ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network...
Transcript of ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network...
![Page 1: ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network Security Design Synthesis Mohammad Ashiqur Rahman and Ehab Al-Shaer CyberDNA Research](https://reader033.fdocuments.in/reader033/viewer/2022052722/5f0cea3a7e708231d437c269/html5/thumbnails/1.jpg)
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
ConfigSynth: A Formal Framework for Network Security Design Synthesis
Mohammad Ashiqur Rahman and Ehab Al-Shaer
CyberDNA Research Center, UNC Charlotte
![Page 2: ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network Security Design Synthesis Mohammad Ashiqur Rahman and Ehab Al-Shaer CyberDNA Research](https://reader033.fdocuments.in/reader033/viewer/2022052722/5f0cea3a7e708231d437c269/html5/thumbnails/2.jpg)
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
Motivation • Complexity of Security Configuration is a major source of network
vulnerability: – “inappropriate or incorrect security configurations were responsible for
80% of United States Air Force vulnerabilities.”, Center for Strategic and International Studies Report on "Securing Cyberspace for the 44th Presidency“, December 2008.
– “human error is blamed for 50 to 80% of network outages.” , Juniper Networks Report, May 2008
– “the human factor” themselves cause more than 30% of network outages, “a major concern for carriers and causes big revenue-loss.” , British Telecom 2009
• Lack of security design analytics and automation tools
![Page 3: ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network Security Design Synthesis Mohammad Ashiqur Rahman and Ehab Al-Shaer CyberDNA Research](https://reader033.fdocuments.in/reader033/viewer/2022052722/5f0cea3a7e708231d437c269/html5/thumbnails/3.jpg)
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
Security Design Automation Problem
Automating the design synthesis of security configurations by determining security countermeasures along with device placements that reduces risk (attack surface) while satisfying different constraints: – Security requirements – Business (Usability and Cost) constraints – Mission objective (Connectivity requirements)
![Page 4: ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network Security Design Synthesis Mohammad Ashiqur Rahman and Ehab Al-Shaer CyberDNA Research](https://reader033.fdocuments.in/reader033/viewer/2022052722/5f0cea3a7e708231d437c269/html5/thumbnails/4.jpg)
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
Challenge: 1 – Contention between the security and
usability constraints. – Lack of metrics to measure these factors. – Budget constraints. – Security architecture should consider large-scale networks.
![Page 5: ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network Security Design Synthesis Mohammad Ashiqur Rahman and Ehab Al-Shaer CyberDNA Research](https://reader033.fdocuments.in/reader033/viewer/2022052722/5f0cea3a7e708231d437c269/html5/thumbnails/5.jpg)
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
Challenges: 2 – Contention between the security and usability constraints.
– Lack of metrics to measure these factors. – Budget constraints. – Security architecture should consider large-scale networks.
![Page 6: ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network Security Design Synthesis Mohammad Ashiqur Rahman and Ehab Al-Shaer CyberDNA Research](https://reader033.fdocuments.in/reader033/viewer/2022052722/5f0cea3a7e708231d437c269/html5/thumbnails/6.jpg)
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
Challenge: 3 – Contention between the security and usability constraints. – Lack of metrics to measure these factors.
– Budget constraints. – Security architecture should consider large-scale networks.
![Page 7: ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network Security Design Synthesis Mohammad Ashiqur Rahman and Ehab Al-Shaer CyberDNA Research](https://reader033.fdocuments.in/reader033/viewer/2022052722/5f0cea3a7e708231d437c269/html5/thumbnails/7.jpg)
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
Challenge: 4 – Contention between the security and usability constraints. – Lack of metrics to measure these factors. – Budget constraints.
– Security architecture should consider large-scale networks.
![Page 8: ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network Security Design Synthesis Mohammad Ashiqur Rahman and Ehab Al-Shaer CyberDNA Research](https://reader033.fdocuments.in/reader033/viewer/2022052722/5f0cea3a7e708231d437c269/html5/thumbnails/8.jpg)
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
Architecture
Security
Usability
Cost Security-Device Placements
Security Policy
Configuration Synthesis
SMT Solver
Security Specifications
Usability Specifications
Device Placement Model
Isolation, Usability, and Cost Model
Constraint Model
Network Topology and Placement Strategy
Connectivity Requirements
User-defined Constraints
ConfigSynth
Cost Specifications
ConfigSynth
![Page 9: ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network Security Design Synthesis Mohammad Ashiqur Rahman and Ehab Al-Shaer CyberDNA Research](https://reader033.fdocuments.in/reader033/viewer/2022052722/5f0cea3a7e708231d437c269/html5/thumbnails/9.jpg)
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
Architecture
Security
Usability
Cost Security-Device Placements
Security Policy
Configuration Synthesis
SMT Solver
Security Specifications
Usability Specifications
Device Placement Model
Security, Usability, and Cost Model
Constraint Model
Network Topology and Placement Strategy
Connectivity Requirements
User-defined Constraints
ConfigSynth
Cost Specifications
![Page 10: ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network Security Design Synthesis Mohammad Ashiqur Rahman and Ehab Al-Shaer CyberDNA Research](https://reader033.fdocuments.in/reader033/viewer/2022052722/5f0cea3a7e708231d437c269/html5/thumbnails/10.jpg)
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
Architecture
Security
Usability
Cost Security-Device Placements
Security Policy
Configuration Synthesis
SMT Solver
Security Specifications
Usability Specifications
Device Placement Model
Security, Usability, and Cost Model
Constraint Model
Network Topology and Placement Strategy
Connectivity Requirements
User-defined Constraints
ConfigSynth
Cost Specifications
Evaluation
![Page 11: ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network Security Design Synthesis Mohammad Ashiqur Rahman and Ehab Al-Shaer CyberDNA Research](https://reader033.fdocuments.in/reader033/viewer/2022052722/5f0cea3a7e708231d437c269/html5/thumbnails/11.jpg)
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
Security in terms of Isolation • Security requirements are indicated by isolation measures
between the hosts. • An isolation pattern signifies the type of security
resistance. • Network level isolation patterns:
– Access deny – Trusted communication, i.e., authenticated/encrypted communication. – Payload inspection. – Source identity hiding communication. – Traffic forwarding through proxy.
![Page 12: ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network Security Design Synthesis Mohammad Ashiqur Rahman and Ehab Al-Shaer CyberDNA Research](https://reader033.fdocuments.in/reader033/viewer/2022052722/5f0cea3a7e708231d437c269/html5/thumbnails/12.jpg)
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
Isolation Model
![Page 13: ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network Security Design Synthesis Mohammad Ashiqur Rahman and Ehab Al-Shaer CyberDNA Research](https://reader033.fdocuments.in/reader033/viewer/2022052722/5f0cea3a7e708231d437c269/html5/thumbnails/13.jpg)
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
Isolation Score
![Page 14: ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network Security Design Synthesis Mohammad Ashiqur Rahman and Ehab Al-Shaer CyberDNA Research](https://reader033.fdocuments.in/reader033/viewer/2022052722/5f0cea3a7e708231d437c269/html5/thumbnails/14.jpg)
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
Isolation Requirement
![Page 15: ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network Security Design Synthesis Mohammad Ashiqur Rahman and Ehab Al-Shaer CyberDNA Research](https://reader033.fdocuments.in/reader033/viewer/2022052722/5f0cea3a7e708231d437c269/html5/thumbnails/15.jpg)
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
Usability Constraint
![Page 16: ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network Security Design Synthesis Mohammad Ashiqur Rahman and Ehab Al-Shaer CyberDNA Research](https://reader033.fdocuments.in/reader033/viewer/2022052722/5f0cea3a7e708231d437c269/html5/thumbnails/16.jpg)
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
Cost Constraint
![Page 17: ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network Security Design Synthesis Mohammad Ashiqur Rahman and Ehab Al-Shaer CyberDNA Research](https://reader033.fdocuments.in/reader033/viewer/2022052722/5f0cea3a7e708231d437c269/html5/thumbnails/17.jpg)
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
Miscellaneous Constraints
![Page 18: ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network Security Design Synthesis Mohammad Ashiqur Rahman and Ehab Al-Shaer CyberDNA Research](https://reader033.fdocuments.in/reader033/viewer/2022052722/5f0cea3a7e708231d437c269/html5/thumbnails/18.jpg)
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
Analytical Result
The maximum possible isolation with respect to the usability constraint considering a fixed cost constraint
![Page 19: ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network Security Design Synthesis Mohammad Ashiqur Rahman and Ehab Al-Shaer CyberDNA Research](https://reader033.fdocuments.in/reader033/viewer/2022052722/5f0cea3a7e708231d437c269/html5/thumbnails/19.jpg)
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
Evaluation
The model synthesis time with respect to the number of hosts.
![Page 20: ConfigSynth: A Formal Framework for Network Security ...ConfigSynth: A Formal Framework for Network Security Design Synthesis Mohammad Ashiqur Rahman and Ehab Al-Shaer CyberDNA Research](https://reader033.fdocuments.in/reader033/viewer/2022052722/5f0cea3a7e708231d437c269/html5/thumbnails/20.jpg)
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
Summary • Our work has been accepted for publication in IEEE
ICDCS 2013 (13% acceptance rate). • Future works
– We are investigating the methodologies for the risk evaluation of the synthesized security design, and hypothesis generation for feedback controls to the synthesis engine.
– Interactive security analytics
Thanks