Proposal defense presentation

  • 1,769 views
Uploaded on

Presentation that I used for proposal defense

Presentation that I used for proposal defense

More in: Education
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
1,769
On Slideshare
0
From Embeds
0
Number of Embeds
3

Actions

Shares
Downloads
0
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • - Hacking community as it is, has been gathering momentum with dedicated forums that not only provide powerful, ready-to-use tools to script kiddies, but also an excellent communication medium for the professionals -Example: Electricity in hospitals
  • Mission survivability: doesn’t differentiate between benign or malign cause
  • Mode 1: A short running mission with a definite timeline Usually for such missions, final phase is the most crucial. If we hold off the aggressive behavior of an attacker for long enough, while still maintaining the mission integrity, we can assure mission survivability. Mode 2: A long running mission with an unbounded timeline In long running missions, it may not be possible to hold off the attacker forever. This is especially true for mission critical systems with infinite timelines (like, web based businesses). A full system recovery will be essential. However, as we will see later in Section 4, recovery can be attacked if we recover the system to the same vulnerable state that was exploited before. Thus, the need is to identify the precise vulnerability that resulted in the exploit and close it during the recovery. Such analysis takes time and hence a smart solution will buy the defender more time, without triggering a change in attacker’s rational behavior. If not, the defender can risk the attacker executing his contingency plans
  • Multi-stage delivery of malware Botnet’s stealthy command and control execution model Stealth features of Stuxnet sniffs for a specific configuration and inert itself if it does not find it. limited spread (one to three) Erases itself on a specific date on which it erases itself. Spread in industry “ Stuxnet is the new face of 21st-century warfare: invisible, anonymous, and devastating ”
  • Recovery based: Assumes system is compromised as soon as it goes online
  • mapping and vulnerability analysis of US critical infrastructure to plan for future attacks Rapid adoption of technology like smart grids more vulnerable due to automation and remote access people working on the smart grid are not concerned about security. “ The emergence of Stuxnet points to an overriding need for critical infrastructure companies to acknowledge the changes in the cyber threat landscape and focus attention not only on denial-of-service attacks, but also on more sophisticated threats, like stealthy infiltration from state-sponsored actors or cyber-extortionists. As our research has shown, the critical infrastructure sector has been slow to adjust to this realization.” cyber-security experts concerned about the surveillance of U.S. power grid by other nation states. A classified 2008 Defense Science Board Report highlights the cyber vulnerabilities in the US electric grid. Potential opponents have been observed to engage in cyber-reconnaissance of US critical infrastructure electrical utilities to plan for attack. A statistic reported by this survey shows a stable and high number of perceived nation-sate network attacks against domestic critical infrastructure. Cyber security experts concerned about international surveillance Potential opponents have been observed to engage in cyber-reconnaissance of US critical infrastructure electrical utilities to plan for attack
  • Knapp and Boulton and make a strong case for why cyber warfare is not just a military domain issue now. They study trends that demonstrate the transformation of information warfare from primarily a military-domain related issue to an industry-related issue. Coporate spionage Nation states avoiding direct confrotation Terrorism, extortion and hacktivism Baskerville discusses the expansion of information warfare to electronic business domain. He discusses the asymmetric warfare theory and how it relates to information warfare. Attackers are not restricted by time to develop exploit as much as defenders are. Another asymmetry is attacker’s advantage of stealth. Therefore, a defense system needs to be agile and adaptive in order to balance out this asymmetry.
  • Component 1: Surreptitious intrusion detection by keeping the IDS tamper-proof Component 2: Making the integrity signature invisible and accessible to the attacker Component 3: deception-based proactive recovery scheme, and multi-phase evaluation framework
  • Antivirus virus (retrovirus) Attacks/disables or infects the antivirus Software assets become defenseless Attacks bypass AV protection Called “argument-switch” attack, exploits driver hooks the AV programs use Send benign code and later swap with malicious payload E.g., remove McAfee and install malware Easier to do in a multi-thread, multi-core setup
  • AMD SimNow is installed on Ubuntu which is the host operating system. Inside AMD SimNow, we run a guest operating system, i.e., FreeBSD. All experiments run on this guest operating system. This system is configured to use emulated hardware of AMD Awesim 800Mhz 8-core processor with 1024 MB RAM. We use kernel level filters to implement process monitoring. This is because inter-process communication support provided by UNIX-like systems (like pipes or sockets) does not suffice for our framework. Inter-process communication delivers messages only between two live processes. However, we require that a communication (alert) be initiated when a process is terminated. For this purpose, we use an event delivery/notification subsystem called Kqueue, which falls under the FreeBSD family of system calls. Under this setup, a process monitor interested in receiving alerts/notifications about another process creates a new kernel event queue (kqueue) and submits the process identifier of the monitored process. Specified events (kevent) when generated by the monitored process are added to the kqueue of the process monitor. Kevent in our implementation is the termination of the monitored process. Process monitors can then retrieve this kevent from their kqueues at any time. A process monitor can monitor multiple processes in parallel using POSIX threads.
  • The initial setup time is defined as the time taken for the kqueue subsystem to get loaded before an attacker tries to subvert the process monitors. This is the only major time delay this system has been observed to incur. Initial setup time increases linearly with increasing degree of incidence. With 8 process monitors in a circulant digraph topology, the worst case initial setup delay of 0.3ms is obtained with a maximum degree of incidence.
  • We experimented with different circulant digraph topologies with varying number of process monitors and degree of incidence, as shown in the table. We experiment with the worst case scenario where the attacker already knows the correct order of the nodes in this topology. We assume that he also identifies the windows of vulnerability and uses them to his advantage (again, the worst case). In the figure, the number of alerts generated shows the sensitivity of this framework toward a crash attack executed using SIGKILL, under light system load.
  • Composability : The functionalities of the potential sub-modules can be composed to provide the functionalities of their parent module. Sufficiency : The functionalities of the potential sub-modules collectively describe the entire set of functionalities of their parent module.
  • For our analysis, checkpoint interval is assumed to be 1 hour. Fig. 2 presents the execution times for the four Scimark workloads on a logarithmic scale. It can be seen that the execution time overhead increases only a little when the system transitions from Case 1 to Case 2 (i.e., employing the proposed scheme as a preventive measure). For instance, an application that runs for 13.6 hours for Case 1 will incur an execution time overhead of only 13.49 minutes in moving to Case 2. However, the execution time overhead increases somewhat rapidly when the system transitions from Case 2 to Case 3. The increase in execution overhead will be substantial only if there are too many faults/attacks present, which is not very common. Fig. 3 shows the percentage increase in execution times of various workloads when the system transitions from a lower case to a higher one. It is assumed that these executions do not have any interactions (inputs/outputs) with the external environment. The percentage increase in execution time is only around 1.6% for all the workloads when system transitions from Case 1 to Case 2. The overhead for a transition from Case 1 to Case 3 (with mean time to failure, M =10 hours) is around 9%. These percentages indicate acceptable overheads in most fault tolerant systems.
  • Need for extending the framework to a decentralized environment: As with all centralized architectures, the framework that we developed has a single point of failure. Its trusted computing base is limited only to the coordinator. This can be advantageous because it is easier to ensure whether a single system is running tamper-free or not. However, since it will be connected to compromised systems during a mission cycle, we cannot assume that it will stay secure forever. Thus, we would like to go beyond our extreme dependence on this single entity. While moving towards decentralization, we will conduct a detailed investigation about the various candidate topologies, the candidate voting procedures, the limited trusted computing base, etc. A user will submit his job randomly to multiple replicas in this decentralized framework. Similarly, it will obtain information from randomly selected multiple replicas and will perform a majority voting. Following are the prime areas that we will investigate for building the solution: Choosing the topology The topology can range from anything completely decentralized, to cluster formation, to even having a trusted computing base with multiple coordinators. We add a replica to the blacklist till either the mission is complete or the suspected replica has been completely profiled and believed to be uncompromised. This is because if we keep adding replicas to the blacklist aggressively and predictably, we may risk availability of the service and it can lead to a denial of service attack. Thus, we predict that there will be some centralized components in the new framework because it will not be very efficient to have each replica profile every other replica.   Choosing the secure, distributed voting algorithm We plan to leverage features from [49] and other secure voting algorithms to reach a distributed consensus about the integrity status of replicas. Since the system requirements here are very different from any of the work done before, we will have to modify the presented algorithms in order to suit our purpose. Reputation-based mechanisms We will investigate the possibility of using reputation mechanisms as a substitute for blacklisting. Possible use of Nexus In an ideal environment, COTS paradigm is most useful since stronger system could be built without depending on any dedicated or specially designed components. However, the proposed solution requires some minimal intervention to harvest the built-in redundant logics in a chip. So, as an alternative solution, we propose software approaches such as the Nexus platform [50] to achieve the same effect of trusted monitoring using the built-in hardware.
  • Status

Transcript

  • 1. PROACTIVE SCHEMES FOR MISSION ASSURANCE IN CRITICAL SYSTEMS Ruchika Mehresh Ph.D. Dissertation Proposal Defense Department of Computer Science and Engineering University at Buffalo, The State University of New York December 20, 2011 Advisor : Dr. Shambhu Upadhyaya Committee Members : Dr. H. Raghav Rao Dr. Murat Demirbas
  • 2. PRESENTATION OUTLINE Introduction Motivation Problem Formulation Background Solution Remaining Work Dissertation Outline Conclusion Threat Model Solution Evaluation Deception as a tool Component 1 “ Who watches the watcher” Component 2 “ Hiding detection” Component 3 “ Deception-based recovery”
  • 3. PRESENTATION OUTLINE Introduction Motivation Problem Formulation Background Solution Remaining Work Dissertation Outline Conclusion Threat Model Solution Evaluation Deception as a tool Component 1 “ Who watches the watcher” Component 2 “ Hiding detection” Component 3 “ Deception-based recovery”
  • 4.
    • Mission Critical Systems
      • essential services whose failure disrupts business operations
      • not restricted to military domain
      • day-by-day increasing complexity
        • leads to residual bugs and security vulnerabilities
        • worsened by increasing intelligence of attackers
      • example: electricity, communication channel for e-business
    • Mission assurance
      • diverse measures required to make the missions resilient
        • System engineering
        • Risk management
        • Etc.
    INTRODUCTION
  • 5.
    • Basic needs for mission assurance:
    • Mission survivability
      • subset of mission assurance
      • ability of a system to fulfill its mission in a timely manner
      • focus is on an event’s impact on the mission, not its cause
      • phases: prevention, detection, recovery, adaptation
    INTRODUCTION Focus
      • Against benign faults: Fault tolerance
      • Against malign attacks: Security
      • Prevention
      • +
      • Detection
      • +
      • Recovery
  • 6. INTRODUCTION Prevention Detection Recovery
  • 7.
    • Attacker’s profile
      • smart
      • adaptive (not unpredictable)
      • resourceful (well sponsored)
      • stealthy
        • aggressive behavior easier to spot
        • stealth causes more damage
        • political, cooperate-espionage, hacktivism, cyber-extortionism
    • ‘ Single-shot’ vs. ‘multi-stage stealth attacks’
      • multi-stage: initial low-risk, sniffing phases to obtain information, installing backdoors, etc.
    • Attacker executes well-planned multi-stage stealth attacks with a contingency plan
    INTRODUCTION
  • 8.
    • Need: Another layer of defense beyond conventional recovery
    • Aim: Develop and evaluate a secure proactive recovery scheme to ensure mission survivability against smart and determined attackers.
    MOTIVATION
  • 9.
    • Attacker’s behavior is generally categorized as
      • Rational: Attackers that care about both cost and incentive
      • Irrational: Attackers that care only about incentive
    • When risk is a cost
      • As in cyber warfare, industrial espionage
      • Rational attackers execute stealth attacks
      • Irrational attackers are aggressive and do not show stealth behavior
    MOTIVATION
  • 10. PRESENTATION OUTLINE Introduction Motivation Problem Formulation Background Solution Remaining Work Dissertation Outline Conclusion Deception as a tool Component 1 Component 2 Component 3 Threat Model Solution Evaluation
  • 11.
    • Design a realistic attack model that represents today’s era of cyber warfare and competitive open market
    • Provide mission assurance
      • By further strengthening the recovery phase of a mission critical system
    • Mission survivability
      • Satisfy timeliness property ( low overhead )
    MOTIVATION
  • 12. PRESENTATION OUTLINE Introduction Motivation Problem Formulation Background Solution Remaining Work Dissertation Outline Conclusion Threat Model Solution Evaluation Deception as a tool Component 1 “ Who watches the watcher” Component 2 “ Hiding detection” Component 3 “ Deception-based recovery”
  • 13. PROBLEM FORMULATION 1. System type : Mission critical 2. Last wall of defense : secure recovery phase for mission survivability 3. Mission Survivability : Satisfy timeliness property 4. Indefinite missions : time-independent security strength 5. Focus : on event’s impact, not cause 6. Attack model : basis for solution design 7. Tamper-proof : ‘Who watches the watcher ?’ 8. Effective Evaluation 9. Integrity over availability
  • 14. PROBLEM FORMULATION
    • Mode 1: A short running mission with a definite timeline
      • Example: Countdown timer for space shuttle launch
      • Final phase is the most crucial
      • Hold off the attacker from causing major damage till the mission completes
    • Mode 2: A long running mission with an unbounded timeline
      • Example: Electricity to run life-support system
      • Full system recovery is essential if an attack is suspected
      • Need to buy defender more time to figure out exact vulnerabilities exploited so the next recovery cycle can be more effective
  • 15. PRESENTATION OUTLINE Introduction Motivation Problem Formulation Background Solution Remaining Work Dissertation Outline Conclusion Threat Model Solution Evaluation Deception as a tool Component 1 “ Who watches the watcher” Component 2 “ Hiding detection” Component 3 “ Deception-based recovery”
  • 16. BACKGROUND National Counter Intelligence executive mentioned malicious sleeper code left behind by other nation-states Multi-stage delivery of malware
    • Stuxnet
      • Configuration- specific actions
      • limited spread
      • Self-erasing
      • Spread in industry
      • “ Stuxnet is the new face of 21st-century warfare: invisible, anonymous, and devastating ”
    Botnet ‘command and control’
  • 17.
    • Intrusion tolerance
      • Ensures that system provides service even in the presence of faults
      • Necessary for mission survivability
    • Types of intrusion tolerant systems
      • Detection triggered: Relies on IDS to trigger recovery (reactive)
      • Algorithm driven: employs algorithms like voting, threshold cryptography, fragment redundancy scattering, etc.
      • Recovery based: Periodic restoration
      • Hybrid: Proactive and reactive
    BACKGROUND
  • 18. BACKGROUND
      • McAfee survey report, 2011. includes 200 IT executives from critical infrastructure enterprises in 14 countries
      • Ongoing cyber-reconnaissance of US critical infrastructure by nation-states
      • Some electric companies report thousands of probes every month
      • Focus on resilience against denial-of-service-like cyber-attacks rather than a high-end attack intended to sabotage equipment, like stealthy infiltration, Stuxnet (leading threat)
  • 19.
    • Knapp and Boulton
    • Baskerville’s asymmetric war theory justifies need for innovation in defense.
    BACKGROUND
  • 20. PRESENTATION OUTLINE Introduction Motivation Problem Formulation Background Solution Remaining Work Dissertation Outline Conclusion Threat Model Solution Evaluation Deception as a tool Component 1 “ Who watches the watcher” Component 2 “ Hiding detection” Component 3 “ Deception-based recovery”
  • 21. SOLUTION DESIGN Component 1: Surreptitious intrusion detection by keeping the IDS tamper-proof Component 2: Making the integrity signature invisible and accessible to the attacker Component 3: Deception-based proactive recovery scheme, and multi-phase evaluation framework
  • 22.
    • Component 1:
      • Threat model to compromise IDS
      • Graph-based topological solution in multi-core environment
    • Component 2:
      • Threat model to attack recovery
      • Low cost hardware-based solution (timeliness property)
    • Component 3:
      • Threat model for smart attacker
      • Deception-based proactive recovery scheme
    • Other
      • Evaluation Framework
      • Two modes: Centralized, decentralized
    CONTRIBUTIONS
  • 23. PRESENTATION OUTLINE Introduction Motivation Problem Formulation Background Solution Remaining Work Dissertation Outline Conclusion Threat Model Solution Evaluation Deception as a tool Component 1 “ Who watches the watcher” Component 2 “ Hiding detection” Component 3 “ Deception-based recovery”
  • 24.
    • “ All warfare is based on deception.  Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.  Hold out baits to entice the enemy. Feign disorder, and crush him.  If he is secure at all points, be prepared for him. If he is in superior strength, evade him.  If your opponent is prone to anger, seek to irritate him. Pretend to be weak, that he may grow arrogant.  If he is taking his ease, give him no rest.  If his forces are united, separate them.  Attack him where he is unprepared, appear where you are not expected.”: Sun Tzu in ‘The Art of War’
    DECEPTION FOR DEFENSE
  • 25. DECEPTION FOR DEFENSE
    • Two ways to defeat a strong adversary:
    • be stronger
    • manipulate adversary into reduced effectiveness
    • Deception consists of:
    • determining the observables
    • induce desired observations & control the focus of attention
    • use concealment
    • Cyber deception (Cydec)
    • vast literature and taxonomies
    • deception techniques like fingerprint scrubbing, obfuscation, etc.
    • Internal discussions held by Air Force Cyber Command staff in 2008
      • current networks present a sitting target
      • need for change
    • Deception
    • hackers, hacktivists, etc.
    • honey pots
  • 26. PRESENTATION OUTLINE Introduction Motivation Problem Formulation Background Solution Remaining Work Dissertation Outline Conclusion Threat Model Solution Evaluation Deception as a tool Component 1 “ Who watches the watcher” Component 2 “ Hiding detection” Component 3 “ Deception-based recovery”
  • 27.
        • Smart burglar –disable ADT first before burglarizing a home!
    • Malware exists that subvert protection devices
          • user space components like, intrusion detection systems, antivirus
          • retrovirus
            • disables/infects antivirus
          • example: argument switch attacks
          • easier in multithread, multi-core setup
    THREAT MODEL
  • 28.
    • Problem: “Who watches the watcher?”
    • Solutions proposed
      • use of virtual machine: High cost (mission survivability)
      • topological frameworks: Details later
    • We propose
      • a topological framework in multi-core environment
    THREAT MODEL
  • 29.
    • Design and Implementation of IDS
      • user space
        • traditional deployment
      • kernel space
        • better protection, but increases the trusted computing base
    • Secure monitoring of user space IDS
      • running them on isolated virtual machines
      • self protection by redundancy and reconfiguration
    • We propose a hybrid of user-level and kernel level protection
    EXISTING SOLUTIONS
  • 30. EXISTING SOLUTIONS
    • Chameleon project at UIUC
    • Can be easily compromised
    • AAFID project at Purdue
    • Provides only a marginal increase in security
  • 31. PROPOSED SOLUTION
    • Circulant digraph
    • Very difficult to subvert
    • Provides an infinite hierarchy of monitoring using finite number of monitors
  • 32. WHY MULTI-CORE
    • Multi-core technology has become mainstream and it presents new security and design challenges
    • Existing solutions need to be reevaluated
    • Concurrency can be exploited to provide efficacy
  • 33. SIMPLE ARCHITECTURE Intrusion detector or a crucial user space service Lightweight process monitor Direction of Monitoring Process i runs on core i , and 1≤i≤K, where K is the total number of cores on the processor Numbers from 1-K indicate the K cores of the host’s processor 2 3 4 5 6 1 K K-1
  • 34. THREAT MODEL
    • Denial of Service attacks in multi-core
      • Memory hogging
      • Addressed by conditional check
    • Window of vulnerability
      • Scheduling interrupts continuous monitoring
      • Addressed by multiple degree of incidence
    • Exploiting system vulnerabilities
      • Crash attacks
  • 35. FRAMEWORK TOPOLOGIES
    • Topology 1: Simple Ring
    • Topology 2: Circulant Digraph
    A circulant digraph C K (a 1 , . . . , a n ) with K vertices v 0 , . . . v K−1 and jumps a 1 , . . . , a n , 0 < a i < ⌊K/2⌋, is a directed graph such that there is a directed edge each from all the vertices v j ±a i mod K, for 1 < i < n to the vertex v j , 0 < j <K – 1. It is also homogeneous i.e., every vertex has the same degree (number of incident edges), which is 2n, except when a i =K/2 for some i, when the degree is 2n−1 Figure: Circulant digraph with 8 process monitors running on 8 cores. One process monitor per core. This circulant digraph has a degree of incidence 3 and jumps {1,2} 3 5 4 6 7 8 2 1
  • 36. FRAMEWORK TOPOLOGIES
    • Topology 3: Adaptive Cycle
      • Multiple degree of incidence raises multiple alerts for reporting the same instance of suspicious activity
      • Need to reduce the extra overhead (we just need one)
    Figure: Adaptive topology when cores 2 and K are heavily loaded 1 K-1 … . … . 4 3 K 2
  • 37.
    • k-queue currently supports only exit(), fork() and exec() family of system calls
    • Currently, our experiments are limited to crash attacks
    • All processes can be crashed using the kill() system call
    • An attacker is given all information about vulnerabilities
    • Are TOCTOU style attacks possible?
      • Experiments performed under heavy system load
    ATTACK SCENARIOES
  • 38. EVALUATION
    • Multi-core simulator: AMD SimNow
    • Kernel level filters for tamper-resistant process monitoring
      • kqueue (event delivery/notification subsystem) – freeBSD
      • kqueue currently supports only exit(), fork() and exec()
    • Eight simulated cores
      • one process-monitor per core
    • Possibility of TOCTOU attacks under heavy system load.
  • 39. EVALUATION – TIME OVERHEAD Figure: Time Overhead (Initial setup time for the kqueue subsystem to get loaded) for circulant digraph topology with 8 process monitors
      • Figure: Memory overhead (memory consumed by an instance of the framework as a % of the system memory capacity) in an 8-node circulant digraph topology
  • 40. EVALUATION – TAMPER RESISTANCE Figure: Alerts generated for killing process monitors in sequential order without delay, under light system load Figure: Alerts generated for killing process monitors in sequential order without delay, under heavy system load
  • 41. CONCLUSION
    • Monitoring framework to secure IDS in a multi-core environment
      • low time overhead
      • low memory overhead
      • strong tamper-resistance properties
  • 42. PRESENTATION OUTLINE Introduction Motivation Problem Formulation Background Solution Remaining Work Dissertation Outline Conclusion Threat Model Solution Evaluation Deception as a tool Component 1 “ Who watches the watcher” Component 2 “ Hiding detection” Component 3 “ Deception-based recovery”
  • 43.
    • Threats to recovery phase
      • attacks on byzantine protocols
      • attacks on proactive recovery protocols
      • attacks on proactive-reactive recovery protocols
      • attacks on proactive-reactive recovery with spatial diversity
      • the quiet invader
      • the physical access threat
    • Reactive recovery
      • can not detect all intrusions
      • false positives
      • predictive vs. reactive
    THREAT MODEL
  • 44. PRESENTATION OUTLINE Introduction Motivation Problem Formulation Background Solution Remaining Work Dissertation Outline Conclusion Threat Model Solution Evaluation Deception as a tool Component 1 “ Who watches the watcher” Component 2 “ Hiding detection” Component 3 “ Deception-based recovery”
  • 45.
    • Profile: Smart, Adaptive, Resourceful, Stealthy
    • Irrational attacker
      • payoff = incentive
    • Rational attacker
      • payoff = incentive – cost
      • = incentive – (finance +risk)
      • smart attacker wants to keep incentive high, risk low
        • Be stealthy for low risk
        • Plan enough for high incentive
      • if attacker suspects detection, risk -> ∞, how can attacker maximize the payoff?
      • by making, incentive -> ∞
    THREAT MODEL
  • 46. THREAT MODEL
  • 47. PRESENTATION OUTLINE Introduction Motivation Problem Formulation Background Solution Remaining Work Dissertation Outline Conclusion Threat Model Solution Evaluation Deception as a tool Component 1 “ Who watches the watcher” Component 2 “ Hiding detection” Component 3 “ Deception-based recovery”
  • 48.
    • Assumed a centralized, replicated system for demonstration
    • Information hidden using low level built-in hardware that is not accessible to the adversary.
    • Defender’s response to detection
      • prepare while deceiving
      • secure recovery
    COMPONENTS 2 AND 3 “ Hiding detection?” AND “Deception-based recovery”
  • 49. Coordinator Replica 1 Replica 2 Replica 3 Replica n Workload Workload Workload Workload Workload Replica 3 R R R R Periodic checkpoint Hardware Signature Periodic checkpoint Hardware Signature Need at least a duplex system H C H C H C H C Periodic checkpoint Hardware Signature Periodic checkpoint Hardware Signature Periodic checkpoint Hardware Signature
  • 50. HARDWARE SIGNATURE GENERATION
  • 51. PRESENTATION OUTLINE Introduction Motivation Problem Formulation Background Solution Remaining Work Dissertation Outline Conclusion Threat Model Solution Evaluation Deception as a tool Component 1 “ Who watches the watcher” Component 2 “ Hiding detection” Component 3 “ Deception-based recovery”
  • 52. PERFORMANCE ANALYSIS
    • Cases
      • Case 1: S ystems with no checkpointing
      • Case 2: Systems with checkpointing, no failures/attacks
      • Case 3: Systems with checkpointing, failures/attacks
    • Workload
      • Java SciMark 2.0 benchmark workloads: FFT, SOR, Sparse, LU
    • Multi-step simulation based evaluation approach
  • 53.
    • Complex system with several hardware and software layers
    • Which is best?
      • Theoretical models like, CTMC
      • Prototype implementation
      • Functional simulation
    • We propose
      • Using a mix of methods in multiple steps
      • Benefits
        • Low cost
        • Low effort
        • Higher accuracy
        • Realistic results
    MULTI-STEP EVALUATION
  • 54.
    • Divide-and-Conquer, system modularization
    • Start at the highest level and approach downwards
      • composability
      • sufficiency
    • Lowest level
      • black-box defined with parameters derived from implementation
    • Tools used
      • prototype development – JAVA
      • simulation – ARENA
      • hardware simulation - CADENCE
    MULTI-STEP EVALUATION
  • 55. MULTI-STEP APPROACH
  • 56. RESULTS
  • 57. RESULTS
  • 58. CONCLUSION
    • Low cost solution to secure proactive recovery
    • Mission survivability
    • Utilized redundant hardware
    • Small overhead in absence of failures
      • effective preventive measure
  • 59. PRESENTATION OUTLINE Introduction Motivation Problem Formulation Background Solution Remaining Work Dissertation Outline Conclusion Threat Model Solution Evaluation Deception as a tool Component 1 “ Who watches the watcher” Component 2 “ Hiding detection” Component 3 “ Deception-based recovery”
  • 60.
    • Framework implementation - threat specific
    REVISITING SOLUTION DESIGN Intrusion Detection System Symptoms to Script mapping (Smart box) Smart Script Repository
  • 61. PRESENTATION OUTLINE Introduction Motivation Problem Formulation Background Solution Remaining Work Dissertation Outline Conclusion Threat Model Solution Evaluation Deception as a tool Component 1 “ Who watches the watcher” Component 2 “ Hiding detection” Component 3 “ Deception-based recovery”
  • 62. REMAINING WORK
    • Extending the framework to decentralized environment
    • Choosing the topology
    • Designing a secure, distributed voting algorithm
    • Designing decentralized reputation based mechanism
    • Possible use of Nexus
    • Developing scheme for tamper-resistance and mission survivability
  • 63. PRESENTATION OUTLINE Introduction Motivation Problem Formulation Background Solution Remaining Work Dissertation Outline Conclusion Threat Model Solution Evaluation Deception as a tool Component 1 “ Who watches the watcher” Component 2 “ Hiding detection” Component 3 “ Deception-based recovery”
  • 64. DISSERTATION OUTLINE Chapters Topic s Chapter 1 Introduction Chapter 2 Background Chapter 3 Problem Formulation Chapter 4 Surreptitious intrusion detection by keeping the IDS tamper-proof (For both centralized and decentralized environment) Chapter 5 Making the integrity signature invisible and accessible to the attacker (For both centralized and decentralized environment) Chapter 6 Deception-based secure proactive scheme (For both centralized and decentralized environment) Chapter 7 Evaluation Chapter 8 Conclusion
  • 65. PRESENTATION OUTLINE Introduction Motivation Problem Formulation Background Solution Remaining Work Dissertation Outline Conclusion Threat Model Solution Evaluation Deception as a tool Component 1 “ Who watches the watcher” Component 2 “ Hiding detection” Component 3 “ Deception-based recovery”
  • 66.
    • Developed a realistic attack model
    • Proposed a deception-based proactive recovery scheme to ensure mission survivability against smart and adaptive attackers
      • demonstrated using a centralized, replicated system
    • Proposed and evaluated scheme to make the proposed solution tamper-proof
    • Performance results so far:
      • low overhead
      • security strength is time-independent
    CONCLUSION
  • 67.
    • Workshop publications
    • R. Mehresh, S. J. Upadhyaya and K. Kwiat, “A Multi-step Simulation Approach toward Secure Fault Tolerant System Evaluation,” in Third International Workshop on Dependable Network Computing and Mobile Systems (DNCMS), Co-located at 29th IEEE Symposium on Reliable Distributed Systems , 2010, pp. 363-367.
    • Conference publications
    • R. Mehresh, S. J. Upadhyaya and K. Kwiat, “Secure Proactive Recovery – A Hardware Based Mission Assurance Scheme,” in Sixth International Conference on Information Warfare and Security , 2011, pp. 171-179.
    • R. Mehresh, J. J. Rao, S. J. Upadhyaya, S. Natarajan and K. Kwiat, “Tamper-resistant Monitoring for Securing Multi-core Environments,” in Sixth International Conference on Security and Management (SAM) , vol. 2, 2011, pp. 372-378.
    • Journal publications
    • R. Mehresh, S. J. Upadhyaya and K. Kwiat, “Secure Proactive Recovery – A Hardware Based Mission Assurance Scheme,” in Journal of Network Forensics , vol 3(2), 2011, pp. 32-48.
    REFERENCES
  • 68.