasts the trust granted to the subject with the risk of the request itself. The Impact assessment contrasts the risk of the request with the dependability and importance of the object. Each of these assessments will be discussed in more detail.

4.2.1 Core Assessments

4.2.1.1 Risk

In general, risk denotes a probable loss to some asset or valuable property of an entity. Specifically, in this context, risk is used to quantify the probable impact of an event on the three primary security properties: confidentiality, availability and integrity. Some existing definitions of risk include the following: "a measure of the expected loss in the absence of any mitigation actions or countermeasures" [61], "a characterization of the danger of a vulnerability or condition" [62] and "the relative impact that an exploited vulnerability would have to a user's environment" [63]. The final definition is the closest to the meaning being invoked here and will also provide the factors used to determine risk.

The factors used for risk in this ontology are derived from the Common Vulnerability Scoring System (CVSS). The CVSS gives criteria for standardizing the severity ratings given to system and software vulnerabilities. The specification includes base metrics (which are based solely on the vulnerability characteristics), temporal metrics and environmental metrics. The core of the specification rates vulnerabilities on the required environment, which includes AccessVector, AccessComplexity and Authentication, and on the projected impact on Confidentiality, Availability and Integrity; all of these are enumerated as risk factors in the ontology.

4.2.1.2 Trust

There are two main areas of concern when discussing trust: what is trust based on, and under what circumstances is it valid. To address these issues, the ontology includes TrustFactors and TrustDomains. TrustFactors are those subsidiary values which, when considered together, determine the actual trust assessment value. The two trust factors included here are Capability and Intent.
Capability was mentioned in [64] and previously [65] to refer to a combination of demonstrable access and authority. This kind of definition is most relevant in the context of peer-to-peer interaction where parties are being rated according to their ability to fulfill a specific contractual relationship. In contrast, we are focused on defining trust in a manner that is restricted to an external object interacting with controlled resources in a non-malicious way. The concern is essentially to evaluate whether or not the trusted party will behave as expected (benevolently) and, if not, to what degree they have the capacity to do harm. As a result of this simplification, some of the complexities provided by other trust definitions are not relevant to the current discussion. It is assumed that everyone has the same capability to perform benevolently (which is simply non-misuse), but that some parties have a greater capacity for malevolent or malicious behavior than others.

The other trust factor considered is Intent. Although it is a difficult concept to measure and quantify, it is the only means through which we can produce the notion of mistrust necessary for situations that require distinguishing between malicious and non-malicious users. There are two states for the property of Intent: Benign and Malicious.

Trust values also have a set of constraints that are typically called TrustDomains. TrustDomains are the situations or contexts in which a particular trust assessment applies or is valid. We include five domains as constraints for a trust assessment: General (or Universal), Action-Specific, Target-Specific, Object-Specific and Context-Specific. A General trust is one that is valid across an entire application or application domain and not constrained by any secondary factors. Action-Specific trust is granted to a subject based on the action being performed. Similarly, Target-Specific and Object-Specific trust are only valid for a particular resource or object, respectively. Context-Specific trust is a more abstract notion that allows trust activation based on certain dynamic context properties.

4.2.1.3 Dependability and importance

Both the dependability and the importance of the object play a role in the way the request is viewed. CVSS includes the security requirements of the targeted asset (confidentiality, integrity and availability) under environmental metrics that affect the severity of a vulnerability exploitation. In [66] several properties are mentioned that characterize the dependability of systems and services. An object's dependability is encapsulated by the following properties: Availability, Reliability, Safety, Confidentiality, Integrity and Maintainability. Availability is the readiness for usage, reliability is the continuity of service and safety is the non-occurrence of dire consequences on the environment. Confidentiality is the non-occurrence of unauthorized information disclosure, integrity is the non-occurrence of improper alterations of information and maintainability is the ability to undergo repairs and evolutions. These properties encompass those used in the CVSS and add a few additional properties that can be critical to contextualizing an event.

In [52] a relative measure of the object's importance is used to measure the impact of an attack. Also, in [38] the importance of a network node is used to determine a suitable threshold for the risk of incoming requests. Both of these properties, Dependability and Importance, have been included in the ontology as assessments of the object of the request that are needed to produce high-level assessments.

4.2.2 Composite Assessments

4.2.2.1 Threat

The Threat assessment is the first of the composite assessments to be discussed. Some of the definitions for threat used in the research are as follows: "the adversary's goals or what an adversary might try to do to a system", "an indication of a potential undesirable event" [61], and "the likelihood or frequency of a harmful event occurring" [63].

In [30, 67] a global, system-wide threat level is used to integrate information from outside intrusion detection systems into an advanced security policy that can specify allowed activities, detect abuse and respond to intrusions. Teo et al. [38] propose a system to manage network level system access that uses source-centered threat to regulate access control decisions. Although not concerned with a higher-level threat analysis, Valeur et al. [52] aggregate IDS alerts in multiple ways to characterize the traffic coming from a single source or into a single target (attack focus recognition). They also consider sets of alerts between a single source-target pair (attack thread reconstruction).

In its strictest sense, threat assessment should rely on both a trust assessment for the source of the request and a risk assessment of the request itself. A threat is therefore a specific, quantifiable security risk coming from a subject that is also assigned a corresponding trust value. This results in a notion of threat that is primarily based on two factors: the nature of the request (its risk), and the source of the request (the degree of trust given to it).

4.2.2.2 Impact

The second composite assessment measure is Impact. The Impact combines the risk of the request with the importance of the object and its dependability. Thus, in the case of security, an impact assessment is a judgment about the potential security damage inflicted by an access request, considering the general fault-tolerance of the object and its importance to the system in which it exists.

4.3 Summary

This ontology helps define the goals of the analysis process in terms of concrete attributes that should be derived. They include measurements used in various systems and standards, but are placed in a unified structure that elucidates the differences between the various terms more precisely than mere definitions. In addition, the factors used to determine each assessment property are also listed, which provides clearer insight as to how a system can arrive at the assessment and what lower level data is required as an input to the process. In an ideal system, this ontology would serve as the basis for a reasoning engine that could produce the necessary outputs given the required incoming data. The implementation discussed in Chapter 6 (see Section 6.3) will focus on a single security property, namely risk, and provide further details on how an analysis server can produce assessments of that type given input data.
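As an added example of turning the CVSS factors that Section 4.2.1.1 enumerates as risk inputs into a numeric value, the following implements the CVSS v2 base equation (the version of the standard current in 2009) from the public base-metric weights. It is not the dissertation's analysis server, whose risk model is given in Chapter 6; the page names the six factors but does not reproduce a formula. The vector strings are constructed inputs, and the Low/Medium/High bands are NVD's ranges for v2 scores rather than anything the page defines.

```python
"""CVSS v2 base score from the six base metrics the ontology lists as risk
factors (added example; weights and equation from the public CVSS v2 guide)."""
from decimal import Decimal, ROUND_HALF_UP

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}     # local / adjacent / network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # high / medium / low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # multiple / single / none
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}             # none / partial / complete
WEIGHTS = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
           "C": IMPACT, "I": IMPACT, "A": IMPACT}

def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P'; every metric must be present and valid."""
    fields = {}
    for part in vector.split("/"):
        key, sep, value = part.partition(":")
        if not sep or key not in WEIGHTS or value not in WEIGHTS[key]:
            raise ValueError(f"bad base metric {part!r}")
        fields[key] = value
    missing = set(WEIGHTS) - set(fields)
    if missing:
        raise ValueError(f"missing base metrics: {sorted(missing)}")
    return fields

def _round1(x):
    # CVSS rounds to one decimal, half away from zero; float round() would not
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def base_score(vector):
    """Return (base, impact, exploitability) sub-scores, each rounded to 0.1."""
    f = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[f["C"]]) * (1 - IMPACT[f["I"]]) * (1 - IMPACT[f["A"]]))
    exploitability = 20 * ACCESS_VECTOR[f["AV"]] * ACCESS_COMPLEXITY[f["AC"]] * AUTHENTICATION[f["Au"]]
    if impact == 0:   # f(Impact) = 0: no impact on C/I/A means no risk, whatever the exposure
        base = 0.0
    else:
        base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176
    return _round1(base), _round1(impact), _round1(exploitability)

def nvd_severity(score):
    """NVD's qualitative bands for CVSS v2 base scores."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def risk_factors(vector):
    """The record an analysis server could attach to an IntrusionAssessment:
    the six ontology risk factors plus the derived sub-scores and band."""
    f = parse_vector(vector)
    base, impact, expl = base_score(vector)
    return {"AccessVector": f["AV"], "AccessComplexity": f["AC"],
            "Authentication": f["Au"], "Confidentiality": f["C"],
            "Integrity": f["I"], "Availability": f["A"],
            "impact": impact, "exploitability": expl, "base": base,
            "severity": nvd_severity(base)}
```

The separation into impact and exploitability sub-scores is what makes the factors reusable by the composite assessments of Section 4.2.2: exploitability describes the required environment (the AccessVector, AccessComplexity and Authentication factors), while the impact term is the part that the object's security requirements later scale.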


Figure 4-1. Core assessment classes. Importance, trust and dependability assessments for entities; threat and impact assessments for access requests; value and risk assessments for the action of an access request.

Figure 4-2. Assessment factors for three assessment types: trust, risk and dependability. The class Assessment is also a subclass of AssessmentFactor because of the composite assessments that are derived from other assessments. The assessment factors for threat are the risk of the request and the trust granted to the subject. The assessment factors for the impact are the dependability and importance of the object and the risk of the request.
CHAPTER 5
GENERAL APPROACH PART 3: CONTEXT APPLICATION

5.1 Introduction

The last phase of the process of architecting context-aware behavior is the application of context data. If we define access control as a family of strategies for one party to precisely control what other parties will be allowed to do with resources that it controls [46, 45], then it becomes apparent that access control is performed at virtually every layer of a system, including at the network, operating system and application levels. To show concrete impact of the approach it is necessary to focus the application of context data on improving some aspect of the performance of access control. Some of the design goals for context application are the following:

Responses native to the access control paradigm. The primary elements of manipulation for access control systems are permissions: the modes of interaction allowed for various subjects with system resources. There are many different types of responses to intrusions, but as the focus here is on context-aware behavior for access control, we will focus on strategies that manipulate the permissioning process at the access control level.

Application level context application. All of the strategies used for the application of context data will be designed to be applied at the application level, meaning: any piece of software relying on an underlying operating system for the management of hardware resources. This will enable us to continue the work we have previously done in XACML, a widely adopted framework for application-level access control. This will also increase the possibility that the system for context application can be further extended by other researchers.

5.2 Context-Based Policy Evaluation

The first approach to utilizing context data that will be discussed is context-based policy evaluation. This process relies on the introduction of context dependencies into the access control policy that are resolved at policy evaluation time by using information from the context analysis process.

5.2.1 Access Control Schema Extension

Using the abstraction of an event as the unifying factor for security integration, it is still necessary to find a concrete representation for the attributes of those events. In most current systems, access control has the role of enforcing global security policy. All requests for resources must be checked against an access control policy before they are granted. But most present methods for access control make little or no use of intrusion detection data. The merged policy option does solve this problem by developing a schema that includes concepts from all three relevant domains, but in the process of migrating IDS concepts to the access control domain, it also migrates the intrusion detection method into a policy specification.

Our approach will be to provide a common policy by developing new attributes that can be included in a traditional access control policy. These attributes will describe the following:

- properties of intrusion detection alerts that should be taken into account when returning a value for the attribute
- the desired procedure for calculating the value returned for the attribute

In essence, the coupling between IDS attributes in the access control policy and the details and information used by the actual IDS systems will be loosened. An additional layer of abstraction will be added to make the binding to those access control attributes independent of the IDS implementation.

This approach also demands that the author of the mapping function understand the output of the IDS systems. The use of a standard schema for IDS information will enable the implementer of the access control policy evaluation mechanism to write a single function for each new attribute added to an access control policy, provided that the IDS systems in use either use that standard schema natively, or provide a transformation from the native format to the standard one.

This policy extension will provide the means for semantic integration. One of the methods for data persistence conversion will be used here to return the necessary value for the access control policy from the set of relevant IDS alerts. This operation will require a limited form of conversion because the schema for IDS alerts is different than the schema for the access control policy.

Based solely on the aggregation relationships specified in [9] and using the concept of threat outlined previously, the following attributes were added to the XACML schema of the access control mechanism described in Section 3.3.2:

1. source-target-class-threat: provides the total severity of the threat from this source to this resource in this class of attack
2. source-target-all-class-threat: provides the total severity of the threat from this source to this resource for all classes of attack
3. source-class-all-targets-threat: provides the total severity of the threat from this source to all resources with this class of attack
4. all-sources-target-class-threat: provides the total severity of the threat from all sources to this resource in this class of attack
5. source-all-targets-all-threats-threat: provides the total severity of the threat from this source to all resources for all classes of attack
6. all-sources-target-all-classes-threat: provides the total severity of the threat from all sources to this resource for all classes of attack
7. all-sources-all-targets-class-threat: provides the total severity of the threat from all sources to all resources for this class of attack

Each rule using these attributes contains at most two parameters: the threat threshold value and, for cases 1, 3, 4 and 7, an attack class. The source and target are specified in the access control request and therefore do not need to be specified in the policy; the values for source and target are inherited from the request. Examples of access control rules incorporating these properties are provided in Figures 5-1, 5-2, 5-3, 5-4 and 5-5.
The process for access control schema extension under the federated implementation is discussed in Section 6.5. Unlike the XACML-based implementation, because the access control process in the Apache web server was not designed to incorporate contextual information into its schema, the process of schema extension there is less structured. The subsequent discussion will therefore rely on the XACML schema abstractions for discussing the incorporation of context data in the application process.

5.2.2 Application Scenarios

We provide some examples of situations where our approach can be used to provide very granular IDS-aware access control.

Threat escalation by a single source. In this first scenario we have a single source performing multiple intrusive requests against various system resources. The aim in this case is to restrict access to system resources from this source after the threat profile for that source passes a given threshold. This application is similar to the packet filtering performed by some Intrusion Prevention Systems (IPS), but with a few major differences. The first is that this technique can be applied dynamically based on the past history of the source, whereas a static packet filter must be configured manually to filter based on source. The second is that, because this restriction is performed at the application level, there is a wider range of possible responses available. Access could be denied entirely, similar to packet filtering, or only specific access rights could be revoked, allowing a more measured response.

In a concrete example we consider a web server with three available resources: R1, R2 and R3. Each of the resources is governed by a policy that denies requests coming from sources with a threat profile above 25. The basic structure of the rule is shown in Figure 5-1. Each resource is assigned an impact value ranging between 1 and 3, and confidence values range between 1 and 5 based on the number of systems referencing the vulnerability used.


Two different hosts, S1 and S2, make requests to the server in parallel. Host S1 attempts three web CGI exploits against the server, with its overall threat profile increasing each time. By the time it requests R1 on its fourth overall request to the server, its threat profile exceeds the threshold allowed in the policy that controls R1, R2 and R3, and it is therefore denied access to all of them. Simultaneously, because S2 has maintained a threat profile of 0, it can continue to access all of the resources available. An example of this scenario is summarized in Table 5-1.

Threat escalation against a single target. In this second scenario, we consider a web server with two available resources: R1 and R2. Access to each of the resources is regulated by a policy that denies write and update requests when the threat profile for the resource is over 30. The basic structure of the threat rule is shown in Figure 5-2. Three different hosts, S1, S2 and S3, make requests to the server in parallel. In this case, however, after two independent requests from S1 and S2 for R1, the threat profile of the resource is at 20. As a result, a third request for R1 from S3 is denied. All of the hosts, however, can still access R2 because none of their individual threat profiles exceeds the threshold set in the policy that controls R2. An example of this scenario is summarized in Table 5-2.

5.3 Context-Based Threat Response

The next strategy for context application extends the notion of context-based policy evaluation by identifying traditional intrusion response strategies and applying them based on context data, while still maintaining context dependencies in the access control policies. We will first survey the available intrusion response methods, noting the factors that determine the circumstances under which they are used effectively. We will then utilize the context data produced during the analysis process as the criterion for employing appropriate mitigation, prevention and response methods. Another difference between this application technique and the previous one is that each of these response methods depends on multiple properties before it is applied, whereas the previous context dependencies only introduced a single property into the access control policy.
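The following added example (not the dissertation's XACML policy decision point or Apache handler) implements the seven aggregate threat attributes of Section 5.2.1 as queries over a store of per-alert severities keyed by source, target and attack class, evaluates deny rules against them, and replays both scenarios of Section 5.2.2. Alert severities follow Tables 5-1 and 5-2; the attack-class label web-cgi, the action names and the greater-than-or-equal comparison of Figures 5-1 and 5-2 are assumptions. The target-side threshold is set to 20 here so that the third write to R1 is denied at the Table 5-2 total of 20, whereas the text of Section 5.2.2 states 30.

```python
"""Aggregate threat attributes over IDS alerts, threshold rules over them, and
a replay of the Section 5.2.2 scenarios (added example; not the dissertation's
PDP).  Severities follow Tables 5-1/5-2; class label, action names and the
>= comparison are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# the seven attributes of Section 5.2.1: which request dimensions each binds
ATTRIBUTES = {
    "source-target-class-threat":            ("source", "target", "class"),
    "source-target-all-class-threat":        ("source", "target"),
    "source-class-all-targets-threat":       ("source", "class"),
    "all-sources-target-class-threat":       ("target", "class"),
    "source-all-targets-all-threats-threat": ("source",),
    "all-sources-target-all-classes-threat": ("target",),
    "all-sources-all-targets-class-threat":  ("class",),
}

class ThreatStore:
    """Running sums of alert severity keyed by (source, target, attack_class)."""
    def __init__(self):
        self._sev = defaultdict(int)

    def record(self, source, target, attack_class, severity):
        self._sev[(source, target, attack_class)] += severity

    def threat(self, source=None, target=None, attack_class=None):
        """Sum over alerts matching the bound dimensions; None means 'all'."""
        return sum(v for (s, t, c), v in self._sev.items()
                   if (source is None or s == source)
                   and (target is None or t == target)
                   and (attack_class is None or c == attack_class))

def attribute_value(store, name, source, target, attack_class=None):
    """Resolve one policy attribute: source/target come from the request,
    the attack class (when the attribute binds it) from the rule."""
    bound = ATTRIBUTES[name]
    if "class" in bound and attack_class is None:
        raise ValueError(f"{name} requires an attack class in the rule")
    return store.threat(source=source if "source" in bound else None,
                        target=target if "target" in bound else None,
                        attack_class=attack_class if "class" in bound else None)

@dataclass
class Rule:
    attribute: str
    threshold: int
    attack_class: Optional[str] = None
    actions: Optional[frozenset] = None    # None = any action
    resources: Optional[frozenset] = None  # None = every resource

    def applies(self, target, action):
        return ((self.resources is None or target in self.resources)
                and (self.actions is None or action in self.actions))

def evaluate(store, rules, source, target, action):
    """Deny when any applicable rule's attribute reaches its threshold."""
    for rule in rules:
        if rule.applies(target, action) and attribute_value(
                store, rule.attribute, source, target, rule.attack_class) >= rule.threshold:
            return "Deny", rule.attribute
    return "Permit", None

def run_scenario(rules, requests):
    """requests: (source, target, action, alert_severity, attack_class).
    The decision uses threat accumulated before this request; its own alert
    (if any) is recorded afterwards.  Returns one trace row per request:
    (source, target, action, decision, source total, target total)."""
    store = ThreatStore()
    trace = []
    for source, target, action, severity, attack_class in requests:
        decision, _ = evaluate(store, rules, source, target, action)
        if severity:
            store.record(source, target, attack_class, severity)
        trace.append((source, target, action, decision,
                      store.threat(source=source), store.threat(target=target)))
    return trace

def scenario_single_source():
    """Table 5-1: deny any request from a source whose total threat is >= 25."""
    rules = [Rule("source-all-targets-all-threats-threat", 25)]
    requests = [("S1", "R2", "read", 8, "web-cgi"), ("S1", "R3", "read", 10, "web-cgi"),
                ("S1", "R2", "read", 8, "web-cgi"), ("S1", "R1", "read", 0, None),
                ("S2", "R1", "read", 0, None)]
    return run_scenario(rules, requests)

def scenario_single_target():
    """Table 5-2: deny writes/updates to a resource whose total threat is >= 20
    (assumed threshold; the text states 30 but the table denies at 20)."""
    rules = [Rule("all-sources-target-all-classes-threat", 20,
                  actions=frozenset({"write", "update"}))]
    requests = [("S1", "R1", "write", 10, "web-cgi"), ("S2", "R1", "write", 10, "web-cgi"),
                ("S3", "R1", "write", 0, None), ("S3", "R2", "write", 0, None)]
    return run_scenario(rules, requests)
```

Because every attribute is a projection of the same (source, target, class) store, adding a rule never changes how alerts are collected; it only changes which dimensions are bound from the request and which from the rule, which is the loose coupling between IDS data and policy that Section 5.2.1 asks for.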


Carver [68] offers a number of responses along with the situations in which they can be used appropriately. We present a summary of the most relevant methods in Table 5-3, along with their respective implementations at the access control level. Implementations for four of the six aforementioned response methods are ongoing: restricting user activity (both specific actions and all actions), blocking access to threatened services, and forcing additional authentication.

Forcing additional authentication. This approach will be implemented by adding a rule to the access control policy for the desired resources that specifies additional authentication as the obligation if certain conditions are met. The request is denied pending further authentication.

Complete user activity restriction. Accomplished by keeping a dynamically updated blacklist of sources that have exceeded allowable thresholds for intrusive behavior and simultaneously have a low amount of trust. A new attribute will be provided that requires a custom attribute evaluation module similar to the ones used to perform context-based policy evaluation in Section 5.2. This module will return a Boolean value indicating whether the requesting user is unconditionally blocked or not. The evaluation module will query a blacklisting service that runs within the policy decision point itself. This blacklisting service will examine available behavior within a pre-determined time window and will blacklist users temporarily when their behavior exceeds the allowable threshold. The threshold will also depend on the level of trust accorded to the user: a greater amount of trust gives a correspondingly higher threshold. An example of a policy to block or lock out a user is shown in Figure 5-4.

Blocking access to threatened services. Also achieved through a new policy attribute evaluated with a custom evaluation module that returns a Boolean value indicating whether requests to that target are being denied due to an overwhelming amount of suspicious traffic. If this attribute is used in a policy, then this module will query a service monitoring incoming requests to the services under control of the policy enforcement point. Based on the required availability of the target (recorded in an asset database), a threshold will be set for the amount of intrusive behavior that can be tolerated before access to the resource should be blocked. An example of a policy designed to block access to a threatened resource is shown in Figure 5-3.

Restricting user activities. A new set of policy attributes will be introduced to designate the restriction of specific permissions. A module will be provided for each attribute which will check whether the source of the request meets the criteria to be able to perform that specific action; if not, that specific request will be blocked. Each resource will have thresholds for source trust, the severity of the threat and the certainty of the assessment, which will be inputs to the function that determines whether the specific permission will be allowed for that request. An example of a policy to restrict user activity is shown in Figure 5-5.

5.4 Summary

Two general uses for context with regard to access control are explored here: the evaluation of policies with contextual dependencies and the triggering of responses based on context data. The context-based evaluation of policies requires that the policy schema be extended with new attributes and that dependencies be added to the policy that force context information to play a role in the decision issued by the enforcement mechanism. Context-triggered response, however, focuses on identifying specific scenarios which can be indicated by context data and then matching those scenarios with a high-level countermeasure that will help mitigate the risk in that scenario. Because access control is primarily a policy enforcement mechanism, there is an element of commonality between the two approaches: the implementation of the response techniques will likely take place at the policy level. Context-triggered response builds on the inclusion of context data in the policy evaluation process and provides a response based on comparing multiple types of individual contextual properties.
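An added example of the blacklisting service behind the user-account-lock-status attribute of Figure 5-4 (a sketch of the mechanism described under complete user activity restriction above, not the dissertation's module): severities are summed over a sliding time window, the threshold rises with the subject's trust level, and the block expires after a lockout period so that the blacklist is temporary. The window length, the lockout, the 0 to 4 trust scale and the threshold constants are assumptions, as is the burst of alerts in the demo.

```python
"""Sliding-window blacklisting service behind the user-account-lock-status
attribute (added example; window, lockout, trust scale and thresholds are
assumptions, not the dissertation's values)."""
from collections import defaultdict, deque

class BlacklistService:
    def __init__(self, window=300.0, lockout=600.0, base_threshold=20, per_trust_level=10):
        self.window = window                  # seconds of behaviour examined
        self.lockout = lockout                # seconds a block lasts (temporary blacklist)
        self.base_threshold = base_threshold  # allowed windowed severity at trust level 0
        self.per_trust_level = per_trust_level
        self._events = defaultdict(deque)     # source -> deque of (timestamp, severity)
        self._blocked_until = {}

    def threshold_for(self, trust_level):
        """More trust, higher threshold (assumed linear scaling over levels 0-4)."""
        return self.base_threshold + self.per_trust_level * max(0, int(trust_level))

    def windowed_severity(self, source, now):
        """Sum of severities reported in the last `window` seconds; older
        entries are dropped from the front of the deque."""
        q = self._events[source]
        while q and q[0][0] < now - self.window:
            q.popleft()
        return sum(sev for _, sev in q)

    def report(self, source, severity, now, trust_level):
        """Record an intrusive event for `source`; returns True if the source
        is now blocked.  trust_level is the trust assessment of the subject."""
        self._events[source].append((now, severity))
        if self.windowed_severity(source, now) >= self.threshold_for(trust_level):
            self._blocked_until[source] = now + self.lockout
            return True
        return False

    def user_account_lock_status(self, source, now):
        """Boolean consumed by the policy attribute of Figure 5-4."""
        until = self._blocked_until.get(source)
        if until is None:
            return False
        if now >= until:              # lockout expired: the block is temporary
            del self._blocked_until[source]
            return False
        return True

def demo():
    """Constructed: the same burst of three alerts (8, 10, 8 within two
    minutes) from an untrusted source S1 (level 0) and a trusted source S2
    (level 3).  Returns lock status right after the burst and after lockout."""
    svc = BlacklistService(window=300, lockout=600)
    out = {}
    for source, trust in (("S1", 0), ("S2", 3)):
        for t, sev in ((0, 8), (60, 10), (120, 8)):
            svc.report(source, sev, now=t, trust_level=trust)
        out[source] = (svc.user_account_lock_status(source, 121),
                       svc.user_account_lock_status(source, 121 + 600))
    return out
```

The module keys on the combination the text asks for: a source is blocked only when its windowed intrusive behaviour is high relative to the trust it has been granted, so the identical burst locks out S1 but not S2, and the lock clears on its own once the lockout elapses.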


Both of the methodologies outlined here, context-based policy evaluation and context-based threat response, are incorporated into the system implementation detailed in Chapter 6. Context-based policy evaluation is achieved by directing request evaluation to custom access handlers that interact with an analysis server and then return a decision after checking the risk value against thresholds set in the policy specification. Context-based threat response is incorporated in that each access control handler enables a different response, more suitable to one situation or another, based on examining specific context information.
Figure 5-1. XACML rule including source-centered threat. This rule demonstrates the extension of the XACML schema with a new property, total-source-threat. This property is designated as an attribute of the subject of the request. An integer function is used to compare the value returned for this property with the designated value of 20. If the total-source-threat property is greater than or equal to this value, then the rule has the effect of causing the request to be denied.

Table 5-1. Escalation of threat in subsequent requests by two different sources. When the threat is assigned to individual sources separately, the system is able to distinguish between malicious and non-malicious subjects.

Source   Request   Threat   Total source threat
S1       1st       8        8
S1       2nd       10       18
S1       3rd       8        26
S2       1st       0        0

Table 5-2. Escalation of threat in subsequent requests by three different hosts on a common target. When the effect of requests from different subjects to the same object is considered in aggregate, the system is able to contextualize individual requests into an overall pattern of interaction with the object.

Source   Order of request   Threat   Total target threat
S1       1st                10       10
S2       2nd                10       20
S3       3rd                0        20
Figure 5-2. XACML rule including target-centered threat. This rule demonstrates the extension of the XACML schema with a new property, total-target-threat. This property is designated as an attribute of the resource being accessed. An integer function is used to compare the value returned for this property with the designated value of 30. If the total-target-threat property is greater than or equal to this value, then the rule has the effect of causing the request to be denied.

Figure 5-3. XACML rule including an attribute indicating that a resource is locked. This rule demonstrates the extension of the XACML schema with a new property, resource-lock-status. This property is designated as an attribute of the resource being accessed. A Boolean function is used to compare the value returned for this property with the designated value of 'true'. If the resource-lock-status property is true, then the rule has the effect of causing all requests to this resource to be denied.

Figure 5-4. XACML rule including an attribute indicating that a user account is locked. This rule demonstrates the extension of the XACML schema with a new property, user-account-lock-status. This property is designated as an attribute of the subject initiating the request. A Boolean function is used to compare the value returned for this property with the designated value of 'true'. If the user-account-lock-status property is true, then the rule has the effect of causing all requests from this source to be denied.

Figure 5-5. XACML rule including a property to restrict a specific permission. This rule demonstrates the extension of the XACML schema with a new property, user-write-prohibit. This property is designated as an attribute of the subject initiating the request. The Policy Decision Point will be extended with a new module that provides the logic to produce a current value for this property. A Boolean function is used to compare the value returned for this property with the designated value of 'true'. If the user-write-prohibit property is true, then the rule has the effect of causing the request to be denied.
Table 5-3. Selected intrusion response strategies. Each general response strategy is listed along with its appropriate use case, its implementation at the access control level and the contextual properties that constrain its application.

Locking user accounts
  Use case: compromise of the user account in question.
  Access control level implementation: global policy that denies requests from a particular source.
  Application constraints: high certainty of attack and high risk evaluation for the source, with low to moderate user trust.

Disabling the attacked ports or services
  Use case: making the port or service inaccessible.
  Access control level implementation: global policy that denies requests to a particular target.
  Application constraints: high certainty, high target-centered threat, low target availability requirement.

Force additional authentication
  Use case: may slow or stop intrusions (especially automated ones) while authorized users will continue.
  Access control level implementation: policy that requires multiple authentication tokens for a request to be granted.
  Application constraints: used with low-certainty source-, target- or pair-centered threats of moderate to high level.

Restrict user activity
  Use case: suspicious users may be restricted to a special user shell that allows some functionality while restricting certain commands.
  Access control level implementation: policy that separates allowed actions into levels based on the perceived threat class of the user.
  Application constraints: (1) low to mid certainty of attack and low to mid user trust; (2) high certainty of attack and high trust, which would indicate the account has been compromised; (3) low to mid threat severity.
CHAPTER 6
ADAPTIVE RISK-AWARE ACCESS CONTROL FOR WEB SERVERS

6.1 Introduction

6.1.1 Connection Between the Implementation and Previous Chapters

The previous chapters have sought to answer some of the fundamental questions regarding how context-aware security systems can be designed. The design process has been broken down into a few main elements to ensure that each step helps fulfill the larger design goals of the system.

This chapter will focus on addressing some of the more specific questions regarding the use of intrusion detection data in an access control process, such as dealing with data inaccuracies and ensuring performance in the face of large amounts of incoming data and high request frequency. The solutions presented in the implementation will rely on the groundwork established in the previous chapters.

A federated approach is used that follows the principles discussed in Section 3.2.2. The correlation ontology of Section 3.4.5 is adapted to a relational database model that serves as the schema for the event database described in Section 6.5. An independent analysis server performs the functions of aggregating context information and then disseminating it. The implementation focuses on one of the context properties defined in the Chapter 4 ontology of assessment properties: that of risk. A model is defined for deriving risk information from assessments produced by an intrusion detection system on attempts to exploit software vulnerabilities. This model designates how risk is assigned to both subjects and objects of access requests. Details are also provided on how the analysis data is applied and used in the access control process. Context-based policy evaluation, previously discussed in Section 5.2, is achieved by providing custom access control handlers that interact with the analysis server to receive risk information. These access control handlers also implement the response techniques discussed in Section 5.3.

6.1.2 Implementation Overview

The proposed solution for achieving attack-resistant access control is the use of real-time assessment data in access control policy evaluation and enforcement. Specifically, evidence of vulnerability exploitation is collected and analyzed into a higher-level risk assessment for the sources and targets of access control requests. This risk assessment is subsequently used as an additional parameter or contextual property in access control policies, so that permit and deny decisions for an incoming request are based on an assessment of the risk posed by the requesting source and/or the risk posed to the targeted resource. This approach has been termed the Adaptive Assessment-Based Access Control System (ABACUS for short).

Two closely related strategies for implementing this approach are discussed. The first is an approach relying on on-demand analysis, abstracting the three parts of the context management process (acquisition, analysis and application) into different server mechanisms and performing the analysis by aggregating requests and deriving a risk assessment as new requests come in. A set of results is then provided for the testing done with an implementation of this approach, along with conclusions on the constraints and limitations of this approach.

The second approach differs in that the analysis function is triggered by new security events in the system and, consequently, the analysis does not take place as a function of an incoming request. Risk assessments are continually maintained for all of the entities in the system. As new assessment data becomes available, those risk assessments are updated for the entities in that event. A set of results is then provided for the testing done with this approach, along with conclusions on its constraints and limitations. Finally, a summary and relative comparison of the two approaches is offered.

6.2 Intrusion Response and Attack Resistance

6.2.1 Strategy Selection

The strategies put forth in the literature for responding to intrusions and attempted system attacks are very numerous and varied. Therefore, it is necessary to select only those that most closely match the requirements for achieving the desired goal: namely, attack-resistant access control. The first restriction is that the responses applied should serve to manipulate some element in the access control domain. Access control is primarily concerned with a set of subjects, a set of objects and the specific operations that each subject can perform on each object. So our response technique must manipulate these permissions, either at the subject's side (by designating which actions a subject can perform) or at the object's side (by designating what can be done with the object). The second requirement is that the strategy or response can be triggered using risk data.

A number of different intrusion responses are detailed in [49, 48]. Using the criteria just discussed, however, the following three strategies were selected as appropriate for this application: (1) forcing additional authentication, (2) restricting subject permissions, (3) restricting object permissions.

Forcing authentication could take a number of forms. The first would be forcing anonymous authentication. This is a strategy that has become somewhat common on the Internet today; it implements an authentication check not based on a shared secret between the user and the host system (such as a password) but based on the subject's ability to perform an operation that distinguishes him from a class of undesirable users (frequently automated attack scripts). Another form of authentication would be a traditional password check that establishes the actual identity of the user. In either form, however, the aim is to ensure that the user requesting access is not a member of the set of users who should be denied access to the resource.

The response of restricting subject permissions also takes more than one form. The first restricts the subject from performing a specific operation or restricted set of operations across the entire set of system resources. This somewhat assumes that the set of system resources has a set of common actions or operations. The second form is an extension of the first, which adds all of the available operations to the restricted set, effectively locking the subject out of performing any action on any of the system resources.

Similarly to the previous two operations, the response of restricting permissions on a target has two forms. The first restricts all subjects from performing a specific action or restricted set of actions on the object in question. The next form blocks all subjects from performing any operation on the object. These techniques satisfy the previously mentioned requirements and provide a framework of responsive behaviors that can be used to curtail or limit intrusive actions in the system.

6.2.2 Response Triggering

The next aspect to detail is when the response techniques will be employed, or based on what conditions they will be activated and how those conditions will be described. Our approach to response selection falls roughly within the third category of the intrusion response taxonomy mentioned earlier: cost-sensitive response selection. The author of the access control policy is responsible for deciding which security risk factors (i.e., global system risk, risk from the requesting source or risk to the target) will be used during the process of evaluating whether or not a request will be permitted. These individual measures are therefore the inputs into the response selection process. Each risk factor is then matched with a threshold that determines when the action associated with the factor should be performed.

6.3 Notion of Risk and a Preliminary Risk Assessment Model

Risk was previously defined, along with its critical determining factors, in the assessment ontology from Section 4.2.

6.3.1 Analysis Model

We consider the following basic scenario: a new access control request $r_1$ is generated. This request has a source $s_1$ and a target $t_1$. We take an approach to assessing the risk of the request that relies primarily on assessing the source and target of the request. Therefore, the first step is to aggregate the set of requests generated by the source, $R_{s_1} = \{r_a, r_b, r_c, \ldots, r_n\}$, and by the target, $R_{t_1} = \{r_f, r_g, r_h, \ldots, r_m\}$, and thereby assign risk to those entities. The first section will deal with how we arrive at a risk assessment for each request in the aggregate sets for the source and target. The next section will then deal with how those values are combined to arrive at a single assessment for the entity.

Estimating risk for past events. Risk is associated with a probable intrusion attempt, evidenced by an attempt to exploit a system vulnerability. The risk posed by a request, therefore, is proportional to the severity of the vulnerabilities it is suspected of seeking to exploit.

The CVSS standard provides a widely accepted, quantitative measurement scale for the severity of vulnerabilities, and therefore we will leverage that standard for the rating of vulnerabilities. The overall method for providing a single vulnerability estimate based on multiple vulnerabilities spread out over time is derived from the method used in [69]. The method has been adapted, however, to take as input a set of vulnerabilities associated with a request, instead of the set of vulnerabilities that apply to a particular service. The function $R(r_j)$ given below provides an estimation of the total risk for a request $r_j$ by taking the exponential average of all of the vulnerability descriptions associated with that request. The exponential average was chosen, as noted in [69], to provide a risk estimate for the request that is at least as large as the highest-severity vulnerability associated with the request.

\[
R(r_j) = \sum_{v_k \in V(r_j)} e^{SS(v_k)} \cdot \mathrm{Decay}(r_j)
\]

\[
\mathrm{Decay}(r_j) = e^{-(\text{current time} - \text{request time}(r_j))}
\]

In many cases, an alert is triggered by an intrusion detection system and, because of the nature of the request, it could correspond to multiple vulnerabilities. The set $V(r_j)$ is the set of all vulnerability exploitation signatures triggered by the request $r_j$; $SS(v_k)$ is the magnitude of the vulnerability $v_k$; $\mathrm{Decay}(r_j)$ serves as a weighting for each vulnerability based on the age of the request. It determines the amount of the original magnitude that remains as a function of time; this allows more recent information to play a more prominent role in a risk evaluation. A decay period parameter sets the time after which the magnitude of the request begins decreasing.

Estimating the risk posed by a source or to a target. The risk posed by the source of a request is then the weighted sum of the risk values for all of the requests that can be attributed to that source. We define the function $\mathrm{SR}(s_i)$ to be the risk assessment assigned to a source $s_i$. This is given by the following formula, in which the final weighting and the additive constant inside the logarithm are scalar parameters (shown as $\square$):

\[
\mathrm{SR}(s_i) = \square \cdot \ln\Big(\square + \sum_{x \in \{H, M, L\}} w_x \sum_{r_j \in HV_x(s_i)} R(r_j)\Big)
\]

All of the requests initiated by a source $s_i$ and associated with an attempt to exploit a system vulnerability are contained in the set $HV(s_i)$. This set is then divided into three subsets, $HV_L(s_i)$, $HV_M(s_i)$ and $HV_H(s_i)$, based on the magnitude of the risk for the request. The set $HV_x(s_i)$ denotes all of the requests with vulnerability exploitation assessments of a certain severity level (Low, Medium or High) for which $s_i$ is the source. Each set is summed into the total risk evaluation with a weighting of $w_x$. The final weighting amplifies the output so that differences between different sources can be viewed more effectively. The exponential average is used again, to give an overall estimate that is at least as large as the weighted sum of the highest-severity vulnerabilities in each of the three classes. The logarithm of the weighted sum is taken to keep the output within a range that is manageable and which can be

Similarly, the risk associated with a target $t_i$ is given by the function $\mathrm{TR}(t_i)$:

\[
\mathrm{TR}(t_i) = \square \cdot \ln\Big(\square + \sum_{x \in \{H, M, L\}} w_x \sum_{r_j \in HV_x(t_i)} R(r_j)\Big)
\]

In this case, however, the set $HV_x(t_i)$ denotes all of the requests with vulnerability exploitation assessments of a certain severity level (low, medium or high) for which $t_i$ is the target.

Contributions of this assessment model. Extending the work done on security metrics that assess the state of the system at a given point in time, we propose (a) the use of security metrics to monitor the system state in real time and (b) to focus the use of system metrics on assessing the principal entities in access control requests, namely request sources and targets. The focus is therefore on using vulnerability exploitation information to develop risk assessments for entities in a system.

In particular, we have used a method based on the one in [69] to combine the magnitude of multiple vulnerabilities spread out over time, but focused on when the request was generated instead of when the vulnerability was discovered as a means for assessing the security of a particular service.

6.4 Triggering Restricted Permissioning With Risk Data

Although the cost determination equations for response selection are highly system dependent, the risk progression in Figure 6-1 is provided as an example and has been tested using the model discussed previously. For this specific progression, the attacker executes exploitation attempts of mid-severity every 60 seconds. The risk progression would change if any of the variables, such as the risk rating of the individual requests, the inter-arrival time between requests, or the weighting of the low, medium and high level risk events, were adjusted.

Using the example risk progression, the following sample conditions are provided for performing each of the previously mentioned intrusion responses:

1. if Source_Risk >= 36.11 OR System_Risk >= 53.8 THEN Force_Authentication
2. if Target_Risk >= 41.11 THEN Restrict_Permission_X_On_Object
3. if Source_Risk >= 41.11 THEN Restrict_Permission_X_For_Subject

The first condition forces authentication for the subject if the risk generated by the subject exceeds 36.11 (roughly three exploitation attempts of mid-severity) or if the overall system-level threat exceeds 53.8 (fifteen exploitation attempts). The second condition denies the subject from performing action X on the object if the target risk has risen at or above 41.11, meaning it has received 5 or more exploitation attempts. The last condition denies the subject from performing action X on any objects if the source risk is at or above 41.11, meaning that 5 or more exploitation attempts have been attributed to that subject.

6.5 Abacus Framework Architecture

The architecture abstracts the risk analysis functions into an external risk analysis service, which the access control system is then adapted to interact with. The access control system used to demonstrate this architecture is the Apache web server. This second approach corresponds roughly to a federated or service-oriented approach. The three risk types discussed previously (source, target and system) are each implemented in an analysis module which can provide a risk assessment for the appropriate entity or, in the case of the system-level risk, for all of the entities. All of the analysis data is then made available by an analysis service that receives and services requests for risk analysis information. The web server is also extended to perform the three intrusion responses discussed previously as the means to attack resistance: forcing additional authentication, restricting user permissions and restricting access to a target. Based on the resource and the actions available on that resource, a threshold is determined for the source- and target-associated risk above which requests are denied.

Event database. The event database is backed by a relational database implementation, in this case MySQL. Some of the structure of this database was derived from the IDMEF schema [50]. Other parts of the structure were produced as part of a larger ontology for security assessment parameters, which is soon to be published. The event database contains the following tables:

CVSS Vulnerabilities - this table stores information regarding current vulnerabilities from the National Vulnerability Database (NVD), which has adopted the CVSS scoring system. Each vulnerability is listed along with its CVSS base score, exploit sub-score, impact sub-score, overall score and vector. The name of the vulnerability, the product it affects and the versions of that product that are vulnerable are also stored in this table.

Network Access Requests - entries in this table are generated on the receipt of an IDS alert by the alert processing engine. The IP address and port of the source node are listed along with the IP address and port of the target node. The time of the request, the action being performed and the target entity are also included in this table.

Files - listing of all file entities referenced in requests; includes the file's path and a reference to the node on which the file is hosted.

Nodes - listing of all node entities referenced in requests; includes the node's IP address.

Port - listing of all ports referenced in requests; includes the node that the port was on, and the protocol to which it was bound.

User - listing of all users referenced in requests; includes their user id.

Intrusion Assessments - this table links individual requests to an intrusion assessment. Each assessment provides a classification for the event, its severity (which may be provided by the IDS) and whether or not the attack completed successfully. It also includes the id for the analyzer which produced the assessment and any additional data that the IDS provides, such as the packet payload, etc.

Vulnerability Descriptions - a vulnerability description provides information on a concrete software vulnerability. Each vulnerability description is provided by a vulnerability database; for the purposes of this study we only use CVE vulnerabilities because they have an objective scoring system. Each vulnerability description, therefore, only links to one element in the table of CVSS vulnerabilities and, consequently, only has one base score. The table also stores the reference name and URL, along with a link to the intrusion assessment which references the vulnerability.

Request Risk Cache - this table stores a calculated risk value for each request id by querying for the CVSS score for all of the vulnerability descriptions that are linked to an intrusion assessment and which provide a CVE ID. As mentioned in the section describing the model, the exponential average of all of the CVSS scores for the vulnerability descriptions used in a particular intrusion assessment is taken, and this value is stored in the request risk cache. When a particular risk handler queries the risk cache to produce a risk evaluation for a particular entity, the risk estimate is multiplied by the decay factor to produce a dynamic risk estimate for that particular request.

Dynamic risk modules. The three dynamic risk modules implement the functions described under the risk model. The functions for each handler are the same, with the exception of the first step. In the case of the source risk handler, all of the requests originating from that source are aggregated. For the target risk handler, all of the requests directed at that target are aggregated. Lastly, for the system risk handler, all of the system requests are aggregated. Following this, for those existing requests that may be cached in the request risk cache, the estimate value is pulled and the decay function is calculated. If no value is cached, then the risk handler calculates a risk estimate by joining the request, intrusion assessment, vulnerability description and CVSS vulnerability tables to find all of the CVSS scores for all of the vulnerability descriptions referenced as a part of the intrusion assessment for the request. Based on this, a static risk estimation is produced and cached for future access.

Alert processing module. The alert processing module is responsible for extracting the information for each of the tables mentioned previously from the alerts it receives. In addition, it can perform the functions of filtering out alerts that do not reference concrete vulnerabilities, or alerts for which the vulnerability does not match the current system configuration.

The architecture is shown in Figure 6-2. The analysis server performs risk analysis operations, providing risk assessments for various entities (sources and targets) based on requests from the access control system. The intrusion detection system listens on the link for incoming requests and reports alerts for any requests that seem intrusive; in this case, specifically, those requests that appear to be an attempt to exploit a known software vulnerability. The raw alerts from the IDS are passed through a processing module that may filter the alerts using concrete vulnerability or configuration verification, as mentioned earlier. Finally, the data from the new events is stored in an event database.

The access control system used with the second approach was the Apache web server. In order to make as few modifications as possible to its existing access control policy evaluation mechanism, the ability to make and specify custom access control handlers for certain resources was utilized. Rather than returning a value for a specific attribute and querying against the event database within the access control handlers, the querying and analysis functions were abstracted into an external analysis server that provides risk analysis as a service. Requesting access control systems, such as the Apache web server implementation, submit requests to the analysis server specifying the type of desired risk analysis (source, target or system) and, in the case of the source and target analyses, the attributes of the entity which the analysis should center around. Based on the risk assessment returned and the risk threshold that is assigned to that particular resource or action, a permit or deny decision is returned.

Source restriction implementation. An excerpt from the httpd.conf file for the web server that establishes the access control handler for restricting source permissions is shown in Figure 6-3. This directive establishes the module "SourcePermissionRestrict" as an access control handler. This module implements the attack response of restricting source permission. In this particular example five different levels of granularity are established. Action "A1" is the least tolerant of risk: a threshold of 26 is set for the source risk, above which requests will be denied. The other actions are progressively more risk-tolerant. The final threshold, "SourceLockoutThreshold", establishes that a source will be blocked from all actions on all objects when its source risk level exceeds 41. The corresponding pseudocode for the handler is shown in Figure 6-4.

The processing steps for the source restriction and target restriction handlers are essentially the same, summarized in the following steps:

1. The properties of the request subject and object of the request and the action being performed are extracted from the URL and the request properties.
2. A request to the risk analysis server is generated specifying (a) which type of analysis data is required and (b) the identifier for the subject or object of the request.
3. Once the risk value is returned, it is compared with the thresholds specified in the configuration file to determine if the request should be denied.
4. If none of the thresholds are violated, the request is permitted.

Force authentication implementation. The policy configuration for the access control module to force authentication is shown in Figure 6-5. The authentication module was actually written as a content handler, because the Authentication handlers are somewhat restricted and would not allow for the type of random challenge authentication that was desired in this case. The example shown establishes three independent thresholds, any of which could be used to trigger authentication for the requesting source. The corresponding pseudocode for the authentication module is shown in Figure 6-6. The system threshold is higher to limit the number of authentication requests that are necessary when the risk for a particular source or target is not yet at a suspicious level. It also, however, offers protection for as-yet untouched resources when the majority of intrusive traffic is concentrated elsewhere in the system. The analysis server receives requests and then loads the appropriate risk analysis module, dynamically generating queries to the event database to select the appropriate events. The risk module then generates the risk measure, which is returned to the service requester.
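The following Python example is added here and is not the dissertation's implementation (which used Perl handlers under mod_perl and a Java analysis server). It works through the Section 6.3 model, the Section 6.4 trigger conditions and the Figure 6-3/6-4 handler logic on a constructed burst of mid-severity requests. The decay period, the severity weights w_x, the final scaling and the additive constant inside the logarithm are assumed values (the dissertation's own symbols for them did not survive extraction); the thresholds are the ones quoted on the page, and the IP address and path are placeholders.

```python
import math
from dataclasses import dataclass

# Constructed parameters for the Section 6.3 model (assumptions: the dissertation's
# own symbols and values for these four quantities were not recoverable).
DECAY_PERIOD = 600.0                              # seconds of full magnitude before decay
CLASS_WEIGHTS = {"L": 0.5, "M": 1.0, "H": 2.0}   # w_x for the HV_L / HV_M / HV_H subsets
SCALE = 6.0                                       # final weighting applied to the log
OFFSET = 1.0                                      # additive constant inside the log

# Thresholds quoted on the page: the Section 6.4 sample conditions and Figure 6-3.
RESPONSE_RULES = {"force_auth_source": 36.11, "force_auth_system": 53.8,
                  "restrict_target": 41.11, "restrict_source": 41.11}
ACTION_THRESHOLDS = {"A1": 26, "A2": 32, "A3": 36, "A4": 39}
SOURCE_LOCKOUT_THRESHOLD = 41


@dataclass(frozen=True)
class Request:
    """One intrusive request r_j as the event database records it."""
    source: str
    target: str
    time: float      # request time in seconds
    cvss: tuple      # SS(v_k): CVSS base score of each signature in V(r_j)


def severity_class(score):
    """NVD bands for CVSS v2 base scores: Low < 4.0, Medium < 7.0, High otherwise."""
    if score < 4.0:
        return "L"
    return "M" if score < 7.0 else "H"


def decay(req, now):
    """Decay(r_j): full weight during the decay period, exponential fall-off after it."""
    age = now - req.time
    if age <= DECAY_PERIOD:
        return 1.0
    return math.exp(-(age - DECAY_PERIOD) / DECAY_PERIOD)


def request_risk(req, now):
    """R(r_j) = sum_{v_k in V(r_j)} e^{SS(v_k)} * Decay(r_j).

    Summing e^{SS} keeps the result at least as large as the single most severe
    signature, which is the reason the page gives for the exponential average."""
    return sum(math.exp(s) for s in req.cvss) * decay(req, now)


def entity_risk(requests, now):
    """SR(s_i) / TR(t_i): SCALE * ln(OFFSET + sum_x w_x * sum_{r_j in HV_x} R(r_j)).

    A request is placed in HV_L / HV_M / HV_H by its most severe signature."""
    weighted = 0.0
    for req in requests:
        weighted += CLASS_WEIGHTS[severity_class(max(req.cvss))] * request_risk(req, now)
    return SCALE * math.log(OFFSET + weighted)


def source_risk(events, source, now):
    return entity_risk([r for r in events if r.source == source], now)


def target_risk(events, target, now):
    return entity_risk([r for r in events if r.target == target], now)


def system_risk(events, now):
    return entity_risk(events, now)


def select_responses(src, tgt, sys_):
    """Section 6.4's three sample trigger conditions, evaluated on risk values."""
    fired = set()
    if src >= RESPONSE_RULES["force_auth_source"] or sys_ >= RESPONSE_RULES["force_auth_system"]:
        fired.add("Force_Authentication")
    if tgt >= RESPONSE_RULES["restrict_target"]:
        fired.add("Restrict_Permission_X_On_Object")
    if src >= RESPONSE_RULES["restrict_source"]:
        fired.add("Restrict_Permission_X_For_Subject")
    return fired


def source_permission_restrict(action, src):
    """Decision logic of the SourcePermissionRestrict handler (Figure 6-4)."""
    if src > SOURCE_LOCKOUT_THRESHOLD:
        return "DENY_REQUEST"
    threshold = ACTION_THRESHOLDS.get(action)
    if threshold is not None and src > threshold:
        return "DENY_REQUEST"
    return "OK"


def mid_severity_burst(n, period=60.0, source="198.51.100.7", target="/s/app"):
    """Constructed events: n attempts on one CVSS 5.0 signature, one every `period`
    seconds, mirroring the scenario behind Figure 6-1 (address and path are placeholders).
    With the parameters above, source_risk for n = 1..7 is about 30.0, 34.2, 36.6,
    38.3, 39.7, 40.8 and 41.7."""
    return [Request(source, target, i * period, (5.0,)) for i in range(n)]
```

With these parameters action A1 is denied from the first attempt, forced authentication fires at the third and the lockout threshold of 41 is crossed at the seventh; once the burst is an hour old the decay brings the same source back below the A3 threshold.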

6.6 Updates and Modifications to the Initial Model and Architecture

6.6.1 Performance Issues With the Initial Architecture

The problem with the initial architecture was the fact that the events were being aggregated on the demand of the client, and each time a request was made all of the related events were being re-examined and having risk values re-calculated based on a new decay factor that accounted for the accurate time difference between the request and the time the event actually occurred. As the number of events that were stored in the event database and needed to be analyzed as part of the aggregate set increased, the time to process each request was also increasing.

6.6.2 Solution 1: Caching

The scheme for caching of risk data relied on the creation of a background thread to pre-fetch risk data. The goal was to eliminate the increased response time problem described previously. Under the caching scheme, the analysis server creates a background thread that continually extracts all of the sources and targets from the event database. It then invokes the risk handlers on each of the entities extracted, producing source, target and system level risk where appropriate and storing the data back into the event database. When the analysis server receives a request for a risk evaluation on a system entity, instead of invoking the handler for that individual request, it performs a lookup on the cache tables in the event database.

Although the caching approach addressed the issue of the response time between the part of the analysis server that services requests and the data consumer, it also introduced another issue: the timeliness of the data that is returned to the consumer. The increasing time taken to execute a caching run that re-calculates the risk values for system entities is approximately the same as the increasing response time from the server. In testing, after a significant number of requests, the time taken to perform a full refresh of the risk cache for all of the entities became prohibitively long, such that requests from consumers for risk information would receive outdated, inaccurate information. In essence, the caching approach did not address the complexity of the algorithm for risk calculation, which was the primary reason for the increasing response time; it merely detached the calculation of an updated risk assessment from the fulfillment of a client data request. This analysis led to the development of a second implementation approach to address these shortcomings.

6.6.3 Solution 2: Redesigning the Analysis Algorithm and Refactoring the Architecture

The second implementation approach provides more efficient analysis of events: each event is seen and analyzed only once, when it first arrives. Risk assessments for affected entities are updated when a new alert arrives, and the function of the analysis server is to pull the stored assessment (not calculate it, as before) and return the result to the requesting client.

6.6.4 Revised Risk Assessment Model

The risk magnitude assigned to a vulnerability exploitation attempt is still the exponential average of all of the magnitudes of all of the vulnerabilities referenced in the alert. The algorithm for calculating risk based on multiple events is no longer iterative, but recursive. The decay function has been removed so that the weight of each request does not need to be re-assessed. Instead, a weighting parameter (shown as $\square$ below) serves to weight the previous risk assessment for the entity with respect to the risk assessment for the newest event. This serves the same function of decreasing the influence of older data in favor of newer data, but does so as triggered by new events, and not merely as a uniform time dependency. This also better accommodates assessing risk to entities with vastly different request frequencies.

\[
R(r_j) = \ln \sum_{v_k \in V(r_j)} e^{w_x \, SS(v_k)}
\]

\[
\mathrm{TR}(t_i, r_{t+1}) = \ln\Big(\square \, e^{\mathrm{TR}(t_i, r_t)} + R(r_{t+1})\Big)
\]

\[
\mathrm{SR}(s_i, r_{t+1}) = \ln\Big(\square \, e^{\mathrm{SR}(s_i, r_t)} + R(r_{t+1})\Big)
\]

The set $V(r_j)$, with members $v_k$, is the set of all vulnerability exploitation signatures triggered by the request $r_j$; $SS(v_k)$ is the magnitude of the vulnerability $v_k$; $\mathrm{TR}(t_i, r_{t+1})$ is the risk assessed to the target $t_i$ as a result of intrusive request $r_{t+1}$; $\mathrm{SR}(s_i, r_{t+1})$ is the risk assessed to the source $s_i$ as a result of intrusive request $r_{t+1}$.

6.6.5 Restructured Architecture

The primary change to the architecture is the distribution of analysis functions between the alert server (responsible for context acquisition) and the analysis server. In the previous approach, the alert server only received alerts, extracted the necessary information, and stored them in the event database. The analysis server was responsible for receiving client requests for risk data, performing the required analysis operations and then sending a response to the client. The change in the risk model, however, demands that the updating of risk information occurs as new events are processed. This requires that the primary analysis function (updating risk values for entities) occurs as the events are processed and consequently must be performed by the alert server.

Another change, used to facilitate the preservation of the incoming analysis data, was to queue incoming alerts in the database until they could be processed by one of the available processing threads. This allowed the number of active alert processing threads to be decreased so that the total processing time for each alert would be less.

6.7 Summary

A system implementation is detailed based on the general framework previously discussed and satisfying the key design goals outlined under the acquisition, analysis and application of context information. A federated approach is used that follows the principles discussed in Section 3.2.2, adapting the correlation ontology of Section 3.4.5 to a relational database model that serves as the schema for the event database described in Section 6.5. An independent analysis server performs the functions of aggregating context information and then disseminating it. The implementation focuses on one of the context properties defined in the Chapter 4 ontology of assessment properties: that of risk. A model is defined for deriving risk information from assessments produced by an intrusion detection system on attempts to exploit software vulnerabilities. This model designates how risk is assigned to both subjects and objects of access requests. Details are also provided on how the analysis data is applied and used in the access control process. Context-based policy evaluation, previously discussed in Section 5.2, is achieved by providing custom access control handlers that interact with the analysis server to receive risk information. These access control handlers also implement the response techniques discussed in Section 5.3.
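As an added illustration (not the dissertation's code) of the Section 6.6.4 recursive model and the Section 6.6.5 division of work, this Python example has the alert server process each queued alert exactly once, updating the source, target and system assessments in place, while the analysis server answers client queries by lookup only. PREV_WEIGHT is an assumption standing in for the weighting parameter whose symbol was lost, and the per-class weights w_x are constructed values.

```python
import math
from collections import defaultdict, deque

# Assumptions: PREV_WEIGHT stands in for the Section 6.6.4 weighting parameter whose
# symbol did not survive extraction; the per-class weights w_x are constructed values.
PREV_WEIGHT = 0.9
CLASS_WEIGHTS = {"L": 0.5, "M": 1.0, "H": 1.5}


def severity_class(score):
    """NVD bands for CVSS v2 base scores: Low < 4.0, Medium < 7.0, High otherwise."""
    if score < 4.0:
        return "L"
    return "M" if score < 7.0 else "H"


def alert_risk(cvss_scores):
    """R(r_j) = ln( sum_{v_k in V(r_j)} e^{w_x * SS(v_k)} ), w_x chosen per signature class.

    The exponential average makes the result at least as large as the largest
    weighted score in the alert."""
    return math.log(sum(math.exp(CLASS_WEIGHTS[severity_class(s)] * s) for s in cvss_scores))


def update(previous, new_risk):
    """One recursive step: ln( PREV_WEIGHT * e^{previous} + R(r_{t+1}) ).

    Older data loses influence only when a new event arrives, not with wall-clock
    time, so entities with very different request rates are treated alike per event."""
    return math.log(PREV_WEIGHT * math.exp(previous) + new_risk)


class AlertServer:
    """Context acquisition plus the primary analysis step: every alert is analyzed once."""

    def __init__(self):
        self.queue = deque()                    # alerts parked until a worker picks them up
        self.source_risk = defaultdict(float)   # SR(s_i); 0.0 for a source never seen
        self.target_risk = defaultdict(float)   # TR(t_i); 0.0 for a target never seen
        self.system_risk = 0.0
        self.processed = 0

    def enqueue(self, source, target, cvss_scores):
        self.queue.append((source, target, tuple(cvss_scores)))

    def process_pending(self):
        """Drain the queue in arrival order; returns the running count of alerts analyzed."""
        while self.queue:
            source, target, cvss = self.queue.popleft()
            r = alert_risk(cvss)
            self.source_risk[source] = update(self.source_risk[source], r)
            self.target_risk[target] = update(self.target_risk[target], r)
            self.system_risk = update(self.system_risk, r)
            self.processed += 1
        return self.processed


class AnalysisServer:
    """Serves client risk queries by lookup only; nothing is recomputed per request."""

    def __init__(self, alert_server):
        self.alerts = alert_server

    def query(self, kind, entity=None):
        if kind == "source":
            return self.alerts.source_risk.get(entity, 0.0)   # .get() never inserts
        if kind == "target":
            return self.alerts.target_risk.get(entity, 0.0)
        if kind == "system":
            return self.alerts.system_risk
        raise ValueError("unknown analysis type: " + str(kind))


def saturation_level(per_alert_risk):
    """Fixed point of update() under identical repeated alerts: ln(R / (1 - PREV_WEIGHT)).

    Unlike the Section 6.3 model, repeated events of one severity converge to a ceiling
    rather than growing without bound."""
    return math.log(per_alert_risk / (1.0 - PREV_WEIGHT))
```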

Figure 6-1. Sample risk progression for an intruder executing intrusive requests of moderate severity.

Request Number | Risk Estimation | Number of Previous Requests
1 | 0 | 0
2 | 25.65 | 1
3 | 32.19 | 2
4 | 36.11 | 3
5 | 38.92 | 4
6 | 41.11 | 5
7 | 42.91 | 6
8 | 44.43 | 7
9 | 45.75 | 8
10 | 46.92 | 9
11 | 47.96 | 10
12 | 49.77 | 11
13 | 50.57 | 12
14 | 51.99 | 13
15 | 53.23 | 14
16 | 53.8 | 15
17 | 54.34 | 16
18 | 54.85 | 17
19 | 55.34 | 18
20 | 55.8 | 19

[Figure 6-2: architecture diagram not reproducible in text]

Figure 6-2. Architecture for the ABACUS framework.

    PerlAccessHandler SourcePermissionRestrict
    PerlSetVar Action_A1_RiskThreshold 26
    PerlSetVar Action_A2_RiskThreshold 32
    PerlSetVar Action_A3_RiskThreshold 36
    PerlSetVar Action_A4_RiskThreshold 39
    PerlSetVar SourceLockoutThreshold 41

Figure 6-3. Apache configuration directive that establishes a SourcePermissionRestrict access handler to evaluate all requests to resources in the directory '/s'. The directive also establishes four risk thresholds, each for a different action. These thresholds are subsequently used by the access handler to compare against the current risk evaluation for the source of the request, with the request being denied if the source's risk exceeds the threshold. The final variable, SourceLockoutThreshold, establishes that once the risk attached to the source exceeds 41, all requests from that source will be denied.

    read threshold_values;
    read request_properties;
    request source_risk from analysis server;
    set response = OK;
    if (source_risk > lockout_threshold)
        { response = DENY_REQUEST; }
    else if (request_action == A1 AND source_risk > A1_threshold)
        { response = DENY_REQUEST; }
    else if (request_action == A2 AND source_risk > A2_threshold)
        { response = DENY_REQUEST; }
    else if (request_action == A3 AND source_risk > A3_threshold)
        { response = DENY_REQUEST; }
    else if (request_action == A4 AND source_risk > A4_threshold)
        { response = DENY_REQUEST; }
    return response;

Figure 6-4. Pseudocode for the access control module that performs restriction of source permissions based on a risk assessment obtained from an analysis server. It retrieves a risk assessment for the source from the analysis server and then compares it with the appropriate threshold for the action being performed.

    SetHandler perl-script
    PerlHandler AuthChain
    PerlSetVar SystemRiskThreshold 55
    PerlSetVar SourceRiskThreshold 33
    PerlSetVar TargetRiskThreshold 45
    PerlSetVar AuthExpiration 300000

Figure 6-5. Apache configuration directive for a custom authentication handler. Three different thresholds, or properties, are established which could be used to trigger the use of authentication. A value is also set for AuthExpiration which ensures that, once authenticated, users are only re-authenticated every 300 seconds (five minutes) at most.

    read threshold_values;
    read request_properties;
    request source_risk from analysis_server;
    request target_risk from analysis_server;
    request system_risk from analysis_server;
    if (source_risk > source_threshold OR target_risk > target_threshold
        OR system_risk > system_threshold)
    {
        send authentication_request;
        if (credentials_incorrect)
            { return AUTHENTICATION_REQUIRED; }
        else
            { return AUTHENTICATION_GRANTED; }
    }
    else { return NO_AUTHENTICATION_REQUIRED; }

Figure 6-6. Pseudocode for the authentication module. Authentication is required if any of the established risk thresholds are exceeded.

CHAPTER7 RESULTS 7.1TestingSetup Hardwaresetup. Allofthetestingtobediscussedwasperformedusingtwo identicalLinuxvirtualimageseachrunningUbuntuLinux8.04witha1.86Ghzprocessor and1GBofRAM.Onemachineservedastheserverandtheotherastheclientortrac generationnode.Theservermachinecontainedthewebserver,IDS,alertserver,analysis serverandeventdatabasementionedinthearchitecture.Forthepurposeoftestingand implementation,thewebserverusedwasApacheversion2.2.10.Snortversion2.8.1was usedastheintrusiondetectionsystem.TheeventdatabasewassupportedbytheMySQL DBMSversion5.0.51.BoththeanalysisandalertprocessingserverswerewritteninJava. TheaccesscontrolmodulesforApachewerewritteninPerlusingmod_perl2.0.4. 7.2ValidationofAnalysisModel Therstsetofresultspertaintotheevaluationoftheriskanalysismodel.Thegoal ofthistestingistodemonstratethefollowing: 1.thattheessentialassumptionofthemodel-thatofescalatingrisk-isvalidfor scenariosthatinvolvesuccessive,relatedintrusionattempts 2.thatthisassumptioncanbevalidatedexperimentallyusingrealdatasets 3.thatvarioustechniquesexist,andcanbeusedeectively,todealwithsomeofthe problemsregardingdataqualityincluding:falsepositivesandfalsenegatives Thedataforthetestswerefromthetherstofthetwoscenario-specicdatasets providedbytheLincolnLaboratory[70].Thedatasetrecordsadistributeddenialof serviceattackandwasdividedintothefollowingvephases:1anIPsweepofthetarget networkfromaremotesite2aprobeofliveIP'stolookforthesadminddaemonrunning onSolarishosts3breakinsviathesadmindvulnerability,bothsuccessfulandunsuccessful onthosehosts4installationofthetrojanmstreamDDoSsoftwareonthreehostsinthe targetnetworkand5launchingthedenialofserviceattack.Initialtestresultsshowed theintruderasdescribedintheprovidedlabelingdatawiththehighestriskratingafter 106

PAGE 107

amajorityoftheattackhadconcluded.Unsatisfactorily,however,duetofalsepositives earlyinthetestssomeothernodeswereinitiallygivenhigherriskratingsduringthe rstphasesoftheattack.Inaddition,theoverallnumberofnodesthatwereassessed aspotentialintruderswashigh.Twodierentalertlteringtechniqueswereapplied,in aneorttoimprovethedataaccuracyandreducefalsepositives.Therstwastousea techniqueproposedin[71]tolteroutalertsthatdonotcorrespondtotheexploitation ofa'concretevulnerability'.Aconcretevulnerabilityisdenedinthiscaseasonewhich islistedintheCVE[72],astandardizeddatabaseforsoftwarevulnerabilities.Inorder tocompileaworkingdatabasetocheckvulnerabilitysignatures,thelatestCVEentries weredownloadedandstoredinarelationaldatabase.Theresultsforthesecondroundof testingusingtheconcretevulnerabilitylteringareshowninFigure7-1onpage118. Thelatterpartoftheriskprogressionisrelativelyatbecausetheintrusiondetection systembeingusedfailedtodetectsomeofthelatereventsinvolvedintheattacksequence. Andwhiletheriskmodeldoesnotmakeprovisionsfordetectingattackswhicharemissed byintrusionassessmentmechanism,theuseofhistoricaldatatoassessthethreatposedby thesourceatleastensuresthatthesamerisklevelbasedonearlierbehaviorismaintained. Inthisway,themodelistolerantofmisseddetections. 

The risk assessments in the second set of test results were still somewhat inaccurate; a number of nodes on the local network were rated as suspicious and up until approximately the 9th sampling iteration the actual intruder does not have the highest risk rating. A second alert filtering technique was used to further increase the accuracy of the assessment: configuration verification. This is similar to the approach of verifying alerts using network knowledge as discussed in [73, 74]. In this case, a database was constructed with all of the known, labeled nodes in the data set, the operating system running on the node and its version of the operating system. Each time an alert was generated this database was consulted to see if the vulnerability being reported actually matched the configuration of the targeted machine. If there was no match, the alert was discarded. Using these two

filtering techniques in conjunction, the risk assessment reflected the single-intruder nature of the data set, as shown in Figure 7-1.

After applying the filtering techniques, the results for target risk estimation were improved. Results for target risk estimation are shown in Figure 7-2 part A and Figure 7-2 part B. In the final risk estimation graph for targeted nodes (Figure 7-2 part B), only the nodes actually attacked are rated, and those nodes for which successful attacks are launched are rated with the highest risk values.

7.3 Web Server Attack Resistance Results

This second set of testing results is designed to demonstrate results of testing the second of the two architectures (the risk analysis server integrated with Apache) with real-time incoming requests. In order to effectively illustrate the effect of the three chosen response techniques, three different scenarios were generated with a web server traffic simulator and requests were sent to two different web servers: one using the three analysis modules described previously, and another only using the notion of the global system threat to trigger response techniques. Whereas validation of the risk model could be performed with a captured data set being replayed over the network, the use of the response strategies requires active connections to the access control system and hence demands live traffic.

The traffic simulator creates an array of requesting nodes $S$ where $s_i \in S$, each with an intrusiveness rating $i_r$, an inter-request period $p$ and a total request life $l$. The web server is arranged as an array of target resources $T$ where $t_i \in T$. Each $t_i$ has a set of valid actions $a_1, a_2, \dots, a_n$ and invalid or intrusive actions $i_1, i_2, \dots, i_k$. Every $p$ seconds (or a random number of seconds between 0 and $p$), request source $s_i$ selects a member of $T$ and then, based on its intrusiveness rating, selects either a normal or intrusive action to perform on the resource. Sources with a higher $i_r$ have a greater probability of selecting an intrusive action for each request. In practice, these intrusiveness or maliciousness ratings range from 0% to 90%.
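The two-stage alert filtering used in Section 7.2 (concrete vulnerability filtering, then configuration verification against a node inventory) as an added Python illustration; this is not the dissertation's Java or Perl code, and every host address, CVE identifier, rule name and product version in it is a constructed placeholder.

```python
"""Two-stage IDS alert filter: concrete-vulnerability filtering, then
configuration verification.  Added example (not the dissertation's Java or
Perl code); every host, CVE id, rule name and product below is constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    source: str           # host the IDS reports as the attacker
    target: str           # host the IDS reports as the victim
    signature: str        # IDS rule name
    cve: Optional[str]    # CVE id referenced by the rule, or None


# Stand-in for the relational table of downloaded CVE entries, augmented
# with the software each entry affects (placeholder ids, not real CVEs).
CVE_DB = {
    "CVE-0000-0001": {"product": "solaris", "versions": {"2.5.1", "2.6", "7"}},
    "CVE-0000-0002": {"product": "iis", "versions": {"4.0", "5.0"}},
}

# Stand-in for the table of known, labelled nodes with OS and OS version.
NODE_DB: Dict[str, Dict[str, str]] = {
    "172.16.112.10": {"product": "solaris", "version": "2.6"},
    "172.16.112.50": {"product": "solaris", "version": "7"},
    "172.16.115.20": {"product": "linux", "version": "2.2"},
}


def is_concrete(alert: Alert) -> bool:
    """Stage 1: keep only alerts that reference a listed CVE entry."""
    return alert.cve is not None and alert.cve in CVE_DB


def matches_configuration(alert: Alert) -> bool:
    """Stage 2: keep only alerts whose CVE affects the targeted node's
    recorded product and version.  A node missing from the inventory
    cannot match and is discarded, following the 'no match, discard' rule."""
    node = NODE_DB.get(alert.target)
    if node is None or alert.cve not in CVE_DB:
        return False
    entry = CVE_DB[alert.cve]
    return node["product"] == entry["product"] and node["version"] in entry["versions"]


def filter_alerts(alerts: List[Alert]) -> Tuple[List[Alert], List[Alert]]:
    """Return (after stage 1, after stage 2) so the effect of each filter
    on the alert volume can be compared."""
    stage1 = [a for a in alerts if is_concrete(a)]
    stage2 = [a for a in stage1 if matches_configuration(a)]
    return stage1, stage2


def alerts_per_source(alerts: List[Alert]) -> Counter:
    """Per-source alert counts: the raw material for a source risk rating."""
    return Counter(a.source for a in alerts)


# Constructed alert stream: one genuine attacker, one noisy local node and
# one alert against a host that is not in the node inventory.
SAMPLE_ALERTS = [
    Alert("203.0.113.5", "172.16.112.10", "ICMP PING sweep", None),
    Alert("203.0.113.5", "172.16.112.10", "RPC sadmind overflow attempt", "CVE-0000-0001"),
    Alert("203.0.113.5", "172.16.112.50", "RPC sadmind overflow attempt", "CVE-0000-0001"),
    Alert("172.16.115.20", "172.16.112.10", "WEB-IIS unicode traversal", "CVE-0000-0002"),
    Alert("172.16.115.20", "172.16.112.50", "Generic anomaly", "CVE-0000-9999"),
    Alert("198.51.100.7", "172.16.113.99", "RPC sadmind overflow attempt", "CVE-0000-0001"),
]

if __name__ == "__main__":
    s1, s2 = filter_alerts(SAMPLE_ALERTS)
    print("raw    :", dict(alerts_per_source(SAMPLE_ALERTS)))
    print("stage 1:", dict(alerts_per_source(s1)))
    print("stage 2:", dict(alerts_per_source(s2)))
```

Run stand-alone, the per-source counts shrink from three suspected sources to the single real attacker, which is the effect Figure 7-1 part B shows for the Lincoln Laboratory data.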

For the risk analysis model, vulnerability weightings were the following: high severity $w_H = 3$, medium severity $w_M = 2$ and low severity $w_L = 1$. The risk multiplier was set to 10, to provide a more noticeable difference between various assessments.

Scenario 1: single intruder, vulnerability probing. In this first scenario, a single intruder executes intrusive requests on several system resources - a method indicative of probing for which vulnerabilities have been patched or which configuration holes have been closed. The rest of the sources generating system requests are normal users executing little or no requests that could be categorized as intrusive. The requests were generated over the course of a three hour simulation. The request trace for the intruder demonstrates that requests for different actions are denied based on his overall risk profile and eventually the intruder is locked out from all system requests. Meanwhile, requests from the other users are still permitted. A summary of the results for a simulation of this scenario is presented in Table 7-1. Figure 7-4 charts the growth of the risk assessed to the intruder. In this scenario all of the intrusive requests were from the single intruder. Server 1 began to deny requests from the intruder after their source risk passed the threshold of 45. The normal requests blocked by server 1 were also from the intruder. Once the system risk for server 2 passes the threshold, it begins to deny requests from all sources. The configuration directives used in the two servers during this scenario are shown in Figure 7-3.

Scenario 2: multiple intruders, single target, many-to-one attack. In the second scenario, multiple intruders target the same resource with two different attacks. This could correspond to the publication of a new vulnerability for an existing service. In the interim period some non-intrusive requests are allowed on the resource, but when the target risk reaches the threshold, all requests to the target are denied. A summary of the results for a simulation of this scenario is presented in Table 7-2. The growth of the risk assessed to the target is charted in Figure 7-6.
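The threshold-triggered access handler that the scenario policies describe, written here in Python as an added example rather than the dissertation's mod_perl module: system risk threshold 65 for server two, source threshold 45 (scenario one) and target threshold 45 (scenario two) for server one, and the third scenario's three-property policy with an authentication response and 300-second AuthExpiration, as given in the captions of Figures 7-3, 7-5 and 7-7. Class, field and method names are this example's own, and risk values are supplied directly in place of the analysis server's reply.

```python
"""Risk-threshold access handler.  Added example in Python (the dissertation's
module is a mod_perl handler, not shown here); class, field and method
names are this example's own.  Risk values are taken as given, standing in
for what the analysis server would return for a request."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Policy:
    """One server's access control policy.  A threshold of None means that
    risk property is not consulted; a request is restricted as soon as any
    consulted risk value passes its threshold."""
    system_threshold: Optional[float] = None
    source_threshold: Optional[float] = None
    target_threshold: Optional[float] = None
    response: str = "deny"         # "deny" or "authenticate"
    auth_expiration: float = 0.0   # seconds a completed authentication stays valid


@dataclass
class RiskContext:
    """Risk data for one request: who asks, for what, and the three ratings."""
    source: str
    target: str
    source_risk: float
    target_risk: float
    system_risk: float


@dataclass
class AccessHandler:
    policy: Policy
    authenticated_at: Dict[str, float] = field(default_factory=dict)

    def threshold_passed(self, ctx: RiskContext) -> bool:
        p = self.policy
        checks = ((p.system_threshold, ctx.system_risk),
                  (p.source_threshold, ctx.source_risk),
                  (p.target_threshold, ctx.target_risk))
        return any(t is not None and r > t for t, r in checks)

    def decide(self, ctx: RiskContext, now: float = 0.0) -> str:
        """Return 'allow', 'deny' or 'authenticate' for this request."""
        if not self.threshold_passed(ctx):
            return "allow"
        if self.policy.response == "deny":
            return "deny"
        last = self.authenticated_at.get(ctx.source)
        if last is not None and now - last < self.policy.auth_expiration:
            return "allow"          # still inside the authentication window
        return "authenticate"

    def record_authentication(self, source: str, now: float) -> None:
        """Called when a challenged source completes authentication."""
        self.authenticated_at[source] = now


# Policies as the scenario descriptions and figure captions give them.
SERVER_TWO = Policy(system_threshold=65)                       # system risk only
SCENARIO_ONE_SERVER_ONE = Policy(source_threshold=45)
SCENARIO_TWO_SERVER_ONE = Policy(target_threshold=45)
SCENARIO_THREE_SERVER_ONE = Policy(system_threshold=65, source_threshold=33,
                                   target_threshold=45, response="authenticate",
                                   auth_expiration=300)

if __name__ == "__main__":
    handler = AccessHandler(SCENARIO_ONE_SERVER_ONE)
    # Constructed trace: the intruder's source risk climbs past 45 and is
    # locked out, while a user with low source risk stays permitted.
    for risk in (10, 30, 44, 46, 60):
        verdict = handler.decide(RiskContext("intruder", "/a", risk, 0, 20))
        print("intruder source risk", risk, "->", verdict)
    print("normal user ->", handler.decide(RiskContext("user", "/a", 2, 0, 20)))
```

With `auth_expiration=0` the handler re-authenticates every restricted request, which is the behaviour Section 7.3 attributes to the scenario three results.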

The testing for scenario two demonstrates that using target risk when a particular resource is being targeted can increase the number of intrusive requests that are blocked while maintaining availability for the other system resources. During this simulation, both the system risk and the target risk for the targeted resource peaked at 83. This was due to the fact that all of the intrusive requests in the entire system were directed at the same resource. While the system risk threshold could have been raised to decrease the percentage of normal requests that were denied, it would have also increased the number of intrusive requests that were blocked. The configuration directives used in the two servers during this scenario are shown in Figure 7-5.

Scenario 3: multiple attackers on various resources. In the third scenario, multiple intruders attack multiple system resources. This could correspond to a system with high traffic levels that sees exploitation attempts on multiple resources from multiple sources in a given period of time. Using both source and target risk levels, requests at various points in the overall request trace are responded to by a request for authentication. Eventually, when the system risk level passes the threshold, all initial requests are responded to by requests for authentication. A summary of the results for a simulation of this scenario is presented in Table 7-3. The simulation was run for approximately 2.5 hours with nodes generating requests at all levels of maliciousness and thus there is no clear intruder.

Due to the use of source, target and system risk information, the policy for server one was stricter. Despite this, the proportion of non-intrusive requests that were responded to by a request for authentication was only four percent higher than for server two. This number of non-intrusive requests also includes requests from nodes with high maliciousness ratings such as 90%, which would otherwise be deemed intruders but were classified as non-intrusive because the particular request being classified was not intrusive. The configuration directives used during this scenario are shown in Figure 7-7. The policy used for the server within the ABACUS framework was more stringent than the server only

using system risk. The former used three different risk properties to trigger authentication, but only experienced a 3.9% increase in the number of non-intrusive requests.

The results for this scenario essentially represent the behavior of an authentication mechanism that has an immediate expiration of authentication credentials after authentication and thus re-authenticates for each request. In a simulation involving human users who would be capable of successfully completing authentication, many of the subsequent authentication requests would be eliminated by a longer period before the expiration of the authentication. In such situations where a high percentage of the requests are being authenticated, the server could potentially cut overall response time by bypassing the request for analysis data from the analysis server (which typically dominates the length of the response) and just authenticating each request immediately. This would move the number of non-intrusive and intrusive requests authenticated to 100% when the system risk reaches a sufficient level. However, if the process of authentication requires more time than the request for analysis data it might still be slightly more efficient to eliminate some of the authentication requests; in the end, this is highly dependent on the relative time required for each process.

7.4 Performance Analysis

7.4.1 Performance Testing Methodology

In order to compare the performance of the final version of the Abacus framework against the earlier version and also against a normal Apache web server, each server was stress-tested. This part of the testing relied on a regression testing and benchmarking utility called Siege [75]. The basic aim of this testing was to examine the behavior of each server subject to increasing load. The following parameters were used in the testing process:

Number of clients - with the use of a wrapper for Siege called Bombard, the user is able to specify an initial number of clients, an increment of how many clients the load

should be increased by for each iteration and a total number of iterations (which also limits the maximum number of clients).

A set of URLs - the same URLs from the scenario testing were used, both normal and intrusive. They were placed in a configuration file and read into memory by the utility when it starts. The clients then randomly request one of the URLs in the file for each request.

Delay between requests - before each request, the client waits a random number of seconds between 0 and $d$, where $d$ is the maximum delay between requests specified by the user.

By testing in this way, we hope to draw conclusions on the following: the degree of improvement provided by the third iteration of the Abacus framework over the first, the point at which each of the server types becomes overwhelmed given the hardware constraints, as well as the specific reasons that account for the performance differences.

7.4.2 Performance of Initial Abacus Framework

In Figure 7-8 the time to serve requests on Server 1 is shown as the number of requests increases. For the collection of this data, the simulator was set to generate 3 hours of traffic from 10 different nodes, only one of them executing intrusive requests (scenario one as described above). In part A of the figure the time to serve is shown for all of the requests. In part B, only the time to serve requests from the intruder is shown; this graph has the same linearly increasing pattern that is apparent when looking at the peaks of the graph in part A. In part C of Figure 7-8 the time taken to serve requests from the non-intruder nodes is graphed. The time to serve these requests remained relatively constant throughout the entire simulation, oscillating between zero and one seconds. The reason that the increase only occurred for the intruder node is that when the web server requests risk data on that node, there is a constantly increasing amount of event data to analyze. For the other nodes, there is no such increase of data to analyze and, as a result, requests are served in the same amount of time for the duration of the simulation. This

is undesirable, however, and could potentially create a scalability issue in scenarios where there are more nodes with intrusive behavior. In order to ameliorate these performance issues, a caching scheme was devised to facilitate faster generation of risk data.

7.4.3 Performance of Abacus Framework with Recursive Analysis Model

After adapting the analysis model as described in Section 6.6 to be recursive instead of the previous iterative formulation, and modifying the alert server to make the updates for the risk values as new data came in, the performance of the framework was improved significantly. Whereas the first version was not stable with ten concurrent users, the modifications allowed the framework to handle up to 100 concurrent users stably for an indefinite period of time. This demonstrates that the modifications made to the model enable the framework to process incoming requests without noticing an increase in response time for increased amounts of data, which was the problem in the previous version. The graphs in Figures 7-9 and 7-10 summarize the performance of the different aspects of the framework. The web server and analysis server experienced some local spikes based on the short delay between subsequent requests from the stress testing application, but overall maintained a consistent response time. The alert server (see graphs in Figure 7-10) experienced an initial spike in processing time due to provisioning new threads to process the high volume of incoming alerts. Performance stabilized quickly and remained stable throughout the remainder of the simulation.

7.4.4 Performance Comparison for ABACUS Framework and Ordinary Apache Webserver

Results. Figures 7-12 and 7-13 summarize the server response time, concurrency and transaction rate as seen from the client for three different server types: a normal Apache web server, with no integration of risk information, an Apache server integrated with the first version of the analysis framework as discussed above (Abacus Server version one), and an Apache server integrated with the final version of the analysis framework (Abacus Server version two). The range of delay between requests differs between the two figures:

in Figure 7-12 all testing threads were configured to delay between 0 and 1 second before initiating another request. In Figure 7-13 the range was between 0 and 10 seconds.

Figure 7-12 indicates that the Abacus Framework version two was able to serve 100 simulated clients with a response time of 5.16 seconds compared to 1.73 seconds for the unmodified Apache web server. At this load the Abacus Framework was maintaining the request frequency without a noticeable increase in processing time during the duration of the test, as demonstrated by Figure 7-9. Figure 7-13 (where the delay for the stress testing simulation was between 0 and 10 seconds for subsequent requests) places the maximum number of clients at 210 with a response time of 6.35 seconds before the response time spiked at the next increment of clients. What is consistent in both figures, however, is the transaction rate, or the average number of connections processed per second. With the delay between zero and one, the maximum transaction rate was 18.76 and with the delay between zero and ten, the maximum was 18. A few individual simulations at higher numbers of connecting clients were run and the results are shown in Figure 7-11. These figures, particularly parts B and C, demonstrate that the increasing response time generates more timeouts at higher concurrency, because there is also a higher rate of incoming connections. Part C in particular, where 200 simulated clients were used, shows the effect on response time from a large number of request timeouts.

Discussion. It would be difficult to say that the first version of the framework (before the caching approach) could realistically support any number of users for an extended period of time. As shown in Figure 7-8 part A, the time to serve requests for the first version of the server was increasing even when the number of simulated clients was held constant at ten. The performance determinant for the first version of the framework was the number of requests: increasing the number of simulated clients just caused the number of requests to increase more rapidly. The time to service each request was linear in the number of requests that the server had received up to that point. The caching

approach allowed for a constant time to serve each request, but at the expense of data accuracy, where the algorithmic complexity was still the same.

It is likely that the resources of the server machine were exhausted when the tests moved to higher numbers of simulated clients (110 for the higher frequency tests) than the server transaction rate could handle and new connections were still coming in, resulting in queuing. The Apache web server limits the number of forked client processes to 256 by default (this limit is compiled into the software). It appears based on the data that at the failure points, when the response time spikes, the server resources were exhausted before the limit of 256 client processes by the increasing number of forked client processes being created by the Apache server. During testing, this led to incidences where the server machine locked up and required restarting when testing with both the ABACUS framework and with the unmodified Apache server. This is corroborated by the fact that the unmodified Apache web server failed in a similar way, albeit at a higher transaction rate.

A rate limiting mechanism was built into the Abacus Framework v3 whereby once a certain number of requests are queued, the server begins to deny incoming requests until more worker processes become available, to avoid forking too many processes to serve requests. The Apache server access logs during these tests demonstrate that some of the requests for analysis data from the web server access control modules were being denied due to increasing load; at the same time, however, the Apache web server was still accepting and queuing new client connections. In summary, the testing failure of the Abacus Framework was due to the difficulty in controlling server resources: in particular, of effectively limiting the incoming client connections in the face of increased concurrency and therefore increased response time per request. A more robust set of testing conditions would likely yield better results.

With that said, the peak transaction rate for the Abacus Framework v3 was still 15.53 transactions per second at a response rate of 5.73 seconds. This roughly equates to 931.8

transactions a minute, 55,908 transactions an hour and 1,341,792 transactions per day. By way of comparison, according to Compete.com [76] web statistics, Facebook.com received 874,806,456 page visits in December 2008 with an average of 62.1 pages accessed per visit for a total of 54,325,480,917.6 page accesses in December, or 1,810,849,363.92 page accesses each day. The UFL.EDU domain and all of its subdomains received 2,385,137 visits in the month of December 2008, with an average of 17.5 pages per visit or 41,739,897.5 page views in that month. This equates to 1,391,329.9 page views per day. Table 7-4 summarizes statistics for three top websites, while Table 7-5 provides an estimate for the peak performance of the ABACUS framework under current testing conditions. Based on this data, we can conclude that the proposed approach could be implemented in a large, high traffic website - particularly with dedicated server hardware with increased performance.

The data also demonstrates that failure of a similar nature occurs for the Apache web server in isolation. Because there was a slower growth in response time per request, the Apache server in isolation was able to handle a greater number of client connections before failure, but when the failure happened, it manifested with much the same behavior as was displayed when testing the final version of the Abacus Framework.

Figure 7-14 represents the factor of increase in the response time for the web server in the ABACUS framework compared with the response time of the normal Apache web server. After an initial spike in request time due to provisioning of server resources, the response time increase factor stabilizes at approximately three, meaning that during the majority of the testing period the average request to the ABACUS framework took three times as long to process as a request to a normal Apache web server. The figure also shows a sharp increase at 110 simulated clients, which is where the simulation first recorded a significant number of timeouts for the ABACUS framework, but where the normal Apache web server remained stable. This increase factor is likely a result of the following additional steps taken before a response is generated in the framework:

the access control handler generating a request for risk information, the analysis server performing the necessary queries to the event database and formulating a response back to the web server. In addition, while the analysis server and web server were running, some of the system resources were consistently being consumed by the server responsible for receiving and filtering IDS information, which was not running along with the standalone web server.

[Figure 7-1: two panels, A and B]
Figure 7-1. Simulation results from the validation of the analysis model showing risk estimates for the sources detected as intrusive. (A) using only concrete vulnerability filtering; (B) using concrete vulnerability filtering and configuration verification.

[Figure 7-2: two panels, A and B]
Figure 7-2. Simulation results from the validation of the analysis model showing risk estimates for targets being attacked by intrusive requests. (A) using only concrete vulnerability filtering; (B) using concrete vulnerability filtering and configuration verification.

Table 7-1. A summary of the simulation results for scenario one, simulating an attack from a single source on multiple system resources.

| Property measured         | Server 1 (source risk) | Server 2 (system risk) |
|---------------------------|------------------------|------------------------|
| Total requests            | 2472                   | 2472                   |
| Total intrusive requests  | 230                    | 230                    |
| Intrusive requests denied | 229                    | 179                    |
| Percentage denied         | 99.5%                  | 77.8%                  |
| Total normal requests     | 2242                   | 2242                   |
| Normal requests denied    | 16                     | 1751                   |
| Percentage denied         | .7%                    | 78.1%                  |

[Figure 7-3: two panels, A and B, showing configuration directives]
Figure 7-3. Access control policies for the two servers during scenario one while simulating an attack from a single source on multiple system resources. (A) server two; (B) server one. The first policy (A) establishes an access handler that uses system level risk data and sets a threshold of 65 for the system risk, beyond which requests will be denied. The second policy (B) establishes an access handler that uses source risk data and sets a threshold of 45 for the source risk, beyond which requests from that source will be denied.

[Figure 7-4]
Figure 7-4. The growth of the risk from the intruder in scenario one.

| Statistic                  | System 1 (target risk) | System 2 (system risk) |
|----------------------------|------------------------|------------------------|
| Total requests             | 1023                   | 1023                   |
| Total intrusive requests   | 320                    | 320                    |
| Intrusive requests blocked | 319                    | 274                    |
| Percentage denied          | 93.5%                  | 85.6%                  |
| Total normal requests      | 703                    | 703                    |
| Normal requests denied     | 65                     | 588                    |
| Percentage denied          | 9.2%                   | 83.6%                  |

Table 7-2. A summary of the simulation results from scenario two while simulating an attack from multiple sources on a single system resource.

[Figure 7-5: two panels, A and B, showing configuration directives]
Figure 7-5. Access control policies for the two servers during scenario two while simulating an attack from multiple sources on a single system resource. (A) server two; (B) server one. The first policy (A) establishes an access handler that uses system level risk data and sets a threshold of 65 for the system risk, beyond which requests will be denied. The second policy (B) establishes an access handler that uses target risk data and sets a threshold of 45 for the target risk, beyond which requests to that target will be denied.

[Figure 7-6]
Figure 7-6. The growth of risk for the targeted resource in scenario two.

Table 7-3. A summary of the simulation results from scenario three while simulating an attack from multiple sources on multiple system resources.

| Statistic                            | Server 1 | Server 2 |
|--------------------------------------|----------|----------|
| Total requests received              | 875      | 875      |
| Total intrusive requests             | 437      | 437      |
| Intrusive requests authenticated     | 409      | 252      |
| Percentage authenticated             | 93.5%    | 57.7%    |
| Total non-intrusive requests         | 438      | 438      |
| Non-intrusive requests authenticated | 385      | 368      |
| Percentage authenticated             | 87.9%    | 84%      |

[Figure 7-7: two panels, A and B, showing configuration directives]
Figure 7-7. Access control policies for the two servers during scenario three while simulating an attack from multiple sources on multiple system resources. (A) server two; (B) server one. The first policy (A) establishes an access handler that uses system level risk data and sets a threshold of 65 for the system risk, beyond which requests will be denied. The second policy (B) establishes an access handler that uses three different risk properties to trigger the requirement of authentication. The system risk threshold is 65, the source risk threshold is 33 and the target risk threshold is 45. A time limit for the expiration of a valid authentication is set at 300 seconds using the AuthExpiration property.

[Figure 7-8: three panels, A, B and C]
Figure 7-8. Statistics for ABACUS framework version 1 during a simulation with ten concurrent users, one of which was an intruder. Graphs show time to serve requests for different breakdowns of the set of requesting users. (A) requests from all users; (B) requests from the intruder; (C) requests from non-intrusive users. These graphs establish that the time to process requests was increasing throughout the simulation and that this was due to the increased time it took to process requests from the intruder, which required more data to be aggregated and analyzed in order to produce a risk assessment.

[Figure 7-9: two panels, A and B]
Figure 7-9. Statistics for ABACUS framework version two. (A) time to serve requests for the web server; (B) time to serve requests for the analysis server. The graphs correspond to a simulation with 100 concurrent users for the entire duration of the test (10 minute stress test).

[Figure 7-10: two panels, A and B]
Figure 7-10. Statistics for ABACUS framework version two. (A) alert processing time; (B) alert receiving time. The graphs correspond to a simulation with 100 concurrent users for the entire duration of the test (10 minute stress test).

[Figure 7-11: three panels, A, B and C]
Figure 7-11. Additional stress test statistics for ABACUS framework version two. (A) using 110 concurrent clients; (B) using 175 concurrent clients; (C) using 200 concurrent clients.

[Figure 7-12: three panels, A, B and C]
Figure 7-12. Web server comparison using a randomized delay from 0 to 1 second between requests. (A) response time; (B) concurrency; (C) transaction rate.

[Figure 7-13: three panels, A, B and C]
Figure 7-13. Web server comparison using a randomized delay from 0 to 10 seconds between requests. (A) response time; (B) concurrency; (C) transaction rate.

Table 7-4. Traffic statistics for three top websites in December 2008.

| Domain       | Visits/Month  | Pages/Visit | Page Views/Month | Page Views/Day   |
|--------------|---------------|-------------|------------------|------------------|
| Yahoo.com    | 2,211,018,102 | 19.4        | 42,893,751,178.8 | 1,429,791,705.96 |
| Facebook.com | 874,806,456   | 62.1        | 54,325,480,917.6 | 1,810,849,363.92 |
| Ufl.edu      | 2,385,137     | 17.5        | 41,739,897.5     | 1,391,329.9      |

Table 7-5. Estimated peak performance for ABACUS framework with current testing constraints.

| Transactions/Sec | Response Rate (sec) | Transactions/Hour | Transactions/Day |
|------------------|---------------------|-------------------|------------------|
| 15.53            | 5.73                | 55,908            | 1,341,792        |

[Figure 7-14]
Figure 7-14. Summary of the factor increase in web server response time for the ABACUS framework version two compared to the performance of an unmodified web server.

CHAPTER 8
CONCLUSIONS

The aim of this study was primarily twofold: firstly, to demonstrate a cohesive, general approach to designing and constructing context-aware or adaptive security mechanisms and secondly to demonstrate the application of those principles by designing such a system and demonstrating its feasibility and effectiveness.

8.1 Conclusions Produced By Examination of the General Approach

The design decision was made that the nebulous concept of context awareness was best evidenced by context-aware behavior, or behavior that demonstrates an awareness of changing system state. The process of making a decision aware of context was abstracted into three phases: acquiring that data, analyzing it and applying it in the decision making process.

8.1.1 Data Acquisition

Acquisition was approached as an integration issue, particularly with regards to the integration of security mechanisms that often exhibit high degrees of autonomy, heterogeneity and distribution. The trade-offs between two different integration approaches were discussed at length. While a vertical integration strategy provides a tight and seamless integration, it is also very difficult to extend. The three factors mentioned previously (autonomy, heterogeneity and distribution) are essentially dealt with by merging the distinct mechanisms into one. Horizontal integration presents many challenges and requires the use of individual integration techniques to deal with data, control and process integration. The result, however, is a highly extendable system.

8.1.2 Data Analysis

One of the primary conclusions regarding data analysis was that this phase must produce concrete, quantifiable, actionable data. This conclusion seems intuitive, but contrasts starkly with many of the efforts for analyzing security data, particularly that which comes from intrusion detection systems. One of the primary obstacles preventing

data analysis techniques from improving in a structured way was the lack of an explicit framework within which specific assessment properties could be defined precisely. Terms such as threat and risk are used frequently in the literature, but rarely - if ever - given explicit definitions that could distinguish them from related terms. For this reason an ontology of assessment properties was developed that incorporates the most critical security properties with definitions based on industry standards such as CVSS and IDMEF.

8.2 Conclusions On the Implementation and Testing of the Concrete Implementation

8.2.1 Data Quality

One of the critical issues that were confronted during this investigation was the accuracy of the assessment data. Two different filtering techniques were employed in order to increase data accuracy by eliminating false positives. The first was concrete vulnerability filtering, which allowed us to eliminate incoming alerts that did not correspond to a specific, exploitable software vulnerability. This was done by verifying that the alert referenced an entry in the Common Vulnerabilities and Exposures database (CVE). The second technique used to improve the quality of the incoming data was configuration verification. By employing configuration verification, the system only considered alerts that presented a realizable threat to one of the nodes or services being monitored by the framework. This approach involved augmenting the local system vulnerability database with information regarding the affected software for each vulnerability. Simultaneously, a database of local system nodes, the software running on them and version information for each software product is established. By checking that the incoming vulnerability exploitation attempt would actually affect the version of software running on the node, many of the false positives generated during testing were eliminated. These two strategies were key in increasing the quality of incoming data and consequently the accuracy of the attack responses.

8.2.2 Changes From the General Approach to the Concrete Implementation

Extensive testing and multiple iterations of the Abacus framework led to the conclusion that although the process of context-aware decision making may be abstracted into three processes, the instantiation of those processes into actual software modules may require some adaptation. The best performance was achieved with an implementation that virtually joined the acquisition and analysis phases, such that all of the analysis tasks were performed as new data was acquired. The initial strategy of generating the analysis data when it was requested by the client proved to be prohibitively slow given the amount of data being generated in the system. This strategy, however, was only feasible because the system was event based (essentially, that the data was discrete and not continuous). For systems where there are no such events to trigger the analysis tasks it will still be necessary to collect the data and perform the analysis tasks when the information is requested - although in these cases, there will be no such time penalty for analyzing multiple events. The only other situation to favor the on-demand analysis would be where most of the incoming data proved to be irrelevant to the final analysis and thus paying the time penalty for analyzing each event would prove unreasonable.

Another key question that needed to be answered was how to design an attack response that was tempered and still effective. We chose to use a strategy of restricting access permissions as the response to likely intrusive behavior. This response was in concert with the application domain being investigated and it was also less invasive than other response techniques in the literature that involve taking action against the suspected intruder. A risk assessment was synthesized from the provided data on vulnerability exploitation attempts in order to provide a quantifiable measurement of the changing state of system entities in relation to their prospect of being attacked. Because the risk assessments were calculated for individual system entities, the assessment data also allowed for more granular responses.

8.2.3 Effectiveness and Performance

One of the important conclusions we can draw from the testing data for the proposed approach is the feasibility of adaptive security mechanisms. The actual results of the attack simulations showed a marked improvement for the ratio of intrusive requests that were denied using the risk assessments. In the scenario that simulated an attacker performing vulnerability probing against the web server, 99% of the intrusive requests were denied, while only .7% of the normal requests were denied. In the case of multiple intruders for one target attack, the framework denied 93.5% of the intrusive requests while only denying 9.2% of the non-intrusive requests. Even in the scenario of multiple intruders on multiple resources, where authentication was employed as a response, more intrusive requests were authenticated than non-intrusive ones (93.5% to 87.9%, respectively), leading to a more efficient use of resources over the approach of authenticating all requests in situations of elevated risk.

The performance of the framework was another aspect of the approach that needed to be demonstrated and validated. The testing results showed that the framework, given limited server resources, was able to receive and process requests at a rate of over 1.3 million per day, exceeding the processing requirements for many high traffic domains and websites.

8.3 Future Work

The area of designing adaptive security mechanisms is very broad and there remains a significant amount of work to provide systems with such capabilities that are suitable for use by industry and the general public. The system for acquiring context data could be extended to include a greater variety of sensors. Other types of correlation besides matching values could also be incorporated into the acquisition approach to enable assessments that are more predictive.

A reasoning engine based on the proposed assessment ontology could be added to the analysis server to make all of the different types of assessments available at the application

phase. This, however, would also demand that a wide variety of sensors are integrated in the acquisition phase so that the necessary inputs are present.

The various servers (alert and analysis) could be relocated to independent multi-core machines to investigate the impact of greater parallelism on expanding the capabilities for the handling of context information. Additional measures to secure the data transmissions between security components could also be added.

REFERENCES

[1] CERT Coordination Center, "Overview of attack trends," 2002.
[2] IBM Global Technology Services, "IBM Internet Security Systems X-Force 2007 Trend Statistics," tech. rep., Internet Security Systems - IBM Global Technology Services, 2007.
[3] E. Bertino and L. D. Martino, "A service-oriented approach to security - concepts and issues," in ISADS '07: Proceedings of the Eighth International Symposium on Autonomous Decentralized Systems, Washington, DC, USA, pp. 7, IEEE Computer Society, 2007.
[4] R. Sandhu and P. Samarati, "Authentication, access control, and audit," ACM Comput. Surv., vol. 28, pp. 241, 1996.
[5] S. Axelsson, "The base-rate fallacy and the difficulty of intrusion detection," ACM Transactions on Information and System Security (TISSEC), vol. 3, pp. 186, 2000.
[6] C. Abad, J. Taylor, C. Sengul, W. Yurcik, Y. Zhou, and K. Rowe, "Log correlation for intrusion detection: a proof of concept," Computer Security Applications Conference, 2003. Proceedings. 19th Annual, pp. 255, 2003.
[7] N. Carey, A. Clark, and G. Mohay, IDS Interoperability and Correlation Using IDMEF and Commodity Systems, pp. 252. 2002.
[8] F. Cuppens and A. Miege, "Alert correlation in a cooperative intrusion detection framework," Security and Privacy, 2002. Proceedings. 2002 IEEE Symposium on, pp. 202, 2002.
[9] H. Debar and A. Wespi, "Aggregation and correlation of intrusion-detection alerts," RAID '00: Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection, pp. 85, 2001.
[10] B. Morin, L. Mé, H. Debar, and M. Ducassé, M2D2: A Formal Data Model for IDS Alert Correlation, vol. Recent Advances in Intrusion Detection of Lecture Notes in Computer Science. Springer Berlin/Heidelberg, October 2002.
[11] P. Ning, Y. Cui, and D. S. Reeves, Analyzing Intensive Intrusion Alerts via Correlation, vol. Proceedings of Recent Advances in Intrusion Detection: 5th International Symposium, RAID 2002, Zurich, Switzerland, October 16-18, 2002, pp. 74. 2002.
[12] P. A. Porras, M. W. Fong, and A. Valdes, A Mission-Impact-Based Approach to INFOSEC Alarm Correlation, pp. 95. 2002.
[13] V. Yegneswaran, P. Barford, and S. Jha, "Global intrusion detection in the DOMINO overlay system," in Proceedings of Network and Distributed System Security Symposium (NDSS), 2004.

PAGE 136

[14]Symantec,Deepsightthreatmanagementsystem.https://tms.symantec.com/,2008. [15]MyNetWatchman,http://mynetwatchman.com/,2008. [16]Dshield,http://www.dshield.org,2008. [17]K.Henricksen,J.Indulska,andA.Rakotonirainy, ModelingContextInformationin PervasiveComputingSystems ,pp.79.2002. [18]T.Gu,H.K.Pung,andD.Q.Zhang,Aservice-orientedmiddlewareforbuilding context-awareservices, JournalofNetworkandComputerApplications ,vol.28, pp.1,2005. [19]Context, TheAmericanHeritageDictionaryoftheEnglishLanguage,Fourth Edition ,Feb2009.http://dictionary.reference.com/browse/context. [20]Context, Merriam-WebsterOnlineDictionary ,Feb2009.http://www.merriamwebster.com/dictionary/context. [21]A.K.Dey,Understandingandusingcontext, PersonalUbiquitousComput. ,vol.5, pp.4,2001. [22]P.Brezillon,G.K.Mostefaoui,andJ.Pasquier-Rocha,Context-awarecomputing:A guideforthepervasivecomputingcommunity, PervasiveServices,2004.ICPS2004. IEEE/ACSInternationalConferenceon ,2004. [23]T.StrangandC.Linnho-Popien,Acontextmodelingsurvey,in Workshopon AdvancedContextModelling,ReasoningandManagementaspartofUbiComp 2004-TheSixthInternationalConferenceonUbiquitousComputing ,Nottingham, England,2004. [24]R.A.KemmererandG.Vigna,Intrusiondetection:Abriefhistoryandoverview supplementtocomputermagazine, Computer ,vol.35,pp.27,2002. [25]W.Hasselbring,Informationsystemintegration, CommunicationsoftheACM vol.43,pp.32,2000. [26]V.Stavridou,Integrationinsoftwareintensivesystems, JournalofSystemsand Software ,vol.48,pp.91,1999. [27]M.K.Perry,Verticalintegration:Determinantsandeects,in HandbookofIndustrialOrganization R.SchmalenseeandR.Willig,eds.,vol.1,ch.4,pp.183255, Elsevier,July1989. [28]V.N.L.Franqueira,Accesscontrolfromanintrusiondetectionperspective, TechnicalReportTR-CTIT-06-10,CenterforTelematicsandInformationTechnology, UniversittofTwente,February2006. 136

PAGE 137

[29]T.RyutovandC.Neuman,Thespecicationandenforcementofadvancedsecurity policies, PoliciesforDistributedSystemsandNetworks,2002.Proceedings.Third InternationalWorkshopon ,pp.128,2002. [30]T.Ryutov,C.Neuman,K.Dongho,andZ.Li,Integratedaccesscontrolandintrusiondetectionforwebservers, ParallelandDistributedSystems,IEEETransactions on ,vol.14,pp.841,2003. [31]T.Ryutov,C.Neuman,andD.Kim,Dynamicauthorizationandintrusionresponse indistributedsystems, DARPAInformationSurvivabilityConferenceandExposition, 2003.Proceedings ,vol.1,pp.50vol.1,2003. [32]C.-Y.Tseng,P.Balasubramanyam,C.Ko,R.Limprasittiporn,J.Rowe,and K.Levitt, Aspecication-basedintrusiondetectionsystemforAODV .ACMPress, 2003.986876125-134. [33]P.UppuluriandR.Sekar, ExperienceswithSpecication-BasedIntrusionDetection p.172.2001. [34]J.Garcia,F.Autrel,J.Borrell,S.Castillo,F.Cuppens,andG.Navarro, DecentralizedPublish-SubscribeSystemtoPreventCoordinatedAttacksviaAlertCorrelation pp.223.2004. [35]R.Bhatti,E.Bertino,andA.Ghafoor,Atrust-basedcontext-awareaccesscontrol modelforweb-services, WebServices,2004.Proceedings.IEEEInternational Conferenceon ,pp.184,2004. [36]N.Dimmock,A.Belokosztolszki,D.Eyers,J.Bacon,andK.Moody,Usingtrust andriskinrole-basedaccesscontrolpolicies, SACMAT'04:Proceedingsoftheninth ACMsymposiumonAccesscontrolmodelsandtechnologies ,pp.156,2004. [37]N.Dimmock,Howmuchis"enough"?riskintrust-basedaccesscontrol, WETICE '03:ProceedingsoftheTwelfthInternationalWorkshoponEnablingTechnologies p.281,2003. [38]L.Teo,G.-J.Ahn,andY.Zheng,Dynamicandrisk-awarenetworkaccessmanagement, SACMAT'03:ProceedingsoftheeighthACMsymposiumonAccesscontrol modelsandtechnologies ,pp.217,2003. [39]N.Stakhanova,S.Basu,andJ.Wong,Ataxonomyofintrusionresponsesystems, Int.J.Inf.Comput.Secur. ,vol.1,no.1/2,pp.169,2007. [40]S.Manganaris,M.Christensen,D.Zerkle,andK.Hermiz,Adatamininganalysisof rtidalarms, ComputerNetworks ,vol.34,pp.571,102000. 
[41]J.Wang,B.Jin,andJ.Li, Anontology-basedpublish/subscribesystem .SpringerVerlagNewYork,Inc.,2004.1045676232-253. 137

PAGE 138

[42]H.Wache,V.Ogele,T.Visser,U.Stuckenschmidt,H.Schuster,G.Neumann, andH.Ubner,Ontology-basedintegrationofinformation-asurveyofexisting approaches,Seattle,WA,pp.108,2001. [43]H.Debar,D.A.Curry,andB.S.Feinstein,Theintrusiondetectionmessageexchangeformatidmef,2007.RequestForCommentsExperimental. [44]SunMicrosystems,Xacmlimplementation,AccessedNovember2007. http://sunxacml.sourceforge.net/. [45]R.S.Sandhu,E.J.Coyne,H.L.Feinstein,andC.E.Youman,Role-basedaccess controlmodels, Computer ,vol.29,pp.38,1996. [46]R.S.SandhuandP.Samarati,Accesscontrol:Principlesandpractice, IEEE CommunicationsMagazine ,vol.32,pp.40,1994. [47]R.Heady,G.Luger,A.Maccabe,andM.Servilla,Thearchitectureofanetwork levelintrusiondetectionsystem,Aug.1990. [48]E.Fisch, IntrusionDamageControlandAssessment:ATaxonomyandImplementationofAutomatedResponsestoIntrusiveBehavior .PhDthesis,TexasA&M University,1996. [49]C.Carver,Jr.andU.Pooch,Anintrusionresponsetaxonomyanditsrolein automaticintrusionresponse, IEEEWorkshoponInformationAssuranceand Security ,2000. [50]H.Debar,D.Curry,andB.Feinstein, TheIntrusionDetectionMessageExchange FormatIDMEF .No.4765inRequestforComments,IETF,Mar.2007. [51]F.Cuppens,Managingalertsinamulti-intrusiondetectionenvironment, Computer SecurityApplicationsConference,2001.ACSAC2001.Proceedings17thAnnual pp.22,2001. [52]F.Valeur,G.Vigna,C.Kruegel,andR.A.Kemmerer,Acomprehensiveapproachto intrusiondetectionalertcorrelation, IEEETransactionsonDependableandSecure Computing ,vol.01,pp.146,2004. [53]G.Giacinto,R.Perdisci,andF.Roli,Alarmclusteringforintrusiondetection systemsincomputernetworks, MachineLearningandDataMininginPattern Recognition ,pp.184,2005. [54]S.Staniford,J.A.Hoagland,andJ.M.McAlerney,Practicalautomateddetectionof stealthyportscans, JournalofComputerSecurity ,vol.10,pp.105,2002. [55]P.Ning,Y.Cui,D.S.Reeves,andD.Xu,Techniquesandtoolsforanalyzing intrusionalerts, ACMTrans.Inf.Syst.Secur. ,vol.7,pp.274,2004. 138

PAGE 139

[56]D.XuandP.Ning,Alertcorrelationthroughtriggeringeventsandcommonresources,in 20thAnnualComputerSecurityApplicationsConference,2004 ,pp.360 369,2004. [57]P.Ning,D.Reeves,andY.Cui,Correlatingalertsusingprerequisitesofintrusions, Dec.2001. [58]B.MorinandH.Debar, CorrelationofIntrusionSymptoms:AnApplicationof Chronicles ,vol.RecentAdvancesinIntrusionDetection,pp.94.2003. [59]S.Godik,T.Moses,andetal,Extensibleaccesscontrolmarkuplanguagexacml version2.0.OASISStandard,February2005. [60]D.J.Weber, Ataxonomyofcomputerintrusions .PhDthesis,MassachusettsInstitute ofTechnology.,1998. [61]C.AlbertsandA.Dorofee,Octavecriteria,version2.0,Dec.2001. [62]F.SwiderskiandW.Snyder, ThreatModeling .Redmond,Wash:MicrosoftPress, 2004. [63]P.Mell,K.Scarfone,andS.Romanosky,Acompleteguidetothecommonvulnerabilityscoringsystemversion2.0.http://www.rst.org/cvss/cvss-guide.pdf,June 2007. [64]L.Viljanen, Trust,PrivacyandSecurityinDigitalBusiness ,vol.Volume3592/2005 of LectureNotesinComputerScience ,ch.TowardsanOntologyofTrust,pp.175 184.SpringerBerlin/Heidelberg,August312005. [65]D.J.Essin,Patternsoftrustandpolicy,in Proceedingsofthe1997NewSecurity ParadigmsWorkshop ,ACMPress,1997. [66]A.Avizienis,J.Laprie,B.Randell,andC.C.Landwehr,Basicconceptsandtaxonomyofdependableandsecurecomputing, IEEETransactionsonDependableand SecureComputing ,vol.1,pp.11,Jan.-March2004. [67]T.Ryutov,C.Neuman,D.Kim,andL.Zhou,Integratedaccesscontrolandintrusion detectionforwebservers, DistributedComputingSystems,2003.Proceedings.23rd InternationalConferenceon ,pp.394,2003. [68]C.A.Carver, AdaptiveAgent-BasedIntrusionResponse .PhDthesis,TexasA&M UniversityatCollegeStation,May2001. [69]M.Ahmed,E.Al-Shaer,andL.Khan,Anovelquantitativeapproachformeasuring networksecurity, INFOCOM2008.The27thConferenceonComputerCommunications.IEEE ,pp.1957,April2008. 139

PAGE 140

[70]MITLincolnLaboratory,2000DARPAIntrusionDetectionScenarioSpecicDataSets.,http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/2000data.html,AccessedSeptember2008. [71]A.HessandN.Karowski,Automatedprotectionofend-systemsagainstknown attacks,in ProceedingsofIEEE/ISTWorkshoponMonitoring,AttackDetectionand Mitigation ,Tuebingen,Germany,2006. [72]CommonVulnerabilitiesandExposures,CommonVulnerabilitiesandExposures List.http://cve.mitre.org/,AccessedSeptember2008. [73]C.KruegelandW.Robertson,Alertverication:Determiningthesuccessofintrusionattempts,in 1stWorkshopontheDetectionofIntrusionsandMalwareand VulnerabilityAssessmentDIMVA2004 ,July2004. [74]U.ShankarandV.Paxson,Activemapping:Resistingnidsevasionwithoutaltering trac,in SP'03:Proceedingsofthe2003IEEESymposiumonSecurityandPrivacy Washington,DC,USA,p.44,IEEEComputerSociety,2003. [75]JoeDogSoftware,Siege.http://www.joedog.org/index/siege-home,November2008. [76]Compete.com.http://www.compete.com,February2009. 140

PAGE 141

BIOGRAPHICAL SKETCH

Hassan Rasheed was born in 1981 in Florida to Howard and Barbara Rasheed. He graduated from King High School in Tampa, Florida in 2000. In 2004, he earned a Bachelor of Science degree in computer engineering from the University of Florida. After completing his bachelor's degree, he began working on his Doctor of Philosophy in computer engineering at the University of Florida. His graduate studies focused on distributed systems, information security and the design and implementation of context-aware systems.