
Research Direction Introduction

Advisor: Professor Frank, Y.S. Lin

Presented by Chi-Hsiang Chan

2011/10/11


Agenda
- Introduction
  - Collaborative Attack
  - Virtualization
- Problem description
- Scenario


Collaborative Attack

Collaborative attacks are characterized by the prevalence of coordination before and during attacks. [1]

Collaborative attacks in general involve multiple human attackers or criminal organizations that have their respective adversarial expertise but may not fully trust each other.

Collaborative attacks are more powerful than the sum of the underlying individual attacks that the individual attackers could launch independently.


Collaborative Attack (figure slide, no transcript text)

Collaborative Attack: Advantages of Collaborative Attack [2]
- Coordinated attacks could be designed to avoid detection.
- It is difficult to differentiate between decoy and actual attacks.
- There is a large variety of coordinated attacks.


Virtualization Definition

Virtualization refers to technologies designed to provide a layer of abstraction between computer hardware systems and the software running on them.[3]

Source: VMware

Virtualization Benefit
- Cost reduction
- Efficiency
- Scalability
- Easy to run multiple operating system environments
- Increased space utilization efficiency in the data center through server consolidation

Virtualization is the key to cloud computing.


IDS

An intrusion detection system (IDS) is a security system that monitors computer systems and network traffic and analyzes that traffic for possible hostile attacks originating from outside the organization, and also for system misuse or attacks originating from inside the organization. [4]

It provides more protection than a firewall, which only filters incoming traffic from the Internet.


IDS: Two types of IDS
- Host IDS (HIDS)
- Network IDS (NIDS)

The trade-off is evident when comparing HIDS and NIDS: NIDS offers high attack resistance at the cost of visibility, while HIDS offers high visibility but sacrifices attack resistance.


Problem Description


Attacker View
- Commander
- Attackers
  - Initial location
  - Budget
  - Capability
- Objective
  - Steal confidential information
  - Service disruption


Defender View: Special Defense Resource
- Cost budget
  - VM IDS (Signature) [5]
  - Cloud security service
- Costless (decreases QoS)
  - VM local defense
  - Dynamic topology reconfiguration [6]


Per Hop Decision: Period decision
- Early stage
- Late stage
- Strategy decision by criteria
  - Compromise → risk avoidance
  - Pretend to attack → risk tolerance
- No. of Attackers: choose ideal attackers
- Aggressiveness: attack energy
- Budget
- Capability


Time Issue
- Attackers: compromise time, recovery time
- Defender: signature generation, reconfiguration impact on QoS


Synergy
- Pros: decreases the budget cost of each attacker, less recovery time, less compromise time
- Cons: probability of being detected


Early Period, Risk Avoidance

Purpose:
- Try to compromise nodes as fast as possible
- Keep the stronger attackers for compromising core nodes


Scenario (legend)
- General node
- Core node
- Cloud security agent
- VMM environment
- Third party's defense center
- Cloud security provider


Scenario (figure: network of nodes A to J)

Early Stage Attack Strategy (figure: nodes A to J)

Local Defense (figure: nodes A to J)

IPDS request signature (figure: nodes A to J; signature generating…)

Late Stage Attack Strategy (figure: nodes A to J; signature generating…)

Attack VMM (figure: nodes A to J; signature generating…)

Risk Level, Reconfiguration (figure: nodes A to J; signature generating…)

Cloud Security Service (figure: nodes A to J; signature generating…)

Transfer Signature (figure: nodes A to J)

Failure of Attacker (figure: nodes A to J)

Failure of Defender (figure: nodes A to J; QoS)

Thanks for listening!

References

[1] S. Xu, "Collaborative Attack vs. Collaborative Defense", Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, Volume 10, Part 2, pp. 217-228, 2009.

[2] S. Braynov and M. Jadliwala, "Representation and Analysis of Coordinated Attacks", FMSE'03, 2003.

[3] J. K. Waters, "Virtualization Definition and Solutions", 2008, http://www.cio.com/article/40701/Virtualization_Definition_and_Solutions

[4] SANS Institute InfoSec Reading Room, "Intrusion Detection Systems: Definition, Need and Challenges", 2001.

[5] T. Garfinkel and M. Rosenblum, "A Virtual Machine Introspection Based Architecture for Intrusion Detection", Proc. Network and Distributed Systems Security Symposium, 2003.

[6] M. Atighetchi, P. Pal, F. Webber and C. Jones, "Adaptive Use of Network-Centric Mechanisms in Cyber-Defense", BBN Technologies LLC.

Appendix


Host-based IDS

HIDS obtains information by watching local activity on a host: processes, system calls, logs, etc.

Advantages: detailed information about system activities; greater accuracy and fewer false positives.

Weakness: highly dependent on the host system; can be deactivated or tampered with by a successful intruder.


Network-based IDS

NIDS obtains data by monitoring the traffic in the network.

Advantages: operating-system independent; can detect attack attempts outside the firewall; difficult for attackers to remove their evidence.

Weakness: in high-traffic networks, a network monitor could potentially miss packets or become a bottleneck; hard to get detailed information about hosts.


Period
- N: the total number of nodes in the defense network.
- F: the total number of nodes that are compromised in the defense network.


Selection Criteria


No. of Attackers
- M: number of selected candidates
- Success Rate (SR) = Risk Avoidance Compromised / Risk Avoidance Attacks