
Integrated "Mixed" Network Security Monitoring: A Proposed Framework

Integrated "Mixed" Network Security Monitoring: A Proposed Framework. William T. Scherer, Leah L. Spradley and Marc H. Evans, University of Virginia. NSF/NIJ Symposium on “Intelligence and Security Informatics”, TUESDAY, JUNE 3, 2003 – Tucson, AZ.


Presentation Transcript


  1. Integrated "Mixed" Network Security Monitoring: A Proposed Framework. William T. Scherer, Leah L. Spradley and Marc H. Evans, University of Virginia. NSF/NIJ Symposium on “Intelligence and Security Informatics”, TUESDAY, JUNE 3, 2003 – Tucson, AZ. Session B: Monitoring & Visualization 3:50-4:30. SESSION CHAIR: LINA ZHOU

  2. Introduction: Agenda • Intro – Background and what to do? • Conceptual Model • Communication options • Security vectors • Analytical services • Prototype • Questions? • The End… go golf or look at the great scenery University of Virginia - Integrated "Mixed'' Network Security Monitoring--A Proposed Framework

  3. Introduction: Background • Large networks are integrating in function with other large networks without handing off overall control • The Capital Wireless Integrated Network (CapWIN) is such a system, integrating Police, Fire, EMS, and Transportation • The University of Virginia (UVA) contributes its experience with large-scale transportation networks - Intelligent Transportation Systems (ITS) • ITS services rely heavily on technologically facilitated information flow • ITS is a “mixed” computer network • Security solutions are highly complicated • Analyzing network attacks and vulnerabilities and determining the security status of the network are important early steps • How to address ‘super-network’ trust/security?

  4. Introduction: CapWIN

  5. Introduction: What to do • Determine sub-system security “state” • Determine entire system security “state” • Develop a classification scheme for individual component system state • Develop a classification system to determine a system-wide state • Develop possible policies and control strategies that could be used for any system-wide state

  6. Conceptual Model: Main Components • A communication system that allows each participating agency to provide security information. • A data management system that maintains the current and historical information provided by the agencies. • An analytical engine that can determine the overall system state by integrating the individual systems' security states. • A web-based interface that can present the analysis to an overall system monitor and to member agencies.

  7. Conceptual Model: Communication and Database Systems • Communications Systems • Numerous methods are possible for a network such as CapWIN, considering the various disparate systems and practices in place • Examples/considerations include: • ‘Ping’ sent from the core system - tests connectivity and limited network characteristics • SMTP, FTP, etc. • Data Management System • To maintain time- and participant-referenced incoming security information • To maintain time-referenced calculated security states

  8. Conceptual Model: Analytical Engine • Security vectors • Subsystem security score • Adjusted subsystem security score • System security score

  9. Conceptual Model: Analytical Engine • Security Vectors • Severity: Level of potential risk involved, e.g., 1, 2 or 3 • Exposure: Level of security practiced, e.g., 1, 2 or 3 • Current Status: For instance, 1 is “no detected events”, 2 means “suspicious activities”, 3 means “known to be under attack.”

  10. Conceptual Model: Analytical Engine • Subsystem security score… • The individual agency score, IAit, for agency i at time t is defined in terms of: • N = # agencies (or subsystems) • M = # components of the security vector • K = # of possible integer values (non-zero) for each of the vector elements, e.g., if K = 3 then the set of values is (1,2,3). These are assumed to be ordered from best to worst. • Vit = vector of length M for each agency i at time t. • wj = weight of component j of the security vector, where ∑wj = 1.

  11. Conceptual Model: Analytical Engine • Adjusted Subsystem Security Score… • The IAit is adjusted based on the time delay in reports from the agency. Assume that it has been Li minutes since the last report from agency i. Also assume the mean reporting interval for agency i is μi and the standard deviation is σi. Then the individual score is adjusted to AIAit, where

$$
AIA_{it} =
\begin{cases}
IA_{it} & \text{if } L_i - \mu_i \le 0,\\[2pt]
IA_{it}\, e^{\,c\,(L_i - \mu_i)} & \text{if } 0 < L_i - \mu_i \le g\sigma_i,\\[2pt]
1.00 & \text{if } L_i - \mu_i > g\sigma_i,
\end{cases}
\qquad c = \frac{\ln(1/IA_{it})}{g\sigma_i},
$$

and g is a constant. (With this choice of c the middle case reaches IAit · e^{ln(1/IAit)} = 1.00 exactly at Li − μi = gσi, so the adjustment is continuous: an agency that stops reporting drifts smoothly to the worst-case score rather than jumping to it.)

  12. Conceptual Model: Analytical Engine • System Security Score… • awi = weight for agency i, where the weights are assumed to be integers between 1 and Q. • ISt = integrated security score.

  13. Conceptual Model: Analytical Engine • System-Wide State Example… • Level 1 - 0.01 < ISt < 0.05: No known system security problems • Level 2 - 0.05 < ISt < 0.10: Minor security problems, considered non-threat, no action • Level 3 - 0.10 < ISt < 0.20: Security problem, nuisance threat, managed locally, no action • Level 4 - 0.20 < ISt < 0.45: Serious major threat being assessed, some systems partially disconnected from the system • Level 5 - 0.45 < ISt < 0.65: Major threat, system under administrator control, numerous systems isolated • Level 6 - 0.65 < ISt < 1.00: Complete isolation of all sub-systems until state change
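The analytical engine of slides 9 through 13, carried through in runnable form as an added example (this is not the authors' code). The slides give the delay adjustment AIAit and the six system-wide levels exactly, and those are implemented as stated; the IAit and ISt formulas were slide images that did not survive in the transcript, so the normalisation used for them here is an assumption: IAit is taken as the wj-weighted mean of (Vitj − 1)/(K − 1), floored at 0.01 (the lowest value the level table uses, which also keeps ln(1/IAit) finite), and ISt as the awi-weighted mean of the adjusted agency scores. The weights, g, and the three agency reports are constructed demo values, not CapWIN data.

```python
"""Analytical engine of slides 9-13 as runnable code.  Added example, not the
authors' code.  AIA_it and the level table are as on the slides; the two
normalisations below are ASSUMED because their formulas are missing:
  IA_it = sum_j w_j * (V_itj - 1) / (K - 1), floored at 0.01   (0.01 best, 1.0 worst)
  IS_t  = sum_i aw_i * AIA_it / sum_i aw_i                      (aw_i integer in 1..Q)
"""
import math
from dataclasses import dataclass
from typing import Sequence

K = 3                      # each vector element is an integer in 1..K, ordered best to worst
WEIGHTS = (0.4, 0.3, 0.3)  # w_j for (severity, exposure, current status); assumed values, sum to 1
G = 2.0                    # g: sigma_i multiples of lateness tolerated before the worst case; assumed
IA_FLOOR = 0.01            # lowest score used by the level table on slide 13


@dataclass
class AgencyReport:
    agency_id: int
    vector: Sequence[int]        # V_it = (severity, exposure, current status)
    minutes_since_report: float  # L_i
    mean_interval: float         # mu_i
    stdev_interval: float        # sigma_i
    agency_weight: int           # aw_i


def subsystem_score(vector, weights=WEIGHTS, k=K):
    """IA_it under the assumed normalisation.  Malformed vectors are rejected
    rather than scored, so a bad report can never be mistaken for a clean one."""
    if len(vector) != len(weights) or abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must match the vector length and sum to 1")
    if any(not (isinstance(v, int) and 1 <= v <= k) for v in vector):
        raise ValueError(f"vector elements must be integers in 1..{k}")
    raw = sum(w * (v - 1) / (k - 1) for w, v in zip(weights, vector))
    return max(IA_FLOOR, raw)


def adjusted_score(ia, delay, mu, sigma, g=G):
    """AIA_it exactly as on slide 11: unchanged while the agency reports on time,
    exponential drift towards 1.0 inside the g*sigma window, and the worst case
    (1.00) once the agency has been silent longer than that.  A quiet agency is
    therefore treated as compromised, never as healthy."""
    late = delay - mu
    if late <= 0:
        return ia
    if late > g * sigma:          # also handles sigma == 0 before any division
        return 1.0
    c = math.log(1.0 / ia) / (g * sigma)
    return ia * math.exp(c * late)


def integrated_score(reports, g=G):
    """IS_t under the assumed aw_i-weighted mean of adjusted agency scores."""
    if not reports:
        raise ValueError("no agency reports")
    if any(r.agency_weight < 1 for r in reports):
        raise ValueError("agency weights must be integers >= 1")
    total = sum(r.agency_weight for r in reports)
    return sum(
        r.agency_weight * adjusted_score(subsystem_score(r.vector), r.minutes_since_report,
                                         r.mean_interval, r.stdev_interval, g)
        for r in reports
    ) / total


# Upper bounds of levels 1-5 from slide 13 (half-open on the upper side);
# anything at or above 0.65 is level 6, complete isolation.
LEVEL_UPPER_BOUNDS = ((0.05, 1), (0.10, 2), (0.20, 3), (0.45, 4), (0.65, 5))


def system_level(is_t):
    for upper, level in LEVEL_UPPER_BOUNDS:
        if is_t < upper:
            return level
    return 6


# Constructed demo input (not CapWIN data): three agencies, mean reporting
# interval 10 min with sigma 5 min, so the tolerance window is g*sigma = 10 min.
SAMPLE_REPORTS = [
    AgencyReport(1, (1, 1, 1), minutes_since_report=8, mean_interval=10, stdev_interval=5, agency_weight=3),   # clean, on time
    AgencyReport(2, (2, 2, 3), minutes_since_report=15, mean_interval=10, stdev_interval=5, agency_weight=2),  # under attack, 5 min late
    AgencyReport(3, (1, 2, 1), minutes_since_report=30, mean_interval=10, stdev_interval=5, agency_weight=1),  # silent for 20 min
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        ia = subsystem_score(r.vector)
        aia = adjusted_score(ia, r.minutes_since_report, r.mean_interval, r.stdev_interval)
        print(f"agency {r.agency_id}: IA={ia:.3f} AIA={aia:.3f}")
    is_t = integrated_score(SAMPLE_REPORTS)
    print(f"IS_t={is_t:.3f} -> level {system_level(is_t)}")
```

Two things the numbers make visible: agency 2, five minutes late with a window of ten, is scored at the square root of its own IA (0.65 becomes 0.806), since the exponent is exactly half of ln(1/IA); and agency 3, whose own vector is nearly clean, contributes the full 1.00 because it has gone silent for twice the window. With the assumed weighting the three reports land at ISt ≈ 0.44, level 4, driven mostly by the silent agency rather than by the one under attack, which is the behaviour a monitor wants when a peer stops answering.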

  14. Data Analysis: Composite Index

  15. Prototype: CapWIN Agencies for Demo System

  16. Prototype: Information Exchange

  17. Prototype: Web Page Design

  18. Prototype: Web Page Design

  19. Prototype: Web Page Design

  20. Prototype: Next Step – Expansion – CapWIN “Front End” • Information exchange between the CapWIN control center and the mobile units of the participating agencies of CapWIN. • It would be beneficial for CapWIN to identify whether the cause of communications difficulties lies with the service providers.

  21. Prototype: Next Step – Expansion – CapWIN “Front End”

  22. Prototype: Next Step – Expansion – CapWIN “Front End” • Use the average data rates to estimate the availability of each service provider's network. • Routinely send data packets to a single, stationary probe located in cells belonging to each of the three service providers and record the round-trip time. • This concept is very similar to estimating the “network status” for the back end of CapWIN.

  23. CapWIN “Front End”

  24. Conclusions • An initial design of a security monitoring system for integrated, multi-agency/entity systems • Architecture of the system, and a prototype that uses simulation to illustrate the concept • Our future efforts will involve, as described in an earlier section, building a working system for the CapWIN project that includes user state and database state

  25. Acknowledgement • For fiscal and other support, we would like to thank: • Tom Jacobs of the Capital Wireless Integrated Network (CapWIN) program • Mike O’Shea of the National Institute of Justice’s Office of Science and Technology • Brian Smith, Ph.D., of the University of Virginia’s Department of Civil Engineering • For research, programming, etc., we would like to thank: • K.P. White, Ph.D., of the University of Virginia’s Department of Systems and Information Engineering • And the tireless efforts of UVA students Yiyi Zhang, Adam Shartzer, Lindsey Lane, and Loren Bushkar, who assisted in an earlier version of this paper and research efforts.

  26. Questions

  27. Contact Information • William T. Scherer, Associate Professor, Department of Systems and Information Engineering, University of Virginia, Charlottesville, VA 22904; Telephone (434) 982-2069, Fax (434) 982-2792, E-mail: wts@virginia.edu • Leah L. Spradley, BBN Technologies, 1300 North 17th Street, Arlington, VA, 22209; Telephone (703) 284-1200 • Marc H. Evans, Research Engineer, Smart Travel Lab, Department of Civil Engineering, University of Virginia, Charlottesville, VA 22904; Telephone (434) 293-1992, Fax (434) 982-2972, E-mail: mhe8e@virginia.edu

  28. Additional slides

  29. Communication System: XML Schema (as shown on the slide the schema had no XSD namespace declaration, no model group around the top-level elements, a misspelt "agecnyid" and "assesment", and element names containing spaces, which are not legal XML names; the well-formed version below keeps the same fields)

    <?xml version="1.0" encoding="ISO-8859-1" ?>
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <xs:element name="securitydata">
        <xs:complexType>
          <xs:sequence>
            <xs:element name="agencyid" type="xs:integer"/>
            <xs:element name="currentstatus" type="xs:integer"/>
            <xs:element name="alert">
              <xs:complexType>
                <xs:sequence>
                  <xs:element name="analyzer" type="xs:string"/>
                  <xs:element name="createtime" type="xs:string"/>
                  <xs:element name="detecttime" type="xs:string"/>
                  <xs:element name="analyzertime" type="xs:string"/>
                  <xs:element name="source" type="xs:string"/>
                  <xs:element name="target" type="xs:string"/>
                  <xs:element name="classification" type="xs:string"/>
                  <xs:element name="assessment" type="xs:string"/>
                  <xs:element name="additionaldata" type="xs:string"/>
                </xs:sequence>
              </xs:complexType>
            </xs:element>
          </xs:sequence>
          <xs:attribute name="securitydataid" type="xs:string" use="required"/>
        </xs:complexType>
      </xs:element>
    </xs:schema>
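A receiver-side parser for the securitydata message, added here as an example; it is not the authors' prototype code. It assumes the schema's element names without embedded spaces (agencyid, currentstatus, additionaldata) and, unlike the schema as drawn, lets <alert> be absent so that a status-1 “no detected events” report has nothing to fabricate. The message arrives over whatever channel slide 7 settles on from a peer agency's network, so it is treated as untrusted input: size-capped, refused if it carries a DTD or entity declaration (nothing in this schema needs one, and that is the usual vehicle for entity-expansion attacks on XML parsers), and checked field by field before any score is computed from it. The sample report, its identifiers and addresses are constructed.

```python
"""Receiver-side parser for the securitydata message.  Added example, not the
authors' code.  Assumes element names without spaces (agencyid, currentstatus,
additionaldata) and treats <alert> as optional."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

MAX_REPORT_BYTES = 64 * 1024   # assumed cap; a real report is a few hundred bytes
VALID_STATUS = {1: "no detected events", 2: "suspicious activities", 3: "known to be under attack"}
ALERT_FIELDS = ("analyzer", "createtime", "detecttime", "analyzertime", "source",
                "target", "classification", "assessment", "additionaldata")


class ReportError(ValueError):
    """Raised for any report the receiver should refuse to score."""


@dataclass
class Alert:
    analyzer: str
    createtime: str
    detecttime: str
    analyzertime: str
    source: str
    target: str
    classification: str
    assessment: str
    additionaldata: str


@dataclass
class SecurityData:
    securitydataid: str
    agencyid: int
    currentstatus: int          # 1, 2 or 3 as on slide 9
    alert: Optional[Alert]


def _child_text(parent, name):
    node = parent.find(name)
    if node is None:
        raise ReportError(f"missing <{name}>")
    return (node.text or "").strip()


def parse_report(raw: bytes) -> SecurityData:
    if len(raw) > MAX_REPORT_BYTES:
        raise ReportError("report exceeds size cap")
    # No legitimate report carries a DTD, so refuse them before the parser runs:
    # this keeps entity-expansion payloads away from the XML library entirely.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ReportError("DTD and entity declarations are not accepted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise ReportError(f"malformed XML: {exc}") from None
    if root.tag != "securitydata":
        raise ReportError(f"unexpected root element <{root.tag}>")
    sdid = root.get("securitydataid")
    if not sdid:
        raise ReportError("securitydataid attribute is required")
    agency_text = _child_text(root, "agencyid")
    status_text = _child_text(root, "currentstatus")
    try:
        agencyid, status = int(agency_text), int(status_text)
    except ValueError:
        raise ReportError("agencyid and currentstatus must be integers") from None
    if status not in VALID_STATUS:
        raise ReportError(f"currentstatus {status} is outside 1..3")
    alert_node = root.find("alert")
    alert = None
    if alert_node is not None:
        alert = Alert(*(_child_text(alert_node, f) for f in ALERT_FIELDS))
    return SecurityData(sdid, agencyid, status, alert)


def is_acceptable(raw: bytes) -> bool:
    """True when parse_report accepts the message, False when it refuses it."""
    try:
        parse_report(raw)
        return True
    except ReportError:
        return False


# Constructed sample report (not a real CapWIN message).
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<securitydata securitydataid="demo-0001">
  <agencyid>7</agencyid>
  <currentstatus>2</currentstatus>
  <alert>
    <analyzer>ids-sensor-2</analyzer>
    <createtime>2003-06-03T15:50:00</createtime>
    <detecttime>2003-06-03T15:49:40</detecttime>
    <analyzertime>2003-06-03T15:49:41</analyzertime>
    <source>10.0.5.23</source>
    <target>10.0.1.4</target>
    <classification>portscan</classification>
    <assessment>suspicious</assessment>
    <additionaldata>12 ports probed in 3 s</additionaldata>
  </alert>
</securitydata>
"""

if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(report.agencyid, VALID_STATUS[report.currentstatus], report.alert.classification)
```

The parsed currentstatus is the third element of the agency's security vector on slide 9; the other two (severity, exposure) are not carried by this schema and would have to come from the data management system's record of the agency. Refusing out-of-range status values matters because the analytical engine assumes the vector elements are ordered best to worst within 1..K; a value of 0 or 9 slipped in by a misconfigured or hostile sender would otherwise skew the integrated score in whichever direction the sender chose.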

  30. Prototype: Web Page Design

  31. Simulated time series of the system security score data

  32. Data Analysis: Histogram

  33. Data Analysis: CUSUM
