ACM Digital Library record. DOI: 10.1145/1866898.1866910. Conference proceedings (CCS collection), short paper.

Cost-aware systemwide intrusion defense via online forensics and on-demand detector deployment

Published: 04 October 2010
Abstract

    Balancing the coverage benefits of deploying multiple types of intrusion detection systems against their performance and false-alarm costs is an important problem with practical ramifications for runtime security policy. In this position paper, we present an approach to "on-demand" deployment of intrusion detection systems: detection coverage is balanced against cost, and an IDS is deployed only when it is needed. The proposed approach relies on often easy-to-detect symptoms of attacks, e.g., participation in a botnet or DDoS, and works backwards by iteratively deploying increasingly localized and powerful detectors closer to the initial attack vector. We accomplish this by characterizing multiple IDSs in a uniform framework based on their costs and detection capabilities and integrating them, for the first time, into an online system-wide forensics framework. We develop the basic elements of the framework and give an example of its envisioned operation.
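To make the cost-versus-coverage trade-off in the abstract concrete, the following Python is an added illustration, not code from the paper or its authors. It models the idea of starting from a cheap, easy-to-observe symptom and deploying a detector only when it can narrow the set of candidate attack vectors, choosing detectors by guaranteed narrowing per unit cost. Every name in it is an assumption for the example: the detector catalogue, its costs and coverage sets, the symptom-to-hypothesis mapping, the greedy selection rule, and the budget stop condition (which goes slightly beyond what the abstract states).

```python
# Added illustration (not the paper's own framework or code): a greedy, cost-aware
# "deploy a detector only when it narrows the investigation" loop. All detector
# names, costs, coverage sets and symptom mappings below are constructed for the
# example and are hypothetical.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Detector:
    name: str
    cost: float              # relative performance + false-alarm cost of running it
    covers: FrozenSet[str]   # attack vectors this detector can confirm or rule out


# Constructed catalogue: cheap, broad network/host monitors first; expensive,
# localized process-level detectors last. Costs are exact binary fractions so
# that totals compare exactly.
CATALOGUE: List[Detector] = [
    Detector("net_ids", 1.0, frozenset({"web_app_rce", "ssh_bruteforce"})),
    Detector("auth_log_monitor", 0.75, frozenset({"ssh_bruteforce"})),
    Detector("file_integrity", 2.0, frozenset({"phishing_dropper", "usb_autorun"})),
    Detector("call_stack_anomaly", 8.0, frozenset({"web_app_rce"})),
    Detector("cfi_enforcement", 10.0, frozenset({"web_app_rce", "phishing_dropper"})),
]

# Constructed map from an easy-to-observe symptom to the initial attack vectors
# that could explain it (hypothetical labels, not real incident data).
SYMPTOMS: Dict[str, FrozenSet[str]] = {
    "outbound_c2_beacon": frozenset(
        {"phishing_dropper", "web_app_rce", "ssh_bruteforce", "usb_autorun"}
    ),
}


def worst_case_gain(candidates: Set[str], det: Detector) -> int:
    """Number of hypotheses the detector is guaranteed to eliminate whichever way
    its verdict goes. 0 means it cannot split the current candidate set."""
    hit = len(candidates & det.covers)
    miss = len(candidates) - hit
    if hit == 0 or miss == 0:
        return 0
    return len(candidates) - max(hit, miss)


def plan_deployment(symptom: str, true_vector: str, budget: float,
                    catalogue: List[Detector] = CATALOGUE
                    ) -> Tuple[List[str], Set[str], float]:
    """Greedy on-demand deployment.

    Start from the candidate vectors implied by `symptom`; repeatedly deploy the
    not-yet-deployed detector with the best guaranteed narrowing per unit cost;
    stop when one candidate remains or no affordable detector can split the set.
    `true_vector` stands in for the real system and is used only to simulate each
    deployed detector's verdict. Returns (deployed names, remaining candidates,
    total cost spent)."""
    candidates = set(SYMPTOMS[symptom])
    deployed: List[str] = []
    spent = 0.0
    while len(candidates) > 1:
        options = [
            d for d in catalogue
            if d.name not in deployed
            and worst_case_gain(candidates, d) > 0
            and spent + d.cost <= budget
        ]
        if not options:
            break  # nothing informative is affordable: stop, report what is known
        best = max(options, key=lambda d: (worst_case_gain(candidates, d) / d.cost,
                                           -d.cost, d.name))
        deployed.append(best.name)
        spent += best.cost
        # Simulated verdict: the detector fires iff the true vector is in its coverage.
        if true_vector in best.covers:
            candidates &= best.covers
        else:
            candidates -= best.covers
    return deployed, candidates, spent


if __name__ == "__main__":
    for truth, budget in (("web_app_rce", 20.0), ("phishing_dropper", 20.0),
                          ("phishing_dropper", 5.0)):
        print(truth, budget, plan_deployment("outbound_c2_beacon", truth, budget))
```

In the first run the two cheap monitors settle the question and the process-level detectors are never started; in the second, the cheap monitors rule out the network-borne vectors and the loop escalates to the expensive localized detector, which is the "work backwards towards the attack vector" behaviour the abstract describes; in the third, a tight budget stops the escalation early and the function returns the unresolved hypotheses rather than guessing.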




        Published In

        SafeConfig '10: Proceedings of the 3rd ACM workshop on Assurable and usable security configuration
        October 2010, 98 pages
        ISBN: 9781450300933
        DOI: 10.1145/1866898

        Publisher: Association for Computing Machinery, New York, NY, United States


        Author Tag: intrusion detection and forensics systems

        Qualifier: short paper

        Conference: CCS '10

        Overall acceptance rate: 22 of 61 submissions, 36%


        Cited By

        • (2020) Dynamical Propagation Model of Malware for Cloud Computing Security. IEEE Access, 8, 20325-20333. doi:10.1109/ACCESS.2020.2968916
        • (2015) Empirical Development of a Trusted Sensing Base for Power System Infrastructures. IEEE Transactions on Smart Grid, 6(5), 2454-2463, Sep 2015. doi:10.1109/TSG.2015.2435370
        • (2015) Towards resilient cyber-physical control systems. 2015 IEEE Global Conference on Signal and Information Processing (GlobalSIP), 662-666, Dec 2015. doi:10.1109/GlobalSIP.2015.7418279
        • (2013) TSB: Trusted sensing base for the power grid. 2013 IEEE International Conference on Smart Grid Communications (SmartGridComm), 803-808, Oct 2013. doi:10.1109/SmartGridComm.2013.6688058
        • (2012) SCPSE: Security-Oriented Cyber-Physical State Estimation for Power Grid Critical Infrastructures. IEEE Transactions on Smart Grid, 3(4), 1790-1799, Dec 2012. doi:10.1109/TSG.2012.2217762
        • (2011) Floguard. Proceedings of the 30th international conference on Computer safety, reliability, and security, 338-354, 19 Sep 2011. doi:10.5555/2041619.2041653
        • (2011) A cloud-based intrusion detection and response system for mobile phones. Proceedings of the 2011 IEEE/IFIP 41st International Conference on Dependable Systems and Networks Workshops, 31-32, 27 Jun 2011. doi:10.1109/DSNW.2011.5958860
        • (2011) FloGuard: Cost-Aware Systemwide Intrusion Defense via Online Forensics and On-Demand IDS Deployment. Computer Safety, Reliability, and Security, 338-354, 2011. doi:10.1007/978-3-642-24270-0_25
