Monitor placement for large-scale systems

System administrators deploy network monitors, such as traffic analyzers, network intrusion prevention systems, and firewalls, to protect a network's hosts from remote adversaries. The problem is that vulnerabilities arise primarily from errors in host software and configuration, yet modern hosts are too complex for administrators to reason about by hand, so in practice monitoring is limited to known attacks. Researchers have proposed automated methods for computing network monitor placements, but these methods either fail to model attack paths within hosts or fail to scale beyond tens of hosts. In this paper, we propose a method for computing network monitor placements for large-scale systems that leverages the commonality among the access control policies available on hosts. We introduce an equivalence property, called flow equivalence, which reduces the size of the placement problem so that it is proportional to the number of unique host configurations rather than the number of hosts. This reduction enables us to solve mediation placement problems for thousands of hosts, each with an access control policy containing thousands of rules, in seconds (less than 125 seconds for a network of 9500 hosts). Our method enables administrators to place network monitors in large-scale networks automatically, based on the actual host configurations, to detect and prevent network-borne threats.
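The following is an added illustration, not code from the paper, of the reduction the abstract describes: hosts whose access control policies are identical induce identical internal information-flow graphs, so the attack-path analysis can be run once per unique policy and its result reused for every host in that class. The policy rules, type names (httpd_t, mysqld_t, kiosk_t and so on), the fleet, and the choice of protected objects are all constructed for the example; the analysis itself is a plain reachability search from network input to protected objects and is a simplification, not the paper's placement algorithm.

```python
"""Added illustration: collapse flow-equivalent hosts before analysing attack paths.

Hosts with identical access control policies have identical internal flow graphs,
so the path analysis is run once per unique policy and reused for every member
host. All type names and rules below are constructed for this example.
"""
from collections import defaultdict, deque

NET = "net_t"  # object type standing for data arriving from the network

# Constructed sample policies: each rule is (subject_type, object_type, permission).
WEB_POLICY = frozenset({
    ("httpd_t", NET, "read"),
    ("httpd_t", "httpd_log_t", "write"),
    ("logrotate_t", "httpd_log_t", "read"),
    ("logrotate_t", "etc_t", "write"),       # network data can reach etc_t via logrotate
})
DB_POLICY = frozenset({
    ("mysqld_t", NET, "read"),
    ("mysqld_t", "mysqld_db_t", "write"),    # network data reaches the database directly
    ("backup_t", "mysqld_db_t", "read"),
    ("backup_t", "backup_store_t", "write"),
})
KIOSK_POLICY = frozenset({
    ("kiosk_t", NET, "read"),
    ("kiosk_t", "tmp_t", "write"),           # network data only reaches scratch objects
    ("kiosk_t", "kiosk_cache_t", "write"),
})
# Objects whose integrity must not depend on unmediated network input (constructed).
PROTECTED = frozenset({"etc_t", "mysqld_db_t", "shadow_t"})


def build_fleet(n):
    """Constructed fleet of n hosts drawn round-robin from the three sample policies."""
    policies = [WEB_POLICY, DB_POLICY, KIOSK_POLICY]
    return {f"host{i:05d}": policies[i % len(policies)] for i in range(n)}


def flow_graph(policy):
    """Information-flow edges implied by the rules: a read rule gives object->subject,
    a write rule gives subject->object."""
    g = defaultdict(set)
    for subj, obj, perm in policy:
        if perm == "read":
            g[obj].add(subj)
        elif perm == "write":
            g[subj].add(obj)
    return g


def reaches(g, start, targets):
    """Breadth-first search: is any node in targets reachable from start?"""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node in targets:
            return True
        for nxt in g[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def mediation_points(policy, protected):
    """Subjects that read network input and from which a protected object is
    reachable: the network edge into each such subject needs a monitor."""
    g = flow_graph(policy)
    return frozenset(s for s in g[NET] if reaches(g, s, protected))


def place_monitors(fleet, protected):
    """Group hosts by identical policy (the flow-equivalence classes used here),
    analyse each class once, and expand the result to every member host.
    Returns (placement per host, number of path analyses performed)."""
    classes = defaultdict(list)
    for host, policy in fleet.items():
        classes[policy].append(host)  # frozenset policies hash by content
    placement, analyses = {}, 0
    for policy, hosts in classes.items():
        analyses += 1
        points = mediation_points(policy, protected)
        for host in hosts:
            placement[host] = points
    return placement, analyses


if __name__ == "__main__":
    placement, analyses = place_monitors(build_fleet(9000), PROTECTED)
    print(f"{len(placement)} hosts analysed with {analyses} path analyses")
    for host in ("host00000", "host00001", "host00002"):
        print(host, sorted(placement[host]) or "no monitor needed")
```

Running the block analyses a fleet of 9000 constructed hosts with only three path analyses, one per unique policy; the web and database classes each get a monitor on the network edge into the process that reads network input, while the kiosk class, whose network-tainted process writes only to scratch objects, needs none. In a real deployment the equivalence key would be the canonicalised policy actually loaded on each host, since two hosts that differ in a single rule are not equivalent.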
