Combining Moving Target Defense with Autonomic Systems. Warren Connell 7 Dec 15


Problem / Motivation
- Related to the area of Moving Target Defense (MTD)
- Few research papers are devoted to effectiveness, few to the cost/overhead of MTD, and still fewer to both
- Security must be balanced against Quality of Service; this is possible with autonomic systems
- Metrics may be too coarse-grained / subjective
- Marry an MTD technique with known performance to autonomic techniques for better overall utility
- Practice the selection and design of utility functions

Background / Related Work
- One MTD technique: randomly reassign roles, VMs, hosts and IP addresses
- Zhuang, Rui, et al. "Simulation-based approaches to studying effectiveness of moving-target network defense." National Symposium on Moving Target Research, 2012.

Background / Related Work
- Another MTD technique: protect against DDoS attacks by using a rotating layer of secret proxies
- Quan Jia; Kun Sun; Stavrou, A., "MOTAG: Moving Target Defense against Internet Denial of Service Attacks," Computer Communications and Networks (ICCCN), 2013 22nd International Conference on, pp. 1-9, 30 July - 2 Aug. 2013.

Background / Related Work
- Combining QoS and security in a streaming-media application for various user preferences
- Mourad Alia, Marc Lacoste, Ruan He, and Frank Eliassen. 2010. Putting together QoS and security in autonomic pervasive systems. In Proceedings of the 6th ACM workshop on QoS and security for wireless and mobile networks (Q2SWinet '10). ACM, New York, NY, USA, 19-28.

Approach
- Multiple utility functions:
  - Security utility from the detection rates of a database IDPS (use an exponential average if there are multiple IDPSs)
  - Response-time utility from a sigmoid based on the SLO, with parameters taken from a linear queuing model
  - Global utility combining the two
- Alomari, F.; Menascé, D., "An Autonomic Framework for Integrating Security and Quality of Service Support in Databases," Software Security and Reliability (SERE), 2012 IEEE Sixth International Conference on, pp. 51-60, 20-22 June 2012.

Approach
- Another MTD technique: dynamically re-map the association between addresses and systems
- Uses probabilistic models
- Static case: probability of a successful probe given k draws, with v vulnerable machines out of n machines
- Dynamic case: perfect shuffling (one shuffle per probe attempt)
- Carroll, T.E.; Crouse, M.; Fulp, E.W.; Berenhaut, K.S., "Analysis of network address shuffling as a moving target defense," Communications (ICC), 2014 IEEE International Conference on, pp. 701-706, 10-14 June 2014.

Approach
- Chance of finding one vulnerable computer as the network size increases, using perfect shuffling: tends to 1 - 1/e ≈ 0.63
- Carroll, T.E.; Crouse, M.; Fulp, E.W.; Berenhaut, K.S., "Analysis of network address shuffling as a moving target defense," Communications (ICC), 2014 IEEE International Conference on, pp. 701-706, 10-14 June 2014.

Approach
- Experimentally determine the connection failure rate as a function of the shuffle rate
- Carroll, T.E.; Crouse, M.; Fulp, E.W.; Berenhaut, K.S., "Analysis of network address shuffling as a moving target defense," Communications (ICC), 2014 IEEE International Conference on, pp. 701-706, 10-14 June 2014.
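The two cases from the Carroll et al. analysis on the preceding slides, worked through numerically. This is an added example, not code from the slides or from Carroll et al.; the function names and the sample network sizes are this example's own choices. The static case draws k distinct addresses from n without replacement; perfect shuffling re-randomises the map after every probe, so probes become independent draws, and with one vulnerable host and n probes the success probability tends to 1 - 1/e as n grows.

```python
"""Probability that a scanning attacker finds at least one vulnerable host:
static address map vs. perfect address shuffling, plus the n -> infinity
limit of the perfect-shuffling case.

Added example (not from the slides or from Carroll et al.)."""
from math import comb, exp


def static_success(n: int, v: int, k: int) -> float:
    """Static case: the mapping never changes, so k probes hit k distinct
    addresses (drawing without replacement).  The attacker fails only if
    all k probes land on the n - v invulnerable hosts:
        P(success) = 1 - C(n - v, k) / C(n, k)
    math.comb returns 0 when k > n - v, which correctly gives 1.0."""
    return 1.0 - comb(n - v, k) / comb(n, k)


def perfect_shuffle_success(n: int, v: int, k: int) -> float:
    """Dynamic case with perfect shuffling: the mapping is re-randomised
    after every probe, so the k probes are independent draws with
    replacement, each hitting a vulnerable host with probability v / n:
        P(success) = 1 - (1 - v / n) ** k"""
    return 1.0 - (1.0 - v / n) ** k


def perfect_shuffle_limit() -> float:
    """Limit of perfect_shuffle_success(n, 1, n) as n grows: one vulnerable
    host and n probes, (1 - 1/n)^n -> 1/e, so success -> 1 - 1/e ~= 0.632."""
    return 1.0 - exp(-1.0)


def compare(n: int, v: int, k: int) -> dict:
    """Static and perfect-shuffling success side by side for one scenario."""
    return {
        "static": static_success(n, v, k),
        "perfect_shuffle": perfect_shuffle_success(n, v, k),
    }


if __name__ == "__main__":
    # Constructed scenarios: one vulnerable host, attacker budget = n probes.
    for n in (10, 100, 1000, 10000):
        r = compare(n, 1, n)
        print(f"n={n:>6}  static={r['static']:.3f}  "
              f"perfect shuffle={r['perfect_shuffle']:.3f}")
    print(f"limit 1 - 1/e = {perfect_shuffle_limit():.3f}")
    # Fewer probes than hosts: shuffling still helps, but the gap narrows.
    r = compare(100, 5, 10)
    print(f"n=100 v=5 k=10  static={r['static']:.3f}  "
          f"perfect shuffle={r['perfect_shuffle']:.3f}")
```

With a probe budget equal to the network size the static case is a certain hit (the attacker simply enumerates every address), while perfect shuffling caps the attacker at roughly 63%, which is the 1 - 1/e figure quoted on the slide.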

Preliminary Results 1
- Leave U(security) = 1 - (attacker success rate)
- Choose sigmoid parameters for connection loss, U(loss): δ = 0.95 (SLO), σ = -1 (steepness)
- Initially choose α = β = 0.5 for the relative weights: U(g) = α·U(security) + β·U(loss)

Preliminary Results 1
[Figure: Utility vs. Shuffle Rate (shuffle rate 0 to 1 on the x-axis, utility on the y-axis) for α = β = 0.5; α = 0.75, β = 0.25; and α = 0.9, β = 0.1. Each panel plots U(g) together with its components U(loss) and U(security).]

Preliminary Results 2
- Introduce an additional 5% packet loss (α = β = 0.5)
- The utility function compensates by reducing the shuffle rate
[Figure: Utility vs. Shuffle Rate with the additional 5% packet loss, plotting U(g), U(loss) and U(security) against shuffle rate 0 to 1.]
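The utility combination from the Approach slide and the two Preliminary Results, as a small autonomic controller that picks the shuffle rate maximising U(g) = α·U(security) + β·U(loss) and re-picks it when the environment adds packet loss. This is an added example, not code from the slides or from the cited papers. The slides supply δ = 0.95, α = β = 0.5 and the 5% loss perturbation; everything else is this example's assumption: the attacker model (the address map is re-randomised before each probe with probability s, which reduces to the static case at s = 0 and to perfect shuffling at s = 1), the loss model (surviving fraction = 1 - extra_loss - LOSS_PER_UNIT·s), and a sigmoid steepness of σ = -40 instead of the slides' σ = -1, chosen so that the SLO knee is visible on a 0 to 1 axis.

```python
"""Utility-based choice of shuffle rate, after the slides' approach:
    U(g) = alpha * U(security) + beta * U(loss)
U(security) = 1 - attacker success rate; U(loss) is a sigmoid around an
SLO on the fraction of connections that survive shuffling.

Added example, not code from the slides or the cited papers.  The slides
supply delta = 0.95, alpha = beta = 0.5 and the 5 % loss perturbation;
the attacker model, the loss model and SIGMA are this example's
assumptions."""
from functools import lru_cache
from math import exp

DELTA = 0.95          # SLO: 95 % of connections must survive (slides)
SIGMA = -40.0         # sigmoid steepness (assumption; negative = rising)
LOSS_PER_UNIT = 0.1   # assumption: 10 % of connections lost at s = 1


def attacker_success(n: int, v: int, k: int, s: float) -> float:
    """P(k probes hit at least one of v vulnerable hosts among n).
    Assumed model: before each probe the map is reshuffled with
    probability s.  fail(i, j) = P(all remaining i probes miss | j distinct
    misses since the last shuffle).  Between shuffles the attacker never
    re-probes an address, so a probe misses with probability 1 - v/(n - j).
    s = 0 gives k draws without replacement (static case); s = 1 gives
    independent draws (perfect shuffling)."""

    @lru_cache(maxsize=None)
    def fail(i: int, j: int) -> float:
        if i == 0:
            return 1.0
        after_shuffle = (1.0 - v / n) * fail(i - 1, 1)
        if j >= n - v:            # every invulnerable address already tried
            same_map = 0.0
        else:
            same_map = (1.0 - v / (n - j)) * fail(i - 1, j + 1)
        return s * after_shuffle + (1.0 - s) * same_map

    return 1.0 - fail(k, 0)


def u_security(success_rate: float) -> float:
    """U(security) = 1 - attacker success rate (slides)."""
    return 1.0 - success_rate


def u_loss(surviving: float, delta: float = DELTA, sigma: float = SIGMA) -> float:
    """Sigmoid utility of the surviving-connection fraction: 0.5 at the SLO
    delta, close to 1 above it and close to 0 below it."""
    return 1.0 / (1.0 + exp(sigma * (surviving - delta)))


def global_utility(s: float, n: int, v: int, k: int, extra_loss: float = 0.0,
                   alpha: float = 0.5, beta: float = 0.5) -> float:
    """U(g) = alpha * U(security) + beta * U(loss) at shuffle rate s.
    extra_loss is packet loss the environment adds on top of the loss
    caused by shuffling (the 5 % perturbation of Preliminary Results 2)."""
    surviving = 1.0 - extra_loss - LOSS_PER_UNIT * s
    return (alpha * u_security(attacker_success(n, v, k, s))
            + beta * u_loss(surviving))


def best_shuffle_rate(n: int, v: int, k: int, extra_loss: float = 0.0,
                      alpha: float = 0.5, beta: float = 0.5,
                      steps: int = 50) -> float:
    """The autonomic step: sweep s over a grid and keep the argmax of U(g).
    A controller re-runs this whenever the measured loss or the security
    estimate changes."""
    grid = [i / steps for i in range(steps + 1)]
    return max(grid, key=lambda s: global_utility(s, n, v, k, extra_loss,
                                                  alpha, beta))


if __name__ == "__main__":
    n, v, k = 100, 1, 100          # constructed scenario: 1 vulnerable host
    print(f"alpha=beta=0.5, no extra loss: s = "
          f"{best_shuffle_rate(n, v, k):.2f}")
    print(f"alpha=beta=0.5, +5 % loss    : s = "
          f"{best_shuffle_rate(n, v, k, extra_loss=0.05):.2f}")
    print(f"alpha=0.9, beta=0.1          : s = "
          f"{best_shuffle_rate(n, v, k, alpha=0.9, beta=0.1):.2f}")
```

The behaviour to look for is the one on the slide: with 5% of the SLO headroom consumed by external loss, the sigmoid starts penalising shuffling immediately, so the argmax moves to a lower shuffle rate; weighting security more heavily (α = 0.9) moves it the other way. The attacker-success curve is concave in s (most of the benefit comes from the first few shuffles), which is why a steep loss sigmoid, not a linear penalty, is what makes the trade-off interesting.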

Conclusion
- Measures of security effectiveness can be combined with QoS in a utility function
- An objective measure of security effectiveness is needed; QoS is easily measured (connection loss, response time)
- Proper choices of utility function and parameters still require input from domain experts
- Sigmoids may not be required in all cases

Sources
- Carroll, T.E.; Crouse, M.; Fulp, E.W.; Berenhaut, K.S., "Analysis of network address shuffling as a moving target defense," Communications (ICC), 2014 IEEE International Conference on, pp. 701-706, 10-14 June 2014.
- Quan Jia; Kun Sun; Stavrou, A., "MOTAG: Moving Target Defense against Internet Denial of Service Attacks," Computer Communications and Networks (ICCCN), 2013 22nd International Conference on, pp. 1-9, 30 July - 2 Aug. 2013.
- Zhuang, Rui, et al. "Simulation-based approaches to studying effectiveness of moving-target network defense." National Symposium on Moving Target Research, 2012.
- Rui Zhuang; Su Zhang; Bardas, A.; DeLoach, S.A.; Xinming Ou; Singhal, A., "Investigating the application of moving target defenses to network security," Resilient Control Systems (ISRCS), 2013 6th International Symposium on, pp. 162-169, 13-15 Aug. 2013.
- Alomari, F.; Menascé, D., "An Autonomic Framework for Integrating Security and Quality of Service Support in Databases," Software Security and Reliability (SERE), 2012 IEEE Sixth International Conference on, pp. 51-60, 20-22 June 2012.
- Mourad Alia, Marc Lacoste, Ruan He, and Frank Eliassen. 2010. Putting together QoS and security in autonomic pervasive systems. In Proceedings of the 6th ACM workshop on QoS and security for wireless and mobile networks (Q2SWinet '10). ACM, New York, NY, USA, 19-28.