Integrating Access Control with Real-Time Assessment

rasheed_h.pdf

rasheed_h_pdf.txt

PAGE 1

INTEGRATINGACCESSCONTROLWITHREAL-TIMEASSESSMENT:ADAPTIVE SECURITYTHROUGHTHEACQUISITION,ANALYSISANDAPPLICATIONOF CONTEXTDATA By HASSANRASHEED ADISSERTATIONPRESENTEDTOTHEGRADUATESCHOOL OFTHEUNIVERSITYOFFLORIDAINPARTIALFULFILLMENT OFTHEREQUIREMENTSFORTHEDEGREEOF DOCTOROFPHILOSOPHY UNIVERSITYOFFLORIDA 2009 1

PAGE 2

2009HassanRasheed 2

PAGE 3

HetheCreatoristheEverLiving,nonehastherighttobeworshippedbutHe;soinvoke HimmakingyourworshippureforHimalone.AllthepraiseandthanksbetoAllah,the Lordofallthatexists.Qur'an40:65 3

PAGE 4

ACKNOWLEDGMENTS IthanktheCreatorforHiscontinuousmercyandfavorandmyparentsfortheir continualsupportandself-lesscare;andIthankallofthosewhohavecontributedtomy intellectualdevelopmentthroughoutmystudies. 4

PAGE 5

TABLEOFCONTENTS page ACKNOWLEDGMENTS.................................4 LISTOFTABLES.....................................9 LISTOFFIGURES....................................10 ABSTRACT........................................15 CHAPTER 1INTRODUCTION..................................16 1.1Motivation:ParadigmShiftsinSystemSecurity...............16 1.1.1ChangingNatureofAttacks......................16 1.1.2ChangingDeploymentEnvironments.................17 1.1.3GreaterEmphasisonDistributedDataAnalysis...........18 1.2ChallengesFaced................................19 1.2.1TheNatureofContextInformation..................19 1.2.2ApplyingSecurityDataforImprovedAccessControl........20 1.3Approach....................................21 1.4SummaryofResults..............................21 1.5SignicanceandImpact............................22 1.6OrganizationofthisReport..........................23 2RELATEDWORK..................................24 2.1ContextInformation..............................24 2.1.1ExistingDenitionsofContext.....................24 2.1.2RedeningContext...........................24 2.1.3ContextRepresentation.........................26 2.2SystemsIntegration...............................26 2.2.1HorizontalIntegration..........................27 2.2.2VerticalIntegration...........................29 2.2.3SummaryonIntegration........................30 2.3IntegrationofSecurityControls........................31 2.4UseofThreat,RiskandTrustinAccessControl...............33 2.5IntrusionResponse...............................33 3GENERALAPPROACHPART1:CONTEXTACQUISITION.........35 3.1IntroductionandDesignGoals.........................35 3.2SurveyofContextAcquisitionApproaches..................36 3.2.1Closed/CoalitionApproach.......................37 3.2.2Open/FederationApproach.......................39 3.3ACoalition-BasedSystemforContextAcquisition..............41 5

PAGE 6

3.3.1InformationModel...........................41 3.3.1.1Accesscontrol.........................41 3.3.1.2Intrusiondetection......................43 3.3.1.3Intrusionresponse......................44 3.3.1.4Modeloverview........................45 3.3.1.5Securityevent.........................45 3.3.1.6Accessrequest.........................46 3.3.1.7Intrusionattempt.......................46 3.3.1.8Intrusionresponse......................46 3.3.2Implementation.............................47 3.3.3SummaryoftheCoalitionApproachtoContextAcquisition.....49 3.4AFederatedSystemforContextAcquisition.................49 3.4.1Approach.................................49 3.4.2TheUseofEventCorrelationinFederatedSystem..........50 3.4.3AvailableCorrelationMethods:ATaxonomyofEventCorrelation ApproachesforSecurityData.....................50 3.4.3.1Taxonomyofalertcorrelationmethodsbasedonoutcome.50 3.4.3.2Taxonomyofalertcorrelationmethodsbasedonmeans..52 3.4.4SelectinganEectiveOntologyApproach...............54 3.4.5AHybridEventOntology.......................55 3.4.5.1Thebasisforacommonontology..............55 3.4.5.2Theproposedontology....................56 3.5Summary....................................59 4GENERALAPPROACHPART2:CONTEXTANALYSIS...........67 4.1IntroductionandDesignGoals.........................67 4.2AHigh-LevelOntologyofSecurityAssessmentInformation.........68 4.2.1CoreAssessments............................69 4.2.1.1Risk..............................69 4.2.1.2Trust..............................69 4.2.1.3Dependabilityandimportance................70 4.2.2CompositeAssessments.........................71 4.2.2.1Threat.............................71 4.2.2.2Impact.............................72 4.3Summary....................................72 5GENERALAPPROACHPART3:CONTEXTAPPLICATION.........75 5.1Introduction...................................75 5.2Context-BasedPolicyEvaluation.......................75 5.2.1AccessControlSchemaExtension...................76 5.2.2ApplicationScenarios..........................78 5.3Context-BasedThreatResponse........................79 5.4Summary....................................81 6

PAGE 7

6ADAPTIVERISK-AWAREACCESSCONTROLFORWEBSERVERS....87 6.1Introduction...................................87 6.1.1ConnectionBetweentheImplementationandPreviousChapters..87 6.1.2ImplementationOverview........................88 6.2IntrusionResponseandAttackResistance..................89 6.2.1StrategySelection............................89 6.2.2ResponseTriggering...........................90 6.3NotionofRiskandaPreliminaryRiskAssessmentModel..........90 6.3.1AnalysisModel.............................90 6.4TriggeringRestrictedPermissioningWithRiskData.............93 6.5AbacusFrameworkArchitecture........................94 6.6UpdatesandModicationstotheInitialModelandArchitecture......99 6.6.1PerformanceIssuesWiththeInitialArchitecture...........99 6.6.2Solution1:Caching...........................99 6.6.3Solution2:RedesigningtheAnalysisAlgorithmandRefactoring theArchitecture.............................100 6.6.4RevisedRiskAssessmentModel....................100 6.6.5RestructuredArchitecture.......................101 6.7Summary....................................101 7RESULTS.......................................106 7.1TestingSetup..................................106 7.2ValidationofAnalysisModel..........................106 7.3WebServerAttackResistanceResults....................108 7.4PerformanceAnalysis..............................111 7.4.1PerformanceTestingMethodology...................111 7.4.2PerformanceofInitialAbacusFramework...............112 7.4.3PerformanceofAbacusFrameworkwithRecursiveAnalysisModel.113 7.4.4PerformanceComparisonforABACUSFrameworkandOrdinary ApacheWebserver...........................113 8CONCLUSIONS...................................130 8.1ConclusionsProducedByExaminationoftheGeneralApproach......130 8.1.1DataAcquisition............................130 8.1.2DataAnalysis..............................130 8.2ConclusionsOntheImplementationandTestingoftheConcreteImplementation....................................131 8.2.1DataQuality...............................131 8.2.2ChangesFromtheGeneralApproachtotheConcreteImplementation132 8.2.3EectivenessandPerformance.....................133 8.3FutureWork...................................133 7

PAGE 8

REFERENCES.......................................135 BIOGRAPHICALSKETCH................................141 8

PAGE 9

LISTOFTABLES Table page 5-1Escalationofthreatinsubsequentrequestsbytwodierentsources.Whenthe threatisassignedtoindividualsourcesseperately,thesystemisabletodistinguishbetweenmaliciousandnon-malicioussubjects................83 5-2Escalationofthreatinsubsequentrequestsbythreedierenthostsonacommontarget.Whentheeectofrequestsfromdierentsubjectstothesameobjectareconsideredinaggregate,thesystemisabletocontextualizeindividual requestsintoanoverallpatternofinteractionwiththeobject...........83 5-3Selectedintrusionresponsestrategies.Eachgeneralresponsestrategyislisted alongwithitsappropriateusecase,itsimplementationattheaccesscontrol levelandthecontextualpropertiesthatconstrainitsapplication.........86 7-1Asummaryofthesimulationresultsforscenarioonesimulatinganattackfrom asinglesourceonmultiplesystemresources.....................119 7-2Asummaryofthesimulationresultsfromscenariotwowhilesimulatinganattackfrommultiplesourcesonasinglesystemresource...............120 7-3Asummaryofthesimulationresultsfromscenariothreewhilesimulatingan attackfrommultiplesourcesonmultiplesystemresources.............121 7-4TracstatisticsforthreetopwebsitesinDecember2008..............129 7-5EstimatedpeakperformanceforABACUSframeworkwithcurrenttestingconstraints.........................................129 9

PAGE 10

LISTOFFIGURES Figure page 3-1Diagramofasecuritycoalition.Eachsecuritycomponenthastointeractwith alloftheothercomponentsinordertoaccesstheirdata.Thisarchitectureis limitedinextensibilitybecauseeachtimeanewmemberisaddedtothecoalition,alloftheothermembersmustbeadaptedtouseitsinterface........60 3-2Theanatomyofasecuritycomponentinanopenarchitecture.Thecoredecisionmechanismisresponsibleforplacingneweventsintothemechanismsevent datastorewhichsubsequentlyprovidesthedatatootherconsumers.Thecore decisionmechanismalsopullsdatafromthecomponent'seventconsumermoduleinordertoenforcepolicybasedonexternaleventinformation.Theevent consumermoduleincludesapolicydescribingthedierenttypesofeventsthat shouldbedrawnfromtheeventproviderthisinteractionisdepictedinFigure 3-3...........................................61 3-3Securitycomponentswithacommoneventprovider.Ratherthanhavingtointeractwitheachothermemberofthesystem,thecomponentscannowaccess datathroughacommoneventprovider.......................62 3-4Theanatomyofasecuritycomponentinanopenarchitecture.Thecoredecisionmechanismisresponsibleforplacingneweventsintothecommonevent providerthatisnowanexternalserviceinsteadofthepreviousdatastorethat wascontainedinthemechanismitself.Thecoredecisionmechanismalsopulls datafromthecomponent'seventconsumermoduleinordertoenforcepolicy basedonexternaleventinformation.Theeventconsumermoduleincludesa policydescribingthedierenttypesofeventsthatshouldbedrawnfromthe eventproviderthisinteractionisdepictedinFigure3-3..............63 3-5Securityeventinformationmodel..........................64 3-6TheowofdatabetweenanIDSandawebserverunderthecoalition-based implementation.....................................64 3-7Taxonomyofthemeansusedtoachievealertcorrelation..............65 3-8Ontologyforinter-domaineventcorrelation....................66 4-1Coreassessmentclasses.Importance,trustanddependabilityassessmentsfor entities.Threatandimpactassessmentsforaccessrequests.Valueandriskassessmentsfortheactionofanaccessrequest.....................73 10

PAGE 11

4-2Assessmentfactorsforthreeassessmenttypes:trust,riskanddependability. TheclassAssessmentisalsoasubclassofAssessmentFactorbecauseofthecompositeassessmentsthatarederivedfromotherassessments.Theassessmentfactorsforthreataretheriskoftherequestandthetrustgrantedtothesubject. Theassessmentfactorsfortheimpactarethedependabilityandimportanceof theobjectandtheriskoftherequest.........................74 5-1XACMLruleincludingsource-centeredthreat.ThisruledemonstratestheextensionoftheXACMLschemawithanewproperty total-source-threat. This propertyisdesignatedasanattributeofthesubjectoftherequest.Aninteger functionisusedtocomparethevaluereturnedforthispropertywiththedesignatedvalueof20.Ifthetotal-source-threatpropertyisgreaterthanorequalto thisvalue,thentherulehastheeectofcausingtherequesttobedenied....83 5-2XACMLruleincludingtarget-centeredthreat.ThisruledemonstratestheextensionoftheXACMLschemawithanewproperty total-target-threat. This propertyisdesignatedasanattributeoftheresourcebeingaccessed.Anintegerfunctionisusedtocomparethevaluereturnedforthispropertywiththe designatedvalueof30.Ifthetotal-target-threatpropertyisgreaterthanorequal tothisvalue,thentherulehastheeectofcausingtherequesttobedenied...84 5-3XACMLruleincludinganattributeindicatingthataresourceislocked.This ruledemonstratestheextensionoftheXACMLschemawithanewproperty resource-lock-status. Thispropertyisdesignatedasanattributeoftheresource beingaccessed.Abooleanfunctionisusedtocomparethevaluereturnedfor thispropertywiththedesignatedvalueof'true'.Iftheresource-lock-statuspropertyistrue,thentherulehastheeectofcausingallrequeststothisresource tobedenied......................................84 5-4XACMLruleincludinganattributeindicatingthatauseraccountislocked. ThisruledemonstratestheextensionoftheXACMLschemawithanewproperty resource-lock-status. Thispropertyisdesignatedasanattributeofthesubjectinitiatingtherequest.Abooleanfunctionisusedtocomparethevaluereturnedforthispropertywiththedesignatedvalueof'true'.Iftheuser-accountlock-statuspropertyistrue,thentherulehastheeectofcausingallrequests fromthissourcetobedenied.............................85 5-5XACMLruleincludingapropertytorestrictaspecicpermission.Thisrule demonstratestheextensionoftheXACMLschemawithanewproperty userwrite-prohibit. Thispropertyisdesignatedasanattributeofthesubjectinitiatingtherequest.ThePolicyDecisionPointwillbeextendedwithanewmodule thatprovidesthelogictoprovideacurrentvalueforthisproperty.Anboolean functionisusedtocomparethevaluereturnedforthispropertywiththedesignatedvalueof'true'.Iftheuser-write-prohibitpropertyistrue,thentherule hastheeectofcausingtherequesttobedenied..................85 11

PAGE 12

6-1Sampleriskprogressionforanintruderexecutingintrusiverequestsofmoderate severity......................................103 6-2ArchitecturefortheABACUSframework......................103 6-3Apachecongurationdirectivethatestablishesa SourcePermissionRestrict accesshandlertoevaluateallrequeststoresourcesinthedirectory'/s'.Thedirectivealsoestablishesfourriskthresholds,eachforadierentaction.These thresholdsaresubsequentlyusedbytheaccesshandlertocompareagainstthe currentriskevaluationforthesourceoftherequest,withtherequestbeingdeniedifthesource'sriskexceedsthethreshold.Thenalvariable SourceLockoutThreshold establishesthatonetheriskattachedtothesourceexceeds41,all requestsfromthatsourcewillbedenied.......................104 6-4Psuedocodefortheaccesscontrolmodelthatperformsrestrictionofsourcepermissionsbasedonariskassessmentobtainedfromananalysisserver.Itretrieves ariskassessmentforthesourcefromtheanalysisserverandthencomparesit withtheappropriatethresholdfortheactionbeingperformed...........104 6-5Apachecongurationdirectiveforacustomauthenticationhandler.Threedifferentthresholds,orpropertiesareestablishedwhichcouldbeusedtotrigger theuseofauthentication.Avalueisalsosetfor AuthExpiration whichensures that,oneauthenticated,usersareonlyre-authenticatedevery300secondve minutesatmost....................................105 6-6Pseudocodeforauthenticationmodule.Authenticationisrequiredifanyofthe establishedriskthresholdsareexceeded.......................105 7-1Simulationresultsfromthevalidationoftheanalysismodelshowingriskestimatesforthesourcesdetectedasintrusive.Ausingonlyconcretevulnerability lteringBusingconcretevulnerabilitylteringandcongurationverication..118 7-2Simulationresultsfromthevalidationoftheanalysismodelshowingriskestimatesfortargetsbeingattackedbyintrusiverequests.Ausingonlyconcrete vulnerabilitylteringBusingconcretevulnerabilitylteringandconguration verication.......................................119 7-3Accesscontrolpoliciesforthetwoserversduringscenarioonewhilesimulatinganattackfromasinglesourceonmultiplesystemresources.Aservertwo Bserverone.TherstpolicyAestablishesanaccesshandlerthatusessystemlevelriskdataandsetsathresholdof65forthesystemrisk,beyondwhich, requestswillbedenied.ThesecondpolicyBestablishesanaccesshandler thatusessourceriskdataandsetsathresholdof45forthesourcerisk,beyond which,requestsfromthatsourcewillbedenied...................120 7-4Thegrowthoftheriskfromtheintruderinscenarioone..............120 12

PAGE 13

7-5Accesscontrolpoliciesforthetwoserversduringscenariotwowhilesimulatinganattackfrommultiplesourcesonasinglesystemresource.Aservertwo Bserverone.TherstpolicyAestablishesanaccesshandlerthatusessystemlevelriskdataandsetsathresholdof65forthesystemrisk,beyondwhich, requestswillbedenied.ThesecondpolicyBestablishesanaccesshandler thatusestargetriskdataandsetsathresholdof45forthetargetrisk,beyond which,requeststothattargetwillbedenied.....................121 7-6Thegrowthofriskforthetargetedresourceinscenariotwo............121 7-7Accesscontrolpoliciesforthetwoserversduringscenariothreewhilesimulatinganattackfrommultiplesourcesonmultiplesystemresources.Aservertwo Bserverone.TherstpolicyAestablishesanaccesshandlerthatusessystemlevelriskdataandsetsathresholdof65forthesystemrisk,beyondwhich, requestswillbedenied.ThesecondpolicyBestablishesanaccesshandler thatusesthreedierentriskpropertiestotriggertherequirementofauthentication.Thesystemriskthresholdis65,thesourceriskthresholdis33andthe targetriskthresholdis45.Atimelimitfortheexpirationofavalidauthenticationissetat300secondsusingthe AuthExpiration property...........122 7-8StatisticsforABACUSframeworkversion1duringasimulationwithtenconcurrentusers,oneofwhichwasanintruder.Graphsshowtimetoserverequests fordierentbreakdownsofthesetofrequestingusers.Arequestsfromallusers BrequestsfromtheintruderCrequestsfromnon-intrusiveusers.Thesegraphs establishthatthetimetoprocessrequestswasincreasingthroughoutthesimulationandthatthiswasduetotheincreasedtimeintooktoprocessrequests fromtheintruderthatrequiredmoredatatobeaggregatedandanalyzedinordertoproduceariskassessment...........................123 7-9StatisticsforABACUSframeworkversiontwo.Atimetoserverequestsfor thewebserverBtimetoserverequestsfortheanalysisserver.Thegraphscorrespondtoasimulationwith100concurrentusersfortheentiredurationofthe test10minutestresstest...............................124 7-10StatisticsforABACUSframeworkversiontwo.AalertprocessingtimeBalert receivingtime.Thegraphscorrespondtoasimulationwith100concurrentusers fortheentiredurationofthetest10minutestresstest..............125 7-11AdditionalstressteststatisticsforABACUSframeworkversiontwo.Ausing 110concurrentclientsBusing175concurrentclientsCusing200concurrent clients.........................................126 7-12Webservercomparisonusingarandomizeddelayfrom0and1secondbetween requests.AresponsetimeBconcurrencyCtransactionrate..........127 7-13Webservercomparisonusingarandomizeddelayfrom0and10secondsbetweenrequests.AresponsetimeBconcurrencyCtransactionrate.......128 13

PAGE 14

7-14SummaryofthefactorincreaseinwebserverresponsetimefortheABACUS frameworkversiontwocomparedtotheperformanceofanunmodiedwebserver.129 14

PAGE 15

AbstractofDissertationPresentedtotheGraduateSchool oftheUniversityofFloridainPartialFulllmentofthe RequirementsfortheDegreeofDoctorofPhilosophy INTEGRATINGACCESSCONTROLWITHREAL-TIMEASSESSMENT:ADAPTIVE SECURITYTHROUGHTHEACQUISITION,ANALYSISANDAPPLICATIONOF CONTEXTDATA By HassanRasheed May2009 Chair:RandyY.C.Chow Major:ComputerEngineering Theneedforadaptivesecuritymechanismsisgrowing,drivenbytheincreasing automationandmodularityofattacktools,theprevalenceofdynamicservice-oriented architecturesandthegreateravailabilityofnetworkanalysisdata.Inordertofacilitate theevaluationandenforcementofaccesscontrolpoliciesbasedonreal-timeanalysisdata, aframeworkforthecollection,analysisanddisseminationofsecuritydataisproposed. Indemonstratingitsimplementation,theframeworkisintegratedwithawebserver andisusedtoprovideaquantitativeriskassessmentbasedondatafromvulnerability exploitationattempts.Whilemaintaininghighavailabilityfornon-aectedentities, thepercentageofdeniedintrusiverequestsisincreasedbytriggeringmorerestrictive permissioninginthefaceofescalatingriskfromexternalnodesandtosystemresources. Adetailedperformanceanalysisisalsoconductedthatcomparestheproposedframework withanordinarywebserveranddemonstratestheabilityoftheframeworktohandlehigh requestloadsinexcessofonemilliontransactionsperday. 15

PAGE 16

CHAPTER1 INTRODUCTION Oneofthemostsignicantchallengesinthesecuritydomainisthedevelopmentof securitymechanismswiththecapabilitiesofdynamic,contextawarebehavior.Theword contextawarenessmeansdierentthingsinvariousdomains,butherewerefertothe generalabilityofasoftwaredevicetoadjustitsbehaviorbasedonitsperceptionofthe environmentitoperatesin.Thisisstillaverybroadconcept,butwillbefurtherspecied inthecourseofthediscussion. Securitymechanismsoftenoerassessmentsorevaluationsofvariousrequestsand events,forexample:evaluatingthevalidityofarequestforauthorizationoranalyzingan eventforintrusivecharacteristics.Anyassessmentisbasedonassumptionsbothimplicit andexplicitaboutthecurrentenvironment:explicitassumptionsmayoftenbemodeled inapolicywhereasimplicitassumptionsaresubsumedintheunderlyingmodelusedfor decisionmaking.Theroleofcontextdataisthentoeitherkeepthoseexplicitassumptions accurateiftheyexist,ortointroduceimportantparametersinthedecision-makingprocess iftheyhavebeenleftout.Therearethreeprimarymotivationsforthecurrentapproach: theenvironmentsinwhichsecuritymechanismsaredeployedarechanging,theattacks themselvesthatmustbeguardedagainstarechanging,andtheemergingopportunityto leveragedatasourcesprovidingvaluablesecuritydata. 1.1Motivation:ParadigmShiftsinSystemSecurity 1.1.1ChangingNatureofAttacks Therearetwoprimarymotivatingsub-factorstowardsproducingsecuritymechanisms withanimprovedabilitytodealwithachangingenvironment:thechangingnatureof attacks,andmovetowardsutilizingsecuritymechanismsinserviceorientedarchitectures. Thechangingnatureofattackswasnotedin[1]andhassincebeenconrmedinvarious otherreports.Amongstthefactorsnotedinthereportwerethefollowing: 1. Theautomationandspeedofattacktools -eachofthefourcommonphasesofautomatedattacksscanning,compromising,propagatingandcoordinatedmanagement 16

PAGE 17

arebeingdonemorequicklyandeectively.Attacktoolsuseexploitsinthemidst ofscanningandautomaticallyinitiateattackcycles.Coordinatedmanagementis facilitatedbywidelyusedcommunicationsprotocolssuchasinstantmessaging.As aresult,thewindowofresponsebeforeanattackmovesontothenextstageisno longerbasedontheresponsetimeofahumanattackerandthereforeeasilyoutpaces ahumanadministratorsabilitytorespond. 2. Theincreasingsophisticationofattacktools -attackersincreasinglyusetechniques toconcealthenatureofthetoolstheyuse.Toolsthemselvesaremoremodular andexhibitmoredynamicbehavior.Becauseoftheanti-forensicbehavior,previous detectionmethodsusinglow-levelorisolatedindicatorsmayfailtodetectattacks thatotherwisemightbeevidentusingmultiplerelatedpiecesofevidence. 3. Fasterdiscoveryofvulnerabilities -thenumberofnewvulnerabilitiesreported morethandoubleseachyear,oftenduetoexaminationofexistingcodefornewly discoveredvulnerabilityclasses.Thisimpliesawidernumberofavailableattack vectorsatanygivenpointintime.Italsoimpliesthatthepotentialforpublicizing vulnerabilitieswillcreatemoreoccurrencesofwidespreadexploitationofthesame vulnerability.Inits2007annualreportIBM'sInternetSecuritySystemsISSgroup reportedthatvulnerabilitiesin2007weredownvepercentcomparedto2006. However,thenumberofthosevulnerabilitiesthatwereclassiedasseverehigh impactroseby28percent[2].Highimpactvulnerabilitiesarethosethatallow immediateremoteorlocalaccess,orimmediateexecutionofcodeorcommands withunauthorizedprivileges.Thereportalsonotedthatofallofthevulnerabilities newlydiscoveredin2007,thatonly50%ofthemarecorrectablewithavendor patch,meaningthatmoreandmorevulnerabilitiesareofasevere,uncorrectable nature. 4. Increasinglyasymmetricthreat -attackscannowbelaunchedusinglargenumbers ofdistributedsystems,meaningthatthetraditionalone-to-onerelationshipbetween victimandattackerwillincreasinglybeaone-to-manyrelationship. 1.1.2ChangingDeploymentEnvironments Thesecondmotivatingfactoristheneedforsecuritytasksimplementedundera serviceabstractionthatcanbeusedindistributedserviceorientedarchitectures.Service orientedcomputinghasgrownduetothegrowthoftheWebandWebServices.Withthis growth,hascomeagreaterneedfordatasecurity.In[3]severalchallengestoproviding securityservicesarediscussed.Anumberofthesechallengesarerelatedtothenotionof context-awarenessandcontextdatasharing.Thechallengesinthisregardfallinthree 17

PAGE 18

mainareas:contextdataacquisition,analysisandapplication.Amongthequestionsraised arethefollowing: Shoulddecisionpointtodecisionpointinteractionsforshareddecisionmakingbe directormediated Howwillsharedcontextinformationbemanaged Howcanwebuildservicesthatcanmakeuseofpastcontexthistoryandgetaround thestatelessinput/outputmodelforservices Howcaninherentlycontext-dependentservicessuchasintrusiondetectionbe implementedasservices Allofthesechallenges,however,leadtotheconclusionthatcontextinformationand consequentlymechanismsadaptedtousecontextdataarecriticaltothedevelopmentof secureserviceorientedarchitectures.Asoneofthethreeprimarysystemsecurityfunctions notedin[4],therequirementsplacedonaccesscontrolsystems,andconsequentlytheir needtoexhibitcontextawarenessareamongthehighestofanysecuritymechanism. Accesscontrol,morethanperhapsanyothersecuritymechanism,isalsoinneedofthis capabilityasitoftenservesastherstlineofdefenseagainstattacksandintrusionsboth attheapplicationandnetworklevel. 1.1.3GreaterEmphasisonDistributedDataAnalysis Astherealizationhasgrownthattherearesomefundamentallimitationswith individualintrusiondetectionsystems[5],interesthasgrowninleveragingmultiple intrusiondetectionsystemswiththeexpectationthatmoredatawillleadtomoreaccurate analyses.Theseeortsbeganwithcorrelationresearch[6,7,8,9,10,11,12]whichfocused onrelativelysmallsetsofdatacontributors.Ithasalsorecentlygrowntoincludewideareaorglobaldataanalysiseortsthatutilizelargesetsofintrusiondetectionsystems [13,14,15,16]inlookingfornewandemergingthreats.Thequestionofwhattodowith thesevastamountsofdataoncewehavethemhaslargelygoneignoredhowever-the primaryassumptionbeingthatadministratornoticationistheonlydependableway 18

PAGE 19

tomakeuseofsuchdata.Thereis,however,anopportunityforthedesignofsecurity mechanismssuitedtousingsuchdatathatcanperformsomelimitedtaskstoimprove responsetime. 1.2ChallengesFaced Therearechallengesontwomainlevelstotheconstructionofeectivecontext-aware securitysystems.Thersttyperelatetoalltypesofsystemsinwhichcontext-awareness isadesigngoal.Thesearedicultiesrelatedtotheacquisition,analysisandapplication ofthecontextinformation.Theseproblemsarisefromthenatureofthedatabeing collectedandthesensorsprovidingthedata:thefactthattheyarelargelyautonomous, heterogeneousanddistributed. Thesecondtypeofchallengearethosearisingfromtheparticularapplicationdomain. Theseproblemsincludetherateofincomingdata,thehighrateofinaccuracieswith securitydataandtheresultinguncertaintyforaectingresponsestointrusions.Another challengeatthislevel-becauseweareseekingtoutilizecontextdataattheaccesscontrol level-isensuringthatadaptingthesystemtorelyoncontextualinformationdoesnot proveprohibitivelyslowfromaperformanceperspective.Thechallengesforapplying contextdataalsoincludepreventingandmitigatingthenegativeeectsofintrusionswhile maintainingahighlevelofserviceavailability. 1.2.1TheNatureofContextInformation Dealingwithrepresentationsofcontextdatatomakesuchresponsivenesspossible,is inherentlycomplex.Thereareseveralinherentdicultiesdealingwithcontextinformation discussedin[17]includingthefollowing:therangeoftemporalcharacteristicsexhibited, highdegreeofinterrelatedness,inaccuraciesorimperfectionsinthedataandlarge numberofalternaterepresentations.Addtothis,thefactthatservicestodealwith contextareapplicationspecic[18]andthetaskofmanagingcontextdatabecomeseven moreimposing.Thesediculties,however,haveonlybeenconfrontedintherealmof securityinaverylimitedway.Someapproachestoalertcorrelationdealwithreceiving 19

PAGE 20

heterogeneous,interdependentandpossiblyimperfectpiecesofdata,butthegoalhasyet tobemakingthatdatausablebyothersecuritycomponents. Tofurtherspecifythechallengesinthisarena,webreakthetaskofcontext-awareness downintothreesub-tasks:acquisition,analysisandapplication.Contextdataacquisition iscomplicatedbythefactthatthesourcesforcontextdatainthisdomainarevery diverse,sometimespossessingtheirownspecializeddomain-specicstandards.Thisisa somewhatuniquechallengeastheapproachestoacquiringcontextdatainapervasive computingenvironmentrelyondatasourcesthatarepassivesensorsproducingrelatively low-leveldata.Morespecically,aneectiveapproachtowardscontextdataacquisition amongstsecurityservicesmustdealwiththeinherentautonomy,heterogeneityand distributionpresentincurrentsecuritymechanisms. Asaresultoftheintricaciesanduniquenessesinsecuritydata,ecientcontext analysistechniquessuitedtosecuritydatamustalsobedesignedtoderivekeysecurity measuresfromdatathathassignicantsemanticheterogeneities.Thesecontextanalysis techniquesmustalsobefocusedonproducing actionabledata :informationthatcan subsequentlybeusedtoadaptpolicies,behaviorsandenactresponsestochanging circumstances. 1.2.2ApplyingSecurityDataforImprovedAccessControl Thenotionofusingsecuritydataforpolicyenforcementassumesalevelofaccuracy forthesensorsthatisoftennotpresentforsecuritysensors.Inparticular,considering theclassofintrusiondetectionsystems,anumberofissueswithdatainaccuracyhave beennotedintheresearch,bothonapracticalandtheoreticallevel[5].Generically,the problemsaredividedintotwotypes:1falsepositives,whichareincidentsdetectedas intrusivethatareinrealitybenignand2falsenegatives,whichareincidentsthatare intrusivebutarecategorizedasbenignorsimplymissedaltogether.Anotherissueisthe sheernumberofalertsthataregeneratedbyintrusiondetectionsystems-thisplaces 20

PAGE 21

constraintsontheperformanceofthetechniquesusedforstorageanalysistobeableto keepupwiththeincomingstreamofdata. 1.3Approach Inordertoaddressthegeneralissuesregardingarchitectingcontext-awaresystems, wedevelopageneralframeworkforthecollection,analysisanddisseminationofsecurity data.Theacquisitionapproachwillfocusonthedierentarchitecturesandmechanism thatcanbeemployedforintegratingdatafrommultiplesources.Onesuchsolutionwill beatightlyintegratedsystemsuitedtosmalldeploymentsbutlackinginextensibility. Theotheracquisitionarchitecturewillprovidegreaterextensibilitybyutilizingaserviceorientedabstraction.Theanalysisapproachwilldevelopasetofcriticalanalysismeasures afterexamingthereasonabletechniquesforanalyzingsecuritydata.Theapproachto applicationwillbemoredomain-specic,surveyingtheavailableintrusionresponse controlsandthetechniquesforactivatingthem. Animplementationwillbedicussedthatfocusesonaddressingsomeoftheconcerns specictotheuseofsecuritydataincludingperformanceanddatainaccuracies.This systemwillalsoprovideaplatformfortestingtheenforcementofaccesscontrolpolicies basedonreal-timeanalysisdata.Theimplementationframeworkwillincludeawebserver astheprimaryaccesscontrolmechanism.Theanalysisprocesswillthenproduceentityspecicriskassessmentsbasedondatafromvulnerabilityexploitationattempts.Thedata willthenbeappliedtoresolvecontextdependenciesattheaccesscontrolpolicyleveland regulatepermissionsbasedonestablishedriskthresholds. 1.4SummaryofResults Whilemaintaininghighavailabilityfornon-aectedentities,weareabletoshowan increasedratioofdeniedintrusiverequestsbytriggeringmorerestrictivepermissioningin thefaceofescalatingriskfromexternalnodesandtosystemresources.Wealsoprovide performanceanalysiscomparingtheproposedframeworkwithanordinarywebserverand 21

PAGE 22

demonstratingtheabilityoftheframeworktohandlehighrequestloadsinexcessofone milliontransactionsperday. 1.5SignicanceandImpact Thisapproachdemonstratesthefeasibilityofsuchadaptivesecuritymeasuresboth intermsofeectivenessatlimitingattacksandinmaintaininghighrequestthroughput. Theimpactoftheapproachisprimarilyindemonstratingmorecareful,tailoredresponse usageasaresultofmoredetaileddataanalysis.Previousapproachesthatuseddatafrom assessmentmechanismsintheperformanceofaccesscontrolwereprimarilyfocusedon integratingtheperformanceofintrusiondetectionandaccesscontrolinonemechanismasaresult,thedataanalysiswasminimalandtheresultingresponsesbasedoncontext datawereappliedatasystemwidelevel.Bygeneratingcontextanalysisdataforspecic sourcesandtargets,preventativemeasuressuchasforcingadditionalauthenticationare appliedmoreecientlyandonlywhennecessary.Strongerresponsemethodssuchas lockingoutuseraccountscanalsobeutilizedbecausethescopeismoregranular. Experimentationwillfocusontheutilizationofafewkeyresponsesattheaccess controllevel:forcingadditionalauthentication,restrictinguserpermissions,lockinguser accountsandrestrictingaccesstothreatenedservices.Wewillshowthattheresultant systemisableto: 1.Useresponsemethodsmoreeciently-decreasethenumberofrequestsforadditionalauthenticationthatmustbehandledinsituationsofelevatedthreat,by elevatingthreatlevelsonlyforspecicsourcesandtargets 2.Limitintrusivebehaviorwhilemaintainingresourceavailability-decreasethe numberofrequestscomingfromthreateningsourcesthatarepermittedusing permissionrestrictionandaccountlockingwhilemaintainingresourceavailability forlegitimaterequests. 3.Ensuregreaterintegrityandcondentialityprotectionforselectresources-limit riskstocondentialityandintegritybyrestrictingaccesstoselectedservicesincases wherecondentialityandintegrityareofgreaterconcernthancompleteavailability 22

PAGE 23

1.6OrganizationofthisReport Therstsectionwillfocusonrelatedwork.Inthissectionpreviousresearchin contextinformation,systemsintegrations,theintegrationofsecuritycontrols,theuse ofkeyassessmentsinaccesscontrolandintrusionresponsewillbeaddressed.Thenext threesectionswilleachaddressoneaspectofthegeneralchallengesdiscussedrelatedto architectingcontext-awaresystems:dataacquisition,dataanalysisanddataapplication. Followingthiswillbeadiscussionofthesystemimplentation:theanalysismodel,the architectureandtheintegrationbetweentheframeworkandthepre-existingaccesscontrol system.Nextacomprehensivesetoftestingresultsfromexperimentationwiththesystem implementationwillbepresented.Concludingthesections,willbeachapteronthe conclusionsdrawnfromtheresearchandastatementonfuturework. 23

PAGE 24

CHAPTER2 RELATEDWORK 2.1ContextInformation 2.1.1ExistingDenitionsofContext Therearetwodenitionsofcontextthatwillbeconsideredwhendeningcontext forthepurposesofthisstudy:alinguisticdenitionandadenitionfromthepervasive computingarea. Linguistic. TheAmericanHeritageDictionarydenescontextasThepartofatext orstatementthatsurroundsaparticularwordorpassageanddeterminesitsmeaning.[19] TheMerriuamWebsterDictionarydenescontextas,Theinterrelatedconditionsin whichsomethingexistsoroccurs[20]. Pervasivecomputing. SchilitandTheimerrstmentionedtheterm context-aware morethanadecadeagowiththeexplanationthatsuchsystems,[adapt]accordingtothe locationofuse,thecollectionofnearbypeople,hosts,andaccessibledevices,aswellas tochangesinsuchthingsovertime.Otherdenitionshavetakenahumanuser-centric viewofcontext,deningitas:anyinformationthatcanbeusedtocharacterizethe situationofanentity.Anentityisaperson,placeorobjectthatisconsideredrelevantto theinteractionbetweenauserandanapplication[21].Broaderdenitionsalsoexistsuch as,alltheknowledgethatconstrainsproblemsolvingatagivenstepwithoutintervening initexplicitly[22]. 2.1.2RedeningContext Thereareafewproblemswithdenitionssuchasthosestatedabove.Firstlythey areeitherareoverlybroad,lumpingmanytypesofinformationtogetherascontext:or theyareoverlyspecic,restrictingcontexttotypesofinformationusefulintheparticular applicationbeingdeemed context-aware Intuitivelycontextisnecessarybecauseitclariesmeaning-butdenitionsthat neglectthiswilladoptinformationascontextthatdoesnotaddtomeaning.Denitions 24

PAGE 25

thatonlyconsidercontexttobeinformationusedinaparticularapplicationwillnot bewidelyusable,andcouldpossiblymisssomeinformationthatmightimprovethe application. Anotherissueisthenotionofcontextownership.Mostofthesedenitionsview contextualinformationasbelongingtoanobjectorentity.Butevents-theoccurrences thatchangethecontextofanobjectorentityalsohavetheirowncontext:timeof occurrence,initiatingentity,receivingentity,location,etc.Consideringeventsseparately fromobjectsallowsustostoretemporalinformationdirectly,andtobeginusingthe abstractionofaneventhistorywithinagivendomain.Thiswouldallowustodescribe thesemanticsattachedtoothereventsinclosespatialortemporalproximitytotheevent underexamination. Manyapplicationsinthesecuritydomainforinstancetypicallyconsiderpatternsof behaviorovertimetobeaprimarytypeofcontext.Foranapplicationsuchasintrusion detection,thephysicalcontextofasystemwiththeexceptionofnetworktopologyis actuallyirrelevant.Inadditionwewouldliketodevelopawayofdescribingcontextand context-ownershipthatfacilitatescontext-sharingamongentitiesinagivendomain.This wouldbedicultifweconsideramodelwhereonlyobjectspossesscontext.Ifwewere todevelopamodelbasedontheadditionalabstractionofaneventalongwithobjects, thenwecouldbegintodescribethecontextofanevent:itstime,itsactor,itssubject. Andcontext-sharingbecomesaseasyasprovidingeventinformationtoallobjectsinthe domainwheretheeventoccurred. Logicalcontextdenition. Contextisthesetofinterrelatedconditionssurroundinganentityorevent,suchthatwhentheyareconsideredtogethergiveafulland complete usage or applied meaningtoanentityorsituation.Thesepropertiesare notinherenttotheentityoreventandmaybechangedwithoutaectingthesemantics inherenttotheitem. 25

PAGE 26

2.1.3ContextRepresentation Strangetal.[23]citethefollowingsixmodelsforrepresentingcontext:keyvalue, markupscheme,graphical,objectoriented,logicbasedandontologybased. Theyalsoestablishsixtypesofrequirementsthataubiquitouscomputingapplication wouldneedfromacontextmodelingapproach.Thesixpropertiesofacontextmodelthat aremostappropriateare: distributedcomposition-theabilitytocomposecontextinformationintheabsence ofacentralentityresponsibleforthe partialvalidation-thecapabilityofvalidatingcontextdatawithoutalloftherelated databeingpresentatthesamenode formality-theoveralllevelofstructureusedtoorganizethecontextdata applicability-thecontextmodelshouldttheapplicationitisbeingusedin incompletenessandambiguityinthedomainofasecuritysystemincompleteness canbemanifestedthroughthemissingofeventsbyanintrusiondetectionsystem qualityofinformationtheconcernaboutthequalityofinformationdeliveredby asinglesensorvaryingovertimeislessofaconcernforwell-connectedintrusion detection,buttheneedforacontextmodelthatcanaccommodatevaryinglevelsof informationqualitybetweensensorsisvalid.Dierentintrusiondetectionsystems providedierenttypesandamountsofdataoneventsinthesystemandthecontext modelmustbeabletoaccommodatethis. Basedontheserequirements,themostappropriatecontext-modelingstrategyisontology based.ThisisalsoconrmedbyKemmereretal.[24]whonotethatacommonontology isanimportantadditiontheeortsbytheInternetEngineeringTaskForceIETFto establishanintrusiondetectionmessageformatandprotocol. 2.2SystemsIntegration Beforeactuallyaddressingtheissuesneededtoachieveanintegratedsecuritysystem, thequestionastowhatconstitutesintegrationmustbeaddressed.Inthisrespect,there 26

PAGE 27

aretwomajorphilosophies,bothofwhichhavehadasignicantamountofattentionin theareasofsystemintegrationandmicroeconomics. Therstideaistopreservetheexistingsystems,sometimescalledlegacysystems, andapplytechnologiestomaketheminteroperableandachievethedesiredoverallsystem, albeitaheterogeneousone.Wewillrefertothisashorizontalintegration.Agreatdealof researchonthistopichasbeendoneintheareaofInformationSystemscalledSystems IntegrationorApplicationIntegration. Thesecondideaistotaketherequirementsfullledbyeachofthelegacysystems anddevelopanentirelynewsystemthatfulllstherequirementsofalloftheoldsystems, butishomogeneous.Wewillcallthisverticalintegration.Althoughtheobjectstobe integratedinourcasearesomewhatdierentthanthoseintheeldswhoseresearchwill becited,manyofthesameanalyzeshold. 2.2.1HorizontalIntegration Therearethreemaincharacteristicsthatdistinguishahorizontallyintegratedsystem [25]:1heterogeneity,2autonomyand3distribution.Fromtheperspectiveofsystems integration,alloftheseissuesareriskswhichmustbemitigated;inotherwords,theyare thingsstandinginthewayofanintegratedsystem.Themitigationprocessoftendoes notchangethefundamentalcharacteristicsoftheconstituentsystemsandsothesame characteristicsareusuallypresentbeforeandafterintegration.Systemsintegrationviews horizontalintegrationasagoalthatmustbefacilitated,whereaseconomicstheoryviews verticalintegrationasaphenomenonthatoccurswhencertainfactorsarepresent.Thus, thedeterminantstobediscussedlaterareusuallydescribedasstrategiesforovercoming thesecharacteristics,buttheyarefactorsthatleadtoahorizontallyintegratedsystem nonetheless.Heterogeneitycanmanifestitselfintwomainareas:technicalandconceptual [26].Technicalheterogeneitycancomefromdierencesinthingssuchas:hardware platforms,operatingsystems,databasemanagementsystemsandprogramminglanguages. Conceptualheterogeneitycanbeproducedbydieringprogramminganddatamodels 27

PAGE 28

ordierencesinmodelingreal-worldconcepts.Autonomyusuallyoccursintheareasof designorcommunicationandexecution. Architecturesforhorizontalintegration. Therstintegrationarchitectureis termedacomponentcoalition.Thearchitectureintegratesindependentcomponentsby providingacustomsolutionthatwilllinktheinterfacesofthetwocomponents.These coalitionsmaintaintheindependenceoftheindividualcomponentsinthefollowingways: eachcomponenthasitsowninterface eachcomponenthasindependentcontrolofitsdataandprocessing componentsmayprovideoverlappingorconict Thesecondtypeofintegrationarchitectureisacomponentfederation.Themainconcept underlyingcomponentfederationsisthecreationofaplatformwhichcansupporta myriadofcomponentsaslongastheyconformtoasetofstandards.Thefederation providesinfrastructureforinter-componentcommunicationanddatasharing.Thereforein contrastwithcomponentcoalitions,componentfederationsaremoregeneral-purposeand moreexible. Mechanismsforhorizontalintegration. Therearetwoprimarymechanism tofacilitatethe persistence aspectofdataintegration:coversionandacommondata store.Undertheconversionapproach,componentsmaintainseparatedatastoresand dataistranslatedtoaformatconsumablebyothercomponents.Withacommondata store,however,thereisasinglesourcethataccumulatesdatafromallofthecomponents. Therearealsotwomechanismscommonlyusedtoensure semantics indataintegration: acommonschemaandcommondataformats.Themainmethodforachieving control integration ismessagepassing.Thismessagepassingsolutionisactuallytheproductofa mechanismtoenablecommunicationandaprotocoltodenethecommunicationpattern. 28

PAGE 29

2.2.2VerticalIntegration Oneofthemaincharacteristicsthatdistinguishesverticalintegrationistheuseof internalexchangeswithinarm,insteadofmarketorcontractualexchanges[27].Contractualexchangesarethoseinwhichthecharacteristicsoftheexchangebetweenthetwo partiestypicallyprice,quantity,etcareregulatedbyacontractualrelationship.Another characteristicofaverticalintegratedprocessiscentralizedcontroloverneighboringstages ofproductionordistribution.Anextensionofthisisthewayinwhichdecisionmakingin averticallyintegratedrmdiersfromdecisionmakinginaverticallydisintegratedone. Determinantsofverticalintegration. Therearethreemainfactorsthatproduce orleadtoverticalintegration:technologicaleconomies,transactioneconomies,andmarket imperfections.Technologicaleconomiesaresituationswherelessofanintermediateinput isnecessarytoproducethesamedownstreamoutput,whentheexchangeiscontrolledby thesamerm.Thisleadstoverticalintegrationbecausebytakingonacertaintaskofa productionprocess,agivencompanycanlessenitsneedforcertainresources.Transaction economiesaresituationswherecostsassociatedwiththeexchangeofcertaininputscan belessenedbyinternalizingtheprocess.Itisverysimilarphenomenontotechnological economies. Advantages. Thetypicallycitedadvantagestoverticalintegrationthatareapplicableherearelowertransactioncostsandsynchronizationofsupplyanddemandalong achainofproducts.Thedisadvantagesarerigidorganizationalstructure,andhigher organizationalcostsofswitchingtoothersuppliers. Manifestationsofverticalintegrationinsoftwaresystems. Thetheoretical pointsmentionedabovehaveimplicationsinsecurityintegrationaswell.Wewillusethe characteristicsofaverticallyintegratedbusinessrmtoestablishwhatwemeanbya verticalintegrationapproachtosecurity.Namelythat: 1.Theexchangeofdatabetweenthemodulesresponsiblefordierenttasksisviewed asaninternaloperation,andutilizesaformatthatisstandardacrosstheentire application 29

PAGE 30

2.Thesameprogrammaticentityisresponsibleforeachphaseofthesecurityassurance process,oreachsecuritytask. 2.2.3SummaryonIntegration AVerticalapproachtointegratedsecuritywouldperformthefunctionsofaccess control,intrusiondetectionandintrusionresponseinabsenceofinterfacesandprotocols betweenthethreemodules.Eachofthesetaskswouldinsteadbeperformedbymodules withasharedorcentralizedcontrolmechanism.Averticallyintegratedarchitecturewould takeadvantageoflowcostdataexchangesbetweenallofthemodulesandwouldalsooer ahigherdegreeofsynchronization. Theapproachdescribedaboveasverticalintegrationroughlycorrespondstothe approachtosecurityintegrationknownasmergedpolicy:theoperationsofaccesscontrol, intrusiondetectionandintrusionresponseareallperformedbyasinglepolicyevaluation mechanism,workingwithasingleuniformpolicy.Theabsenceofdataexchangesbasedon interfacesorprotocolsalsopointtothefactthatalloftheoperationsinamergedpolicy solutionareinternalanddonotrequirecommunicationbetweendierentindependent modules.Consequentlymanyofthedrawbackscitedforverticalintegrationarealso apparentinthemergedpolicysolution:primarilytherigidstructureofthesolutionand theprohibitivecostofusingadataprovideroutsideofthosepackagedintheevaluation mechanism. Thedrawbacksofaverticallyintegratedsolutionhaveseriousimplicationsfora securitysystem.Intrusiondetectionbeganasameanstodetectintrusivebehaviorthat couldnotbeexplicitlyprohibitedinanaccesscontrol-likespecication.Inaddition, manycurrentmethodsforintrusiondetectionusingmethodssuchasneuralnetworks,or immunologymodelscouldnotbesatisfactorilyrepresentedinarule-basedspecication.So therearetheoreticalaswellaspracticallimitstoaverticallyintegratedsecuritysystem. AHorizontalapproachtointegratedsecuritywouldfacilitateinteroperabilitywhile preservingautonomyandconsequentlysomedegreeofheterogeneity.Dependingupon 30

PAGE 31

thearchitecture,itmightbenecessarytodeviseandenforce contractualrelationships betweentheaccesscontrol,intrusiondetectionandintrusionresponsemodulessodata exchangeisperformedinanagreeduponway.Thiscouldtaketheformofinterfaces betweeneachtwomodulesinquestion.Itwouldalsobenecessarytoprovidecontroland dataintegrationtopreservethegranularityofthesystemcomponentsandstillprovidean integratedsolution. AHorizontallyintegratedsolutionismoreconsistentwiththecharacteristicsand needsofadistributedsystemincluding:distribution,heterogeneityandautonomyfor theinvolvedsystems.Itcouldalsoenableavariedsetofintrusiondetectionsystems tointeractwithoutnecessarilyenforcingaparticulardetectionmethodoneachofthe systems.Suchasystemwould,however,havehigherdatatransactionandprocessing costs. Forthosereasons,therefore,theprimaryapproachtointegrationwillbeahorizontal one.Bothofthedatapersistencemethodsmentionedearlierinthischapterconversion andacommondatastorewillbeusedforthissolution.Acommonschemawillbeused toprovidesemantics,andaformofmessagepassingwillbeusedtoprovidesomecontrol integration. 2.3IntegrationofSecurityControls Wewilldenesecurityintegrationlooselytobe:theperformanceofasinglesecurity functionortaskutilizingthedataorfunctionalityfromwhataretraditionallyconsidered dierentsecuritymechanisms.Thisnotionofsoftwarecomponentsthatperformmultiple securitytasksisnotnecessarilynew,buttheformalitywithwhichitisbeingdealt withisincreasing.Franqueria[28]notesthreebasicstrategiesfor`narrowingthegap' betweenaccesscontrolandintrusiondetection:mergedpolicyasinglecomponentfor ACandIDSusingauniformpolicy,correlationbothonlineandoineinlogsand additionalinformationusingaccesscontrolpoliciestomodelnormalbehavior.Withthe exceptionofthemergedpolicyinvestigation,alloftheresearchcitedundercorrelationand 31

PAGE 32

additionalinformationareimplementationsoftherespectivetechnologies,notattemptsto performaccesscontrolandintrusiondetectioninacoordinatedway. Ryutovetal.[29,30,31]takethemergedpolicyapproachandproduceanimplementationthatseekstoperformaccesscontrolandintrusiondetectioninacoordinated manner.Theydevelopamulti-stagepolicyevaluationmechanismthatoperatesonpolicies writteninalanguagethathasconstructsforapplicationlevelaccesscontrolandintrusion detection.Unaddressedinthiseortisatransparentmethodforageneralaccesscontrol mechanismtointerfacewithdataprovidedbydierentintrusiondetectionsystems.In addition,althoughtherehasbeensomerecentworkonspecication-basedIDS[32,33] mostIDSsystemsstilldonotworkonspecications,andtheinabilitytospecifytotraits ofattackscouldbeapotentiallyrestrictivelimitation. Theclassicationwewilluseforapproachestosecurityintegrationwillbebased onthestrategyusedforintegration,ofwhichtherearetwo:horizontalandvertical integration.Wewilldeneaverticallyintegratedsecuritysystemasonewhere:athe exchangeofdatabetweenthemodulesresponsiblefordierenttasksisviewedasan internaloperation,andutilizesaformatthatisstandardacrosstheentireapplicationand bthesameprogrammaticentityisresponsibleforeachphaseofthesecurityassurance process,oreachsecuritytask.Ahorizontallyintegratedsystemthen,wouldbeonewhere: asecuritytasksareperformedbyrelativelyautonomousprogrammaticentitiesandbthe exchangeofinformationbetweenthoseentitiesisbasedonstandardsandanarchitecture tomitigatetheeectsofdistributionandheterogeneity. Verticallyintegratedsystemscanbesomewhatrigidanddiculttoexpandtoinclude newcomponentsorfunctionalityfromoutsidesystems. Inreality,alloftheapproachestoperformingaccesscontrolandintrusionthathave beendonethusfarreectaverticalapproachtointegrationwiththeexceptionof[34] wherethefocusisusingalertcorrelationtopreventlocalsystemresourcesfrombeingused 32

PAGE 33

toassistinadistributedorcoordinatedattack.Thereisstillaneedforanexplorationof anopenapproachtointegratingsecuritycomponents. 2.4UseofThreat,RiskandTrustinAccessControl Inordertoutilizedatafromintrusiondetectionsystemsatanaccesscontrollevel,it isnecessarytohaveafoundationuponwhichthederivedcontextdatacanberelatedto traditionalaccesscontrolconcepts.Solutionstothisissuecanbemanifestedatthepolicy level,orattheimplementationlevel. In[35]anextensiontoRBACisdevelopedtoincorporatethenotionoftrust.They focusontrustbasedauthorizationandmakeprovisionstoadjustthetrustgiventoauser dynamicallybasedontheattributesoftheuserandenvironmentaswellasthepastaccess behavioroftheuser. Thenotionofriskisusedinconjunctionwiththreatin[36,37].Theriskthatagiven requestmightposetothesystemandthetrustthatshouldbeaordedtotherequesting entityareassessedsimultaneously.Basedontheriskoftherequest,atrustthresholdis establishedwhichallrequestingentitiesmustmeetorexceedinorderfortheirrequeststo begranted. Anassessmentofthreatisusedtomakeaccesscontroldecisionsin[38],byassigning athreatthresholdwhichcannotbeexceededtoeachnetworkresourceandthenmaintainingathreatlevelforalloutsidenodesthatisdynamicallyupdatedwhentheydisplay suspiciousbehavior. Whatismissingfromtheprecedingeortsisanimplementationthatcanenable accesscontrolsystemstousetheassessmentdataproducedbyintrusiondetectionsystems tomakedecisionsthatareawareofsystemcontext. 2.5IntrusionResponse In[39]oneofthefactorsusedtoclassifyresponsesystemsistheirmethodfor selectingresponses.Theyaredividedintothreeclasses:thosethatmapattacksstatically, thosethatdosodynamicallybasedonsomeparametersandthosethatuseacalculation 33

PAGE 34

oftherelativecostoftheintrusionwiththecostoftheresponse.Staticresponseselection matchesaparticularattackwithapre-determinedresponse.Dynamicmappingsystems selectanappropriateresponsebasedonattackmetrics.Atdesigntime,eachattackis associatedwithasetofresponsesandtheninrealtimeoneoftheresponsesischosen basedonthecharacteristicsoftheattack.Cost-sensitiveresponseselectiondeterminesthe bestresponsebasedonseveralcostandriskfactors.Thesevaluesmayincludemonetary values,probabilisticmeasurementorotherobjectivemetrics.Theymayalsoinclude relativemeasurementsoforganizationalsecurityandriskfactors. 34

PAGE 35

CHAPTER3 GENERALAPPROACHPART1:CONTEXTACQUISITION 3.1IntroductionandDesignGoals Therstnecessarystageinarchitectingcontext-awarebehavioristogatherthedata whichwillinuencethebehaviorofthemechanism.Becausethedatainquestioniscomingfromlargelyautonomousassessmentmechanismswithhighdegreesofheterogeneity, theacquisitionofcontextdataispartiallyanintegrationproblem.Systemsintegration approachestypicallydiscussthearchitecture,dataintegrationandcontrolintegration strategiesusedtoreduceheterogeneitywhilepreservingtheautonomyoftheinvolved systems.Theotherfacetofthecontextacquisitionmethodisthemeansfordiscovering relevantcontextinformationonceheterogeneityhasbeenreduced.Designgoalsforthe approachforcontextacquisitioninclude: DynamicContextDiscovery-Oneoftheprimarycharacteristicsoftheapproach forcontextacquisitionwillbetoprovidesupportforwhatwewillcalldynamic contextframing.Usingthenotionthatthecontextofaneventconsistsofother, relatedeventswethenestablishacriteriaforrelatednessthatisappropriatefor eachindividualsecuritymechanismandthenframethecontextofaneventbasedon thosetwofactors.Thiscontextacquisitionstrategymustallowsecuritycomponents toselectandreceive only thatdatathatisrelevanttothedecisiontheyaretryingto make.Becausesecuritymechanismsdealwithevents,theyshouldbeabletoselect theothereventsthatrelatetotheeventunderconsiderationwithoutnecessarily havingtoprocessanddealwitheveryeventthatoccursinthedomain.Asnotedin [40]thispropertyisnotsomuchadesiredtraitasarequiredoneasthevolumeof eventsprocessedsolelybyintrusiondetectionsystemscanreachtensofthousands perday.Thisimpliesalsothatthestrategyforcontextacquisitionmustbeableto searchforeventsbasedoncharacteristicsofrelevance.Sotherstrequiredproperty ofthecontextacquisitionapproachisthatitmustproviderelevantdata. 35

PAGE 36

ImplementationTransparency-Anothergoalofourapproachwithregardsto acquisitionofcontextdataistoallowsecuritymechanismstoacquiredatafrom othersecuritycontrolswhileremainingagnosticoftheirimplementationdetails:that asecuritycomponentcanacquirecontextdatamerelybyknowingthefeaturesofthe dataitwouldliketoreceive.Inthiscasethatwillentailthefeaturesoftheevent thatisbeingevaluatedandthedomainsfromwhichthedatashouldbegathered. ProviderandConsumerDecoupling-Anothernecessaryfeatureisthattheprovider andconsumershouldbedecoupledintimeandspace.Wewouldliketoprovide functionalitywhereaneventprovidercanregisterorpublisheventinformationand thenconsumerscanaccessthatdataaccordingtotheirownconstraintsaround whatconstitutesrelevantcontextdata.Thisalsoimpliesthattheaccessesofthe provideraretobeasynchronous,whilethoseoftheconsumerswillbesynchronous. Decouplinginspaceisalsonecessarytosupportdistribution. AllowingPolicyLevelDescriptionofRelevantContext-Beforewecananalyze contextdata,orevensearchforit,wemusthaveameanstodescribeitsfeaturesand characteristics.Oneprimarywayofachievingthisisthroughpolicy-specications thatincludethefeaturesofcontextdata. 3.2SurveyofContextAcquisitionApproaches Inthissectionweoutlinetwoapproachesforarchitectingasystemcapableofprovidingon-demandcontextdataandthendiscussspecicissuesrelatingtohowaccess controlandintrusiondetectioncanbebroughtclosertogether.Bothoftheapproaches arewithintheclassicationofhorizontalintegrationapproachesasdiscussedpreviously. Theydierprimarilyinwhetherornotdataexchangesarecarriedoutwiththeuseofan externalthirdparty.Therstarchitecturalapproachisaclosedone,basedaroundacomponentcoalition.Thisapproachisappropriateforenvironmentswheretheparticipants inthearchitecturearefewandwillnotneedtobeextended.Itreliesonpoint-to-point integrationbetweentheinterfacesofeachparticipatingmechanism.Thesecondapproach 36

PAGE 37

wewilldiscussisanopenapproach,basedaroundafederation.Thisapproachfocuses onprovidingwhatamountstoamiddle-warethatfacilitatescommunicationbetweenthe dierentmechanismswithahighleveloftransparency,butacorrespondingincreasein requireddevelopmenteort. 3.2.1Closed/CoalitionApproach Acomponentcoalitionintegratesindependentcomponentsbyprovidingacustom solutionthatwilllinktheinterfacesofthetwocomponents.Thesecoalitionsmaintainthe independenceoftheindividualcomponentsinthefollowingways: eachcomponenthasitsowninterface eachcomponenthasindependentcontrolofitsdataandprocessing Becauseeachcomponentmaintainscontroloveritsowndataandprocessingthisarchitectureallowsforthedesiredtransparencyofintrusiondetectionmethod.Inaddition,this architectureallowsthefocustoremainondevelopingeectiveinterfacesforeachofthe components. ThearchitectureofthecoalitionispicturedinFigure3-1.Themovementofdatain thisarchitectureisachievedthroughapullmechanismonthepartoftheeventconsumers. Thisisnecessary,becauseonlyselecteventsareactuallyofinteresttotheconsumers, andtheactualattributesofthoseeventsaredynamicallydetermined.Eachcomponentis picturedasbothaproviderandconsumer,butanyonecomponentcanserveasaprovider orconsumer,bothorneither. ThediagraminFigure3-2describesthesub-partsofeachsecuritycomponent.The CoreDecisionMechanismCDMistheportionofthecomponentthatisresponsiblefor fulllingtheprimarytasksandresponsibilitiesdesignatedforthatcomponent.Theow ofdatafromtheEventConsumerECtotheCDMisbasedonapullrequestfromthe CDM.Thisisbasedontheassumptionthatnoteverycontexteventisrelevanttothe tasksthattheCDMistryingtoperform.Thus,as-needed,theCDMcanrequestcontext datausingthecontextdiscoverypolicythattheECcontains.Theowofdatafromthe 37

PAGE 38

CDMtotheEventProviderEPisapushmechanismformuchthesamereason.Itis assumedthatnoteveryeventprocessedbytheCDMwillbeusefultopublishascontext data,andsotheCDMcanpublishselecteventsatitsdiscretion. Dataintegration:datastoreandcommonschema. Inthissystem,itwillbe necessarytoprovidebothdatasemanticsanddatapersistence.Therearetwoprimary strategiesforachievingdatapersistence.Therstisconversionwhereeachcomponent maintainsitsowndatastoreanddataistranslatedintoformatsthatareconsumableby othercomponents.Thesecondmechanismfordatapersistenceisacommondatastore. Thisdatastoreismerelyasinglesourcethataccumulatesinformationfromallofthe components.Bothofthesestrategieswillbeusedtoprovidethenecessarytransparency. Acommondatastoreisnecessarytocollectdatafromalloftheintrusiondetection systemsinasingleformat.Thestrategyforclusteringandlinkingalertsdependsona standardfortherepresentationofintrusiondetectionalerts.Theseclusteringandlinking algorithmsuseconversionoperateonintrusiondetectiondatawhilestillreturningavalue consistentwiththeaccesscontrolschema. Themechanismusedfordatasemanticsisacommonschema.Thiscommonschema isgenerateddierently,however,thanthemergedpolicyschema.Inthemergedpolicy approachtwoormoreschemasaremergedtoproduceanewschemaandtheoriginalsare discarded.Theapproachbeingusedhere,however,istoaugmentoneschemae.g.the accesscontrolschemawithessentialelementsfromanotherschemaintrusiondetection, butpreservethatotherschemaforrepresentingdatainthatdomainandconvertbetween thetwoasnecessary.Theaugmentedschemaservesasacommonpointofreferencefor thetwoseparatedomains. Controlintegration:messagepassing. Themechanismforcontrolintegration inthecoalitionbasedapproachismessagepassing.ThealertsfromIDSsystemstothe centraldatastore.Messagepassingwillalsobethemeansthroughwhichaccessrequests andresponsesaresenttoandfromthedecisionpoint. 38

PAGE 39

3.2.2Open/FederationApproach Architecture:contextmanagementservices. Thedesiredfunctionalityfroman architecturalpointofviewistoprovideservicesthatcanaggregatecontextinformation frommultipleproviders,andthensubsequentlydisseminatethatcontextinformationback toconsumerson-demand.Thereareanumberofdistributedsystemarchitectureswhich couldbeusedinthisscenario,however,Publisher/Subscriberpub-subsystemsarebest suitedtotheproblemofacontextdata-sharingframeworkforanumberofreasons.First isthefactthatallpub-subsystemssupportdecouplingoftheproducerandconsumer intimeandspace,whichisanessentialdesignrequirementforthissystem.Inaddition thereisexistingworkoncontentbased,andevenontologybasedpub-subsystems[41] thatcanbebuiltuponforallowingtheselectionofappropriatecontextdatawhichwillbe consistentwiththechosenapproachformodelingcontextdata. ServiceOrientedArchitecturesalsoprovideadditionalformalismsontopofabasic publish-subscribearchitecturetofacilitateregistrationandlookupofserviceorinthis casecontextprovidersthatwillalsobenecessary.Thebasicmodelusedwillconsistofa networkofcontextprovidersandcontextaggregators.Theaggregatorsarehierarchically structuredandsubsequentlyfeedcontextconsumers.Anysecuritycomponentinthe networkcanserveaseitheracontextprovider,consumer,orboth.Thesecuritycomponentswillbeprimarycontextprovidersandsecondarycontextconsumers.Themeditative serviceswillprimarycontextconsumersandsecondarycontextproviders. InFigure3-3,securitycomponentsareagainpicturedcontainingeventconsumers. Inthisinstance,however,theeventproviderisacommonservice.Insteadofrequesting eventsfromthedierentprovidersbasedonknowingwhichproviderhaswhichevents, theeventscanbeacquiredfromoneservice,merelybyknowingthefeaturesofthedesired events. 39

PAGE 40

InFigure3-4,theanatomyofasecuritycomponentundertheopenarchitectureis showningreaterdetail.Thecoredecisionmechanismnowpusheseventstothecommon eventproviderservicewhichisexternaltothecomponent. Dataintegration:low-levelcontextmodeling. Thisapproachisbasedona dierentconceptofcontextthaniscommonlyused.Inpervasivecomputingresearch,the primaryconcernishavingapplicationsrespondtochangesinthephysicalenvironment generatedbyusersandotherphysicalobjects.Insecurity,however,theprimaryconcern iseventsinavirtualenvironmentwheremostoftheobjectsarepassivedataelements. Securitycontrolssuchasaccesscontrolandintrusiondetectionfunctionaseventclassiers.Asaresult,thefocusshiftsfromdecomposinganeventintothestatechangesthat itproducesinphysicalobjectstomaintainingtheeventitselfastheprimaryobjectof concernwhichmustexamined.Consequently,amoreappropriatedenitionofcontext wouldbetheeventsrelatedtoagiveneventthatprovideadditionalinformationabout thecircumstancesunderwhichthateventoccurred.Inthisway,thecontextofanevent consistsofother,relatedevents. In[23]sixmethodsformodelingcontextdataarecitedandtheontologybased modelingtechniqueiscitedastheonemostcapableofprovidingthefeaturesusedto evaluateallofthemodelingmethods.Thefeaturesmostrelevanttothediscussionathand are:distributedcomposition,partialvalidation,handlingincompletenessandambiguity, sucientformalityandapplicabilitytoexistingenvironments.Thissurvey,inadditionto thefrequentuseofontologiesinserviceorientedarchitecturesindicatethatanontology basedcontextmodelwouldbethemostsuitabletoachievetheaimsofthisproject. Asforactualconstructionoftheontology,itisnotedin[42]therearethreeprimary methodsforusingontologiestofacilitateintegration.Thosemethodsarethefollowing: establishmentofasingleglobalontology,useofmultipleontologieseachforaspecicsub domain,orahybridapproachthatallowsformultiplespecicontologies,butbasesthem allonasharedvocabularytofacilitateinteroperability. 40

PAGE 41

Thefactthattherearesomeexistingstandardsforrepresentingsecurityeventdata [43,44]andtheneedtomakethecontextmodelextendableadvocateinfavorofahybrid approach.Themajortaskthen,forthiscontextmodelistwo-fold:1thecontentofthe sharedvocabulary,and2thetransformationofexistingeventrepresentationsintoaform thatiscompatiblewiththesharedvocabulary.Thesharedvocabularywillconsistoftwo primaryelements:1asetofattributescommontotwoormoresecuritydomainsthat canbebuiltupontoestablishspecicdomainontologiesand2asetofpredicatesthat expresscertainrelationships,bothsemanticandsyntactic,betweentwoormoreevents. Controlintegration:ontology-basedeventcorrelation. Theprecedingtwo researchfocusescontextmodelingandcontextmanagementserviceshavebeennecessary toprovideaframeworkandinfrastructuresupportfortherstpillaroftheapproach, namely:contextacquisition.Theactualprocessofcontextacquisitionwillrelyon correlatingeventsusingtheattributesinthesharedvocabularyandthepredicatesfor expressingrelatednessbetweeneventsthatwillalsoformpartofthecontextmodel. 3.3ACoalition-BasedSystemforContextAcquisition 3.3.1InformationModel 3.3.1.1Accesscontrol Deningaccesscontrol. SandhuandSamarati[45,46]deneaccesscontrolasa familyofstrategiesforonepartytopreciselycontrolwhatotherpartieswillbeallowedto dowithresourcesthatitcontrols.Theyrestrictit,however,tolimitingandcontrollingthe actionsthatauthorizedusersofasystemareallowedtoperform.Theyalsonotethattrue informationsecurityistheproductofaccesscontrolinconjunctionwithauthentication andauditing.Theyhighlightwhatareperhapsthethreemostprominentaccesscontrol policies: DiscretionaryAccessControlDAC:informationaccessisgovernedbyrulesthat stateforeachuserandforeachdataitemwhichaccessmodestheuserisallowed onthatobject.DACisveryexiblewhichmakesitadaptabletoavarietyof 41

PAGE 42

environments,butitdoesnotprovidetrueguaranteesontheowofinformationina system. MandatoryAccessControlMAC:alsoknowaslattice-based.Securitylevelsare associatedwitheachuseranddataobjectinasystem.Userscanonlyreaddown readitemsofalowersecuritylevel,andmayonlywriteupwritetodataobjects whosesecuritylevelisgreaterthantheirown.Preventsinformationfromhigher securityareasowingtolowersecurityones. RoleBasedAccessControlRBAC:aroleisasetofactionsandresponsibilities associatedwithacertainworkactivity.Accessauthorizationsarethenspeciedfor roles,andindividualusersadoptrolesasneededwithcertainrestrictions. Tasksandresponsibilitiesinintegratedsecurity. Inanintegratedsecurityarchitecture,accesscontrolpoliciesshouldtakeadvantageofstateinformationfromother partsofthearchitecturesothatpoliciescanenforceaccesslimitswithahighlevelof granularityandspecicity.Inaddition,thesedependenciesshouldbeallowedtochange dynamicallyandautonomously.AccessControlalsotakesontheadditionalroleasthe pointofinectionandtheplacewherechangesarereected. Dataprovidedbyaccesscontrol. Theaccesscontrolmechanismhasaccessto thepoliciesgoverningeachresourceandthereforecanprovideinformationonhoweach resourceisbeingcontrolled.Inaddition,inmostsystemsanaccesscontrolmechanismwill interveneoneveryresourcerequestthatpassesthroughthesystemandthusaccesscontrol canprovidedetailedinformationonarequest-by-requestbasis.Suchinformationwould includethefollowing:abnormalitiesinaccessrequests,operationrequestsandfailures, resourceusage,login/logoutinformationandexceptionconditions. Informationneededbyaccesscontrol. Toachievethegoalofaccesscontrol beingbasedontheoverallcontextofthesystem,itisnecessaryfortheaccesscontrol systemtoresolvedependenciesinaccesspolicies.Thesedependenciescouldinclude informationaboutanyattacksthathavetakenplace,orchangesinthepolicytohelpthe 42

PAGE 43

systemrecoverfromandpreventfutureattacks.Anoutlineoftheinformationneedsfor accesscontrolisthefollowing: Vulnerabilityofeachavailablesystemresource Stateofcompromiseofeachavailablesystemresource Compromised/Misuseduseraccounts Attackdescription:user,operation,resource,means PolicyModications/Updates Aggregatesystemdataforpolicyevaluation 3.3.1.2Intrusiondetection Intrusiondetectiontraditionaldenition. Awidelyaccepteddenitionofan intrusionis,anysetofactionsthatattempttocompromisetheintegrity,condentiality oravailabilityofaresource"[47].SandhuandSamaratimentionintrusiondetectionas amethodforensuringauditcontrolsanddivideintrusiondetectionsystemsbasedon reactivityintopassiveusedtoanalyzeauditdataandreportanomalousbehaviorand activedetectionanalyzeauditdatainrealtimeandmayrespondtoprotectsystems. Otherauthorsclassifyintrusiondetectionstrategiesbasedonhowtheydetectanintrusion: eitherdetectingmisuse,whichreliesonrecognizingwell-knownattacks,ordetecting anomalies,whichmerelytriestoestablishadeviationfromnormaluserbehavior.Misuse detectionsystemstypicallyrelyonmatchingeventswithknownattackscenariosor signatures.Anomalydetectionsystemsestablishmodelsfornormalbehaviorthrough techniquesfromstatistics,articialintelligenceorotherelds. Tasksandresponsibilitiesinintegratedsecurity. Thenotionofanintrusion detectionsystemthatusesauditrecordsisinherentlydependentuponatleastoneother securitymechanism:namelyaccesscontrol.Introducingthenotionthatinformationwill owback'upstream'fromintrusiondetectiontoaccesscontrol,howevergivesrisetonew opportunitiesfortheintrusiondetectionsystem. 43

PAGE 44

Informationprovidedbyintrusiondetection. Ingeneral,anintrusiondetection systemshouldprovidethefollowinginformationregardingaperceivedintrusion:certainty ofanalysis,attackimpact,andattackcharacteristics. Informationneededbyintrusiondetection. Theinformationthattheintrusion detectionsystemusestoperformitstasksmainlyconsistsofinformationonspecic accessrequests,suchasthefollowing:theuserperformingtheaction,theactionbeing performed,theresourcebeingusedandanyexceptionconditionsgenerated. 3.3.1.3Intrusionresponse Intrusionresponsetraditionaldenition. Themainfunctionofanintrusion responsesystemistotakestepstobothpreventfutureattacksandmitigatethedamage fromcurrentattacksbasedoncharacteristicsoftheattackandthetypeofthesystem resource.TheFischTaxonomy[48]providesthefollowingclassicationofthetypesof intrusionresponse:activedamagecontrol,passivedamagecontrol,damageassessment anddamagerecovery. Tasksandresponsibilitiesinintegratedsecurity. Inadditiontotraditional responsetechniques,theintegrationofanintrusionresponsesystemwithaccesscontrol providestheopportunitytomakeaccesscontrolpolicymodications. Informationprovidedbyintrusionresponse .Anintrusionresponsesystem willhavevariousresponsescenariosfordierentattacktypes.Itwillbeabletoprovide informationabouthowtomitigateattackvulnerabilities,andthemeasuresnecessaryto counterattackdierentattacktypes.Includingpolicychangesforthefollowing:intrusion mitigationorrecoveryandintrusionprevention. Informationneededbyintrusionresponse. TheCarverIntrusionResponse Taxonomy[49]classiesintrusionresponsesinsixdimensions.Eachofthesedimensions is,inreality,aninputtotheintrusionresponsemechanismthatdeterminesthetypeof response.Thetaxonomyconsistsofthefollowingelements:timing,typeofattack,type ofattacker,attackimplications,strengthofsuspicionandenvironmentalconstraints.The 44

PAGE 45

attackimplicationsdimensionreferstohowcriticaltheresourceistothesystemasa whole.Theenvironmentalconstraintsareanylimitsonthetypeofresponsethatcanbe takenwhethertheybelegal,technicalorotherwise.Thestrengthofsuspicionisameasure ofcertaintytheIDSsystemhasintheintrusivenessoftheeventunderquestion.Ifthe goalistointegrateintrusionresponsedirectlywithaccesscontrol,theresponseshould bebasedonthepolicyusedtocontrolaccesstotheresource:theunderlyingmodel,the policytargetandtheoperationspermittedbythepolicy. 3.3.1.4Modeloverview ThisinformationmodelseeFigure3-5isbasedonthemainabstractionofa SecurityEvent.ThethreemainsubclassesofeventsareAccessRequest,Intrusion AttemptandIntrusionResponsewhichwilleachbediscussedseparatelybelow. Thismodelrelatestheconditionsforanaccessrequesttothedatafromanintrusion analysisbyplacingthelatterasattributesofasubclass.Intrusionattemptsarelinked tointrusionresponsesbyincludingoneormoreofthemasapropertyofeachresponse. Therearefourmainclasses: SecurityEvent AccessRequest IntrusionAttempt and IntrusionResponse 3.3.1.5Securityevent Attributes: 1.Source:theinitiatoroftheevent.Possiblesourcesare:Node,User,Processor Service aTarget:theintendedobjectoftheevent.Possibletargetsare:Node,User, Process,ServiceorFile Subclasses: 1.AccessRequest:anattemptbysomesourcetoperformandoperationona target. 2.IntrusionResponse:theresponsetoanintrusionattempt. 45

PAGE 46

3.3.1.6Accessrequest Attributes: 1.EvaluationResult:theresultoftheevaluationofthesetofpreconditions applicabletothisrequest.Possibleresultsare:PermitorDeny 2.Requirements:setofconditionsthatmustbesatisedfortherequesttobe granted.PreconditionscanbespeciedfortheEnvironment,Subject,or Resource 3.Consequences:specicationofactionsthatshouldbetakenonrequestcompletion. Subclass: 1.IntrusionAttempt:Anaccessrequestthatisdeemedintrusive. 3.3.1.7Intrusionattempt Attributes: 1.Means:whatwasusedtoperpetratetheattack.Couldbeinoneofthree subcategories:BypassingControl,PassiveMisuseorActiveMisuse 2.Assessment:thesystemsjudgmentoftheeventon:itsImpactinthesystem, theCondenceoftheanalysisandtheClassicationoftheattempt 3.Results:theneteectoftheintrusionattempt.Thiscouldfallintooneofthree categories:DenialofService,ExposureorErroneousOutput 3.3.1.8Intrusionresponse Attributes: 1.Constraints:anysystemfactorsthatlimittheresponsethatcanbetaken againsttheintrusionattempt 2.IntrusionAttempt:oneormoreintrusionattemptsthatarebeingrespondedto Subclasses: 1.ResponseDuringtheAttack:couldbeeitherActiveorPassive 2.ResponseAftertheAttack:couldwiththeaimofAssessmentorRecovery 46

PAGE 47

3.3.2Implementation Wehaveimplementedasystembasedontheproposedinformationmodel.This implementationconsistsoftwoprimarysystems:anaccesscontrolsystemandanintrusion detectionsystem.Inthisinitialimplementationwemakeuseoftheclosed/coalition approachwithreactivedataanalysistoproducethreatinformation. OuraccesscontrolsystemisbasedaroundtheeXtensibleAccessControlModeling LanguageXACML[44].XACMLspeciesalanguageforaccesscontrolpoliciesaswell asaccessrequestsandresponses,allinXML.Thelanguagesupportspoliciesthatare composedofthefollowingelements: Atarget:thesetofresources,subjects,actionsandenvironmentstowhichthepolicy willapply Arule-combiningalgorithm:aspecicationofhowdierentrulesshouldbecomposed Asetofrules:eachruleisacombinationofatarget,eectandacondition obligations:operationsthatareperformedbytheparentofthecurrentpolicy containerwhenaspeciedauthorizationdecisionisreturned Theeectportionoftheruleindicateswhethertheruleisanegativeorpositiveaccess right.Theconditionelementofaruleoersthepossibilityoffurthernarrowingthe applicabilityofarule,byspecifyingsomethingsthatmustbetruefortheruletocome intoeect. Themotivationbehindthislanguageistoprovideacommonpolicylanguagefor enterprisestoeasethedicultiesthatcomewiththecurrentheterogeneityinpolicy representationsfordierentsecuritydomains.Duetoitsdescriptivenessandexpansive rangesomeoftheelementsoftheXACMLdatamodelhavebeenincludedintheproposed informationmodel. TheXACMLspecicationalsoincludesabstractionsforanaccesscontrolarchitecture.Theprimaryelementsofthisarchitecturethatwewilldiscussare: 47

PAGE 48

PolicyDecisionPointPDP-evaluatespoliciesandreturnsadecisiononthe request. PolicyEnforcementPointPEP-responsibleformakingrequeststothePDPbased onaccessrequestsandactuallyenforcingthedecisionsreturnedbythePDP TheinformationowinthissystemisdetailedinFigure3-6.Itincludesthefollowing steps: 1.Aninitialaccessrequestismadeforaresourceunderthecontrolofthewebserver. InthiswaythewebserverfulllstheroleofaPolicyEnforcementPointPEP discussedintheXACMLarchitecturedescription. 2.ThewebserverinitiatesarequesttotheAccessControlSystemthePolicyDecision Pointindicatingtheresourcebeingrequestedandthesourceoftherequest 3.Theaccesscontrolsystemndsthepolicythatgovernsthatresourceandextracts anyrulesindicatingtherequestresponseshouldbebasedonthreatinformation,and whatarethedimensionsofthethreatprolesource,targetorboth 4.Basedonthedimensionsofthethreatproleandthefeaturesoftheactualrequest, theaccesscontrolsystemestablishescriteriaforasetofrelatedevents 5.AlloftherelatedeventsareselectedfromtheIDSdatastore 6.Thecalculationmethodforthethreatproleisappliedacrossthesetofselected eventsandthevalueischeckedagainstthethresholdfromthepolicy 7.Arequestresponseisreturnedtothewebserverwhichthenregulatesaccesstothe resource Inourimplementationsystem,thePEPisabasicwebserver,modiedtopassaccess requestsrstthroughanXACMLPDPwrittenwiththeSunMicrosystemsXACML API.ThePDPfunctionsasamoduleonthewebserver,butcouldbeimplementedasa standaloneservice. AlloftheintrusiondetectiondataisgeneratedthroughaninstanceofSnort,conguredtoreportalertsinIDMEF[50]format.AlertsaregeneratedbytheIDSandsent totheservicethatreceivesthealertsandstorestheminanXMLdatabase.Foreach 48

PAGE 49

accessrequest,thedatabaseisthenqueriedforalertsbasedonthepolicythatgovernsthe resourcebeingaccessed. 3.3.3SummaryoftheCoalitionApproachtoContextAcquisition Wehavemodeledandimplementedasystemthatusesacoalitionapproachoroneto-onemappingtointegrateanaccesscontrolandintrusiondetection.Thebenetsof thisapproachareitsrelativesimplicityandlackofrelianceoninfrastructuresupport. Becausethereislessoverheadinselectingrelevantcontextdata,thisapproachisalsomore ecient.Overallthecoalitionapproachdescribedwouldonlybeappropriateforaccess controlsystemsembeddedintonetworkedapplicationsthathavestricttimerequirements anddonotneedafullrangeofassessmentdatatoselectfrom.Themainstrengthofthe federatedapproachistheabilitytousethesameinterfaceandaccesscontextdatafroma varietyofassessmentmechanisms:ifthisfunctionalityisnotrequired,thenthecoalition approachcouldbesucient.Theimplementationdiscussedservedtoelucidatesomeof thecriticallimitationsofpursuingthecoalitionapproachtocontextacquisition. Whilethecoalitionapproachiseasytoimplementandprovideseciencybecause ofitslimitedscope,itstillfailstofullyprovideallofthedesignobjectivesthatwere identiedinSection3.1.Thefederatedapproach,incontrast,providesforthingslike providerandconsumerdecoupling,implementationtransparencyanddynamiccontext discoveryinamorecompletewayduetotheuseofsecondarycontextaggregationservices. Forthatreason,thefederatedapproachtocontextdataacquisitionwillnextbeexamined. 3.4AFederatedSystemforContextAcquisition 3.4.1Approach Theapproachforaddressingthedesignoffederatedsystemswillbedierentthan theapproachusedforcoalitionsystems.Becausecoalitionsystemsrelyonone-to-one interactionsbetweenthedierentcomponents,itisnecessarytoeliminatetheheterogenity orprovideacommonschemathatallowsinteroperabilitybetweeneachpairofsystems.In thefederatedapproach,thefocusshiftstomaintaingtheautonomyandexistingschemas 49

PAGE 50

butmitigatingthosefactorswithsecondarymechanisms.Wewillemployastrategyof eventcorrelationastheprimarymeansforaggregatingcontextualinformationacross multipledomains. 3.4.2TheUseofEventCorrelationinFederatedSystem InSection3.2.2,theuseofontology-basedeventcorrelationforcontrolintegration wasdiscussed.Eventcorrelation,however,isabroadeldencompassingmanydierent approaches.Inordertoselecttheappropriateapproachesforcorrelationwewillrst surveywhathasbeendoneinthisregardandthenevaluatethosemethodsinlightofthe requirementsthatmustbesatisedtofacilitateeventcorrelationacrossmultipledomains. Inaddition,theconstructionoftheontologymustbedealtwithinsomedepth.Various approacheswillbeexploredforconstructinganontologyaimedatintegratingvarious datasources.Basedonthedesignrequirementspreviouslydiscussed,thebestapproach willbeselectedandanontologyforcorrelationwillbeproposed.Finally,thedesignand implementationofacontextaggregationserviceincorporatingontology-basedcorrelation willbediscussed. 3.4.3AvailableCorrelationMethods:ATaxonomyofEventCorrelation ApproachesforSecurityData Wenextsurveyrelevantresearchintheareaofalertcorrelation,oertwotaxonomies ofeventcorrelationapproachesusedspecicallywithIDSdata.Thersttaxonomyis basedonthegoalofthecorrelationprocessandthesecondclassiesapproachesbasedon thetypeofrelationshipthatisestablishedbetweenthealertsinquestion. 3.4.3.1Taxonomyofalertcorrelationmethodsbasedonoutcome Tosummarizetheprecedingsurvey,weoertherstoftwotaxonomies.Thereare threeprimarygoalsforeventcorrelationseenintheexistingliterature:1alertreduction 2alertassociationand3alertanalysis. Correlationmethodsthatachievealertreductionaretypicallyreferredtoasfusion ormerging.Inreality,mostofthemergingtechniquesdonotmergealertsinthesenseof 50

PAGE 51

replacingtwodistinctalertswithanewonethatsomehowaddressesthemboth.Instead, oftheapproachesthatperformmerging,suchas[51,52,53]utilizethenotionofametaalertwhichrepresentstheinformationpresentinseveraldistinctalertthroughlistsfor discretevaluessuchasIPaddressesandports,orrangesforcontinuousvaluessuchas time.Theeectofcreatingameta-alertachievesalertreductionbecause,ostensibly, theadministratorcaninspectameta-alertinsteadofthemultitudeofalertsthatitis constitutedby.Inthisway,thereductionofalertsisonlyfromtheperspectiveofthe administrator. Thenextdivisionofcorrelationmethodscontainstechniquesthatdetectorassertan associationbetweentwoormorealerts.Thisclassencompassesthefollowingapproaches: aggregation[9,52],clustering[51,53,54,55,56],multi-stepattackdetection[8,52,57], sessionreconstruction[52]anddetectionbychronicles[58].Allofthesetechniqueshave beengroupedtogetherbecauseintheendtheyallexpressarelationshipbetweenthe alertsthatarethesubjectoftheapproach.Inthecaseofclustering,therelationshipisa similaritybasedonperceiveddistance.Foraggregation,theassociationisasetofoneor moresharedattributesinthatsenseitisastricterformofclustering.Multi-stepattack detectionassociatesalertsthatarepropersubsetsofthesameset.Ahigh-levelattack sequenceisviewedasanorderedsetofdistinctactionsthatachieveacertainobservable eectonthesystem.Theindividualalertsarethereforeassociatedtoeachotherthrough membershipinaspecichighlevelattack-sequence.Thechroniclesapproachissimilar tothemulti-stepdetectionapproachwiththeadditionoftemporalconstraintsbetween variousstates. Thecorrelationtechniquesinthealertanalysisclassareimpactanalysisandprioritization[52].Bothoftheseapproachesmakeadeterminationaboutanindividualalert usingonlyitsfeaturesanddataabouttheoverallcontextofthesystem.Inthecaseofimpactanalysisthecontextinformationisanassetdatabaseandwhetherornottheattack 51

PAGE 52

succeeded.Forprioritizationthecontextinformationisaweightingassignedtotheclassof theattackaswellastheassetdatabasealsousedforimpactanalysis. 3.4.3.2Taxonomyofalertcorrelationmethodsbasedonmeans Thetaxonomyforalertcorrelationmethodsbasedonmeansincludesthefollowing techniques:1attributecongruence2attributesimilarity3membershipincommon supersetand4ontologicalrelationship.Theaimofthistaxonomyistodistinguish betweencorrelationapproachesbasedonhowtheyareconducted. Intherstcategoryofattributecongruence,therearetwosubcategories:syntactic andsemantic.Aggregationistheonlycorrelationapproachthatreliesoncomplete syntacticattributecongruencetoassociateoneormorealerts.Thisisasaresultof establishingcriteriaformembershipinanoutputsetthatcertainattributevaluesa 1 ,a 2 anda 3 mustbeequaltovaluesa 1 ,a 2 ,a 3 respectivelyinthecasewhereallthreevalues areused.Themostthoroughexaminationofaggregationisfoundin[9]butitisalso discussedunderthenameofin[52],whereitisdividedintotwodistincttasks.Attack threadreconstructionisaggregationofalertswiththesamesourceandtarget,while attackfocusrecognitionisaggregationofalertswitheitherthesamesource,orthesame target. Thesessionreconstructionapproachin[52]reliesonwhatwillbereferredtoas semanticattributecongruence.Sessionreconstructionlinkstwoalerts,issuedatdierent deploymentlevels,thatrefertodierenttargetssyntacticallyaportnumberandservice name,butareinrealitydescribingthesamesystementity. Underthecategoryofattributesimilarityweplacetheclustering[51,53,54,55,56]. Implicitly,mergingisalsoplacedinthiscategory,becauseitisalmostalwaysprecededby clustering.Aclusterofalertsistheproductofusingasetofexpert-designedsimilarity measurestodeterminewhichalertsaremostlikeoneanother.Withinthecommon membershipclassaremulti-stepdetection[8,52,57]andthechroniclesapproach[58], 52

PAGE 53

bothofwhichlinkalertsbasedonthefactthattheyareassociatedwiththesamehighlevelattackdescription. Underontologicalmethods,therstisthepre/post-conditionapproach.This approachismostthoroughlydiscussedin[8,57]andreliesonaspecicationofpreconditionsandpost-conditionsforeachattack.Whenalertsarriveindicatinganattack itiscomparedwithotheravailablealertstondmatchesbetweenitsconditionsand theconditionsofotheralerts.Thesecondapproachisthecauseandeectortriggering approachusedin[56].Althoughthepre/postconditionapproachisalsoapartofthis methodspecicallytheoneusedin[8],itissomewhatdistinctbecausethecomplete functionalityreliesonaspecicationofeventsandthealertsthattheytrigger. ThefulltaxonomyispresentedinFigure3-7. Attacks:relationshipsbetweendistinctattackswewillassumethatcertainattacks canbeidentiedbythepresenceofafewspecicpropertiessuchasclassication, action,etc. OntologicalRelationship:thoserelationshipsthatidentifyaspeciclogical relationshipsbetweentwoattacks Pre/PostCondition: Cause/Eect:oneattackisidentiedasthetriggerorcauseforanother SharedMembership AttackClassication:bothattacksareinthesameclass.Aclassmaybe identiedbyspecicvaluescertainelds HighLevelAttackScenario:bothattacksaremembersofahigh-level attackscenariomadeupofmultipleevents AlertAttributes:relationshipsthatcanbeestablishedbetweenindividualeldsinan alert Congruence 53

PAGE 54

* Semantic:thetwoattributesarerelatedthroughathirdelementthat indicatesthattheyrefertothesameentity Syntactic:thevalueforthespeciedattributeisthesameinbothalerts Similarity PositiveProximity:basedonapre-designeddistancemeasure,the attributesforthetwoalertsexceedathresholdforthemaximumseparation NegativeSeparation:basedonapre-designeddistancemeasure,the attributesforthetwoalertsexceedathresholdforminimumseparation Covariance:specicsetsofattributesvaryinthesamewayfromonealert totheother 3.4.4SelectinganEectiveOntologyApproach In[42]threemethodsarediscussedfordevelopingontologieswhosepurposeiscontent explicationinanintegratedsystem:aglobalsharedontology,multipleisolatedontologies andahybridapproach.Intherstapproach,oneglobalontologyisdevisedtoprovide asharedsemanticvocabularyacrossalloftheinformationsources.Thisapproachis mostsuitedtosituationswherealloftheinformationsourcesshareasimilarviewof thedomainifeventoneinformationsourcehasaslightlydierentviewitcanbecome diculttoproduceaneectiveglobalontology.Thesecondapproachofconstructinga separateontologyforeachinformationsourcehastheadvantagethatitsupportsevolution oftheinformationsource,andtheadditionandremovalofinformationsource.Under thisapproach,however,inordertocompareontologies,itisnecessarytodeneaninterontologymapping.Inter-ontologymappings,howevercanbediculttodeneinpractice, nottomentionthefactthatasthenumberofinformationsourcesexpandsthenumber ofmappingsthatarenecessarygrowsexponentially.Thehybridapproachallowsforthe semanticsofeachinformationsourcetobedescribedbyitsowndatabase,butwiththe requirementthattheindividualontologiesarebuiltfromaglobalsharedvocabulary. Thesharedvocabularycontainsthebasictermsthatarecombinedinlocalontologiesto 54

PAGE 55

producemorecomplexsemantics.Thehybridapproachsupportsadditionandevolutionof ontologies,buthasthedrawbackthatexistingontologiesmustberebuiltfromscratch. Comparisonofontologyapproaches. Theglobalontologyoptionisnotsuited toprovidinginter-domaineventcorrelation,becausedierentviewsofthedomaindo exist,evenifonlyconsideringaccesscontrolandintrusiondetection.Whilethetaskof producingaglobalontologyforaccesscontrolandintrusiondetectionmightnotbethat infeasible,thereareafewadditionalgoalspresentinthiscasewhichmakethisoption inappropriate.Onesuchgoalistoprovideasemanticallyexplicitdescriptionofthe elementsincurrentdatamodelstofacilitateadoptionandinteroperability.Anotheristo preserveadegreeofmodularitybetweenthesystems.Theapproachofproducingmultiple, isolatedontologiesalsodoesnotmeetthedesignrequirementsinthiscase,becausethe primarygoalistocompareeventsbasedontheseontologies.Andtheneedtoprovide pairwisemappingsbetweeneverysetofontologieswouldmakessuchasystemdicult toproduce.Thehybridapproachbestmeetstherequirementsinthissituation.Itcan allowaparticularsecuritymechanismtodiscovereventsfromavarietyofpotentialdata sources,onlyusingtheinformationcontainedinthebasevocabulary.Itcanalsoallowthe ontologiesfortheindividualdomainstoevolveindividually. 3.4.5AHybridEventOntology 3.4.5.1Thebasisforacommonontology InordertoproduceabasevocabularywewillusetheIDMEFandXACMLschemas, bothofwhichproviderepresentationsforevents,althoughindierentdomains.Thegoal ofthisprocessistoextractenoughcommonelementsfromthesetwodatamodelstoform thebasisofasharedvocabularyforcross-domaineventcorrelation. AsurveyoftheXACMLeventschemas. TheXACMLschemaprovidestwo eventrepresentations:accesscontrolrequestsfromasource,andtheresponsefrom thepolicyenforcementmechanism.TheXACMLrequestcontextschemacontainsthe followingelements:1Subjectinformationaboutthesubjectoftherequest2Resource 55

PAGE 56

theresourceorresourcesforwhichaccessisbeingrequested3Actionattributes abouttheactionbeingrequested4Environmentattributesoftheenvironmentinwhich therequestisoccurring.TheXACMLresponsecontextschemaincludesthefollowing elements:1Decision2Status3Obligations. TheIDMEFeventschema. AmessageintheAlertClasscontainsthefollowing relevantclasses:1Classication-Thenameofthealert2Source-Thesourceofthe eventdescribedinthealert3Target-Thetargetoftheeventdescribedinthealert4 Assessment-Informationabouttheimpactoftheevent,actionstakenbytheanalyzer inresponsetoit,andtheanalyzer'scondenceinitsevaluation5AdditionalDataInformationincludedbytheanalyzerthatdoesnottintothedatamodel. 3.4.5.2Theproposedontology TheontologybeingproposedseeFigure3-8consistsofthreemainparts:abase vocabulary,anaccesscontroldomainontologyandanintrusiondetectionassessment ontology. Thebasesecurityeventvocabulary. Thecommonelementstothesetwoevent schemasaretheaccesssource,targetandtheactionbeingperformed.Combiningallof theprecedingdiscussionregardingexistingdatamodelsandthetaxonomyofsystemactions,wethereforeoerabasevocabularyforinter-domaineventcorrelationofassessment datainaccesscontrolsystemsbasedonthefollowingprimaryelements: SystemEntity theclasscontainingallvalidsystementities.TheSubclassesof SystemEntityareNode,Process,User,ServiceandFile.Therstfoursubclassesare validdomainsfortheEventSourceproperty,andthelatterfoursubclassesarevalid domainsfortheEventTargetproperty. SecurityEvent agenerictypeofeventpossessingthepropertiesofaneventsource, eventtargetandeventaction.ThesubclassesofSecurityEventneededfordetailed datadescriptionare AccessRequest AccessResponse and Assessment 56

PAGE 57

Action theclasscontainingallofthedistinctsystemactions.Subclassesneededfor detaileddatadescriptionareClientActionandServerAction. Accesscontroldomainontology. Inordertoprovideamoredetaileddescriptionofinformationattheaccesscontrollevelutilizingthebasevocabulary,wedevelop twosubclassesoftheSecurityEventClass AccessRequest and AccessResponse and twosubclassesoftheSystemActionclass ClientAction and ServerAction .Theclass AccessRequesthastheproperties hasSource,hasTarget and requestAction. Thersttwo propertiesrangeoverSystemEntityandareinheritedfromtheparentSecurityEvent classes. requestAction rangesovertheclassofClientAction.TheAccessResponsehas the respondsTo propertywhichreferencesanAccessRequest,a responseString dataType propertythatcontainstheactualrequestresponsepermitordenyanda hasResponseAction hasarangeofthesetofServerActionactions.InthecaseoftheAccessResponse, thehasSourceandhasTargetpropertiesarestillpresent,buttherelationshipbetween clientandserverhasbeenipped:thesourceoftheAccessResponseistheserverthatwas initiallycontactedwiththeaccessrequest. TherearetwosubclassesoftheActionclassgeneratedforaccesscontrol: ClientAction and ServerAction .ClientActionarethedesiredmanipulationsofsystemresourcesthatare speciedinAccessRequests.TheyaresubdividedintoMaliciousandNon-Malicious.NonMaliciousactionsinclude CommandExecution DataAccess and DataAlteration .Subclasses ofServerActionactionsare RequestDecision and EvaluationObligation .RequestDecisions arethebasicpermit/denydecisionissuedforeachrequest:EvaluationObligationrefersto theobligationsmentionedintheXACMLschema[59],whichconstituteactionsperformed bythepolicydecisionpointasaresultofevaluatinganaccessrequest. Intrusionassessmentdomainontology. Assessmentistheclassofanalyses regardingeventsorentities.Eachassessmenthasan assessmentSource propertywhose rangeisanAssessmentSensor.Each AssessmentSensor hasacondenceRatingthat aectsthewayitsanalysesareviewed;inthiscasethecondenceratingisgivenbythe 57

PAGE 58

accesscontrolsystemutilizingeventsfromthatsensor.Theprimarysubclassincluded intheeventontologyisthe IntrusionAssessment class.Otherassessmenttypeswillbe discussedunderthetopicofcontextanalysis. EachIntrusionAssessmenthasthefollowingdataTypeproperties: impactSeverity impactType and attackCompletion indicatingwhethertheattackcompletedsuccessfully ornot.Assessmentsalsohavethefollowingobjectproperties: describedBy,triggeredBy hasIntrusiveAction,hasSource and hasTarget .The describedBy propertyhastherange ofaVulnerabilityDescriptionanddenotesthatthevulnerabilitywhoseexploitationwas detectedisdescribedinthereferenceddescription.EachVulnerabilityDescriptionhas a referenceID ,an originDB anda referenceURL .The triggeredBy propertyhasarange ofthesetofAccessRequestsanddenotestheaccessrequesttowhichtheassessment applies.ThepropertieshasSourceandhasTargetbothrefertoSystemEntitesthatarethe sourceandtargetoftheintrusiveevent,respectivelyandareinheritedfromtheparent SecurityEventclass.The hasIntrusiveAction propertyhasarangeoftheclassof Malicious clientactions,whichgivesageneraldescriptionofthekindofattackbeingperpetrated. Thefollowingsubclassesofmaliciousclientactionareincludedintheontologyandare basedonthetaxonomyfrom[60]: Probing allactivitiesrelatedtogatheringdataaboutasystem.Subdividedinto probingofusers,servicesandnodes. DenialofService hinderinglegitimateaccesstothesystem.Subdividedinto Temporary Administrative and Permanent .Atemporarydenialofserviceisone thatwillbeautomaticallyrecoveredfrom.Anadministrativedenialofserviceisone thatwillrequireadministratorinterventionforrecovery.Permanentdenialofservice attacksarethosewhoseeectsareindenite. Interception/ReadingData subdividedintointerceptionoflesorofnetwork trac. 58

PAGE 59

Alteration/CreationofData subdividedintomodifyingsystemdataormodifying intrusiontracessuchaslogles 3.5Summary Twocontrastingapproacheswerepresentedforfacilitatingtheprocessofacquiring contextdataandachievingtheintegrationnecessarytoovercomecomponentautonomy, heterogeneityanddistribution.Acoalitionarchitecturewaspresentedwhereeachsecurity componentmustestablishaninterfacetoprovidedatatoothercomponentsserving asconsumers.Underthecoalitionarchitecture,eachmechanismisalsoresponsiblefor explicitlyperformingtheone-to-oneinteractionwitheachcomponentthatitwantsto obtaininformationfrom.Afederationarchitecturewasalsopresentedthatusesacommon contextaggregationservicetofacilitatethedisseminationofcontextdata.Thefederation alsohastheaddedbenetthatthearchitectureisoverallmoreextensibleinthateach componentofthearchitectureonlyneedstobeupdatedtopullnewinformationfrom thecommondatastoreratherthaninteractingwithanewcomponentwithaseparate interface.Twotaxonomiesofcurrentmethodsforintrusiondetectionalertcorrelation areprovided:onebasedonthemeansusedtocorrelatethealertsandanotherbasedon theoutcomeofthecorrelation.Afterexaminingapproachesforintegratingdatacoming fromheterogenousdomains,ahybridontologyisproposedforthepurposeofallowing relatedeventsindierentdomainstobeaggregated.Theontologyusesabasevocabulary, synthesizedfromcommonelementsinexistingschemasforsecurityeventsandallows extensionwithdomainspecicclassesandattributes.Thisontologywillbetranslatedinto arelationaldatabasemodelthatservesastheschemafortheeventdatabasediscussedin Section6.5.Also,basedontheconclusionthatthefederatedapproachmorecompletely fulllstheneededdesigngoals,theimplementationwillfollowafederatedmodelasthe architectureforthesystem. 59

PAGE 60

Figure3-1.Diagramofasecuritycoalition.Eachsecuritycomponenthastointeractwith alloftheothercomponentsinordertoaccesstheirdata.Thisarchitectureis limitedinextensibilitybecauseeachtimeanewmemberisaddedtothe coalition,alloftheothermembersmustbeadaptedtouseitsinterface. 60

PAGE 61

Figure3-2.Theanatomyofasecuritycomponentinanopenarchitecture.Thecore decisionmechanismisresponsibleforplacingneweventsintothemechanisms eventdatastorewhichsubsequentlyprovidesthedatatootherconsumers. Thecoredecisionmechanismalsopullsdatafromthecomponent'sevent consumermoduleinordertoenforcepolicybasedonexternalevent information.Theeventconsumermoduleincludesapolicydescribingthe dierenttypesofeventsthatshouldbedrawnfromtheeventproviderthis interactionisdepictedinFigure3-3. 61

PAGE 62

Figure3-3.Securitycomponentswithacommoneventprovider.Ratherthanhavingto interactwitheachothermemberofthesystem,thecomponentscannow accessdatathroughacommoneventprovider. 62

PAGE 63

Figure3-4.Theanatomyofasecuritycomponentinanopenarchitecture.Thecore decisionmechanismisresponsibleforplacingneweventsintothecommon eventproviderthatisnowanexternalserviceinsteadofthepreviousdata storethatwascontainedinthemechanismitself.Thecoredecisionmechanism alsopullsdatafromthecomponent'seventconsumermoduleinorderto enforcepolicybasedonexternaleventinformation.Theeventconsumer moduleincludesapolicydescribingthedierenttypesofeventsthatshouldbe drawnfromtheeventproviderthisinteractionisdepictedinFigure3-3. 63

PAGE 64

Figure3-5.Securityeventinformationmodel Figure3-6.TheowofdatabetweenanIDSandawebserverunderthecoalition-based implementation. 64

PAGE 65

Figure3-7.Taxonomyofthemeansusedtoachievealertcorrelation. 65

PAGE 66

Figure3-8.Ontologyforinter-domaineventcorrelation 66

PAGE 67

CHAPTER4 GENERALAPPROACHPART2:CONTEXTANALYSIS 4.1IntroductionandDesignGoals Contextanalysisistheprocessoftakingeventdataprovidedbyasecondarysource andderivinginformationfromthatdatawhichprovidesmoreusefulindicationsaboutthe stateofthesystem.Weexaminethetaskofcontextdataanalysisontwolevels:therst providinganoverviewofthemajorsecuritymeasuresandindicatorsandtherelationships betweenthemandthesecondbyprovidingadetailedapproachfortheanalysisofa specictypeofcontextdata.Thischapterwillproposeaframeworkwhichstructures severalcriticalsecuritymeasuresandtheirdeterminingfactors.Chapter6willdiscussthe specicanalysisandsubsequentusageofaparticularsecurityproperty. Theobjectivesforcontextanalysishavebeendividedintotwomaintypes:objectives involvinghowdataisanalyzed,andobjectivesinvolvingwhattheproductofthose analysesshouldbe.Contextanalysiscoversallofthetasksinthesystembetweenwhen thedataisacquiredbyasecuritycomponentandwhenthatisusedinadecision-making process.Designgoalsfortheapproachtocontextanalysisinclude: ActionableData-Theprimaryaimofthecontextanalysisprocessistoproduce informationthatrepresentscomplexsystemeventsinarelativelystraightforward waythatcanenableautonomousresponses.Thisrequiressynthesizingmultiple piecesofdataintohigherlevelassessmentinformation.Theaimistoprevent theaccesscontrolsystemfromnecessarilyincorporatingallofthefactorsthatan intrusiondetectionsystemconsidersinmakingitsdecision,byprovidingprocedures thatmapthosepropertiestohigh-levelconcepts.Suchhigh-levelconceptscanthen beincorporatedintoaccesscontrolpoliciestoallowtheuseofreal-timeassessment information. Extensibility-Anothergoalisthattheanalysisprocessbebasedonastructured modelthatallowsadditionalanalysisproceduresandassessmentpropertiestobe 67

PAGE 68

addedeasily.Thisrequiresaverydetaileddenitionofeachtypeofassessmentand howtheyrelatetooneanother. Anontologyisusedasthemediumtodenetheassessmentpropertiesbecauseitoersa moreprecisedenitionofthetermsthanwouldbepossiblewithonlywords.Inaddition, becauseontologiesaredescribedwithrstorderpredicatelogic,areasoningenginecould bedevelopedbasedonthespecicationtoperformfusionofsensordatatoproducedthe desiredproperties. 4.2AHigh-LevelOntologyofSecurityAssessmentInformation AnoverviewoftheproposedontologyisdepictedinFigure4-1,withFigure4-2 providingfurtherdetailonthefactorsusedtoarriveatthevariousassessments.Atthe coreoftheontologythereisan AccessRequest thathasthreeaspects:itis initiatedBy a Subject ,itis directedTo an Object theresourcebeingactedupon,andit executes an Action ontheobject.A RequestEvaluation either Permit or Deny isbasedononeor more Assessments .Eachassessmenthasa Source ,aquantitative Value ,apercentageof Certainty andoneormore Constraints Assessmentscanbecategorizedinmultipleways:basedonwhatisassessedandbased onthetypeofdatathatisusedtoproducetheassessment.Undertherstcategorization, assessmentsaredividedintotwomaintypes: EntityAssessments and EventAssessments EntityAssessmentsapplytoentitiessuchasthesubjectandobject.EventAssessments applytotheaccessrequestitself.Underthesecondcategorizationbythetypeofdata usedtoproducetheassessmentthereare CoreAssessments and CompositeAssessments. CoreAssessmentsareproducedbasedondatafromaneventdescriptionsuchasan intrusiondetectionalert.CompositeAssessmentsutilizeoneormoreCoreAssessments, andprovideinformationthatcontrastspropertiesoftheeventunderconsiderationwith propertiesofanentity. Subjectsarecharacterizedprimarilybya TrustAssessment .Objectsarecharacterized by Dependability and Importance assessments Eventsareassigneda Risk .A Threat 68

PAGE 69

assessmentcontraststhetrustgrantedtothesubjectwiththeriskoftherequestitself. The Impact assessmentcontraststheriskoftherequestwiththedependabilityand importanceoftheobject.Eachoftheseassessmentswillbediscussedinmoredetail. 4.2.1CoreAssessments 4.2.1.1Risk Ingeneralriskdenotesaprobablelosstosomeassetorvaluablepropertyofanentity. Specically,inthiscontext,riskisusedtoquantifytheprobableimpactofaneventonthe threeprimarysecurityproperties:condentiality,availabilityandintegrity.Someexisting denitionsofriskincludethefollowing:"ameasureoftheexpectedlossintheabsence ofanymitigationactionsofcountermeasures"[61],"acharacterizationofthedangerofa vulnerabilityorcondition"[62]and"therelativeimpactthatanexploitedvulnerability wouldhavetoauser'senvironment"[63].Thenaldenitionistheclosesttothemeaning beinginvokedhereandwillalsoprovidethefactorsusedtodeterminerisk. ThefactorsusedforriskinthisontologyarederivedfromtheCommonVulnerability SpecicationStandardCVSS.TheCVSSgivescriteriaforstandardizingtheseverity ratingsgiventosystemandsoftwarevulnerabilities.Thespecicationincludesbase metricswhicharesolelybasedonthevulnerabilitycharacteristics,temporalmetrics andenvironmentalmetrics.Thecoreofthespecicationratesvulnerabilitiesonthe requiredenvironment,whichincludes AccessVector AccessComplexity and Authentication andtheprojectedimpacton Condentiality Availability and Integrity -alloftheseare enumeratedasriskfactorsintheontology. 4.2.1.2Trust Therearetwomainareasofconcernwhendiscussingtrust:whatistrustbasedon, andunderwhatcircumstancesisitvalid.Toaddresstheseissues,theontologyincludes TrustFactors and TrustDomains .TrustFactorsarethosesubsidiaryvalueswhich,when consideredtogetherdeterminetheactualtrustassessmentvalue.Thetwotrustfactors includedhereare Capability and Intent 69

PAGE 70

Capabilitywasmentionedin[64]andpreviously[65]torefertoacombinationof demonstrableaccessandauthority.Thiskindofdenitionismostrelevantinthecontext ofpeer-to-peerinteractionwherepartiesarebeingratedaccordingtotheirabilityto fulllaspeciccontractualrelationship.Incontrast,wearefocusedondeningtrustina mannerthatisrestrictedtoanexternalobjectinteractingwithcontrolledresourcesina non-maliciousway.Theconcernisessentiallytoevaluatewhetherornotthetrustedparty willbehaveasexpectedbenevolentlyand,ifnot,towhatdegreetheyhavethecapacity todoharm.Asaresultofthissimplication,someofthecomplexitiesprovidedbyother trustdenitionsarenotrelevanttothecurrentdiscussion.Itisassumedeveryonehas thesamecapabilitytoperformbenevolentlywhichissimplynon-misuse,butthatsome partieshaveagreatercapacityformalevolentormaliciousbehaviorthanothers. Theothertrustfactorconsideredis Intent .Althoughitisadicultconceptto measureandquantify,itistheonlymeansthroughwhichwecanproduceanotionof mistrustnecessaryforsituationsthatrequiredistinguishingbetweenmaliciousandnonmalicioususers.TherearetwostatesforthepropertyofIntent: Benign and Malicious Trustvaluesalsohaveasetofconstraintsthataretypicallycalled TrustDomains TrustDomainsarethesituationsorcontextsinwhichaparticulartrustassessmentapplies orisvalid.Weincludevedomainsasconstraintsforatrustassessment: General or Universal Action-Specic Target-Specic and Context-Specic .A General trustisone thatisvalidacrossanentireapplicationorapplicationdomainandnotconstrainedby anysecondaryfactors. Action-Specic trustisgrantedtoasubjectbasedontheaction beingperformed.Similarly Target-Specic and Object-Specic trustareonlyvalidfora particularresourceorobject,respectively. Context-Specic trustisamoreabstractnotion thatallowstrustactivationbasedoncertaindynamiccontextproperties. 4.2.1.3Dependabilityandimportance Bothdependabilityandimportanceoftheobjectplayaroleinthewaytherequest isviewed.CVSSincludesthesecurityrequirementsofthetargetedassetcondentiality, 70

PAGE 71

integrityandavailabilityunderenvironmentalmetricsthataecttheseverityofa vulnerabilityexploitation.In[66]severalpropertiesarementionedthatcharacterize thedependabilityofsystemsandservices.Anobject'sdependabilityisencapsulatedby thefollowingproperties: Availability Reliability Safety Condentiality and Integrity Availabilityisthereadinessforusage,reliabilityisthecontinuityofserviceandsafety isthenon-occurrenceofdireconsequencesontheenvironment.Condentialityisthe non-occurrenceofunauthorizedinformationdisclosure,integrityisthenon-occurrenceof improperalterationsofinformationandmaintainabilityistheabilitytoundergorepairs andevolutions.ThesepropertiesencompassthoseusedintheCVSSandaddafew additionalpropertiesthatcanbecriticaltocontextualizinganevent. In[52]arelativemeasureoftheobjectsimportanceisusedtomeasuretheimpactof anattack.Alsoin[38],theimportanceofanetworknodeisusedtodetermineasuitable thresholdfortheriskofincomingrequests.Bothoftheseproperties,Dependabilityand Importancehavebeenincludedintheontologyasassessmentsoftheobjectoftherequest thatareneededtoproducehigh-levelassessments. 4.2.2CompositeAssessments 4.2.2.1Threat The Threat assessmentistherstofthecompositeassessmentstobediscussed.Some ofthedenitionsforthreatusedintheresearchareasfollows:"theadversary'sgoalsor whatanadversarymighttrytodotoasystem","anindicationofapotentialundesirable event"[61].and"thelikelihoodorfrequencyofaharmfuleventoccurring"[63]. In[30,67]aglobalsystem-widethreatlevelisusedtointegrateinformationfrom outsideintrusiondetectionsystemsintoanadvancedsecuritypolicythatcanspecify allowedactivities,detectabuseandrespondtointrusions.Teoetal.[38]proposeasystem tomanagenetworklevelsystemaccessthatusessource-centeredthreattoregulateaccess controldecisions.Althoughnotconcernedwithahigher-levelthreatanalysis,Valeuretal. [52]aggregateIDSalertsinmultiplewaystocharacterizethetraccomingfromasingle 71

PAGE 72

sourceorintoasingletargetattackfocusrecognition.Theyalsoconsidersetsofalerts betweenasinglesource-targetpairattackthreadreconstruction. Initsstrictestsense,threatassessmentshouldrelyonbothatrustassessment forthesourceoftherequestandariskassessmentoftherequestitself.Athreatis thereforeaspecic,quantiablesecurityriskcomingfromasubjectthatisalsoassigned acorrespondingtrustvalue.Thisresultsinanotionofthreatthatisprimarilybasedon twofactors:thenatureoftherequestitsrisk,andthesourceoftherequestthedegree oftrustgiventothem. 4.2.2.2Impact Thesecondcompositeassessmentmeasureis Impact .TheImpactcombinestherisk oftherequestwiththeimportanceoftheobjectanditsdependability.Thus,inthecase ofsecurity,animpactassessmentisajudgmentaboutthepotentialsecuritydamage inictedbyanaccessrequestconsideringthegeneralfault-toleranceoftheobjectandits importancetothesysteminwhichitexists. 4.3Summary Thisontologyhelpsdenethegoalsoftheanalysisprocessintermsofconcrete attributesthatshouldbederived.Theyincludemeasurementsusedinvarioussystems andstandards,butareplacedinauniedstructurethatelucidatesthedierencesbetween thevarioustermsmorepreciselythanmeredenitions.Inaddition,thefactorsusedto determineeachassessmentpropertyarealsolistedwhichprovidesclearerinsightastohow asystemcanarriveattheassessmentandwhatlowerleveldataisrequiredasaninput totheprocess.Inanidealsystem,thisontologywouldserveasthebasisforareasoning enginethatcouldproducethenecessaryoutputsgiventherequiredincomingdata.The implementationdiscussedinChapter6seeSection6.3willfocusonasinglesecurity propertynamelyriskandprovidefurtherdetailsonhowananalysisservercanproduce assessmentsofthattypegiveninputdata. 72

PAGE 73

Figure4-1.Coreassessmentclasses.Importance,trustanddependabilityassessmentsforentities.Threatandimpact assessmentsforaccessrequests.Valueandriskassessmentsfortheactionofanaccessrequest. 73

PAGE 74

Figure4-2.Assessmentfactorsforthreeassessmenttypes:trust,riskanddependability.TheclassAssessmentisalsoa subclassofAssessmentFactorbecauseofthecompositeassessmentsthatarederivedfromotherassessments.The assessmentfactorsforthreataretheriskoftherequestandthetrustgrantedtothesubject.Theassessment factorsfortheimpactarethedependabilityandimportanceoftheobjectandtheriskoftherequest. 74

PAGE 75

CHAPTER5 GENERALAPPROACHPART3:CONTEXTAPPLICATION 5.1Introduction Thelastphaseoftheprocessofarchitectingcontext-awarebehavioristheapplication ofcontextdata.Ifwedeneaccesscontrolasafamilyofstrategiesforonepartyto preciselycontrolwhatotherpartieswillbeallowedtodowithresourcesthatitcontrols [46,45]thenitbecomesapparentthataccesscontrolisperformedatvirtuallyeverylayer ofasystem,includingatthenetwork,operatingsystemandapplicationlevels.Toshow concreteimpactoftheapproachitisnecessarytofocustheapplicationofcontextdataon improvingsomeaspectoftheperformanceofaccesscontrol.Someofthedesigngoalsfor contextapplicationarethefollowing: Responsesnativetotheaccesscontrolparadigm Theprimaryelementsofmanipulationforaccesscontrolsystemsarepermissions:themodesofinteractions allowedforvarioussubjectswithsystemresources.Therearemanydierenttypesof responsestointrusions,butasthefocushereisoncontext-awarebehaviorforaccess control,wewillfocusonstrategiesthatmanipulatethepermissioningprocessatthe accesscontrollevel. Applicationlevelcontextapplication Allofthestrategiesusedfortheapplication ofcontextdatawillbedesignedtobeappliedattheapplicationlevel,meaning:any pieceofsoftwarerelyingonanunderlyingoperatingsystemforthemanagementof hardwareresources.Thiswillenableustocontinuetheworkwehavepreviously doneinXACML,awidelyadoptedframeworkforapplication-levelaccesscontrol. Thiswillalsoincreasethepossibilitythatthesystemforcontextapplicationcanbe furtherextendedbyotherresearchers. 5.2Context-BasedPolicyEvaluation Therstapproachtoutilizingcontextdatathatwillbediscussediscontext-based policyevaluation.Thisprocessreliesontheintroductionofcontext-dependenciesintothe 75

PAGE 76

accesscontrolpolicythatareresolvedatpolicyevaluationtimebyusinginformationfrom thecontextanalysisprocess. 5.2.1AccessControlSchemaExtension Usingtheabstractionofaneventastheunifyingfactorforsecurityintegration,it isstillnecessarytondaconcreterepresentationfortheattributesofthoseevents.In mostcurrentsystems,accesscontrolhastheroleofenforcingglobalsecuritypolicy.All requestsforresourcesmustbecheckedagainstanaccesscontrolpolicybeforetheyare granted.Butmostpresentmethodsforaccesscontrolmakelittleornouseofintrusion detectiondata.Themergedpolicyoptiondoessolvethisproblembydevelopingaschema thatincludesconceptsfromallthreerelevantdomains,butintheprocessofmigratingIDS conceptstotheaccesscontroldomain,italsomigratestheintrusiondetectionmethodtoa policyspecication. Ourapproachwillbetoprovideacommonpolicybydevelopingnewattributesthat canbeincludedinantraditionalaccesscontrolpolicy.Theseattributeswilldescribethe following: propertiesofintrusiondetectionalertsthatshouldbetakenintoaccountwhen returningavaluefortheattribute thedesiredprocedureforcalculatingthevaluereturnedfortheattribute Inessence,thecouplingbetweenIDSattributesintheaccesscontrolpolicyandthedetails andinformationusedbytheactualIDSsystemswillbeloosened.Anadditionallayer ofabstractionwillbeaddedtomakethebindingtothoseaccesscontrolattributesIDS implementationindependent. Thisapproachalsodemandsthattheauthorofthemappingfunctionunderstand theoutputoftheIDSsystems.TheuseofastandardschemaforIDSinformationwill enabletheimplementeroftheaccesscontrolpolicyevaluationmechanismtowritea singlefunctionforeachnewattributeaddedtoanaccesscontrolpolicyprovidedthat 76

PAGE 77

theIDSsystemsunderusewilleitherusethatstandardschemanatively,orprovidea transformationfromthenativeformattothestandardone. Thispolicyextensionwillprovidethemeansforsemanticintegration.Oneofthe methodsfordatapersistenceconversionwillbeusedheretoreturnthenecessaryvalue fortheaccesscontrolpolicyfromthesetofrelevantIDSalerts.Thisoperationwillrequire alimitedformofconversionbecausetheschemaforIDSalertsisdierentthantheschema fortheaccesscontrolpolicy. Basedsolelyontheaggregationrelationshipsspeciedin[9]andusingtheconceptof threatoutlinedpreviously,thefollowingattributeswereaddedtotheXACMLschemaof theaccesscontrolmechanismdescribedinSection3.3.2: 1.source-target-class-threat-providesthetotalseverityofthethreatfromthissource tothisresourceinthisclassofattack 2.source-target-all-class-threat-providesthetotalseverityofthethreatfromthis sourcetothisresourceforallclassesofattack 3.source-class-all-targets-threat-providesthetotalseverityofthethreatfromthis sourcetoallresourceswiththisclassofattack 4.all-sources-target-class-threat-providesthetotalseverityofthethreatfromall sourcestothisresourceinthisclassofattack 5.source-all-targets-all-threats-threat-providesthetotalseverityofthethreatfrom thissourcetoallresourcesforallclassesofattack 6.all-sources-target-all-classes-threat-providesthetotalseverityofthethreatfromall sourcestothisresourceforallclassesofattack 7.all-sources-all-targets-class-threat-providesthetotalseverityofthethreatfromall sourcestoallresourcesforthisclassofattack Eachoftheserulescontainsatmosttwoattributes:thethreatthresholdvalueandan attackclassforcases1,3,4and7.Thesourceandtargetwillbespeciedintheaccess controlrequestandthereforedonotneedtobespeciedinthepolicy-thevaluesfor sourceandtargetwillbeinheritedfromtherequestvalues.Examplesofaccesscontrol rulesincorporatingthesepropertiesareprovidedinFigures5-1,5-2,5-3,5-4and5-5. 77

PAGE 78

Theprocessforaccesscontrolschemaextensionunderthefederatedimplementation isdicussedinSection6.5.UnliketheXACML-basedimplementation,becausetheaccesscontrolprocessintheApachewebserverwasnotdesignedtoincorporatecontextual informationintotheschema,theprocessofschemaextensionislessstructured.Thesubsequentdiscussionwill,thereforerelyontheXACMLschemaabstractionsfordiscussingthe incorporateofcontextdataintheapplicationprocess. 5.2.2ApplicationScenarios Weprovidesomeexamplesofsituationswhereourapproachcanbeusedtoprovide verygranularIDS-awareaccesscontrol. Threatescalationbyasinglesource. Inthisrstscenariowehaveasingle sourceperformingmultipleintrusiverequestsagainstvarioussystemresources.Theaimin thiscaseistorestrictaccesstosystemresourcesfromthissourceafterthethreatprole forthatsourcepassedagiventhreshold.Thisapplicationissimilartothetaskofpacket lteringwhichisperformedbysomeIntrusionPreventionSystemsIPSbutwithafew majordierences.Therstisthatthistechniquecanbeapplieddynamicallybasedon thepasthistoryofthesourcewhereaspacketlteringmustbeconguredmanuallyto lterbasedonsource.Thesecondisthat,becausethisrestrictionisperformedatthe applicationlevel,thereisawiderrangeofpossibleresponsesavailable.Accesscouldbe deniedentirely,similartopacketltering,oronlyspecicaccessrightscouldberevoked, allowingamoremeasuredresponse. Inaconcreteexampleweconsiderawebserverwiththreeavailableresources:R 1 R 2 ,R 3 .Eachoftheresourcesisgovernedbyapolicythatdeniesrequestscomingfrom sourceswithathreatproleabove25.ThebasicstructureoftheruleisshowninFigure 5-1.Eachresourceisassignedanimpactvaluerangingbetween1and3,andcondence valuerangesbetween1and5basedonthenumberofsystemsreferencingthevulnerability used. 78

PAGE 79

Twodierenthosts:S 1 andS 2 makerequeststotheserverinparallel.HostS1 attemptsthreewebcgiexploitsagainsttheserver,withitsoverallthreatproleincreasing eachtime.BythetimeitrequestsR1onitsfourthoverallrequesttotheserver,itsthreat proleexceedsthethresholdallowedinthepolicythatcontrolsR1,R2andR3andis thereforedeniedaccesstoallofthem.Simultaneously,becauseS 2 hasmaintainedathreat proleof0,itcancontinuetoaccessalloftheresourcesavailable.Anexampleofthis scenarioissummarizedinTable5-1. Threatescalationagainstasingletarget. Inthissecondscenario,weconsider awebserverwithtwoavailableresources:R 1 ,R 2 .Accesstoeachoftheresourcesis regulatedbyapolicythatdenieswriteandupdaterequestswhenthethreatproleforthe resourceisover30.ThebasicstructureofthethreatruleisshowninFigure5-2.Three dierenthosts:S 1 ,S 2 andS 3 makerequeststotheserverinparallel.Inthiscase,however aftertwoindependentrequestsfromS 1 andS 2 forR 1 ,thethreatproleoftheresourceis at20.Asaresult,athirdrequestforR 1 fromS 3 isdenied.Allofthehosts,however,can stillaccessR 2 becausenoneoftheirindividualthreatprolesexceedsthethresholdsetin thepolicythatcontrolsR 2 .AnexampleofthisscenarioissummarizedinTable5-2. 5.3Context-BasedThreatResponse Thenextstrategyforcontextapplicationextendsthenotionofcontext-basedpolicy evaluationbyidentifyingtraditionalintrusionresponsestrategiesandapplyingthembased oncontextdata,whilestillmaintainingcontextdependenciesintheaccesscontrolpolicies. Wewillrstsurveytheavailableintrusionresponsemethods,notingthefactorsthat determinethecircumstancesunderwhichtheyareusedeectively.Wewillthenutilize theavailablecontextdataproducedduringtheanalysisprocessasacriteriaforemploying appropriatemitigation,preventionandresponsemethods.Anotherdierencebetweenthis applicationtechniqueandthepreviousone,isthateachoftheseresponsemethodswillbe dependentonmultiplepropertiestobeappliedwhereasthepreviouscontextdependencies onlyintroducedasinglepropertyintotheaccesscontrolpolicy. 79

PAGE 80

Carver[68]oersanumberofresponsesalongwiththesituationstheycanbeused appropriately.WepresentasummaryofthemostrelevantmethodsinTable5-3,along withtheirrespectiveimplementationsatanaccesscontrollevel.Implementationsfor fourofthesixaforementionedresponsemethodsareongoing:restrictinguseractivity bothspecicactionsandallactions,blockingaccesstothreatenedservices,andforcing additionalauthentication. Forcingadditionalauthentication -thisapproachwillbeimplementedbyaddinga ruletotheaccesscontrolpolicyforthedesiredresourcesthatspeciesadditional authenticationastheobligationifcertainconditionsaremet.Therequestisdenied pendingfurtherauthentication. CompleteUserActivityRestriction -accomplishedbykeepingadynamically updatedblack-listofsourcesthathaveexceededallowablethresholdsforintrusive behaviorandsimultaneouslyhavealowtrustamount.Anewattributewillbe providedthatwillrequireacustomattributeevaluationmodulesimilartotheones usedtoperformcontext-basedpolicyevaluationinSection5.2.Thismodulewill returnaBooleanvalueindicatingwhethertherequestinguserisunconditionally blockedornot.Thisevaluationmodulewillqueryablacklistingservicethatruns withinthepolicydecisionpointitself.Thisblacklistingservicewillexamineavailable behaviorwithinapre-determinedtimewindowandwillblacklistuserstemporarily whentheirbehaviorexceedstheallowablethreshold.Thethresholdwillalsobe dependentontheleveloftrustaccordedtotheuser-agreateramountoftrustgives acorrespondinglyhigherthreshold.Anexampleofapolicytoblockorlockouta userisshowninFigure5-4. BlockingAccesstoThreatenedServicesalsoachievedthroughanewpolicyattributeevaluatedwithacustomevaluationmodulethatreturnsabooleanvalue indicatingifrequeststothattargetarebeingdeniedduetoanoverwhelming amountofsuspicioustrac.Ifthisattributeisusedinapolicy,thenthismodule 80

PAGE 81

willqueryaservicemonitoringincomingrequeststotheservicesundercontrolofthe policyenforcementpoint.Basedontherequiredavailabilityofthetargetrecordedin anassetdatabaseathresholdwillbesetfortheamountofintrusivebehaviorthat canbeignoredbeforetheaccesstotheresourceshouldbeblocked.Anexampleofa policydesignedtoblockaccesstoathreatenedresourceisshowninFigure5-3. RestrictingUserActivitiesanewsetofpolicyattributeswillbeintroducedto designatetherestrictingofspecicpermissions.Amodulewillbeprovidedforeach attributewhichwillcheckifthesourceoftherequestsmeetsthecriteriatobeable toperformthatspecicaction-ifnotthatspecicrequestwillbeblocked.Each resourcewillhavethresholdsforsourcetrust,theseverityofthethreatandthe certaintyoftheassessmentthatwillbeinputstothefunctionthatdeterminesif thespecicpermissionwillbeallowedforthatrequest.Anexampleofapolicyto restrictuseractivityisshowninFigure5-5. 5.4Summary Twogeneralusesforcontextwithregardstoaccesscontrolareexploredhere:the evaluationofpolicieswithcontextualdependenciesandthetriggeringofresponsesbased oncontextdata.Thecontext-basedevaluationofpoliciesrequiresthatthepolicyschema isextendedwithnewattributesandthatdependenciesareaddedtothepolicythatforce contextinformationtoplayaroleinthedecisionissuedbytheenforcementmechanism. Context-triggeredresponse,however,focusesonidentifyingspecicscenarioswhich canbeindicatedbycontextdataandthenmatchingthosescenarioswithahigh-level countermeasurethatwillhelpmitigatetheriskinthatscenario.Asaresultofthefact thataccesscontrolisprimarilyapolicyenforcementmechanismthereisanelementof commonalitybetweenthetwoapproachesbecausetheimplementationoftheresponse techniqueswilllikelytakeplaceatthepolicylevel.Context-triggeredresponsebuildson theinclusionofcontextdataintothepolicyevaluationprocessandprovidesaresponse basedoncomparingmultipletypesofindividualcontextualproperties. 81

PAGE 82

Bothofthemethodologiesoutlinedherecontext-basedpolicyevaluationandcontextbasedthreatresponseareincorporatedintothesystemimplementationdetailedin Chapter6.Context-basedpolicyevaluationisachievedbydirectingrequestevaluationto customaccesshandlersthatinteractwithananalysisserverandthenreturnadecision aftercheckingtheriskvalueagainstthresholdssetinthepolicyspecication.Contextbasedthreatresponseisincorporatedinthateachaccesscontrolhandlerenablesa dierentresponsemoresuitabletoonesituationoranotherbasedonexamingspecic contextinformation. 82

PAGE 83

20 Figure5-1.XACMLruleincludingsource-centeredthreat.Thisruledemonstratesthe extensionoftheXACMLschemawithanewproperty total-source-threat. This propertyisdesignatedasanattributeofthesubjectoftherequest.Aninteger functionisusedtocomparethevaluereturnedforthispropertywiththe designatedvalueof20.Ifthetotal-source-threatpropertyisgreaterthanor equaltothisvalue,thentherulehastheeectofcausingtherequesttobe denied. Table5-1.Escalationofthreatinsubsequentrequestsbytwodierentsources.Whenthe threatisassignedtoindividualsourcesseperately,thesystemisableto distinguishbetweenmaliciousandnon-malicioussubjects. SourceRequestThreatTotalSourceThreat S 1 1st88 S 1 2nd1018 S 1 3rd826 S 2 1st00 Table5-2.Escalationofthreatinsubsequentrequestsbythreedierenthostsona commontarget.Whentheeectofrequestsfromdierentsubjectstothesame objectareconsideredinaggregate,thesystemisabletocontextualize individualrequestsintoanoverallpatternofinteractionwiththeobject. SourceOrderofRequestThreatTotalTargetThreat S 1 1st1010 S 2 2nd1020 S 3 3rd020 83

PAGE 84

30 Figure5-2.XACMLruleincludingtarget-centeredthreat.Thisruledemonstratesthe extensionoftheXACMLschemawithanewproperty total-target-threat. This propertyisdesignatedasanattributeoftheresourcebeingaccessed.An integerfunctionisusedtocomparethevaluereturnedforthispropertywith thedesignatedvalueof30.Ifthetotal-target-threatpropertyisgreaterthan orequaltothisvalue,thentherulehastheeectofcausingtherequesttobe denied. true Figure5-3.XACMLruleincludinganattributeindicatingthataresourceislocked.This ruledemonstratestheextensionoftheXACMLschemawithanewproperty resource-lock-status. Thispropertyisdesignatedasanattributeoftheresource beingaccessed.Abooleanfunctionisusedtocomparethevaluereturnedfor thispropertywiththedesignatedvalueof'true'.Iftheresource-lock-status propertyistrue,thentherulehastheeectofcausingallrequeststothis resourcetobedenied. 84

PAGE 85

true Figure5-4.XACMLruleincludinganattributeindicatingthatauseraccountislocked. ThisruledemonstratestheextensionoftheXACMLschemawithanew property resource-lock-status. Thispropertyisdesignatedasanattributeof thesubjectinitiatingtherequest.Abooleanfunctionisusedtocomparethe valuereturnedforthispropertywiththedesignatedvalueof'true'.Ifthe user-account-lock-statuspropertyistrue,thentherulehastheeectof causingallrequestsfromthissourcetobedenied. true Figure5-5.XACMLruleincludingapropertytorestrictaspecicpermission.Thisrule demonstratestheextensionoftheXACMLschemawithanewproperty user-write-prohibit. Thispropertyisdesignatedasanattributeofthesubject initiatingtherequest.ThePolicyDecisionPointwillbeextendedwithanew modulethatprovidesthelogictoprovideacurrentvalueforthisproperty.An booleanfunctionisusedtocomparethevaluereturnedforthispropertywith thedesignatedvalueof'true'.Iftheuser-write-prohibitpropertyistrue,then therulehastheeectofcausingtherequesttobedenied. 85

PAGE 86

Table5-3.Selectedintrusionresponsestrategies.Eachgeneralresponsestrategyislisted alongwithitsappropriateusecase,itsimplementationattheaccesscontrol levelandthecontextualpropertiesthatconstrainitsapplication. ResponsestrategyUsecasedescriptionImplementationfor accesscontrollevel response Applicationconstraints Lockinguser accounts Compromiseofuser accountinquestion Globalpolicythat deniesrequestsfrom aparticularsource Highcertaintyofattack andhighriskevaluationfor thesourcewithlowto moderateusertrust Disablingthe attackedportsor services Makingtheportor serviceinaccessible Globalpolicythat deniesrequeststoa particulartarget HighCertainty,High target-centeredthreat,Low TargetAvailability requirement Forceadditional authentication Maysloworstop intrusionsespecially automatedones, whileauthorized userswillcontinue Policythatrequires multiple authentication tokensforarequest tobegranted Usedwithlow-certainty, Source,Targetor Pair-CenteredThreatsof ModeratetoHighlevel RestrictuseractivitySuspicioususersmay berestrictedtoa specialusershell thatallowssome functionalitywhile restrictingcertain commands Policythatseparates allowedactionsinto levelsbasedonthe perceivedthreat classoftheuser 1lowtomidcertaintyof attackandlowtomiduser trust 2highcertaintyofattack andhightrustwhich wouldindicatetheaccount hasbeencompromised 3lowtomidthreat severity 86

PAGE 87

CHAPTER6 ADAPTIVERISK-AWAREACCESSCONTROLFORWEBSERVERS 6.1Introduction 6.1.1ConnectionBetweentheImplementationandPreviousChapters Thepreviouschaptershavesoughttoanswersomeofthefundamentalquestions regardinghowcontextawaresecuritysystemscanbedesigned.Thedesignprocesshas beenbrokendownintoafewmainelementstoensurethatateachstephelpsfulllthe largerdesigngoalsofthesystem. Thischapterwillfocusonaddressingsomeofthemorespecicquestionsregarding theuseofintrusiondetectiondatainanaccesscontrolprocess,suchas:dealingwithdata inaccuraciesandensuringperformanceinthefaceoflargeamountsofincomingdataand highrequestfrequency.Thesolutionspresentedintheimplementationwillrelyonthe groundworkestablishedinthepreviouschapters. AfederatedapproachisusedthatfollowstheprinciplesdiscussedinSection3.2.2. ThecorrelationontologyofSection3.4.5isadaptedtoarelationaldatabasemodelthat servesastheschemafortheeventdatabasedescribedinSection6.5.Anindependent analysisserverperformsthefunctionsofaggregatingcontextinformationandthen disseminatingit.Theimplementationfocusesononeofthecontextpropertiesdened intheChapter4ontologyofassessmentproperties-thatofrisk.Amodelisdenedfor derivingriskinformationfromassessmentsproducedbyanintrusiondetectionsystemon attemptstoexploitsoftwarevulnerabilities.Thismodeldesignateshowriskisassigned tobothsubjectsandobjectsofaccessrequests.Detailsarealsoprovidedonhowthe analysisdataisappliedandusedintheaccesscontrolprocess.Context-basedpolicy evaluationpreviouslydiscussedinSection5.2isachievedbyprovidingcustomaccess controlhandlersthatinteractwiththeanalysisservertoreceiveriskinformation.These accesscontrolhandlersalsoimplementtheresponsetechniquesdiscussedinSection5.3. 87

PAGE 88

6.1.2ImplementationOverview Theproposedsolutionforachievingattack-resistantaccesscontrolistheuseofrealtimeassessmentdatainaccesscontrolpolicyevaluationandenforcement.Specically, evidencesofvulnerabilityexploitationarecollectedandanalyzedintoahigherlevelrisk assessmentforthesourcesandtargetsofaccesscontrolrequests.Thisriskassessment issubsequentlyusedasanadditionalparameterorcontextualpropertyinaccesscontrol policiessothatpermitanddenydecisionsforanincomingrequestarebasedonan assessmentoftheriskposedbytherequestingsourceand/ortheriskposedtothetargeted resource.Thisapproachhasbeentermedthe A daptive A ssessmentB ased A ccess C ontrol S ystemABACUSforshort. Twoclosely-relatedstrategiesforimplementingthisapproacharediscussed.The rstisanapproachrelyingonon-demandanalysis,abstractingthethreepartsofthe contextmanagementprocessacquisition,analysisandapplicationintodierentserver mechanismsandperformingtheanalysisbyaggregatingrequestsandderivingarisk assessmentasnewrequestscomein.Asetofresultsarethenprovidedforthetestingdone withanimplementationofthisapproach,alongwithconclusionsontheconstraintsand limitationsofthisapproach. Thesecondapproachdiersinthattheanalysisfunctionistriggeredbynewsecurity eventsinthesystemandconsequently,theanalysisdoesnottakeplaceasafunctionofan incomingrequest.Riskassessmentsarecontinuallymaintainedforalloftheentitiesinthe system.Asnewassessmentdatabecomesavailable,thoseriskassessmentsareupdatedfor theentitiesinthatevent.Asetofresultsarethenprovidedforthetestingdonewiththis approachalongwithconclusionsonitsconstraintsandlimitations.Finally,asummary andrelativecomparisonofthetwoapproachesisoered. 88

PAGE 89

6.2IntrusionResponseandAttackResistance 6.2.1StrategySelection Thestrategiesputforthintheliteratureforrespondingtointrusionsandattempted systemattacksareverynumerousandvaried.Therefore,itisnecessarytoselectonly thosethatmostcloselymatchtherequirementsforachievingthedesiredgoal:namely, attackresistantaccesscontrol.Therstrestrictionisthattheresponsesappliedshould servetomanipulatesomeelementintheaccesscontroldomain.Accesscontrolisprimarily concernedwithasetofsubjects,asetofobjectsandthespecicoperationsthateach subjectcanperformoneachobject.Soourresponsetechniquemustmanipulatethese permissions,eitheratthesubjectsidebydesignatingwhichactionsasubjectcan performorattheobjectsidedesignatingwhatcanbedonewiththeobject.Thesecond requirementisthatthestrategyorresponsecanbetriggeredusingriskdata. Anumberofdierentintrusionresponsesaredetailedin[49,48].Usingthecriteria justdiscussed,however,thefollowingthreestrategieswereselectedasappropriateforthis application:1forcingadditionalauthentication,2restrictingsubjectpermissions3 restrictingobjectpermissions. Forcingauthenticationcouldtakeanumberofforms.Therstwouldbeforcing anonymousauthentication.Thisisastrategythathasbecomesomewhatcommonin theInternettoday,thatimplementsanauthenticationchecknotbasedonashared secretbetweentheuserandthehostsystemsuchasapasswordbutbasedonthe subjectsabilitytoperformanoperationthatdistinguisheshimfromaclassofundesirable usersfrequentlyautomatedattackscripts.Anotherformofauthenticationwouldbea traditionalpasswordcheckthatestablishestheactualidentityoftheuser.Ineitherform, howevertheaimistoensurethattheuserrequestingaccessisnotamemberofthesetof userswhoshouldbedeniedaccesstotheresource. Theresponseofrestrictingsubjectpermissionsalsotakesmorethanoneform. Therstrestrictsthesubjectfromperformingaspecicoperationorrestrictedsetof 89

PAGE 90

operationsacrosstheentiresetofsystemresources.Thissomewhatassumesthatthe setofsystemsresourceshaveasetofcommonactionsoroperations.Thesecondform isanextensionoftherst,thataddsalloftheavailableoperationstotherestrictedset, eectivelylockingthesubjectoutofperforminganyactiononanyofthesystemresources. Similarlytotheprevioustwooperations,theresponseofrestrictingpermissionsona targethastwoforms.Therstrestrictsallsubjectsfromperformingaspecicactionor restrictedsetofactionsontheobjectinquestion.Thenextformblocksallsubjectsfrom performinganyoperationontheobject.Thesetechniquessatisfythepreviouslymentioned requirementsandprovideaframeworkofresponsivebehaviorsthatcanbeusedtocurtail orlimitintrusiveactionsinthesystem. 6.2.2ResponseTriggering Thenextaspecttodetailiswhentheresponsetechniqueswillbeemployed,orbased onwhatconditionswilltheybeactivatedandhowwillthoseconditionsbedescribed. Ourapproachtoresponseselectionisroughlywithinthethirdcategoryoftheintrusion responsetaxonomymentionedin-cost-sensitiveresponseselection.Theauthorofthe accesscontrolpolicyisresponsiblefordecidingwhichsecurityriskfactorsie.global systemrisk,riskfromtherequestingsourceorrisktothetargetwillbeusedduring theprocessofevaluatingwhetherornotarequestwillbepermitted.Theseindividual measuresarethereforetheinputsintotheresponseselectionprocess.Eachriskfactor isthenmatchedwithathresholdthatdetermineswhentheactionassociatedwiththe factorsshouldbeperformed. 6.3NotionofRiskandaPreliminaryRiskAssessmentModel Riskwaspreviouslydened,alongwithitscriticaldeterminingfactors,inthe assessmentontologyfromSection4.2. 6.3.1AnalysisModel Weconsiderthefollowingbasicscenario:anewaccesscontrolrequestisgenerated r 1 .Thisrequesthasasource s 1 andatarget t 1 .Wetakeanapproachtoassessing 90

PAGE 91

theriskoftherequestthatreliesprimarilyonassessingthesourceandtargetofthe request.Therefore,therststepistoaggregatethesetofrequestsgeneratedbythesource R s 1 = r a ;r b ;r c :::r n andthetarget R t 1 = r f ;r g ;r h :::r m andtherebyassignrisktothose entities.Therstsectionwilldealwithhowwearriveatariskassessmentforeachrequest intheaggregatesetsforthesourceandtarget.Thenextsectionwillthendealwithhow thosevaluesarecombinedtoarriveatasingleassessmentfortheentity. Estimatingriskforpastevents. Riskisassociatedwithaprobableintrusion attempt,evidencedbyanattempttoexploitasystemvulnerability.Theriskposedbya request,therefore,isproportionaltotheseverityofthevulnerabilitiesitissuspectedtobe seekingtoexploit. TheCVSSstandardprovidesawidelyaccepted,quantitativemeasurementscalefor theseverityofvulnerabilities,andthereforewewillleveragethatstandardfortherating ofvulnerabilities.Theoverallmethodforprovidingasinglevulnerabilityestimatebased onmultiplevulnerabilitiesspreadoutovertimeisderivedfromthemethodusedin[69]. Themethodhasbeenadapted,however,totakeasinputasetofvulnerabilitiesassociated witharequest,insteadofthesetofvulnerabilitiesthatapplytoaparticularservice.The function R r j givenbelowprovidesanestimationofthetotalriskforarequest r j by takingtheexponentialaverageofallofthevulnerabilitydescriptionsassociatedwiththat request.Theexponentialaveragewaschosen,asnotedin[69],toprovideanriskestimate fortherequestthatisatleastaslargeasthehighestseverityvulnerabilityassociatedwith therequest. R r j = X v k V r j e SS v k Decay r j Decay r j = e )]TJ/F24 7.9701 Tf 6.587 0 Td [( currenttime )]TJ/F24 7.9701 Tf 6.586 0 Td [(requesttime r j Inmanycases,analertistriggeredbyanintrusiondetectionsystemandbecause ofthenatureoftherequestitcouldcorrespondtomultiplevulnerabilities.Theset 91

PAGE 92

V r j isthesetofallvulnerabilityexploitationsignaturestriggeredbytherequest r j SS v k isthemagnitudeofthevulnerability v k Decay r j servesasaweightingforeach vulnerabilitybasedontheageoftherequest.Itdeterminestheamountoftheoriginal magnitudethatremainsasafunctionoftime-thisallowsmorerecentinformationto playamoreprominentroleinariskevaluation. isthedecayperiodafterwhichthe magnitudeoftherequestbeginsdecreasingovertime. Estimatingtheriskposedbyasourceortoatarget. Theriskposedbythe sourceofarequestisthentheweightedsumoftheriskvaluesforalloftherequeststhat canbeattributedtothatsource.Wedenethefunction SR s i tobetheriskassessment assignedtoasource s i .Thisisgivenbythefollowingformula: SR s i = ln + X x f H;M;L g w x X r j HV x s i R r j Alloftherequestsinitiatedbyasource s i andassociatedwithanattempttoexploit asystemvulnerabilityarecontainedintheset HV s i .Thissetisthendividedinto threesubsets HV L s i HV M s i and HV H s i basedonthemagnitudeoftheriskfor therequest.Theset HV x s i denotesalloftherequestswithvulnerabilityexploitation assessmentsofacertainseveritylevelLow,MediumorHighforwhich s i isthesource. Eachsetissummedintothetotalriskevaluationwithaweightingof w x .Thenal weighting ampliestheoutputsothatdierencesbetweendierentsourcescanbe viewedmoreeectively.Theexponentialaverageisusedagain,togiveanoverallestimate thatisatleastaslargeastheweightedsumofthehighestseverityvulnerabilitiesineach ofthethreeclasses.Thelogarithmoftheweightedsumistakentokeeptheoutputwithin arangethatismanageableandwhichcanbe Similarly,theriskassociatedwithatarget t i isgivenbybythefunction TR t i : TR t i = ln + X x f H;M;L g w x X r j HV x t i R r j 92

PAGE 93

Inthiscase,however,theset HV x t i denotesalloftherequestswithvulnerability exploitationassessmentsofacertainseveritylevellow,mediumorhighforwhich t i is thetarget. Contributionsofthisassessmentmodel. Extendingtheworkdoneonsecurity metricsthatassessthestateofthesystematagivenpointintimeweproposeathe useofsecuritymetricstomonitorthesystemstateinrealtimeandbtofocustheuse ofsystemmetricsonassessingtheprincipalentitiesinaccesscontrolrequests,namely: requestsourcesandtargets.Thefocusisthereforeusingvulnerabilityexploitation informationtodevelopriskassessmentsforentitiesinasystem. Inparticular,wehaveusedamethodbasedontheonein[69]tocombinethe magnitudeofmultiplevulnerabilitiesspreadoutovertime,butfocusedonwhenthe requestwasgeneratedinsteadofwhenthevulnerabilitywasdiscoveredasameansfor assessingthesecurityofaparticularservice. 6.4TriggeringRestrictedPermissioningWithRiskData Althoughthecostdeterminationequationsforresponseselectionarehighlysystem dependent,theriskprogressioninFigure6-1isprovidedasanexampleandhasbeen testedusingthemodeldiscussedpreviously.Forthisspecicprogression,theattacker executesexploitationattemptsofmid-severityevery60seconds.Theriskprogression wouldchangeifanyofthevariablessuchastheriskratingoftheindividualrequests,the interarrivaltimebetweenrequests,ortheweightingofthelow,mediumandhighlevel riskeventswereadjusted. Usingtheexampleriskprogression,thefollowingsampleconditionsareprovidedfor performingeachofthepreviouslymentionedintrusionresponses: 1.ifSource_Risk>=36.11ORSystem_Risk>=53.8THENForce_Authentication 2.ifTarget_Risk>=41.11THENRestrict_Permission_X_On_Object 3.ifSource_Risk>=41.11THENRestrict_Permission_X_For_Subject 93

PAGE 94

Therstconditionforcesauthenticationforthesubjectiftheriskgeneratedbythe subjectexceeds36.11roughlythreeexploitationattemptsofmid-severityoriftheoverall systemlevelthreatexceeds53.8fteenexploitationattempts.Thesecondcondition deniesthesubjectfromperformingactionXontheobjectifthetargetriskhasrisenator above41.11meaningithasreceived5ormoreexploitationattempts.Thelastcondition deniesthesubjectfromperformingactionXonanyobjectsifthesourceriskisator above41.11meaningthat5ormoreexploitationattemptshavebeenattributedtothat subject. 6.5AbacusFrameworkArchitecture Thearchitectureabstractstheriskanalysisfunctionsintoanexternalriskanalysis servicewhichtheaccesscontrolsystemisthenadaptedtointeractwith.Theaccess controlsystemusedtodemonstratethisarchitectureistheApachewebserver.This secondapproachcorrespondsroughlytoafederatedorserviceorientedapproach.The threerisktypesdiscussedpreviously:source,targetandsystemareeachimplementedin ananalysismodulewhichcanprovideariskassessmentfortheappropriateentityorin thecaseofthesystemlevelriskforalloftheentities.Alloftheanalysisdataisthen madeavailablebyananalysisservicethatreceivesandservicesrequestsforriskanalysis information.Thewebserverisalsoextendedtoperformthethreeintrusionresponses discussedpreviouslyasthemeanstoattackresistance:forcingadditionalauthentication, restrictinguserpermissionsandrestrictingaccesstoatarget.Basedontheresourceand theactionsavailableonthatresource,athresholdisdeterminedforthesourceandtarget associatedriskabovewhich,requestsaredenied. Eventdatabase.TheeventdatabaseisbackedbyarelationaldatabaseimplementationinthiscaseMuscle.Someofthestructureofthisdatabasewasderivedfrom theIDMEFschema[50].Otherpartsofthestructurewereproducedaspartofalarger ontologyforsecurityassessmentparameters,whichissoontobepublished.Theevent databasecontainsthefollowingtables: 94

PAGE 95

CVSSVulnerabilities-thistablestoresinformationregardingcurrentvulnerabilities fromtheNationalVulnerabilityDatabaseNVD,whichhasadoptedtheCVSS scoringsystem.EachvulnerabilityislistedalongwithitsCVSSbasescore,exploit sub-score,impactsub-score,overallscoreandvector.Thenameofthevulnerability, theproductitaectsandtheversionsofthatproductthatarevulnerablearealso storedinthistable. NetworkAccessRequests-Entriesinthistablearegeneratedonthereceiptofan IDSalertbythealertprocessingengine.TheIPaddressandportofthesourcenode arelistedalongwiththeIPaddressandportofthetargetnode.Thetimeofthe request,actionbeingperformedandtargetentityarealsoincludedinthistable. Files-listingallleentitiesreferencedinrequests;includesthele'spathanda referencetothenodeonwhichtheleishosted Nodes-listingofallnodeentitiesreferencedinrequests;includesthenodesIP address Port-listingofallportsreferencedinrequests;includesthenodethattheportwas on,andtheprotocoltowhichitwasbound User-listingofallusersreferencedinrequests;includestheiruserid IntrusionAssessments-thistablelinksindividualrequeststoanintrusionassessment.Eachassessmentprovidesaclassicationfortheevent,itsseveritywhich maybeprovidedbytheIDSandwhetherornottheattackcompletedsuccessfully. Italsoincludestheidfortheanalyzerwhichproducedtheassessmentandany additionaldatathattheIDSprovides,suchasthepacketpayload,etc. VulnerabilityDescriptions-avulnerabilitydescriptionprovidesinformationona concretesoftwarevulnerability.EachvulnerabilitydescriptionisprovidedbyavulnerabilitydatabaseforthepurposesofthisstudyweonlyuseCVEvulnerabilities becausetheyhaveanobjectivescoringsystem.Eachvulnerabilitydescription, 95

PAGE 96

thereforeonlylinkstooneelementinthetableofCVSSvulnerabilitiesand,consequently,onlyhasonebasescore.ThetablealsostoresthereferencenameandURL, alongwithalinktotheintrusionassessmentwhichreferencesthevulnerability. RequestRiskCache-thistablestoresacalculatedriskvalueforeachrequestidby queryingfortheCVSSscoreforallofthevulnerabilitydescriptionsthatarelinked toanintrusionassessmentandwhichprovideaCVEID.Asmentionedinthe sectiondescribingthemodel,theexponentialaverageofalloftheCVSSscoresfor thevulnerabilitydescriptionsusedinaparticularintrusionassessmentaretaken, andthisvalueisstoredintherequestriskcache.Whenaparticularriskhandler queriestheriskcachetoproduceariskevaluationforaparticularentity,therisk estimateismultipliedbythedecayfactortoproduceadynamicriskestimatefor thatparticularrequest. Dynamicriskmodules. Thethreedynamicriskmodulesimplementthefunctions describedundertheriskmodel.Thefunctionsforeachhandlerarethesame,withthe exceptionoftherststep.Inthecaseofthesourceriskhandler,alloftherequests originatingfromthatsourceareaggregated.Forthetargetriskhandler,alloftherequests directedatthattargetareaggregated.Lastly,forthesystemriskhandler,allofsystem requestsareaggregated.Followingthis,forthoseexistingrequeststhatmaybecachedin therequestriskcache,theestimatevalueispulledandthedecayfunctioniscalculated.If novalueiscached,thentheriskhandlercalculatesariskestimatebyjoiningtherequest, intrusionassessment,vulnerabilitydescriptionandCVSSvulnerabilitytablestondall oftheCVSSscoresforallofthevulnerabilitydescriptionsreferencedasapartofthe intrusionassessmentfortherequest.Basedonthis,astaticriskestimationisproduced andcachedforfutureaccess. Alertprocessingmodule. Thealertprocessingmoduleisresponsibleforextracting theinformationforeachofthetablesmentionedpreviouslyfromthealertsitreceives.In additionitcanperformthefunctionsoflteringoutalertsthatdonotreferenceconcrete 96

PAGE 97

vulnerabilities,oralertsforwhichthevulnerabilitydoesnotmatchthecurrentsystem conguration. ThearchitectureisshowninFigure6-2.Theanalysisserverperformsriskanalysis operations,providingriskassessmentsforvariousentitiessourcesandtargetsbasedon requestsfromtheaccesscontrolsystem.Theintrusiondetectionsystemlistensonthe linkforincomingrequestsandreportsalertsforanyrequeststhatseemintrusiveinthis casespecically,thoserequeststhatappeartobeanattempttoexploitaknownsoftware vulnerability.TherawalertsfromtheIDSarepassedthroughaprocessingmodulethat maylterthealertsusingconcretevulnerabilityorcongurationvericationasmentioned earlier.Finally,thedatafromtheneweventsisstoredinaneventdatabase. TheaccesscontrolsystemusedwiththesecondapproachwastheApachewebserver. Inordertomakeasfewmodicationsaspossibletoitsexistingaccesscontrolpolicy evaluationmechanism,theabilitytomakeandspecifycustomaccesscontrolhandlers forcertainresourceswasutilized.Ratherthanreturningavalueforaspecicattribute andqueryingagainsttheeventdatabasewithintheaccesscontrolhandlers,thequerying andanalysisfunctionswereabstractedintoanexternalanalysisserverthatprovidesrisk analysisasaservice.RequestingaccesscontrolsystemssuchastheApachewebserver implementationsubmitrequeststotheanalysisserverspecifyingthetypeofdesiredrisk analysissource,targetorsystemandtheattributesoftheentitywhichtheanalysis shouldcenteraroundinthecaseofthesourceandtargetanalyses.Basedontherisk assessmentreturnedandtheriskthresholdthatisassignedtothatparticularresourceor actionapermitordenydecisionisreturned. Sourcerestrictionimplementation. Anexcerptfromthehttpd.confleforthe webserverthatestablishestheaccesscontrolhandlerforrestrictingsourcepermissionsis showninFigure6-3.Thisdirectiveestablishesthemodule"SourcePermissionRestrict" asanaccesscontrolhandler.Thismoduleimplementstheattackresponseofrestricting sourcepermission.Inthisparticularexamplevedierentlevelsofgranularityare 97

PAGE 98

established.Action"A1"istheleasttolerantofrisk:athresholdof26issetforthe sourcerisk,abovewhich,requestswillbedenied.Theotheractionsareprogressivelymore risk-tolerant.Thenalthreshold"SourceLockoutThreshold"establishesthatasource willbeblockedfromallactionsonallobjectswhenitssourcerisklevelexceeds41.The correspondingpseudocodeforthehandlerisshowninFigure6-4. Theprocessingstepsforthesourcerestrictionandtargetrestrictionhandlersare relativelythesame,summarizedinthefollowingsteps: 1.Thepropertiesoftherequestsubjectandobjectoftherequestandtheactionbeing performedareextractedfromtheURLandtherequestproperties. 2.Arequesttotheriskanalysisserverisgeneratedspecifyingawhichtypeofanalysis dataisrequiredandbtheidentierforthesubjectorobjectoftherequest 3.Oncetheriskvalueisreturned,itiscomparedwiththethresholdsspeciedinthe congurationletodetermineiftherequestshouldbedenied. 4.Ifnoneofthethresholdsareviolated,therequestispermitted. Forceauthenticationimplementation. Thepolicycongurationfortheaccesscontrol moduletoforceauthenticationisshowninFigure6-5.Theauthenticationmodulewas actuallywrittenasacontenthandler,becausetheAuthenticationhandlersaresomewhat restrictedandwouldnotallowforthetypeofrandomchallengeauthenticationthatwas desiredinthiscase.Theexampleshownestablishesthreeindependentthresholds,anyof whichcouldbeusedtotriggerauthenticationfortherequestingsource.Thecorresponding pseudocodefortheauthenticationmoduleisshowninFigure6-6.Thesystemthreshold ishighertolimitthenumberofauthenticationrequeststhatarenecessarywhenthe riskforaparticularsourceortargetisnotyetatasuspiciouslevel.Italso,however, oersprotectionforas-yetuntouchedresourceswhenthemajorityofintrusivetracis concentratedelsewhereinthesystem.Theanalysisserverreceivesrequestsandthenloads theappropriateriskanalysismodule,dynamicallygeneratingqueriestotheeventdatabase toselecttheappropriateevents.Theriskmodulethengeneratestheriskmeasurewhichis returnedtotheservicerequester. 98

PAGE 99

6.6UpdatesandModicationstotheInitialModelandArchitecture 6.6.1PerformanceIssuesWiththeInitialArchitecture Theproblemwiththeinitialarchitecturewasthefactthattheeventswerebeing aggregatedonthedemandoftheclient,andeachtimearequestwasmadeallofthe relatedeventswerebeingre-examinedandhavingriskvaluesre-calculatedbasedonanew decayfactorthataccountedfortheaccuratetimedierencebetweentherequestandthe timetheeventactuallyoccurred.Asthenumberofeventsthatwerestoredintheevent databaseandneededtobeanalyzedaspartoftheaggregatesetincreased,thetimeto processeachrequestwasalsoincreasing. 6.6.2Solution1:Caching Theschemeforcachingofriskdatareliedonthecreationofabackgroundthread topre-fetchriskdata.Thegoalwastoeliminatetheincreasedresponsetimeproblem describedpreviously.Underthecachingscheme,theanalysisservercreatesabackground threadthatcontinuallyextractsallofthesourcesandtargetsfromtheeventdatabase.It thenevokestheriskhandlersoneachoftheentitiesextracted,producingsource,target andsystemlevelriskwhereappropriateandstoringthedatabackintotheeventdatabase. Whentheanalysisserverreceivesarequestforariskevaluationonasystementity, insteadofinvokingthehandlerforthatindividualrequest,itperformsalookuponthe cachetablesintheeventdatabase. Althoughthecachingapproachaddressedtheissueoftheresponsetimebetweenthe partoftheanalysisserverthatservicesrequestsandthedataconsumer,italsointroduced anotherissue:thetimelinessofthedatathatisreturnedtotheconsumer.Theincreasing timetakentoexecuteacachingrunthatre-calculatestheriskvaluesforsystementitiesis approximatelythesameastheincreasingresponsetimefromtheserver.Intesting,after asignicantnumberofrequests,thetimetakentoperformafullrefreshoftheriskcache foralloftheentitiesbecameprohibitivelylong,suchthatrequestsfromconsumersfor riskinformationwouldreceiveoutdated,inaccurateinformation.Inessence,thecaching 99

PAGE 100

approachdidnotaddressthecomplexityofthealgorithmforriskcalculationapproach whichwastheprimaryreasonfortheincreasingresponsetime-itmerelydetachedthe calculationofanupdatedriskassessmentfromthefulllmentofaclientdatarequest. Thisanalysisledtothedevelopmentofasecondimplementationapproachtoaddress theseshortcomings. 6.6.3Solution2:RedesigningtheAnalysisAlgorithmandRefactoringthe Architecture Thesecondimplementationapproachprovidesmoreecientanalysisofevents-each eventisseenandanalyzedonlyonce,whenitrstarrives.Riskassessmentsforaected entitiesareupdatedwhenanewalertarrives,andthefunctionoftheanalysisserver istopullthestoredassessmentnotcalculateitasbeforeandreturntheresulttothe requestingclient. 6.6.4RevisedRiskAssessmentModel Theriskmagnitudeassignedtoavulnerabilityexploitationattemptisstillthe exponentialaverageofallofthemagnitudesofallofthevulnerabilitiesreferencedinthe alert.Thealgorithmforcalculatingriskbasedonmultipleeventsisnolongeriterative, butrecursive.Thedecayfunctionhasbeenremovedsothattheweightofeachrequest doesnotneedtobere-assessed.Instead,the valueservestoweightthepreviousrisk assessmentfortheentitywithrespecttotheriskassessmentforthenewestevent.This servesthesamefunctionofdecreasingtheinuenceofolderdatainfavorofnewerdata, butdoessoastriggeredbynewevents,andnotmerelyauniformtimedependency. Thisalsoaccommodatesbetterassessingrisktoentitieswithvastlydierentrequest frequencies. R r j = ln X v k V r j e w x SS v k TR t i ;r t +1 = ln e TR t i ;r t + R r t +1 100

PAGE 101

SR s i ;r t +1 = ln e SR s i ;r t + R r t +1 Theset V r j ,withmembers v k isthesetofallvulnerabilityexploitationsignatures triggeredbytherequest r j SS v k isthemagnitudeofthevulnerability v k TR t i ;r t +1 istheriskassessedtothetarget t i asaresultofintrusiverequest r t +1 SR s i ;r t +1 isthe riskassessedtothesource s i asaresultofintrusiverequest r t +1 6.6.5RestructuredArchitecture Theprimarychangetothearchitectureisthedistributionofanalysisfunctions betweenthealertserverresponsibleforcontextacquisitionandtheanalysisserver. Inthepreviousapproach,thealertserveronlyreceivedalerts,extractedthenecessary information,andstoredthemintheeventdatabase.Theanalysisserverwasresponsible forreceivingclientrequestsforriskdata,performingtherequiredanalysisoperationsand thesendingaresponsetotheclient.Thechangeintheriskmodelhowever,demandsthat theupdatingofriskinformationoccursasneweventsareprocessed.Thisrequiresthat theprimaryanalysisfunctionupdatingriskvaluesforentitiesoccursastheeventsare processedandconsequentlymustbeperformedbythealertserver. Anotherchange,usedtofacilitatethepreservationoftheincominganalysisdata, wastoqueueincomingalertsinthedatabaseuntiltheycouldbeprocessedbyoneofthe availableprocessingthreads.Thisallowedthenumberofactivealertprocessingthreadsto bedecreasedsothatthetotalprocessingtimeforeachalertwouldbeless. 6.7Summary Asystemimplementationisdetailedbasedonthegeneralframeworkpreviously discussedandsatisfyingthekeydesigngoalsoutlinedundertheacquisition,analysis andapplicationofcontextinformation.Afederatedapproachisusedthatfollowsthe principlesdiscussedinSection3.2.2andadaptingthecorrelationontologyofSection3.4.5 toarelationaldatabasemodelthatservesastheschemafortheeventdatabasedescribed inSection6.5.Anindependentanalysisserverperformsthefunctionsofaggregating 101

PAGE 102

contextinformationandthendisseminatingit.Theimplementationfocusesononeofthe contextpropertiesdenedintheChapter4ontologyofassessmentproperties-thatof risk.Amodelisdenedforderivingriskinformationfromassessmentsproducedbyan intrusiondetectionsystemonattemptstoexploitsoftwarevulnerabilities.Thismodel designateshowriskisassignedtobothsubjectsandobjectsofaccessrequests.Detailsare alsoprovidedonhowtheanalysisdataisappliedandusedintheaccesscontrolprocess. Context-basedpolicyevaluationpreviouslydiscussedinSection5.2isachievedby providingcustomaccesscontrolhandlersthatinteractwiththeanalysisservertoreceive riskinformation.Theseaccesscontrolhandlersalsoimplementtheresponsetechniques discussedinSection5.3. 102

PAGE 103

Figure6-1.Sampleriskprogressionforanintruderexecutingintrusiverequestsof moderateseverity RequestNumberRiskEstimationNumberofPreviousRequests 100 225.651 332.192 436.113 538.924 641.115 742.916 844.437 945.758 1046.929 1147.9610 1249.7711 1350.5712 1451.9913 1553.2314 1653.815 1754.3416 1854.8517 1955.3418 2055.819 Figure6-2.ArchitecturefortheABACUSframework. 103

PAGE 104

PerlAccessHandlerSourcePermissionRestrict PerlSetVarAction_A1_RiskThreshold26 PerlSetVarAction_A2_RiskThreshold32 PerlSetVarAction_A3_RiskThreshold36 PerlSetVarAction_A4_RiskThreshold39 PerlSetVarSourceLockoutThreshold41 Figure6-3.Apachecongurationdirectivethatestablishesa SourcePermissionRestrict accesshandlertoevaluateallrequeststoresourcesinthedirectory'/s'.The directivealsoestablishesfourriskthresholds,eachforadierentaction.These thresholdsaresubsequentlyusedbytheaccesshandlertocompareagainstthe currentriskevaluationforthesourceoftherequest,withtherequestbeing deniedifthesource'sriskexceedsthethreshold.Thenalvariable SourceLockoutThreshold establishesthatonetheriskattachedtothesource exceeds41,allrequestsfromthatsourcewillbedenied. readthreshold_values; readrequest_properties; requestsource_riskfromanalysisserver; setresponse=OK; ifsource_risk>lockout_threshold {response=DENY_REQUEST;} elseifrequest_action==A1ANDsource_risk>A1_threshold {response=DENY_REQUEST;} elseifrequest_action==A2ANDsource_risk>A2_threshold {response=DENY_REQUEST;} elseifrequest_action==A3ANDsource_risk>A3_threshold {response=DENY_REQUEST;} elseifrequest_action==A4ANDsource_risk>A4_threshold {response=DENY_REQUEST;} returnresponse; Figure6-4.Psuedocodefortheaccesscontrolmodelthatperformsrestrictionofsource permissionsbasedonariskassessmentobtainedfromananalysisserver.It retrievesariskassessmentforthesourcefromtheanalysisserverandthen comparesitwiththeappropriatethresholdfortheactionbeingperformed. 104

PAGE 105

SetHandlerperl-scriptPerlHandlerAuthChain PerlSetVarSystemRiskThreshold55 PerlSetVarSourceRiskThreshold33 PerlSetVarTargetRiskThreshold45 PerlSetVarAuthExpiration300000 Figure6-5.Apachecongurationdirectiveforacustomauthenticationhandler.Three dierentthresholds,orpropertiesareestablishedwhichcouldbeusedto triggertheuseofauthentication.Avalueisalsosetfor AuthExpiration which ensuresthat,oneauthenticated,usersareonlyre-authenticatedevery300 secondveminutesatmost. readthreshold_values; readrequest_properties; requestsource_riskfromanalysis_server; requesttarget_riskfromanalysis_server; requestsystem_riskfromanalysis_server; ifsource_risk>source_thresholdORtarget_risk>target_thresholdORsystem_risk> system_threshold { sendauthentication_request; ifcredentials_incorrect {returnAUTHENTICATION_REQUIRED;} else {returnAUTHENTICATION_GRANTED;} } else{returnNO_AUTHENTICATION_REQUIRED;} Figure6-6.Pseudocodeforauthenticationmodule.Authenticationisrequiredifanyof theestablishedriskthresholdsareexceeded. 105

PAGE 106

CHAPTER7 RESULTS 7.1TestingSetup Hardwaresetup. Allofthetestingtobediscussedwasperformedusingtwo identicalLinuxvirtualimageseachrunningUbuntuLinux8.04witha1.86Ghzprocessor and1GBofRAM.Onemachineservedastheserverandtheotherastheclientortrac generationnode.Theservermachinecontainedthewebserver,IDS,alertserver,analysis serverandeventdatabasementionedinthearchitecture.Forthepurposeoftestingand implementation,thewebserverusedwasApacheversion2.2.10.Snortversion2.8.1was usedastheintrusiondetectionsystem.TheeventdatabasewassupportedbytheMySQL DBMSversion5.0.51.BoththeanalysisandalertprocessingserverswerewritteninJava. TheaccesscontrolmodulesforApachewerewritteninPerlusingmod_perl2.0.4. 7.2ValidationofAnalysisModel Therstsetofresultspertaintotheevaluationoftheriskanalysismodel.Thegoal ofthistestingistodemonstratethefollowing: 1.thattheessentialassumptionofthemodel-thatofescalatingrisk-isvalidfor scenariosthatinvolvesuccessive,relatedintrusionattempts 2.thatthisassumptioncanbevalidatedexperimentallyusingrealdatasets 3.thatvarioustechniquesexist,andcanbeusedeectively,todealwithsomeofthe problemsregardingdataqualityincluding:falsepositivesandfalsenegatives Thedataforthetestswerefromthetherstofthetwoscenario-specicdatasets providedbytheLincolnLaboratory[70].Thedatasetrecordsadistributeddenialof serviceattackandwasdividedintothefollowingvephases:1anIPsweepofthetarget networkfromaremotesite2aprobeofliveIP'stolookforthesadminddaemonrunning onSolarishosts3breakinsviathesadmindvulnerability,bothsuccessfulandunsuccessful onthosehosts4installationofthetrojanmstreamDDoSsoftwareonthreehostsinthe targetnetworkand5launchingthedenialofserviceattack.Initialtestresultsshowed theintruderasdescribedintheprovidedlabelingdatawiththehighestriskratingafter 106

PAGE 107

amajorityoftheattackhadconcluded.Unsatisfactorily,however,duetofalsepositives earlyinthetestssomeothernodeswereinitiallygivenhigherriskratingsduringthe rstphasesoftheattack.Inaddition,theoverallnumberofnodesthatwereassessed aspotentialintruderswashigh.Twodierentalertlteringtechniqueswereapplied,in aneorttoimprovethedataaccuracyandreducefalsepositives.Therstwastousea techniqueproposedin[71]tolteroutalertsthatdonotcorrespondtotheexploitation ofa'concretevulnerability'.Aconcretevulnerabilityisdenedinthiscaseasonewhich islistedintheCVE[72],astandardizeddatabaseforsoftwarevulnerabilities.Inorder tocompileaworkingdatabasetocheckvulnerabilitysignatures,thelatestCVEentries weredownloadedandstoredinarelationaldatabase.Theresultsforthesecondroundof testingusingtheconcretevulnerabilitylteringareshowninFigure7-1onpage118. Thelatterpartoftheriskprogressionisrelativelyatbecausetheintrusiondetection systembeingusedfailedtodetectsomeofthelatereventsinvolvedintheattacksequence. Andwhiletheriskmodeldoesnotmakeprovisionsfordetectingattackswhicharemissed byintrusionassessmentmechanism,theuseofhistoricaldatatoassessthethreatposedby thesourceatleastensuresthatthesamerisklevelbasedonearlierbehaviorismaintained. Inthisway,themodelistolerantofmisseddetections. Theriskassessmentsinthesecondsetoftestresultswerestillsomewhatinaccurate;a numberofnodesonthelocalnetworkwereratedassuspiciousandupuntilapproximately the9thsamplingiterationtheactualintruderdoesnothavethehighestriskrating.Asecondalertlteringtechniquewasusedtofurtherincreasetheaccuracyoftheassessment: congurationverication.Thisissimilartotheapproachofverifyalertsusingnetwork knowledgeasdiscussedin[73,74].Inthiscase,adatabasewasconstructedwithallof theknown,labelednodesinthedataset,theoperatingsystemrunningonthenodeand itsversionoftheoperatingsystem.Eachtimeanalertwasgeneratedthisdatabasewas consultedtoseeifthevulnerabilitybeingreportedactuallymatchedthecongurationof thetargetedmachine.Iftherewasnomatch,thealertwasdiscarded.Usingthesetwo 107

PAGE 108

lteringtechniquesinconjunctiontheriskassessmentreectedthesingle-intrudernature ofthedataset,asshowninFigure7-1. Afterapplyingthelteringtechniques,theresultsfortargetriskestimationwere improved.ResultsfortargetriskestimationareshowninFigure7-2partAandFigure 7-2partB.InthenalriskestimationgraphfortargetednodesFigure7-2partB,only thenodesactuallyattackedarerated,andthosenodesforwhichsuccessfulattacksare launchedareratedwiththehighestriskvalues. 7.3WebServerAttackResistanceResults Thissecondsetoftestingresultsisdesignedtodemonstrateresultsoftestingthe secondofthetwoarchitecturestheriskanalysisserverintegratedwithApachewith realtimeincomingrequests.Inordertoeectivelyillustratetheeectofthethree chosenresponsetechniques,threedierentscenariosweregeneratedwithawebserver tracsimulatorandrequestsweresenttotwodierentwebservers:oneusingthethree analysismodulesdescribedpreviously,andanotheronlyusingthenotionoftheglobal systemthreattotriggerresponsetechniques.Whereasvalidationoftheriskmodelcould beperformedwithacaptureddatasetbeingreplayedoverthenetwork,theuseofthe responsestrategieswillrequireactiveconnectionstotheaccesscontrolsystemandhence demandslivetrac. ThetracsimulatorcreatesanarrayofrequestingnodesSwhere s i isamemberof S,eachwithanintrusivenessrating i r ,aninter-requestperiodpandatotalrequestlife l.ThewebserverisarrangedasanarrayoftargetresourcesTwhere t i isamemberof T.Each t i hasasetofvalidactions a 1 a 2 ,.... a n andinvalidorintrusiveactions i 1 i 2 ,... i k .Everypsecondsorarandomnumberofsecondsbetween0andp,requestsource s i selectsamemberofTandthenbasedonitsintrusivenessrating,selectseitheranormal orintrusiveactiontoperformontheresource.Sourceswithahigher i r haveagreater probabilityofselectinganintrusiveactionforeachrequest.Inpractice,theseintrusiveness ormaliciousnessratingsrangefrom0%to90%. 108

PAGE 109

Fortheriskanalysismodel,vulnerabilityweightingswerethefollowing:highseverity w H =3 ,mediumseverity w M =2 andlowseverity w L =1 .Theriskmultiplier wassetto10,toprovideamorenoticeabledierencebetweenvariousassessments. Scenario1:singleintruder,vulnerabilityprobing. Inthisrstscenario,a singleintruderexecutesintrusiverequestsonseveralsystemresources-amethodindicativeofprobingforwhichvulnerabilitieshavebeenpatchedorwhichcongurationholes havebeenclosed.Therestofthesourcesgeneratingsystemrequestsarenormalusersexecutinglittleornorequeststhatcouldbecategorizedasintrusive.Therequestswere generatedoverthecourseofathreehoursimulation.Therequesttracefortheintruder demonstratesthatrequestsfordierentactionsaredeniedbasedonhisoverallriskprole andeventuallytheintruderislockedoutfromallsystemrequests.Meanwhile,requests fromtheotherusersarestillpermitted.Asummaryoftheresultsforasimulationofthis scenarioarepresentedinTable7-1.Figure7-4chartsthegrowthoftheriskassessedto theintruder.Inthisscenarioalloftheintrusiverequestswerefromthesingleintruder. Server1begantodenyrequestsfromtheintruderaftertheirsourceriskpassedthethresholdof45.Thenormalrequestsblockedbyserver1werealsofromtheintruder.Oncethe systemriskforserver2passesthethreshold,itbeginstodenyrequestsfromallsources. Thecongurationdirectivesusedinthetwoserversduringthisscenarioareshownin Figure7-3. Scenario2:multipleintruders,singletarget,many-to-oneattack. Inthe secondscenario,multipleintruderstargetthesameresourcewithtwodierentattacks. Thiscouldcorrespondtothepublicationofanewvulnerabilityforanexistingservice.In theinterimperiodsomenon-intrusiverequestsareallowedontheresource,butwhenthe targetriskreachesthethreshold,allrequeststothetargetaredenied.Asummaryofthe resultsforasimulationofthisscenarioarepresentedinTable7-2.Thegrowthoftherisk assessedtothetargetischartedinFigure7-6. 109

PAGE 110

Thetestingforscenariotwodemonstratesthatusingtargetriskwhenaparticular resourceisbeingtargetedcanincreasethenumberofintrusiverequeststhatareblocked whilemaintainingavailabilityfortheothersystemresources.Duringthissimulation, boththesystemriskandthetargetriskforthetargetedresourcepeakedat83.Thiswas duetothefactthatalloftheintrusiverequestsintheentiresystemweredirectedatthe sameresource.Whilethesystemriskthresholdcouldhavebeenraisedtodecreasethe percentageofnormalrequeststhatweredenied,itwouldhavealsoincreasedthenumber ofintrusiverequeststhatwereblocked.Thecongurationdirectivesusedinthetwo serversduringthisscenarioareshowninFigure7-5. Scenario3:multipleattackersonvariousresources. Inthethirdscenario, multipleintrudersattackmultiplesystemresources.Thiscouldcorrespondtoasystem withhightraclevelsthatseesexploitationattemptsonmultipleresourcesfrommultiple sourcesinagivenperiodoftime.Usingbothsourceandtargetrisklevels,requestsat variouspointsintheoverallrequesttracearerespondedtobyarequestforauthentication.Eventuallywhenthesystemrisklevelpassesthethreshold,allinitialrequestsare respondedtobyrequestsforauthentication.Asummaryoftheresultsforasimulation ofthisscenarioarepresentedinTable7-3.Thesimulationwasrunforapproximately2.5 hourswithnodesgeneratingrequestsatalllevelsofmaliciousnessandthusthereisno clearintruder. Duetotheuseofsource,targetandsystemriskinformation,thepolicyforserverone wasstricter.Despitethis,theproportionofnon-intrusiverequeststhatwereresponded tobyarequestforauthenticationwasonlyfourpercenthigherthanforservertwo.This numberofnon-intrusiverequestsalsoincludesrequestsfromnodeswithhighmaliciousness ratingssuchas90%,whichwouldotherwisebedeemedintrudersbutwereclassied atnon-intrusivebecausetheparticularrequestbeingclassiedwasnotintrusive.The congurationdirectivesusedduringthisscenarioareshowninFigure7-7.Thepolicyused fortheserverwithintheABACUSframeworkwasmorestringentthantheserveronly 110

PAGE 111

usingsystemrisk.Theformerusedthreedierentriskpropertiestotriggerauthentication, butonlyexperienceda3.9%increaseinthenumberofnon-intrusiverequests. Theresultsforthisscenarioessentiallyrepresentthebehaviorofanauthentication mechanismthathasanimmediateexpirationofauthenticationcredentialsafterauthenticationandthusre-authenticatesforeachrequest.Inasimulationinvolvinghumanusers whowouldbecapableofsuccessfullycompletingauthentication,manyofthesubsequent authenticationrequestswouldbeeliminatedbyalongerperiodbeforetheexpirationof theauthentication.Insuchsituationswhereahighpercentageoftherequestsarebeing authenticated,theservercouldpotentiallycutoverallresponsetimebybypassingthe requestforanalysisdatafromtheanalysisserverwhichtypicallydominatesthelength oftheresponseandjustauthenticatingeachrequestimmediately.Thiswouldmovethe numberofnon-intrusiveandintrusiverequestsauthenticatedto100%whenthesystem riskreachesasucientlevel.However,iftheprocessofauthenticationrequiresmoretime thantherequestforanalysisdataitmightstillbeslightlymoreecienttoeliminatesome ofthetheauthenticationrequests;intheend,thisishighlydependentontherelativetime requiredforeachprocess. 7.4PerformanceAnalysis 7.4.1PerformanceTestingMethodology InordertocomparetheperformanceofthenalversionoftheAbacusframework againsttheearlierversionandalsoagainstanormalApachewebserver,eachserverwas stress-tested.Thispartofthetestingreliedonaregressiontestingandbenchmarking utilitycalledSiege[75].Thebasicaimofthistestingwastoexaminethebehaviorof eachserversubjecttoincreasingload.Thefollowingparameterswereusedinthetesting process: Numberofclients-withtheuseofawrapperforSiegecalledBombard,theuseris abletospecifyaninitialnumberofclientsanincrementofhowmanyclientstheload 111

PAGE 112

shouldbeincreasedbyforeachiterationandatotalnumberofiterationswhichalso limitsthemaximumnumberofclients AsetofURLs-thesameURLsfromthescenariotestingwereusedbothnormal andintrusive.Theywereplacedinacongurationleandreadintomemorybythe utilitywhenitstarts.TheclientsthenrandomlyrequestoneoftheURLsinthele foreachrequest. Delaybetweenrequests-beforeeachrequest,theclientwaitsarandomnumberof secondsbetween0andd,wheredisthemaximumdelaybetweenrequestsspecied bytheuser Bytestinginthisway,wehopetodrawconclusionsonthefollowing:thedegreeof improvementprovidedbythethirditerationoftheAbacusframeworkovertherst, thepointatwhicheachoftheservertypesbecomeoverwhelmedgiventhehardware constraintsaswellasthespecicreasonsthataccountfortheperformancedierences. 7.4.2PerformanceofInitialAbacusFramework InFigure7-8thetimetoserverequestsonServer1isshownasthenumberof requestsincreases.Forthecollectionofthisdata,thesimulatorwassettogenerate3 hoursoftracfrom10dierentnodes,onlyoneofthemexecutingintrusiverequests scenariooneasdescribedabove.Inpartaofthegurethetimetoserveisshownfor alloftherequests.Inpartb,onlythetimetoserverequestsfromtheintruderisshownthisgraphhasthesamelinearlyincreasingpatternthatisapparentwhenlookingatthe peaksofthegraphinparta.InpartcofFigure7-8thetimetakentoserverequestsfrom thenon-intrudernodesisgraphed.Thetimetoservetheserequestsremainedrelatively constantthroughouttheentiresimulation,oscillatingbetweenzeroandoneseconds.The reasonthattheincreaseonlyoccuredfortheintrudernodeisthatwhenthewebserver requestsriskdataonthatnode,thereisaconstantlyincreasingamountofeventdatato analyze.Fortheothernodes,thereisnosuchincreaseofdatatoanalyzeand,asaresult, requestsareservedinthesameamountoftimeforthedurationofthesimulation.This 112

PAGE 113

isundesirable,however,andcouldpotentiallycreateascalabilityissueinscenarioswhere therearemorenodeswithintrusivebehavior.Inordertoamelioratetheseperformance issues,acachingschemewasdevisedtofacilitatefastergenerationofriskdata. 7.4.3PerformanceofAbacusFrameworkwithRecursiveAnalysisModel Afteradaptingtheanalysismodelasdescribedin6.6toberecursiveinsteadofthe previousiterativeformulationandmodifyingthealertservertomaketheupdatesfor theriskvaluesasnewdatacamein,theperformanceoftheframeworkwasimproved signicantly.Whereastherstversionwasnotstablewithtenconcurrentusers,the modicationsallowedtheframeworktohandleupto100concurrentusersstablyfor anindeniteperiodoftime.Thisdemonstratesthatthemodicationsmadetothe modelenabletheframeworktoprocessincomingrequestswithoutnoticinganincrease inresponsetimeforincreasedamountsofdata,whichwastheproblemintheprevious version.ThegraphsinFigures7-9and7-10summarizetheperformanceofthedierent aspectsoftheframework.Thewebserverandanalysisserverexperiencedsomelocal spikesbasedontheshortdelaybetweensubsequentrequestsfromthestresstesting application,butoverallmaintainedaconsistentresponsetime.Thealertserversee graphsinFigure7-10experiencedaninitialspikeinprocessingtimeduetoprovisioning newthreadstoprocessthehighvolumeofincomingalerts.Performancestabilizedquickly andremainedstablethroughouttheremainderofthesimulation. 7.4.4PerformanceComparisonforABACUSFrameworkandOrdinary ApacheWebserver Results. Figures7-12and7-13summarizetheserverresponsetime,concurrencyand transactionrateasseenfromtheclientforthreedierentservertypes:anormalApache webserver,withnointegrationofriskinformation,anApacheserverintegratedwiththe rstversionoftheanalysisframeworkasdiscussedaboveAbacusServerversionone, andanApacheserverintegratedwiththenalversionoftheanalysisframeworkAbacus Serverversiontwo.Therangeofdelaybetweenrequestsdiersbetweenthetwogures: 113

PAGE 114

inFigure7-12alltestingthreadswereconguredtodelaybetween0and1secondbefore initiatinganotherrequest.InFigure7-13therangewasbetween0and10seconds. Figure7-12indicatesthattheAbacusFrameworkversiontwowasabletoserve 100simulatedclientswitharesponsetimeof5.16comparedto1.73secondsforthe unmodiedApachewebserver.AtthisloadtheAbacusFrameworkwasmaintainingthe requestfrequencywithoutanoticeableincreaseinprocessingtimeduringtheduration ofthetest,asdemonstratedbyFigure7-9.Figure7-13wherethedelayforthestress testingsimulationwasbetween0and10secondsforsubsequentrequestsplacesthe maximumnumberofclientsat210witharesponsetimeof6.35beforetheresponsetime spikedatthenextincrementofclients.Whatisconsistentinbothgures,however,is thetransactionrateortheaveragenumberofconnectionsprocessedpersecond.With thedelaybetweenzeroandone,themaximumtransactionratewas18.76andwith thedelaybetweenzeroandten,themaximumwas18.Afewindividualsimulationsat highernumbersofconnectingclientswererunandtheresultsareshowninFigure7-11. Thesegures,particularlypartsBandCdemonstratethattheincreasingresponsetime generatesmoretimeoutsathigherconcurrency,becausethereisalsoahigherrateof incomingconnections.PartCinparticular,where200simulatedclientswereused,shows theeectonresponsetimefromalargenumberofrequesttimeouts. Discussion. Itwouldbediculttosaythattherstversionoftheframework beforethecachingapproachcouldrealisticallysupportanynumberofusersforan extendedperiodoftime.AsshowninFigure7-8partA,thetimetoserverequestsforthe rstversionoftheserverwasincreasingevenwhenthenumberofsimulatedclientswas heldconstantatten.Theperformancedeterminantfortherstversionoftheframework wasthenumberofrequests:increasingthenumberofsimulatedclientsjustcausedthe numberofrequeststoincreasemorerapidly.Thetimetoserviceeachrequestwaslinear inthenumberofrequeststhattheserverhadreceiveduptothatpoint.Thecaching 114

PAGE 115

approachallowedforaconstanttimetoserveeachrequest,butattheexpenseofdata accuracy,wherethealgorithmiccomplexitywasstillthesame. Itislikelythattheresourcesoftheservermachinewereexhaustedwhenthetests movedtohighernumbersofsimulatedclients110forthehigherfrequencyteststhanthe servertransactionratecouldhandleandnewconnectionswerestillcominginresultingin queuing.TheApachewebserverlimitsthenumberofforkedclientprocessesto256by defaultthislimitiscompiledintothesoftware.Itappearsbasedonthedatathatatthe failurepoints,whentheresponsetimespikes,theserverresourceswereexhaustedbefore thelimitof256clientprocessesbytheincreasingnumberofforkedclientprocesses beingcreatedbytheApacheserver.Duringtesting,thisledtoincidenceswherethe servermachinelockedupandrequiredrestartingwhentestingwithboththeABACUS frameworkandwiththeunmodiedApacheserver.Thisiscorroboratedbythefactthat theunmodiedApachewebserverfailedinasimilarwayalbeitatahighertransaction rate. AratelimitingmechanismwasbuiltintotheAbacusFrameworkv3wherebyonce acertainnumberofrequestsarequeued,theserverbeginstodenyincomingrequests untilmoreworkerprocessesbecomeavailabletoavoidforkingtoomanyprocessesto serverequests.TheApacheserveraccesslogsduringthesetestsdemonstratethatsome oftherequestsforanalysisdatafromthewebserveraccesscontrolmoduleswerebeing deniedtodueincreasingload;atthesametime,however,theApachewebserverwas stillacceptingandqueuingnewclientconnections.Insummary,thetestingfailureofthe AbacusFrameworkwasduetothedicultyincontrollingserverresources:inparticular ofeectivelylimitingtheincomingclientconnectionsinthefaceofincreasedconcurrency andthereforeincreasedresponsetimeperrequest.Amorerobustsetoftestingconditions wouldlikelyyieldbetterresults. Withthatsaid,thepeaktransactionratefortheAbacusFrameworkv3wasstill15.53 transactionspersecondataresponserateof5.73seconds.Thisroughlyequatesto931.8 115

PAGE 116

transactionsaminute,55,908transactionsanhourand1,341,792transactionsperday.By wayofcomparison,accordingtoCompete.com[76]webstatistics,Facebook.comreceived 874,806,456pagevisitsinDecember2008withanaverageof62.1pagesaccessedpervisit foratotalof54,325,480,917.6pageaccessinDecember,or1,810,849,363.92pageaccesses eachday.TheUFL.EDUdomainandallofitssubdomainsreceived2,385,137visits inthemonthofDecember2008,withanaverageof17.5pagespervisitor41,739,897.5 pageviewsinthatmonth.Thisequatesto1,391,329.9pageviewsperday.Table7-4 summarizesstatisticsforthreetopwebsites,whileTable7-5providesanestimateforthe peakperformanceoftheABACUSframeworkundercurrenttestingconditions.Based onthisdata,wecancanconcludethattheproposedapproachcouldbeimplementedin alarge,hightracwebsite-particularlywithdedicatedserverhardwarewithincreased performance. ThedataalsodemonstratesthatfailureofasimilarnatureoccursfortheApacheweb serverinisolation.Becausetherewasaslowergrowthinresponsetimeperrequest,the Apacheserverinisolationwasabletohandleagreaternumberofclientconnectionsbefore failure,butwhenthefailurehappened,itmanifestedwithmuchthesamebehavioraswas displayedwhentestingthenalversionoftheAbacusFramework. Figure7-14representsthefactorofincreaseintheresponsetimeforthewebserver intheABACUSframeworkcomparedwiththeresponsetimeofthenormalApacheweb server.Afteraninitialspikeinrequesttimeduetoprovisioningofserverresources,the responsetimeincreasefactorstabilizesatapproximatelythree,meaningthatduring themajorityofthetestingperiodtheaveragerequesttotheABACUSframeworktook threetimesaslongtoprocessasarequesttoanormalApachewebserver.Thegure alsoshowsasharpincreaseat110simulatedclientswhichiswherethesimulationrst recordedasignicantnumberoftimeoutsfortheABACUSframework,butwherethe normalApachewebserverremainedstable.Thisincreasefactorislikelyaresultof thefollowingadditionalstepstakenbeforearesponseisgeneratedintheframework: 116

PAGE 117

theaccesscontrolhandlergeneratingarequestforriskinformation,theanalysisserver performingthenecessaryqueriestotheeventdatabaseandformulatingaresponsebackto thewebserver.Inaddition,whiletheanalysisserverandwebserverwererunning,some ofthesystemresourceswereconsistentlybeingconsumedbytheserverresponsiblefor receivingandlteringIDSinformationwhichwasnotrunningalongwiththestandalone webserver. 117

PAGE 118

A B Figure7-1.Simulationresultsfromthevalidationoftheanalysismodelshowingrisk estimatesforthesourcesdetectedasintrusive.Ausingonlyconcrete vulnerabilitylteringBusingconcretevulnerabilitylteringand congurationverication. 118

PAGE 119

A B Figure7-2.Simulationresultsfromthevalidationoftheanalysismodelshowingrisk estimatesfortargetsbeingattackedbyintrusiverequests.Ausingonly concretevulnerabilitylteringBusingconcretevulnerabilitylteringand congurationverication. Table7-1.Asummaryofthesimulationresultsforscenarioonesimulatinganattackfrom asinglesourceonmultiplesystemresources. PropertymeasuredServer1sourceriskServer2systemrisk Totalrequests24722472 Totalintrusiverequests230230 Intrusiverequestsdenied229179 Percentagedenied99.5%77.8% Totalnormalrequests22422242 Normalrequestsdenied161751 Percentagedenied.7%78.1% 119

PAGE 120

A B Figure7-3.Accesscontrolpoliciesforthetwoserversduringscenarioonewhilesimulating anattackfromasinglesourceonmultiplesystemresources.AservertwoB serverone.TherstpolicyAestablishesanaccesshandlerthatusessystem levelriskdataandsetsathresholdof65forthesystemrisk,beyondwhich, requestswillbedenied.ThesecondpolicyBestablishesanaccesshandler thatusessourceriskdataandsetsathresholdof45forthesourcerisk, beyondwhich,requestsfromthatsourcewillbedenied. Figure7-4.Thegrowthoftheriskfromtheintruderinscenarioone. StatisticSystem1targetriskSystem2systemrisk Totalrequests10231023 Totalintrusiverequests320320 Intrusiverequestsblocked319274 Percentagedenied93.5%85.6% Totalnormalrequests703703 Normalrequestsdenied65588 Percentagedenied9.2%83.6% Table7-2.Asummaryofthesimulationresultsfromscenariotwowhilesimulatingan attackfrommultiplesourcesonasinglesystemresource. 120

PAGE 121

A B Figure7-5.Accesscontrolpoliciesforthetwoserversduringscenariotwowhilesimulating anattackfrommultiplesourcesonasinglesystemresource.AservertwoB serverone.TherstpolicyAestablishesanaccesshandlerthatusessystem levelriskdataandsetsathresholdof65forthesystemrisk,beyondwhich, requestswillbedenied.ThesecondpolicyBestablishesanaccesshandler thatusestargetriskdataandsetsathresholdof45forthetargetrisk,beyond which,requeststothattargetwillbedenied. Figure7-6.Thegrowthofriskforthetargetedresourceinscenariotwo. Table7-3.Asummaryofthesimulationresultsfromscenariothreewhilesimulatingan attackfrommultiplesourcesonmultiplesystemresources. StatisticServer1Server2 Totalrequestsreceived875875 Totalintrusiverequests437437 Intrusiverequestsauthenticated409252 Percentageauthenticated93.5%57.7% Totalnon-intrusiverequests438438 Non-intrusiverequestsauthenticated385368 Percentageauthenticated87.9%84% 121

PAGE 122

A B Figure7-7.Accesscontrolpoliciesforthetwoserversduringscenariothreewhile simulatinganattackfrommultiplesourcesonmultiplesystemresources.A servertwoBserverone.TherstpolicyAestablishesanaccesshandler thatusessystemlevelriskdataandsetsathresholdof65forthesystemrisk, beyondwhich,requestswillbedenied.ThesecondpolicyBestablishesan accesshandlerthatusesthreedierentriskpropertiestotriggerthe requirementofauthentication.Thesystemriskthresholdis65,thesourcerisk thresholdis33andthetargetriskthresholdis45.Atimelimitforthe expirationofavalidauthenticationissetat300secondsusingthe AuthExpiration property. 122

PAGE 123

A B C Figure7-8.StatisticsforABACUSframeworkversion1duringasimulationwithten concurrentusers,oneofwhichwasanintruder.Graphsshowtimetoserve requestsfordierentbreakdownsofthesetofrequestingusers.Arequests fromallusersBrequestsfromtheintruderCrequestsfromnon-intrusive users.Thesegraphsestablishthatthetimetoprocessrequestswasincreasing throughoutthesimulationandthatthiswasduetotheincreasedtimeintook toprocessrequestsfromtheintruderthatrequiredmoredatatobeaggregated andanalyzedinordertoproduceariskassessment. 123

PAGE 124

A B Figure7-9.StatisticsforABACUSframeworkversiontwo.Atimetoserverequestsfor thewebserverBtimetoserverequestsfortheanalysisserver.Thegraphs correspondtoasimulationwith100concurrentusersfortheentiredurationof thetest10minutestresstest. 124

PAGE 125

A B Figure7-10.StatisticsforABACUSframeworkversiontwo.AalertprocessingtimeB alertreceivingtime.Thegraphscorrespondtoasimulationwith100 concurrentusersfortheentiredurationofthetest10minutestresstest. 125

PAGE 126

A B C Figure7-11.AdditionalstressteststatisticsforABACUSframeworkversiontwo.Ausing 110concurrentclientsBusing175concurrentclientsCusing200 concurrentclients. 126

PAGE 127

A B C Figure7-12.Webservercomparisonusingarandomizeddelayfrom0and1second betweenrequests.AresponsetimeBconcurrencyCtransactionrate 127

PAGE 128

A B C Figure7-13.Webservercomparisonusingarandomizeddelayfrom0and10seconds betweenrequests.AresponsetimeBconcurrencyCtransactionrate. 128

PAGE 129

Table7-4.TracstatisticsforthreetopwebsitesinDecember2008. DomainVisits/MonthPages/VisitPageViews/MonthPageViews/Day Yahoo.com2,211,018,10219.442,893,751,178.81,429,791,705.96 Facebook.com874,806,45662.154,325,480,917.61,810,849,363.92 U.edu2,385,13717.541,739,897.51,391,329.9 Table7-5.EstimatedpeakperformanceforABACUSframeworkwithcurrenttesting constraints. Transactions/SecResponseRatesecTransactions/HourTransactions/Day 15.535.7355,9081,341,792 Figure7-14.SummaryofthefactorincreaseinwebserverresponsetimefortheABACUS frameworkversiontwocomparedtotheperformanceofanunmodiedweb server. 129

PAGE 130

CHAPTER8 CONCLUSIONS Theaimofthisstudywasprimarilytwofold:rstly,todemonstrateacohesive, generalapproachtodesigningandconstructingcontext-awareoradaptivesecurity mechanismsandsecondlytodemonstratetheapplicationofthoseprinciplesbydesigning suchasystemanddemonstratingitsfeasibilityandeectiveness. 8.1ConclusionsProducedByExaminationoftheGeneralApproach Thedesigndecisionwasmadethatthenebulousconceptofcontextawarenesswas bestevidencedbycontext-awarebehavior,orbehaviortodemonstratesanawarenessof changingsystemstate.Theprocessofmakingadecisionawareofcontextwasabstracted intothreephases:acquiringthatdata,analyzingitandapplyingitinthedecisionmaking process. 8.1.1DataAcquisition Acquisitionwasapproachedasanintegrationissue,particularwithregardstothe integrationofsecuritymechanismsthatoftenexhibithighdegreesofautonomy,heterogeneityanddistribution.Thetrade-osbetweentwodierentintegrationapproacheswere discussedatlength.Whileaverticalintegrationstrategyprovidesatightandseamless integration,itisalsoverydiculttoextend.Thethreefactorsmentionedpreviouslyautonomy,heterogeneityanddistributionareessentiallydealtwithbymergingthedistinct mechanismsintoone.Horizontalintegrationpresentsmanychallengesandrequirestheuse ofindividualintegrationtechniquestodealwithdata,controlandprocessintegration.The result,however,isahighlyextendablesystem. 8.1.2DataAnalysis Oneoftheprimaryconclusionsregardingdataanalysiswasthatthisphasemust produceconcrete,quantiable,actionabledata.Thisconclusionseemsintuitive,but contrastsstarklywithmanyoftheeortsforanalyzingsecuritydata,particularlythat whichcomesfromintrusiondetectionsystems.Oneoftheprimaryobstaclespreventing 130

PAGE 131

dataanalysistechniquesfromimprovinginastructuredwaywasthelackofanexplicit frameworkwithinwhichspecicassessmentpropertiescouldbedenedprecisely.Terms suchasthreatandriskareusedfrequentlyintheliterature,butrarely-ifever-given explicitdenitionsthatcoulddistinguishthemfromrelatedterms.Forthisreasonan ontologyofassessmentpropertieswasdevelopedthatincorporatesthemostcritical securitypropertieswithdenitionsbasedonindustrystandardssuchasCVSSand IDMEF. 8.2ConclusionsOntheImplementationandTestingoftheConcrete Implementation 8.2.1DataQuality Oneofthecriticalissuesthatwereconfrontedduringthisinvestigationwastheaccuracyoftheassessmentdata.Twodierentlteringtechniqueswereemployedinorder toincreasedataaccuracybyeliminatingfalsepositives.Therstwasconcretevulnerabilityltering,whichallowedustoeliminateincomingalertsthatdidnotcorrespondtoa specic,exploitablesoftwarevulnerability.ThiswasdonebyverifyingthatthealertreferencedanentryinthecommonvulnerabilitiesandexposuresdatabaseCVE.Thesecond techniqueusedtoimprovethequalityoftheincomingdatawascongurationverication. Byemployingcongurationverication,thesystemonlyconsideredalertsthatpresented arealizablethreattooneofthenodesorservicesbeingmonitoredbytheframework.This approachinvolvedaugmentingthelocalsystemvulnerabilitydatabasewithinformation regardingtheaectedsoftwareforeachvulnerability.Simultaneously,adatabaseoflocal systemnodes,thesoftwarerunningonthemandversioninformationforeachsoftware productisestablished.Bycheckingthattheincomingvulnerabilityexploitationattempt wouldactuallyaecttheversionofsoftwarerunningonthenode,manyofthefalsepositivesgeneratedduringtestingwereeliminated.Thesetwostrategieswerekeyinincreasing thequalityofincomingdataandconsequentlytheaccuracyoftheattackresponses. 131

PAGE 132

8.2.2ChangesFromtheGeneralApproachtotheConcreteImplementation ExtensivetestingandmultipleiterationsoftheAbacusframeworkledtotheconclusionthatalthoughtheprocessofcontext-awaredecisionmakingmaybeabstracted intothreeprocesses,theinstantiationofthoseprocessesintoactualsoftwaremodulesmay requiresomeadaptation.Thebestperformancewasachievedwithanimplementation thatvirtuallyjoinedtheacquisitionandanalysisphases,suchthatalloftheanalysistasks wereperformedasnewdatawasacquired.Theinitialstrategyofgeneratingtheanalysis datawhenitwasrequestedbytheclientprovedtobeprohibitivelyslowgiventheamount ofdatabeinggeneratedinthesystem.Thisstrategy,however,wasonlyfeasiblebecause thesystemwaseventbasedessentiallythatthedatawasdiscreteandnotcontinuous. Forsystemswheretherearenosucheventstotriggertheanalysistasksitwillstillbe necessarytocollectthedataandperformtheanalysistaskswhentheinformationisrequested-althoughinthesecases,therewillbenosuchtimepenaltyforanalyzingmultiple events.Theonlyothersituationtofavortheon-demandanalysiswouldbewheremostof theincomingdataprovedtobeirrelevanttothenalanalysisandthuspayingthetime penaltyforanalyzingeacheventwouldproveunreasonable. Anotherkeyquestionthatneededtobeansweredwashowtodesignanattack responsethatwastemperedandstilleective.Wechosetouseastrategyofrestricting accesspermissionsastheresponsetolikelyintrusivebehavior.Thisresponsewasin concertwiththeapplicationdomainbeinginvestigatedanditwasalsolessinvasivethan otherresponsetechniquesintheliteraturethatinvolvetakingactionagainstthesuspected intruder.Ariskassessmentwassynthesizedfromtheprovideddataonvulnerability exploitationattemptsinordertoprovideaquantiablemeasurementofthechanging stateofsystementitiesinrelationtotheirprospectofbeingattacked.Becausetherisk assessmentswerecalculatedforindividualsystementities,theassessmentdataalso allowedformoregranularresponses. 132

PAGE 133

8.2.3EectivenessandPerformance Oneoftheimportantconclusionswecandrawfromthetestingdatafortheproposed approachisthefeasibilityofadaptivesecuritymechanisms.Theactualresultsofthe attacksimulationsshowedamarkedimprovementfortheratioofintrusiverequests thatweredeniedusingtheriskassessments.Inthescenariothatsimulatedanattacker performingvulnerabilityprobingagainstthewebserver,99%oftheintrusiverequests weredenied,whileonly.7%ofthenormalrequestsweredenied.Inthecaseofmultiple intrudersforonetargetattack,theframeworkdenied93.5%oftheintrusiverequestswhile onlydenying9.2%ofthenon-intrusiverequests.Eveninthescenarioofmultipleintruders onmultipleresources,whereauthenticationwasemployedasaresponse,moreintrusive requestswereauthenticatedthannon-intrusiveones.5%to87.9%,respectively, leadingtoamoreecientuseofresourcesovertheapproachofauthenticatingallrequests insituationsofelevatedrisk. Theperformanceoftheframeworkwasanotheraspectoftheapproachthatneeded tobedemonstratedandvalidated.Thetestingresultsshowedthattheframework,given limitedserverresources,wasabletoreceiveandprocessrequestsatarateofover1.3 millionperday,exceedingtheprocessingrequirementsformanyhightracdomainsand websites. 8.3FutureWork Theareaofdesigningadaptivesecuritymechanismsisverybroadandthereremains asignicantamountofworktoprovidesystemswithsuchcapabilitiesthataresuitable forusebyindustryandthegeneralpublic.Thesystemforacquiringcontextdatacould beextendedtoincludeagreatervarietyofsensors.Othertypesofcorrelationbesides matchingvaluescouldalsobeincorporatedintotheacquisitionapproachtoenable assessmentsthataremorepredictive. Areasoningenginebasedontheproposedassessmentontologycouldbeaddedtothe analysisservertomakeallofthedierenttypesofassessmentsavailableattheapplication 133

PAGE 134

phase.This,however,wouldalsodemandthatawidevarietyofsensorsareintegratedin theacquisitionphasesothatthenecessaryinputsarepresent. Thevariousserversalertandanalysiscouldberelocatedtoindependentmulti-core machinestoinvestigatetheimpactofgreaterparallelismonexpandingthecapabilitiesfor thehandlingofcontextinformation.Additionalmeasurestosecurethedatatransmissions betweensecuritycomponentscouldalsobeadded. 134

PAGE 135

REFERENCES [1]CERTCoordinationCenter,Overviewofattacktrends,2002. [2]IBMGlobalTechnologyServices,IBMInternetSecuritySystemsX-force2007Trend Statistics,tech.rep.,InternetSecuritySystems-IBMGlobalTechnologyServices, 2007. [3]E.BertinoandL.D.Martino,Aservice-orientedapproachtosecurity-concepts andissues,in ISADS'07:ProceedingsoftheEighthInternationalSymposium onAutonomousDecentralizedSystems ,Washington,DC,USA,pp.7,IEEE ComputerSociety,2007. [4]R.SandhuandP.Samarati,Authentication,accesscontrol,andaudit, ACM Comput.Surv. ,vol.28,pp.241,1996. [5]S.Axelsson,Thebase-ratefallacyandthedicultyofintrusiondetection, ACM TransactionsonInformationandSystemSecurityTISSEC ,vol.3,pp.186, 2000. [6]C.Abad,J.Taylor,C.Sengul,W.Yurcik,Y.Zhou,andK.Rowe,Logcorrelationfor intrusiondetection:aproofofconcept, ComputerSecurityApplicationsConference, 2003.Proceedings.19thAnnual ,pp.255,2003. [7]N.Carey,A.Clark,andG.Mohay, IDSInteroperabilityandCorrelationUsing IDMEFandCommoditySystems ,pp.252.2002. [8]F.CuppensandA.Miege,Alertcorrelationinacooperativeintrusiondetection framework, SecurityandPrivacy,2002.Proceedings.2002IEEESymposiumon pp.202,2002. [9]H.DebarandA.Wespi,Aggregationandcorrelationofintrusion-detectionalerts, RAID'00:Proceedingsofthe4thInternationalSymposiumonRecentAdvancesin IntrusionDetection ,pp.85,2001. [10]B.Morin,L.M,H.Debar,andM.Ducass, M2D2:AFormalDataModelforIDS AlertCorrelation ,vol.RecentAdvancesinIntrusionDetectionof LectureNotesin ComputerScience .SpringerBerlin/Heidelberg,October2002. [11]P.Ning,Y.Cui,andD.S.Reeves, AnalyzingIntensiveIntrusionAlertsviaCorrelation ,vol.ProceedingsofRecentAdvancesinIntrusionDetection:5thInternational Symposium,RAID2002,Zurich,Switzerland,October16-18,2002,pp.74.2002. [12]P.A.Porras,M.W.Fong,andA.Valdes, AMission-Impact-BasedApproachto INFOSECAlarmCorrelation ,pp.95.2002. [13]V.Yegneswaran,P.Barford,andS.Jha,Globalintrusiondetectioninthedomino overlaysystem,in InProceedingsofNetworkandDistributedSystemSecurity SymposiumNDSS ,2004. 135

PAGE 136

[14]Symantec,Deepsightthreatmanagementsystem.https://tms.symantec.com/,2008. [15]MyNetWatchman,http://mynetwatchman.com/,2008. [16]Dshield,http://www.dshield.org,2008. [17]K.Henricksen,J.Indulska,andA.Rakotonirainy, ModelingContextInformationin PervasiveComputingSystems ,pp.79.2002. [18]T.Gu,H.K.Pung,andD.Q.Zhang,Aservice-orientedmiddlewareforbuilding context-awareservices, JournalofNetworkandComputerApplications ,vol.28, pp.1,2005. [19]Context, TheAmericanHeritageDictionaryoftheEnglishLanguage,Fourth Edition ,Feb2009.http://dictionary.reference.com/browse/context. [20]Context, Merriam-WebsterOnlineDictionary ,Feb2009.http://www.merriamwebster.com/dictionary/context. [21]A.K.Dey,Understandingandusingcontext, PersonalUbiquitousComput. ,vol.5, pp.4,2001. [22]P.Brezillon,G.K.Mostefaoui,andJ.Pasquier-Rocha,Context-awarecomputing:A guideforthepervasivecomputingcommunity, PervasiveServices,2004.ICPS2004. IEEE/ACSInternationalConferenceon ,2004. [23]T.StrangandC.Linnho-Popien,Acontextmodelingsurvey,in Workshopon AdvancedContextModelling,ReasoningandManagementaspartofUbiComp 2004-TheSixthInternationalConferenceonUbiquitousComputing ,Nottingham, England,2004. [24]R.A.KemmererandG.Vigna,Intrusiondetection:Abriefhistoryandoverview supplementtocomputermagazine, Computer ,vol.35,pp.27,2002. [25]W.Hasselbring,Informationsystemintegration, CommunicationsoftheACM vol.43,pp.32,2000. [26]V.Stavridou,Integrationinsoftwareintensivesystems, JournalofSystemsand Software ,vol.48,pp.91,1999. [27]M.K.Perry,Verticalintegration:Determinantsandeects,in HandbookofIndustrialOrganization R.SchmalenseeandR.Willig,eds.,vol.1,ch.4,pp.183255, Elsevier,July1989. [28]V.N.L.Franqueira,Accesscontrolfromanintrusiondetectionperspective, TechnicalReportTR-CTIT-06-10,CenterforTelematicsandInformationTechnology, UniversittofTwente,February2006. 136

PAGE 137

[29]T.RyutovandC.Neuman,Thespecicationandenforcementofadvancedsecurity policies, PoliciesforDistributedSystemsandNetworks,2002.Proceedings.Third InternationalWorkshopon ,pp.128,2002. [30]T.Ryutov,C.Neuman,K.Dongho,andZ.Li,Integratedaccesscontrolandintrusiondetectionforwebservers, ParallelandDistributedSystems,IEEETransactions on ,vol.14,pp.841,2003. [31]T.Ryutov,C.Neuman,andD.Kim,Dynamicauthorizationandintrusionresponse indistributedsystems, DARPAInformationSurvivabilityConferenceandExposition, 2003.Proceedings ,vol.1,pp.50vol.1,2003. [32]C.-Y.Tseng,P.Balasubramanyam,C.Ko,R.Limprasittiporn,J.Rowe,and K.Levitt, Aspecication-basedintrusiondetectionsystemforAODV .ACMPress, 2003.986876125-134. [33]P.UppuluriandR.Sekar, ExperienceswithSpecication-BasedIntrusionDetection p.172.2001. [34]J.Garcia,F.Autrel,J.Borrell,S.Castillo,F.Cuppens,andG.Navarro, DecentralizedPublish-SubscribeSystemtoPreventCoordinatedAttacksviaAlertCorrelation pp.223.2004. [35]R.Bhatti,E.Bertino,andA.Ghafoor,Atrust-basedcontext-awareaccesscontrol modelforweb-services, WebServices,2004.Proceedings.IEEEInternational Conferenceon ,pp.184,2004. [36]N.Dimmock,A.Belokosztolszki,D.Eyers,J.Bacon,andK.Moody,Usingtrust andriskinrole-basedaccesscontrolpolicies, SACMAT'04:Proceedingsoftheninth ACMsymposiumonAccesscontrolmodelsandtechnologies ,pp.156,2004. [37]N.Dimmock,Howmuchis"enough"?riskintrust-basedaccesscontrol, WETICE '03:ProceedingsoftheTwelfthInternationalWorkshoponEnablingTechnologies p.281,2003. [38]L.Teo,G.-J.Ahn,andY.Zheng,Dynamicandrisk-awarenetworkaccessmanagement, SACMAT'03:ProceedingsoftheeighthACMsymposiumonAccesscontrol modelsandtechnologies ,pp.217,2003. [39]N.Stakhanova,S.Basu,andJ.Wong,Ataxonomyofintrusionresponsesystems, Int.J.Inf.Comput.Secur. ,vol.1,no.1/2,pp.169,2007. [40]S.Manganaris,M.Christensen,D.Zerkle,andK.Hermiz,Adatamininganalysisof rtidalarms, ComputerNetworks ,vol.34,pp.571,102000. [41]J.Wang,B.Jin,andJ.Li, Anontology-basedpublish/subscribesystem .SpringerVerlagNewYork,Inc.,2004.1045676232-253. 137

PAGE 138

[42]H.Wache,V.Ogele,T.Visser,U.Stuckenschmidt,H.Schuster,G.Neumann, andH.Ubner,Ontology-basedintegrationofinformation-asurveyofexisting approaches,Seattle,WA,pp.108,2001. [43]H.Debar,D.A.Curry,andB.S.Feinstein,Theintrusiondetectionmessageexchangeformatidmef,2007.RequestForCommentsExperimental. [44]SunMicrosystems,Xacmlimplementation,AccessedNovember2007. http://sunxacml.sourceforge.net/. [45]R.S.Sandhu,E.J.Coyne,H.L.Feinstein,andC.E.Youman,Role-basedaccess controlmodels, Computer ,vol.29,pp.38,1996. [46]R.S.SandhuandP.Samarati,Accesscontrol:Principlesandpractice, IEEE CommunicationsMagazine ,vol.32,pp.40,1994. [47]R.Heady,G.Luger,A.Maccabe,andM.Servilla,Thearchitectureofanetwork levelintrusiondetectionsystem,Aug.1990. [48]E.Fisch, IntrusionDamageControlandAssessment:ATaxonomyandImplementationofAutomatedResponsestoIntrusiveBehavior .PhDthesis,TexasA&M University,1996. [49]C.Carver,Jr.andU.Pooch,Anintrusionresponsetaxonomyanditsrolein automaticintrusionresponse, IEEEWorkshoponInformationAssuranceand Security ,2000. [50]H.Debar,D.Curry,andB.Feinstein, TheIntrusionDetectionMessageExchange FormatIDMEF .No.4765inRequestforComments,IETF,Mar.2007. [51]F.Cuppens,Managingalertsinamulti-intrusiondetectionenvironment, Computer SecurityApplicationsConference,2001.ACSAC2001.Proceedings17thAnnual pp.22,2001. [52]F.Valeur,G.Vigna,C.Kruegel,andR.A.Kemmerer,Acomprehensiveapproachto intrusiondetectionalertcorrelation, IEEETransactionsonDependableandSecure Computing ,vol.01,pp.146,2004. [53]G.Giacinto,R.Perdisci,andF.Roli,Alarmclusteringforintrusiondetection systemsincomputernetworks, MachineLearningandDataMininginPattern Recognition ,pp.184,2005. [54]S.Staniford,J.A.Hoagland,andJ.M.McAlerney,Practicalautomateddetectionof stealthyportscans, JournalofComputerSecurity ,vol.10,pp.105,2002. [55]P.Ning,Y.Cui,D.S.Reeves,andD.Xu,Techniquesandtoolsforanalyzing intrusionalerts, ACMTrans.Inf.Syst.Secur. ,vol.7,pp.274,2004. 138

PAGE 139

[56]D.XuandP.Ning,Alertcorrelationthroughtriggeringeventsandcommonresources,in 20thAnnualComputerSecurityApplicationsConference,2004 ,pp.360 369,2004. [57]P.Ning,D.Reeves,andY.Cui,Correlatingalertsusingprerequisitesofintrusions, Dec.2001. [58]B.MorinandH.Debar, CorrelationofIntrusionSymptoms:AnApplicationof Chronicles ,vol.RecentAdvancesinIntrusionDetection,pp.94.2003. [59]S.Godik,T.Moses,andetal,Extensibleaccesscontrolmarkuplanguagexacml version2.0.OASISStandard,February2005. [60]D.J.Weber, Ataxonomyofcomputerintrusions .PhDthesis,MassachusettsInstitute ofTechnology.,1998. [61]C.AlbertsandA.Dorofee,Octavecriteria,version2.0,Dec.2001. [62]F.SwiderskiandW.Snyder, ThreatModeling .Redmond,Wash:MicrosoftPress, 2004. [63]P.Mell,K.Scarfone,andS.Romanosky,Acompleteguidetothecommonvulnerabilityscoringsystemversion2.0.http://www.rst.org/cvss/cvss-guide.pdf,June 2007. [64]L.Viljanen, Trust,PrivacyandSecurityinDigitalBusiness ,vol.Volume3592/2005 of LectureNotesinComputerScience ,ch.TowardsanOntologyofTrust,pp.175 184.SpringerBerlin/Heidelberg,August312005. [65]D.J.Essin,Patternsoftrustandpolicy,in Proceedingsofthe1997NewSecurity ParadigmsWorkshop ,ACMPress,1997. [66]A.Avizienis,J.Laprie,B.Randell,andC.C.Landwehr,Basicconceptsandtaxonomyofdependableandsecurecomputing, IEEETransactionsonDependableand SecureComputing ,vol.1,pp.11,Jan.-March2004. [67]T.Ryutov,C.Neuman,D.Kim,andL.Zhou,Integratedaccesscontrolandintrusion detectionforwebservers, DistributedComputingSystems,2003.Proceedings.23rd InternationalConferenceon ,pp.394,2003. [68]C.A.Carver, AdaptiveAgent-BasedIntrusionResponse .PhDthesis,TexasA&M UniversityatCollegeStation,May2001. [69]M.Ahmed,E.Al-Shaer,andL.Khan,Anovelquantitativeapproachformeasuring networksecurity, INFOCOM2008.The27thConferenceonComputerCommunications.IEEE ,pp.1957,April2008. 139

PAGE 140

[70]MITLincolnLaboratory,2000DARPAIntrusionDetectionScenarioSpecicDataSets.,http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/2000data.html,AccessedSeptember2008. [71]A.HessandN.Karowski,Automatedprotectionofend-systemsagainstknown attacks,in ProceedingsofIEEE/ISTWorkshoponMonitoring,AttackDetectionand Mitigation ,Tuebingen,Germany,2006. [72]CommonVulnerabilitiesandExposures,CommonVulnerabilitiesandExposures List.http://cve.mitre.org/,AccessedSeptember2008. [73]C.KruegelandW.Robertson,Alertverication:Determiningthesuccessofintrusionattempts,in 1stWorkshopontheDetectionofIntrusionsandMalwareand VulnerabilityAssessmentDIMVA2004 ,July2004. [74]U.ShankarandV.Paxson,Activemapping:Resistingnidsevasionwithoutaltering trac,in SP'03:Proceedingsofthe2003IEEESymposiumonSecurityandPrivacy Washington,DC,USA,p.44,IEEEComputerSociety,2003. [75]JoeDogSoftware,Siege.http://www.joedog.org/index/siege-home,November2008. [76]Compete.com.http://www.compete.com,February2009. 140

PAGE 141

BIOGRAPHICALSKETCH HassanRasheedwasbornin1981inFloridatoHowardandBarbaraRasheed. HegraduatedfromKingHighSchoolinTampa,Floridain2000.In2004,heearned aBachelorofSciencedegreeincomputerengineeringfromtheUniversityofFlorida. Aftercompletinghisbachelor'sdegree,hebeganworkingonhisDoctorofPhilosophy incomputerengineeringattheUniversityofFlorida.Hisgraduatestudiesfocusedon distributedsystems,informationsecurityandthedesignandimplementationofcontextawaresystems. 141