Presentation Transcript
Intrusion Countermeasures Security Model based on Prioritization Scheme for Intranet Access Security

Authors

Professor Shambhu Upadhyaya

Professor H. R. Rao

Manish Gupta

Shamik Banerjee

Contributions of Paper
  • Framework for Effective Response Mechanism
  • RBAC and Prioritization based Vulnerability assessment scheme
  • Optimize Alert Engine detections
  • Faster turn-around time-to-detection
  • Proposed model can be used as a plug-in for an Alert Engine
Existing Intranet security access control models
  • Access Control List
  • Discretionary Access Control
  • Mandatory Access Control
  • Role Based Access Control Model
    • RBAC1
    • RBAC2
    • RBAC3
Framework based on RBAC (contd..)
  • The traditional approach grants specific permissions for each application to each user within an organization.
    • Access management done this way is cost-prohibitive and error-prone.
  • RBAC uses the user's role, rather than the user's identity, as the key to access.
  • Task-based authorizations map the access permissions at the application and enterprise level based on the end transaction.
  • The current paper suggests a model that
    • Synergizes RBAC with a transaction-based access control approach
    • Enhances the Alert Engine's proactiveness
    • Improves the turn-around time for intrusion remediation
Our Framework based on RBAC

Nomenclature

  • Applications (A): {A1, A2, A3, …, An}
  • Application transactions (X): {X1, X2, X3, X4, …, Xm}
  • Application roles / access levels (L): AiLj
  • Application Access Level Transaction (ALAX) map
  • Organizational functional departments (D): {D1, D2, D3, D4, …, Dp}
  • Organizational roles (R)
  • Application Access Level Departmental Role (ALDR) map: AiLj → DkRp
Proposed framework to derive access priority scheme

The paper proposes a generic framework for any corporate intranet to prioritize its security event monitoring and to design a model for its access scheme based on the expense/impact severity levels of misuse of the intranet.

  • Steps
    1. Identify and categorize transactions based on importance and cost levels in terms of impact in case of misuse.
      • Analyze and identify known risks
      • Analyze and identify known exceptions
    2. Let each application/transaction be assigned an individual criticality weight, denoted by ωi. Thus each application may be uniquely qualified by a security criticality measure written as AiXjωk.
      • Cm = {A1X2, A3X2, …, AiXj, …}
        • m denotes the priority level as defined by the security needs of the organization
Proposed framework to derive access priority scheme (Contd..)
  • 2. (contd.) The overall aggregate weighted score for any such level Cm can be represented as Ωm.
  • The value of Ω used by the prioritization scheme can be decided based on the organizational security policies.
  • Combined criticality and priority level of transactional cost
    • The simultaneous occurrence of a combination of transactions may be more critical than the individual transactions.
    • The rules that analyze event logs to generate alarms should look for patterns of such combinations, aided by the priority levels and the transactions assigned to those levels.
    • The proposal recommends that dependencies between inter-application transactions, as opposed to intra-application transactions, be given equal consideration while preparing the matrix.
Proposed framework to derive access priority scheme (Contd..)
  • Since the model builds on RBAC, prioritization based on access levels or departmental roles can also be achieved. Monitoring of departmental roles aligns with decisions about the privilege levels granted to the users in each role group.
  • The proposed model can be extended by retracing departmental roles to their access level assignments and from there to the application transactions.

Example: DR → {AL(s)} → {AX(s)}

Proposed framework to derive access priority scheme (Contd..)
  • With this schematic structure in place for all the applications in the organization's framework, we gain the following advantages: the processing capability of the anomaly detection engine is optimized, true alarms are detected more easily and faster, and hence the response and countermeasure system becomes more effective.
  • Increase the operational efficiency of the detection engine.
  • Efficient access security monitoring
  • Efficient response and countermeasures to alerts
Model Representation

[Figure: 3-dimensional model representation; labels recovered from the slide. Criticality Set Cj: a global security access level boundary decided by the organization for security monitoring. Criticality sets C1, C2, with criticality reducing away from the origin. Individual criticality weights ωi for the elements A1X1, A2X2, A3X3, A4X4. Aggregate weights Ωi, starting from Ωmax at the origin and reducing.]

The model always tries to build the most critical information domain by re-arranging the priorities of the individual elements.

Along the X-axis, the individual application transaction criticality weights are plotted. On the Y-axis each individual criticality set is represented, with C1, the most critical set, closest to the origin and having the highest values of Ω. On the Z-axis, the values of Ω are plotted starting from the origin, with the maximum value at the origin.

This model can be extended for any prioritization and categorization of any information distribution and sharing to get the maximum value from it.

Representation of the model operating in a 3-dimensional space domain

An Example
  • A1 = Customer Credit Card Transaction Monitoring Application
  • A2 = Customer Account Information Application
  • Each of the 2 applications can have many transactions, denoted by Xi.
  • Let X1: View Customer Credit Card Transaction
  • X2: Update Transaction Amount
  • X3: View Customer Personal Information
  • X4: Update Customer Account Information
  • From the sensitivity / criticality perspective, the following hypothetical weights may be assigned on a scale of 100 to each of the transactions above. These criticalities will vary depending on the business impact to the organization.
  • X1: ω1 = 15
  • X2: ω2 = 40
  • X3: ω3 = 25
  • X4: ω4 = 35
  • Thus we can now build the vulnerability dependency matrix from which the optimal access security monitoring model is derived, as drawn in the adjacent figure.
  • C1: Ω1 → A1X1 + A1X2 + A2X3; Ω1 = 15+25+35 = 75
  • C1: Ω2 → A1X1 + A2X3; Ω2 = 15+25 = 40
Model Comparison with RBAC
  • RBAC
    • One-time policy definition and access role
    • Does not monitor ongoing patterns
      • Alert Engine generates extensive logs
      • No prioritization
      • Sub-optimal cost-effectiveness of threat detection
  • Current Model
    • Operates at a user-defined threshold level
    • Eliminates redundant scans
    • Saves information security costs
    • Business Risk = Business Value x Vulnerabilities x Threats x Time to Detection (the model reduces this last component)
Application of criticality matrix to IDS and Alert Mechanisms
  • Forms the basis for a forensic monitoring module and caters to the real-time business rules of the organization.
  • This includes a way to scan the alert logs based on a real-time, dynamic business rule definition.
  • This would include component criticality weighting, linked to the changing business scenarios and priorities.
  • Advantages to security management policies and endeavors
    • Dynamic monitoring
    • Learning capability
    • More effective than quantitative evaluation
    • Efficient resource usage
Implementation Scenario

[Figure: entity-relationship diagram; labels recovered from the slide. Entities: Application, Transaction, Access_Level, Org_Role, Dept. Relationship labels: includes, is accessed by, has, incl.]
  • The access security model can be integrated as a module in alert engine software, in particular with the Event Log Scanning functionality.
  • From the implementation perspective, the organization, as part of its systems implementation methodology, should make it mandatory to estimate the business criticality of each application and of its individual transactions.
  • These estimates serve as input to the alert engine's security access module, which prioritizes the monitoring of the security logs. Thus the event scanning engine has a reduced set of data to monitor and to set up anomaly alarms for.

Typical ERD for Prioritization Model
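As an added example of the event log scanning module described above (and of the combination-pattern rules from the framework slides), the following scanner is not code from the paper: it reads a constructed log format, keeps only the transactions referenced by criticality sets whose Ω reaches an assumed global boundary, and raises an alert when one user completes a whole set within an assumed correlation window. The ω weights and the criticality sets follow the example slide; the log format, the window, the boundary and the sample log lines are constructed.

```python
"""Prioritized event-log scanning for the alert engine's security access module.

Added example, not code from the paper. The log line format, the correlation
window, the Ω boundary and the sample log are constructed assumptions; the ω
weights and the criticality sets follow the example slide.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, NamedTuple

OMEGA: Dict[str, int] = {"A1X1": 15, "A1X2": 40, "A2X3": 25, "A2X4": 35}

# Criticality sets in priority order (C1 first). A set is a combination pattern:
# the rule fires when one user executes every transaction in it within WINDOW.
CRITICALITY_SETS: List[FrozenSet[str]] = [
    frozenset({"A1X1", "A1X2", "A2X3"}),  # C1: view card tx, change amount, view personal info
    frozenset({"A1X1", "A2X3"}),          # C2
]
WINDOW = timedelta(minutes=10)  # assumed correlation window
OMEGA_BOUNDARY = 30             # assumed global boundary; sets with Ω below it are not scanned

# Assumed log format: "<ISO timestamp> user=<id> role=<DkRp> tx=<AiXj>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) tx=(?P<tx>A\dX\d)$")


class Event(NamedTuple):
    ts: datetime
    user: str
    role: str
    tx: str


class Alert(NamedTuple):
    priority: str
    omega: int
    user: str
    transactions: FrozenSet[str]
    first_seen: datetime


def parse_log(lines) -> List[Event]:
    """Parse log lines; lines that do not match the format are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["user"], m["role"], m["tx"]))
    return events


def aggregate(cset: FrozenSet[str], omega: Dict[str, int]) -> int:
    """Ω for a criticality set: the sum of its transactions' ω weights."""
    return sum(omega[t] for t in cset)


def scan(events, omega=OMEGA, sets=CRITICALITY_SETS, boundary=OMEGA_BOUNDARY, window=WINDOW) -> List[Alert]:
    """Return alerts for completed combination patterns, highest Ω first."""
    # Only rules whose aggregate weight reaches the boundary are evaluated.
    active = [(f"C{m}", s, aggregate(s, omega))
              for m, s in enumerate(sets, start=1) if aggregate(s, omega) >= boundary]
    # Reduced data set: keep only events whose transaction an active rule references.
    watched = frozenset().union(*(s for _, s, _ in active))
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.tx in watched:
            by_user[ev.user].append(ev)

    alerts: List[Alert] = []
    for user, evs in by_user.items():
        for i, anchor in enumerate(evs):
            # transactions this user performed within `window` of the anchor event
            seen = {e.tx for e in evs[i:] if e.ts - anchor.ts <= window}
            for level, s, om in active:
                already = any(a.user == user and a.transactions == s for a in alerts)
                if s <= seen and not already:
                    alerts.append(Alert(level, om, user, s, anchor.ts))
    # Suppress a lower set wholly contained in a fired higher set for the same user.
    alerts = [a for a in alerts
              if not any(b.user == a.user and a.transactions < b.transactions for b in alerts)]
    return sorted(alerts, key=lambda a: (-a.omega, a.first_seen))


# Constructed sample log: u17 completes C1 within five minutes; u23's two
# watched transactions are 45 minutes apart, so no pattern completes.
SAMPLE_LOG = """\
2024-03-01T09:00:00 user=u17 role=D1R1 tx=A1X1
2024-03-01T09:02:10 user=u17 role=D1R1 tx=A2X3
2024-03-01T09:04:30 user=u17 role=D1R1 tx=A1X2
2024-03-01T09:05:00 user=u23 role=D1R2 tx=A2X4
2024-03-01T09:30:00 user=u23 role=D1R2 tx=A1X1
2024-03-01T10:15:00 user=u23 role=D1R2 tx=A2X3
this line is not an event and is skipped
""".splitlines()

if __name__ == "__main__":
    for a in scan(parse_log(SAMPLE_LOG)):
        print(a.priority, a.omega, a.user, sorted(a.transactions), a.first_seen.isoformat())
```

Raising the boundary shrinks both the rule set and the events the engine has to retain, which is the "reduced set of data sets to monitor" claimed on the slide; narrowing the window instead changes which set completes (with a short window only C2 fires for u17), so the window is a tuning parameter that should be reviewed alongside the Ω values in the organization's policy.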

Conclusion

Summary of proposed framework

  • Tries to minimize the perceived cost of security in terms of lost productivity
  • Improves the quality of security and the overall manageability of information assets on the intranet.

Future Research Directions

  • Impact of different sequences of transactions on the development of the prioritization matrix
  • Incorporation of constraints and other boundaries into the access control model
  • Obtaining the aggregate criticality matrix using other algorithms that can better reflect the criticalities of individual transactions.
Thank You!!

Questions??