Graph-based Automated Denial-of-Service Attack Response
Format: Book / Binding: flexible (paperback)
Attacks against computer systems and networks, in all their variants, are omnipresent and thus no longer surprising. Almost every computer network has at some point been subject to reconnaissance, penetration, or the theft or destruction of information, with more or less serious consequences.
When an attack has been flagged by a monitoring system, Information Technology (IT) security personnel need to select an appropriate response to it with care. How this ‘appropriateness’ is defined depends heavily on the properties and the deployment objective of the network and its components. Few approaches exist for selecting response mechanisms automatically; the main reason is the potentially unwanted impact on either the system that is to be protected or on the protection system itself.
This challenge exists mainly because the complexity of real-world computer systems has grown beyond all measure, so that it is not feasible to observe and analyze the system state in all its aspects. Thus, appropriate models are needed to describe the system behavior in order to derive methods and mechanisms for making such a system more secure.
In the sciences in general, models are used as a simplified view of real-world phenomena, processes, or systems of entities. The process of generating a model is called modeling; it involves simplifying reality so that an abstract view is created which may be used for different purposes, including the analysis of the system’s behavior under specified conditions. Models should be as complex as necessary for the specific purpose, but as simple as possible in order to allow efficient deployment.
In information assurance and computer security, models of real-world systems are often used for analyzing their behavior under attack, in order to design and evaluate effective countermeasures for attack prevention, detection, and response. For evaluation purposes, it is necessary to clearly define metrics – standard units of measure – in order to quantify properties of these countermeasures. In many cases, these metrics are abstractions of physically measurable values, such as time or geographic distance.
Unfortunately, many of the existing approaches for dynamically selecting response measures against computer attacks suffer from various problems: algorithmic infeasibility, unrealistic assumptions or preconditions, or narrow applicability. These challenges are closely related to the way in which the protected systems are modeled for the approach. On the one hand, very fine-grained (and highly realistic) models may no longer be handled efficiently; moreover, such complex models tend to be specific to the single environment that was observed to build them. On the other hand, a merely coarse-grained model is of doubtful applicability if its degree of realism turns out to be very low.
Thus, the main goal of this work is to create a model that provides a reasonable balance between these properties. The model should make it possible to express all relevant aspects of the systems to be protected, and of attacks and response measures, including their differences, in a quantifiable manner, while maintaining the model should remain highly efficient.
As long as the system model is sufficiently simple and intuitive, it is also possible to transfer expert knowledge into the model. The approach for selecting response measures to detected attacks described in this work attempts to map the best-practice methodology of human IT security personnel to a formal framework. Actually measurable metrics for quantifying the impact of response actions on a real-world system are mapped to the model so that the effects of countermeasures can be estimated before they are actually applied. The graph-based approach is called GrADAR, which is short for ‘Graph-based Automated DoS Attack Response’.
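As an added illustration (not GrADAR’s formal model, and not code from the thesis), the following Python sketch shows what ‘estimating the effects of countermeasures before they are applied’ can look like on a resource dependency graph: resources are nodes, dependency edges propagate availability with a simple min rule, each candidate response is an assumed change to the intrinsic availability of some resources, and the response with the best weighted availability of the business-relevant resources is ranked first. It also shows the point made above about unwanted impact on the protected system: null-routing the uplink stops the flood but drives the web shop’s availability to zero. All resource names, dependency edges, availability values, response actions and the propagation rule are constructed assumptions.

```python
"""Illustrative resource-dependency graph for estimating the side effects of
candidate DoS responses before they are applied.

This is an added example and not GrADAR's formal model: the resources,
dependency edges, availability values, response actions and the min-based
propagation rule are all constructed assumptions for illustration.
"""
from typing import Dict, List, Tuple

# Dependency edges: resource -> resources it needs to function (constructed).
DEPENDENCIES: Dict[str, List[str]] = {
    "uplink":    [],
    "firewall":  ["uplink"],
    "database":  ["firewall"],
    "appserver": ["firewall", "database"],
    "webserver": ["firewall", "appserver"],
    "webshop":   ["webserver"],
}

# Intrinsic availability in [0, 1] as a monitoring system might report it
# while the web server is being flooded (constructed values).
OBSERVED: Dict[str, float] = {
    "uplink": 1.0, "firewall": 0.9, "database": 1.0,
    "appserver": 1.0, "webserver": 0.2, "webshop": 1.0,
}

# Candidate responses as assumed changes to intrinsic availability
# (constructed; a real deployment would derive these from measured metrics).
RESPONSES: Dict[str, Dict[str, float]] = {
    "do_nothing": {},
    "rate_limit_at_firewall": {"firewall": 0.8, "webserver": 0.7},
    "restart_webserver": {"webserver": 0.5},
    "null_route_uplink": {"uplink": 0.0},   # stops the flood, and everything else
}

# Business relevance of the resources the operator actually cares about.
WEIGHTS: Dict[str, float] = {"webshop": 1.0, "database": 0.5}


def effective_availability(graph: Dict[str, List[str]],
                           intrinsic: Dict[str, float]) -> Dict[str, float]:
    """Propagate availability along dependency edges.

    Rule (an assumption of this example): a resource is only as available
    as the least available of itself and its dependencies. Raises on cycles.
    """
    memo: Dict[str, float] = {}

    def eff(node: str, path: Tuple[str, ...]) -> float:
        if node in memo:
            return memo[node]
        if node in path:
            raise ValueError(f"dependency cycle through {node!r}")
        value = intrinsic[node]
        for dep in graph[node]:
            value = min(value, eff(dep, path + (node,)))
        memo[node] = value
        return value

    for node in graph:
        eff(node, ())
    return memo


def score(graph: Dict[str, List[str]], intrinsic: Dict[str, float],
          weights: Dict[str, float]) -> float:
    """Weighted mean effective availability of the business-relevant resources."""
    eff = effective_availability(graph, intrinsic)
    total = sum(weights.values())
    return round(sum(w * eff[r] for r, w in weights.items()) / total, 4)


def evaluate_responses(graph: Dict[str, List[str]], observed: Dict[str, float],
                       responses: Dict[str, Dict[str, float]],
                       weights: Dict[str, float]) -> List[Tuple[str, float]]:
    """Predict each response's outcome on the model and rank best first."""
    ranked = []
    for name, overrides in responses.items():
        predicted = {**observed, **overrides}          # model state after the action
        ranked.append((name, score(graph, predicted, weights)))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for name, s in evaluate_responses(DEPENDENCIES, OBSERVED, RESPONSES, WEIGHTS):
        print(f"{name:24s} predicted score {s:.4f}")
```

With the constructed values, rate limiting at the firewall is predicted to yield the best weighted availability (0.7333), restarting the web server comes second, doing nothing leaves the shop at its attacked level, and null-routing the uplink scores zero. The min rule is a deliberate simplification; the thesis’ own metrics are what a real deployment would plug in here.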
Note that in this thesis, the terms ‘response’, ‘response measure’, ‘response action’, ‘reaction’ and ‘countermeasure’ are used synonymously.
The core of this thesis comprises the following parts:
• In Chapter 2, existing approaches, algorithms, and systems for observing and reactively defending computer systems and networks are systematically listed in different taxonomies. In addition, known issues of deploying fully automated processes for selecting and applying response measures are discussed.
• Chapter 3 discusses existing models for intrusion detection and response as well as metrics for quantifying properties of intrusion detection and response algorithms, systems, approaches, and implementations.
• Before the GrADAR approach for characterizing metrics of intrusion response measures is described, a corresponding framework for selecting the most ‘appropriate’ alternative is presented in Chapter 4. This framework combines the ideas of closed control loops and risk and cost analysis.
• The GrADAR approach itself is formally developed and discussed in Chapter 5. Numerous practically relevant examples are given to illustrate parts of the model.
• Chapter 6 presents an experimental validation of the proposed model in a typical e-commerce web-shop scenario. A wide range of results is obtained from systematic testbed measurements. These results are presented in Chapter 7, and their impact on the definition of the model is discussed.
• Practically relevant aspects of applying the model to real-world scenarios are elaborated on in Chapter 8. This includes interfaces to existing monitoring systems and response measures, ways to determine dependencies between resources, and model extensions for utilizing the model in completely decentralized environments.
• In Chapter 9, the properties of the proposed approach are discussed and compared to related work in the area of automated intrusion response approaches.
• Chapter 10 discusses further issues that were revealed during the theoretical and practical work, and outlines ways to address them.
• Finally, in Chapter 11, the work is summarized, and conclusions on what was achieved and what may be achieved in further activities are drawn.