A Probabilistic Approach to Autonomic Security Management

Transcription

1 2016 IEEE International Conference on Autonomic Computing A Probabilistic Approach to Autonomic Security Management Stefano Iannucci Distributed Analytics and Security Institute Mississippi State University Starkville, Mississippi Summarized by Pranav Veldurthy Sherif Abdelwahed Department of Electrical and Computer Engineering Mississippi State University Starkville, Mississippi

2 Presentation Summary Introduction System Overview Contributions and Organizations System Model States Characterization Reward Function Response Actions Termination Function Performance Evaluation Experimental Results Vulnerabilities Snort Configuration Simulation of Controller Behavior Conclusion and Future Works

3 Introduction Increase in the attack frequency (more than doubled) compared to the previous year. Intrusion Detection System (IDS) Complexity and Number of alerts; Probability success resulting to constant damage. Intrusion Response Systems (IRS) Static Mapping Detected Attack and Countermeasure. Dynamic Evaluation of All Response Time. Markov Decision Process (MDP) To compose response policies using atomic response actions.

4 System Overview Autonomic Systems : Controller Implements Self-management Algorithm Controlled Subsystem Domain Functionality M A P E - K

5 Contributions and Organizations MDP-based Controller Design Realization Evaluation Adopting long-term response policies can be more effective than single response actions. Result : Reduction of threat resolution by 56%. * Design and Realization of IDS Event Manager and system learning behavior of the controller are OUT OF THE SCOPE of the present work.

6 System Model Where S = Finite set of States ; A = Finite set of Actions. Set of target states. Reward Function. γ = discount factor. Aim = Optimal Policy (π).

7 System Attributes firewall {true, false} {blocked_ips} {flowlimit_ips} alert {true, false} {honeypot_ips} logverb {0,1,2,3,4,5} active {true, false} quarantined {true, false} rebooted {true, false} backup {true, false} updated {true, false} States Characterization Specialization in 7 different attacks and 11 system attributes. P scan, P vsftpd, P smbd, P phpcgi, P ircd, P distccd, P rmi

8 Reward Function Reward function as a penalty score. Evaluates response actions by: Response Time R(x) R Cost C(x) R Impact index I(x) [0,1] Reward Function =

9 Response Actions To avoid potentially disruptive response actions, two thresholds are introduced with probability p in 4 stages. p < T 1 T 1 < p < T 2 T 2 < p < 1 p = 1

10 Response Actions Firewall Activation Block source IP (badip)

11 Response Actions Flow Rate Limit (badip) Closed Network Connection

12 Termination Function Termination function (T) for a set of target states (S tgt ) is defined as : T : S {true, false} A termination is done when the system reaches control anomaly (S ano ) or state of fully clean system (S clean ) S ano S clean S tgt = S ano ꓴ S clean

13 Performance Evaluation Comparing performance of the Value Iteration(VI) algorithm with the performances of the sub-optimal rollout-based Monte-Carlo algorithm named UCT. Comparing the planning time of VI algorithm with discount factor = 0.9 with UCT algorithm. Comparing the obtained rewards by VI are close to -10 as it always selects the best response action.

14 Experimental Results

15 Vulnerabilities Only selected vulnerabilities are considered because the software is exploited by downloading metasploitable VM and is freely available. OSVBD Trojaned Distribution. :). Result : TCP callback shell. CVE username map script. Attackers execute an arbitrary constant. CVE Run as CGI is vulnerable to argument injection. = is passed, the string is split on + character and passes them to CGI binary. CVE UnrealIRCd DEBUG3_DOLOG_SYSTEM allows attackers to execute arbitrary commands. CVE distcc 2.x; executed by the server without authorization checks. CVE RMI Registry and RMI Activation loads classes from remote URL.

16 Snort Configuration Snort helps in detecting malicious traffic but cannot stop it. Three rule set : Community Set - Publicly Available. Registered Rules Freely Available. Subscribes Rules Cisco Subscription plan. CVE was detected. Wireshark is implemented to find characteristic signatures. OSBVD Exploit Analysis Result = :) for every suspicious login alert.

17 Simulation of Controller Behavior Three simulations are run 1000 times to use VI algorithm. Portscan Attack : Response time optimization and discount factor = 0.9 yields 14 equivalent policies such as : generatealert, increaselogverb, increaselogverb, increaselogverb, increaselogverb, increaselogverb, activatefirewall, blocksrcip, unblockscrip, decreaselogverb, decreaselogverb, decreaselogverb, decreaselogverb, decreaselogverb. Policies are split into i) Preparation, ii) Response, iii) Conclusion.

18 Simulation of Controller Behavior Vulnerability Exploit : Response time optimization and discount factor = 0.9 yields 15 equivalent policies such as : increaselogverb, generatealert, activatefirewall, increaselogverb, increaselogverb, increaselogverb, increaselogverb, systemreboot, backup, software-update, decreaselogverb, decreaselogverb, decreaselogverb, decreaselogverb, decreaselogverb. Policies are split into i) first preparation, ii) first response attempt, iii) second preparation, iv) second response attempt, v) conclusion.

19 Simulation of Controller Behavior Combined Vulnerability and Response Time Response time optimization and discount factor = 0.9 yields 17 equivalent policies such as : generatealert, increaselogverb, activatefirewall, increaselogverb, blocksrcip, increaselogverb, increaselogverb, increaselogverb, systemreboot, backup, softwareupdate, unblocksrcip, decreaselogverb, decreaselogverb, decreaselogverb, decreaselogverb, decreaselogverb. Policies are split into i) first preparation, ii) first response attempt, iii) second preparation, iv) second response attempt, v) third response, vi) third response attempt, vii) conclusion.

20 Conclusions and Future Work During the last decade many IRSs have been proposed to face the increasing frequency and complexity of attacks. All the proposed approaches, however, only considered either a static mapping of the best response action to the currently detected attack or the dynamic evaluation of the available response actions according to a set of predefined attributes. This paper introduced MDP-based controller which helps in long-term planning by exploiting the concept of system state by decoupling the attack from the response. Experimental results show that long-term planned policies provide better results than short-term ones and the threat resolution time can be reduced up to 56% in the considered scenario. For future work, a meta-model is realized in which we will define standard components and connections that could be used by the system administrators to visually design the model of their system. Having such a meta-model will enable the development of standard attacks and response libraries that, integrated with the personalized system model, will allow the IRS to provide response policies tailored for the specific system.