automated security using sarnet - de laat · introducon problem: -...
TRANSCRIPT
Automated security using SARNET
Ralph Koning
SNE Research Group
Introduc on
Problem:- Amount of attacks increase in quan-tity, size, and complexity.
- Security departments need to dealwith these threats.
- Security departments want to dealwith important or new threats.
1
Introduc on
Problem:- Amount of attacks increase in quan-tity, size, and complexity.
- Security departments need to dealwith these threats.
- Security departments want to dealwith important or new threats.
Solution:
2
Research ques on
How do we create a network capable of automated response to attacks?
- How do we research such a network without harming others?
- How do we evaluate defenses?
- How do we measure defense performance?
- Can collaboration help in defending distributed attacks?
3
SARNET control loop
Detection phase:Detect, Classify, Analyze
Decision phase:Risk, Decide
Respond phase:Respond, Measure, Adjust
Learn phase:Learn (used as input for decide)
Learn
Analyze
Detect
RiskRespond
Measure
Classify
Decide
Adjust
4
Pla orm and Technologies
PlatformExoGENI, Openstack
TechnologiesAlpine, mqtt, Quagga(BGP), Docker.
Container typesclient, service, honeypot, reflector.
VM typeshost, router, switch, nfv/cluster, do-main.
uva-nl
ExoGENI rack
VNET
Multitouch Table
Virtual machines
VNET-agent
Network Functions
VNET-agent
UI controller
Infrastructure controller Monitoring system Network
controller
VNET-visualization UI
S2
SARNET UI
SARNETagent
5
Metrics, Observables
6
SARNET 2017
7
Response selec on
How do we pick the bestresponse to an attack in thedecide phase?
- Risk evaluation
- Response selection
8
Efficiency based response selec on12
We can use metric efficiency tolearn the best defense.
Revenue
Threshold
Attack Start
Detect
Recovered
Implement
Impact
Timeout
Figure 1: Efficiency requires the impact of an attack; impact is the bluearea under the graph
E(isRecovered?, I, Ct) �=
{β + αB·T−I
B·T + (1− β − α)C·T−CtC·T Recovered,
α( β1−β )
B·T−IB·T + (1− β − α)( β
1−β )C·T−CtC·T otherwise,
Figure 2: Equation for efficiency
Attack First choice Second Choicecpu_attack captcha honeypotpwd_bf_attack honeypot/captcha -ddos_attack udp-filter -ddos_attack(light) udp-filter udp-rateup
Table 1: Defence options per attack ranked by efficiency
1koning2017netsoft.2koning2018fgcs.
9
Mul -Domain SARNET
10
Mul -domain defense: block immediately
Time: 1
Cost: 0Impact: 10
S2S1
T3
T4
T5
T6T1
T2
E1
E2
E5
E3
E4
11
Mul -domain defense: block immediately
Time: 2
Cost: 10Impact: 10
S2S1
T3
T4
T5
T6T1
T2
E1
E2
E5
E3
E4
T1
11
Mul -domain defense: block immediately
Time: 3
Cost: 20Impact: 10
S2S1
T3
T4
T5
T6T1
T2
E1
E2
E5
E3
E4
T1
T2
11
Mul -domain defense: block immediately
Time: 4
Cost: 40Impact: 10
S2S1
T3
T4
T5
T6T1
T2
E1
E2
E5
E3
E4
T1
T2 T4
T3
11
Mul -domain defense: block immediately
Time: 5
Cost: 50Impact: 10
S2S1
T3
T4
T5
T6T1
T2
E1
E2
E5
E3
E4
T1
T2 T4
T3 T5
11
Defense approaches
Invoking a multi domain defense can be done in multiple ways.How do these approaches perform in terms of efficiency?
We look at three of them:
- Approach 1: Block everywhere (starting at victim).
- Approach 2: Minimise amount of countermeasures.(or defend close to attacker).
- Approach 3: Minimise defense propagation.
12
The effect of budget on approach efficiency
- Approach 1 is not so efficient; it al-ways consumes the complete bud-get.
- For single attacker far situations Ap-proach 2 scores higher than 3.
As a general purpose approach wereccommend Approach 3.However, Approach 3 is not very alliance’friendly’ as it only removes traffic fromthe target.
Figure 3: approach performance for different budget sizes
0.4
0.5
0.6
0.7
0.8
0.9
effic
ienc
y
single attacker far single attacker near
300 600 900budget
0.4
0.5
0.6
0.7
0.8
0.9
effic
ienc
y
two attackers 1 far 1 near
300 600 900budget
all clients attacking
approach123
13
From metrics to tasks
Defences can be comprehensive, tasks are basic and take few parameters.
Each task can be fulfilled by any (capable) member in the alliance.
Metric Observable Classification Defence Taskbandwith >80% DDoS Wait it out start scrubbingtcp/udp ratio >0.9 Filter locally redirect cleantransactions <0.8 Filter remotely redirect dirty
remote scrubbing
14
Computa onal Trust based algorithm
A computational Trust Model allows us to:
- Identify and isolate untrustworthy members
- Estimate the interaction risk
- Deciding whether and with whom to interact
Trustworiness’ Factors3
- Competence: The potential ability of the member.
- Integrity: Whether the member fulfills commitments (assumed for now).
- Benevolence: Whether the member acts good and out of kindness.
3deljoo2018sctm.15
Remote help selec on based on social trust
Benevolence based algorithm.
Assume integrity of alliance mem-bers (for now)
S2S1
T3
T4
T5
T6T1
T2
E1
E2
E5
E3
E4
T1
T2
T3 T4
T5
T6
16
Remote help selec on based on social trust
Benevolence based algorithm.
Assume integrity of alliance mem-bers (for now)
Rank nodes on competence to per-form task ‘t‘
S2S1
T3
T4
T5
T6T1
T2
E1
E2
E5
E3
E4
2
1
1
16
Remote help selec on based on social trust
Benevolence based algorithm.
Assume integrity of alliance mem-bers (for now)
Rank nodes on competence to per-form task ‘t‘
Resolve ties using on benevolence
S2S1
T3
T4
T5
T6T1
T2
E1
E2
E5
E3
E4
2,1
1,3
1,4
16
Remote help selec on based on social trust
Benevolence based algorithm.
Assume integrity of alliance mem-bers (for now)
Rank nodes on competence to per-form task ‘t‘
Resolve ties using on benevolence
Ask node with highest ranking
S2S1
T3
T4
T5
T6T1
T2
E1
E2
E5
E3
E4
1,4
16
Computa onal trust in prac ce
1
2
3
4
5
6
7
8
9
rank
ing
single attacker close single attacker far
1 2 3 4 5attempt
1
2
3
4
5
6
7
8
9
rank
ing
two attackers 1 foo far 1 close
1 2 3 4 5attempt
all clients attacking
hosttransit51transit58transit57transit54transit52transit56transit55transit53nfv61
0.2
0.4
0.6
0.8
efficienc
y
single attacker far single attacker close
0 1 2 3 4 5 6 7 8 90 1 2 3 4 5 6 7 8 90 1 2 3 4 5 6 7 8 90 1 2 3 4 5 6 7 8 9attempt
0.2
0.4
0.6
0.8
efficienc
y
two attackers 1 foo far 1 close
0 1 2 3 4 5 6 7 8 90 1 2 3 4 5 6 7 8 90 1 2 3 4 5 6 7 8 90 1 2 3 4 5 6 7 8 9attempt
all clients attacking Algorithm4
17
Conclusion
Main contributions:
- A framework for evaluating defenses in different topologies.
- A method to compare and evaluate countermeasure performance.
- Insights in how to defend collaboratively.
New questions:
- How to resolve conflicting requests?
- How do we optimize for the alliance globally (with limited data)?
18
Thank you!
For more information (slides, papers, demos):https://sarnet.uvalight.net
19