Shameli-Sendi, Alireza, Dagenais, Michel and Wang, Lingyu (2017) Realtime Intrusion Risk Assessment Model based on Attack and Service Dependency Graphs. Computer Communications, pp. 1-37. ISSN 0140-3664 (In Press)
Full text: wang-computer-communications-2017.pdf (PDF, 3MB), Accepted Version, available under License Spectrum Terms of Access.
Official URL: http://dx.doi.org/10.1016/j.comcom.2017.12.003
Abstract
Network services are becoming larger and increasingly complex to manage. It is extremely critical to maintain users' QoS, the response time of applications, and critical services in high demand. On the other hand, we see impressive changes in the ways in which attackers gain access to systems and infect services. When an attack is detected, an Intrusion Response System (IRS) is responsible for accurately assessing the value of the loss incurred by a compromised resource and applying the proper responses to mitigate the attack. Without a proper risk assessment, our automated IRS will reduce network performance, wrongly disconnect users from the network, or result in high costs for administrators re-establishing services, and become a DoS attack on our own network, which will eventually have to be disabled. In this paper, we address these challenges and propose a new model that combines the Attack Graph and Service Dependency Graph approaches to calculate the impact of an attack more accurately than existing solutions. To show the effectiveness of our model, a sophisticated multi-step attack was designed to compromise a web server and acquire root privilege. Our results illustrate the efficiency of the proposed model and confirm the feasibility of the approach in real time.
Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Article
Refereed: Yes
Authors: Shameli-Sendi, Alireza and Dagenais, Michel and Wang, Lingyu
Journal or Publication: Computer Communications
Date: 10 December 2017
Digital Object Identifier (DOI): 10.1016/j.comcom.2017.12.003
Keywords: Network attack graph; Network service dependency graph; Attack impact; Forward impact propagation; Backward impact propagation; Response cost computation; Response system; Trace; Kernel event
ID Code: 983308
Deposited By: Danielle Dennie
Deposited On: 14 Dec 2017 01:41
Last Modified: 08 Dec 2018 01:00