Accountable SDNs for Cyber Resiliency UIUC/R2 Monthly Group Meeting. Presented by Ben Ujcich March 31, 2017

Similar documents
Amani Abu Jabal 1 Elisa Bertino 2. Purdue University, West Lafayette, USA 1. 2

Effective Audit Trail of Data With PROV-O Scott Henninger, Senior Consultant, MarkLogic

Leveraging Data Provenance to Enhance Cyber Resilience

Provenance Data Model

Preserving Data Privacy in the IoT World

Enhanced Immutability of Permissioned Blockchain Networks by Tethering Provenance with a Public Blockchain Network

Transactions Between Distributed Ledgers

Introduction to Cryptoeconomics

BBc-1 : Beyond Blockchain One - An Architecture for Promise-Fixation Device in the Air -

DisLedger - Distributed Concurrence Ledgers 12 August, 2017

Hyperledger fabric: towards scalable blockchain for business

Towards an Accountable Software-Defined Networking Architecture

CONSENSUS PROTOCOLS & BLOCKCHAINS. Techruption Lecture March 16 th, 2017 Maarten Everts (TNO & University of Twente)

Distributed Concurrence Ledgers 16 May, 2016

The power of Blockchain: Smart Contracts. Foteini Baldimtsi

Distributed Ledger Technology & Fintech Applications. Hart Montgomery, NFIC 2017

Exceptional Access Protocols. Alex Tong

DELIVERING SIMPLIFIED CYBER SECURITY JOURNEYS

Key concepts of blockchain

Decentralized Identity for a Decentralized World. Alex Simons Partner Director Program Management, Identity Division Microsoft

Privacy Policy. LAST UPDATED: 23 June March 2017

University of Pittsburgh Security Assessment Questionnaire (v1.7)

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric

Privacy-Enabled NFTs: User-Mintable, Non-Fungible Tokens With Private Off-Chain Data

SCP: A Computationally Scalable Byzantine Consensus Protocol for Blockchains

Why is blockchain exciting? Data Sharing.

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Blockchain and Additive Manufacturing

Proposal for Implementing Linked Open Data on Libraries Catalogue

A Scalable Smart Contracts Platform

A Formal Definition of RESTful Semantic Web Services. Antonio Garrote Hernández María N. Moreno García

SmartPool: practical decentralized pool mining. Loi Luu, Yaron Velner, Jason Teutsch, and Prateek Saxena August 18, 2017

Why you should adopt the NIST Cybersecurity Framework

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

Performance Benchmarking & Optimizing Hyperledger Fabric Blockchain Platform

FIBO Metadata in Ontology Mapping

NPP & Blockchain Have you thought about the data? Ken Krupa, CTO, MarkLogic

PT-BSC. PT-BSC version 0.3. Primechain Technologies Blockchain Security Controls. Version 0.4 dated 21 st October, 2017

Comparing Provenance Data Models for Scientific Workflows: an Analysis of PROV-Wf and ProvOne

Clarity on Cyber Security. Media conference 29 May 2018

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

ENEE 457: E-Cash and Bitcoin

How Formal Analysis and Verification Add Security to Blockchain-based Systems

Practical Byzantine Fault Tolerance Consensus and A Simple Distributed Ledger Application Hao Xu Muyun Chen Xin Li

W3C Provenance Incubator Group: An Overview. Thanks to Contributing Group Members

Information Security Is a Business

Leveraging Smart Contracts for Automatic SLA Compensation The Case of NFV Environments

IBM SmartCloud Engage Security

GDPR: A technical perspective from Arkivum

Algorand: Scaling Byzantine Agreements for Cryptocurrencies

The Point of View Axis: Varying the Levels of Explanation Within a Generic RDF Data Browsing Environment

QuickBooks Online Security White Paper July 2017

SOLUTION ARCHITECTURE AND TECHNICAL OVERVIEW. Decentralized platform for coordination and administration of healthcare and benefits

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Contractual Compliance. Text. IPC Meeting. Tuesday, 24 June 2014 #ICANN50

Semantic Technologies for the Internet of Things: Challenges and Opportunities

Technical White Paper of. MOAC Mother of All Chains. June 8 th, 2017

Hyperledger Fabric v1:

Smart Transactions: An In-To-Out Manageable Transaction System

A View From the Top. Mark Hughes BT Group Security Director

P1752 Working Group Meeting

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

TC307 SG3 - SECURITY & PRIVACY

Cybersecurity. Overview. Define Cyber Security Importance of Cyber Security 2017 Cyber Trends Top 10 Cyber Security Controls

Cyber Incident Response. Prepare for the inevitable. Respond to evolving threats. Recover rapidly. Cyber Incident Response

Management Information Systems. B15. Managing Information Resources and IT Security

Financial CISM. Certified Information Security Manager (CISM) Download Full Version :

Trustworthy Whole-System Provenance for the Linux Kernel

Information Governance, the Next Evolution of Privacy and Security

HOLISTIC NETWORK PROTECTION: INNOVATIONS IN SOFTWARE DEFINED NETWORKS

Using Chains for what They re Good For

A Blockchain-based Mapping System

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

Protect Your Organization from Cyber Attacks

SMARTDATA: Leveraging Blockchain to Securely Capture & Verify Scientific Provenance Data

Introduction to ISO/IEC 27001:2005

Blockchain, cryptography, and consensus

raceability Support in OpenModelica Using Open Services for Lifecycle Collaboration (OSLC)

IT Services IT LOGGING POLICY

Resilient Linked Data. Dave Reynolds, Epimorphics

TRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE. John McDonald

Blockchains & Cryptocurrencies

Building a Resilient Security Posture for Effective Breach Prevention

Direct, DirectTrust, and FHIR: A Value Proposition

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C

Blockchain, Throughput, and Big Data Trent McConaghy

Designing and Building a Cybersecurity Program

Brian S. Dennis Director Cyber Security Center for Small Business Kansas Small Business Development Center

Computer Security. 14. Blockchain & Bitcoin. Paul Krzyzanowski. Rutgers University. Spring 2019

White Paper. Blockchain alternatives: The case for CRAQ

How Secure is Blockchain? June 6 th, 2017

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Who s Protecting Your Keys? August 2018

Federated Authentication for E-Infrastructures

Turning Risk into Advantage

Mobile and Heterogeneous databases Distributed Database System Transaction Management. A.R. Hurson Computer Science Missouri Science & Technology

FIBO Shared Semantics. Ontology-based Financial Standards Thursday Nov 7 th 2013

PRIVACY COMMITMENT. Information We Collect and How We Use It. Effective Date: July 2, 2018

Building Bridges to Business Context is Essential to Data Governance

Transcription:

Accountable SDNs for Cyber Resiliency UIUC/R2 Monthly Group Meeting Presented by Ben Ujcich March 31, 2017

Outline Motivation for accountability Our accepted paper: Towards an Accountable Software-Defined Networking Architecture. B. E. Ujcich, A. Miller, A. Bates, and W. H. Sanders. Proceedings of the 3rd IEEE Conference on Network Softwarization (NetSoft 2017), July 3-7, 2017. Early stage work on implementing SDN accountability Ideas and feedback 2 Outline

Motivation SDNs provide flexibility, but also new opportunities for attacks What assurances do we have about previous system events? NIST definition of accountability: actions of an [agent] [that can] be traced uniquely to that [agent] that supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action Why accountability in SDN? Attributing causal actions is difficult; needed for assigning blame fairly and to take appropriate response actions Multiple (potentially distrusting) parties or agents with different incentives 3 Motivation

Uses of Accountability A posteriori compliance control Collect relevant data about agents actions in order to blame one or more agents based on agreed-upon (a priori) policies Forensics Collect all data about agents actions under adversarial conditions in order to blame one or more agents Troubleshooting Collect relevant/all data about agents actions for testing or debugging purposes under non-adversarial (but possibly faulty) conditions 4 Motivation

RRE, Accountability, and Cyber Resiliency RRE Concepts Monitoring and fusion Response decisions Response actions Recovery maps to Data for monitoring inputs Structured semantic data for logical reasoning Responses based on who to blame Penalties for policy breaches System actions by agents Data provenance Policy checking Blame and attribution Response actions Recovery provides Accountability Process Situational Awareness Cyber Resiliency 5 Motivation

Approach Applying accountability regime design 1 to SDNs based on CS and social science notions of accountability [1] J. L. Mashaw, Accountability and institutional design: Some thoughts on the grammar of governance, in Public Accountability: Designs, Dilemmas, and Experience, M. W. Dowdle, Ed., 2006. 6 Towards an Accountable SDN Architecture

1. Who is accountable to whom Notion of agents and their relationships among each other SDN ecosystem encompasses many interrelated agents that requires looking at the system holistically 7 Towards an Accountable SDN Architecture

2. What one is accountable for Notions of entities that store system state and actions that can be taken on the entities by the agents Broader view than just simply a representation of the network as a forwarding graph 8 Towards an Accountable SDN Architecture

3. Assurance mechanisms What assurances or guarantees can we make about the data that we collect? Important research areas: Data provenance Blockchains and cryptocurrencies 9 Towards an Accountable SDN Architecture

4. Standards Two views of accountability standards Accountability by design to support (external) legal systems Accountability by design to create a system for self-executing policy/compliance enforcement Automated enforcement of standards via smart contracts 10 Towards an Accountable SDN Architecture

5. Effects of breach Go beyond just collecting data for auditing; must use it somehow Deterrence and resiliency as complementary aspects Completes the RRE loop 11 Towards an Accountable SDN Architecture

Implementing Accountability Goal: Design and build a realized accountable SDN system Major components: Data provenance / provenance language for formally describing system state (i.e., how data came to be) in a structured way Blockchains as replicated, fault tolerant distributed consensus ledgers to store commitments about past data provenance Smart contracts to implement a priori policy agreements among (distrusting) agents for meeting system invariants/predicates and for defining consequences if invariants are breached 12 Early Stage Implementation

Components: Data Provenance RDF triples for building distributed provenance graph Ontology constrains language Extend W3C PROV ontology with SDN semantics Use provenance data model to form queries with networking/security semantics E.g., Was there a path between hosts A and B at this time? actedonbehalfof Diagram source: A Walk Through PROV-O, Tim Lebo, 2012. URL: https://www.w3.org/2011/prov/wiki/iswcprovtutorial wasderivedfrom Entity wasattributedto wasgeneratedby Agent used wasassociatedwith Activity startedattime endedattime xsd:datetime wasinformedby xsd:datetime 13 Early Stage Implementation

Components: Blockchains Blockchain data stored and executed by all participating nodes for fault-tolerance and replication purposes Can store self-executing smart contracts Consensus through proof-ofwork or BFT-like protocols Agents commit hashes of provenance data to blockchain s smart contracts Auditing protocol Consensus about which blocks comprise the blockchain Diagram source: Bitcoin Block Data, Matthäus Wander, Wikimedia Commons. URL: https://commons.wikimedia.org/wiki/file:bitco in_block_data.png Merkle trees storing transactions/data 14 Early Stage Implementation

Components: Smart Contracts Self-executing pieces of code and data that live on the blockchain In cryptocurrency context, can exchange financial value Store policy agreements among agents and relevant commitments related to provenance Translate high level network policies to executable code Agents involved in agreement compiles to Escrow amounts Smart Contract Code Provenance storage agreements Storage Policy invariants or predicates Liability/blame policies 15 Early Stage Implementation

Proposed Case Studies Multiple administrative domains Different administrators Different ownership/trust assumptions of equipment, processes, or data Network applications Extensions to SDN controller functionality for providing services (e.g., IDSes, firewalls) Proliferation of network applications makes it challenging to assign blame, especially with apps of equal permission levels 16 Early Stage Implementation

Ideas and Feedback Alignment with research goals Uses of accountable systems or networks with highly granular provenance metadata and/or automated penalties and responses Extension to end host application semantics Questions? 17 Ideas and Feedback

Thanks! 18 Ideas and Feedback

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback