Optimization of NIDS Placement for Protection of Intercommunicating Critical Infrastructures

Many Critical Infrastructures (CI) use the Internet as a means of providing services to citizens and for dispatching their own transactions. CIs, like many other organizations connected to the Internet, are prone to cyber-attacks. The attacks can originate from their trusted customers or peer CIs. Distributed network intrusion detection systems (NIDS) can be deployed within the network of national Network Service Providers to support cyber-attack mitigation. However, determining the optimal placement of NIDS devices is a complex problem that should take into account budget constraints, network topology, communication patterns, and more. In this paper we model interconnected CIs as a communication overlay network and propose using Group Betweenness Centrality as a guiding heuristic in optimizing placement of NIDS with respect to the overlay network. We analyze the effectiveness of the proposed placement strategy by employing standard epidemiological models and compare it to placement strategies suggested in the literature.
