Optimizing the network diversity to improve the resilience of networks against unknown attacks

Abstract

Diversity as a security mechanism is receiving renewed interest due to its potential for improving the resilience of software and networks against previously unknown attacks. Recent works show diversity can be modeled and quantified as a security metric at the network level. However, such efforts do not directly provide a solution for improving the network diversity. On the other hand, existing network hardening approaches largely focus on handling vulnerabilities and do not pay special attention to diversity. In this paper, we propose an automated approach to diversifying network services under various cost constraints in order to improve the network’s resilience against unknown attacks. Specifically, we first define models for network services and their relationships, diversification options, and the costs. We then formulate the optimization problem of diversifying network services under given cost constraints. We devise optimization and heuristic algorithms for efficiently solving the problem, and we evaluate our approach through simulations.
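As an added illustration (not code from the paper), a toy instance of the diversification-under-cost problem the abstract describes: the services, their candidate implementations and migration costs, the attack paths, and the least-effort diversity metric (fewest distinct implementations an attacker must defeat on any path) are all constructed assumptions here, and the exhaustive solver and the greedy heuristic are the editor's own, not the paper's algorithms.

```python
from itertools import product

# Constructed toy input (not the paper's data): for each service, the current
# implementation (migration cost 0) and alternatives with their migration cost.
OPTIONS = {
    "proxy": {"nginx": 0, "haproxy": 2},
    "web":   {"nginx": 0, "apache": 4},
    "app":   {"tomcat": 0, "jetty": 3},
    "db":    {"mysql": 0, "postgres": 5},
}
# Attack paths: the attacker must compromise every service on some path.
PATHS = [["proxy", "web", "db"], ["proxy", "app", "db"]]

def diversity(assign):
    """Least-effort diversity: fewest distinct implementations on any path,
    i.e. how many different unknown exploits an attacker needs at minimum."""
    return min(len({assign[s] for s in path}) for path in PATHS)

def cost(assign):
    """Total migration cost of moving from the current implementations."""
    return sum(OPTIONS[s][impl] for s, impl in assign.items())

def optimal(budget):
    """Exhaustive search: maximal diversity within budget, cheapest on ties."""
    best = None
    for combo in product(*(list(o) for o in OPTIONS.values())):
        assign = dict(zip(OPTIONS, combo))
        c = cost(assign)
        if c > budget:
            continue
        key = (diversity(assign), -c)
        if best is None or key > best[0]:
            best = (key, assign)
    return best[1]

def greedy(budget):
    """Heuristic: repeatedly apply the single change with the best diversity
    gain per unit cost that still fits the budget; stops when none helps."""
    assign = {s: next(iter(o)) for s, o in OPTIONS.items()}  # current state
    while True:
        base, pick = diversity(assign), None
        for s, impls in OPTIONS.items():
            for impl, c in impls.items():
                trial = {**assign, s: impl}
                if impl == assign[s] or cost(trial) > budget:
                    continue
                gain = diversity(trial) - base
                if gain > 0 and (pick is None or gain / c > pick[0]):
                    pick = (gain / c, s, impl)
        if pick is None:
            return assign
        assign[pick[1]] = pick[2]
```

In this instance both paths share the nginx proxy, and the web tier also runs nginx, so the cheapest single migration (proxy to haproxy) already raises the least-effort diversity from 2 to 3 on every path; replacing the web server with apache would cost twice as much for the same gain.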
