A Probabilistic Approach to Autonomic Security Management
Stefano Iannucci
Distributed Analytics and Security Institute
Mississippi State University
Starkville, Mississippi
Sherif Abdelwahed
Department of Electrical and Computer Engineering
Mississippi State University
Starkville, Mississippi
2016 IEEE International Conference on Autonomic Computing
Summarized by Pranav Veldurthy
Presentation Summary
• Introduction
• System Overview
• Contributions and Organization
• System Model
  • States Characterization
  • Reward Function
  • Response Actions
  • Termination Function
• Performance Evaluation
  • Experimental Results
  • Vulnerabilities
  • Snort Configuration
  • Simulation of Controller Behavior
• Conclusion and Future Work
Introduction
• Attack frequency more than doubled compared to the previous year.
• Intrusion Detection Systems (IDS): the number and complexity of alerts make manual handling hard, and an attack that succeeds causes sustained damage.
• Intrusion Response Systems (IRS) in the literature follow one of two approaches:
  • static mapping from the detected attack to a countermeasure;
  • dynamic evaluation of the available response actions against pre-defined attributes.
• Markov Decision Process (MDP): used here to compose response policies out of atomic response actions.
System Overview
• An autonomic system is split into two parts:
  • Controller: implements the self-management algorithm.
  • Controlled subsystem: implements the domain functionality.
• The controller follows the MAPE-K loop (Monitor, Analyze, Plan, Execute, over a shared Knowledge base).
Contributions and Organization
• Design, realization and evaluation of an MDP-based controller.
• Adopting long-term response policies can be more effective than single response actions.
• Result: threat resolution time reduced by up to 56%.
* The design and realization of the IDS event manager, and the controller's learning of the system behaviour, are OUT OF THE SCOPE of the present work.
System Model
• The controlled system is modelled as a Markov Decision Process, where:
  • S = finite set of states;
  • A = finite set of actions;
  • S_tgt = set of target states;
  • a reward function;
  • γ = discount factor.
• Aim: compute an optimal policy π, i.e. the mapping from states to actions that maximizes the expected discounted reward.
States Characterization
• A state is described by 7 attack probabilities and 11 system attributes.
• Attack probabilities, one per considered attack: P_scan, P_vsftpd, P_smbd, P_phpcgi, P_ircd, P_distccd, P_rmi.
• System attributes:
  • firewall ∈ {true, false}
  • {blocked_ips}
  • {flowlimit_ips}
  • alert ∈ {true, false}
  • {honeypot_ips}
  • logVerb ∈ {0, 1, 2, 3, 4, 5}
  • active ∈ {true, false}
  • quarantined ∈ {true, false}
  • rebooted ∈ {true, false}
  • backup ∈ {true, false}
  • updated ∈ {true, false}
Reward Function
• The reward function is expressed as a penalty score, which the controller minimizes.
• Each response action x is evaluated by three quantities:
  • Response time R(x) ∈ ℝ
  • Cost C(x) ∈ ℝ
  • Impact index I(x) ∈ [0, 1]
• Reward function: combines R(x), C(x) and I(x) into a single penalty.
Response Actions
• To avoid potentially disruptive response actions, two thresholds T1 and T2 on the attack probability p split the response into four stages:
  • p < T1
  • T1 < p < T2
  • T2 < p < 1
  • p = 1
Response Actions (continued)
• Firewall activation
• Block source IP (badIP)
• Flow rate limit (badIP)
• Close network connection
Termination Function
• The termination function T for the set of target states S_tgt is defined as T : S → {true, false}.
• The controller terminates when the system reaches a control anomaly state (S_ano) or a fully clean system state (S_clean):
  • S_ano: control anomaly states
  • S_clean: fully clean system states
  • S_tgt = S_ano ∪ S_clean
Performance Evaluation
• The Value Iteration (VI) algorithm is compared with the sub-optimal rollout-based Monte-Carlo algorithm UCT (Upper Confidence bounds applied to Trees).
• The planning time of VI with discount factor γ = 0.9 is compared with that of UCT.
• The rewards obtained by VI are close to -10, since VI always selects the best response action.
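The following is an added worked example, not code from the paper or the slides: a reduced version of the portscan scenario modelled as an MDP and solved with value iteration, the algorithm the slides evaluate. The state keeps only three boolean attributes (active threat, firewall on, source IP blocked); the four actions, their R/C/I numbers, the penalty formula R + C + I, the 90% success rate of blocking the source and the choice of S_clean as the only target set (S_ano is left out) are all assumptions made for illustration, since the slides give the three criteria and γ = 0.9 but not the values or the formula.

```python
"""Reduced intrusion-response MDP for the portscan scenario, solved with value
iteration.  Added example; the action costs, penalty formula, transition
probabilities and target set are assumptions, not the paper's values."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple

# State = (threat_active, firewall_on, src_ip_blocked); 8 states in total.
State = Tuple[bool, bool, bool]


@dataclass(frozen=True)
class Action:
    name: str
    response_time: float  # R(x): seconds the action needs to complete
    cost: float           # C(x): operational cost, arbitrary units
    impact: float         # I(x) in [0, 1]: disruption to legitimate users


# Assumed numbers: the slides name the three criteria but give no values.
ACTIONS: Dict[str, Action] = {a.name: a for a in (
    Action("activateFirewall", 2.0, 1.0, 0.1),
    Action("blockSrcIP", 1.0, 0.5, 0.2),
    Action("unblockSrcIP", 1.0, 0.5, 0.0),
    Action("systemReboot", 60.0, 5.0, 1.0),  # always resolves the threat, very disruptive
)}
GAMMA = 0.9          # discount factor used in the slides' experiments
BLOCK_SUCCESS = 0.9  # assumed: blocking the source stops the scan 90% of the time


def penalty(action: Action) -> float:
    """Assumed reward function: the penalty R + C + I that the controller minimizes."""
    return action.response_time + action.cost + action.impact


def is_target(s: State) -> bool:
    """S_clean: no active threat and no lingering block (S_ano is not modelled here)."""
    threat, _firewall, blocked = s
    return not threat and not blocked


def transitions(s: State, a: Action) -> List[Tuple[float, State]]:
    """Successor distribution [(probability, state)], or [] if a is not applicable in s."""
    threat, firewall, blocked = s
    if a.name == "activateFirewall" and not firewall:
        return [(1.0, (threat, True, blocked))]
    if a.name == "blockSrcIP" and firewall and not blocked:
        return [(BLOCK_SUCCESS, (False, firewall, True)),
                (1.0 - BLOCK_SUCCESS, (True, firewall, True))]
    if a.name == "unblockSrcIP" and blocked:
        return [(1.0, (threat, firewall, False))]
    if a.name == "systemReboot" and threat:
        return [(1.0, (False, firewall, blocked))]
    return []


def q_value(V: Dict[State, float], s: State, a: Action) -> float:
    """One-step lookahead: immediate penalty plus discounted expected value of the successor."""
    return -penalty(a) + GAMMA * sum(p * V[s2] for p, s2 in transitions(s, a))


def value_iteration(eps: float = 1e-9):
    """Return (V, policy); V converges because gamma < 1 and target states are absorbing."""
    states: List[State] = [tuple(bits) for bits in product((False, True), repeat=3)]
    V: Dict[State, float] = {s: 0.0 for s in states}
    while True:
        delta = 0.0
        for s in states:
            if is_target(s):
                continue                      # absorbing: value 0, no further penalties
            options = [a for a in ACTIONS.values() if transitions(s, a)]
            if not options:
                continue                      # dead end (none exist in this model)
            best = max(q_value(V, s, a) for a in options)
            delta = max(delta, abs(best - V[s]))
            V[s] = best
        if delta < eps:
            break
    policy: Dict[State, str] = {}
    for s in states:
        options = [a for a in ACTIONS.values() if transitions(s, a)]
        if not is_target(s) and options:
            policy[s] = max(options, key=lambda a: q_value(V, s, a)).name
    return V, policy


def rollout(policy: Dict[State, str], s0: State, max_steps: int = 10) -> List[str]:
    """Follow the policy along the most probable successor until a target state is reached."""
    plan: List[str] = []
    s = s0
    while not is_target(s) and len(plan) < max_steps:
        a = ACTIONS[policy[s]]
        plan.append(a.name)
        s = max(transitions(s, a), key=lambda ps: ps[0])[1]
    return plan


if __name__ == "__main__":
    V, pi = value_iteration()
    start: State = (True, False, False)       # scan under way, no defences active
    print("plan:", " -> ".join(rollout(pi, start)))
    print("expected discounted penalty: %.3f" % -V[start])
    print("single-action baseline (systemReboot): %.3f" % penalty(ACTIONS["systemReboot"]))
```

Run stand-alone, it prints the plan activateFirewall, blockSrcIP, unblockSrcIP, the same preparation/response/conclusion shape as the policies in the simulation slides, with an expected discounted penalty of about 6.1 against 66 for the single disruptive action systemReboot; that gap is the paper's argument for long-term policies over single response actions. Because blockSrcIP is stochastic, the policy also covers the failure branch (block in place, scan still active), where it unblocks and retries rather than rebooting.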
Experimental Results
Vulnerabilities
Only a selection of vulnerabilities is considered: the exploited software is the freely downloadable Metasploitable VM.
• OSVDB-73753: vsftpd 2.3.4 trojaned distribution; a login whose username contains ":)" opens a backdoor shell on TCP port 6200.
• CVE-2007-2447: Samba "username map script" option; attackers execute arbitrary commands via shell metacharacters in the username.
• CVE-2012-1823: PHP run as CGI is vulnerable to argument injection: a query string containing no "=" is split on the "+" character and the parts are passed as command-line arguments to the CGI binary.
• CVE-2010-2075: UnrealIRCd 3.2.8.1 as distributed contained a backdoor (the DEBUG3_DOLOG_SYSTEM macro) that allows remote attackers to execute arbitrary commands.
• CVE-2004-2687: distcc 2.x executes compilation jobs sent to the server without authorization checks, allowing arbitrary command execution.
• CVE-2011-3556: Java RMI Registry and RMI Activation services load classes from a remote URL, allowing remote code execution.
Snort Configuration
• Snort detects malicious traffic but cannot stop it by itself.
• Three rule sets:
  • Community rules: publicly available.
  • Registered rules: free with registration.
  • Subscriber rules: Cisco subscription plan.
• CVE-2012-2335 was detected by the rule sets.
• Wireshark was used to find characteristic signatures for the exploits.
• OSVDB-73753 exploit analysis: the ":)" sequence in the username is the signature, so every login containing it raises a suspicious-login alert.
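An added example of the signature just described, not code from the paper or the slides: a small Snort-style check that flags an FTP USER command containing the ":)" trigger and then raises a second, higher-confidence alert when the same source host connects to TCP port 6200, where the trojaned vsftpd opens its shell (a known property of that build; the slide mentions only the trigger). The sample packets are constructed, and the rule SIDs are local numbers chosen here.

```python
"""Snort-style signature and correlation check for the vsftpd 2.3.4 backdoor
(OSVDB-73753).  Added example, not from the paper; the sample packets are
constructed and the rule SIDs are local numbers chosen here."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

FTP_PORT = 21
BACKDOOR_PORT = 6200      # the trojaned vsftpd opens its shell here
TRIGGER = b":)"           # any username containing this sequence arms the backdoor


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    src: str
    dst: str


def ftp_user_arg(payload: bytes) -> Optional[bytes]:
    """Return the argument of an FTP USER command (first line only), or None."""
    line = payload.split(b"\r\n", 1)[0]
    if line[:5].upper() != b"USER ":
        return None
    return line[5:]


@dataclass
class BackdoorDetector:
    """Stateful check: the trigger alone is suspicious; a follow-up connection to
    port 6200 from the same host means the exploit worked."""
    armed_sources: Set[str] = field(default_factory=set)

    def inspect(self, pkt: Packet) -> List[Alert]:
        alerts: List[Alert] = []
        if pkt.dport == FTP_PORT:
            user = ftp_user_arg(pkt.payload)
            if user is not None and TRIGGER in user:
                self.armed_sources.add(pkt.src)
                alerts.append(Alert(1000001, "vsftpd 2.3.4 backdoor trigger in FTP USER",
                                    pkt.src, pkt.dst))
        elif pkt.dport == BACKDOOR_PORT and pkt.src in self.armed_sources:
            alerts.append(Alert(1000002, "connection to vsftpd backdoor shell after trigger",
                                pkt.src, pkt.dst))
        return alerts


def scan(packets: List[Packet]) -> List[Alert]:
    """Run the detector over a packet sequence and collect the alerts in order."""
    det = BackdoorDetector()
    alerts: List[Alert] = []
    for pkt in packets:
        alerts.extend(det.inspect(pkt))
    return alerts


# Constructed sample traffic: one normal login, one exploit, one unrelated probe.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.20", FTP_PORT, b"USER alice\r\n"),
    Packet("10.0.0.5", "10.0.0.20", FTP_PORT, b"PASS s3cret\r\n"),
    Packet("10.0.0.9", "10.0.0.20", FTP_PORT, b"USER happy:)\r\n"),   # trigger
    Packet("10.0.0.9", "10.0.0.20", FTP_PORT, b"PASS anything\r\n"),
    Packet("10.0.0.9", "10.0.0.20", BACKDOOR_PORT, b"id\n"),           # uses the shell
    Packet("10.0.0.7", "10.0.0.20", BACKDOOR_PORT),                    # port probe, no trigger
]

if __name__ == "__main__":
    for a in scan(SAMPLE_PACKETS):
        print(f"[{a.sid}] {a.src} -> {a.dst}: {a.msg}")
```

The check is per packet, so a trigger split across two TCP segments would be missed here; Snort inspects the reassembled stream, which is why its content rules do not have that gap. The probe from 10.0.0.7 to port 6200 raises nothing because no trigger preceded it, which is the point of correlating the two events instead of alerting on every connection to that port.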
Simulation of Controller Behavior
• Three scenarios are simulated, each run 1000 times with the VI algorithm.
• Portscan attack:
  • Optimizing response time with discount factor γ = 0.9 yields 14 equivalent policies, such as: generateAlert, increaseLogVerb, increaseLogVerb, increaseLogVerb, increaseLogVerb, increaseLogVerb, activateFirewall, blockSrcIP, unblockSrcIP, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb.
  • The policy splits into three phases: i) preparation, ii) response, iii) conclusion.
Simulation of Controller Behavior
• Vulnerability exploit:
  • Optimizing response time with discount factor γ = 0.9 yields 15 equivalent policies, such as: increaseLogVerb, generateAlert, activateFirewall, increaseLogVerb, increaseLogVerb, increaseLogVerb, increaseLogVerb, systemReboot, backup, softwareUpdate, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb.
  • The policy splits into five phases: i) first preparation, ii) first response attempt, iii) second preparation, iv) second response attempt, v) conclusion.
Simulation of Controller Behavior
• Combined scenario (portscan and vulnerability exploit):
  • Optimizing response time with discount factor γ = 0.9 yields 17 equivalent policies, such as: generateAlert, increaseLogVerb, activateFirewall, increaseLogVerb, blockSrcIP, increaseLogVerb, increaseLogVerb, increaseLogVerb, systemReboot, backup, softwareUpdate, unblockSrcIP, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb.
  • The policy splits into seven phases: i) first preparation, ii) first response attempt, iii) second preparation, iv) second response attempt, v) third preparation, vi) third response attempt, vii) conclusion.
Conclusions and Future Work
• During the last decade many IRSs have been proposed to face the increasing frequency and complexity of attacks.
• All of them, however, consider either a static mapping from the detected attack to the best response action, or a dynamic evaluation of the available response actions according to a set of pre-defined attributes.
• This paper introduced an MDP-based controller that performs long-term planning by exploiting the concept of system state, which decouples the attack from the response.
• Experimental results show that long-term planned policies outperform short-term ones, reducing threat resolution time by up to 56% in the considered scenario.
• Future work: a meta-model defining standard components and connections that system administrators can use to visually design a model of their own system.
• Such a meta-model will enable standard attack and response libraries that, integrated with the personalized system model, let the IRS produce response policies tailored to the specific system.