Automated security using SARNET - de Laat (slide transcript)
Automated security using SARNET
Ralph Koning
SNE Research Group
Introduction
Problem:
- The amount of attacks increases in quantity, size, and complexity.
- Security departments need to deal with these threats.
- Security departments want to deal with important or new threats.
Solution: (diagram on the slide, not transcribed)
Research question
How do we create a network capable of automated response to attacks?
- How do we research such a network without harming others?
- How do we evaluate defenses?
- How do we measure defense performance?
- Can collaboration help in defending distributed attacks?
SARNET control loop
Detection phase: Detect, Classify, Analyze
Decision phase: Risk, Decide
Respond phase: Respond, Measure, Adjust
Learn phase: Learn (used as input for decide)
[Figure: control loop cycling through Detect, Classify, Analyze, Risk, Decide, Respond, Measure, Adjust, Learn]
Platform and Technologies
Platform: ExoGENI, Openstack
Technologies: Alpine, mqtt, Quagga (BGP), Docker.
Container types: client, service, honeypot, reflector.
VM types: host, router, switch, nfv/cluster, domain.
[Figure: architecture at uva-nl: an ExoGENI rack hosting VNET (virtual machines and network functions, each with a VNET-agent); infrastructure controller, monitoring system and network controller; UI controller with the VNET-visualization UI and the SARNET UI on a multitouch table; SARNET agent for domain S2]
Metrics, Observables
(figure only, not transcribed)
SARNET 2017
(figure only, not transcribed)
Response selection
How do we pick the best response to an attack in the decide phase?
- Risk evaluation
- Response selection
Efficiency based response selection [1, 2]
We can use the metric efficiency to learn the best defense.
[Figure 1: revenue over time during an attack; marked: Threshold, Attack Start, Detect, Implement, Recovered, Timeout; the Impact is the shaded area]
Figure 1: Efficiency requires the impact of an attack; impact is the blue area under the graph

$$
E(\text{isRecovered?}, I, C_t) =
\begin{cases}
\beta + \alpha \dfrac{B \cdot T - I}{B \cdot T} + (1 - \beta - \alpha) \dfrac{C \cdot T - C_t}{C \cdot T} & \text{Recovered,} \\[2ex]
\alpha \left( \dfrac{\beta}{1 - \beta} \right) \dfrac{B \cdot T - I}{B \cdot T} + (1 - \beta - \alpha) \left( \dfrac{\beta}{1 - \beta} \right) \dfrac{C \cdot T - C_t}{C \cdot T} & \text{otherwise.}
\end{cases}
$$

Figure 2: Equation for efficiency

| Attack | First choice | Second choice |
|---|---|---|
| cpu_attack | captcha | honeypot |
| pwd_bf_attack | honeypot/captcha | - |
| ddos_attack | udp-filter | - |
| ddos_attack (light) | udp-filter | udp-rateup |

Table 1: Defence options per attack ranked by efficiency

[1] koning2017netsoft. [2] koning2018fgcs.
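The efficiency metric of Figure 2 and the ranking of Table 1, as an added worked example (not code from the SARNET project). The slide does not give values for the weights alpha and beta, nor does it spell out B, T and C, so the code assumes B*T is the revenue over the attack window and C*T the cost budget over that window, uses assumed weights, and ranks constructed measurements per attack:

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Weights of the efficiency metric. The slide gives the formula in terms of
# alpha and beta but not their values; the values below are assumed.
BETA = 0.4   # weight credited for recovering at all
ALPHA = 0.3  # weight of the revenue (impact) term; 1 - BETA - ALPHA weights cost


def efficiency(recovered: bool, impact: float, cost: float,
               max_revenue: float, max_cost: float,
               alpha: float = ALPHA, beta: float = BETA) -> float:
    """E(isRecovered?, I, Ct) as in Figure 2.

    max_revenue stands for B*T and max_cost for C*T in the slide's notation
    (assumed reading: revenue and cost budget over the attack window T).
    impact (I) and cost (Ct) are clipped to [0, window] so E stays in [0, 1].
    """
    if not (0.0 < beta < 1.0 and alpha >= 0.0 and alpha + beta <= 1.0):
        raise ValueError("need 0 < beta < 1, alpha >= 0 and alpha + beta <= 1")
    impact = min(max(impact, 0.0), max_revenue)
    cost = min(max(cost, 0.0), max_cost)
    revenue_term = (max_revenue - impact) / max_revenue
    cost_term = (max_cost - cost) / max_cost
    rest = 1.0 - beta - alpha
    if recovered:
        return beta + alpha * revenue_term + rest * cost_term
    # Not recovered: no credit for beta, and both terms are scaled by
    # beta / (1 - beta), so an unrecovered run scores at most beta and never
    # beats a recovered run (which scores at least beta).
    scale = beta / (1.0 - beta)
    return scale * (alpha * revenue_term + rest * cost_term)


@dataclass(frozen=True)
class Outcome:
    """One measured run of a defence against an attack (constructed data)."""
    attack: str
    defence: str
    recovered: bool
    impact: float  # lost revenue I, the area under the graph in Figure 1
    cost: float    # cost Ct of running the defence


def rank_defences(outcomes: Iterable[Outcome], max_revenue: float,
                  max_cost: float) -> Dict[str, List[Tuple[str, float]]]:
    """Per attack, list (defence, efficiency) pairs, best first, like Table 1."""
    table: Dict[str, List[Tuple[str, float]]] = {}
    for o in outcomes:
        e = efficiency(o.recovered, o.impact, o.cost, max_revenue, max_cost)
        table.setdefault(o.attack, []).append((o.defence, round(e, 4)))
    for ranked in table.values():
        ranked.sort(key=lambda pair: pair[1], reverse=True)
    return table


# Constructed measurements: revenue window B*T = 1000, cost window C*T = 500.
MAX_REVENUE, MAX_COST = 1000.0, 500.0
SAMPLE_OUTCOMES = [
    Outcome("cpu_attack", "captcha", True, impact=200, cost=100),
    Outcome("cpu_attack", "honeypot", True, impact=300, cost=250),
    Outcome("ddos_attack", "udp-filter", True, impact=400, cost=100),
    Outcome("ddos_attack", "udp-rateup", False, impact=600, cost=50),
]

if __name__ == "__main__":
    for attack, ranked in rank_defences(SAMPLE_OUTCOMES, MAX_REVENUE, MAX_COST).items():
        print(attack, ranked)
```

With these numbers captcha (0.88) ranks above honeypot (0.76) for cpu_attack and udp-filter (0.82) above udp-rateup (0.26) for ddos_attack; the unrecovered udp-rateup run is capped at beta by construction, which is what makes "recovered" the dominant criterion in the ranking.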
Multi-Domain SARNET
Multi-domain defense: block immediately
[Figure: topology with nodes S1, S2, T1–T6 and E1–E5; at each time step the nodes with an active block are highlighted]

| Time | Cost | Impact | Blocks active |
|---|---|---|---|
| 1 | 0 | 10 | (none) |
| 2 | 10 | 10 | T1 |
| 3 | 20 | 10 | T1, T2 |
| 4 | 40 | 10 | T1, T2, T3, T4 |
| 5 | 50 | 10 | T1, T2, T3, T4, T5 |
Defense approaches
Invoking a multi domain defense can be done in multiple ways. How do these approaches perform in terms of efficiency?
We look at three of them:
- Approach 1: Block everywhere (starting at victim).
- Approach 2: Minimise amount of countermeasures (or defend close to attacker).
- Approach 3: Minimise defense propagation.
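Approaches 1 and 2 on a small constructed topology, as an added example (not the SARNET code). The attack paths, the per-block cost of 10 and the budget are assumed; node names follow the slide's labelling. Approach 1 blocks ring by ring outward from the victim and keeps spending until the budget is gone, Approach 2 is implemented in its "defend close to attacker" reading (one block at the transit node next to each attacker). Approach 3 is not defined precisely enough on the slide to implement here:

```python
from typing import Dict, FrozenSet, List, Tuple

# Constructed attack paths from attacking edge nodes (E*) via transit nodes
# (T*) to the victim S1. The paths are assumed, not taken from the slide.
VICTIM = "S1"
ATTACK_PATHS = [
    ["E1", "T1", "T3", "T5", "S1"],
    ["E2", "T2", "T3", "T5", "S1"],
    ["E3", "T4", "T5", "S1"],
]
BLOCK_COST = 10  # cost per active block, mirroring the slide's cost steps (assumed unit)


def transit_distance(paths: List[List[str]], victim: str) -> Dict[str, int]:
    """Hops from the victim to each transit node (attacker and victim excluded)."""
    dist: Dict[str, int] = {}
    for p in paths:
        if p[-1] != victim:
            raise ValueError(f"path {p} does not end at the victim {victim}")
        for hops, node in enumerate(reversed(p[1:-1]), start=1):
            dist[node] = min(dist.get(node, hops), hops)
    return dist


def coverage(paths: List[List[str]], blocked) -> float:
    """Fraction of attack paths that cross at least one blocked transit node."""
    hit = sum(1 for p in paths if any(n in blocked for n in p[1:-1]))
    return hit / len(paths)


Step = Tuple[int, FrozenSet[str], int, float]  # (time, blocked, cost, coverage)


def block_everywhere(paths: List[List[str]], budget: int,
                     victim: str = VICTIM) -> List[Step]:
    """Approach 1: starting next to the victim, add a block on every transit
    node one ring further out per time step, until the budget is exhausted."""
    dist = transit_distance(paths, victim)
    rings: Dict[int, List[str]] = {}
    for node, d in dist.items():
        rings.setdefault(d, []).append(node)
    blocked, cost = set(), 0
    steps: List[Step] = [(1, frozenset(), 0, coverage(paths, blocked))]
    for t, d in enumerate(sorted(rings), start=2):
        for node in sorted(rings[d]):
            if cost + BLOCK_COST > budget:
                break
            blocked.add(node)
            cost += BLOCK_COST
        steps.append((t, frozenset(blocked), cost, coverage(paths, blocked)))
        if cost + BLOCK_COST > budget:
            break
    return steps


def defend_close_to_attacker(paths: List[List[str]], budget: int):
    """Approach 2 (close-to-attacker reading): one block per attack path at the
    transit node right after the attacker, deduplicated, within the budget."""
    blocked, cost = set(), 0
    for p in paths:
        node = p[1]  # first transit hop after the attacking edge node
        if node in blocked:
            continue
        if cost + BLOCK_COST > budget:
            break
        blocked.add(node)
        cost += BLOCK_COST
    return frozenset(blocked), cost, coverage(paths, blocked)


if __name__ == "__main__":
    for t, blocked, cost, cov in block_everywhere(ATTACK_PATHS, budget=40):
        print(f"approach 1  time={t} cost={cost} coverage={cov:.2f} blocks={sorted(blocked)}")
    blocked, cost, cov = defend_close_to_attacker(ATTACK_PATHS, budget=40)
    print(f"approach 2  cost={cost} coverage={cov:.2f} blocks={sorted(blocked)}")
```

With a budget of 40, Approach 1 already covers every attack path at time 2 (the block on T5) yet keeps adding blocks until the budget is fully consumed, which is the inefficiency the next slide reports; Approach 2 covers the same paths for 30 by blocking T1, T2 and T4.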
The effect of budget on approach efficiency
- Approach 1 is not so efficient; it always consumes the complete budget.
- For single attacker far situations Approach 2 scores higher than 3.
As a general purpose approach we recommend Approach 3. However, Approach 3 is not very alliance ‘friendly’ as it only removes traffic from the target.
[Figure 3: efficiency (0.4–0.9) against budget (300, 600, 900) for approaches 1, 2 and 3; panels: single attacker far, single attacker near, two attackers 1 far 1 near, all clients attacking]
Figure 3: approach performance for different budget sizes
From metrics to tasks
Defences can be comprehensive; tasks are basic and take few parameters.
Each task can be fulfilled by any (capable) member in the alliance.

| Metric | Observable | Classification | Defence | Task |
|---|---|---|---|---|
| bandwidth | >80% | DDoS | Wait it out | start scrubbing |
| tcp/udp ratio | >0.9 | | Filter locally | redirect clean |
| transactions | <0.8 | | Filter remotely | redirect dirty |
| | | | | remote scrubbing |
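The detect, classify and decompose steps behind the table above, as an added example (not SARNET code). The thresholds and the defence and task names are the slide's; the rule that combines the observables into a DDoS classification, the grouping of tasks under each defence, the alliance members and their capabilities, and the task parameters are all assumed:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Metrics:
    """One monitoring sample (constructed). Values are fractions."""
    bandwidth: float      # share of link capacity in use
    tcp_udp_ratio: float  # share of UDP in the TCP/UDP mix
    transactions: float   # completed transactions relative to the baseline


def observe(m: Metrics) -> Dict[str, bool]:
    """Evaluate the slide's three observables against their thresholds."""
    return {
        "bandwidth>80%": m.bandwidth > 0.80,
        "tcp/udp ratio>0.9": m.tcp_udp_ratio > 0.90,
        "transactions<0.8": m.transactions < 0.80,
    }


def classify(observed: Dict[str, bool]) -> Optional[str]:
    """Assumed rule: saturated bandwidth plus at least one corroborating
    observable is classified as DDoS; anything else stays unclassified."""
    corroborated = observed["tcp/udp ratio>0.9"] or observed["transactions<0.8"]
    if observed["bandwidth>80%"] and corroborated:
        return "DDoS"
    return None


# Assumed decomposition of each comprehensive defence into basic tasks.
DEFENCE_TASKS: Dict[str, List[str]] = {
    "Wait it out": [],
    "Filter locally": ["start scrubbing", "redirect clean"],
    "Filter remotely": ["redirect dirty", "remote scrubbing"],
}

# Constructed alliance members and the tasks each is capable of.
CAPABILITIES: Dict[str, Set[str]] = {
    "S1": {"start scrubbing", "redirect clean", "redirect dirty"},
    "S2": {"remote scrubbing", "redirect dirty", "redirect clean"},
}


def plan(defence: str, victim_prefix: str,
         members: Dict[str, Set[str]] = CAPABILITIES) -> List[Dict[str, str]]:
    """Expand a defence into tasks with few parameters and assign each task to
    a capable alliance member (first capable member by name). Fails loudly
    when no member can perform a task instead of silently dropping it."""
    tasks = []
    for name in DEFENCE_TASKS[defence]:
        capable = sorted(m for m, caps in members.items() if name in caps)
        if not capable:
            raise LookupError(f"no alliance member can perform {name!r}")
        tasks.append({"task": name, "prefix": victim_prefix, "member": capable[0]})
    return tasks


if __name__ == "__main__":
    sample = Metrics(bandwidth=0.95, tcp_udp_ratio=0.97, transactions=0.40)
    label = classify(observe(sample))
    print("classification:", label)
    if label == "DDoS":
        # 192.0.2.0/24 is a documentation prefix used here as a constructed value.
        for task in plan("Filter remotely", "192.0.2.0/24"):
            print(task)
```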
Computational Trust based algorithm
A computational Trust Model allows us to:
- Identify and isolate untrustworthy members
- Estimate the interaction risk
- Decide whether and with whom to interact
Trustworthiness factors [3]
- Competence: The potential ability of the member.
- Integrity: Whether the member fulfills commitments (assumed for now).
- Benevolence: Whether the member acts good and out of kindness.
[3] deljoo2018sctm.
Remote help selection based on social trust
Benevolence based algorithm.
- Assume integrity of alliance members (for now)
- Rank nodes on competence to perform task ‘t’
- Resolve ties using benevolence
- Ask node with highest ranking
[Figure: topology with nodes S1, S2, T1–T6 and E1–E5; candidate nodes are annotated first with their competence rank (2, 1, 1), then with (competence, benevolence) pairs (2,1), (1,3), (1,4); the node annotated (1,4) is the one asked]
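The selection steps above as an added example (not SARNET code), extended with the retry behaviour the "in practice" plots measure as attempts: if the chosen member declines, the next-ranked one is asked. The slide's annotations are read as competence rank with 1 best and benevolence as a score with higher better; the member names, scores, the integrity flag and the acceptance behaviour are constructed:

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Member:
    name: str
    competence: Dict[str, int] = field(default_factory=dict)  # task -> rank, 1 is best
    benevolence: float = 0.0      # higher is better
    integrity: bool = True        # "assumed for now" on the slide; a False entry is isolated


def select_helper(members: List[Member], task: str,
                  exclude: Tuple[str, ...] = ()) -> Optional[Member]:
    """Rank members able to perform `task` on competence, break ties on
    benevolence (then on name for determinism) and return the top one.
    Members failing integrity or already excluded are never considered."""
    candidates = [m for m in members
                  if m.integrity and task in m.competence and m.name not in exclude]
    if not candidates:
        return None
    candidates.sort(key=lambda m: (m.competence[task], -m.benevolence, m.name))
    return candidates[0]


def request_help(members: List[Member], task: str,
                 accepts: Callable[[Member], bool],
                 max_attempts: int = 5) -> Tuple[Optional[Member], List[str]]:
    """Ask the highest-ranked member; on refusal move to the next one.
    Returns the member that accepted (or None) and the names asked, in order."""
    asked: List[str] = []
    while len(asked) < max_attempts:
        candidate = select_helper(members, task, tuple(asked))
        if candidate is None:
            break
        asked.append(candidate.name)
        if accepts(candidate):
            return candidate, asked
    return None, asked


# Constructed alliance with the rankings annotated on the slide: (2,1), (1,3), (1,4).
MEMBERS = [
    Member("T3", {"scrub": 2}, benevolence=1),
    Member("T4", {"scrub": 1}, benevolence=3),
    Member("T5", {"scrub": 1}, benevolence=4),
    Member("T6", {"scrub": 1}, benevolence=9, integrity=False),  # isolated
]

if __name__ == "__main__":
    best = select_helper(MEMBERS, "scrub")
    print("first choice:", best.name if best else None)
    chosen, attempts = request_help(MEMBERS, "scrub", accepts=lambda m: m.name != "T5")
    print("accepted by:", chosen.name if chosen else None, "after asking", attempts)
```

T5 wins the tie on competence through its higher benevolence, matching the (1,4) annotation; T6 is never asked despite the best scores because it fails the integrity check, which is the "identify and isolate untrustworthy members" point of the previous slide.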
Computational trust in practice
[Figure: for the scenarios single attacker close, single attacker far, two attackers 1 far 1 close, and all clients attacking: the ranking (1–9) of the node asked per attempt (1–5), and the efficiency (0.2–0.8) per attempt (0–9), for the nodes host, transit51–transit58 and nfv61; lower panels labelled Algorithm [4]]
Conclusion
Main contributions:
- A framework for evaluating defenses in different topologies.
- A method to compare and evaluate countermeasure performance.
- Insights into how to defend collaboratively.
New questions:
- How to resolve conflicting requests?
- How do we optimize for the alliance globally (with limited data)?
Thank you!
For more information (slides, papers, demos): https://sarnet.uvalight.net