170 likes | 192 Views
Intrusion Countermeasures Security Model based on Prioritization Scheme for Intranet Access Security. Authors Professor Shambhu Upadhyaya Professor H. R. Rao Manish Gupta Shamik Banerjee. Contributions of Paper. Framework for Effective Response Mechanism
E N D
Intrusion Countermeasures Security Model based on Prioritization Scheme for Intranet Access Security Authors Professor Shambhu Upadhyaya Professor H. R. Rao Manish Gupta Shamik Banerjee
Contributions of Paper • Framework for Effective Response Mechanism • RBAC and Prioritization based Vulnerability assessment scheme • Optimize Alert Engine detections • Faster turn-around time-to-detection • Proposed model can be used as a plug-in for an Alert Engine
Existing Intranet security access control models • Access Control List • Discretionary Access Control • Mandatory Access Control • Role Based Access Control Model • RBAC1 • RBAC2 • RBAC3
Framework based on RBAC (contd..) • Traditionally approach granting specific permissions for each application for each user within an organization. • ! Access Management is cost-prohibitive and error-prone • RBAC uses the user’s role as the key to access rather than the user’s identification • Task-based authorizations map the access permissions at the application and enterprise level based on the end transaction • The current paper suggests a model that • Synergizes the RBAC with transaction based access control approach • Enhances Alert Engine’s Proactively • Improves Turn-Around Time for intrusion remediation
Our Framework based on RBAC Nomenclature • Applications (A) {A1, A2, A3,……,An}. • Application transactions (X) {X1, X2, X3, X4….. Xm} • Application roles /access levels (L) AiLj • Application Access Level Transaction (ALAX) Map • Organizational functional departments (D) {D1, D2, D3, D4…, Dp} • Organizational roles(R) • Application Access Level Departmental Role (ALDR) MapAiLj DkRp.
Proposed framework to derive access priority scheme The paper proposes generic framework for any corporate intranet to prioritize its security events monitoring and design a model for its access scheme based on expense/impact severity levels of misuse of intranet • STEPS • Identify and categorize transactions based on importance and cost-levels in terms of impact in case of misuse. • Analyze and Identify Known Risks • Analyze and Identify Known Exceptions • Let each application/transaction be assigned an individual criticality weight, denoted by ωi. Thus each application may be uniquely qualified by a security criticality measure given as AiXjωk. • Cm = {A1X2, A3X2,….,AiXj,…..} • m denotes priority level as defined by security needs of the organization
Proposed framework to derive access priority scheme (Contd..) • 2. (contd..) The overall aggregate weighted score for any such level of Cm can be represented as Ωm • The value of Ω for the prioritization scheme can be decided based on the organizational security policies. • Combined criticality and priority level of transactional cost • Simultaneous occurrence of a combination of transactions may be more critical than the individual transactions • The rules of analysis on logs of events to generate alarms should look for patterns of such combinations which would be aided by the priority levels and transactions assigned to these levels. • The proposal recommends that dependency of inter-application transactions as opposed to intra-application transactions be given equal consideration while preparing the matrix.
Proposed framework to derive access priority scheme (Contd..) • The proposal recommends that dependency of inter-application transactions as opposed to intra-application transactions be given equal consideration while preparing the matrix. • the model develops on RBAC, prioritization based on access levels or departmental roles could be also achieved. Departmental roles monitoring aligns to decisions about privilege levels to respective users in role-group. • The proposed model can be extended by retracing departmental roles from access level assignments and henceforth the application transactions. Example: DR {AL(s)} {AX(s)}
Proposed framework to derive access priority scheme (Contd..) • With this schematic structure for all the applications in the organization’s framework, we can get the following advantages in terms of optimizing the processing capability of the anomaly detection engine and promote an easier and faster detection of true alarms in the system, and hence effective response and countermeasure system. • Increase the operational efficiency of the detection engine. • Efficient access security monitoring • Efficient response and countermeasures to alerts
Cj Criticality Set This is a global security access level boundary decided by the organization for security monitoring C2 A3X3 C1 Reducing A1X1 ωi Individual Criticality Weight A2X2 Ωmax A4X4 Reducing Ωi Aggregate Weight Model Representation The model always tries to build the most critical information domain by re-arranging the priorities of the individual elements. Along the X-axis, the individual application transaction criticality weights have been plotted. On the Y-axis each individual critical set is represented, with C1 considered as the most critical, closer to the origin having high values of Ω. On the Z-axis, the values of Ω are plottedstarting from the origin, with the maximum value as the origin. This model can be extended for any prioritization and categorization of any information distribution and sharing to get the maximum value from it. Representation of the model operating in a 3-dimensional space domain
An Example • A1 = Customer Credit Card Transaction Monitoring Application • A2 = Customer Account Information Application • Each of the 2 applications can have many transactions in it, denoted by Xi. • Let X1: View Customer Credit Card Transaction • X2 : Update Transaction Amount • X3 : View Customer Personal Information • X4: Update Customer Account Information. • From the sensitivity / criticality perspective, the following hypothetical weights may be assigned as follows on a scale of 100 to each of the above mentioned transactions. These criticalities will vary depending upon the business impact to the organization. • X1: ω1 = 15 • X2 : ω2 = 40 • X3: ω3 = 25 • X4: ω4 = 35 • Thus we can now build the vulnerability dependency matrix to derive the optimal access security monitoring model can be drawn as in the adjacent figure • C1 Ω 1A1X1 + A1X2 + A2X3: Ω1 = 15+25+35 = 75 • C1 Ω 2A1X1+ A2X3: Ω2 = 15+25 = 40
Model Comparison with RBAC • RBAC • One-time Policy Definition and Access Role • Does not monitor ongoing patterns • Alert Engine generates Extensive Logs • No Prioritization • Sub-optimal cost-effectiveness threat detection • Current Model • Operate at a user-defined threshold level • Eliminate redundant scans • Save Information Security costs • Business Risk = Business Value x Vulnerabilities x Threats x Time to Detection ( the model reduces this component )
Application of criticality matrix to IDS and Alert Mechanisms • Forms basis for forensic monitoring module and caters to real time business rules of the org. • This includes a way to scan the alert logs based on a real-time dynamic business rule definition. • This would include component criticality weighting, linking to the changing business scenarios and priorities. • Advantages to security management policies and endeavors • Dynamic monitoring • Learning Capability • More effective than quantitative evaluation • Efficient resource usage
includes Application Transaction Is Accessed By has Includes Access_Level Incl. has Org_Role Dept Implementation Scenario • The access security model can be integrated as a module, in alert engine software in particular with the Event Log Scanning functionality. • From the implementation perspective, the organization as a part of their systems implementation methodology should make it mandatory to estimate the business criticality of the application and its individual transactions. • As an input to the alert engine security access module, which will prioritize the monitoring of the security logs. Thus the event scanning engine has a reduced set of data sets to monitor and setup alarms for anomalies. TypicalERD for Prioritization Model
Conclusion Summary of proposed framework • Tries to minimize the perceived cost of security in terms of lost productivity • Improvises for better quality of security and overall manageability of information assets on intranet. • Future Research Directions • Impact of different sequences of transactions on development of prioritization matrix • Incorporation of constraints and other boundaries to the access control model • Obtain aggregate criticality matrix by using other algorithms which would can reflect improved consideration of criticalities of individual transactions.
Thank You!! Questions??