07-09-2016, 09:18 AM
NICE : Network Intrusion detection
and Counter measure selection
in virtual network systems
1453369761-nice.pdf (Size: 628.2 KB / Downloads: 8)
Existing System
The area of detecting malicious behavious has been well explored in the following approaches.
SPOT focuses on the detection of compromised machines that have been recruited to serve as
spam zombies. It is based on sequentially scanning outgoing messages while employing a statistical
method Sequential Probability Ratio Test (SPRT), to quickly determine whether a host has
been compromised. BotHunter detects compromised machines based on the fact that a thorough
malware infection process has a number of well-defined stages that allow correlating the intrusion
alarms triggered by inbound traffic with resulting outgoing communication patterns. BotSniffer
exploits uniform spatial-temporal behavior characteristics of compromised machines to detect zombies
by grouping flows according to server connections and searching for similar behavior in the flow.
An attack graph is used to represent a series of exploits, called atomic attacks, that lead to an
undesirable state. There are many automation tools to construct attack graph. A technique based
on a modified symbolic model checking NuSMV and Binary Decision Diagrams (BDDs) was proposed
to construct attack graph. This model can generate all possible attack paths, but, the
scalability is a big issue for this solution. The assumption of monotonicity was introduced, which
states that the precondition of a given exploit is never invalidated by the successful application
of another exploit, ie.attackers never need to backtrack. With this assumption, a concise, scalable
graph representation for encoding attack tree can be obtained. An attack graph tool called
MulVAL, adopts a logic programming approach and uses Datalog language to model and analyze
network system. The attack graph in the MulVAL is constructed by accumulating true facts of
the monitored network system. The attack graph construction process will terminate efficiently because the number of facts is polynomial in system.
The major problems for any IDS implementation are the false alarms and the large volume of
raw alerts from IDS. Many attack graph-based alert correlation techniques have been proposed.
An in memory structure, called queue graph (QG), was devised to trace alerts matching each exploit
in the attack graph. However, the implicit correlations in this design make it difficult to use
the correlated alerts in the graph for analysis of similar attack scenarios. A modified attack-graphbased
correlation algorithm was proposed to create explicit correlations only by matching alerts to
specific exploitation nodes in the attack graph with multiple mapping functions, and devised an
alert dependencies graph (DG) to group related alerts with multiple correlation criteria. However,
this algorithm involved all pairs shortest path searching and sorting in DG, which consumes considerable
computing power. Several solutions have been proposed to select optimal countermeasures
based on the likelihood of the attack path and cost benefit analysis. An attack countermeasure tree
(ACT) was proposed to consider attacks and countermeasures together in an attack tree structure.
Here several objective functions based on greedy and branch and bound techniques were devised to
minimize the number of countermeasure, reduce investment cost, and maximize the benefit from
implementing a certain countermeasure set. In this design, each countermeasure optimization problem
could be solved with and without probability assignments to the model. However, this solution
focuses on a static attack scenario and predefined countermeasure for each attack. Another attack
graph, Bayesian attack graph (BAG) was proposed to address dynamic security risk management
problem and applied a genetic algorithm to solve countermeasure optimization problem.
System Models
3.1 Threat Model
This protection model focuses on virtual network based attack detection and reconfiguration solutions
to improve the resiliency to zombie explorations. The proposed solution can be deployed
in an Infrastructure as a Service (IaaS) cloud networking system. Cloud service users are free to
install whatever operating systems or applications they want, even if such action may introduce
vulnerabilities to their controlled VMs.
3.2 Attack Graph Model
An attack graph is a modeling tool to illustrate all possible multistage, multihost attack paths
that are crucial to understand threats and then to decide appropriate countermeasures. In an
attack graph, each node represents either precondition or consequence of an exploit. Attack graph
is helpful in identifying potential threats, possible attacks, and known vulnerabilities in a cloud
system. If an event is recognized as a potential attack, specific countermeasures can be applied to
mitigate its impact or take actions to prevent it from contaminating the cloud system. To represent
the attack and the result of such actions, the notation of MulVAL logic attack graph is extended
and is defined as Scenario Attack Graph (SAG). An SAG is a tuple SAG = (V,E), where
• V= NC ∪ ND ∪ NR denotes a set of vertices that include three types namely conjunction node
NC to represent exploit, disjunction node ND to denote result of exploit, and root node NR
for showing initial step of an attack scenario.
• E = Epre ∪ Epost denotes the set of directed edges. An edge e ∈ Epre ⊆ N D ×NC represents
that ND must be satisfied to achieve NC. An edge e ∈ Epost ⊆ NC ×N D means that the
consequence shown by ND can be obtained if NC is satisfied.
Node vc ∈ NC is defined as a three tuple (Hosts, vul, alert) representing a set of IP addresses,
vulnerability information such as CVE , and alerts related to vc, respectively. ND behaves like a
logical OR operation and contains details of the results of actions. NR represents the root node of
the SAG. A new Alert Correlation Graph (ACG) is defined to map alerts in ACG to their respective
nodes in SAG. To keep track of attack progress, the source and destination IP addresses are tracked
for attack activities. An ACG is a three tuple ACG = (A,E,P), where
1. A is a set of aggregated alerts. An alert a ∈ A is a data structure (src,dst,cls,ts) representing
source IP address, destination IP address, type of the alert, and time stamp of the alert
respectively.
2. Each alert a maps to a pair of vertices (vc,vd) in SAG using map(a) function, ie. map(a) : a
7→ {(vc,vd)| (a.src∈ vc.Hosts)∧ (a.dst ∈ vd.Hosts)∧ (a.cls=vc.vul)}
3. E is a set of directed edges representing correlation between two alerts (a,a’) if criteria below
satisfied:
a.(a.ts < a’.ts)∧(a’.ts - a.ts<threshold).
b. ∃ (vd,vd)∈ Epre : (a.dst ∈ vd.Hosts ∧ a’.src ∈ vc.Hosts).
4. P is set of paths in ACG. A path Si
| P is a set of related alerts in chronological order.
A contains aggregated alerts rather than raw alerts. Raw alerts having same source and destination
IP addresses, attack type, and time stamp within a specified window are aggregated as Meta Alerts.
Each ordered pair (a, a’) in ACG maps to two neighbor vertices in SAG with time stamp difference
of two alerts within a predefined threshold. ACG shows dependency of alerts in chronological order
and related alerts are found in the same attack scenario by searching the alert path in ACG. A set
P is used to store all paths from root alert to the target alert in the SAG, and each path Si
| P
represents alerts that belong to the same attack scenario. Alert Correlation algorithm is followed
for every alert detected and returns one or more paths Si
. For every alert ac that is received from
the IDS, it is added to ACG if it does not exist. For this new alert ac, the corresponding vertex
in the SAG is found by using function map(ac). For this vertex in SAG, alert related to its parent
vertex of type NC is then correlated with the current alert ac. This creates a new set of alerts that
belong to a path Si
in ACG or splits out a new path Si+1 from Si with subset of Si before the alert
a and appends ac to Si+1. In the end of this algorithm, the ID of ac will be added to alert attribute
of the vertex in SAG. Algorithm 1 returns a set of attack paths S in ACG.
Algorithm 1. Alert Correlation
Require: alert ac, SAG, ACG
if (ac is a new alert) then
create node ac in ACG
n1 ← vc ∈ map(ac)
for all n2 ∈ parent(n1) do
create edge (n2.alert,ac)
for all Si containing a do
if a is the last element in Si then
append ac to Si
else
create path Si+1 = { subset(Si
,a),ac}
end if
end for
add ac to n1.alert
end for
end if
return S