Summary: Case study (experiments) related to intrusion response, security analysis

Here is my problem on doing such research:

As most of existing work did before, they developed a tool/package/system aiming at specific environment or they have data set with intrusions injected inside already. At least, they are doing security measurement, analysis or security modeling at some kind of specific physical system or research object. If they do how to response, they will have their intrusion alerts from some kind of intrusion detection system (e.g.bro, snort) as their input, or simply use some trace. It cannot come from nowhere. It has to base on some kind of actual real system or results from other tools. Maybe I myself still stuck with engineering thought, not academic thought. Correct me here, please. Thanks.

Below is a list of most representive examples:

William H Sanders from UIUC

RRE: A Game Theoretic Intrusion Response and Recovery Engine

cited by 12, Dependable System and Networks (DSN 2009)

This paper develop a Response and Recovery Engine (RRE) uses alert notifications from Snort, and then choose an optimal response actions by solving a partially observable competitive Markov decision process. They made process control network for a power grid and SCADA as their case study. In order to investigate how such RRE works in reality, they implemented RRE on top of Snort, running on Ubuntu system.

ADEPTS: adapative intrusion response using attack graphs in an e-commerce environment

Saurabh Bagchi from Purdue

cited by 29, DSN 2005

This paper develop ADEPTS to monitor and track intrusions in real-time and deploy responses to contain and restrict the spread of attacks in the system. It also has a testbed for experiments on ADEPTS. The author setup a payload system to mimic an e-commerce webstore, with web servers running applications. Different from RRE, it uses multiple detectors which communicate with ADEPTS, such as Snort and Libsafe. Three experiments were set to demonstrate this ADEPTS 1) for survivabilitity 2) ability to deploy response as the speed of attack varies, 3) adaptation in ADEPTS in choosing responses. Attack graph is used in this paper to show attack goals, since it could provide a possible path of spread of the intrusion.

Intrusion Response as a resource allocation problem

Michael Bloem, Tansu Alpcan, Tamer Basar from uiuc, information trust institute

This paper develop an algorithm for optimal allocation of the systm administrator's time available for responding to attacks, by modeling the interaction between malicious attackers and the intrusion detection system as a noncooperactive non-zero sum game. For the experiment part, this paper implement an IDS prototype in MATLAB and demonstrate its operation under various scenarios with and without such algorithm. One common thing is that it studies intrusion response in an access control systems (PR-BAC), developed by the Boeing company.

other works like Feedback control applied to survivability: A host-based autonomic defense system, which describes the design of a prototype host-based ADS intended to protect a Linux-based web server from automated Internet worm attacks; Using alert verification to identify successful intrusion attempts, presents tool that performs real-time verification of attacks detected by an intrusion detection system. It is not a response, but to verify the alert produced by IDS.

security analysis using Fault Trees (FT)

There are many previous work on using fault trees in reliability and availability modeling. Very few is on safety modeling and security modeling of cyber physical system. Fault trees are more powerful than reliability block diagrams (RBD) with shared nodes.

One potential idea is that I could transform the system model into fault trees and then compared them. Fault trees could be used to validate the system model. Fault trees are well suited for this purpose because they are specifically intended to capture the relationship between component failure and system faults, with an assumption that all basic events be statistically independent.

But there is a key problem here: What's your research object? At least there should be a real system or existing model you can investigate into, some people have there physical system like UAV, while some other people may have their SCADA simulation system. What do you have? Simulation model of NCS? Maybe.

Combinatorial models

--Reliability Block Diagrams: (RBD) map the operational dependency of a system on its components and not the physical structure of the system, including blocks, edges, and dummy nodes. Some software packages have been developed to support construction and solution of RBD models and now it is frequently used in reliability and availability modeling. We have yet to see an application of RBDs in security modeling, but needs to create a compositional theory of security first.

Here is a brief introduction of RBDs: http://www.reliabilityeducation.com/rbd.pdf

It defines logical interaction of failures within a system that are required to sustain system operation. Once the blocks are configured properly and block data is provided, the failure rate, MTBF(mean time between failures), reliability, and availability of the system can be calculated. When it comes to security field, we need to care confidentiality and integrity, using the same method. It is also a good idea if we could use RBD to do security modeling and then quantitatively measure the security of system in order to help IT manager to manage the trade-off between functionality and security.

Weekly Summary

This week I have been doing two things basically.

One is to quantitatively measure the performability and security of the system, that is to quantify the amount of security provided by a system-level method. It needs first to specify the security policy, describe the vulnerabilities of the target system, and then quantitatively evaluation based on some model, like privilege graph model. One crucial factor is to define "cost" for them, such as intrusion damage cost, response cost. I was considering relate this cost to their performance.

Second is that I'm trying to build a intrusion response system based on our cps. First I have to get some intrusion alerts as the input to this IRS from some kind of intrusion detection system. Right now I'm doing with Bro developed by a researcher in UCB. It may need at least one week to get familiar with such system.

some existing intrusion response system

Bro: http://www.bro-ids.org/

Developed by Vern Paxon, a research at UC Berkely, it is a network-based, misuse intrusion detection system. Packets are passively captured from the network and processed into an event stream. The event stream is then compared against a policy script interpreter to detect intrusions. Reports are generated in the form of connection summaries and real-time alerts. Approximately 40 Mb of connection summaries and 20 real-time notifications occur each day. While automatic intrusion response beyond reporting and alerts is discussed as future research, it is currently not implemented.

Besides, I have saw a good paper <Cyber-Critical Infrastructure Protection Using Real-time Payload-based Anomaly Detection> written by Patrick. It uses the transport layer packets captured by Bro and then extract features from those TCP payload.

I am thinking if you want to do intrusion response, you may have to get some output/alerts from some kind of intrusion detection system. Right now I am getting myself familiar with this great tool.

Snort: http://www.snort.org/

It is also a famous network misuse intrusion detection system consists of three components: a packet decoder, a rule-based detection system, and an alert system. Intrusion response is limited to reports and alarms. Little of the work is based on such detection system.

The ultimate goal:

Expand all these network tools to cyber-physical system and come up with my own detection and response system. Theoretical part would be how to define abnormal behavior, build a model to quantitatively denote or rate the security level.

quantitatively measure the performance, dependability, perfomability and security

A unified approach for specifying measures of performance, dependability and performability

--W.H.Sanders

Using some mathematical structure, it is also possible to measure cps security in terms of the amount of "reward(or some other term)" during a specified interval of time, or the rate of accumulation of reward at a specified instant of time or in steady state. It is an evaluation of performance, perfomability based on stochastic activity network model, which could be expanded to security region.

--However, it is hard to understand this reward model, need more thoughts here!

Quantitative Evaluation of Information System Security

--R. Ortalo

This paper first specify the security policy, describe the vulnerability of target system (or organization), and then a quantitative evaluation approach based on the privilege graph model (could be some other model). This method then applied to a security-critical real organization: a medium size bank agency. Also, it is important to illustrate the security measures.

Overall, the goal is to maintain a satisfactory level of security, without impeding the operation of the system. System is still running (well) under malicious attack.

Usual security evaluation methods: evaluation criteria (ITSEC, Information Technology Security Evaluation Criteria, 1991) or risk analysis (Anderson, Comparing Risk Analysis Methodologies, 1991)

Cons: Previous work only focus on the information system design, rather than on the actual system operation (case study).

The method proposed in this paper is also model-based evaluation approach.

1)definition of security policy: security objectives and security rules (specification language)

2)modeling vulnerabilities of the organization, adopted from Dacier and Deswarte, 1994, called a privilege graph. The arcs, the nodes, and the transformation

Using model to quantitatively measure the security of cps for sure would be an promising field. to my best knowledge, I have seen two model, one is use Petri-net with stochastic model, and the other one is use privilege graph. Soon, I will get details for such method and finally come up with my own method.

prospective research

I found that no system-level methodology currently exists that can quantify the amount of security provided by a particular system-level research. Most of security methods have been qualitative. We may find a way that can quantitatively rate the security for cps, and give them a score just like what the security software does to our windows system. It is therefore useful to categorize measures of system behavior. There are some previous works related with "reward models" using the amount of reward accumulated during a specified interval of time, or a "reward rate" at a specified instant of time in steady state.

an idea on intrusion response

Intrusion response, as it said, it is kind of a reaction to some attacks happening (ongoing) in the system already. It effects after the adversary successfully attacked the system. The goal for such research is to bring an insecure network (CPS) under ongoing attacks to its normal operational mode with the minimum possible cost.

For example, if our CPS is under light DoS attack, controller and plant could still talk with each other, but there is large delay on the network caused by DoS attack. The UAV plant may not track the signal well. This is the cost, if we could define it formally, it would be much better. Then how could we response/react to this insecure network to make the possible cost minimum, which strategy should we choose to response/react based on which kind of selection algorithm.

But if we do so, that will make this problem as mitigating the attack.

Intrusion response and recovery

RRE: A Game Theoretic Intrusion Response and Recovery Engine (good paper)

--Saman Zonouz, Himanshu Khurana

This paper has implemented RRE on top of Snort, which is an open-source signature based IDS. RRE employs a game-theoretic response strategy against adversaries modeled as opponents in a two-player Stackelberg stochastic game. An important term used here is Attack-Response Trees (ARTs) to analyze undesired security events. By solving a partially observable competitive Markov decision process that is derived from attack-response trees, RRE will choose an optimal response actions. Basically, it depends the detection of Snort (alerts from here), using its alert to figure out respective response.

RRE is based on automated cost-sensitive model. What's great in this paper is that it modeled the security maintenance of computer networks as a two-player game in which the attacker and response engine try to maximize their own benefits by taking optimal adversary and response actions, respectively. Using ART, RRE explicitly takes inherent uncertainties into account along with alerts from Snort.

It is good method for small network (LAN) IDs.

Automated Response Using System-Call Delays

--Anil somayaji

This paper developed a system called pH (for process homeostasis), which can detect and stop intrusions before the target system is compromised. It monitors every executing process on a computer at the system-call level, and responds to anomalies by either delaying (slowing down) or aborting system calls. Normal behavior is determined by the currently running binary program.

pH is implemented as a patch for the Linux 2.2 kernel. They modified the system call dispatcher so that it calls a pH function prior to dispatching the system call. Basically, the author insert a independent process into Linux to monitor the entire process and detect the abnormal process.

It is good for single-host IDs.

Cooperating Security Managers: A Peer-Based Intrusion Detection System

--Maj. Gregory B. White, Eric A. Fisch

This paper designed and implemented CSM, which could perform a larger network IDS. Individual CSM works on each individual hosts. There is a security manager working to cooperatively and autonomously communicate with them and determine the current state of a system.

The prototype of CSM was developed using a Sun SPARC-station LX running SunOS v5.3. Basically, CSM is a package patched in OS to detect intrusive activities. Applied to a network, CSM is designed to perform intrusion detection and reporting functions in a distributed environment without requiring a designated central site or server to perform the analysis of network audit data.

Toward Cost-Sensitive Modeling for Intrusion Detection and Response (good paper)

--Wenke Lee@gatech

This paper builds a cost-sensitive intrusion detection model, including development cost, operational cost, damage cost and the cost of manual and automated response to intrusions. this kind of cost-sensitive machine learning techniques can produce detection models that are optimized for user-defined cost metrics.

The experiment uses the data from a military network with a wide variety of intrusions injected into the network over a period of 7 weeks. The data was divided into two parts: training set and test set.

The main objective in applying such a model is to compare intrusion damage and response cost to

Here is what I thought:

As we have seen above, almost all the previous work has developed a tool/package/system aiming at specific environment or they have data set with intrusions injected already. Since we don't have such kind of data set/trace, we could try to take advantage of the unique environment --- our cps simulation environment to develop a similar detection and response engine, as a goal. One problem is that this may not be easily ported to other internetworked environment. But one good thing is that it could be used to test different kinds of response strategy used to pick out a best response against the adversaries.