
SCIT and IDS Architectures for Reduced Data Ex-filtration

SCIT and IDS Architectures for Reduced Data Ex-filtration. 4th Workshop on Recent Advances in Intrusion-Tolerant Systems (WRAITS 2010), Chicago, Illinois, USA, June 28th, 2010. Subset of presentation. Presented by: Arun Sood. Co-author: Ajay Nagarajan.





Presentation Transcript


  1. SCIT and IDS Architectures for Reduced Data Ex-filtration. 4th Workshop on Recent Advances in Intrusion-Tolerant Systems (WRAITS 2010), Chicago, Illinois, USA, June 28th, 2010. Subset of presentation. Presented by: Arun Sood. Co-author: Ajay Nagarajan. Department of Computer Science & International Cyber Center, http://cs.gmu.edu/~asood/scit, {asood, anagara1}@gmu.edu

  2. SCIT State Diagram
  Every virtual server is rotated through 4 states. Additional states can be used for archiving and analysis.
  • Exposed state is the state in which the virtual server is on-line.
  • The queries that are in the queue of a virtual server and are not processed during its exposed state are processed in its quiescent state.
  • The virtual server is killed and restarted in the stop / start state.
  • A virtual server in live-spare state is ready to go on-line.
  SCIT and IDS Architectures ....

  3. SCIT / IDS Architectures
  Compare the performance of 4 SCIT/IDS architectures with regard to the amount of data ex-filtrated:
  • Standalone Network Intrusion Detection System (NIDS)
  • Standalone SCIT
  • NIDS + Host Intrusion Detection System (HIDS)
  • NIDS + SCIT

  4. Methodology to calculate data ex-filtration costs
  • Decision trees are used to represent the functionality of each of the security architectures.
  • The probabilities in the decision trees characterize their security properties.
  • These decision trees with probability values are incorporated into Gnumeric, an open-source spreadsheet application suitable for Monte Carlo simulation.
  • The decision trees take incoming traffic (in terms of queries) as input and divide the traffic into 4 categories: Confirmed Intrusion (CI), No-intrusion (NI), False Alarm (FA) and Missed Intrusion (MI).
  • Confirmed Intrusion and Missed Intrusion cases have associated Intruder Residence Times (IRT), which are used to model data ex-filtration costs.

  5. Assumptions made to calculate data ex-filtration costs
  • In the malicious data ex-filtration process, records are stolen at a uniform rate.
  • No records are stolen if the IDS correctly identifies an intrusion (confirmed intrusion).
  • There is a constant cost associated with:
    • Performing intrusion detection on a single query (incoming traffic): C(I).
    • SCIT processing of a query (incoming traffic): C(T).
    • Responding to one intrusion alarm: C(R).
  • Our objective is to characterize the effectiveness of the security architecture in terms of the least data ex-filtrated, so we ignore the constant costs.
  • However, there is provision in the decision trees to include these costs if need be.

  6. Scenario 1: NIDS

  7. Scenario 2: SCIT
  • In SCIT, all potential attacks are successful since there is no IDS / IPS to check for them.
  • The incoming traffic is classified as either a successful attack or not. However, this classification is not done by the system, since SCIT treats all incoming traffic in the same manner.

  8. Scenario 3: NIDS + HIDS
  This is a serial NIDS-HIDS setup.

  9. Scenario 4: NIDS + SCIT
  Intruder Residence Time (IRT) is unbounded in NIDS. On adding SCIT, IRT is no longer unbounded: it is now bounded by SCIT's "Exposure-Time" metric.

  10. Monte-Carlo Simulation
  • Assumption: out of the 50,000 incoming queries, 500 are potential attacks.
  • Probability values chosen for the simulation:
    • The values of (q1...q2) and (p1...p13) are the same for NIDS and NIDS+SCIT. These values are presented in the NIDS decision tree, within parentheses next to the respective variables.
    • In the case of SCIT, probability values are presented in the SCIT decision tree.
    • In the case of NIDS + HIDS, the probability values are given below (variables followed by their value):
      • q1 (0.35)
      • q2, q5 (0.1)
      • q3, p7 (0.01)
      • p8, p9 (0.95)
      • p18, q4, q6, p23 (0.001)
      • p33 (0.9999)
      • p1 (0.021)
      • p2, p6, p22, p19 (0.05)
      • p5, p21 (0.3)
      • p4, p12, p14, p20, p28, p30 (0.8)
      • p16, p32 (0.7)
      • p17, p3, p10, p11, p13, p15, p24, p25, p26, p27, p29, p31 (0.9)
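The simulation method of slides 4, 5, 9 and 10, as an added example that is not the authors' Gnumeric model: each query is sorted into CI, MI, FA or NI, a missed intrusion leaks records at a uniform rate for its intruder residence time, and adding SCIT caps that residence time at the exposure time. The page only gives the 50,000-query / 500-attack assumption; the detection and false-alarm probabilities, the record rate and the exponential IRT distribution are constructed placeholders (the real decision-tree values are not in the transcript).

```python
import random

# Page-stated simulation assumption: 50,000 incoming queries, 500 of them attacks.
TOTAL_QUERIES = 50_000
POTENTIAL_ATTACKS = 500

# Constructed placeholder parameters; the real p/q values live in the
# decision trees, which are not in the transcript.
P_DETECT = 0.90           # NIDS classifies a real attack as CI (else MI)
P_FALSE_ALARM = 0.01      # NIDS classifies benign traffic as FA (else NI)
RECORDS_PER_HOUR = 100.0  # uniform ex-filtration rate (page assumes uniform)
MEAN_IRT_HOURS = 24.0     # assumed mean residence time of a missed intrusion


def classify(rng, is_attack):
    """Sort one query into the page's four categories: CI, MI, FA or NI."""
    if is_attack:
        return "CI" if rng.random() < P_DETECT else "MI"
    return "FA" if rng.random() < P_FALSE_ALARM else "NI"


def simulate(exposure_time_hours=None, seed=1):
    """Return (category counts, records ex-filtrated) for one run.

    exposure_time_hours=None models stand-alone NIDS: the intruder residence
    time (IRT) of a missed intrusion is unbounded (drawn exponentially here).
    A number models NIDS + SCIT: the IRT is capped at SCIT's exposure time.
    Confirmed intrusions leak nothing, per the page's assumption.
    """
    rng = random.Random(seed)
    counts = {"CI": 0, "MI": 0, "FA": 0, "NI": 0}
    stolen = 0.0
    for i in range(TOTAL_QUERIES):
        category = classify(rng, is_attack=i < POTENTIAL_ATTACKS)
        counts[category] += 1
        if category == "MI":
            irt = rng.expovariate(1.0 / MEAN_IRT_HOURS)
            if exposure_time_hours is not None:
                irt = min(irt, exposure_time_hours)
            stolen += RECORDS_PER_HOUR * irt
    return counts, stolen


if __name__ == "__main__":
    # Same seed for every run, so the comparison is paired query by query.
    for label, exposure in (("NIDS", None), ("NIDS+SCIT 4h", 4.0), ("NIDS+SCIT 1h", 1.0)):
        counts, stolen = simulate(exposure)
        print(f"{label:14s} {counts}  records ex-filtrated: {stolen:,.0f}")
```

Because the runs share a seed, the per-query draws are identical across architectures and the loss reduction seen is entirely the effect of capping the residence time, which is the comparison slide 12 reports.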

  11. Monte-Carlo Simulation: Parameters used in the simulation

  12. Monte-Carlo Simulation: Results of the simulation
  • The potential for damage is high for the stand-alone NIDS and NIDS + HIDS alternatives. The records ex-filtrated are about the same for both scenarios.
  • If SCIT is deployed, then the ex-filtration losses are significantly reduced. The loss rate is dramatically impacted by the exposure time chosen.

  13. Conclusion
  • The SCIT architecture provides a robust security mechanism that limits the potential for damage / data ex-filtration by reducing the intruder residence time.
  • An important advantage of SCIT compared to IDS solutions is that SCIT does not generate false alarms, and can thus help reduce intrusion alert management costs.
  • The simulation studies presented suggest that a combination of an NIDS with SCIT on host servers provides a robust architectural solution in the face of new attacks.

  14. SCIT Publications + Contact Info
  • SCIT technical publications
  • Links to media reports
  • Links to demo videos
  cs.gmu.edu/~asood/scit
  www.scitlabs.com
  Questions? Arun Sood, asood@gmu.edu
