Citation
- Permanent Link:
- https://ufdc.ufl.edu/UFE0024262/00001
Material Information
- Title:
- Integrating Access Control with Real-Time Assessment Adaptive Security Through the Acquisition, Analysis and Application of Context Data
- Creator:
- Rasheed, Hassan
- Place of Publication:
- [Gainesville, Fla.]
- Publisher:
- University of Florida
- Publication Date:
- 2009
- Language:
- english
- Physical Description:
- 1 online resource (141 p.)
Thesis/Dissertation Information
- Degree:
- Doctorate (Ph.D.)
- Degree Grantor:
- University of Florida
- Degree Disciplines:
- Computer Engineering; Computer and Information Science and Engineering
- Committee Chair:
- Chow, Yuan-Chieh R.
- Committee Members:
- Chen, Shigang; Dobra, Alin; Sanders, Beverly A.; Dukes, Walter E.
- Graduation Date:
- 5/2/2009
Subjects
- Subjects / Keywords:
- Abacus (jstor); Access control systems (jstor); Authentication (jstor); Data security (jstor); Databases (jstor); Domain ontologies (jstor); Intrusion detection systems (jstor); Risk analysis (jstor); Simulations (jstor); Web servers (jstor); Computer and Information Science and Engineering -- Dissertations, Academic -- UF; access, awareness, context, control, distributed, information, security, systems
- Genre:
- Electronic Thesis or Dissertation; born-digital (sobekcm); Computer Engineering thesis, Ph.D.
Notes
- Abstract:
- The need for adaptive security mechanisms is growing, driven by the increasing automation and modularity of attack tools, the prevalence of dynamic service-oriented architectures and the greater availability of network analysis data. In order to facilitate the evaluation and enforcement of access control policies based on real-time analysis data, a framework for the collection, analysis and dissemination of security data is proposed. In demonstrating its implementation, the framework is integrated with a web server and is used to provide a quantitative risk assessment based on data from vulnerability exploitation attempts. While maintaining high availability for non-affected entities, the percentage of denied intrusive requests is increased by triggering more restrictive permissioning in the face of escalating risk from external nodes and to system resources. A detailed performance analysis is also conducted that compares the proposed framework with an ordinary web server and demonstrates the ability of the framework to handle high request loads in excess of one million transactions per day.
- General Note:
- In the series University of Florida Digital Collections.
- General Note:
- Includes vita.
- Bibliography:
- Includes bibliographical references.
- Source of Description:
- Description based on online resource; title from PDF title page.
- Source of Description:
- This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
- Thesis:
- Thesis (Ph.D.)--University of Florida, 2009.
- Local:
- Adviser: Chow, Yuan-Chieh R.
- Statement of Responsibility:
- by Hassan Rasheed.
Record Information
- Source Institution:
- University of Florida
- Holding Location:
- University of Florida
- Rights Management:
- Copyright Rasheed, Hassan. Permission granted to the University of Florida to digitize, archive and distribute this item for non-profit research and educational purposes. Any reuse of this item in excess of fair use or other copyright exemptions requires permission of the copyright holder.
- Resource Identifier:
- 665066676 (OCLC)
- Classification:
- LD1780 2009 (lcc)
Full Text
INTEGRATING ACCESS CONTROL WITH REAL-TIME ASSESSMENT: ADAPTIVE SECURITY THROUGH THE ACQUISITION, ANALYSIS AND APPLICATION OF CONTEXT DATA

By

HASSAN RASHEED

A DISSERTATION PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY

UNIVERSITY OF FLORIDA

2009
2009 Hassan Rasheed
He, the Creator, is the Ever Living; none has the right to be worshipped but He; so invoke Him, making your worship pure for Him alone. All the praise and thanks be to Allah, the Lord of all that exists. Qur'an 40:65
ACKNOWLEDGMENTS

I thank the Creator for His continuous mercy and favor and my parents for their continual support and selfless care; and I thank all of those who have contributed to my intellectual development throughout my studies.
TABLE OF CONTENTS

ACKNOWLEDGMENTS 4
LIST OF TABLES 9
LIST OF FIGURES 10
ABSTRACT 15

CHAPTER

1 INTRODUCTION 16
1.1 Motivation: Paradigm Shifts in System Security 16
1.1.1 Changing Nature of Attacks 16
1.1.2 Changing Deployment Environments 17
1.1.3 Greater Emphasis on Distributed Data Analysis 18
1.2 Challenges Faced 19
1.2.1 The Nature of Context Information 19
1.2.2 Applying Security Data for Improved Access Control 20
1.3 Approach 21
1.4 Summary of Results 21
1.5 Significance and Impact 22
1.6 Organization of this Report 23

2 RELATED WORK 24
2.1 Context Information 24
2.1.1 Existing Definitions of Context 24
2.1.2 Redefining Context 24
2.1.3 Context Representation 26
2.2 Systems Integration 26
2.2.1 Horizontal Integration 27
2.2.2 Vertical Integration 29
2.2.3 Summary on Integration 30
2.3 Integration of Security Controls 31
2.4 Use of Threat, Risk and Trust in Access Control 33
2.5 Intrusion Response 33

3 GENERAL APPROACH PART 1: CONTEXT ACQUISITION 35
3.1 Introduction and Design Goals 35
3.2 Survey of Context Acquisition Approaches 36
3.2.1 Closed/Coalition Approach 37
3.2.2 Open/Federation Approach 39
3.3 A Coalition-Based System for Context Acquisition 41
3.3.1 Information Model 41
3.3.1.1 Access control 41
3.3.1.2 Intrusion detection 43
3.3.1.3 Intrusion response 44
3.3.1.4 Model overview 45
3.3.1.5 Security event 45
3.3.1.6 Access request 46
3.3.1.7 Intrusion attempt 46
3.3.1.8 Intrusion response 46
3.3.2 Implementation 47
3.3.3 Summary of the Coalition Approach to Context Acquisition 49
3.4 A Federated System for Context Acquisition 49
3.4.1 Approach 49
3.4.2 The Use of Event Correlation in Federated System 50
3.4.3 Available Correlation Methods: A Taxonomy of Event Correlation Approaches for Security Data 50
3.4.3.1 Taxonomy of alert correlation methods based on outcome 50
3.4.3.2 Taxonomy of alert correlation methods based on means 52
3.4.4 Selecting an Effective Ontology Approach 54
3.4.5 A Hybrid Event Ontology 55
3.4.5.1 The basis for a common ontology 55
3.4.5.2 The proposed ontology 56
3.5 Summary 59

4 GENERAL APPROACH PART 2: CONTEXT ANALYSIS 67
4.1 Introduction and Design Goals 67
4.2 A High-Level Ontology of Security Assessment Information 68
4.2.1 Core Assessments 69
4.2.1.1 Risk 69
4.2.1.2 Trust 69
4.2.1.3 Dependability and importance 70
4.2.2 Composite Assessments 71
4.2.2.1 Threat 71
4.2.2.2 Impact 72
4.3 Summary 72

5 GENERAL APPROACH PART 3: CONTEXT APPLICATION 75
5.1 Introduction 75
5.2 Context-Based Policy Evaluation 75
5.2.1 Access Control Schema Extension 76
5.2.2 Application Scenarios 78
5.3 Context-Based Threat Response 79
5.4 Summary 81

6 ADAPTIVE RISK-AWARE ACCESS CONTROL FOR WEB SERVERS 87
6.1 Introduction 87
6.1.1 Connection Between the Implementation and Previous Chapters 87
6.1.2 Implementation Overview 88
6.2 Intrusion Response and Attack Resistance 89
6.2.1 Strategy Selection 89
6.2.2 Response Triggering 90
6.3 Notion of Risk and a Preliminary Risk Assessment Model 90
6.3.1 Analysis Model 90
6.4 Triggering Restricted Permissioning With Risk Data 93
6.5 Abacus Framework Architecture 94
6.6 Updates and Modifications to the Initial Model and Architecture 99
6.6.1 Performance Issues With the Initial Architecture 99
6.6.2 Solution 1: Caching 99
6.6.3 Solution 2: Redesigning the Analysis Algorithm and Refactoring the Architecture 100
6.6.4 Revised Risk Assessment Model 100
6.6.5 Restructured Architecture 101
6.7 Summary 101

7 RESULTS 106
7.1 Testing Setup 106
7.2 Validation of Analysis Model 106
7.3 Web Server Attack Resistance Results 108
7.4 Performance Analysis 111
7.4.1 Performance Testing Methodology 111
7.4.2 Performance of Initial Abacus Framework 112
7.4.3 Performance of Abacus Framework with Recursive Analysis Model 113
7.4.4 Performance Comparison for ABACUS Framework and Ordinary Apache Webserver 113

8 CONCLUSIONS 130
8.1 Conclusions Produced By Examination of the General Approach 130
8.1.1 Data Acquisition 130
8.1.2 Data Analysis 130
8.2 Conclusions On the Implementation and Testing of the Concrete Implementation 131
8.2.1 Data Quality 131
8.2.2 Changes From the General Approach to the Concrete Implementation 132
8.2.3 Effectiveness and Performance 133
8.3 Future Work 133

REFERENCES 135
BIOGRAPHICAL SKETCH 141
LIST OF TABLES

5-1 Escalation of threat in subsequent requests by two different sources. When the threat is assigned to individual sources separately, the system is able to distinguish between malicious and non-malicious subjects. 83
5-2 Escalation of threat in subsequent requests by three different hosts on a common target. When the effect of requests from different subjects to the same object are considered in aggregate, the system is able to contextualize individual requests into an overall pattern of interaction with the object. 83
5-3 Selected intrusion response strategies. Each general response strategy is listed along with its appropriate use case, its implementation at the access control level and the contextual properties that constrain its application. 86
7-1 A summary of the simulation results for scenario one simulating an attack from a single source on multiple system resources. 119
7-2 A summary of the simulation results from scenario two while simulating an attack from multiple sources on a single system resource. 120
7-3 A summary of the simulation results from scenario three while simulating an attack from multiple sources on multiple system resources. 121
7-4 Traffic statistics for three top websites in December 2008. 129
7-5 Estimated peak performance for ABACUS framework with current testing constraints. 129
LIST OF FIGURES

3-1 Diagram of a security coalition. Each security component has to interact with all of the other components in order to access their data. This architecture is limited in extensibility because each time a new member is added to the coalition, all of the other members must be adapted to use its interface. 60
3-2 The anatomy of a security component in an open architecture. The core decision mechanism is responsible for placing new events into the mechanism's event data store which subsequently provides the data to other consumers. The core decision mechanism also pulls data from the component's event consumer module in order to enforce policy based on external event information. The event consumer module includes a policy describing the different types of events that should be drawn from the event provider; this interaction is depicted in Figure 3-3. 61
3-3 Security components with a common event provider. Rather than having to interact with each other member of the system, the components can now access data through a common event provider. 62
3-4 The anatomy of a security component in an open architecture. The core decision mechanism is responsible for placing new events into the common event provider that is now an external service instead of the previous data store that was contained in the mechanism itself. The core decision mechanism also pulls data from the component's event consumer module in order to enforce policy based on external event information. The event consumer module includes a policy describing the different types of events that should be drawn from the event provider; this interaction is depicted in Figure 3-3. 63
3-5 Security event information model. 64
3-6 The flow of data between an IDS and a web server under the coalition-based implementation. 64
3-7 Taxonomy of the means used to achieve alert correlation. 65
3-8 Ontology for inter-domain event correlation. 66
4-1 Core assessment classes. Importance, trust and dependability assessments for entities. Threat and impact assessments for access requests. Value and risk assessments for the action of an access request. 73
4-2 Assessment factors for three assessment types: trust, risk and dependability. The class Assessment is also a subclass of AssessmentFactor because of the composite assessments that are derived from other assessments. The assessment factors for threat are the risk of the request and the trust granted to the subject. The assessment factors for the impact are the dependability and importance of the object and the risk of the request. 74
5-1 XACML rule including source-centered threat. This rule demonstrates the extension of the XACML schema with a new property total-source-threat. This property is designated as an attribute of the subject of the request. An integer function is used to compare the value returned for this property with the designated value of 20. If the total-source-threat property is greater than or equal to this value, then the rule has the effect of causing the request to be denied. 83
5-2 XACML rule including target-centered threat. This rule demonstrates the extension of the XACML schema with a new property total-target-threat. This property is designated as an attribute of the resource being accessed. An integer function is used to compare the value returned for this property with the designated value of 30. If the total-target-threat property is greater than or equal to this value, then the rule has the effect of causing the request to be denied. 84
5-3 XACML rule including an attribute indicating that a resource is locked. This rule demonstrates the extension of the XACML schema with a new property resource-lock-status. This property is designated as an attribute of the resource being accessed. A boolean function is used to compare the value returned for this property with the designated value of 'true'. If the resource-lock-status property is true, then the rule has the effect of causing all requests to this resource to be denied. 84
5-4 XACML rule including an attribute indicating that a user account is locked. This rule demonstrates the extension of the XACML schema with a new property resource-lock-status. This property is designated as an attribute of the subject initiating the request. A boolean function is used to compare the value returned for this property with the designated value of 'true'. If the user-account-lock-status property is true, then the rule has the effect of causing all requests from this source to be denied. 85
5-5 XACML rule including a property to restrict a specific permission. This rule demonstrates the extension of the XACML schema with a new property user-write-prohibit. This property is designated as an attribute of the subject initiating the request. The Policy Decision Point will be extended with a new module that provides the logic to provide a current value for this property. A boolean function is used to compare the value returned for this property with the designated value of 'true'. If the user-write-prohibit property is true, then the rule has the effect of causing the request to be denied. 85
6-1 Sample risk progression for an intruder executing intrusive requests of moderate severity. 103
6-2 Architecture for the ABACUS framework. 103
6-3 Apache configuration directive that establishes a SourcePermissionRestrict access handler to evaluate all requests to resources in the directory '/s'. The directive also establishes four risk thresholds, each for a different action. These thresholds are subsequently used by the access handler to compare against the current risk evaluation for the source of the request, with the request being denied if the source's risk exceeds the threshold. The final variable SourceLockoutThreshold establishes that once the risk attached to the source exceeds 41, all requests from that source will be denied. 104
6-4 Pseudocode for the access control model that performs restriction of source permissions based on a risk assessment obtained from an analysis server. It retrieves a risk assessment for the source from the analysis server and then compares it with the appropriate threshold for the action being performed. 104
6-5 Apache configuration directive for a custom authentication handler. Three different thresholds, or properties, are established which could be used to trigger the use of authentication. A value is also set for AuthExpiration which ensures that, once authenticated, users are only re-authenticated every 300 seconds (five minutes) at most. 105
6-6 Pseudocode for authentication module. Authentication is required if any of the established risk thresholds are exceeded. 105
7-1 Simulation results from the validation of the analysis model showing risk estimates for the sources detected as intrusive. (A) using only concrete vulnerability filtering; (B) using concrete vulnerability filtering and configuration verification. 118
7-2 Simulation results from the validation of the analysis model showing risk estimates for targets being attacked by intrusive requests. (A) using only concrete vulnerability filtering; (B) using concrete vulnerability filtering and configuration verification. 119
7-3 Access control policies for the two servers during scenario one while simulating an attack from a single source on multiple system resources. (A) server two; (B) server one. The first policy (A) establishes an access handler that uses system-level risk data and sets a threshold of 65 for the system risk, beyond which requests will be denied. The second policy (B) establishes an access handler that uses source risk data and sets a threshold of 45 for the source risk, beyond which requests from that source will be denied. 120
7-4 The growth of the risk from the intruder in scenario one. 120
7-5 Access control policies for the two servers during scenario two while simulating an attack from multiple sources on a single system resource. (A) server two; (B) server one. The first policy (A) establishes an access handler that uses system-level risk data and sets a threshold of 65 for the system risk, beyond which requests will be denied. The second policy (B) establishes an access handler that uses target risk data and sets a threshold of 45 for the target risk, beyond which requests to that target will be denied. 121
7-6 The growth of risk for the targeted resource in scenario two. 121
7-7 Access control policies for the two servers during scenario three while simulating an attack from multiple sources on multiple system resources. (A) server two; (B) server one. The first policy (A) establishes an access handler that uses system-level risk data and sets a threshold of 65 for the system risk, beyond which requests will be denied. The second policy (B) establishes an access handler that uses three different risk properties to trigger the requirement of authentication. The system risk threshold is 65, the source risk threshold is 33 and the target risk threshold is 45. A time limit for the expiration of a valid authentication is set at 300 seconds using the AuthExpiration property. 122
7-8 Statistics for ABACUS framework version 1 during a simulation with ten concurrent users, one of which was an intruder. Graphs show time to serve requests for different breakdowns of the set of requesting users. (A) requests from all users; (B) requests from the intruder; (C) requests from non-intrusive users. These graphs establish that the time to process requests was increasing throughout the simulation and that this was due to the increased time it took to process requests from the intruder, which required more data to be aggregated and analyzed in order to produce a risk assessment. 123
7-9 Statistics for ABACUS framework version two. (A) time to serve requests for the web server; (B) time to serve requests for the analysis server. The graphs correspond to a simulation with 100 concurrent users for the entire duration of the test (10 minute stress test). 124
7-10 Statistics for ABACUS framework version two. (A) alert processing time; (B) alert receiving time. The graphs correspond to a simulation with 100 concurrent users for the entire duration of the test (10 minute stress test). 125
7-11 Additional stress test statistics for ABACUS framework version two. (A) using 110 concurrent clients; (B) using 175 concurrent clients; (C) using 200 concurrent clients. 126
7-12 Web server comparison using a randomized delay between 0 and 1 second between requests. (A) response time; (B) concurrency; (C) transaction rate. 127
7-13 Web server comparison using a randomized delay between 0 and 10 seconds between requests. (A) response time; (B) concurrency; (C) transaction rate. 128
7-14 Summary of the factor increase in web server response time for the ABACUS framework version two compared to the performance of an unmodified web server. 129
Abstract of Dissertation Presented to the Graduate School of the University of Florida in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy

INTEGRATING ACCESS CONTROL WITH REAL-TIME ASSESSMENT: ADAPTIVE SECURITY THROUGH THE ACQUISITION, ANALYSIS AND APPLICATION OF CONTEXT DATA

By

Hassan Rasheed

May 2009

Chair: Randy Y. C. Chow
Major: Computer Engineering

The need for adaptive security mechanisms is growing, driven by the increasing automation and modularity of attack tools, the prevalence of dynamic service-oriented architectures and the greater availability of network analysis data. In order to facilitate the evaluation and enforcement of access control policies based on real-time analysis data, a framework for the collection, analysis and dissemination of security data is proposed. In demonstrating its implementation, the framework is integrated with a web server and is used to provide a quantitative risk assessment based on data from vulnerability exploitation attempts. While maintaining high availability for non-affected entities, the percentage of denied intrusive requests is increased by triggering more restrictive permissioning in the face of escalating risk from external nodes and to system resources. A detailed performance analysis is also conducted that compares the proposed framework with an ordinary web server and demonstrates the ability of the framework to handle high request loads in excess of one million transactions per day.
PAGE 16
CHAPTER1 INTRODUCTION Oneofthemostsignicantchallengesinthesecuritydomainisthedevelopmentof securitymechanismswiththecapabilitiesofdynamic,contextawarebehavior.Theword contextawarenessmeansdierentthingsinvariousdomains,butherewerefertothe generalabilityofasoftwaredevicetoadjustitsbehaviorbasedonitsperceptionofthe environmentitoperatesin.Thisisstillaverybroadconcept,butwillbefurtherspecied inthecourseofthediscussion. Securitymechanismsoftenoerassessmentsorevaluationsofvariousrequestsand events,forexample:evaluatingthevalidityofarequestforauthorizationoranalyzingan eventforintrusivecharacteristics.Anyassessmentisbasedonassumptionsbothimplicit andexplicitaboutthecurrentenvironment:explicitassumptionsmayoftenbemodeled inapolicywhereasimplicitassumptionsaresubsumedintheunderlyingmodelusedfor decisionmaking.Theroleofcontextdataisthentoeitherkeepthoseexplicitassumptions accurateiftheyexist,ortointroduceimportantparametersinthedecision-makingprocess iftheyhavebeenleftout.Therearethreeprimarymotivationsforthecurrentapproach: theenvironmentsinwhichsecuritymechanismsaredeployedarechanging,theattacks themselvesthatmustbeguardedagainstarechanging,andtheemergingopportunityto leveragedatasourcesprovidingvaluablesecuritydata. 1.1Motivation:ParadigmShiftsinSystemSecurity 1.1.1ChangingNatureofAttacks Therearetwoprimarymotivatingsub-factorstowardsproducingsecuritymechanisms withanimprovedabilitytodealwithachangingenvironment:thechangingnatureof attacks,andmovetowardsutilizingsecuritymechanismsinserviceorientedarchitectures. Thechangingnatureofattackswasnotedin[1]andhassincebeenconrmedinvarious otherreports.Amongstthefactorsnotedinthereportwerethefollowing: 1. Theautomationandspeedofattacktools -eachofthefourcommonphasesofautomatedattacksscanning,compromising,propagatingandcoordinatedmanagement 16
PAGE 17
arebeingdonemorequicklyandeectively.Attacktoolsuseexploitsinthemidst ofscanningandautomaticallyinitiateattackcycles.Coordinatedmanagementis facilitatedbywidelyusedcommunicationsprotocolssuchasinstantmessaging.As aresult,thewindowofresponsebeforeanattackmovesontothenextstageisno longerbasedontheresponsetimeofahumanattackerandthereforeeasilyoutpaces ahumanadministratorsabilitytorespond. 2. Theincreasingsophisticationofattacktools -attackersincreasinglyusetechniques toconcealthenatureofthetoolstheyuse.Toolsthemselvesaremoremodular andexhibitmoredynamicbehavior.Becauseoftheanti-forensicbehavior,previous detectionmethodsusinglow-levelorisolatedindicatorsmayfailtodetectattacks thatotherwisemightbeevidentusingmultiplerelatedpiecesofevidence. 3. Fasterdiscoveryofvulnerabilities -thenumberofnewvulnerabilitiesreported morethandoubleseachyear,oftenduetoexaminationofexistingcodefornewly discoveredvulnerabilityclasses.Thisimpliesawidernumberofavailableattack vectorsatanygivenpointintime.Italsoimpliesthatthepotentialforpublicizing vulnerabilitieswillcreatemoreoccurrencesofwidespreadexploitationofthesame vulnerability.Inits2007annualreportIBM'sInternetSecuritySystemsISSgroup reportedthatvulnerabilitiesin2007weredownvepercentcomparedto2006. However,thenumberofthosevulnerabilitiesthatwereclassiedasseverehigh impactroseby28percent[2].Highimpactvulnerabilitiesarethosethatallow immediateremoteorlocalaccess,orimmediateexecutionofcodeorcommands withunauthorizedprivileges.Thereportalsonotedthatofallofthevulnerabilities newlydiscoveredin2007,thatonly50%ofthemarecorrectablewithavendor patch,meaningthatmoreandmorevulnerabilitiesareofasevere,uncorrectable nature. 4. Increasinglyasymmetricthreat -attackscannowbelaunchedusinglargenumbers ofdistributedsystems,meaningthatthetraditionalone-to-onerelationshipbetween victimandattackerwillincreasinglybeaone-to-manyrelationship. 
1.1.2ChangingDeploymentEnvironments Thesecondmotivatingfactoristheneedforsecuritytasksimplementedundera serviceabstractionthatcanbeusedindistributedserviceorientedarchitectures.Service orientedcomputinghasgrownduetothegrowthoftheWebandWebServices.Withthis growth,hascomeagreaterneedfordatasecurity.In[3]severalchallengestoproviding securityservicesarediscussed.Anumberofthesechallengesarerelatedtothenotionof context-awarenessandcontextdatasharing.Thechallengesinthisregardfallinthree 17
PAGE 18
mainareas:contextdataacquisition,analysisandapplication.Amongthequestionsraised arethefollowing: Shoulddecisionpointtodecisionpointinteractionsforshareddecisionmakingbe directormediated Howwillsharedcontextinformationbemanaged Howcanwebuildservicesthatcanmakeuseofpastcontexthistoryandgetaround thestatelessinput/outputmodelforservices Howcaninherentlycontext-dependentservicessuchasintrusiondetectionbe implementedasservices Allofthesechallenges,however,leadtotheconclusionthatcontextinformationand consequentlymechanismsadaptedtousecontextdataarecriticaltothedevelopmentof secureserviceorientedarchitectures.Asoneofthethreeprimarysystemsecurityfunctions notedin[4],therequirementsplacedonaccesscontrolsystems,andconsequentlytheir needtoexhibitcontextawarenessareamongthehighestofanysecuritymechanism. Accesscontrol,morethanperhapsanyothersecuritymechanism,isalsoinneedofthis capabilityasitoftenservesastherstlineofdefenseagainstattacksandintrusionsboth attheapplicationandnetworklevel. 1.1.3GreaterEmphasisonDistributedDataAnalysis Astherealizationhasgrownthattherearesomefundamentallimitationswith individualintrusiondetectionsystems[5],interesthasgrowninleveragingmultiple intrusiondetectionsystemswiththeexpectationthatmoredatawillleadtomoreaccurate analyses.Theseeortsbeganwithcorrelationresearch[6,7,8,9,10,11,12]whichfocused onrelativelysmallsetsofdatacontributors.Ithasalsorecentlygrowntoincludewideareaorglobaldataanalysiseortsthatutilizelargesetsofintrusiondetectionsystems [13,14,15,16]inlookingfornewandemergingthreats.Thequestionofwhattodowith thesevastamountsofdataoncewehavethemhaslargelygoneignoredhowever-the primaryassumptionbeingthatadministratornoticationistheonlydependableway 18
PAGE 19
tomakeuseofsuchdata.Thereis,however,anopportunityforthedesignofsecurity mechanismssuitedtousingsuchdatathatcanperformsomelimitedtaskstoimprove responsetime. 1.2ChallengesFaced Therearechallengesontwomainlevelstotheconstructionofeectivecontext-aware securitysystems.Thersttyperelatetoalltypesofsystemsinwhichcontext-awareness isadesigngoal.Thesearedicultiesrelatedtotheacquisition,analysisandapplication ofthecontextinformation.Theseproblemsarisefromthenatureofthedatabeing collectedandthesensorsprovidingthedata:thefactthattheyarelargelyautonomous, heterogeneousanddistributed. Thesecondtypeofchallengearethosearisingfromtheparticularapplicationdomain. Theseproblemsincludetherateofincomingdata,thehighrateofinaccuracieswith securitydataandtheresultinguncertaintyforaectingresponsestointrusions.Another challengeatthislevel-becauseweareseekingtoutilizecontextdataattheaccesscontrol level-isensuringthatadaptingthesystemtorelyoncontextualinformationdoesnot proveprohibitivelyslowfromaperformanceperspective.Thechallengesforapplying contextdataalsoincludepreventingandmitigatingthenegativeeectsofintrusionswhile maintainingahighlevelofserviceavailability. 1.2.1TheNatureofContextInformation Dealingwithrepresentationsofcontextdatatomakesuchresponsivenesspossible,is inherentlycomplex.Thereareseveralinherentdicultiesdealingwithcontextinformation discussedin[17]includingthefollowing:therangeoftemporalcharacteristicsexhibited, highdegreeofinterrelatedness,inaccuraciesorimperfectionsinthedataandlarge numberofalternaterepresentations.Addtothis,thefactthatservicestodealwith contextareapplicationspecic[18]andthetaskofmanagingcontextdatabecomeseven moreimposing.Thesediculties,however,haveonlybeenconfrontedintherealmof securityinaverylimitedway.Someapproachestoalertcorrelationdealwithreceiving 19
PAGE 20
heterogeneous,interdependentandpossiblyimperfectpiecesofdata,butthegoalhasyet tobemakingthatdatausablebyothersecuritycomponents. Tofurtherspecifythechallengesinthisarena,webreakthetaskofcontext-awareness downintothreesub-tasks:acquisition,analysisandapplication.Contextdataacquisition iscomplicatedbythefactthatthesourcesforcontextdatainthisdomainarevery diverse,sometimespossessingtheirownspecializeddomain-specicstandards.Thisisa somewhatuniquechallengeastheapproachestoacquiringcontextdatainapervasive computingenvironmentrelyondatasourcesthatarepassivesensorsproducingrelatively low-leveldata.Morespecically,aneectiveapproachtowardscontextdataacquisition amongstsecurityservicesmustdealwiththeinherentautonomy,heterogeneityand distributionpresentincurrentsecuritymechanisms. Asaresultoftheintricaciesanduniquenessesinsecuritydata,ecientcontext analysistechniquessuitedtosecuritydatamustalsobedesignedtoderivekeysecurity measuresfromdatathathassignicantsemanticheterogeneities.Thesecontextanalysis techniquesmustalsobefocusedonproducing actionabledata :informationthatcan subsequentlybeusedtoadaptpolicies,behaviorsandenactresponsestochanging circumstances. 1.2.2ApplyingSecurityDataforImprovedAccessControl Thenotionofusingsecuritydataforpolicyenforcementassumesalevelofaccuracy forthesensorsthatisoftennotpresentforsecuritysensors.Inparticular,considering theclassofintrusiondetectionsystems,anumberofissueswithdatainaccuracyhave beennotedintheresearch,bothonapracticalandtheoreticallevel[5].Generically,the problemsaredividedintotwotypes:1falsepositives,whichareincidentsdetectedas intrusivethatareinrealitybenignand2falsenegatives,whichareincidentsthatare intrusivebutarecategorizedasbenignorsimplymissedaltogether.Anotherissueisthe sheernumberofalertsthataregeneratedbyintrusiondetectionsystems-thisplaces 20
constraints on the performance of the techniques used for storage and analysis to be able to keep up with the incoming stream of data.

1.3 Approach

In order to address the general issues regarding architecting context-aware systems, we develop a general framework for the collection, analysis and dissemination of security data. The acquisition approach will focus on the different architectures and mechanisms that can be employed for integrating data from multiple sources. One such solution will be a tightly integrated system suited to small deployments but lacking in extensibility. The other acquisition architecture will provide greater extensibility by utilizing a service-oriented abstraction. The analysis approach will develop a set of critical analysis measures after examining the reasonable techniques for analyzing security data. The approach to application will be more domain-specific, surveying the available intrusion response controls and the techniques for activating them.

An implementation will be discussed that focuses on addressing some of the concerns specific to the use of security data, including performance and data inaccuracies. This system will also provide a platform for testing the enforcement of access control policies based on real-time analysis data. The implementation framework will include a web server as the primary access control mechanism. The analysis process will then produce entity-specific risk assessments based on data from vulnerability exploitation attempts. The data will then be applied to resolve context dependencies at the access control policy level and regulate permissions based on established risk thresholds.

1.4 Summary of Results

While maintaining high availability for non-affected entities, we are able to show an increased ratio of denied intrusive requests by triggering more restrictive permissioning in the face of escalating risk from external nodes and to system resources. We also provide performance analysis comparing the proposed framework with an ordinary web server and
demonstrating the ability of the framework to handle high request loads in excess of one million transactions per day.

1.5 Significance and Impact

This approach demonstrates the feasibility of such adaptive security measures both in terms of effectiveness at limiting attacks and in maintaining high request throughput. The impact of the approach is primarily in demonstrating more careful, tailored response usage as a result of more detailed data analysis. Previous approaches that used data from assessment mechanisms in the performance of access control were primarily focused on integrating the performance of intrusion detection and access control in one mechanism; as a result, the data analysis was minimal and the resulting responses based on context data were applied at a system-wide level. By generating context analysis data for specific sources and targets, preventative measures such as forcing additional authentication are applied more efficiently and only when necessary. Stronger response methods such as locking out user accounts can also be utilized because the scope is more granular.

Experimentation will focus on the utilization of a few key responses at the access control level: forcing additional authentication, restricting user permissions, locking user accounts and restricting access to threatened services. We will show that the resultant system is able to:

1. Use response methods more efficiently - decrease the number of requests for additional authentication that must be handled in situations of elevated threat, by elevating threat levels only for specific sources and targets

2. Limit intrusive behavior while maintaining resource availability - decrease the number of requests coming from threatening sources that are permitted, using permission restriction and account locking, while maintaining resource availability for legitimate requests.

3. Ensure greater integrity and confidentiality protection for select resources - limit risks to confidentiality and integrity by restricting access to selected services in cases where confidentiality and integrity are of greater concern than complete availability
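The following is an added example, not code from the dissertation, of how per-source and per-target risk scores derived from exploitation-attempt alerts can drive the four responses listed above (additional authentication, permission restriction, account locking, restricting a threatened service). The alert format, the additive scoring, the threshold values and the ordering of responses are assumptions chosen for illustration.

```python
"""Per-source and per-target risk assessment driving adaptive permissioning.

Added example (not code from the dissertation): a constructed stream of
vulnerability-exploitation alerts raises a risk score for the offending
source node and for the targeted service; access requests are then resolved
against risk thresholds that trigger the responses of Section 1.5.  Alert
format, scoring, threshold values and response ordering are assumptions.
"""
from collections import defaultdict

# Assumed risk thresholds (not the dissertation's values): the higher the
# accumulated risk, the more restrictive the response that is triggered.
AUTH_THRESHOLD = 0.5      # source must pass additional authentication
RESTRICT_THRESHOLD = 1.0  # source loses write/modify permissions
LOCK_THRESHOLD = 1.5      # source's account is locked
SERVICE_THRESHOLD = 0.8   # threatened target service becomes read-only


class RiskAssessor:
    """Maintains risk per external node (source) and per resource (target)."""

    def __init__(self):
        self.source_risk = defaultdict(float)
        self.target_risk = defaultdict(float)

    def ingest(self, alert):
        """Consume one (source, target, severity) exploitation-attempt alert."""
        source, target, severity = alert
        self.source_risk[source] += severity
        self.target_risk[target] += severity

    def decide(self, source, target, action):
        """Resolve an access request; responses escalate with risk.

        Returns one of: "permit", "challenge:additional-auth",
        "deny:permission-restricted", "deny:service-restricted", "deny:locked".
        """
        s_risk = self.source_risk.get(source, 0.0)
        t_risk = self.target_risk.get(target, 0.0)
        if s_risk >= LOCK_THRESHOLD:
            return "deny:locked"
        if action != "read":
            # Integrity and confidentiality are favoured over availability
            # for threatened services and for permission-restricted sources;
            # read access stays available so non-affected entities are served.
            if t_risk >= SERVICE_THRESHOLD:
                return "deny:service-restricted"
            if s_risk >= RESTRICT_THRESHOLD:
                return "deny:permission-restricted"
        if s_risk >= AUTH_THRESHOLD:
            return "challenge:additional-auth"
        return "permit"


# Constructed alerts: (source node, target service, severity in [0, 1]).
SAMPLE_ALERTS = [
    ("10.0.0.5", "/login", 0.3),
    ("10.0.0.5", "/login", 0.4),
    ("10.0.0.5", "/admin", 0.9),
    ("10.0.0.7", "/search", 0.2),
]

# Constructed request stream: (source, target, action, is_intrusive).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "/admin", "write", True),
    ("10.0.0.5", "/search", "read", True),
    ("10.0.0.7", "/search", "read", False),
    ("10.0.0.9", "/admin", "read", False),
    ("10.0.0.9", "/admin", "write", False),
    ("10.0.0.9", "/login", "write", False),
]


def evaluate(alerts, requests):
    """Ingest alerts, resolve requests, and report the two measures from
    Section 1.5: intrusive requests denied and legitimate requests served."""
    assessor = RiskAssessor()
    for alert in alerts:
        assessor.ingest(alert)
    decisions = []
    denied_intrusive = served_legit = 0
    for source, target, action, intrusive in requests:
        decision = assessor.decide(source, target, action)
        decisions.append(decision)
        if intrusive and decision.startswith("deny"):
            denied_intrusive += 1
        if not intrusive and not decision.startswith("deny"):
            served_legit += 1
    return decisions, denied_intrusive, served_legit


if __name__ == "__main__":
    for decision in evaluate(SAMPLE_ALERTS, SAMPLE_REQUESTS)[0]:
        print(decision)
```

Only the source that generated the alerts is locked; an unrelated source still reads the threatened service and is refused only a write to it, which is the granular scoping the section argues for.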
1.6 Organization of this Report

The first section will focus on related work. In this section previous research in context information, systems integration, the integration of security controls, the use of key assessments in access control and intrusion response will be addressed. The next three sections will each address one aspect of the general challenges discussed related to architecting context-aware systems: data acquisition, data analysis and data application. Following this will be a discussion of the system implementation: the analysis model, the architecture and the integration between the framework and the pre-existing access control system. Next a comprehensive set of testing results from experimentation with the system implementation will be presented. Concluding the sections will be a chapter on the conclusions drawn from the research and a statement on future work.
CHAPTER 2
RELATED WORK

2.1 Context Information

2.1.1 Existing Definitions of Context

There are two definitions of context that will be considered when defining context for the purposes of this study: a linguistic definition and a definition from the pervasive computing area.

Linguistic. The American Heritage Dictionary defines context as "The part of a text or statement that surrounds a particular word or passage and determines its meaning." [19] The Merriam-Webster Dictionary defines context as, "The interrelated conditions in which something exists or occurs" [20].

Pervasive computing. Schilit and Theimer first mentioned the term context-aware more than a decade ago with the explanation that such systems "[adapt] according to the location of use, the collection of nearby people, hosts, and accessible devices, as well as to changes in such things over time." Other definitions have taken a human user-centric view of context, defining it as: "any information that can be used to characterize the situation of an entity. An entity is a person, place or object that is considered relevant to the interaction between a user and an application" [21]. Broader definitions also exist, such as, "all the knowledge that constrains problem solving at a given step without intervening in it explicitly" [22].

2.1.2 Redefining Context

There are a few problems with definitions such as those stated above. Firstly, they are either overly broad, lumping many types of information together as context; or they are overly specific, restricting context to types of information useful in the particular application being deemed context-aware.

Intuitively context is necessary because it clarifies meaning - but definitions that neglect this will adopt information as context that does not add to meaning. Definitions
that only consider context to be information used in a particular application will not be widely usable, and could possibly miss some information that might improve the application.

Another issue is the notion of context ownership. Most of these definitions view contextual information as belonging to an object or entity. But events - the occurrences that change the context of an object or entity - also have their own context: time of occurrence, initiating entity, receiving entity, location, etc. Considering events separately from objects allows us to store temporal information directly, and to begin using the abstraction of an event history within a given domain. This would allow us to describe the semantics attached to other events in close spatial or temporal proximity to the event under examination.

Many applications in the security domain, for instance, typically consider patterns of behavior over time to be a primary type of context. For an application such as intrusion detection, the physical context of a system (with the exception of network topology) is actually irrelevant. In addition we would like to develop a way of describing context and context-ownership that facilitates context-sharing among entities in a given domain. This would be difficult if we consider a model where only objects possess context. If we were to develop a model based on the additional abstraction of an event along with objects, then we could begin to describe the context of an event: its time, its actor, its subject. And context-sharing becomes as easy as providing event information to all objects in the domain where the event occurred.

Logical context definition. Context is the set of interrelated conditions surrounding an entity or event, such that when they are considered together they give a full and complete usage or applied meaning to an entity or situation. These properties are not inherent to the entity or event and may be changed without affecting the semantics inherent to the item.
2.1.3 Context Representation

Strang et al. [23] cite the following six models for representing context: key-value, markup scheme, graphical, object oriented, logic based and ontology based.

They also establish six types of requirements that a ubiquitous computing application would need from a context modeling approach. The six properties of a context model that are most appropriate are:

- distributed composition - the ability to compose context information in the absence of a central entity responsible for the
- partial validation - the capability of validating context data without all of the related data being present at the same node
- formality - the overall level of structure used to organize the context data
- applicability - the context model should fit the application it is being used in
- incompleteness and ambiguity - in the domain of a security system, incompleteness can be manifested through the missing of events by an intrusion detection system
- quality of information - the concern about the quality of information delivered by a single sensor varying over time is less of a concern for well-connected intrusion detection, but the need for a context model that can accommodate varying levels of information quality between sensors is valid. Different intrusion detection systems provide different types and amounts of data on events in the system and the context model must be able to accommodate this.

Based on these requirements, the most appropriate context-modeling strategy is ontology based. This is also confirmed by Kemmerer et al. [24] who note that a common ontology is an important addition to the efforts by the Internet Engineering Task Force (IETF) to establish an intrusion detection message format and protocol.

2.2 Systems Integration

Before actually addressing the issues needed to achieve an integrated security system, the question as to what constitutes integration must be addressed. In this respect, there
are two major philosophies, both of which have had a significant amount of attention in the areas of system integration and microeconomics.

The first idea is to preserve the existing systems, sometimes called legacy systems, and apply technologies to make them interoperable and achieve the desired overall system, albeit a heterogeneous one. We will refer to this as horizontal integration. A great deal of research on this topic has been done in the area of Information Systems called Systems Integration or Application Integration.

The second idea is to take the requirements fulfilled by each of the legacy systems and develop an entirely new system that fulfills the requirements of all of the old systems, but is homogeneous. We will call this vertical integration. Although the objects to be integrated in our case are somewhat different than those in the fields whose research will be cited, many of the same analyses hold.

2.2.1 Horizontal Integration

There are three main characteristics that distinguish a horizontally integrated system [25]: (1) heterogeneity, (2) autonomy and (3) distribution. From the perspective of systems integration, all of these issues are risks which must be mitigated; in other words, they are things standing in the way of an integrated system. The mitigation process often does not change the fundamental characteristics of the constituent systems and so the same characteristics are usually present before and after integration. Systems integration views horizontal integration as a goal that must be facilitated, whereas economics theory views vertical integration as a phenomenon that occurs when certain factors are present. Thus, the determinants to be discussed later are usually described as strategies for overcoming these characteristics, but they are factors that lead to a horizontally integrated system nonetheless. Heterogeneity can manifest itself in two main areas: technical and conceptual [26]. Technical heterogeneity can come from differences in things such as: hardware platforms, operating systems, database management systems and programming languages. Conceptual heterogeneity can be produced by differing programming and data models
or differences in modeling real-world concepts. Autonomy usually occurs in the areas of design or communication and execution.

Architectures for horizontal integration. The first integration architecture is termed a component coalition. The architecture integrates independent components by providing a custom solution that will link the interfaces of the two components. These coalitions maintain the independence of the individual components in the following ways:

- each component has its own interface
- each component has independent control of its data and processing
- components may provide overlapping or conflict

The second type of integration architecture is a component federation. The main concept underlying component federations is the creation of a platform which can support a myriad of components as long as they conform to a set of standards. The federation provides infrastructure for inter-component communication and data sharing. Therefore, in contrast with component coalitions, component federations are more general-purpose and more flexible.

Mechanisms for horizontal integration. There are two primary mechanisms to facilitate the persistence aspect of data integration: conversion and a common data store. Under the conversion approach, components maintain separate data stores and data is translated to a format consumable by other components. With a common data store, however, there is a single source that accumulates data from all of the components. There are also two mechanisms commonly used to ensure semantics in data integration: a common schema and common data formats. The main method for achieving control integration is message passing. This message passing solution is actually the product of a mechanism to enable communication and a protocol to define the communication pattern.
2.2.2 Vertical Integration

One of the main characteristics that distinguishes vertical integration is the use of internal exchanges within a firm, instead of market or contractual exchanges [27]. Contractual exchanges are those in which the characteristics of the exchange between the two parties (typically price, quantity, etc.) are regulated by a contractual relationship. Another characteristic of a vertically integrated process is centralized control over neighboring stages of production or distribution. An extension of this is the way in which decision making in a vertically integrated firm differs from decision making in a vertically disintegrated one.

Determinants of vertical integration. There are three main factors that produce or lead to vertical integration: technological economies, transaction economies, and market imperfections. Technological economies are situations where less of an intermediate input is necessary to produce the same downstream output, when the exchange is controlled by the same firm. This leads to vertical integration because by taking on a certain task of a production process, a given company can lessen its need for certain resources. Transaction economies are situations where costs associated with the exchange of certain inputs can be lessened by internalizing the process. It is a very similar phenomenon to technological economies.

Advantages. The typically cited advantages to vertical integration that are applicable here are lower transaction costs and synchronization of supply and demand along a chain of products. The disadvantages are rigid organizational structure, and higher organizational costs of switching to other suppliers.

Manifestations of vertical integration in software systems. The theoretical points mentioned above have implications in security integration as well. We will use the characteristics of a vertically integrated business firm to establish what we mean by a vertical integration approach to security. Namely that:

1. The exchange of data between the modules responsible for different tasks is viewed as an internal operation, and utilizes a format that is standard across the entire application
2. The same programmatic entity is responsible for each phase of the security assurance process, or each security task.

2.2.3 Summary on Integration

A vertical approach to integrated security would perform the functions of access control, intrusion detection and intrusion response in the absence of interfaces and protocols between the three modules. Each of these tasks would instead be performed by modules with a shared or centralized control mechanism. A vertically integrated architecture would take advantage of low cost data exchanges between all of the modules and would also offer a higher degree of synchronization.

The approach described above as vertical integration roughly corresponds to the approach to security integration known as merged policy: the operations of access control, intrusion detection and intrusion response are all performed by a single policy evaluation mechanism, working with a single uniform policy. The absence of data exchanges based on interfaces or protocols also points to the fact that all of the operations in a merged policy solution are internal and do not require communication between different independent modules. Consequently, many of the drawbacks cited for vertical integration are also apparent in the merged policy solution: primarily the rigid structure of the solution and the prohibitive cost of using a data provider outside of those packaged in the evaluation mechanism.

The drawbacks of a vertically integrated solution have serious implications for a security system. Intrusion detection began as a means to detect intrusive behavior that could not be explicitly prohibited in an access control-like specification. In addition, many current methods for intrusion detection, using methods such as neural networks or immunology models, could not be satisfactorily represented in a rule-based specification. So there are theoretical as well as practical limits to a vertically integrated security system.

A horizontal approach to integrated security would facilitate interoperability while preserving autonomy and consequently some degree of heterogeneity. Depending upon
the architecture, it might be necessary to devise and enforce contractual relationships between the access control, intrusion detection and intrusion response modules so data exchange is performed in an agreed upon way. This could take the form of interfaces between each two modules in question. It would also be necessary to provide control and data integration to preserve the granularity of the system components and still provide an integrated solution.

A horizontally integrated solution is more consistent with the characteristics and needs of a distributed system, including: distribution, heterogeneity and autonomy for the involved systems. It could also enable a varied set of intrusion detection systems to interact without necessarily enforcing a particular detection method on each of the systems. Such a system would, however, have higher data transaction and processing costs.

For those reasons, therefore, the primary approach to integration will be a horizontal one. Both of the data persistence methods mentioned earlier in this chapter (conversion and a common data store) will be used for this solution. A common schema will be used to provide semantics, and a form of message passing will be used to provide some control integration.

2.3 Integration of Security Controls

We will define security integration loosely to be: the performance of a single security function or task utilizing the data or functionality from what are traditionally considered different security mechanisms. This notion of software components that perform multiple security tasks is not necessarily new, but the formality with which it is being dealt with is increasing. Franqueira [28] notes three basic strategies for 'narrowing the gap' between access control and intrusion detection: merged policy (a single component for AC and IDS using a uniform policy), correlation (both online and offline in logs) and additional information (using access control policies to model normal behavior). With the exception of the merged policy investigation, all of the research cited under correlation and
additional information are implementations of the respective technologies, not attempts to perform access control and intrusion detection in a coordinated way.

Ryutov et al. [29, 30, 31] take the merged policy approach and produce an implementation that seeks to perform access control and intrusion detection in a coordinated manner. They develop a multi-stage policy evaluation mechanism that operates on policies written in a language that has constructs for application level access control and intrusion detection. Unaddressed in this effort is a transparent method for a general access control mechanism to interface with data provided by different intrusion detection systems. In addition, although there has been some recent work on specification-based IDS [32, 33], most IDS systems still do not work on specifications, and the inability to specify the traits of attacks could be a potentially restrictive limitation.

The classification we will use for approaches to security integration will be based on the strategy used for integration, of which there are two: horizontal and vertical integration. We will define a vertically integrated security system as one where: (a) the exchange of data between the modules responsible for different tasks is viewed as an internal operation, and utilizes a format that is standard across the entire application and (b) the same programmatic entity is responsible for each phase of the security assurance process, or each security task. A horizontally integrated system, then, would be one where: (a) security tasks are performed by relatively autonomous programmatic entities and (b) the exchange of information between those entities is based on standards and an architecture to mitigate the effects of distribution and heterogeneity.

Vertically integrated systems can be somewhat rigid and difficult to expand to include new components or functionality from outside systems.

In reality, all of the approaches to performing access control and intrusion detection that have been done thus far reflect a vertical approach to integration, with the exception of [34] where the focus is using alert correlation to prevent local system resources from being used
to assist in a distributed or coordinated attack. There is still a need for an exploration of an open approach to integrating security components.

2.4 Use of Threat, Risk and Trust in Access Control

In order to utilize data from intrusion detection systems at an access control level, it is necessary to have a foundation upon which the derived context data can be related to traditional access control concepts. Solutions to this issue can be manifested at the policy level, or at the implementation level.

In [35] an extension to RBAC is developed to incorporate the notion of trust. They focus on trust based authorization and make provisions to adjust the trust given to a user dynamically based on the attributes of the user and environment as well as the past access behavior of the user.

The notion of risk is used in conjunction with threat in [36, 37]. The risk that a given request might pose to the system and the trust that should be afforded to the requesting entity are assessed simultaneously. Based on the risk of the request, a trust threshold is established which all requesting entities must meet or exceed in order for their requests to be granted.

An assessment of threat is used to make access control decisions in [38], by assigning a threat threshold which cannot be exceeded to each network resource and then maintaining a threat level for all outside nodes that is dynamically updated when they display suspicious behavior.

What is missing from the preceding efforts is an implementation that can enable access control systems to use the assessment data produced by intrusion detection systems to make decisions that are aware of system context.

2.5 Intrusion Response

In [39] one of the factors used to classify response systems is their method for selecting responses. They are divided into three classes: those that map attacks statically, those that do so dynamically based on some parameters and those that use a calculation
of the relative cost of the intrusion with the cost of the response. Static response selection matches a particular attack with a pre-determined response. Dynamic mapping systems select an appropriate response based on attack metrics. At design time, each attack is associated with a set of responses and then in real time one of the responses is chosen based on the characteristics of the attack. Cost-sensitive response selection determines the best response based on several cost and risk factors. These values may include monetary values, probabilistic measurement or other objective metrics. They may also include relative measurements of organizational security and risk factors.
CHAPTER 3
GENERAL APPROACH PART 1: CONTEXT ACQUISITION

3.1 Introduction and Design Goals

The first necessary stage in architecting context-aware behavior is to gather the data which will influence the behavior of the mechanism. Because the data in question is coming from largely autonomous assessment mechanisms with high degrees of heterogeneity, the acquisition of context data is partially an integration problem. Systems integration approaches typically discuss the architecture, data integration and control integration strategies used to reduce heterogeneity while preserving the autonomy of the involved systems. The other facet of the context acquisition method is the means for discovering relevant context information once heterogeneity has been reduced. Design goals for the approach for context acquisition include:

Dynamic Context Discovery - One of the primary characteristics of the approach for context acquisition will be to provide support for what we will call dynamic context framing. Using the notion that the context of an event consists of other, related events, we then establish criteria for relatedness that are appropriate for each individual security mechanism and then frame the context of an event based on those two factors. This context acquisition strategy must allow security components to select and receive only that data that is relevant to the decision they are trying to make. Because security mechanisms deal with events, they should be able to select the other events that relate to the event under consideration without necessarily having to process and deal with every event that occurs in the domain. As noted in [40], this property is not so much a desired trait as a required one, as the volume of events processed solely by intrusion detection systems can reach tens of thousands per day. This implies also that the strategy for context acquisition must be able to search for events based on characteristics of relevance. So the first required property of the context acquisition approach is that it must provide relevant data.
Implementation Transparency - Another goal of our approach with regards to acquisition of context data is to allow security mechanisms to acquire data from other security controls while remaining agnostic of their implementation details: that a security component can acquire context data merely by knowing the features of the data it would like to receive. In this case that will entail the features of the event that is being evaluated and the domains from which the data should be gathered.

Provider and Consumer Decoupling - Another necessary feature is that the provider and consumer should be decoupled in time and space. We would like to provide functionality where an event provider can register or publish event information and then consumers can access that data according to their own constraints around what constitutes relevant context data. This also implies that the accesses of the provider are to be asynchronous, while those of the consumers will be synchronous. Decoupling in space is also necessary to support distribution.

Allowing Policy Level Description of Relevant Context - Before we can analyze context data, or even search for it, we must have a means to describe its features and characteristics. One primary way of achieving this is through policy-specifications that include the features of context data.

3.2 Survey of Context Acquisition Approaches

In this section we outline two approaches for architecting a system capable of providing on-demand context data and then discuss specific issues relating to how access control and intrusion detection can be brought closer together. Both of the approaches are within the classification of horizontal integration approaches as discussed previously. They differ primarily in whether or not data exchanges are carried out with the use of an external third party. The first architectural approach is a closed one, based around a component coalition. This approach is appropriate for environments where the participants in the architecture are few and will not need to be extended. It relies on point-to-point integration between the interfaces of each participating mechanism. The second approach
we will discuss is an open approach, based around a federation. This approach focuses on providing what amounts to a middleware that facilitates communication between the different mechanisms with a high level of transparency, but a corresponding increase in required development effort.

3.2.1 Closed/Coalition Approach

A component coalition integrates independent components by providing a custom solution that will link the interfaces of the two components. These coalitions maintain the independence of the individual components in the following ways:

- each component has its own interface
- each component has independent control of its data and processing

Because each component maintains control over its own data and processing, this architecture allows for the desired transparency of intrusion detection method. In addition, this architecture allows the focus to remain on developing effective interfaces for each of the components.

The architecture of the coalition is pictured in Figure 3-1. The movement of data in this architecture is achieved through a pull mechanism on the part of the event consumers. This is necessary, because only select events are actually of interest to the consumers, and the actual attributes of those events are dynamically determined. Each component is pictured as both a provider and consumer, but any one component can serve as a provider or consumer, both or neither.

The diagram in Figure 3-2 describes the sub-parts of each security component. The Core Decision Mechanism (CDM) is the portion of the component that is responsible for fulfilling the primary tasks and responsibilities designated for that component. The flow of data from the Event Consumer (EC) to the CDM is based on a pull request from the CDM. This is based on the assumption that not every context event is relevant to the tasks that the CDM is trying to perform. Thus, as needed, the CDM can request context data using the context discovery policy that the EC contains. The flow of data from the
CDM to the Event Provider (EP) is a push mechanism for much the same reason. It is assumed that not every event processed by the CDM will be useful to publish as context data, and so the CDM can publish select events at its discretion.

Data integration: data store and common schema. In this system, it will be necessary to provide both data semantics and data persistence. There are two primary strategies for achieving data persistence. The first is conversion, where each component maintains its own data store and data is translated into formats that are consumable by other components. The second mechanism for data persistence is a common data store. This data store is merely a single source that accumulates information from all of the components. Both of these strategies will be used to provide the necessary transparency. A common data store is necessary to collect data from all of the intrusion detection systems in a single format. The strategy for clustering and linking alerts depends on a standard for the representation of intrusion detection alerts. These clustering and linking algorithms use conversion to operate on intrusion detection data while still returning a value consistent with the access control schema.

The mechanism used for data semantics is a common schema. This common schema is generated differently, however, than the merged policy schema. In the merged policy approach two or more schemas are merged to produce a new schema and the originals are discarded. The approach being used here, however, is to augment one schema (e.g. the access control schema) with essential elements from another schema (intrusion detection), but preserve that other schema for representing data in that domain and convert between the two as necessary. The augmented schema serves as a common point of reference for the two separate domains.

Control integration: message passing. The mechanism for control integration in the coalition based approach is message passing. Alerts travel by message passing from IDS systems to the central data store. Message passing will also be the means through which access requests and responses are sent to and from the decision point.
3.2.2 Open/Federation Approach

Architecture: context management services. The desired functionality from an architectural point of view is to provide services that can aggregate context information from multiple providers, and then subsequently disseminate that context information back to consumers on-demand. There are a number of distributed system architectures which could be used in this scenario; however, Publisher/Subscriber (pub-sub) systems are best suited to the problem of a context data-sharing framework for a number of reasons. First is the fact that all pub-sub systems support decoupling of the producer and consumer in time and space, which is an essential design requirement for this system. In addition there is existing work on content based, and even ontology based, pub-sub systems [41] that can be built upon for allowing the selection of appropriate context data which will be consistent with the chosen approach for modeling context data.

Service Oriented Architectures also provide additional formalisms on top of a basic publish-subscribe architecture to facilitate registration and lookup of services (or in this case context providers) that will also be necessary. The basic model used will consist of a network of context providers and context aggregators. The aggregators are hierarchically structured and subsequently feed context consumers. Any security component in the network can serve as either a context provider, consumer, or both. The security components will be primary context providers and secondary context consumers. The mediating services will be primary context consumers and secondary context providers.

In Figure 3-3, security components are again pictured containing event consumers. In this instance, however, the event provider is a common service. Instead of requesting events from the different providers based on knowing which provider has which events, the events can be acquired from one service, merely by knowing the features of the desired events.
In Figure 3-4, the anatomy of a security component under the open architecture is shown in greater detail. The core decision mechanism now pushes events to the common event provider service which is external to the component.

Data integration: low-level context modeling. This approach is based on a different concept of context than is commonly used. In pervasive computing research, the primary concern is having applications respond to changes in the physical environment generated by users and other physical objects. In security, however, the primary concern is events in a virtual environment where most of the objects are passive data elements. Security controls such as access control and intrusion detection function as event classifiers. As a result, the focus shifts from decomposing an event into the state changes that it produces in physical objects to maintaining the event itself as the primary object of concern which must be examined. Consequently, a more appropriate definition of context would be the events related to a given event that provide additional information about the circumstances under which that event occurred. In this way, the context of an event consists of other, related events.

In [23] six methods for modeling context data are cited and the ontology based modeling technique is cited as the one most capable of providing the features used to evaluate all of the modeling methods. The features most relevant to the discussion at hand are: distributed composition, partial validation, handling incompleteness and ambiguity, sufficient formality and applicability to existing environments. This survey, in addition to the frequent use of ontologies in service oriented architectures, indicates that an ontology based context model would be the most suitable to achieve the aims of this project.

As for actual construction of the ontology, it is noted in [42] that there are three primary methods for using ontologies to facilitate integration. Those methods are the following: establishment of a single global ontology, use of multiple ontologies each for a specific sub domain, or a hybrid approach that allows for multiple specific ontologies, but bases them all on a shared vocabulary to facilitate interoperability.
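The following is an added example, not code from the dissertation, of the dynamic context framing described in Section 3.1 under the event-centric notion of context above: events from two security domains share a small set of common attributes, a common event provider service holds them, and a consumer pulls only the events satisfying its relatedness predicates. The attribute names, the predicates and the sample events are assumptions made for illustration.

```python
"""Dynamic context framing over a shared event vocabulary.

Added example (not code from the dissertation): events from different
security domains are published to a common event provider service, and a
consumer frames the context of one event by pulling only the events that
satisfy its relatedness predicates.  Attribute names, predicates and the
sample events are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Attributes assumed to be shared by the access-control and IDS domains."""
    event_id: int
    time: float      # seconds; clocks assumed synchronized across providers
    source: str      # initiating entity (e.g. an external node)
    target: str      # receiving entity (e.g. a web resource)
    domain: str      # originating domain: "ids" or "access_control"
    kind: str        # domain-specific event type


# Relatedness predicates: each takes (candidate, anchor) and returns a bool.
def same_source(candidate, anchor):
    return candidate.source == anchor.source


def same_target(candidate, anchor):
    return candidate.target == anchor.target


def within(seconds):
    """Temporal proximity predicate, parameterized per consumer."""
    def predicate(candidate, anchor):
        return abs(candidate.time - anchor.time) <= seconds
    return predicate


def any_of(*predicates):
    """Disjunction, so a policy can express 'same source or same target'."""
    def predicate(candidate, anchor):
        return any(p(candidate, anchor) for p in predicates)
    return predicate


class EventProviderService:
    """Common provider of the federation approach: providers push events,
    consumers later pull on demand by describing the events they want
    rather than by naming the provider that holds them."""

    def __init__(self):
        self._events = []

    def publish(self, event):
        self._events.append(event)

    def frame(self, anchor, policy, domains=None):
        """Return the context of `anchor`: every other event, optionally
        limited to `domains`, for which all predicates in `policy` hold."""
        return [
            e for e in self._events
            if e.event_id != anchor.event_id
            and (domains is None or e.domain in domains)
            and all(p(e, anchor) for p in policy)
        ]


# Constructed sample events as two providers might publish them.
SAMPLE_EVENTS = [
    Event(1, 100.0, "10.0.0.5", "/login", "ids", "exploit_attempt"),
    Event(2, 130.0, "10.0.0.5", "/admin", "ids", "exploit_attempt"),
    Event(3, 140.0, "10.0.0.7", "/search", "access_control", "request_permitted"),
    Event(4, 900.0, "10.0.0.5", "/login", "ids", "repeated_login_failure"),
    Event(5, 150.0, "10.0.0.9", "/admin", "access_control", "request_denied"),
]


def build_service(events=SAMPLE_EVENTS):
    service = EventProviderService()
    for event in events:
        service.publish(event)
    return service


def frame_request(service, request, window):
    """A context discovery policy an access-control consumer might hold:
    IDS events from the same source or against the same target, within
    `window` seconds of the request being evaluated.  Returns event ids."""
    policy = [any_of(same_source, same_target), within(window)]
    return [e.event_id for e in service.frame(request, policy, domains={"ids"})]


if __name__ == "__main__":
    request = Event(6, 160.0, "10.0.0.5", "/admin", "access_control", "request")
    print(frame_request(build_service(), request, window=60.0))
```

Narrowing the window or the domain set changes what the consumer receives without touching the providers, which is the decoupling the design goals call for.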
The fact that there are some existing standards for representing security event data [43, 44] and the need to make the context model extendable advocate in favor of a hybrid approach. The major task, then, for this context model is two-fold: (1) the content of the shared vocabulary, and (2) the transformation of existing event representations into a form that is compatible with the shared vocabulary. The shared vocabulary will consist of two primary elements: (1) a set of attributes common to two or more security domains that can be built upon to establish specific domain ontologies, and (2) a set of predicates that express certain relationships, both semantic and syntactic, between two or more events.

Control integration: ontology-based event correlation. The preceding two research focuses (context modeling and context management services) have been necessary to provide a framework and infrastructure support for the first pillar of the approach, namely context acquisition. The actual process of context acquisition will rely on correlating events using the attributes in the shared vocabulary and the predicates for expressing relatedness between events that will also form part of the context model.

3.3 A Coalition-Based System for Context Acquisition

3.3.1 Information Model

3.3.1.1 Access control

Defining access control. Sandhu and Samarati [45, 46] define access control as a family of strategies for one party to precisely control what other parties will be allowed to do with resources that it controls. They restrict it, however, to limiting and controlling the actions that authorized users of a system are allowed to perform. They also note that true information security is the product of access control in conjunction with authentication and auditing. They highlight what are perhaps the three most prominent access control policies:

- Discretionary Access Control (DAC): information access is governed by rules that state, for each user and for each data item, which access modes the user is allowed on that object. DAC is very flexible, which makes it adaptable to a variety of
environments, but it does not provide true guarantees on the flow of information in a system.

- Mandatory Access Control (MAC): also known as lattice-based. Security levels are associated with each user and data object in a system. Users can only read down (read items whose security level is at or below their own), and may only write up (write to data objects whose security level is at or above their own). This prevents information from higher security areas flowing to lower security ones.

- Role Based Access Control (RBAC): a role is a set of actions and responsibilities associated with a certain work activity. Access authorizations are then specified for roles, and individual users adopt roles as needed, with certain restrictions.

Tasks and responsibilities in integrated security. In an integrated security architecture, access control policies should take advantage of state information from other parts of the architecture so that policies can enforce access limits with a high level of granularity and specificity. In addition, these dependencies should be allowed to change dynamically and autonomously. Access control also takes on the additional role as the point of inflection and the place where changes are reflected.

Data provided by access control. The access control mechanism has access to the policies governing each resource and therefore can provide information on how each resource is being controlled. In addition, in most systems an access control mechanism will intervene on every resource request that passes through the system, and thus access control can provide detailed information on a request-by-request basis. Such information would include the following: abnormalities in access requests, operation requests and failures, resource usage, login/logout information and exception conditions.

Information needed by access control. To achieve the goal of access control being based on the overall context of the system, it is necessary for the access control system to resolve dependencies in access policies. These dependencies could include information about any attacks that have taken place, or changes in the policy to help the
system recover from and prevent future attacks. An outline of the information needs for access control is the following:

- Vulnerability of each available system resource
- State of compromise of each available system resource
- Compromised/misused user accounts
- Attack description: user, operation, resource, means
- Policy modifications/updates
- Aggregate system data for policy evaluation

3.3.1.2 Intrusion detection

Intrusion detection: traditional definition. A widely accepted definition of an intrusion is "any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource" [47]. Sandhu and Samarati mention intrusion detection as a method for ensuring audit controls and divide intrusion detection systems, based on reactivity, into passive (used to analyze audit data and report anomalous behavior) and active detection (analyze audit data in real time and may respond to protect systems). Other authors classify intrusion detection strategies based on how they detect an intrusion: either detecting misuse, which relies on recognizing well-known attacks, or detecting anomalies, which merely tries to establish a deviation from normal user behavior. Misuse detection systems typically rely on matching events with known attack scenarios or signatures. Anomaly detection systems establish models for normal behavior through techniques from statistics, artificial intelligence or other fields.

Tasks and responsibilities in integrated security. The notion of an intrusion detection system that uses audit records is inherently dependent upon at least one other security mechanism, namely access control. Introducing the notion that information will flow back 'upstream' from intrusion detection to access control, however, gives rise to new opportunities for the intrusion detection system.
Information provided by intrusion detection. In general, an intrusion detection system should provide the following information regarding a perceived intrusion: certainty of analysis, attack impact, and attack characteristics.

Information needed by intrusion detection. The information that the intrusion detection system uses to perform its tasks mainly consists of information on specific access requests, such as the following: the user performing the action, the action being performed, the resource being used and any exception conditions generated.

3.3.1.3 Intrusion response

Intrusion response: traditional definition. The main function of an intrusion response system is to take steps to both prevent future attacks and mitigate the damage from current attacks, based on characteristics of the attack and the type of the system resource. The Fisch taxonomy [48] provides the following classification of the types of intrusion response: active damage control, passive damage control, damage assessment and damage recovery.

Tasks and responsibilities in integrated security. In addition to traditional response techniques, the integration of an intrusion response system with access control provides the opportunity to make access control policy modifications.

Information provided by intrusion response. An intrusion response system will have various response scenarios for different attack types. It will be able to provide information about how to mitigate attack vulnerabilities, and the measures necessary to counter different attack types, including policy changes for the following: intrusion mitigation or recovery, and intrusion prevention.

Information needed by intrusion response. The Carver intrusion response taxonomy [49] classifies intrusion responses in six dimensions. Each of these dimensions is, in reality, an input to the intrusion response mechanism that determines the type of response. The taxonomy consists of the following elements: timing, type of attack, type of attacker, attack implications, strength of suspicion and environmental constraints. The
attack implications dimension refers to how critical the resource is to the system as a whole. The environmental constraints are any limits on the type of response that can be taken, whether they be legal, technical or otherwise. The strength of suspicion is a measure of the certainty the IDS has in the intrusiveness of the event under question. If the goal is to integrate intrusion response directly with access control, the response should be based on the policy used to control access to the resource: the underlying model, the policy target and the operations permitted by the policy.

3.3.1.4 Model overview

This information model (see Figure 3-5) is based on the main abstraction of a SecurityEvent. The three main subclasses of events are AccessRequest, IntrusionAttempt and IntrusionResponse, which will each be discussed separately below. This model relates the conditions for an access request to the data from an intrusion analysis by placing the latter as attributes of a subclass. Intrusion attempts are linked to intrusion responses by including one or more of them as a property of each response. There are four main classes: SecurityEvent, AccessRequest, IntrusionAttempt and IntrusionResponse.

3.3.1.5 Security event

Attributes:
1. Source: the initiator of the event. Possible sources are: Node, User, Process or Service
2. Target: the intended object of the event. Possible targets are: Node, User, Process, Service or File

Subclasses:
1. AccessRequest: an attempt by some source to perform an operation on a target.
2. IntrusionResponse: the response to an intrusion attempt.
3.3.1.6 Access request

Attributes:
1. EvaluationResult: the result of the evaluation of the set of preconditions applicable to this request. Possible results are: Permit or Deny
2. Requirements: the set of conditions that must be satisfied for the request to be granted. Preconditions can be specified for the Environment, Subject, or Resource
3. Consequences: specification of actions that should be taken on request completion.

Subclass:
1. IntrusionAttempt: an access request that is deemed intrusive.

3.3.1.7 Intrusion attempt

Attributes:
1. Means: what was used to perpetrate the attack. Could be in one of three subcategories: BypassingControl, PassiveMisuse or ActiveMisuse
2. Assessment: the system's judgment of the event on: its Impact in the system, the Confidence of the analysis and the Classification of the attempt
3. Results: the net effect of the intrusion attempt. This could fall into one of three categories: DenialOfService, Exposure or ErroneousOutput

3.3.1.8 Intrusion response

Attributes:
1. Constraints: any system factors that limit the response that can be taken against the intrusion attempt
2. IntrusionAttempt: one or more intrusion attempts that are being responded to

Subclasses:
1. ResponseDuringTheAttack: could be either Active or Passive
2. ResponseAfterTheAttack: could be with the aim of Assessment or Recovery
3.3.2 Implementation

We have implemented a system based on the proposed information model. This implementation consists of two primary systems: an access control system and an intrusion detection system. In this initial implementation we make use of the closed/coalition approach with reactive data analysis to produce threat information.

Our access control system is based around the eXtensible Access Control Markup Language (XACML) [44]. XACML specifies a language for access control policies as well as access requests and responses, all in XML. The language supports policies that are composed of the following elements:

- A target: the set of resources, subjects, actions and environments to which the policy will apply
- A rule-combining algorithm: a specification of how different rules should be composed
- A set of rules: each rule is a combination of a target, an effect and a condition
- Obligations: operations that must be performed in conjunction with the enforcement of a specified authorization decision, and are returned along with that decision

The effect portion of the rule indicates whether the rule is a negative or positive access right. The condition element of a rule offers the possibility of further narrowing the applicability of a rule, by specifying things that must be true for the rule to come into effect.

The motivation behind this language is to provide a common policy language for enterprises to ease the difficulties that come with the current heterogeneity in policy representations for different security domains. Due to its descriptiveness and expansive range, some of the elements of the XACML data model have been included in the proposed information model.

The XACML specification also includes abstractions for an access control architecture. The primary elements of this architecture that we will discuss are:
- Policy Decision Point (PDP): evaluates policies and returns a decision on the request.
- Policy Enforcement Point (PEP): responsible for making requests to the PDP based on access requests and actually enforcing the decisions returned by the PDP.

The information flow in this system is detailed in Figure 3-6. It includes the following steps:

1. An initial access request is made for a resource under the control of the web server. In this way the web server fulfills the role of a Policy Enforcement Point (PEP) as discussed in the XACML architecture description.
2. The web server initiates a request to the access control system (the Policy Decision Point) indicating the resource being requested and the source of the request.
3. The access control system finds the policy that governs that resource and extracts any rules indicating that the request response should be based on threat information, and what the dimensions of the threat profile are (source, target or both).
4. Based on the dimensions of the threat profile and the features of the actual request, the access control system establishes criteria for a set of related events.
5. All of the related events are selected from the IDS data store.
6. The calculation method for the threat profile is applied across the set of selected events and the resulting value is checked against the threshold from the policy.
7. A request response is returned to the web server, which then regulates access to the resource.

In our implementation, the PEP is a basic web server, modified to pass access requests first through an XACML PDP written with the Sun Microsystems XACML API. The PDP functions as a module on the web server, but could be implemented as a standalone service.

All of the intrusion detection data is generated through an instance of Snort, configured to report alerts in IDMEF [50] format. Alerts are generated by the IDS and sent to the service that receives the alerts and stores them in an XML database. For each
access request, the database is then queried for alerts based on the policy that governs the resource being accessed.

3.3.3 Summary of the Coalition Approach to Context Acquisition

We have modeled and implemented a system that uses a coalition approach (a one-to-one mapping) to integrate an access control system and an intrusion detection system. The benefits of this approach are its relative simplicity and lack of reliance on infrastructure support. Because there is less overhead in selecting relevant context data, this approach is also more efficient. Overall, the coalition approach described would only be appropriate for access control systems embedded into networked applications that have strict time requirements and do not need a full range of assessment data to select from. The main strength of the federated approach is the ability to use the same interface to access context data from a variety of assessment mechanisms; if this functionality is not required, then the coalition approach could be sufficient. The implementation discussed served to elucidate some of the critical limitations of pursuing the coalition approach to context acquisition.

While the coalition approach is easy to implement and provides efficiency because of its limited scope, it still fails to fully provide all of the design objectives that were identified in Section 3.1. The federated approach, in contrast, provides for things like provider and consumer decoupling, implementation transparency and dynamic context discovery in a more complete way, due to the use of secondary context aggregation services. For that reason, the federated approach to context data acquisition will next be examined.

3.4 A Federated System for Context Acquisition

3.4.1 Approach

The approach for addressing the design of federated systems will be different from the approach used for coalition systems. Because coalition systems rely on one-to-one interactions between the different components, it is necessary to eliminate the heterogeneity or provide a common schema that allows interoperability between each pair of systems. In the federated approach, the focus shifts to maintaining the autonomy and existing schemas
but mitigating those factors with secondary mechanisms. We will employ a strategy of event correlation as the primary means for aggregating contextual information across multiple domains.

3.4.2 The Use of Event Correlation in Federated Systems

In Section 3.2.2, the use of ontology-based event correlation for control integration was discussed. Event correlation, however, is a broad field encompassing many different approaches. In order to select the appropriate approaches for correlation we will first survey what has been done in this regard and then evaluate those methods in light of the requirements that must be satisfied to facilitate event correlation across multiple domains. In addition, the construction of the ontology must be dealt with in some depth. Various approaches will be explored for constructing an ontology aimed at integrating various data sources. Based on the design requirements previously discussed, the best approach will be selected and an ontology for correlation will be proposed. Finally, the design and implementation of a context aggregation service incorporating ontology-based correlation will be discussed.

3.4.3 Available Correlation Methods: A Taxonomy of Event Correlation Approaches for Security Data

We next survey relevant research in the area of alert correlation, offering two taxonomies of event correlation approaches used specifically with IDS data. The first taxonomy is based on the goal of the correlation process and the second classifies approaches based on the type of relationship that is established between the alerts in question.

3.4.3.1 Taxonomy of alert correlation methods based on outcome

To summarize the preceding survey, we offer the first of two taxonomies. There are three primary goals for event correlation seen in the existing literature: (1) alert reduction, (2) alert association and (3) alert analysis.

Correlation methods that achieve alert reduction are typically referred to as fusion or merging. In reality, most of the merging techniques do not merge alerts in the sense of
replacing two distinct alerts with a new one that somehow addresses them both. Instead, the approaches that perform merging, such as [51, 52, 53], utilize the notion of a meta-alert which represents the information present in several distinct alerts through lists for discrete values (such as IP addresses and ports) or ranges for continuous values (such as time). The effect of creating a meta-alert achieves alert reduction because, ostensibly, the administrator can inspect a meta-alert instead of the multitude of alerts that it is constituted by. In this way, the reduction of alerts is only from the perspective of the administrator.

The next division of correlation methods contains techniques that detect or assert an association between two or more alerts. This class encompasses the following approaches: aggregation [9, 52], clustering [51, 53, 54, 55, 56], multi-step attack detection [8, 52, 57], session reconstruction [52] and detection by chronicles [58]. All of these techniques have been grouped together because in the end they all express a relationship between the alerts that are the subject of the approach. In the case of clustering, the relationship is a similarity based on perceived distance. For aggregation, the association is a set of one or more shared attributes; in that sense it is a stricter form of clustering. Multi-step attack detection associates alerts that are proper subsets of the same set. A high-level attack sequence is viewed as an ordered set of distinct actions that achieve a certain observable effect on the system. The individual alerts are therefore associated with each other through membership in a specific high-level attack sequence. The chronicles approach is similar to the multi-step detection approach, with the addition of temporal constraints between various states.

The correlation techniques in the alert analysis class are impact analysis and prioritization [52]. Both of these approaches make a determination about an individual alert using only its features and data about the overall context of the system. In the case of impact analysis, the context information is an asset database and whether or not the attack
succeeded. For prioritization, the context information is a weighting assigned to the class of the attack, as well as the asset database also used for impact analysis.

3.4.3.2 Taxonomy of alert correlation methods based on means

The taxonomy for alert correlation methods based on means includes the following techniques: (1) attribute congruence, (2) attribute similarity, (3) membership in a common superset and (4) ontological relationship. The aim of this taxonomy is to distinguish between correlation approaches based on how they are conducted.

In the first category, attribute congruence, there are two subcategories: syntactic and semantic. Aggregation is the only correlation approach that relies on complete syntactic attribute congruence to associate one or more alerts. This is a result of establishing criteria for membership in an output set such that certain attribute values a_1, a_2 and a_3 of one alert must be equal to the values a'_1, a'_2 and a'_3 of another, respectively (in the case where all three values are used). The most thorough examination of aggregation is found in [9], but it is also discussed, under a different name, in [52], where it is divided into two distinct tasks. Attack thread reconstruction is aggregation of alerts with the same source and target, while attack focus recognition is aggregation of alerts with either the same source or the same target.

The session reconstruction approach in [52] relies on what will be referred to as semantic attribute congruence. Session reconstruction links two alerts, issued at different deployment levels, that refer to different targets syntactically (a port number and a service name), but are in reality describing the same system entity.

Under the category of attribute similarity we place clustering [51, 53, 54, 55, 56]. Implicitly, merging is also placed in this category, because it is almost always preceded by clustering. A cluster of alerts is the product of using a set of expert-designed similarity measures to determine which alerts are most like one another. Within the common membership class are multi-step detection [8, 52, 57] and the chronicles approach [58],
both of which link alerts based on the fact that they are associated with the same high-level attack description.

Under ontological methods, the first is the pre/post-condition approach. This approach is most thoroughly discussed in [8, 57] and relies on a specification of preconditions and post-conditions for each attack. When an alert arrives indicating an attack, it is compared with other available alerts to find matches between its conditions and the conditions of those alerts. The second approach is the cause-and-effect (or triggering) approach used in [56]. Although the pre/post-condition approach is also a part of this method (specifically the one used in [8]), it is somewhat distinct, because the complete functionality relies on a specification of events and the alerts that they trigger.

The full taxonomy is presented in Figure 3-7.

- Attacks: relationships between distinct attacks (we will assume that certain attacks can be identified by the presence of a few specific properties such as classification, action, etc.)
  - Ontological Relationship: those relationships that identify a specific logical relationship between two attacks
    - Pre/Post Condition
    - Cause/Effect: one attack is identified as the trigger or cause for another
  - Shared Membership
    - Attack Classification: both attacks are in the same class. A class may be identified by specific values of certain fields
    - High-Level Attack Scenario: both attacks are members of a high-level attack scenario made up of multiple events
- Alert Attributes: relationships that can be established between individual fields in an alert
  - Congruence
    - Semantic: the two attributes are related through a third element that indicates that they refer to the same entity
    - Syntactic: the value for the specified attribute is the same in both alerts
  - Similarity
    - Positive Proximity: based on a pre-designed distance measure, the attributes for the two alerts fall within a threshold for the maximum separation
    - Negative Separation: based on a pre-designed distance measure, the attributes for the two alerts exceed a threshold for the minimum separation
    - Covariance: specific sets of attributes vary in the same way from one alert to the other

3.4.4 Selecting an Effective Ontology Approach

In [42] three methods are discussed for developing ontologies whose purpose is content explication in an integrated system: a global shared ontology, multiple isolated ontologies and a hybrid approach. In the first approach, one global ontology is devised to provide a shared semantic vocabulary across all of the information sources. This approach is most suited to situations where all of the information sources share a similar view of the domain; if even one information source has a slightly different view, it can become difficult to produce an effective global ontology. The second approach, constructing a separate ontology for each information source, has the advantage that it supports evolution of the information sources, and the addition and removal of information sources. Under this approach, however, in order to compare ontologies it is necessary to define an inter-ontology mapping. Inter-ontology mappings can be difficult to define in practice, not to mention the fact that as the number of information sources expands, the number of pairwise mappings that are necessary grows quadratically. The hybrid approach allows for the semantics of each information source to be described by its own ontology, but with the requirement that the individual ontologies are built from a global shared vocabulary. The shared vocabulary contains the basic terms that are combined in local ontologies to
produce more complex semantics. The hybrid approach supports addition and evolution of ontologies, but has the drawback that existing ontologies must be rebuilt from scratch on top of the shared vocabulary.

Comparison of ontology approaches. The global ontology option is not suited to providing inter-domain event correlation, because different views of the domain do exist, even if only considering access control and intrusion detection. While the task of producing a global ontology for access control and intrusion detection might not be that infeasible, there are a few additional goals present in this case which make this option inappropriate. One such goal is to provide a semantically explicit description of the elements in current data models to facilitate adoption and interoperability. Another is to preserve a degree of modularity between the systems. The approach of producing multiple, isolated ontologies also does not meet the design requirements in this case, because the primary goal is to compare events based on these ontologies, and the need to provide pairwise mappings between every pair of ontologies would make such a system difficult to produce. The hybrid approach best meets the requirements in this situation. It can allow a particular security mechanism to discover events from a variety of potential data sources, using only the information contained in the base vocabulary. It can also allow the ontologies for the individual domains to evolve independently.

3.4.5 A Hybrid Event Ontology

3.4.5.1 The basis for a common ontology

In order to produce a base vocabulary we will use the IDMEF and XACML schemas, both of which provide representations for events, although in different domains. The goal of this process is to extract enough common elements from these two data models to form the basis of a shared vocabulary for cross-domain event correlation.

A survey of the XACML event schemas. The XACML schema provides two event representations: access control requests from a source, and the response from the policy decision point. The XACML request context schema contains the following elements: (1) Subject (information about the subject of the request), (2) Resource
(the resource or resources for which access is being requested), (3) Action (attributes about the action being requested) and (4) Environment (attributes of the environment in which the request is occurring). The XACML response context schema includes the following elements: (1) Decision, (2) Status and (3) Obligations.

The IDMEF event schema. A message in the Alert class contains the following relevant classes: (1) Classification: the name of the alert; (2) Source: the source of the event described in the alert; (3) Target: the target of the event described in the alert; (4) Assessment: information about the impact of the event, actions taken by the analyzer in response to it, and the analyzer's confidence in its evaluation; (5) AdditionalData: information included by the analyzer that does not fit into the data model.

3.4.5.2 The proposed ontology

The ontology being proposed (see Figure 3-8) consists of three main parts: a base vocabulary, an access control domain ontology and an intrusion detection assessment ontology.

The base security event vocabulary. The common elements of these two event schemas are the access source, the target and the action being performed. Combining all of the preceding discussion regarding existing data models and the taxonomy of system actions, we therefore offer a base vocabulary for inter-domain event correlation of assessment data in access control systems based on the following primary elements:

- SystemEntity: the class containing all valid system entities. The subclasses of SystemEntity are Node, Process, User, Service and File. The first four subclasses are valid domains for the EventSource property, and the latter four subclasses are valid domains for the EventTarget property.
- SecurityEvent: a generic type of event possessing the properties of an event source, event target and event action. The subclasses of SecurityEvent needed for detailed data description are AccessRequest, AccessResponse and Assessment.
- Action: the class containing all of the distinct system actions. Subclasses needed for detailed data description are ClientAction and ServerAction.

Access control domain ontology. In order to provide a more detailed description of information at the access control level utilizing the base vocabulary, we develop two subclasses of the SecurityEvent class (AccessRequest and AccessResponse) and two subclasses of the Action class (ClientAction and ServerAction). The class AccessRequest has the properties hasSource, hasTarget and requestAction. The first two properties range over SystemEntity and are inherited from the parent SecurityEvent class. requestAction ranges over the class ClientAction. The AccessResponse has the respondsTo property, which references an AccessRequest; a responseString datatype property that contains the actual request response (permit or deny); and a hasResponseAction property whose range is the set of ServerAction actions. In the case of the AccessResponse, the hasSource and hasTarget properties are still present, but the relationship between client and server has been flipped: the source of the AccessResponse is the server that was initially contacted with the access request.

There are two subclasses of the Action class generated for access control: ClientAction and ServerAction. ClientActions are the desired manipulations of system resources that are specified in AccessRequests. They are subdivided into Malicious and Non-Malicious. Non-malicious actions include CommandExecution, DataAccess and DataAlteration. Subclasses of ServerAction are RequestDecision and EvaluationObligation. RequestDecisions are the basic permit/deny decisions issued for each request; EvaluationObligation refers to the obligations mentioned in the XACML schema [59], which constitute actions that the policy decision point returns, as a result of evaluating an access request, to be carried out when the decision is enforced.

Intrusion assessment domain ontology. Assessment is the class of analyses regarding events or entities. Each assessment has an assessmentSource property whose range is an AssessmentSensor. Each AssessmentSensor has a confidenceRating that affects the way its analyses are viewed; in this case the confidence rating is given by the
access control system utilizing events from that sensor. The primary subclass included in the event ontology is the IntrusionAssessment class. Other assessment types will be discussed under the topic of context analysis.

Each IntrusionAssessment has the following datatype properties: impactSeverity, impactType and attackCompletion (indicating whether the attack completed successfully or not). Assessments also have the following object properties: describedBy, triggeredBy, hasIntrusiveAction, hasSource and hasTarget. The describedBy property has the range of a VulnerabilityDescription and denotes that the vulnerability whose exploitation was detected is described in the referenced description. Each VulnerabilityDescription has a referenceID, an originDB and a referenceURL. The triggeredBy property has a range of the set of AccessRequests and denotes the access request to which the assessment applies. The properties hasSource and hasTarget both refer to SystemEntities that are the source and target of the intrusive event, respectively, and are inherited from the parent SecurityEvent class. The hasIntrusiveAction property has a range of the class of Malicious client actions, which gives a general description of the kind of attack being perpetrated. The following subclasses of malicious client action are included in the ontology and are based on the taxonomy from [60]:

- Probing: all activities related to gathering data about a system. Subdivided into probing of users, services and nodes.
- Denial of Service: hindering legitimate access to the system. Subdivided into Temporary, Administrative and Permanent. A temporary denial of service is one that will be automatically recovered from. An administrative denial of service is one that will require administrator intervention for recovery. Permanent denial of service attacks are those whose effects are indefinite.
- Interception/Reading Data: subdivided into interception of files or of network traffic.
- Alteration/Creation of Data: subdivided into modifying system data or modifying intrusion traces such as log files.

3.5 Summary

Two contrasting approaches were presented for facilitating the process of acquiring context data and achieving the integration necessary to overcome component autonomy, heterogeneity and distribution. A coalition architecture was presented where each security component must establish an interface to provide data to other components serving as consumers. Under the coalition architecture, each mechanism is also responsible for explicitly performing the one-to-one interaction with each component that it wants to obtain information from. A federation architecture was also presented that uses a common context aggregation service to facilitate the dissemination of context data. The federation also has the added benefit that the architecture is overall more extensible, in that each component of the architecture only needs to be updated to pull new information from the common data store rather than interacting with a new component with a separate interface. Two taxonomies of current methods for intrusion detection alert correlation were provided: one based on the means used to correlate the alerts and another based on the outcome of the correlation. After examining approaches for integrating data coming from heterogeneous domains, a hybrid ontology was proposed for the purpose of allowing related events in different domains to be aggregated. The ontology uses a base vocabulary, synthesized from common elements in existing schemas for security events, and allows extension with domain-specific classes and attributes. This ontology will be translated into a relational database model that serves as the schema for the event database discussed in Section 6.5. Also, based on the conclusion that the federated approach more completely fulfills the needed design goals, the implementation will follow a federated model as the architecture for the system.
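As an added example (not the dissertation's code), the seven-step coalition flow of Section 3.3.2 and the attack-thread/attack-focus aggregation of Section 3.4.3.2 in one runnable form: IDS alerts in an IDMEF-like XML layout are first normalized into the base vocabulary of Section 3.4.5 (source, target, action, assessment), then the PDP selects the alerts related to a request along the policy's threat-profile dimension, scores them, and compares the score with the policy threshold. The XML element names follow the IDMEF Alert structure named in the text, but the alerts themselves are constructed for this example; the policy rule layout, the severity/confidence weights and the additive scoring rule are this example's own assumptions, not the dissertation's calculation method.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample alerts in an IDMEF-like layout (Alert/Classification/Source/Target/
# Assessment). Addresses are from documentation ranges; nothing here is a real capture.
SAMPLE_ALERTS = """<alerts>
  <Alert>
    <Classification text="WEB-MISC directory traversal attempt"/>
    <Source><Node><Address><address>203.0.113.7</address></Address></Node></Source>
    <Target><Node><Address><address>192.0.2.10</address></Address></Node></Target>
    <Assessment><Impact severity="high" completion="failed"/>
                <Confidence rating="medium"/></Assessment>
  </Alert>
  <Alert>
    <Classification text="WEB-CGI script access attempt"/>
    <Source><Node><Address><address>203.0.113.7</address></Address></Node></Source>
    <Target><Node><Address><address>192.0.2.10</address></Address></Node></Target>
    <Assessment><Impact severity="medium" completion="failed"/>
                <Confidence rating="medium"/></Assessment>
  </Alert>
  <Alert>
    <Classification text="ICMP PING"/>
    <Source><Node><Address><address>198.51.100.4</address></Address></Node></Source>
    <Target><Node><Address><address>192.0.2.10</address></Address></Node></Target>
    <Assessment><Impact severity="low" completion="failed"/>
                <Confidence rating="low"/></Assessment>
  </Alert>
</alerts>"""

# Assumed ordinal weights for the IDMEF severity and confidence-rating vocabularies.
SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3}
CONFIDENCE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Assessment:
    """Base-vocabulary form of an IDS alert: the SecurityEvent triple (source, target,
    action) plus the IntrusionAssessment datatype properties."""
    source: str
    target: str
    action: str          # the alert classification stands in for hasIntrusiveAction
    severity: str
    completion: str
    confidence: str


def parse_alerts(xml_text):
    """Transform IDMEF-like alerts into the shared vocabulary (the transformation of
    existing event representations that the hybrid ontology requires)."""
    events = []
    for alert in ET.fromstring(xml_text).iter("Alert"):
        impact = alert.find("Assessment/Impact")
        confidence = alert.find("Assessment/Confidence")
        events.append(Assessment(
            source=alert.findtext("Source/Node/Address/address"),
            target=alert.findtext("Target/Node/Address/address"),
            action=alert.find("Classification").get("text"),
            severity=impact.get("severity"),
            completion=impact.get("completion"),
            confidence=confidence.get("rating"),
        ))
    return events


@dataclass(frozen=True)
class ThreatRule:
    """Assumed shape of a policy rule that bases the decision on threat information:
    the governed resource, which threat-profile dimension to use, and the deny threshold."""
    resource: str
    dimension: str     # "source", "target" or "both"
    threshold: int


def related_events(events, request_source, request_target, dimension):
    """Steps 4-5: select context by syntactic attribute congruence. "both" is attack
    thread reconstruction; "source" or "target" alone is attack focus recognition."""
    def related(e):
        same_source = e.source == request_source
        same_target = e.target == request_target
        return {"source": same_source, "target": same_target,
                "both": same_source and same_target}[dimension]
    return [e for e in events if related(e)]


def threat_profile(events):
    """Step 6: an assumed calculation method, confidence-weighted severity summed over
    the related events."""
    return sum(SEVERITY[e.severity] * CONFIDENCE[e.confidence] for e in events)


def decide(rule, events, request_source, request_target):
    """Steps 3-7 from the PDP's side: returns the XACML-style decision and the score it
    was based on, for the PEP (the web server) to enforce."""
    context = related_events(events, request_source, request_target, rule.dimension)
    score = threat_profile(context)
    return ("Deny" if score >= rule.threshold else "Permit"), score
```

With dimension "both" and a threshold of 5, the host 203.0.113.7 that produced the two web attack alerts is denied (score 10) while 198.51.100.4, whose only alert is a low-confidence ping, is still permitted (score 1). With dimension "target" every client of 192.0.2.10 is scored against all three alerts (score 11) and denied, which is the availability trade-off that choosing the profile dimension in the policy controls: a target-only profile restricts non-affected entities as soon as the resource is under attack from anyone.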
Figure 3-1. Diagram of a security coalition. Each security component has to interact with all of the other components in order to access their data. This architecture is limited in extensibility because each time a new member is added to the coalition, all of the other members must be adapted to use its interface.

Figure 3-2. The anatomy of a security component in an open architecture. The core decision mechanism is responsible for placing new events into the mechanism's event data store, which subsequently provides the data to other consumers. The core decision mechanism also pulls data from the component's event consumer module in order to enforce policy based on external event information. The event consumer module includes a policy describing the different types of events that should be drawn from the event provider; this interaction is depicted in Figure 3-3.

Figure 3-3. Security components with a common event provider. Rather than having to interact with each other member of the system, the components can now access data through a common event provider.

Figure 3-4. The anatomy of a security component in an open architecture. The core decision mechanism is responsible for placing new events into the common event provider that is now an external service instead of the previous data store that was contained in the mechanism itself. The core decision mechanism also pulls data from the component's event consumer module in order to enforce policy based on external event information. The event consumer module includes a policy describing the different types of events that should be drawn from the event provider; this interaction is depicted in Figure 3-3.

Figure 3-5. Security event information model.

Figure 3-6. The flow of data between an IDS and a web server under the coalition-based implementation.

Figure 3-7. Taxonomy of the means used to achieve alert correlation.

Figure 3-8. Ontology for inter-domain event correlation.
CHAPTER 4
GENERAL APPROACH PART 2: CONTEXT ANALYSIS

4.1 Introduction and Design Goals

Context analysis is the process of taking event data provided by a secondary source and deriving information from that data which provides more useful indications about the state of the system. We examine the task of context data analysis on two levels: the first providing an overview of the major security measures and indicators and the relationships between them, and the second providing a detailed approach for the analysis of a specific type of context data. This chapter will propose a framework which structures several critical security measures and their determining factors. Chapter 6 will discuss the specific analysis and subsequent usage of a particular security property.

The objectives for context analysis have been divided into two main types: objectives involving how data is analyzed, and objectives involving what the product of those analyses should be. Context analysis covers all of the tasks in the system between when the data is acquired by a security component and when that data is used in a decision-making process. Design goals for the approach to context analysis include:

Actionable Data - The primary aim of the context analysis process is to produce information that represents complex system events in a relatively straightforward way that can enable autonomous responses. This requires synthesizing multiple pieces of data into higher level assessment information. The aim is to prevent the access control system from necessarily incorporating all of the factors that an intrusion detection system considers in making its decision, by providing procedures that map those properties to high-level concepts. Such high-level concepts can then be incorporated into access control policies to allow the use of real-time assessment information.

Extensibility - Another goal is that the analysis process be based on a structured model that allows additional analysis procedures and assessment properties to be added easily. This requires a very detailed definition of each type of assessment and how they relate to one another.

An ontology is used as the medium to define the assessment properties because it offers a more precise definition of the terms than would be possible with only words. In addition, because ontologies are described with first order predicate logic, a reasoning engine could be developed based on the specification to perform fusion of sensor data to produce the desired properties.

4.2 A High-Level Ontology of Security Assessment Information

An overview of the proposed ontology is depicted in Figure 4-1, with Figure 4-2 providing further detail on the factors used to arrive at the various assessments. At the core of the ontology there is an AccessRequest that has three aspects: it is initiatedBy a Subject, it is directedTo an Object (the resource being acted upon), and it executes an Action on the object. A RequestEvaluation (either Permit or Deny) is based on one or more Assessments. Each assessment has a Source, a quantitative Value, a percentage of Certainty and one or more Constraints.

Assessments can be categorized in multiple ways: based on what is assessed and based on the type of data that is used to produce the assessment. Under the first categorization, assessments are divided into two main types: Entity Assessments and Event Assessments. Entity Assessments apply to entities such as the subject and object. Event Assessments apply to the access request itself. Under the second categorization (by the type of data used to produce the assessment) there are Core Assessments and Composite Assessments. Core Assessments are produced based on data from an event description such as an intrusion detection alert. Composite Assessments utilize one or more Core Assessments, and provide information that contrasts properties of the event under consideration with properties of an entity.

Subjects are characterized primarily by a Trust Assessment. Objects are characterized by Dependability and Importance assessments. Events are assigned a Risk. A Threat assessment contrasts the trust granted to the subject with the risk of the request itself. The Impact assessment contrasts the risk of the request with the dependability and importance of the object. Each of these assessments will be discussed in more detail.

4.2.1 Core Assessments

4.2.1.1 Risk

In general, risk denotes a probable loss to some asset or valuable property of an entity. Specifically, in this context, risk is used to quantify the probable impact of an event on the three primary security properties: confidentiality, availability and integrity. Some existing definitions of risk include the following: "a measure of the expected loss in the absence of any mitigation actions or countermeasures" [61], "a characterization of the danger of a vulnerability or condition" [62] and "the relative impact that an exploited vulnerability would have to a user's environment" [63]. The final definition is the closest to the meaning being invoked here and will also provide the factors used to determine risk.

The factors used for risk in this ontology are derived from the Common Vulnerability Specification Standard (CVSS). The CVSS gives criteria for standardizing the severity ratings given to system and software vulnerabilities. The specification includes base metrics, which are solely based on the vulnerability characteristics, temporal metrics and environmental metrics. The core of the specification rates vulnerabilities on the required environment, which includes Access Vector, Access Complexity and Authentication, and the projected impact on Confidentiality, Availability and Integrity - all of these are enumerated as risk factors in the ontology.

4.2.1.2 Trust

There are two main areas of concern when discussing trust: what is trust based on, and under what circumstances is it valid. To address these issues, the ontology includes Trust Factors and Trust Domains. Trust Factors are those subsidiary values which, when considered together, determine the actual trust assessment value. The two trust factors included here are Capability and Intent.
Capability was mentioned in [64] and previously [65] to refer to a combination of demonstrable access and authority. This kind of definition is most relevant in the context of peer-to-peer interaction where parties are being rated according to their ability to fulfill a specific contractual relationship. In contrast, we are focused on defining trust in a manner that is restricted to an external object interacting with controlled resources in a non-malicious way. The concern is essentially to evaluate whether or not the trusted party will behave as expected (benevolently) and, if not, to what degree they have the capacity to do harm. As a result of this simplification, some of the complexities provided by other trust definitions are not relevant to the current discussion. It is assumed everyone has the same capability to perform benevolently (which is simply non-misuse), but that some parties have a greater capacity for malevolent or malicious behavior than others.

The other trust factor considered is Intent. Although it is a difficult concept to measure and quantify, it is the only means through which we can produce a notion of mistrust necessary for situations that require distinguishing between malicious and non-malicious users. There are two states for the property of Intent: Benign and Malicious.

Trust values also have a set of constraints that are typically called Trust Domains. Trust Domains are the situations or contexts in which a particular trust assessment applies or is valid. We include five domains as constraints for a trust assessment: General (or Universal), Action-Specific, Target-Specific and Context-Specific. A General trust is one that is valid across an entire application or application domain and not constrained by any secondary factors. Action-Specific trust is granted to a subject based on the action being performed. Similarly, Target-Specific and Object-Specific trust are only valid for a particular resource or object, respectively. Context-Specific trust is a more abstract notion that allows trust activation based on certain dynamic context properties.

4.2.1.3 Dependability and importance

Both dependability and importance of the object play a role in the way the request is viewed. CVSS includes the security requirements of the targeted asset (confidentiality, integrity and availability) under environmental metrics that affect the severity of a vulnerability exploitation. In [66] several properties are mentioned that characterize the dependability of systems and services. An object's dependability is encapsulated by the following properties: Availability, Reliability, Safety, Confidentiality and Integrity. Availability is the readiness for usage, reliability is the continuity of service and safety is the non-occurrence of dire consequences on the environment. Confidentiality is the non-occurrence of unauthorized information disclosure, integrity is the non-occurrence of improper alterations of information and maintainability is the ability to undergo repairs and evolutions. These properties encompass those used in the CVSS and add a few additional properties that can be critical to contextualizing an event.

In [52] a relative measure of the object's importance is used to measure the impact of an attack. Also in [38], the importance of a network node is used to determine a suitable threshold for the risk of incoming requests. Both of these properties, Dependability and Importance, have been included in the ontology as assessments of the object of the request that are needed to produce high-level assessments.

4.2.2 Composite Assessments

4.2.2.1 Threat

The Threat assessment is the first of the composite assessments to be discussed. Some of the definitions for threat used in the research are as follows: "the adversary's goals or what an adversary might try to do to a system", "an indication of a potential undesirable event" [61] and "the likelihood or frequency of a harmful event occurring" [63].

In [30, 67] a global system-wide threat level is used to integrate information from outside intrusion detection systems into an advanced security policy that can specify allowed activities, detect abuse and respond to intrusions. Teo et al. [38] propose a system to manage network level system access that uses source-centered threat to regulate access control decisions. Although not concerned with a higher-level threat analysis, Valeur et al. [52] aggregate IDS alerts in multiple ways to characterize the traffic coming from a single source or into a single target (attack focus recognition). They also consider sets of alerts between a single source-target pair (attack thread reconstruction).

In its strictest sense, threat assessment should rely on both a trust assessment for the source of the request and a risk assessment of the request itself. A threat is therefore a specific, quantifiable security risk coming from a subject that is also assigned a corresponding trust value. This results in a notion of threat that is primarily based on two factors: the nature of the request (its risk), and the source of the request (the degree of trust given to them).

4.2.2.2 Impact

The second composite assessment measure is Impact. The Impact combines the risk of the request with the importance of the object and its dependability. Thus, in the case of security, an impact assessment is a judgment about the potential security damage inflicted by an access request, considering the general fault-tolerance of the object and its importance to the system in which it exists.

4.3 Summary

This ontology helps define the goals of the analysis process in terms of concrete attributes that should be derived. They include measurements used in various systems and standards, but are placed in a unified structure that elucidates the differences between the various terms more precisely than mere definitions. In addition, the factors used to determine each assessment property are also listed, which provides clearer insight as to how a system can arrive at the assessment and what lower level data is required as an input to the process. In an ideal system, this ontology would serve as the basis for a reasoning engine that could produce the necessary outputs given the required incoming data. The implementation discussed in Chapter 6 (see Section 6.3) will focus on a single security property, namely risk, and provide further details on how an analysis server can produce assessments of that type given input data.
Figure 4-1. Core assessment classes. Importance, trust and dependability assessments for entities. Threat and impact assessments for access requests. Value and risk assessments for the action of an access request.

Figure 4-2. Assessment factors for three assessment types: trust, risk and dependability. The class Assessment is also a subclass of AssessmentFactor because of the composite assessments that are derived from other assessments. The assessment factors for threat are the risk of the request and the trust granted to the subject. The assessment factors for the impact are the dependability and importance of the object and the risk of the request.
CHAPTER 5
GENERAL APPROACH PART 3: CONTEXT APPLICATION

5.1 Introduction

The last phase of the process of architecting context-aware behavior is the application of context data. If we define access control as a family of strategies for one party to precisely control what other parties will be allowed to do with resources that it controls [46, 45], then it becomes apparent that access control is performed at virtually every layer of a system, including at the network, operating system and application levels. To show concrete impact of the approach it is necessary to focus the application of context data on improving some aspect of the performance of access control. Some of the design goals for context application are the following:

Responses native to the access control paradigm - The primary elements of manipulation for access control systems are permissions: the modes of interaction allowed for various subjects with system resources. There are many different types of responses to intrusions, but as the focus here is on context-aware behavior for access control, we will focus on strategies that manipulate the permissioning process at the access control level.

Application level context application - All of the strategies used for the application of context data will be designed to be applied at the application level, meaning: any piece of software relying on an underlying operating system for the management of hardware resources. This will enable us to continue the work we have previously done in XACML, a widely adopted framework for application-level access control. This will also increase the possibility that the system for context application can be further extended by other researchers.

5.2 Context-Based Policy Evaluation

The first approach to utilizing context data that will be discussed is context-based policy evaluation. This process relies on the introduction of context-dependencies into the access control policy that are resolved at policy evaluation time by using information from the context analysis process.

5.2.1 Access Control Schema Extension

Using the abstraction of an event as the unifying factor for security integration, it is still necessary to find a concrete representation for the attributes of those events. In most current systems, access control has the role of enforcing global security policy. All requests for resources must be checked against an access control policy before they are granted. But most present methods for access control make little or no use of intrusion detection data. The merged policy option does solve this problem by developing a schema that includes concepts from all three relevant domains, but in the process of migrating IDS concepts to the access control domain, it also migrates the intrusion detection method to a policy specification.

Our approach will be to provide a common policy by developing new attributes that can be included in a traditional access control policy. These attributes will describe the following:

properties of intrusion detection alerts that should be taken into account when returning a value for the attribute

the desired procedure for calculating the value returned for the attribute

In essence, the coupling between IDS attributes in the access control policy and the details and information used by the actual IDS systems will be loosened. An additional layer of abstraction will be added to make the binding to those access control attributes IDS implementation independent.

This approach also demands that the author of the mapping function understand the output of the IDS systems. The use of a standard schema for IDS information will enable the implementer of the access control policy evaluation mechanism to write a single function for each new attribute added to an access control policy, provided that the IDS systems under use will either use that standard schema natively, or provide a transformation from the native format to the standard one.

This policy extension will provide the means for semantic integration. One of the methods for data persistence conversion will be used here to return the necessary value for the access control policy from the set of relevant IDS alerts. This operation will require a limited form of conversion because the schema for IDS alerts is different from the schema for the access control policy.

Based solely on the aggregation relationships specified in [9] and using the concept of threat outlined previously, the following attributes were added to the XACML schema of the access control mechanism described in Section 3.3.2:

1. source-target-class-threat - provides the total severity of the threat from this source to this resource in this class of attack
2. source-target-all-class-threat - provides the total severity of the threat from this source to this resource for all classes of attack
3. source-class-all-targets-threat - provides the total severity of the threat from this source to all resources with this class of attack
4. all-sources-target-class-threat - provides the total severity of the threat from all sources to this resource in this class of attack
5. source-all-targets-all-threats-threat - provides the total severity of the threat from this source to all resources for all classes of attack
6. all-sources-target-all-classes-threat - provides the total severity of the threat from all sources to this resource for all classes of attack
7. all-sources-all-targets-class-threat - provides the total severity of the threat from all sources to all resources for this class of attack

Each of these rules contains at most two attributes: the threat threshold value and an attack class (for cases 1, 3, 4 and 7). The source and target will be specified in the access control request and therefore do not need to be specified in the policy - the values for source and target will be inherited from the request values. Examples of access control rules incorporating these properties are provided in Figures 5-1, 5-2, 5-3, 5-4 and 5-5.
The process for access control schema extension under the federated implementation is discussed in Section 6.5. Unlike the XACML-based implementation, because the access control process in the Apache web server was not designed to incorporate contextual information into the schema, the process of schema extension is less structured. The subsequent discussion will, therefore, rely on the XACML schema abstractions for discussing the incorporation of context data in the application process.

5.2.2 Application Scenarios

We provide some examples of situations where our approach can be used to provide very granular IDS-aware access control.

Threat escalation by a single source. In this first scenario we have a single source performing multiple intrusive requests against various system resources. The aim in this case is to restrict access to system resources from this source after the threat profile for that source has passed a given threshold. This application is similar to the task of packet filtering which is performed by some Intrusion Prevention Systems (IPS), but with a few major differences. The first is that this technique can be applied dynamically based on the past history of the source, whereas packet filtering must be configured manually to filter based on source. The second is that, because this restriction is performed at the application level, there is a wider range of possible responses available. Access could be denied entirely, similar to packet filtering, or only specific access rights could be revoked, allowing a more measured response.

In a concrete example we consider a web server with three available resources: R1, R2, R3. Each of the resources is governed by a policy that denies requests coming from sources with a threat profile above 25. The basic structure of the rule is shown in Figure 5-1. Each resource is assigned an impact value ranging between 1 and 3, and a confidence value ranging between 1 and 5 based on the number of systems referencing the vulnerability used.

Two different hosts, S1 and S2, make requests to the server in parallel. Host S1 attempts three web cgi exploits against the server, with its overall threat profile increasing each time. By the time it requests R1 on its fourth overall request to the server, its threat profile exceeds the threshold allowed in the policy that controls R1, R2 and R3 and it is therefore denied access to all of them. Simultaneously, because S2 has maintained a threat profile of 0, it can continue to access all of the resources available. An example of this scenario is summarized in Table 5-1.

Threat escalation against a single target. In this second scenario, we consider a web server with two available resources: R1, R2. Access to each of the resources is regulated by a policy that denies write and update requests when the threat profile for the resource is over 30. The basic structure of the threat rule is shown in Figure 5-2. Three different hosts, S1, S2 and S3, make requests to the server in parallel. In this case, however, after two independent requests from S1 and S2 for R1, the threat profile of the resource is at 20. As a result, a third request for R1 from S3 is denied. All of the hosts, however, can still access R2 because none of their individual threat profiles exceeds the threshold set in the policy that controls R2. An example of this scenario is summarized in Table 5-2.

5.3 Context-Based Threat Response

The next strategy for context application extends the notion of context-based policy evaluation by identifying traditional intrusion response strategies and applying them based on context data, while still maintaining context dependencies in the access control policies. We will first survey the available intrusion response methods, noting the factors that determine the circumstances under which they are used effectively. We will then utilize the available context data produced during the analysis process as a criterion for employing appropriate mitigation, prevention and response methods. Another difference between this application technique and the previous one is that each of these response methods will be dependent on multiple properties to be applied, whereas the previous context dependencies only introduced a single property into the access control policy.
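The seven aggregation attributes of Section 5.2.1 and the single-source escalation scenario above, as an added example that is not part of the dissertation: the attribute evaluators, the replay of Table 5-1, the targets of S1's exploit attempts, the attack-class names and the >= comparison (taken from the rule in Figure 5-1) are assumptions made here, and the target-centered rule's threshold is left as a parameter.

```python
"""Threat attributes of Section 5.2.1 over an IDS assessment store.

Added example, not code from the dissertation: the seven aggregation
attributes as queries over recorded intrusion assessments, plus a replay of
the single-source scenario. Threat values follow Tables 5-1 and 5-2; the
targets of S1's exploit attempts, the attack-class names and the >=
comparison (taken from the rule in Figure 5-1) are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Assessment:
    """One IntrusionAssessment as stored by the analysis service."""
    source: str                  # hasSource: requesting host
    target: str                  # hasTarget: resource acted upon
    attack_class: Optional[str]  # hasIntrusiveAction; None for a benign request
    threat: int                  # threat severity assigned to this request


def total_threat(events, source=None, target=None, attack_class=None):
    """Sum threat over assessments matching every constraint given (None = any)."""
    return sum(e.threat for e in events
               if (source is None or e.source == source)
               and (target is None or e.target == target)
               and (attack_class is None or e.attack_class == attack_class))


# The seven XACML attributes. Each evaluator receives (events, source, target,
# attack_class): source and target are inherited from the access request, the
# class (where the attribute needs one) comes from the policy rule.
ATTRIBUTES = {
    "source-target-class-threat":
        lambda ev, s, t, c: total_threat(ev, source=s, target=t, attack_class=c),
    "source-target-all-class-threat":
        lambda ev, s, t, c: total_threat(ev, source=s, target=t),
    "source-class-all-targets-threat":
        lambda ev, s, t, c: total_threat(ev, source=s, attack_class=c),
    "all-sources-target-class-threat":
        lambda ev, s, t, c: total_threat(ev, target=t, attack_class=c),
    "source-all-targets-all-threats-threat":
        lambda ev, s, t, c: total_threat(ev, source=s),
    "all-sources-target-all-classes-threat":
        lambda ev, s, t, c: total_threat(ev, target=t),
    "all-sources-all-targets-class-threat":
        lambda ev, s, t, c: total_threat(ev, attack_class=c),
}


def evaluate(rule, events, request):
    """Evaluate one context-dependent rule (Figure 5-1 style) for a request.

    The rule carries at most the two policy-side values the text names: the
    threat threshold and, for class-specific attributes, the attack class.
    Returns (decision, attribute value); the effect is Deny at or above the
    threshold.
    """
    value = ATTRIBUTES[rule["attribute"]](
        events, request["source"], request["target"], rule.get("attack_class"))
    return ("Deny" if value >= rule["threshold"] else "Permit"), value


def replay(rule, requests):
    """Process requests in arrival order. Each request carries the threat the
    IDS assigns to it, and its decision uses only the assessments recorded
    before it, so a source's profile escalates as in Table 5-1."""
    events, decisions = [], []
    for req in requests:
        decision, value = evaluate(rule, events, req)
        decisions.append((req["source"], req["target"], value, decision))
        events.append(Assessment(req["source"], req["target"],
                                 req["attack_class"], req["threat"]))
    return decisions


# Scenario 1 (Table 5-1): source-centered rule guarding R1, R2 and R3.
SCENARIO_1_RULE = {"attribute": "source-all-targets-all-threats-threat",
                   "threshold": 25}
SCENARIO_1_REQUESTS = [  # constructed: S1's cgi exploits interleaved with S2
    {"source": "S1", "target": "R2", "attack_class": "probing", "threat": 8},
    {"source": "S2", "target": "R1", "attack_class": None, "threat": 0},
    {"source": "S1", "target": "R3", "attack_class": "alteration", "threat": 10},
    {"source": "S1", "target": "R2", "attack_class": "probing", "threat": 8},
    {"source": "S1", "target": "R1", "attack_class": None, "threat": 0},  # S1's 4th
    {"source": "S2", "target": "R3", "attack_class": None, "threat": 0},
]

# Scenario 2 (Table 5-2): S1 and S2 each hit R1 once; S3 then requests R1.
SCENARIO_2_EVENTS = [Assessment("S1", "R1", "probing", 10),
                     Assessment("S2", "R1", "probing", 10)]


def scenario_2_profiles():
    """Target-centered vs source-centered threat seen for S3's request to R1."""
    target_view = ATTRIBUTES["all-sources-target-all-classes-threat"](
        SCENARIO_2_EVENTS, "S3", "R1", None)
    source_view = ATTRIBUTES["source-all-targets-all-threats-threat"](
        SCENARIO_2_EVENTS, "S3", "R1", None)
    return target_view, source_view
```

Replaying the first scenario shows the profile for S1 climbing 0, 8, 18 and then 26 on its fourth request, which is the only one denied, while S2's requests stay at 0; the second scenario gives S3 a target-centered value of 20 but a source-centered value of 0, which is exactly the distinction the two attribute families exist to make.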
Carver [68] offers a number of responses along with the situations in which they can be used appropriately. We present a summary of the most relevant methods in Table 5-3, along with their respective implementations at an access control level. Implementations for four of the six aforementioned response methods are ongoing: restricting user activity (both specific actions and all actions), blocking access to threatened services, and forcing additional authentication.

Forcing additional authentication - this approach will be implemented by adding a rule to the access control policy for the desired resources that specifies additional authentication as the obligation if certain conditions are met. The request is denied pending further authentication.

Complete User Activity Restriction - accomplished by keeping a dynamically updated black-list of sources that have exceeded allowable thresholds for intrusive behavior and simultaneously have a low trust amount. A new attribute will be provided that will require a custom attribute evaluation module similar to the ones used to perform context-based policy evaluation in Section 5.2. This module will return a Boolean value indicating whether the requesting user is unconditionally blocked or not. This evaluation module will query a blacklisting service that runs within the policy decision point itself. This blacklisting service will examine available behavior within a pre-determined time window and will blacklist users temporarily when their behavior exceeds the allowable threshold. The threshold will also be dependent on the level of trust accorded to the user - a greater amount of trust gives a correspondingly higher threshold. An example of a policy to block or lock out a user is shown in Figure 5-4.

Blocking Access to Threatened Services - also achieved through a new policy attribute evaluated with a custom evaluation module that returns a boolean value indicating if requests to that target are being denied due to an overwhelming amount of suspicious traffic. If this attribute is used in a policy, then this module will query a service monitoring incoming requests to the services under control of the policy enforcement point. Based on the required availability of the target recorded in an asset database, a threshold will be set for the amount of intrusive behavior that can be ignored before access to the resource should be blocked. An example of a policy designed to block access to a threatened resource is shown in Figure 5-3.

Restricting User Activities - a new set of policy attributes will be introduced to designate the restricting of specific permissions. A module will be provided for each attribute which will check if the source of the request meets the criteria to be able to perform that specific action - if not, that specific request will be blocked. Each resource will have thresholds for source trust, the severity of the threat and the certainty of the assessment that will be inputs to the function that determines if the specific permission will be allowed for that request. An example of a policy to restrict user activity is shown in Figure 5-5.

5.4 Summary

Two general uses for context with regard to access control are explored here: the evaluation of policies with contextual dependencies and the triggering of responses based on context data. The context-based evaluation of policies requires that the policy schema is extended with new attributes and that dependencies are added to the policy that force context information to play a role in the decision issued by the enforcement mechanism. Context-triggered response, however, focuses on identifying specific scenarios which can be indicated by context data and then matching those scenarios with a high-level countermeasure that will help mitigate the risk in that scenario. As a result of the fact that access control is primarily a policy enforcement mechanism, there is an element of commonality between the two approaches, because the implementation of the response techniques will likely take place at the policy level. Context-triggered response builds on the inclusion of context data into the policy evaluation process and provides a response based on comparing multiple types of individual contextual properties.

Both of the methodologies outlined here (context-based policy evaluation and context-based threat response) are incorporated into the system implementation detailed in Chapter 6. Context-based policy evaluation is achieved by directing request evaluation to custom access handlers that interact with an analysis server and then return a decision after checking the risk value against thresholds set in the policy specification. Context-based threat response is incorporated in that each access control handler enables a different response more suitable to one situation or another based on examining specific context information.
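The four response mechanisms of Section 5.3, with the constraints of Table 5-3, as custom attribute evaluation modules in an added example that is not the dissertation's or XACML's code: the alert log, trust values, asset database, time window, and the two threshold formulas (a blacklist threshold that grows with trust and a service tolerance that shrinks with the required availability) are assumptions made here.

```python
"""Context-triggered responses of Section 5.3 as attribute evaluation modules.

Added example, not the dissertation's code: each function stands in for a
custom attribute evaluation module queried by the policy decision point, and
respond() orders them as the policies of Figures 5-3 to 5-5 and Table 5-3
would. The alert log, trust values, asset database, time window and the two
threshold formulas (blacklist threshold growing with trust, service tolerance
shrinking with required availability) are constructed assumptions.
"""
from dataclasses import dataclass

WINDOW = 300  # seconds of behaviour the blacklisting service examines (assumed)


@dataclass(frozen=True)
class Alert:
    ts: int           # time of the intrusion assessment (constructed clock)
    source: str
    target: str
    threat: int       # threat severity of the intrusive request
    certainty: float  # 0.0 .. 1.0, certainty of the IDS assessment


def recent(alerts, now, **match):
    """Alerts inside the time window whose fields equal every keyword given."""
    return [a for a in alerts if now - WINDOW <= a.ts <= now
            and all(getattr(a, k) == v for k, v in match.items())]


def user_account_lock_status(alerts, source, trust, now, base=20):
    """Complete user activity restriction (attribute of Figure 5-4): the source
    is blacklisted once its threat within the window reaches a threshold that
    rises with the trust accorded to it (assumed: base * (1 + trust))."""
    total = sum(a.threat for a in recent(alerts, now, source=source))
    return total >= base * (1 + trust)


def resource_lock_status(alerts, target, asset_db, now, base=40):
    """Blocking access to a threatened service (attribute of Figure 5-3): the
    intrusive behaviour tolerated before locking shrinks as the availability
    requirement recorded in the asset database rises (assumed formula)."""
    tolerance = base * (1 - asset_db[target]["availability"])
    total = sum(a.threat for a in recent(alerts, now, target=target))
    return total > tolerance


def user_write_prohibit(alerts, source, trust, target, asset_db, now):
    """Restricting a specific permission (attribute of Figure 5-5): writes are
    refused when source trust is under the resource's trust threshold while
    the source's threat and assessment certainty reach the resource's limits."""
    hits = recent(alerts, now, source=source)
    if not hits:
        return False
    limits = asset_db[target]
    return (trust < limits["min_trust"]
            and sum(a.threat for a in hits) >= limits["max_threat"]
            and max(a.certainty for a in hits) >= limits["min_certainty"])


def respond(req, alerts, trust_db, asset_db, now):
    """Apply the responses from most to least restrictive and return the
    decision together with the attribute (or obligation) that produced it."""
    src, tgt = req["source"], req["target"]
    trust = trust_db.get(src, 0.0)  # unknown sources get no trust
    if user_account_lock_status(alerts, src, trust, now):
        return "Deny", "user-account-lock-status"
    if resource_lock_status(alerts, tgt, asset_db, now):
        return "Deny", "resource-lock-status"
    if req["action"] in ("write", "update") and user_write_prohibit(
            alerts, src, trust, tgt, asset_db, now):
        return "Deny", "user-write-prohibit"
    # Forcing additional authentication (Table 5-3): a moderate threat that the
    # IDS reports with low certainty is held pending another credential.
    hits = recent(alerts, now, source=src)
    if hits and sum(a.threat for a in hits) >= 10 \
            and max(a.certainty for a in hits) < 0.5:
        return "Deny", "obligation:additional-authentication"
    return "Permit", None


# Constructed sample state at time NOW: S1 repeats the Table 5-1 escalation,
# S2 is flagged with low certainty, S4 hammers the high-availability R3 and
# S5 shows a confidently assessed moderate threat against R2.
NOW = 250
ALERTS = [
    Alert(100, "S1", "R1", 8, 0.9), Alert(140, "S1", "R2", 10, 0.9),
    Alert(170, "S1", "R1", 8, 0.9), Alert(150, "S2", "R1", 10, 0.3),
    Alert(200, "S4", "R3", 30, 0.95),
    Alert(180, "S5", "R2", 12, 0.85), Alert(190, "S5", "R2", 6, 0.85),
]
TRUST = {"S1": 0.1, "S2": 0.2, "S3": 0.8, "S5": 0.3}
ASSETS = {  # availability requirement plus the per-resource write thresholds
    "R1": {"availability": 0.25, "min_trust": 0.5, "max_threat": 15, "min_certainty": 0.8},
    "R2": {"availability": 0.2, "min_trust": 0.5, "max_threat": 15, "min_certainty": 0.8},
    "R3": {"availability": 0.9, "min_trust": 0.5, "max_threat": 15, "min_certainty": 0.8},
}


def decide(source, target, action):
    """Evaluate one request against the sample state."""
    return respond({"source": source, "target": target, "action": action},
                   ALERTS, TRUST, ASSETS, NOW)
```

Against the sample state S1 is locked out everywhere, R3 is locked for everyone including the well-trusted S3, S5 loses only its write permission on R2 while its reads continue, and S2's low-certainty flag yields an authentication obligation rather than an outright deny.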
Figure 5-1. XACML rule including source-centered threat. This rule demonstrates the extension of the XACML schema with a new property total-source-threat. This property is designated as an attribute of the subject of the request. An integer function is used to compare the value returned for this property with the designated value of 20. If the total-source-threat property is greater than or equal to this value, then the rule has the effect of causing the request to be denied.

Table 5-1. Escalation of threat in subsequent requests by two different sources. When the threat is assigned to individual sources separately, the system is able to distinguish between malicious and non-malicious subjects.

  Source   Request   Threat   Total Source Threat
  S1       1st       8        8
  S1       2nd       10       18
  S1       3rd       8        26
  S2       1st       0        0

Table 5-2. Escalation of threat in subsequent requests by three different hosts on a common target. When the effect of requests from different subjects to the same object are considered in aggregate, the system is able to contextualize individual requests into an overall pattern of interaction with the object.

  Source   Order of Request   Threat   Total Target Threat
  S1       1st                10       10
  S2       2nd                10       20
  S3       3rd                0        20

Figure 5-2. XACML rule including target-centered threat. This rule demonstrates the extension of the XACML schema with a new property total-target-threat. This property is designated as an attribute of the resource being accessed. An integer function is used to compare the value returned for this property with the designated value of 30. If the total-target-threat property is greater than or equal to this value, then the rule has the effect of causing the request to be denied.

Figure 5-3. XACML rule including an attribute indicating that a resource is locked. This rule demonstrates the extension of the XACML schema with a new property resource-lock-status. This property is designated as an attribute of the resource being accessed. A boolean function is used to compare the value returned for this property with the designated value of 'true'. If the resource-lock-status property is true, then the rule has the effect of causing all requests to this resource to be denied.

Figure 5-4. XACML rule including an attribute indicating that a user account is locked. This rule demonstrates the extension of the XACML schema with a new property resource-lock-status. This property is designated as an attribute of the subject initiating the request. A boolean function is used to compare the value returned for this property with the designated value of 'true'. If the user-account-lock-status property is true, then the rule has the effect of causing all requests from this source to be denied.

Figure 5-5. XACML rule including a property to restrict a specific permission. This rule demonstrates the extension of the XACML schema with a new property user-write-prohibit. This property is designated as an attribute of the subject initiating the request. The Policy Decision Point will be extended with a new module that provides the logic to provide a current value for this property. A boolean function is used to compare the value returned for this property with the designated value of 'true'. If the user-write-prohibit property is true, then the rule has the effect of causing the request to be denied.
Table 5-3. Selected intrusion response strategies. Each general response strategy is listed along with its appropriate use case, its implementation at the access control level and the contextual properties that constrain its application.

Response strategy: Locking user accounts
  Use case description: Compromise of the user account in question
  Implementation for access control level response: Global policy that denies requests from a particular source
  Application constraints: High certainty of attack and high risk evaluation for the source with low to moderate user trust

Response strategy: Disabling the attacked ports or services
  Use case description: Making the port or service inaccessible
  Implementation for access control level response: Global policy that denies requests to a particular target
  Application constraints: High certainty, high target-centered threat, low target availability requirement

Response strategy: Force additional authentication
  Use case description: May slow or stop intrusions (especially automated ones), while authorized users will continue
  Implementation for access control level response: Policy that requires multiple authentication tokens for a request to be granted
  Application constraints: Used with low-certainty, source-, target- or pair-centered threats of moderate to high level

Response strategy: Restrict user activity
  Use case description: Suspicious users may be restricted to a special user shell that allows some functionality while restricting certain commands
  Implementation for access control level response: Policy that separates allowed actions into levels based on the perceived threat class of the user
  Application constraints: (1) low to mid certainty of attack and low to mid user trust; (2) high certainty of attack and high trust, which would indicate the account has been compromised; (3) low to mid threat severity
PAGE 87
CHAPTER6 ADAPTIVERISK-AWAREACCESSCONTROLFORWEBSERVERS 6.1Introduction 6.1.1ConnectionBetweentheImplementationandPreviousChapters Thepreviouschaptershavesoughttoanswersomeofthefundamentalquestions regardinghowcontextawaresecuritysystemscanbedesigned.Thedesignprocesshas beenbrokendownintoafewmainelementstoensurethatateachstephelpsfulllthe largerdesigngoalsofthesystem. Thischapterwillfocusonaddressingsomeofthemorespecicquestionsregarding theuseofintrusiondetectiondatainanaccesscontrolprocess,suchas:dealingwithdata inaccuraciesandensuringperformanceinthefaceoflargeamountsofincomingdataand highrequestfrequency.Thesolutionspresentedintheimplementationwillrelyonthe groundworkestablishedinthepreviouschapters. AfederatedapproachisusedthatfollowstheprinciplesdiscussedinSection3.2.2. ThecorrelationontologyofSection3.4.5isadaptedtoarelationaldatabasemodelthat servesastheschemafortheeventdatabasedescribedinSection6.5.Anindependent analysisserverperformsthefunctionsofaggregatingcontextinformationandthen disseminatingit.Theimplementationfocusesononeofthecontextpropertiesdened intheChapter4ontologyofassessmentproperties-thatofrisk.Amodelisdenedfor derivingriskinformationfromassessmentsproducedbyanintrusiondetectionsystemon attemptstoexploitsoftwarevulnerabilities.Thismodeldesignateshowriskisassigned tobothsubjectsandobjectsofaccessrequests.Detailsarealsoprovidedonhowthe analysisdataisappliedandusedintheaccesscontrolprocess.Context-basedpolicy evaluationpreviouslydiscussedinSection5.2isachievedbyprovidingcustomaccess controlhandlersthatinteractwiththeanalysisservertoreceiveriskinformation.These accesscontrolhandlersalsoimplementtheresponsetechniquesdiscussedinSection5.3. 87
6.1.2 Implementation Overview

The proposed solution for achieving attack-resistant access control is the use of real-time assessment data in access control policy evaluation and enforcement. Specifically, evidence of vulnerability exploitation is collected and analyzed into a higher-level risk assessment for the sources and targets of access control requests. This risk assessment is subsequently used as an additional parameter or contextual property in access control policies, so that permit and deny decisions for an incoming request are based on an assessment of the risk posed by the requesting source and/or the risk posed to the targeted resource. This approach has been termed the Adaptive Assessment Based Access Control System (ABACUS for short).

Two closely-related strategies for implementing this approach are discussed. The first is an approach relying on on-demand analysis, abstracting the three parts of the context management process (acquisition, analysis and application) into different server mechanisms and performing the analysis by aggregating requests and deriving a risk assessment as new requests come in. A set of results is then provided for the testing done with an implementation of this approach, along with conclusions on the constraints and limitations of this approach.

The second approach differs in that the analysis function is triggered by new security events in the system and, consequently, the analysis does not take place as a function of an incoming request. Risk assessments are continually maintained for all of the entities in the system. As new assessment data becomes available, those risk assessments are updated for the entities in that event. A set of results is then provided for the testing done with this approach, along with conclusions on its constraints and limitations. Finally, a summary and relative comparison of the two approaches is offered.
6.2 Intrusion Response and Attack Resistance

6.2.1 Strategy Selection

The strategies put forth in the literature for responding to intrusions and attempted system attacks are very numerous and varied. Therefore, it is necessary to select only those that most closely match the requirements for achieving the desired goal: namely, attack-resistant access control. The first restriction is that the responses applied should serve to manipulate some element in the access control domain. Access control is primarily concerned with a set of subjects, a set of objects and the specific operations that each subject can perform on each object. So our response technique must manipulate these permissions, either at the subject's side (by designating which actions a subject can perform) or at the object's side (by designating what can be done with the object). The second requirement is that the strategy or response can be triggered using risk data.

A number of different intrusion responses are detailed in [49, 48]. Using the criteria just discussed, however, the following three strategies were selected as appropriate for this application: (1) forcing additional authentication, (2) restricting subject permissions, (3) restricting object permissions.

Forcing authentication could take a number of forms. The first would be forcing anonymous authentication. This is a strategy that has become somewhat common in the Internet today, that implements an authentication check not based on a shared secret between the user and the host system (such as a password) but based on the subject's ability to perform an operation that distinguishes him from a class of undesirable users (frequently automated attack scripts). Another form of authentication would be a traditional password check that establishes the actual identity of the user. In either form, however, the aim is to ensure that the user requesting access is not a member of the set of users who should be denied access to the resource.

The response of restricting subject permissions also takes more than one form. The first restricts the subject from performing a specific operation or restricted set of
operations across the entire set of system resources. This somewhat assumes that the set of system resources has a set of common actions or operations. The second form is an extension of the first, that adds all of the available operations to the restricted set, effectively locking the subject out of performing any action on any of the system resources.

Similarly to the previous two operations, the response of restricting permissions on a target has two forms. The first restricts all subjects from performing a specific action or restricted set of actions on the object in question. The next form blocks all subjects from performing any operation on the object. These techniques satisfy the previously mentioned requirements and provide a framework of responsive behaviors that can be used to curtail or limit intrusive actions in the system.

6.2.2 Response Triggering

The next aspect to detail is when the response techniques will be employed, or based on what conditions they will be activated and how those conditions will be described. Our approach to response selection is roughly within the third category of the intrusion response taxonomy mentioned in the literature cited above: cost-sensitive response selection. The author of the access control policy is responsible for deciding which security risk factors (i.e., global system risk, risk from the requesting source or risk to the target) will be used during the process of evaluating whether or not a request will be permitted. These individual measures are therefore the inputs into the response selection process. Each risk factor is then matched with a threshold that determines when the action associated with the factor should be performed.

6.3 Notion of Risk and a Preliminary Risk Assessment Model

Risk was previously defined, along with its critical determining factors, in the assessment ontology from Section 4.2.

6.3.1 Analysis Model

We consider the following basic scenario: a new access control request $r_1$ is generated. This request has a source $s_1$ and a target $t_1$. We take an approach to assessing
the risk of the request that relies primarily on assessing the source and target of the request. Therefore, the first step is to aggregate the set of requests generated by the source, $R(s_1) = \{r_a, r_b, r_c, \ldots, r_n\}$, and by the target, $R(t_1) = \{r_f, r_g, r_h, \ldots, r_m\}$, and thereby assign risk to those entities. The first section will deal with how we arrive at a risk assessment for each request in the aggregate sets for the source and target. The next section will then deal with how those values are combined to arrive at a single assessment for the entity.

Estimating risk for past events. Risk is associated with a probable intrusion attempt, evidenced by an attempt to exploit a system vulnerability. The risk posed by a request, therefore, is proportional to the severity of the vulnerabilities it is suspected to be seeking to exploit.

The CVSS standard provides a widely accepted, quantitative measurement scale for the severity of vulnerabilities, and therefore we will leverage that standard for the rating of vulnerabilities. The overall method for providing a single vulnerability estimate based on multiple vulnerabilities spread out over time is derived from the method used in [69]. The method has been adapted, however, to take as input a set of vulnerabilities associated with a request, instead of the set of vulnerabilities that apply to a particular service. The function $R(r_j)$ given below provides an estimation of the total risk for a request $r_j$ by taking the exponential average of all of the vulnerability descriptions associated with that request. The exponential average was chosen, as noted in [69], to provide a risk estimate for the request that is at least as large as the highest severity vulnerability associated with the request.

$$R(r_j) = \sum_{v_k \in V(r_j)} e^{SS(v_k)} \cdot Decay(r_j)$$

$$Decay(r_j) = e^{-(\text{current time} \; - \; \text{request time}(r_j))}$$

In many cases, an alert is triggered by an intrusion detection system and, because of the nature of the request, it could correspond to multiple vulnerabilities. The set
$V(r_j)$ is the set of all vulnerability exploitation signatures triggered by the request $r_j$; $SS(v_k)$ is the magnitude of the vulnerability $v_k$; $Decay(r_j)$ serves as a weighting for each vulnerability based on the age of the request. It determines the amount of the original magnitude that remains as a function of time; this allows more recent information to play a more prominent role in a risk evaluation. The decay period is the interval after which the magnitude of the request begins decreasing over time.

Estimating the risk posed by a source or to a target. The risk posed by the source of a request is then the weighted sum of the risk values for all of the requests that can be attributed to that source. We define the function $SR(s_i)$ to be the risk assessment assigned to a source $s_i$. This is given by the following formula:

$$SR(s_i) = \ln\Big( \_ + \sum_{x \in \{H,M,L\}} w_x \sum_{r_j \in HV_x(s_i)} R(r_j) \Big)$$

All of the requests initiated by a source $s_i$ and associated with an attempt to exploit a system vulnerability are contained in the set $HV(s_i)$. This set is then divided into three subsets, $HV_L(s_i)$, $HV_M(s_i)$ and $HV_H(s_i)$, based on the magnitude of the risk for the request. The set $HV_x(s_i)$ denotes all of the requests with vulnerability exploitation assessments of a certain severity level (Low, Medium or High) for which $s_i$ is the source. Each set is summed into the total risk evaluation with a weighting of $w_x$. The final weighting factor amplifies the output so that differences between different sources can be viewed more effectively. The exponential average is used again, to give an overall estimate that is at least as large as the weighted sum of the highest severity vulnerabilities in each of the three classes. The logarithm of the weighted sum is taken to keep the output within a range that is manageable and which can be

Similarly, the risk associated with a target $t_i$ is given by the function $TR(t_i)$:

$$TR(t_i) = \ln\Big( \_ + \sum_{x \in \{H,M,L\}} w_x \sum_{r_j \in HV_x(t_i)} R(r_j) \Big)$$
In this case, however, the set $HV_x(t_i)$ denotes all of the requests with vulnerability exploitation assessments of a certain severity level (low, medium or high) for which $t_i$ is the target.

Contributions of this assessment model. Extending the work done on security metrics that assess the state of the system at a given point in time, we propose (a) the use of security metrics to monitor the system state in real time and (b) to focus the use of system metrics on assessing the principal entities in access control requests, namely request sources and targets. The focus is therefore using vulnerability exploitation information to develop risk assessments for entities in a system.

In particular, we have used a method based on the one in [69] to combine the magnitude of multiple vulnerabilities spread out over time, but focused on when the request was generated instead of when the vulnerability was discovered as a means for assessing the security of a particular service.

6.4 Triggering Restricted Permissioning With Risk Data

Although the cost determination equations for response selection are highly system dependent, the risk progression in Figure 6-1 is provided as an example and has been tested using the model discussed previously. For this specific progression, the attacker executes exploitation attempts of mid-severity every 60 seconds. The risk progression would change if any of the variables, such as the risk rating of the individual requests, the interarrival time between requests, or the weighting of the low, medium and high level risk events, were adjusted.

Using the example risk progression, the following sample conditions are provided for performing each of the previously mentioned intrusion responses:

1. if Source_Risk >= 36.11 OR System_Risk >= 53.8 THEN Force_Authentication
2. if Target_Risk >= 41.11 THEN Restrict_Permission_X_On_Object
3. if Source_Risk >= 41.11 THEN Restrict_Permission_X_For_Subject
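The preliminary model of Section 6.3.1 and the three sample conditions above, worked through in Python as an added example (not code from the dissertation). Two pieces of the $SR$/$TR$ formula are not legible in the extracted text, the constant added inside the logarithm and the amplifying multiplier; the example assumes 1 and 10 (the multiplier value Section 7.3 reports), and uses a constructed per-request risk of 6 for a mid-severity request so that $w_M \cdot R(r_j) = 12$, which reproduces the first rows of Figure 6-1. The shape of the decay around the decay period is likewise an assumption.

```python
import math
from typing import Iterable, List, Set, Tuple

WEIGHTS = {"H": 3.0, "M": 2.0, "L": 1.0}  # w_H, w_M, w_L as set in Section 7.3
LOG_OFFSET = 1.0    # assumed: the constant inside ln(...) lost in the extraction
MULTIPLIER = 10.0   # risk multiplier; Section 7.3 reports the value 10


def decay(age_seconds: float, decay_period: float) -> float:
    """Decay(r_j): full weight while the request is younger than the decay
    period, exponential decay afterwards (this shape is an assumption; the
    extracted formula only shows e^-(current time - request time))."""
    return math.exp(-max(0.0, age_seconds - decay_period))


def request_risk(magnitudes: Iterable[float], age_seconds: float,
                 decay_period: float) -> float:
    """R(r_j) = sum_k e^{SS(v_k)} * Decay(r_j). Summing exponentials makes the
    result at least as large as the contribution of the worst signature."""
    return sum(math.exp(ss) for ss in magnitudes) * decay(age_seconds, decay_period)


def entity_risk(requests: Iterable[Tuple[str, float]]) -> float:
    """SR(s_i) or TR(t_i): MULTIPLIER * ln(LOG_OFFSET + sum_x w_x sum_{r in HV_x} R(r)).
    `requests` are (severity class, R(r_j)) pairs attributed to the entity."""
    weighted = sum(WEIGHTS[severity] * r for severity, r in requests)
    return MULTIPLIER * math.log(LOG_OFFSET + weighted)


def select_responses(source_risk: float, target_risk: float,
                     system_risk: float) -> Set[str]:
    """The three sample conditions of Section 6.4, evaluated together."""
    responses: Set[str] = set()
    if source_risk >= 36.11 or system_risk >= 53.8:
        responses.add("Force_Authentication")
    if target_risk >= 41.11:
        responses.add("Restrict_Permission_X_On_Object")
    if source_risk >= 41.11:
        responses.add("Restrict_Permission_X_For_Subject")
    return responses


def risk_progression(n_requests: int, per_request_risk: float = 6.0,
                     severity: str = "M") -> List[float]:
    """Source risk seen at request number k, computed from the k-1 previous
    mid-severity requests, in the columns of Figure 6-1. The constructed value
    per_request_risk=6 with w_M=2 gives the 12 per request the figure implies."""
    return [round(entity_risk([(severity, per_request_risk)] * (k - 1)), 2)
            for k in range(1, n_requests + 1)]


if __name__ == "__main__":
    for k, risk in enumerate(risk_progression(6), start=1):
        print(k, risk, sorted(select_responses(risk, 0.0, 0.0)))
```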
The first condition forces authentication for the subject if the risk generated by the subject exceeds 36.11 (roughly three exploitation attempts of mid-severity) or if the overall system-level threat exceeds 53.8 (fifteen exploitation attempts). The second condition denies the subject from performing action X on the object if the target risk has risen to or above 41.11, meaning it has received 5 or more exploitation attempts. The last condition denies the subject from performing action X on any object if the source risk is at or above 41.11, meaning that 5 or more exploitation attempts have been attributed to that subject.

6.5 Abacus Framework Architecture

The architecture abstracts the risk analysis functions into an external risk analysis service, which the access control system is then adapted to interact with. The access control system used to demonstrate this architecture is the Apache web server. This second approach corresponds roughly to a federated or service-oriented approach. The three risk types discussed previously (source, target and system) are each implemented in an analysis module which can provide a risk assessment for the appropriate entity or, in the case of the system-level risk, for all of the entities. All of the analysis data is then made available by an analysis service that receives and services requests for risk analysis information. The web server is also extended to perform the three intrusion responses discussed previously as the means to attack resistance: forcing additional authentication, restricting user permissions and restricting access to a target. Based on the resource and the actions available on that resource, a threshold is determined for the source- and target-associated risk above which requests are denied.

Event database. The event database is backed by a relational database implementation, in this case MySQL. Some of the structure of this database was derived from the IDMEF schema [50]. Other parts of the structure were produced as part of a larger ontology for security assessment parameters, which is soon to be published. The event database contains the following tables:
- CVSS Vulnerabilities: this table stores information regarding current vulnerabilities from the National Vulnerability Database (NVD), which has adopted the CVSS scoring system. Each vulnerability is listed along with its CVSS base score, exploit sub-score, impact sub-score, overall score and vector. The name of the vulnerability, the product it affects and the versions of that product that are vulnerable are also stored in this table.
- Network Access Requests: entries in this table are generated on the receipt of an IDS alert by the alert processing engine. The IP address and port of the source node are listed along with the IP address and port of the target node. The time of the request, the action being performed and the target entity are also included in this table.
- Files: listing of all file entities referenced in requests; includes the file's path and a reference to the node on which the file is hosted.
- Nodes: listing of all node entities referenced in requests; includes the node's IP address.
- Port: listing of all ports referenced in requests; includes the node that the port was on, and the protocol to which it was bound.
- User: listing of all users referenced in requests; includes their user id.
- Intrusion Assessments: this table links individual requests to an intrusion assessment. Each assessment provides a classification for the event, its severity (which may be provided by the IDS) and whether or not the attack completed successfully. It also includes the id of the analyzer which produced the assessment and any additional data that the IDS provides, such as the packet payload.
- Vulnerability Descriptions: a vulnerability description provides information on a concrete software vulnerability. Each vulnerability description is provided by a vulnerability database; for the purposes of this study we only use CVE vulnerabilities because they have an objective scoring system. Each vulnerability description,
  therefore, only links to one element in the table of CVSS vulnerabilities and, consequently, only has one base score. The table also stores the reference name and URL, along with a link to the intrusion assessment which references the vulnerability.
- Request Risk Cache: this table stores a calculated risk value for each request id by querying for the CVSS score for all of the vulnerability descriptions that are linked to an intrusion assessment and which provide a CVE ID. As mentioned in the section describing the model, the exponential average of all of the CVSS scores for the vulnerability descriptions used in a particular intrusion assessment is taken, and this value is stored in the request risk cache. When a particular risk handler queries the risk cache to produce a risk evaluation for a particular entity, the risk estimate is multiplied by the decay factor to produce a dynamic risk estimate for that particular request.

Dynamic risk modules. The three dynamic risk modules implement the functions described under the risk model. The functions for each handler are the same, with the exception of the first step. In the case of the source risk handler, all of the requests originating from that source are aggregated. For the target risk handler, all of the requests directed at that target are aggregated. Lastly, for the system risk handler, all of the system's requests are aggregated. Following this, for those existing requests that may be cached in the request risk cache, the estimate value is pulled and the decay function is calculated. If no value is cached, then the risk handler calculates a risk estimate by joining the request, intrusion assessment, vulnerability description and CVSS vulnerability tables to find all of the CVSS scores for all of the vulnerability descriptions referenced as a part of the intrusion assessment for the request. Based on this, a static risk estimation is produced and cached for future access.

Alert processing module. The alert processing module is responsible for extracting the information for each of the tables mentioned previously from the alerts it receives. In addition, it can perform the functions of filtering out alerts that do not reference concrete
vulnerabilities, or alerts for which the vulnerability does not match the current system configuration.

The architecture is shown in Figure 6-2. The analysis server performs risk analysis operations, providing risk assessments for various entities (sources and targets) based on requests from the access control system. The intrusion detection system listens on the link for incoming requests and reports alerts for any requests that seem intrusive; in this case, specifically, those requests that appear to be an attempt to exploit a known software vulnerability. The raw alerts from the IDS are passed through a processing module that may filter the alerts using concrete vulnerability or configuration verification, as mentioned earlier. Finally, the data from the new events is stored in an event database.

The access control system used with the second approach was the Apache web server. In order to make as few modifications as possible to its existing access control policy evaluation mechanism, the ability to write and specify custom access control handlers for certain resources was utilized. Rather than returning a value for a specific attribute and querying against the event database within the access control handlers, the querying and analysis functions were abstracted into an external analysis server that provides risk analysis as a service. Requesting access control systems, such as the Apache web server implementation, submit requests to the analysis server specifying the type of desired risk analysis (source, target or system) and, in the case of the source and target analyses, the attributes of the entity which the analysis should center around. Based on the risk assessment returned and the risk threshold that is assigned to that particular resource or action, a permit or deny decision is returned.

Source restriction implementation. An excerpt from the httpd.conf file for the web server that establishes the access control handler for restricting source permissions is shown in Figure 6-3. This directive establishes the module "SourcePermissionRestrict" as an access control handler. This module implements the attack response of restricting source permission. In this particular example five different levels of granularity are
established. Action "A1" is the least tolerant of risk: a threshold of 26 is set for the source risk, above which requests will be denied. The other actions are progressively more risk-tolerant. The final threshold, "SourceLockoutThreshold", establishes that a source will be blocked from all actions on all objects when its source risk level exceeds 41. The corresponding pseudocode for the handler is shown in Figure 6-4.

The processing steps for the source restriction and target restriction handlers are essentially the same, summarized in the following steps:

1. The properties of the request (the subject and object of the request and the action being performed) are extracted from the URL and the request properties.
2. A request to the risk analysis server is generated specifying (a) which type of analysis data is required and (b) the identifier for the subject or object of the request.
3. Once the risk value is returned, it is compared with the thresholds specified in the configuration file to determine if the request should be denied.
4. If none of the thresholds are violated, the request is permitted.

Force authentication implementation. The policy configuration for the access control module to force authentication is shown in Figure 6-5. The authentication module was actually written as a content handler, because the authentication handlers are somewhat restricted and would not allow for the type of random challenge authentication that was desired in this case. The example shown establishes three independent thresholds, any of which could be used to trigger authentication for the requesting source. The corresponding pseudocode for the authentication module is shown in Figure 6-6. The system threshold is higher to limit the number of authentication requests that are necessary when the risk for a particular source or target is not yet at a suspicious level. It also, however, offers protection for as-yet untouched resources when the majority of intrusive traffic is concentrated elsewhere in the system. The analysis server receives requests and then loads the appropriate risk analysis module, dynamically generating queries to the event database to select the appropriate events. The risk module then generates the risk measure, which is returned to the service requester.
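The two handlers described above (the source restriction handler of Figures 6-3 and 6-4, and the authentication chain of Figures 6-5 and 6-6), as an added Python example; the dissertation's handlers are mod_perl modules and this is not their code. The analysis server is replaced by a constructed table of risk values, the threshold names and values are those of the two configuration excerpts, and the credential check is a caller-supplied function.

```python
import time
from typing import Callable, Dict, Optional, Tuple, Union

# Threshold values copied from the configuration excerpts of Figures 6-3 and 6-5.
SOURCE_RESTRICT_CONF = {
    "Action_A1_RiskThreshold": 26,
    "Action_A2_RiskThreshold": 32,
    "Action_A3_RiskThreshold": 36,
    "Action_A4_RiskThreshold": 39,
    "SourceLockoutThreshold": 41,
}
AUTH_CONF = {
    "SystemRiskThreshold": 55,
    "SourceRiskThreshold": 33,
    "TargetRiskThreshold": 45,
    "AuthExpiration": 300000,  # milliseconds, i.e. five minutes
}


class AnalysisClient:
    """Stand-in for the external analysis service. The real service answers a
    query of (analysis type, entity); here the answers come from a constructed
    table keyed by ("source", address), ("target", path) or "system"."""

    def __init__(self, risks: Dict[Union[str, Tuple[str, str]], float]):
        self.risks = risks

    def risk(self, kind: str, entity: Optional[str] = None) -> float:
        key = (kind, entity) if entity is not None else kind
        return float(self.risks.get(key, 0.0))


def source_permission_restrict(conf: Dict[str, int], client: AnalysisClient,
                               source: str, action: str) -> str:
    """Figure 6-4: deny when the source risk is above the lockout threshold,
    or above the threshold configured for the requested action."""
    risk = client.risk("source", source)
    if risk > conf["SourceLockoutThreshold"]:
        return "DENY_REQUEST"
    threshold = conf.get(f"Action_{action}_RiskThreshold")
    if threshold is not None and risk > threshold:
        return "DENY_REQUEST"
    return "OK"


class AuthChain:
    """Figure 6-6, with the AuthExpiration timer of Figure 6-5: a source that
    has authenticated is not challenged again until the expiration elapses."""

    def __init__(self, conf: Dict[str, int], client: AnalysisClient,
                 verify: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.time):
        self.conf, self.client, self.verify, self.clock = conf, client, verify, clock
        self.authenticated_at: Dict[str, float] = {}  # source -> time of last success

    def handle(self, source: str, target: str,
               credentials: Optional[str] = None) -> str:
        last = self.authenticated_at.get(source)
        if last is not None and (self.clock() - last) * 1000 < self.conf["AuthExpiration"]:
            return "NO_AUTHENTICATION_REQUIRED"
        c = self.client
        if (c.risk("source", source) > self.conf["SourceRiskThreshold"]
                or c.risk("target", target) > self.conf["TargetRiskThreshold"]
                or c.risk("system") > self.conf["SystemRiskThreshold"]):
            # "send authentication_request": the caller retries with credentials
            if credentials is None or not self.verify(source, credentials):
                return "AUTHENTICATION_REQUIRED"
            self.authenticated_at[source] = self.clock()
            return "AUTHENTICATION_GRANTED"
        return "NO_AUTHENTICATION_REQUIRED"
```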
6.6 Updates and Modifications to the Initial Model and Architecture

6.6.1 Performance Issues With the Initial Architecture

The problem with the initial architecture was the fact that the events were being aggregated on the demand of the client, and each time a request was made all of the related events were being re-examined and having risk values re-calculated based on a new decay factor that accounted for the accurate time difference between the request and the time the event actually occurred. As the number of events that were stored in the event database and needed to be analyzed as part of the aggregate set increased, the time to process each request was also increasing.

6.6.2 Solution 1: Caching

The scheme for caching of risk data relied on the creation of a background thread to pre-fetch risk data. The goal was to eliminate the increased response time problem described previously. Under the caching scheme, the analysis server creates a background thread that continually extracts all of the sources and targets from the event database. It then invokes the risk handlers on each of the entities extracted, producing source, target and system level risk where appropriate and storing the data back into the event database. When the analysis server receives a request for a risk evaluation on a system entity, instead of invoking the handler for that individual request, it performs a lookup on the cache tables in the event database.

Although the caching approach addressed the issue of the response time between the part of the analysis server that services requests and the data consumer, it also introduced another issue: the timeliness of the data that is returned to the consumer. The increasing time taken to execute a caching run that re-calculates the risk values for system entities is approximately the same as the increasing response time from the server. In testing, after a significant number of requests, the time taken to perform a full refresh of the risk cache for all of the entities became prohibitively long, such that requests from consumers for risk information would receive outdated, inaccurate information. In essence, the caching
approach did not address the complexity of the algorithm for risk calculation, which was the primary reason for the increasing response time; it merely detached the calculation of an updated risk assessment from the fulfillment of a client data request. This analysis led to the development of a second implementation approach to address these shortcomings.

6.6.3 Solution 2: Redesigning the Analysis Algorithm and Refactoring the Architecture

The second implementation approach provides more efficient analysis of events: each event is seen and analyzed only once, when it first arrives. Risk assessments for affected entities are updated when a new alert arrives, and the function of the analysis server is to pull the stored assessment (not calculate it, as before) and return the result to the requesting client.

6.6.4 Revised Risk Assessment Model

The risk magnitude assigned to a vulnerability exploitation attempt is still the exponential average of all of the magnitudes of all of the vulnerabilities referenced in the alert. The algorithm for calculating risk based on multiple events is no longer iterative, but recursive. The decay function has been removed so that the weight of each request does not need to be re-assessed. Instead, a weighting value serves to weight the previous risk assessment for the entity with respect to the risk assessment for the newest event. This serves the same function of decreasing the influence of older data in favor of newer data, but does so as triggered by new events, and not merely as a uniform time dependency. This also better accommodates assessing risk to entities with vastly different request frequencies.

$$R(r_j) = \ln \sum_{v_k \in V(r_j)} e^{w_x \, SS(v_k)}$$

$$TR(t_i, r_{t+1}) = \ln\Big( e^{TR(t_i, r_t)} + R(r_{t+1}) \Big)$$
$$SR(s_i, r_{t+1}) = \ln\Big( e^{SR(s_i, r_t)} + R(r_{t+1}) \Big)$$

The set $V(r_j)$, with members $v_k$, is the set of all vulnerability exploitation signatures triggered by the request $r_j$; $SS(v_k)$ is the magnitude of the vulnerability $v_k$; $TR(t_i, r_{t+1})$ is the risk assessed to the target $t_i$ as a result of intrusive request $r_{t+1}$; $SR(s_i, r_{t+1})$ is the risk assessed to the source $s_i$ as a result of intrusive request $r_{t+1}$.

6.6.5 Restructured Architecture

The primary change to the architecture is the distribution of analysis functions between the alert server (responsible for context acquisition) and the analysis server. In the previous approach, the alert server only received alerts, extracted the necessary information, and stored it in the event database. The analysis server was responsible for receiving client requests for risk data, performing the required analysis operations and then sending a response to the client. The change in the risk model, however, demands that the updating of risk information occurs as new events are processed. This requires that the primary analysis function (updating risk values for entities) occurs as the events are processed and consequently must be performed by the alert server.

Another change, used to facilitate the preservation of the incoming analysis data, was to queue incoming alerts in the database until they could be processed by one of the available processing threads. This allowed the number of active alert processing threads to be decreased so that the total processing time for each alert would be less.

6.7 Summary

A system implementation is detailed based on the general framework previously discussed and satisfying the key design goals outlined under the acquisition, analysis and application of context information. A federated approach is used that follows the principles discussed in Section 3.2.2 and adapts the correlation ontology of Section 3.4.5 to a relational database model that serves as the schema for the event database described in Section 6.5. An independent analysis server performs the functions of aggregating
context information and then disseminating it. The implementation focuses on one of the context properties defined in the Chapter 4 ontology of assessment properties: that of risk. A model is defined for deriving risk information from assessments produced by an intrusion detection system on attempts to exploit software vulnerabilities. This model designates how risk is assigned to both subjects and objects of access requests. Details are also provided on how the analysis data is applied and used in the access control process. Context-based policy evaluation, previously discussed in Section 5.2, is achieved by providing custom access control handlers that interact with the analysis server to receive risk information. These access control handlers also implement the response techniques discussed in Section 5.3.
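The revised model of Section 6.6.4 and the alert-server placement of Section 6.6.5, as an added Python example (the dissertation's servers are written in Java; this is not their code). Each alert is processed once and updates the stored $SR$, $TR$ and system assessments recursively; an on-demand variant in the style of Section 6.6.1 re-walks the stored events on every query, and the counter of examined events shows the difference. The severity weights are those of Section 7.3, the stored assessments are assumed to start at 0 (so the first update yields $\ln(1 + R)$), and the alerts are constructed.

```python
import math
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

WEIGHTS = {"H": 3.0, "M": 2.0, "L": 1.0}  # w_H, w_M, w_L as set in Section 7.3


@dataclass(frozen=True)
class Alert:
    source: str
    target: str
    severity: str              # severity class x of the assessment: H, M or L
    signatures: Tuple[float, ...]  # SS(v_k) for each signature triggered


def request_risk(alert: Alert) -> float:
    """R(r_j) = ln sum_k e^{w_x SS(v_k)}: a weighted exponential average."""
    w = WEIGHTS[alert.severity]
    return math.log(sum(math.exp(w * ss) for ss in alert.signatures))


def update(previous: float, new_request: float) -> float:
    """The recursive step shared by TR and SR:
    X(e, r_{t+1}) = ln(e^{X(e, r_t)} + R(r_{t+1})). Strictly increases
    whenever R > 0, so an entity's assessment never drops on a new alert."""
    return math.log(math.exp(previous) + new_request)


@dataclass
class AlertServer:
    """Holds the stored assessments that the analysis server now only reads.
    Assumption: every assessment starts at 0 before the entity's first alert."""
    source_risk: Dict[str, float] = field(default_factory=dict)
    target_risk: Dict[str, float] = field(default_factory=dict)
    system_risk: float = 0.0
    queue: Deque[Alert] = field(default_factory=deque)
    events_examined: int = 0

    def enqueue(self, alert: Alert) -> None:
        # Section 6.6.5: alerts wait in a queue until a processing thread takes them.
        self.queue.append(alert)

    def process_pending(self) -> int:
        """Drain the queue, processing each alert exactly once; returns the count."""
        processed = 0
        while self.queue:
            self.process(self.queue.popleft())
            processed += 1
        return processed

    def process(self, alert: Alert) -> None:
        r = request_risk(alert)
        self.source_risk[alert.source] = update(self.source_risk.get(alert.source, 0.0), r)
        self.target_risk[alert.target] = update(self.target_risk.get(alert.target, 0.0), r)
        self.system_risk = update(self.system_risk, r)
        self.events_examined += 1


def on_demand_source_risk(history: List[Alert], source: str) -> Tuple[float, int]:
    """Section 6.6.1 behaviour for comparison: each query re-reads the whole
    event history. Returns the assessment and the number of events examined."""
    risk, examined = 0.0, 0
    for alert in history:
        examined += 1
        if alert.source == source:
            risk = update(risk, request_risk(alert))
    return risk, examined


# Constructed alerts: one source probing two targets, plus a second source.
SAMPLE_ALERTS = [
    Alert("10.0.0.7", "/s/a", "M", (2.0,)),
    Alert("10.0.0.7", "/s/b", "H", (1.0, 1.5)),
    Alert("10.0.0.8", "/s/a", "L", (3.0,)),
]
```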
Figure 6-1. Sample risk progression for an intruder executing intrusive requests of moderate severity.

Request Number   Risk Estimation   Number of Previous Requests
      1               0                   0
      2              25.65                1
      3              32.19                2
      4              36.11                3
      5              38.92                4
      6              41.11                5
      7              42.91                6
      8              44.43                7
      9              45.75                8
     10              46.92                9
     11              47.96               10
     12              49.77               11
     13              50.57               12
     14              51.99               13
     15              53.23               14
     16              53.8                15
     17              54.34               16
     18              54.85               17
     19              55.34               18
     20              55.8                19

Figure 6-2. Architecture for the ABACUS framework.
    PerlAccessHandler SourcePermissionRestrict
    PerlSetVar Action_A1_RiskThreshold 26
    PerlSetVar Action_A2_RiskThreshold 32
    PerlSetVar Action_A3_RiskThreshold 36
    PerlSetVar Action_A4_RiskThreshold 39
    PerlSetVar SourceLockoutThreshold 41

Figure 6-3. Apache configuration directive that establishes a SourcePermissionRestrict access handler to evaluate all requests to resources in the directory '/s'. The directive also establishes four risk thresholds, each for a different action. These thresholds are subsequently used by the access handler to compare against the current risk evaluation for the source of the request, with the request being denied if the source's risk exceeds the threshold. The final variable, SourceLockoutThreshold, establishes that once the risk attached to the source exceeds 41, all requests from that source will be denied.

    read threshold_values;
    read request_properties;
    request source_risk from analysis server;
    set response = OK;
    if source_risk > lockout_threshold
        { response = DENY_REQUEST; }
    else if request_action == A1 AND source_risk > A1_threshold
        { response = DENY_REQUEST; }
    else if request_action == A2 AND source_risk > A2_threshold
        { response = DENY_REQUEST; }
    else if request_action == A3 AND source_risk > A3_threshold
        { response = DENY_REQUEST; }
    else if request_action == A4 AND source_risk > A4_threshold
        { response = DENY_REQUEST; }
    return response;

Figure 6-4. Pseudocode for the access control module that performs restriction of source permissions based on a risk assessment obtained from an analysis server. It retrieves a risk assessment for the source from the analysis server and then compares it with the appropriate threshold for the action being performed.
    SetHandler perl-script
    PerlHandler AuthChain
    PerlSetVar SystemRiskThreshold 55
    PerlSetVar SourceRiskThreshold 33
    PerlSetVar TargetRiskThreshold 45
    PerlSetVar AuthExpiration 300000

Figure 6-5. Apache configuration directive for a custom authentication handler. Three different thresholds, or properties, are established which could be used to trigger the use of authentication. A value is also set for AuthExpiration, which ensures that, once authenticated, users are only re-authenticated every 300 seconds (five minutes) at most.

    read threshold_values;
    read request_properties;
    request source_risk from analysis_server;
    request target_risk from analysis_server;
    request system_risk from analysis_server;
    if source_risk > source_threshold OR target_risk > target_threshold
       OR system_risk > system_threshold
        {
        send authentication_request;
        if credentials_incorrect
            { return AUTHENTICATION_REQUIRED; }
        else
            { return AUTHENTICATION_GRANTED; }
        }
    else
        { return NO_AUTHENTICATION_REQUIRED; }

Figure 6-6. Pseudocode for the authentication module. Authentication is required if any of the established risk thresholds are exceeded.
CHAPTER 7
RESULTS

7.1 Testing Setup

Hardware setup. All of the testing to be discussed was performed using two identical Linux virtual images, each running Ubuntu Linux 8.04 with a 1.86 GHz processor and 1 GB of RAM. One machine served as the server and the other as the client or traffic generation node. The server machine contained the web server, IDS, alert server, analysis server and event database mentioned in the architecture. For the purpose of testing and implementation, the web server used was Apache version 2.2.10. Snort version 2.8.1 was used as the intrusion detection system. The event database was supported by the MySQL DBMS version 5.0.51. Both the analysis and alert processing servers were written in Java. The access control modules for Apache were written in Perl using mod_perl 2.0.4.

7.2 Validation of Analysis Model

The first set of results pertains to the evaluation of the risk analysis model. The goal of this testing is to demonstrate the following:

1. that the essential assumption of the model, that of escalating risk, is valid for scenarios that involve successive, related intrusion attempts
2. that this assumption can be validated experimentally using real data sets
3. that various techniques exist, and can be used effectively, to deal with some of the problems regarding data quality, including false positives and false negatives

The data for the tests were from the first of the two scenario-specific data sets provided by the Lincoln Laboratory [70]. The data set records a distributed denial of service attack and was divided into the following five phases: (1) an IP sweep of the target network from a remote site; (2) a probe of live IPs to look for the sadmind daemon running on Solaris hosts; (3) break-ins via the sadmind vulnerability, both successful and unsuccessful, on those hosts; (4) installation of the trojan mstream DDoS software on three hosts in the target network; and (5) launching the denial of service attack. Initial test results showed the intruder (as described in the provided labeling data) with the highest risk rating after
a majority of the attack had concluded. Unsatisfactorily, however, due to false positives early in the tests some other nodes were initially given higher risk ratings during the first phases of the attack. In addition, the overall number of nodes that were assessed as potential intruders was high. Two different alert filtering techniques were applied, in an effort to improve the data accuracy and reduce false positives. The first was to use a technique proposed in [71] to filter out alerts that do not correspond to the exploitation of a 'concrete vulnerability'. A concrete vulnerability is defined in this case as one which is listed in the CVE [72], a standardized database for software vulnerabilities. In order to compile a working database to check vulnerability signatures, the latest CVE entries were downloaded and stored in a relational database. The results for the second round of testing using the concrete vulnerability filtering are shown in Figure 7-1 on page 118.

The latter part of the risk progression is relatively flat because the intrusion detection system being used failed to detect some of the later events involved in the attack sequence. And while the risk model does not make provisions for detecting attacks which are missed by the intrusion assessment mechanism, the use of historical data to assess the threat posed by the source at least ensures that the same risk level based on earlier behavior is maintained. In this way, the model is tolerant of missed detections.
The risk assessments in the second set of test results were still somewhat inaccurate; a number of nodes on the local network were rated as suspicious and up until approximately the 9th sampling iteration the actual intruder does not have the highest risk rating. A second alert filtering technique was used to further increase the accuracy of the assessment: configuration verification. This is similar to the approach of verifying alerts using network knowledge as discussed in [73, 74]. In this case, a database was constructed with all of the known, labeled nodes in the data set, the operating system running on the node and its version of the operating system. Each time an alert was generated this database was consulted to see if the vulnerability being reported actually matched the configuration of the targeted machine. If there was no match, the alert was discarded. Using these two
PAGE 108
lteringtechniquesinconjunctiontheriskassessmentreectedthesingle-intrudernature ofthedataset,asshowninFigure7-1. Afterapplyingthelteringtechniques,theresultsfortargetriskestimationwere improved.ResultsfortargetriskestimationareshowninFigure7-2partAandFigure 7-2partB.InthenalriskestimationgraphfortargetednodesFigure7-2partB,only thenodesactuallyattackedarerated,andthosenodesforwhichsuccessfulattacksare launchedareratedwiththehighestriskvalues. 7.3WebServerAttackResistanceResults Thissecondsetoftestingresultsisdesignedtodemonstrateresultsoftestingthe secondofthetwoarchitecturestheriskanalysisserverintegratedwithApachewith realtimeincomingrequests.Inordertoeectivelyillustratetheeectofthethree chosenresponsetechniques,threedierentscenariosweregeneratedwithawebserver tracsimulatorandrequestsweresenttotwodierentwebservers:oneusingthethree analysismodulesdescribedpreviously,andanotheronlyusingthenotionoftheglobal systemthreattotriggerresponsetechniques.Whereasvalidationoftheriskmodelcould beperformedwithacaptureddatasetbeingreplayedoverthenetwork,theuseofthe responsestrategieswillrequireactiveconnectionstotheaccesscontrolsystemandhence demandslivetrac. ThetracsimulatorcreatesanarrayofrequestingnodesSwhere s i isamemberof S,eachwithanintrusivenessrating i r ,aninter-requestperiodpandatotalrequestlife l.ThewebserverisarrangedasanarrayoftargetresourcesTwhere t i isamemberof T.Each t i hasasetofvalidactions a 1 a 2 ,.... a n andinvalidorintrusiveactions i 1 i 2 ,... i k .Everypsecondsorarandomnumberofsecondsbetween0andp,requestsource s i selectsamemberofTandthenbasedonitsintrusivenessrating,selectseitheranormal orintrusiveactiontoperformontheresource.Sourceswithahigher i r haveagreater probabilityofselectinganintrusiveactionforeachrequest.Inpractice,theseintrusiveness ormaliciousnessratingsrangefrom0%to90%. 108
PAGE 109
Fortheriskanalysismodel,vulnerabilityweightingswerethefollowing:highseverity w H =3 ,mediumseverity w M =2 andlowseverity w L =1 .Theriskmultiplier wassetto10,toprovideamorenoticeabledierencebetweenvariousassessments. Scenario1:singleintruder,vulnerabilityprobing. Inthisrstscenario,a singleintruderexecutesintrusiverequestsonseveralsystemresources-amethodindicativeofprobingforwhichvulnerabilitieshavebeenpatchedorwhichcongurationholes havebeenclosed.Therestofthesourcesgeneratingsystemrequestsarenormalusersexecutinglittleornorequeststhatcouldbecategorizedasintrusive.Therequestswere generatedoverthecourseofathreehoursimulation.Therequesttracefortheintruder demonstratesthatrequestsfordierentactionsaredeniedbasedonhisoverallriskprole andeventuallytheintruderislockedoutfromallsystemrequests.Meanwhile,requests fromtheotherusersarestillpermitted.Asummaryoftheresultsforasimulationofthis scenarioarepresentedinTable7-1.Figure7-4chartsthegrowthoftheriskassessedto theintruder.Inthisscenarioalloftheintrusiverequestswerefromthesingleintruder. Server1begantodenyrequestsfromtheintruderaftertheirsourceriskpassedthethresholdof45.Thenormalrequestsblockedbyserver1werealsofromtheintruder.Oncethe systemriskforserver2passesthethreshold,itbeginstodenyrequestsfromallsources. Thecongurationdirectivesusedinthetwoserversduringthisscenarioareshownin Figure7-3. Scenario2:multipleintruders,singletarget,many-to-oneattack. Inthe secondscenario,multipleintruderstargetthesameresourcewithtwodierentattacks. Thiscouldcorrespondtothepublicationofanewvulnerabilityforanexistingservice.In theinterimperiodsomenon-intrusiverequestsareallowedontheresource,butwhenthe targetriskreachesthethreshold,allrequeststothetargetaredenied.Asummaryofthe resultsforasimulationofthisscenarioarepresentedinTable7-2.Thegrowthoftherisk assessedtothetargetischartedinFigure7-6. 109
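The simulator of Section 7.3 and the two policies compared in scenario one, as an added example that is not the dissertation's code: it generates a request trace from sources with intrusiveness ratings, then replays it against a server using source risk (threshold 45) and a server using system risk (threshold 65). The scoring rule (a capped running total of multiplier times severity weight), the target resources and the severities of their intrusive actions are assumptions, not the Chapter 6 model; the weightings and thresholds are the ones quoted above.

```python
import random
from dataclasses import dataclass, field

W_HIGH, W_MEDIUM, W_LOW = 3, 2, 1            # vulnerability weightings quoted from the page
RISK_MULTIPLIER = 10                          # risk multiplier quoted from the page
THRESHOLDS = {"source": 45, "system": 65}     # server one / server two in scenario one

# Constructed target set T (not from the page): each resource lists its valid
# actions and its intrusive actions, the latter tagged with an assumed severity.
TARGETS = {
    "/login":  (["GET", "POST"], [("sqli_probe", W_HIGH)]),
    "/search": (["GET"],         [("traversal_probe", W_MEDIUM), ("xss_probe", W_LOW)]),
    "/admin":  (["GET"],         [("auth_bypass_probe", W_HIGH)]),
}


@dataclass
class Source:
    name: str
    intrusiveness: float  # i_r: probability that a request is intrusive (0.0 .. 0.9)
    period: int           # p: a request every 1..p seconds
    life: int             # l: seconds for which the source keeps issuing requests


@dataclass
class RiskLedger:
    """Risk scores updated as each alert arrives (the recursive formulation of
    Section 7.4.3) rather than re-aggregated from the whole event history.
    The scoring rule is an assumption: min(100, multiplier * sum of weights)."""
    scores: dict = field(default_factory=dict)

    def record(self, key, weight):
        self.scores[key] = min(100, self.scores.get(key, 0) + RISK_MULTIPLIER * weight)

    def risk(self, key):
        return self.scores.get(key, 0)


def generate_requests(sources, rng):
    """Produce the time-ordered request trace the simulator of 7.3 would send."""
    events = []
    for s in sources:
        t = 0
        while t < s.life:
            t += rng.randint(1, s.period)
            target = rng.choice(sorted(TARGETS))
            valid, intrusive = TARGETS[target]
            if rng.random() < s.intrusiveness:
                action, severity = rng.choice(intrusive)
            else:
                action, severity = rng.choice(valid), None
            events.append((t, s.name, target, action, severity))
    events.sort(key=lambda e: e[0])
    return events


def run_scenario(sources, policy, seed=7):
    """Replay one trace against a policy ("source" or "system") and tabulate the
    Table 7-1 statistics, plus denials of normal requests from non-intruders."""
    rng = random.Random(seed)
    ledger = RiskLedger()
    stats = {"intrusive": 0, "intrusive_denied": 0, "normal": 0,
             "normal_denied": 0, "normal_denied_other_sources": 0}
    intruder = max(sources, key=lambda s: s.intrusiveness).name
    for _, src, target, action, severity in generate_requests(sources, rng):
        # The access handler consults the current risk value before serving.
        key = src if policy == "source" else "system"
        denied = ledger.risk(key) > THRESHOLDS[policy]
        if severity is None:
            stats["normal"] += 1
            stats["normal_denied"] += int(denied)
            stats["normal_denied_other_sources"] += int(denied and src != intruder)
        else:
            stats["intrusive"] += 1
            stats["intrusive_denied"] += int(denied)
            # The IDS reports the attempt afterwards; both risk values are updated.
            ledger.record(src, severity)
            ledger.record("system", severity)
    stats["pct_intrusive_denied"] = round(100.0 * stats["intrusive_denied"] / max(1, stats["intrusive"]), 1)
    stats["pct_normal_denied"] = round(100.0 * stats["normal_denied"] / max(1, stats["normal"]), 1)
    return stats


def scenario_one(hours=3):
    """One intruder (i_r = 0.9) probing several resources among nine normal users."""
    sources = [Source("intruder", 0.9, 30, hours * 3600)]
    sources += [Source(f"user{i}", 0.0, 30, hours * 3600) for i in range(9)]
    return {policy: run_scenario(sources, policy) for policy in THRESHOLDS}


if __name__ == "__main__":
    for policy, stats in scenario_one().items():
        print(f"server using {policy} risk: {stats}")
```

With the source-risk policy the only normal requests denied are the intruder's own, while the system-risk policy starts denying every source once the pooled risk passes its threshold, which is the availability trade-off Table 7-1 records.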
The testing for scenario two demonstrates that using target risk when a particular resource is being targeted can increase the number of intrusive requests that are blocked while maintaining availability for the other system resources. During this simulation, both the system risk and the target risk for the targeted resource peaked at 83. This was due to the fact that all of the intrusive requests in the entire system were directed at the same resource. While the system risk threshold could have been raised to decrease the percentage of normal requests that were denied, it would have also increased the number of intrusive requests that were blocked. The configuration directives used in the two servers during this scenario are shown in Figure 7-5.

Scenario 3: multiple attackers on various resources. In the third scenario, multiple intruders attack multiple system resources. This could correspond to a system with high traffic levels that sees exploitation attempts on multiple resources from multiple sources in a given period of time. Using both source and target risk levels, requests at various points in the overall request trace are responded to by a request for authentication. Eventually, when the system risk level passes the threshold, all initial requests are responded to by requests for authentication. A summary of the results for a simulation of this scenario is presented in Table 7-3. The simulation was run for approximately 2.5 hours with nodes generating requests at all levels of maliciousness and thus there is no clear intruder.

Due to the use of source, target and system risk information, the policy for server one was stricter. Despite this, the proportion of non-intrusive requests that were responded to by a request for authentication was only four percent higher than for server two. This number of non-intrusive requests also includes requests from nodes with high maliciousness ratings such as 90%, which would otherwise be deemed intruders but were classified as non-intrusive because the particular request being classified was not intrusive. The configuration directives used during this scenario are shown in Figure 7-7. The policy used for the server within the ABACUS framework was more stringent than the server only using system risk. The former used three different risk properties to trigger authentication, but only experienced a 3.9% increase in the number of non-intrusive requests.

The results for this scenario essentially represent the behavior of an authentication mechanism that has an immediate expiration of authentication credentials after authentication and thus re-authenticates for each request. In a simulation involving human users who would be capable of successfully completing authentication, many of the subsequent authentication requests would be eliminated by a longer period before the expiration of the authentication. In such situations where a high percentage of the requests are being authenticated, the server could potentially cut overall response time by bypassing the request for analysis data from the analysis server (which typically dominates the length of the response) and just authenticating each request immediately. This would move the number of non-intrusive and intrusive requests authenticated to 100% when the system risk reaches a sufficient level. However, if the process of authentication requires more time than the request for analysis data it might still be slightly more efficient to eliminate some of the authentication requests; in the end, this is highly dependent on the relative time required for each process.

7.4 Performance Analysis

7.4.1 Performance Testing Methodology

In order to compare the performance of the final version of the Abacus framework against the earlier version and also against a normal Apache web server, each server was stress-tested. This part of the testing relied on a regression testing and benchmarking utility called Siege [75]. The basic aim of this testing was to examine the behavior of each server subject to increasing load. The following parameters were used in the testing process:

- Number of clients: with the use of a wrapper for Siege called Bombard, the user is able to specify an initial number of clients, an increment of how many clients the load should be increased by for each iteration and a total number of iterations, which also limits the maximum number of clients.
- A set of URLs: the same URLs from the scenario testing were used, both normal and intrusive. They were placed in a configuration file and read into memory by the utility when it starts. The clients then randomly request one of the URLs in the file for each request.
- Delay between requests: before each request, the client waits a random number of seconds between 0 and d, where d is the maximum delay between requests specified by the user.

By testing in this way, we hope to draw conclusions on the following: the degree of improvement provided by the third iteration of the Abacus framework over the first, the point at which each of the server types becomes overwhelmed given the hardware constraints, as well as the specific reasons that account for the performance differences.

7.4.2 Performance of Initial Abacus Framework

In Figure 7-8 the time to serve requests on Server 1 is shown as the number of requests increases. For the collection of this data, the simulator was set to generate 3 hours of traffic from 10 different nodes, only one of them executing intrusive requests (scenario one as described above). In part A of the figure the time to serve is shown for all of the requests. In part B, only the time to serve requests from the intruder is shown; this graph has the same linearly increasing pattern that is apparent when looking at the peaks of the graph in part A. In part C of Figure 7-8 the time taken to serve requests from the non-intruder nodes is graphed. The time to serve these requests remained relatively constant throughout the entire simulation, oscillating between zero and one seconds. The reason that the increase only occurred for the intruder node is that when the web server requests risk data on that node, there is a constantly increasing amount of event data to analyze. For the other nodes, there is no such increase of data to analyze and, as a result, requests are served in the same amount of time for the duration of the simulation. This is undesirable, however, and could potentially create a scalability issue in scenarios where there are more nodes with intrusive behavior. In order to ameliorate these performance issues, a caching scheme was devised to facilitate faster generation of risk data.

7.4.3 Performance of Abacus Framework with Recursive Analysis Model

After adapting the analysis model as described in 6.6 to be recursive instead of the previous iterative formulation and modifying the alert server to make the updates for the risk values as new data came in, the performance of the framework was improved significantly. Whereas the first version was not stable with ten concurrent users, the modifications allowed the framework to handle up to 100 concurrent users stably for an indefinite period of time. This demonstrates that the modifications made to the model enable the framework to process incoming requests without noticing an increase in response time for increased amounts of data, which was the problem in the previous version. The graphs in Figures 7-9 and 7-10 summarize the performance of the different aspects of the framework. The web server and analysis server experienced some local spikes based on the short delay between subsequent requests from the stress testing application, but overall maintained a consistent response time. The alert server (see graphs in Figure 7-10) experienced an initial spike in processing time due to provisioning new threads to process the high volume of incoming alerts. Performance stabilized quickly and remained stable throughout the remainder of the simulation.

7.4.4 Performance Comparison for ABACUS Framework and Ordinary Apache Webserver

Results. Figures 7-12 and 7-13 summarize the server response time, concurrency and transaction rate as seen from the client for three different server types: a normal Apache web server, with no integration of risk information; an Apache server integrated with the first version of the analysis framework as discussed above (Abacus Server version one); and an Apache server integrated with the final version of the analysis framework (Abacus Server version two). The range of delay between requests differs between the two figures: in Figure 7-12 all testing threads were configured to delay between 0 and 1 second before initiating another request. In Figure 7-13 the range was between 0 and 10 seconds.

Figure 7-12 indicates that the Abacus Framework version two was able to serve 100 simulated clients with a response time of 5.16 compared to 1.73 seconds for the unmodified Apache web server. At this load the Abacus Framework was maintaining the request frequency without a noticeable increase in processing time during the duration of the test, as demonstrated by Figure 7-9. Figure 7-13, where the delay for the stress testing simulation was between 0 and 10 seconds for subsequent requests, places the maximum number of clients at 210 with a response time of 6.35 before the response time spiked at the next increment of clients. What is consistent in both figures, however, is the transaction rate, or the average number of connections processed per second. With the delay between zero and one, the maximum transaction rate was 18.76 and with the delay between zero and ten, the maximum was 18. A few individual simulations at higher numbers of connecting clients were run and the results are shown in Figure 7-11. These figures, particularly parts B and C, demonstrate that the increasing response time generates more timeouts at higher concurrency, because there is also a higher rate of incoming connections. Part C in particular, where 200 simulated clients were used, shows the effect on response time from a large number of request timeouts.

Discussion. It would be difficult to say that the first version of the framework (before the caching approach) could realistically support any number of users for an extended period of time. As shown in Figure 7-8 part A, the time to serve requests for the first version of the server was increasing even when the number of simulated clients was held constant at ten. The performance determinant for the first version of the framework was the number of requests: increasing the number of simulated clients just caused the number of requests to increase more rapidly. The time to service each request was linear in the number of requests that the server had received up to that point. The caching approach allowed for a constant time to serve each request, but at the expense of data accuracy, where the algorithmic complexity was still the same.

It is likely that the resources of the server machine were exhausted when the tests moved to higher numbers of simulated clients (110 for the higher frequency tests) than the server transaction rate could handle and new connections were still coming in, resulting in queuing. The Apache web server limits the number of forked client processes to 256 by default (this limit is compiled into the software). It appears based on the data that at the failure points, when the response time spikes, the server resources were exhausted before the limit of 256 client processes by the increasing number of forked client processes being created by the Apache server. During testing, this led to incidences where the server machine locked up and required restarting when testing with both the ABACUS framework and with the unmodified Apache server. This is corroborated by the fact that the unmodified Apache web server failed in a similar way, albeit at a higher transaction rate.

A rate limiting mechanism was built into the Abacus Framework v3 whereby once a certain number of requests are queued, the server begins to deny incoming requests until more worker processes become available, to avoid forking too many processes to serve requests. The Apache server access logs during these tests demonstrate that some of the requests for analysis data from the web server access control modules were being denied due to increasing load; at the same time, however, the Apache web server was still accepting and queuing new client connections. In summary, the testing failure of the Abacus Framework was due to the difficulty in controlling server resources: in particular of effectively limiting the incoming client connections in the face of increased concurrency and therefore increased response time per request. A more robust set of testing conditions would likely yield better results.

With that said, the peak transaction rate for the Abacus Framework v3 was still 15.53 transactions per second at a response rate of 5.73 seconds. This roughly equates to 931.8 transactions a minute, 55,908 transactions an hour and 1,341,792 transactions per day. By way of comparison, according to Compete.com [76] web statistics, Facebook.com received 874,806,456 page visits in December 2008 with an average of 62.1 pages accessed per visit for a total of 54,325,480,917.6 page accesses in December, or 1,810,849,363.92 page accesses each day. The UFL.EDU domain and all of its subdomains received 2,385,137 visits in the month of December 2008, with an average of 17.5 pages per visit or 41,739,897.5 page views in that month. This equates to 1,391,329.9 page views per day. Table 7-4 summarizes statistics for three top web sites, while Table 7-5 provides an estimate for the peak performance of the ABACUS framework under current testing conditions. Based on this data, we can conclude that the proposed approach could be implemented in a large, high traffic web site, particularly with dedicated server hardware with increased performance.

The data also demonstrates that failure of a similar nature occurs for the Apache web server in isolation. Because there was a slower growth in response time per request, the Apache server in isolation was able to handle a greater number of client connections before failure, but when the failure happened, it manifested with much the same behavior as was displayed when testing the final version of the Abacus Framework.

Figure 7-14 represents the factor of increase in the response time for the web server in the ABACUS framework compared with the response time of the normal Apache web server. After an initial spike in request time due to provisioning of server resources, the response time increase factor stabilizes at approximately three, meaning that during the majority of the testing period the average request to the ABACUS framework took three times as long to process as a request to a normal Apache web server. The figure also shows a sharp increase at 110 simulated clients, which is where the simulation first recorded a significant number of timeouts for the ABACUS framework, but where the normal Apache web server remained stable. This increase factor is likely a result of the following additional steps taken before a response is generated in the framework: the access control handler generating a request for risk information, the analysis server performing the necessary queries to the event database and formulating a response back to the web server. In addition, while the analysis server and web server were running, some of the system resources were consistently being consumed by the server responsible for receiving and filtering IDS information, which was not running along with the standalone web server.
Figure 7-1. Simulation results from the validation of the analysis model showing risk estimates for the sources detected as intrusive. A) using only concrete vulnerability filtering, B) using concrete vulnerability filtering and configuration verification.

Figure 7-2. Simulation results from the validation of the analysis model showing risk estimates for targets being attacked by intrusive requests. A) using only concrete vulnerability filtering, B) using concrete vulnerability filtering and configuration verification.

Table 7-1. A summary of the simulation results for scenario one, simulating an attack from a single source on multiple system resources.

Property measured            Server 1 (source risk)   Server 2 (system risk)
Total requests               2472                     2472
Total intrusive requests     230                      230
Intrusive requests denied    229                      179
Percentage denied            99.5%                    77.8%
Total normal requests        2242                     2242
Normal requests denied       16                       1751
Percentage denied            0.7%                     78.1%

Figure 7-3. Access control policies for the two servers during scenario one while simulating an attack from a single source on multiple system resources. A) server two, B) server one. The first policy (A) establishes an access handler that uses system level risk data and sets a threshold of 65 for the system risk, beyond which requests will be denied. The second policy (B) establishes an access handler that uses source risk data and sets a threshold of 45 for the source risk, beyond which requests from that source will be denied.

Figure 7-4. The growth of the risk from the intruder in scenario one.

Table 7-2. A summary of the simulation results from scenario two while simulating an attack from multiple sources on a single system resource.

Statistic                    System 1 (target risk)   System 2 (system risk)
Total requests               1023                     1023
Total intrusive requests     320                      320
Intrusive requests blocked   319                      274
Percentage denied            93.5%                    85.6%
Total normal requests        703                      703
Normal requests denied       65                       588
Percentage denied            9.2%                     83.6%

Figure 7-5. Access control policies for the two servers during scenario two while simulating an attack from multiple sources on a single system resource. A) server two, B) server one. The first policy (A) establishes an access handler that uses system level risk data and sets a threshold of 65 for the system risk, beyond which requests will be denied. The second policy (B) establishes an access handler that uses target risk data and sets a threshold of 45 for the target risk, beyond which requests to that target will be denied.

Figure 7-6. The growth of risk for the targeted resource in scenario two.

Table 7-3. A summary of the simulation results from scenario three while simulating an attack from multiple sources on multiple system resources.

Statistic                               Server 1   Server 2
Total requests received                 875        875
Total intrusive requests                437        437
Intrusive requests authenticated        409        252
Percentage authenticated                93.5%      57.7%
Total non-intrusive requests            438        438
Non-intrusive requests authenticated    385        368
Percentage authenticated                87.9%      84%

Figure 7-7. Access control policies for the two servers during scenario three while simulating an attack from multiple sources on multiple system resources. A) server two, B) server one. The first policy (A) establishes an access handler that uses system level risk data and sets a threshold of 65 for the system risk, beyond which requests will be denied. The second policy (B) establishes an access handler that uses three different risk properties to trigger the requirement of authentication. The system risk threshold is 65, the source risk threshold is 33 and the target risk threshold is 45. A time limit for the expiration of a valid authentication is set at 300 seconds using the AuthExpiration property.

Figure 7-8. Statistics for ABACUS framework version 1 during a simulation with ten concurrent users, one of which was an intruder. Graphs show time to serve requests for different breakdowns of the set of requesting users. A) requests from all users, B) requests from the intruder, C) requests from non-intrusive users. These graphs establish that the time to process requests was increasing throughout the simulation and that this was due to the increased time it took to process requests from the intruder, which required more data to be aggregated and analyzed in order to produce a risk assessment.

Figure 7-9. Statistics for ABACUS framework version two. A) time to serve requests for the web server, B) time to serve requests for the analysis server. The graphs correspond to a simulation with 100 concurrent users for the entire duration of the test (10 minute stress test).

Figure 7-10. Statistics for ABACUS framework version two. A) alert processing time, B) alert receiving time. The graphs correspond to a simulation with 100 concurrent users for the entire duration of the test (10 minute stress test).

Figure 7-11. Additional stress test statistics for ABACUS framework version two. A) using 110 concurrent clients, B) using 175 concurrent clients, C) using 200 concurrent clients.

Figure 7-12. Web server comparison using a randomized delay from 0 to 1 second between requests. A) response time, B) concurrency, C) transaction rate.

Figure 7-13. Web server comparison using a randomized delay from 0 to 10 seconds between requests. A) response time, B) concurrency, C) transaction rate.

Table 7-4. Traffic statistics for three top web sites in December 2008.

Domain         Visits/Month     Pages/Visit   Page Views/Month      Page Views/Day
Yahoo.com      2,211,018,102    19.4          42,893,751,178.8      1,429,791,705.96
Facebook.com   874,806,456      62.1          54,325,480,917.6      1,810,849,363.92
Ufl.edu        2,385,137        17.5          41,739,897.5          1,391,329.9

Table 7-5. Estimated peak performance for ABACUS framework with current testing constraints.

Transactions/Sec   Response Rate (sec)   Transactions/Hour   Transactions/Day
15.53              5.73                  55,908              1,341,792

Figure 7-14. Summary of the factor increase in web server response time for the ABACUS framework version two compared to the performance of an unmodified web server.
CHAPTER 8
CONCLUSIONS

The aim of this study was primarily twofold: firstly, to demonstrate a cohesive, general approach to designing and constructing context-aware or adaptive security mechanisms and secondly to demonstrate the application of those principles by designing such a system and demonstrating its feasibility and effectiveness.

8.1 Conclusions Produced By Examination of the General Approach

The design decision was made that the nebulous concept of context awareness was best evidenced by context-aware behavior, or behavior that demonstrates an awareness of changing system state. The process of making a decision aware of context was abstracted into three phases: acquiring that data, analyzing it and applying it in the decision making process.

8.1.1 Data Acquisition

Acquisition was approached as an integration issue, particularly with regard to the integration of security mechanisms that often exhibit high degrees of autonomy, heterogeneity and distribution. The trade-offs between two different integration approaches were discussed at length. While a vertical integration strategy provides a tight and seamless integration, it is also very difficult to extend. The three factors mentioned previously (autonomy, heterogeneity and distribution) are essentially dealt with by merging the distinct mechanisms into one. Horizontal integration presents many challenges and requires the use of individual integration techniques to deal with data, control and process integration. The result, however, is a highly extendable system.

8.1.2 Data Analysis

One of the primary conclusions regarding data analysis was that this phase must produce concrete, quantifiable, actionable data. This conclusion seems intuitive, but contrasts starkly with many of the efforts for analyzing security data, particularly that which comes from intrusion detection systems. One of the primary obstacles preventing data analysis techniques from improving in a structured way was the lack of an explicit framework within which specific assessment properties could be defined precisely. Terms such as threat and risk are used frequently in the literature, but rarely, if ever, given explicit definitions that could distinguish them from related terms. For this reason an ontology of assessment properties was developed that incorporates the most critical security properties with definitions based on industry standards such as CVSS and IDMEF.

8.2 Conclusions On the Implementation and Testing of the Concrete Implementation

8.2.1 Data Quality

One of the critical issues that were confronted during this investigation was the accuracy of the assessment data. Two different filtering techniques were employed in order to increase data accuracy by eliminating false positives. The first was concrete vulnerability filtering, which allowed us to eliminate incoming alerts that did not correspond to a specific, exploitable software vulnerability. This was done by verifying that the alert referenced an entry in the Common Vulnerabilities and Exposures database (CVE). The second technique used to improve the quality of the incoming data was configuration verification. By employing configuration verification, the system only considered alerts that presented a realizable threat to one of the nodes or services being monitored by the framework. This approach involved augmenting the local system vulnerability database with information regarding the affected software for each vulnerability. Simultaneously, a database of local system nodes, the software running on them and version information for each software product is established. By checking that the incoming vulnerability exploitation attempt would actually affect the version of software running on the node, many of the false positives generated during testing were eliminated. These two strategies were key in increasing the quality of incoming data and consequently the accuracy of the attack responses.
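The two alert filters described in Section 7.2 and again in 8.2.1, as an added example that is not the dissertation's code: concrete vulnerability filtering drops alerts that reference no entry in the vulnerability database, and configuration verification drops alerts whose vulnerability does not affect the software version actually installed on the targeted node. The alert batch, the node inventory and the vulnerability table (with placeholder ids, not real CVE numbers) are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    """One IDS alert as received by the alert server (constructed format)."""
    source: str
    target: str
    signature: str
    cve: Optional[str]   # CVE reference carried by the signature, if any


# Constructed vulnerability table: the "concrete vulnerability" database of 7.2,
# augmented with affected software as described in 8.2.1. The ids are
# placeholders, not real CVE entries: id -> (affected product, affected versions).
CVE_DB = {
    "CVE-PLACEHOLDER-0001": ("httpd", {"2.0.52", "2.0.53"}),
    "CVE-PLACEHOLDER-0002": ("openssh", {"4.2", "4.3"}),
}

# Constructed configuration database: node -> {installed product: version}.
NODE_DB = {
    "10.0.0.5":  {"httpd": "2.0.53", "openssh": "5.1"},
    "10.0.0.9":  {"openssh": "4.3"},
    "10.0.0.12": {"httpd": "2.2.11"},
}

# Constructed alert batch: two external probes hitting several nodes, a local
# node tripping non-vulnerability signatures, and a probe against a node that
# does not run the referenced software.
ALERTS = [
    Alert("192.0.2.10", "10.0.0.5",  "httpd_sig_A", "CVE-PLACEHOLDER-0001"),
    Alert("192.0.2.10", "10.0.0.12", "httpd_sig_A", "CVE-PLACEHOLDER-0001"),
    Alert("192.0.2.10", "10.0.0.5",  "sshd_sig_B",  "CVE-PLACEHOLDER-0002"),
    Alert("10.0.0.9",   "10.0.0.5",  "icmp_sweep",  None),
    Alert("10.0.0.9",   "10.0.0.12", "generic_sig", "CVE-PLACEHOLDER-9999"),
    Alert("192.0.2.44", "10.0.0.9",  "sshd_sig_B",  "CVE-PLACEHOLDER-0002"),
    Alert("192.0.2.44", "10.0.0.12", "sshd_sig_B",  "CVE-PLACEHOLDER-0002"),
]


def concrete_vulnerability_check(alert, cve_db):
    """Filter 1: the alert must reference a vulnerability listed in the database."""
    return alert.cve is not None and alert.cve in cve_db


def configuration_check(alert, cve_db, node_db):
    """Filter 2: the referenced vulnerability must affect software that is
    installed, at an affected version, on the targeted node. Returns None when
    the alert passes, otherwise the reason it is discarded."""
    product, affected_versions = cve_db[alert.cve]
    installed = node_db.get(alert.target, {})
    if product not in installed:
        return "software not installed on target"
    if installed[product] not in affected_versions:
        return "installed version not affected"
    return None


def filter_alerts(alerts, cve_db=CVE_DB, node_db=NODE_DB):
    """Apply both filters in sequence. Returns (kept, discarded), where
    discarded is a list of (alert, reason) pairs for auditing the filter."""
    kept, discarded = [], []
    for alert in alerts:
        if not concrete_vulnerability_check(alert, cve_db):
            discarded.append((alert, "no concrete vulnerability"))
            continue
        reason = configuration_check(alert, cve_db, node_db)
        if reason is not None:
            discarded.append((alert, reason))
            continue
        kept.append(alert)
    return kept, discarded


def alerts_per_source(alerts):
    """Count surviving alerts per source; this is the input to the source risk."""
    return Counter(a.source for a in alerts)


if __name__ == "__main__":
    kept, discarded = filter_alerts(ALERTS)
    print("kept per source:", dict(alerts_per_source(kept)))
    print("discarded:", Counter(reason for _, reason in discarded))
```

Keeping the discard reasons makes the false-positive reduction auditable: the local node 10.0.0.9, which would otherwise have been rated as suspicious, disappears from the per-source counts entirely.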
8.2.2 Changes From the General Approach to the Concrete Implementation

Extensive testing and multiple iterations of the Abacus framework led to the conclusion that although the process of context-aware decision making may be abstracted into three processes, the instantiation of those processes into actual software modules may require some adaptation. The best performance was achieved with an implementation that virtually joined the acquisition and analysis phases, such that all of the analysis tasks were performed as new data was acquired. The initial strategy of generating the analysis data when it was requested by the client proved to be prohibitively slow given the amount of data being generated in the system. This strategy, however, was only feasible because the system was event based (essentially, that the data was discrete and not continuous). For systems where there are no such events to trigger the analysis tasks it will still be necessary to collect the data and perform the analysis tasks when the information is requested, although in these cases there will be no such time penalty for analyzing multiple events. The only other situation to favor the on-demand analysis would be where most of the incoming data proved to be irrelevant to the final analysis and thus paying the time penalty for analyzing each event would prove unreasonable.

Another key question that needed to be answered was how to design an attack response that was tempered and still effective. We chose to use a strategy of restricting access permissions as the response to likely intrusive behavior. This response was in concert with the application domain being investigated and it was also less invasive than other response techniques in the literature that involve taking action against the suspected intruder. A risk assessment was synthesized from the provided data on vulnerability exploitation attempts in order to provide a quantifiable measurement of the changing state of system entities in relation to their prospect of being attacked. Because the risk assessments were calculated for individual system entities, the assessment data also allowed for more granular responses.

8.2.3 Effectiveness and Performance

One of the important conclusions we can draw from the testing data for the proposed approach is the feasibility of adaptive security mechanisms. The actual results of the attack simulations showed a marked improvement for the ratio of intrusive requests that were denied using the risk assessments. In the scenario that simulated an attacker performing vulnerability probing against the web server, 99% of the intrusive requests were denied, while only 0.7% of the normal requests were denied. In the case of multiple intruders for one target attack, the framework denied 93.5% of the intrusive requests while only denying 9.2% of the non-intrusive requests. Even in the scenario of multiple intruders on multiple resources, where authentication was employed as a response, more intrusive requests were authenticated than non-intrusive ones (93.5% to 87.9%, respectively), leading to a more efficient use of resources over the approach of authenticating all requests in situations of elevated risk.

The performance of the framework was another aspect of the approach that needed to be demonstrated and validated. The testing results showed that the framework, given limited server resources, was able to receive and process requests at a rate of over 1.3 million per day, exceeding the processing requirements for many high traffic domains and web sites.

8.3 Future Work

The area of designing adaptive security mechanisms is very broad and there remains a significant amount of work to provide systems with such capabilities that are suitable for use by industry and the general public. The system for acquiring context data could be extended to include a greater variety of sensors. Other types of correlation besides matching values could also be incorporated into the acquisition approach to enable assessments that are more predictive.

A reasoning engine based on the proposed assessment ontology could be added to the analysis server to make all of the different types of assessments available at the application phase. This, however, would also demand that a wide variety of sensors are integrated in the acquisition phase so that the necessary inputs are present.

The various servers (alert and analysis) could be relocated to independent multi-core machines to investigate the impact of greater parallelism on expanding the capabilities for the handling of context information. Additional measures to secure the data transmissions between security components could also be added.
REFERENCES

[1] CERT Coordination Center, Overview of attack trends, 2002.
[2] IBM Global Technology Services, IBM Internet Security Systems X-Force 2007 Trend Statistics, tech. rep., Internet Security Systems - IBM Global Technology Services, 2007.
[3] E. Bertino and L. D. Martino, A service-oriented approach to security - concepts and issues, in ISADS '07: Proceedings of the Eighth International Symposium on Autonomous Decentralized Systems, Washington, DC, USA, pp. 7, IEEE Computer Society, 2007.
[4] R. Sandhu and P. Samarati, Authentication, access control, and audit, ACM Comput. Surv., vol. 28, pp. 241, 1996.
[5] S. Axelsson, The base-rate fallacy and the difficulty of intrusion detection, ACM Transactions on Information and System Security (TISSEC), vol. 3, pp. 186, 2000.
[6] C. Abad, J. Taylor, C. Sengul, W. Yurcik, Y. Zhou, and K. Rowe, Log correlation for intrusion detection: a proof of concept, Computer Security Applications Conference, 2003. Proceedings. 19th Annual, pp. 255, 2003.
[7] N. Carey, A. Clark, and G. Mohay, IDS Interoperability and Correlation Using IDMEF and Commodity Systems, pp. 252, 2002.
[8] F. Cuppens and A. Miege, Alert correlation in a cooperative intrusion detection framework, Security and Privacy, 2002. Proceedings. 2002 IEEE Symposium on, pp. 202, 2002.
[9] H. Debar and A. Wespi, Aggregation and correlation of intrusion-detection alerts, RAID '00: Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection, pp. 85, 2001.
[10] B. Morin, L. Mé, H. Debar, and M. Ducassé, M2D2: A Formal Data Model for IDS Alert Correlation, vol. Recent Advances in Intrusion Detection of Lecture Notes in Computer Science. Springer Berlin/Heidelberg, October 2002.
[11] P. Ning, Y. Cui, and D. S. Reeves, Analyzing Intensive Intrusion Alerts via Correlation, vol. Proceedings of Recent Advances in Intrusion Detection: 5th International Symposium, RAID 2002, Zurich, Switzerland, October 16-18, 2002, pp. 74, 2002.
[12] P. A. Porras, M. W. Fong, and A. Valdes, A Mission-Impact-Based Approach to INFOSEC Alarm Correlation, pp. 95, 2002.
[13] V. Yegneswaran, P. Barford, and S. Jha, Global intrusion detection in the DOMINO overlay system, in Proceedings of Network and Distributed System Security Symposium (NDSS), 2004.
[14] Symantec, DeepSight threat management system. https://tms.symantec.com/, 2008.
[15] MyNetWatchman, http://mynetwatchman.com/, 2008.
[16] DShield, http://www.dshield.org, 2008.
[17] K. Henricksen, J. Indulska, and A. Rakotonirainy, Modeling Context Information in Pervasive Computing Systems, pp. 79, 2002.
[18] T. Gu, H. K. Pung, and D. Q. Zhang, A service-oriented middleware for building context-aware services, Journal of Network and Computer Applications, vol. 28, pp. 1, 2005.
[19] Context, The American Heritage Dictionary of the English Language, Fourth Edition, Feb 2009. http://dictionary.reference.com/browse/context.
[20] Context, Merriam-Webster Online Dictionary, Feb 2009. http://www.merriam-webster.com/dictionary/context.
[21] A. K. Dey, Understanding and using context, Personal Ubiquitous Comput., vol. 5, pp. 4, 2001.
[22] P. Brezillon, G. K. Mostefaoui, and J. Pasquier-Rocha, Context-aware computing: A guide for the pervasive computing community, Pervasive Services, 2004. ICPS 2004. IEEE/ACS International Conference on, 2004.
[23] T. Strang and C. Linnhoff-Popien, A context modeling survey, in Workshop on Advanced Context Modelling, Reasoning and Management as part of UbiComp 2004 - The Sixth International Conference on Ubiquitous Computing, Nottingham, England, 2004.
[24] R. A. Kemmerer and G. Vigna, Intrusion detection: A brief history and overview (supplement to Computer magazine), Computer, vol. 35, pp. 27, 2002.
[25] W. Hasselbring, Information system integration, Communications of the ACM, vol. 43, pp. 32, 2000.
[26] V. Stavridou, Integration in software intensive systems, Journal of Systems and Software, vol. 48, pp. 91, 1999.
[27] M. K. Perry, Vertical integration: Determinants and effects, in Handbook of Industrial Organization (R. Schmalensee and R. Willig, eds.), vol. 1, ch. 4, pp. 183-255, Elsevier, July 1989.
[28] V. N. L. Franqueira, Access control from an intrusion detection perspective, Technical Report TR-CTIT-06-10, Center for Telematics and Information Technology, University of Twente, February 2006.
[29] T. Ryutov and C. Neuman, The specification and enforcement of advanced security policies, Policies for Distributed Systems and Networks, 2002. Proceedings. Third International Workshop on, pp. 128, 2002.
[30] T. Ryutov, C. Neuman, K. Dongho, and Z. Li, Integrated access control and intrusion detection for web servers, Parallel and Distributed Systems, IEEE Transactions on, vol. 14, pp. 841, 2003.
[31] T. Ryutov, C. Neuman, and D. Kim, Dynamic authorization and intrusion response in distributed systems, DARPA Information Survivability Conference and Exposition, 2003. Proceedings, vol. 1, pp. 50 vol. 1, 2003.
[32] C.-Y. Tseng, P. Balasubramanyam, C. Ko, R. Limprasittiporn, J. Rowe, and K. Levitt, A specification-based intrusion detection system for AODV. ACM Press, 2003. 986876 125-134.
[33] P. Uppuluri and R. Sekar, Experiences with Specification-Based Intrusion Detection, p. 172, 2001.
[34] J. Garcia, F. Autrel, J. Borrell, S. Castillo, F. Cuppens, and G. Navarro, Decentralized Publish-Subscribe System to Prevent Coordinated Attacks via Alert Correlation, pp. 223, 2004.
[35] R. Bhatti, E. Bertino, and A. Ghafoor, A trust-based context-aware access control model for web-services, Web Services, 2004. Proceedings. IEEE International Conference on, pp. 184, 2004.
[36] N. Dimmock, A. Belokosztolszki, D. Eyers, J. Bacon, and K. Moody, Using trust and risk in role-based access control policies, SACMAT '04: Proceedings of the ninth ACM symposium on Access control models and technologies, pp. 156, 2004.
[37] N. Dimmock, How much is "enough"? Risk in trust-based access control, WETICE '03: Proceedings of the Twelfth International Workshop on Enabling Technologies, p. 281, 2003.
[38] L. Teo, G.-J. Ahn, and Y. Zheng, Dynamic and risk-aware network access management, SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologies, pp. 217, 2003.
[39] N. Stakhanova, S. Basu, and J. Wong, A taxonomy of intrusion response systems, Int. J. Inf. Comput. Secur., vol. 1, no. 1/2, pp. 169, 2007.
[40] S. Manganaris, M. Christensen, D. Zerkle, and K. Hermiz, A data mining analysis of RTID alarms, Computer Networks, vol. 34, pp. 571, October 2000.
[41] J. Wang, B. Jin, and J. Li, An ontology-based publish/subscribe system. Springer-Verlag New York, Inc., 2004. 1045676 232-253.
PAGE 138
[42]H.Wache,V.Ogele,T.Visser,U.Stuckenschmidt,H.Schuster,G.Neumann, andH.Ubner,Ontology-basedintegrationofinformation-asurveyofexisting approaches,Seattle,WA,pp.108,2001. [43]H.Debar,D.A.Curry,andB.S.Feinstein,Theintrusiondetectionmessageexchangeformatidmef,2007.RequestForCommentsExperimental. [44]SunMicrosystems,Xacmlimplementation,AccessedNovember2007. http://sunxacml.sourceforge.net/. [45]R.S.Sandhu,E.J.Coyne,H.L.Feinstein,andC.E.Youman,Role-basedaccess controlmodels, Computer ,vol.29,pp.38,1996. [46]R.S.SandhuandP.Samarati,Accesscontrol:Principlesandpractice, IEEE CommunicationsMagazine ,vol.32,pp.40,1994. [47]R.Heady,G.Luger,A.Maccabe,andM.Servilla,Thearchitectureofanetwork levelintrusiondetectionsystem,Aug.1990. [48]E.Fisch, IntrusionDamageControlandAssessment:ATaxonomyandImplementationofAutomatedResponsestoIntrusiveBehavior .PhDthesis,TexasA&M University,1996. [49]C.Carver,Jr.andU.Pooch,Anintrusionresponsetaxonomyanditsrolein automaticintrusionresponse, IEEEWorkshoponInformationAssuranceand Security ,2000. [50]H.Debar,D.Curry,andB.Feinstein, TheIntrusionDetectionMessageExchange FormatIDMEF .No.4765inRequestforComments,IETF,Mar.2007. [51]F.Cuppens,Managingalertsinamulti-intrusiondetectionenvironment, Computer SecurityApplicationsConference,2001.ACSAC2001.Proceedings17thAnnual pp.22,2001. [52]F.Valeur,G.Vigna,C.Kruegel,andR.A.Kemmerer,Acomprehensiveapproachto intrusiondetectionalertcorrelation, IEEETransactionsonDependableandSecure Computing ,vol.01,pp.146,2004. [53]G.Giacinto,R.Perdisci,andF.Roli,Alarmclusteringforintrusiondetection systemsincomputernetworks, MachineLearningandDataMininginPattern Recognition ,pp.184,2005. [54]S.Staniford,J.A.Hoagland,andJ.M.McAlerney,Practicalautomateddetectionof stealthyportscans, JournalofComputerSecurity ,vol.10,pp.105,2002. [55]P.Ning,Y.Cui,D.S.Reeves,andD.Xu,Techniquesandtoolsforanalyzing intrusionalerts, ACMTrans.Inf.Syst.Secur. ,vol.7,pp.274,2004. 138
PAGE 139
[56]D.XuandP.Ning,Alertcorrelationthroughtriggeringeventsandcommonresources,in 20thAnnualComputerSecurityApplicationsConference,2004 ,pp.360 369,2004. [57]P.Ning,D.Reeves,andY.Cui,Correlatingalertsusingprerequisitesofintrusions, Dec.2001. [58]B.MorinandH.Debar, CorrelationofIntrusionSymptoms:AnApplicationof Chronicles ,vol.RecentAdvancesinIntrusionDetection,pp.94.2003. [59]S.Godik,T.Moses,andetal,Extensibleaccesscontrolmarkuplanguagexacml version2.0.OASISStandard,February2005. [60]D.J.Weber, Ataxonomyofcomputerintrusions .PhDthesis,MassachusettsInstitute ofTechnology.,1998. [61]C.AlbertsandA.Dorofee,Octavecriteria,version2.0,Dec.2001. [62]F.SwiderskiandW.Snyder, ThreatModeling .Redmond,Wash:MicrosoftPress, 2004. [63]P.Mell,K.Scarfone,andS.Romanosky,Acompleteguidetothecommonvulnerabilityscoringsystemversion2.0.http://www.rst.org/cvss/cvss-guide.pdf,June 2007. [64]L.Viljanen, Trust,PrivacyandSecurityinDigitalBusiness ,vol.Volume3592/2005 of LectureNotesinComputerScience ,ch.TowardsanOntologyofTrust,pp.175 184.SpringerBerlin/Heidelberg,August312005. [65]D.J.Essin,Patternsoftrustandpolicy,in Proceedingsofthe1997NewSecurity ParadigmsWorkshop ,ACMPress,1997. [66]A.Avizienis,J.Laprie,B.Randell,andC.C.Landwehr,Basicconceptsandtaxonomyofdependableandsecurecomputing, IEEETransactionsonDependableand SecureComputing ,vol.1,pp.11,Jan.-March2004. [67]T.Ryutov,C.Neuman,D.Kim,andL.Zhou,Integratedaccesscontrolandintrusion detectionforwebservers, DistributedComputingSystems,2003.Proceedings.23rd InternationalConferenceon ,pp.394,2003. [68]C.A.Carver, AdaptiveAgent-BasedIntrusionResponse .PhDthesis,TexasA&M UniversityatCollegeStation,May2001. [69]M.Ahmed,E.Al-Shaer,andL.Khan,Anovelquantitativeapproachformeasuring networksecurity, INFOCOM2008.The27thConferenceonComputerCommunications.IEEE ,pp.1957,April2008. 139
PAGE 140
[70]MITLincolnLaboratory,2000DARPAIntrusionDetectionScenarioSpecicDataSets.,http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/2000data.html,AccessedSeptember2008. [71]A.HessandN.Karowski,Automatedprotectionofend-systemsagainstknown attacks,in ProceedingsofIEEE/ISTWorkshoponMonitoring,AttackDetectionand Mitigation ,Tuebingen,Germany,2006. [72]CommonVulnerabilitiesandExposures,CommonVulnerabilitiesandExposures List.http://cve.mitre.org/,AccessedSeptember2008. [73]C.KruegelandW.Robertson,Alertverication:Determiningthesuccessofintrusionattempts,in 1stWorkshopontheDetectionofIntrusionsandMalwareand VulnerabilityAssessmentDIMVA2004 ,July2004. [74]U.ShankarandV.Paxson,Activemapping:Resistingnidsevasionwithoutaltering trac,in SP'03:Proceedingsofthe2003IEEESymposiumonSecurityandPrivacy Washington,DC,USA,p.44,IEEEComputerSociety,2003. [75]JoeDogSoftware,Siege.http://www.joedog.org/index/siege-home,November2008. [76]Compete.com.http://www.compete.com,February2009. 140
PAGE 141
BIOGRAPHICAL SKETCH

Hassan Rasheed was born in 1981 in Florida to Howard and Barbara Rasheed. He graduated from King High School in Tampa, Florida in 2000. In 2004, he earned a Bachelor of Science degree in computer engineering from the University of Florida. After completing his bachelor's degree, he began working on his Doctor of Philosophy in computer engineering at the University of Florida. His graduate studies focused on distributed systems, information security and the design and implementation of context-aware systems.