
Towards An Efficient Integrated Enterprise Cyber-Defense System

Towards An Efficient Integrated Enterprise Cyber-Defense System. C. Edward Chow and Xiaobo (Joe) Zhou Department of Computer Science University of Colorado at Colorado Springs.





Presentation Transcript


  1. Towards An Efficient Integrated Enterprise Cyber-Defense System
  C. Edward Chow and Xiaobo (Joe) Zhou, Department of Computer Science, University of Colorado at Colorado Springs
  Part of this work is based on research sponsored by the Air Force Research Laboratory, under agreements number F49620-03-1-0207 and FA9550-04-1-0239 as NISSC grants, Fall 2003, Spring 2004 and Fall 2004.
  Front Range Workshop for Information Security

  2. Outline of the Talk
  • Organic systems and information security
    • Organic means self-configuration, self-management (adaptive to load), autonomic, and self-healing.
  • Realizing an organic security technique: proxy-based multi-path indirect routing
  • Developing techniques and tools for supporting secure information sharing and collaborative work among multiple agencies
  • Improving measurable performance in cyber defense systems by QoS regulation with information fusion

  3. An Integrated System Infrastructure

  4. An Enterprise Cyber-Defense System


  6. Utility Computing Technology
  • Dynamic resource allocation/control according to load status.
  • Various account control according to amount of use of resource.
  (Diagram: applications (APP ...) on top of a Resource Re-allocation Management layer and an Account Mechanism, over a platform of server, storage, and network.)
    • Monitoring: load amount detection (CPU, memory, link bandwidth), service quality monitoring, bottleneck analysis
    • Measurement/Control: optimization of resource/contents arrangement (simulator etc.), load balance control (between centers / in center), traffic redirection
    • Account Mechanism: user profile with utility time, utility CPU and utility bandwidth; measurement, monitoring, enforcement and control databases

  7. Distributed IDC/Organic Networking
  Effective use of corporate center resource and data integrity
  • Hosting multiple customer sites with utility-based charge.
  • Direct clients to faster/closer data center.
  • Redirect requests during network congestion/system failures/DDoS attacks.
  • Relocate servers to adapt to system load and flash crowd.
  (Diagram: IDC2 (BtoB/C portal) and IDC3 (data backup) with operation and backup resources shared across BtoB and BtoC, connected over the Internet and VPN-CUG links to headquarters, group company, consumer and enterprise users.)

  8. A2D2 Multi-Level Adaptive Rate Limiting For Anti-DDoS Defense

  9. SCOLD: Secure COLlective Defense
  (Diagram: alternate gateways R1, R2, R3; client networks net-a.mil, net-b.mil, net-c.mil with hosts A and DNS servers DNS1, DNS2, DNS3; routers R; the victim with its DNS server; DDoS attack traffic and client traffic both arriving at the victim.)
  Need to inform clients or client DNS servers! But how to tell which clients are not compromised? How to hide IP addresses of alternate gateways?

  10. SCOLD
  (Diagram: the client networks net-a.mil, net-b.mil, net-c.mil with DNS1, DNS2, DNS3; proxy servers Proxy1, Proxy2, Proxy3; alternate gateways R1, R2, R3; a Reroute Coordinator; the victim; attack traffic and client traffic drawn separately.)
    1. Victim sends a distress call.
    2. Reroute Coordinator sends Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s)).
    3. New route via Proxy1 / Proxy2 / Proxy3.
    4. / 4a. Attack traffic detected by IDS, blocked by firewall.
    4b. Client traffic comes in via alternate route.

  11. SCOLD Secure DNS Update with New Indirect DNS Entries
  (Diagram: modified Bind9 servers and a modified client resolve library exchanging the new entries.)
  Example entry: (target.targetnet.com, 133.41.96.71, ALT 203.55.57.102 203.55.57.103 185.11.16.49 221.46.56.38)
  New Indirect DNS Entries: a set of alternate proxy servers for indirect routes.
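The distress-call / reroute exchange on slides 10 and 11, written out as an added Python model (this is not SCOLD's own code). The entry layout (name, direct IP, ALT proxy list) and the four proxy addresses come from slide 11; the class names, the HMAC-keyed command format standing in for the "secure DNS update", and the client's fallback rule are assumptions made for the illustration.

```python
"""Model of the SCOLD distress-call / reroute exchange (slides 10-11).

Added example, not SCOLD's code. RerouteCoordinator, IndirectDns,
ClientResolver, the HMAC-signed command and the 'unreachable' set are
assumptions; the indirect entry layout follows slide 11.
"""
import hashlib
import hmac
import ipaddress
import json
from dataclasses import dataclass, field


@dataclass
class IndirectEntry:
    name: str
    direct_ip: str
    alt_proxies: list = field(default_factory=list)


def parse_indirect_entry(text: str) -> IndirectEntry:
    """Parse '(name, direct_ip, ALT p1 p2 ...)' as printed on slide 11."""
    name, direct_ip, rest = (p.strip() for p in text.strip().strip("()").split(",", 2))
    keyword, *proxies = rest.split()
    if keyword != "ALT":
        raise ValueError("indirect entry must carry an ALT proxy list")
    for ip in (direct_ip, *proxies):
        ipaddress.ip_address(ip)  # reject malformed addresses before they reach a resolver
    return IndirectEntry(name, direct_ip, proxies)


def sign_command(cmd: dict, key: bytes) -> str:
    """HMAC over a canonical JSON encoding (assumed secure-update mechanism)."""
    body = json.dumps(cmd, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IndirectDns:
    """Modified DNS server: direct A records plus an ALT proxy set per name."""

    def __init__(self, key: bytes):
        self.key = key
        self.records: dict = {}

    def add_record(self, name: str, ip: str) -> None:
        self.records[name] = IndirectEntry(name, ip)

    def apply_reroute(self, cmd: dict, tag: str) -> bool:
        """Step 2 receiver: accept a reroute command only if it authenticates
        and names a record this server actually serves."""
        if not hmac.compare_digest(tag, sign_command(cmd, self.key)):
            return False
        entry = self.records.get(cmd["name"])
        if entry is None or entry.direct_ip != cmd["victim_ip"]:
            return False
        entry.alt_proxies = list(cmd["proxies"])
        return True

    def resolve(self, name: str) -> IndirectEntry:
        return self.records[name]


class RerouteCoordinator:
    """Takes the victim's distress call (step 1) and pushes the reroute command
    (DNS name, victim IP, proxy servers) to every DNS server (step 2)."""

    def __init__(self, dns_servers, proxies, key: bytes):
        self.dns_servers = list(dns_servers)
        self.proxies = list(proxies)
        self.key = key

    def distress_call(self, name: str, victim_ip: str) -> dict:
        cmd = {"name": name, "victim_ip": victim_ip, "proxies": self.proxies}
        tag = sign_command(cmd, self.key)
        for dns in self.dns_servers:
            dns.apply_reroute(cmd, tag)
        return cmd


class ClientResolver:
    """Modified client resolve library: use the direct address while it answers,
    otherwise take the first reachable proxy (the alternate route of step 4b)."""

    def __init__(self, dns: IndirectDns, unreachable=()):
        self.dns = dns
        self.unreachable = set(unreachable)

    def route_for(self, name: str):
        entry = self.dns.resolve(name)
        if entry.direct_ip not in self.unreachable:
            return ("direct", entry.direct_ip)
        for proxy in entry.alt_proxies:
            if proxy not in self.unreachable:
                return ("indirect", proxy)
        raise RuntimeError(f"no reachable route to {name}")


PROXIES = ["203.55.57.102", "203.55.57.103", "185.11.16.49", "221.46.56.38"]  # slide 11


def demo(key: bytes = b"constructed-shared-key"):
    """Run the exchange end to end with the slide-11 victim and proxies."""
    dns = IndirectDns(key)
    dns.add_record("target.targetnet.com", "133.41.96.71")
    RerouteCoordinator([dns], PROXIES, key).distress_call("target.targetnet.com", "133.41.96.71")
    client = ClientResolver(dns, unreachable={"133.41.96.71"})  # direct path saturated
    return client.route_for("target.targetnet.com")


if __name__ == "__main__":
    print(demo())
```

The two checks in `apply_reroute` are the defensive part: a DNS server ignores a reroute command that is not keyed by the coordinator or that does not match a record it serves, so a forged command cannot redirect clients of an arbitrary name to a proxy of the forger's choosing.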

  12. IP tunnel

  13. SIS: Secure Information Sharing
  Develop techniques and tools for supporting secure information sharing and collaborative work among multiple agencies, with focus on:
  • Public Key Certificate (for authentication) and Attribute Certificate (for authorization, using Role Based Access Control) management for large-scale information sharing and collaborative work
  • Infrastructure support for secure web-based collaborative applications
  • Ubiquitous computing for sharing sensor and web information

  14. SIS System Overview
  (Diagram: Public Key Certificate (PKC) fields: Version, Serial Number, Signature ID, Subject, Issuer, Validity Period, Subject Public Key Info, Extensions, Signature. Attribute Certificate (AC) fields: Version, Serial Number, Signature ID, Holder, Issuer, Validity Period, Attributes, Extensions, Signature. An RBAC Policy file and a User Role Specification feed the AC Administration Tool, which creates/changes/revokes attribute certificates held in the LDAP Server. Mail Server, Database, Instant Msg Server and Web Server consult the Access Control Decision and Enforcement Engine; the User is authenticated with the PKC and authorized via the AC.)

  15. SIS Test-bed Performance: Access Time from a client at sis-canada

  16. Innovations in SIS Project
  • Developed efficient procedures and tools to set up Public Key Infrastructure for authentication and Privilege Management Infrastructure for authorization.
  • Created a multi-agency SIS test bed based on LDAP and web servers.
  • OpenLDAP servers were enhanced to accept attribute certificates.
  • LDAP module of the Apache web server was extended to achieve secure web access.
  Innovation in Distribution: Software/Demo Prototype available on DVD with MS Virtual PC 2004, as a network of User Mode Linux (UML) virtual machines, at nominal fee.

  17. Secure Scalable Collaborative Tools
  • Developed Edge Server-side Include Collaborative (ESIC) framework for developing collaborative systems
    • Ready to deploy via Content Delivery Network systems such as Akamai, tapping into the resources of thousands of CDN cache servers and their bandwidth.
  • Developed web-based, firewall-friendly CoWebBrowser for collaborative viewing of web documents
    • Based on signed JavaScript and pushlet technologies.
  • Develop secure groupware for First Responders
    • Instant messaging/remote file display utilizing PDAs with wireless LAN 802.11
    • Integrate KeyStone group key management system with Jabber Instant Messaging system
    • Being extended to access mica2 wireless sensor network for fire and firefighter tracking.

  18. Our Innovations in Organic Security
  • Enhanced Intrusion-Tolerant DNS system
    • Allow multiple indirect routing entries
    • Allow peer-to-peer indirect DNS query
  • Proxy-based Multiple Path Indirect Routing
    • Ready to deploy with connection relay servers
  • Adaptive Available Network Bandwidth Measurement
  • Highly Available Secure Server Cluster
    • Secure XML/URL based content switch for e-commerce
    • High availability load balancer configuration with Distributed File System support.
  • Autonomous Anti-Distributed Denial of Services (A2D2)
    • Multi-level adaptive rate limiting firewall
    • IDIP-based enterprise intrusion detection extension being ported to CIDF/IDMEF standard.
  • QoS Differentiation Techniques against Uncertainty

  19. An Integrated System Infrastructure

  20. What are the Goals?
  To improve measurable network and system performance under cyber attacks, threats, and uncertainty, we want to design an effective enterprise cyber-defense system by integrating
  • A distributed intrusion detection system
  • An intrusion information fusion infrastructure
  • QoS regulation techniques for uncertain intrusion handling at enhanced router and end server systems
  • Intrusion tolerance techniques based on proxy-based multiple path routing

  21. Why QoS in Security?
  • QoS is the target of cyber-attacks
    • Reduced QoS levels provided by systems and networks and experienced by users
    • Weak trustworthiness of Internet services
    • Worst case, no service (QoS)
  • QoS is also a means
    • To help systems and networks behave under uncertainty
    • To slow down potential malicious code (e.g., worms)
    • To enhance system and network performance

  22. How could that be?
  • Make the performance of systems and networks configurable and controllable by themselves, instead of by the parameters and behaviors of attacks
    • Worm-infected hosts have a much higher connection-failure rate than others
    • Even among successful connections, we may distinguish normal behaviors, aggressive behaviors, potentially malicious behaviors, and confirmed malicious behaviors
  • Traffic with different behaviors will be processed by systems and networks differently
    • Not just client-based, but class-based

  23. What do we need?
  • A distributed intrusion detection system
    • Collect behaviors with different confidence
  • An information fusion infrastructure
    • Decision making and classification
  • QoS differentiation & regulation techniques
    • Processing per-class traffic differently
    • Network edge routers
    • Endpoint computer systems
    • Individual servers and cluster-based servers
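Slides 22 and 23 describe the pipeline in words: collect connection behaviour, classify hosts into classes (normal, aggressive, potentially malicious, confirmed), then let a router or server allocate service to each class rather than to each client. The following is an added Python illustration of that class-based regulation, not code from the talk; the connection log, the failure-rate thresholds, the minimum-evidence rule, the class weights and the capacity figure are all constructed assumptions, with the proportional weighting standing in for the "proportional differentiation" of the later slides.

```python
"""Class-based QoS regulation driven by connection-failure behaviour.

Added example for slides 22-23; not the talk's code. Thresholds, class
names, weights, MIN_ATTEMPTS and the sample log are constructed assumptions
standing in for what a distributed IDS and fusion layer would supply.
"""
from collections import defaultdict


def _attempts(host, ok, fail):
    """Build (host, outcome) pairs; 'fail' = connection attempt never completed."""
    return [(host, "ok")] * ok + [(host, "fail")] * fail


# Constructed sample of connection attempts observed at a network edge.
SAMPLE_ATTEMPTS = (
    _attempts("host-a", 9, 1)    # ordinary client: ~10% failures
    + _attempts("host-b", 5, 5)  # aggressive: half of its connections fail
    + _attempts("host-c", 1, 9)  # scanning pattern: 90% failures
    + _attempts("host-d", 10, 0) # looks clean, but flagged by IDS below
    + _attempts("host-e", 0, 2)  # too few attempts to judge
)
CONFIRMED = frozenset({"host-d"})  # high-confidence IDS verdicts (constructed)

MIN_ATTEMPTS = 5  # below this, a failure rate is not evidence of anything
# Upper failure-rate bound for each class, checked in order (assumed values).
THRESHOLDS = [("normal", 0.3), ("aggressive", 0.7), ("potentially_malicious", 1.01)]
# Relative service weight per class; confirmed-malicious traffic gets nothing.
WEIGHTS = {"normal": 6, "aggressive": 3, "potentially_malicious": 1, "confirmed": 0}


def failure_rates(attempts):
    """Return {host: (total_attempts, failure_rate)} from the attempt log."""
    totals, fails = defaultdict(int), defaultdict(int)
    for host, outcome in attempts:
        totals[host] += 1
        if outcome == "fail":
            fails[host] += 1
    return {h: (totals[h], fails[h] / totals[h]) for h in totals}


def classify(host, total, rate, confirmed):
    """Map one host to a behaviour class; IDS confirmation overrides statistics."""
    if host in confirmed:
        return "confirmed"
    if total < MIN_ATTEMPTS:
        return "normal"  # insufficient evidence: do not penalise
    for name, upper in THRESHOLDS:
        if rate < upper:
            return name
    return "potentially_malicious"


def classify_hosts(attempts, confirmed=CONFIRMED):
    """Return {host: class} for every host in the log."""
    return {h: classify(h, total, rate, confirmed)
            for h, (total, rate) in failure_rates(attempts).items()}


def regulate(attempts, capacity, confirmed=CONFIRMED):
    """Split 'capacity' (e.g. connections/s) across classes in proportion to
    their weights, then evenly among the hosts inside each class."""
    members = defaultdict(list)
    for host, cls in classify_hosts(attempts, confirmed).items():
        members[cls].append(host)
    total_weight = sum(WEIGHTS[c] for c in members)  # only classes with traffic
    allocation = {}
    for cls, hosts in members.items():
        class_share = capacity * WEIGHTS[cls] / total_weight
        for host in hosts:
            allocation[host] = class_share / len(hosts)
    return dict(sorted(allocation.items()))


if __name__ == "__main__":
    for host, share in regulate(SAMPLE_ATTEMPTS, capacity=1000).items():
        print(f"{host}: {share:.0f} conn/s")
```

Two details carry the security reasoning. `MIN_ATTEMPTS` keeps a host with two failed connections from being throttled on no evidence, which is the "different confidence" point of slide 23, and the allocation is computed per class first, so a single misbehaving host cannot crowd out the normal class by generating more flows: the class's share is fixed by its weight, however many hosts it contains.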

  24. Integrated Resource Allocation

  25. Proportional Response Differentiation

  26. System Robustness

  27. A Microscopic View

  28. Impact of Feedback Control

  29. Two-tier Allocation in Server Clusters

  30. Three-class Slowdown Differentiation

  31. A Microscopic View

  32. IEEE SNS2005 Workshop
  • The 1st IEEE Int’l Workshop on System and Network Security (SNS 2005)
    • In conjunction with 19th IEEE IPDPS
    • Denver, April (4 -) 8, 2005
    • www.cs.uccs.edu/~SNS/sns2005.html
  • Received 50 full-paper submissions from 15+ countries: USA, Canada, UK, France, Spain, Germany, China, India, Japan, Greece, Egypt, Finland, Switzerland, Australia, Singapore, etc.
  • To accept about 18 papers
  • JNCA special issue on Security in Distributed Systems and Networks, Academic Press of Elsevier, Spring 2006
