
A Probabilistic Approach to Autonomic Security Management

Stefano Iannucci
Distributed Analytics and Security Institute
Mississippi State University
Starkville, Mississippi

Sherif Abdelwahed
Department of Electrical and Computer Engineering
Mississippi State University
Starkville, Mississippi

2016 IEEE International Conference on Autonomic Computing

Summarized by Pranav Veldurthy

Presentation Summary

• Introduction
• System Overview
• Contributions and Organization
• System Model
  • States Characterization
  • Reward Function
  • Response Actions
  • Termination Function
• Performance Evaluation
  • Experimental Results
  • Vulnerabilities
  • Snort Configuration
  • Simulation of Controller Behavior
• Conclusion and Future Work

Introduction

• Attack frequency has more than doubled compared to the previous year.

• Intrusion Detection Systems (IDS): the complexity and number of alerts keep growing, and the probability of a successful attack translates into constant damage.

• Intrusion Response Systems (IRS): existing approaches use either a static mapping from the detected attack to a countermeasure, or a dynamic evaluation of all available response actions.

• Markov Decision Process (MDP): used to compose response policies out of atomic response actions.

System Overview

• Autonomic systems:
  • Controller – implements the self-management algorithm
  • Controlled subsystem – provides the domain functionality

• MAPE-K loop (Monitor, Analyze, Plan, Execute over a shared Knowledge base)

Contributions and Organization

• MDP-based controller: design, realization, evaluation.

• Adopting long-term response policies can be more effective than single response actions.

• → Result: reduction of threat resolution time by 56%.

* The design and realization of the IDS event manager and the learning of system behavior by the controller are OUT OF THE SCOPE of the present work.

System Model

• S = finite set of states; A = finite set of actions.

• Set of target states.

• Reward function.

• γ = discount factor.

• Aim = optimal policy (π).

States Characterization

• Specialization in 7 different attacks and 11 system attributes.

• Attacks: P_scan, P_vsftpd, P_smbd, P_phpcgi, P_ircd, P_distccd, P_rmi

• System attributes:
  • firewall ∈ {true, false}
  • {blocked_ips}
  • {flowlimit_ips}
  • alert ∈ {true, false}
  • {honeypot_ips}
  • logVerb ∈ {0,1,2,3,4,5}
  • active ∈ {true, false}
  • quarantined ∈ {true, false}
  • rebooted ∈ {true, false}
  • backup ∈ {true, false}
  • updated ∈ {true, false}

Reward Function

• The reward function is a penalty score.

• It evaluates response actions by:
  • Response time R(x) ∈ ℝ
  • Cost C(x) ∈ ℝ
  • Impact index I(x) ∈ [0,1]

• Reward Function =

Response Actions

• To avoid potentially disruptive response actions, two thresholds (T1, T2) split the attack probability p into four stages:
  • p < T1
  • T1 < p < T2
  • T2 < p < 1
  • p = 1

Response Actions (examples)

• Firewall activation

• Block source IP (badIP)

• Flow rate limit (badIP)

• Close network connection

Termination Function

• The termination function (T) for a set of target states (Stgt) is defined as:

T : S → {true, false}

• Termination occurs when the system reaches a control anomaly (Sano) or a fully clean state (Sclean):
  • Sano = control-anomaly states
  • Sclean = fully clean states
  • Stgt = Sano ∪ Sclean

Performance Evaluation

The performance of the Value Iteration (VI) algorithm is compared with that of the sub-optimal rollout-based Monte-Carlo algorithm UCT.

The planning time of VI with discount factor = 0.9 is compared with that of UCT.

The rewards obtained by VI are close to -10, as it always selects the best response action.
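The System Model, Reward Function, Response Actions and Termination Function slides above describe one MDP, and this slide evaluates it with value iteration at discount factor 0.9. The Python program below is an added example, not the paper's code or data: it assembles those pieces into a small, runnable controller and solves it with value iteration. Everything concrete in it is assumed: the four probability bands and thresholds T1 = 0.4 and T2 = 0.7, the three attributes kept from the paper's eleven (firewall, alert, and a clean flag standing in for Sclean), the R/C/I numbers per action, the weighted-sum penalty with an extra damage term proportional to p, the fixed value of -100 for Sano, and the escalation dynamics in which slower responses give the attacker more time.

```python
"""Toy MDP-based intrusion-response controller (constructed example).

State space: attack probability p in four bands split by thresholds T1, T2,
plus three of the paper's system attributes.  Reward is a penalty built from
response time R, cost C and impact I; Stgt = Sano U Sclean; solved by value
iteration with discount factor 0.9.  Numbers and dynamics are assumptions."""
from dataclasses import dataclass
from itertools import product

GAMMA = 0.9
T1, T2 = 0.4, 0.7                          # assumed thresholds
BANDS = (0.2, 0.5, 0.8, 1.0)               # p < T1, T1 < p < T2, T2 < p < 1, p = 1
ANOMALY_VALUE = -100.0                     # fixed value of the control-anomaly state Sano
W_R, W_C, W_I, W_DMG = 1.0, 1.0, 10.0, 10.0   # assumed penalty weights


@dataclass(frozen=True)
class State:
    p: float        # estimated attack success probability (one of BANDS)
    firewall: bool  # firewall attribute
    alert: bool     # alert attribute
    clean: bool     # threat resolved (Sclean)


# name -> (response time R, cost C, impact index I in [0, 1], minimum p at which it is allowed)
ACTIONS = {
    "generateAlert":    (1.0, 1.0, 0.0, 0.0),
    "activateFirewall": (2.0, 2.0, 0.1, 0.0),
    "blockSrcIP":       (1.0, 1.0, 0.4, T1),   # disruptive: only once p > T1
    "systemReboot":     (10.0, 5.0, 1.0, T2),  # very disruptive: only once p > T2
    "wait":             (1.0, 0.0, 0.0, 0.0),
}


def is_anomaly(s):
    return not s.clean and s.p == 1.0          # Sano: the attack has succeeded


def terminate(s):
    return is_anomaly(s) or s.clean            # T : S -> {true, false}, Stgt = Sano U Sclean


def allowed_actions(s):
    """Threshold gating: an action is available only when p exceeds its minimum band."""
    return [a for a, (_, _, _, min_p) in ACTIONS.items() if s.p > min_p]


def reward(s, a):
    """Penalty score: weighted R, C, I of the action plus damage proportional to p."""
    R, C, I, _ = ACTIONS[a]
    return -(W_R * R + W_C * C + W_I * I) - W_DMG * s.p


def transitions(s, a):
    """Constructed dynamics: list of (probability, next_state)."""
    R, _, _, _ = ACTIONS[a]
    fw, al, cl = s.firewall, s.alert, s.clean
    if a == "generateAlert":
        al = True
    elif a == "activateFirewall":
        fw = True
    elif a == "blockSrcIP" and fw and al:     # blocking needs firewall rules and a raised alert
        cl = True
    elif a == "systemReboot":
        cl = True
    if cl:
        return [(1.0, State(s.p, fw, al, True))]
    esc = min(1.0, 0.1 * R)                   # slower responses give the attacker more time
    nxt = BANDS[min(BANDS.index(s.p) + 1, len(BANDS) - 1)]
    return [(1.0 - esc, State(s.p, fw, al, False)), (esc, State(nxt, fw, al, False))]


def value_iteration(eps=1e-9):
    """Return (V, policy) for all states; terminal states keep their fixed values."""
    states = [State(p, fw, al, cl)
              for p, fw, al, cl in product(BANDS, (False, True), (False, True), (False, True))]
    V = {s: (ANOMALY_VALUE if is_anomaly(s) else 0.0) for s in states}
    policy = {}
    while True:
        delta = 0.0
        for s in states:
            if terminate(s):
                continue
            best_a, best_q = None, float("-inf")
            for a in allowed_actions(s):
                q = reward(s, a) + GAMMA * sum(pr * V[t] for pr, t in transitions(s, a))
                if q > best_q:
                    best_a, best_q = a, q
            delta = max(delta, abs(best_q - V[s]))
            V[s], policy[s] = best_q, best_a
        if delta < eps:
            return V, policy


def pessimistic_plan(policy, s):
    """Follow the policy assuming the attacker advances one band during every
    non-resolving action; returns (action sequence, final state)."""
    actions = []
    while not terminate(s):
        a = policy[s]
        actions.append(a)
        s = max(transitions(s, a), key=lambda pt: pt[1].p)[1]
    return actions, s


if __name__ == "__main__":
    V, pi = value_iteration()
    start = State(0.2, False, False, False)
    print("first action from unprepared state:", pi[start], "value:", round(V[start], 2))
    print("pessimistic rollout:", pessimistic_plan(pi, start))
```

Running it prints the optimal first action from the unprepared state and a pessimistic rollout in which the attacker advances one band during every action; under these constructed numbers the rollout is generateAlert, activateFirewall, blockSrcIP, the same preparation-then-response shape as the policies in the simulation slides. The threshold gating in allowed_actions is what keeps blockSrcIP and systemReboot out of the policy while p < T1, and the fixed -100 value of Sano is what makes the controller prepare (alert, firewall) rather than wait once p rises.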

Experimental Results

Vulnerabilities

Only selected vulnerabilities are considered: the vulnerable software comes from the Metasploitable VM, which is freely downloadable.

• OSVDB-73753 – trojaned distribution (the ":)" backdoor). Result: TCP callback shell.

• CVE-2007-2447 – Samba "username map script"; attackers can execute arbitrary commands.

• CVE-2012-1823 – PHP run as CGI is vulnerable to argument injection: depending on whether '=' is present, the query string is split on the '+' character and the parts are passed as arguments to the CGI binary.

• CVE-2010-2075 – UnrealIRCd 3.2.8.1; DEBUG3_DOLOG_SYSTEM allows attackers to execute arbitrary commands.

• CVE-2004-2687 – distcc 2.x; commands are executed by the server without authorization checks.

• CVE-2011-3556 – the RMI Registry and RMI Activation services load classes from a remote URL.

Snort Configuration

• Snort helps in detecting malicious traffic but cannot stop it.

• Three rule sets:
  • Community rules – publicly available.
  • Registered rules – freely available after registration.
  • Subscriber rules – Cisco subscription plan.

• CVE-2012-2335 was detected.

• Wireshark is used to find characteristic signatures.

• OSVDB-73753 exploit analysis:
  • Result: ":)" appears in every suspicious login alert.

Simulation of Controller Behavior

• Three simulations are run, each 1000 times, using the VI algorithm.

• Portscan attack:
  • Response time optimization with discount factor = 0.9 yields 14 equivalent policies, such as: generateAlert, increaseLogVerb, increaseLogVerb, increaseLogVerb, increaseLogVerb, increaseLogVerb, activateFirewall, blockSrcIP, unblockSrcIP, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb.
  • Policies are split into i) preparation, ii) response, iii) conclusion.

• Vulnerability exploit:
  • Response time optimization with discount factor = 0.9 yields 15 equivalent policies, such as: increaseLogVerb, generateAlert, activateFirewall, increaseLogVerb, increaseLogVerb, increaseLogVerb, increaseLogVerb, systemReboot, backup, softwareUpdate, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb.
  • Policies are split into i) first preparation, ii) first response attempt, iii) second preparation, iv) second response attempt, v) conclusion.

• Combined vulnerability and response time:
  • Response time optimization with discount factor = 0.9 yields 17 equivalent policies, such as: generateAlert, increaseLogVerb, activateFirewall, increaseLogVerb, blockSrcIP, increaseLogVerb, increaseLogVerb, increaseLogVerb, systemReboot, backup, softwareUpdate, unblockSrcIP, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb, decreaseLogVerb.
  • Policies are split into i) first preparation, ii) first response attempt, iii) second preparation, iv) second response attempt, v) third response, vi) third response attempt, vii) conclusion.

Conclusions and Future Work

• During the last decade many IRSs have been proposed to face the increasing frequency and complexity of attacks.

• All the proposed approaches, however, considered only either a static mapping of the best response action to the currently detected attack, or a dynamic evaluation of the available response actions according to a set of pre-defined attributes.

• This paper introduced an MDP-based controller that supports long-term planning by exploiting the concept of system state, thereby decoupling the attack from the response.

• Experimental results show that long-term planned policies provide better results than short-term ones, and that the threat resolution time can be reduced by up to 56% in the considered scenario.

• For future work, a meta-model will be realized in which standard components and connections are defined, so that system administrators can visually design the model of their system.

• Such a meta-model will enable the development of standard attack and response libraries that, integrated with the personalized system model, will allow the IRS to provide response policies tailored to the specific system.