intrusion detection and response in lockss
play

Intrusion Detection and Response in LOCKSS Rachel Greenstadt - PowerPoint PPT Presentation

Dec 27, 2023 •201 likes •638 views

Intrusion Detection and Response in LOCKSS Rachel Greenstadt greenie@eecs.harvard.edu Harvard University Advisors: HT Kung and Mike Smith September 30, 2004 Intrusion Detection and Response in LOCKSS p.1/43 Overview Problem: Electronic

  1. Intrusion Detection and Response in LOCKSS Rachel Greenstadt greenie@eecs.harvard.edu Harvard University Advisors: HT Kung and Mike Smith September 30, 2004 Intrusion Detection and Response in LOCKSS – p.1/43

  2. Overview Problem: Electronic Archiving Approach: LOCKSS project Security Threats and Countermeasures Intrusion Detection and Response: Alarms Do we need alarms? Can alarms catch instrusions? Can we take local steps to correct the network after an intrusion? Can we catch intrusions faster? Intrusion Detection and Response in LOCKSS – p.2/43

  3. A Crisis in Archiving Libraries know how to cooperate to preserve paper data With move to electronic data, publishers offer subscriptions Offer “perpetual access,” but no business model for this Libraries want to preserve their own data BUT Digital preservation is hard (and most people don’t believe it) Intrusion Detection and Response in LOCKSS – p.3/43

  4. Why is Digital Preservation Hard? Storage media are unreliable in the long term MTBF of components Human error Many anecdotes of backup failures Suggest bit rot/failures happen in Byzantine ways Almost everyone has a story Companies don’t like to talk about it Intrusion Detection and Response in LOCKSS – p.4/43

  5. Overview Problem: Electronic Archiving Approach: LOCKSS project Security Threats and Countermeasures Intrusion Detection and Response: Alarms Do we need alarms? Can alarms catch instrusions? Can we take local steps to correct the network after an intrusion? Can we catch intrusions faster? Intrusion Detection and Response in LOCKSS – p.5/43

  6. The LOCKSS Approach Build P2P community of libraries Each library maintains a replica of the Archival Unit (AU) Goal: Maintain consensus on content of AUs Libraries help each other repair replicas Audit and repair detected damage with voting Publishers provide content for archiving Without responsibility for preservation Intrusion Detection and Response in LOCKSS – p.6/43

  7. Why LOCKSS? LOCKSS is a real project Deployed version Consortia of libraries Engineering team Good vehicle to study intrusion detection for other P2P/distributed systems Intrusion Detection and Response in LOCKSS – p.7/43

  8. Peer Relationships LOCKSS has an internal PKI. If I’m a LOCKSS peer, other peers are: Friends—Peers with which I have out-of-band trust relationships. Friends sign certificates for each other. Discovered Peers—These peers form my trust web. Reference List—A subset of discovered peers that can be polled. Undiscovered Peers—Peers unknown (or untrusted) by me. Intrusion Detection and Response in LOCKSS – p.8/43

  9. Opinion Polls Periodically, peers poll a subset of the reference list and compare the votes to their local AU Inconclusive Landslide disagreement Landslide agreement Alarm! Repair Do nothing. Intrusion Detection and Response in LOCKSS – p.9/43

  10. Updating the Reference List Before voting, peers nominate other peers for inclusion in reference list/trust web. At the end of poll, voting peers are purged from reference list Add some friends Add some nominees Intrusion Detection and Response in LOCKSS – p.10/43

  11. Overview Problem: Electronic Archiving Approach: LOCKSS project Security Threats and Countermeasures Intrusion Detection and Response: Alarms Do we need alarms? Can alarms catch instrusions? Can we take local steps to correct the network after an intrusion? Can we catch intrusions faster? Intrusion Detection and Response in LOCKSS – p.11/43

  12. Security Concerns Basically giving away write permission on your archive!!!! For LOCKSS to be useful, benefits must outweigh costs Intrusion Detection and Response in LOCKSS – p.12/43

  13. Alarms Idea Simultaneous bit rot is rare If voters disagree, adversary activity likely LOCKSS didn’t specify response This is my contribution Intrusion Detection and Response in LOCKSS – p.13/43

  14. My Contributions Ran experiments to verify alarms were needed and could detect intrusions Devised a localized protocol to respond to alarms by Healing compromised peers Ran simulations to evaluate and tune this protocol Devised and tested an augmented protocol to trigger alarms earlier in an attack Intrusion Detection and Response in LOCKSS – p.14/43

  15. Evaluation Measures Iterative process of simulation and reasoning about the system design and simulation results Proofs would be nice, but system complexity would render them inaccurate or intractable Problem with many P2P systems Initially, goal was to keep adversary from damaging > 50% of the AUs, reached that, see how close we can get to 0. Intrusion Detection and Response in LOCKSS – p.15/43

  16. Simulations Simulate 1000 peers participating in the LOCKSS system Each peer has one AU that can be good or bad. Some variable fraction of these peers are adversarial Adversary follows the strategy of lurk and try to get a presence on good peers’ reference lists, then attack when they’ll win decisively. Intrusion Detection and Response in LOCKSS – p.16/43

  17. Static Variables (Assumptions) Total Peers 1000 Sybils 200 Topology Cluster Poll Size 10-20 Supermajority 70% Reference List Goal 60 Churn Ratio 10% Lurktime 3600 of 7200 ticks 1 MTBF Doc 200 yrs Intrusion Detection and Response in LOCKSS – p.17/43

  18. Dynamic Variables # of Adversarial Peers (10-400) Random seeds Alarm Response Intrusion Detection and Response in LOCKSS – p.18/43

  19. Overview Problem: Electronic Archiving Approach: LOCKSS project Security Threats and Countermeasures Intrusion Detection and Response: Alarms Do we need alarms? Can alarms catch instrusions? Can we take local steps to correct the network after an intrusion? Can we catch intrusions faster? Intrusion Detection and Response in LOCKSS – p.19/43

  20. Do we need alarms? 1 Proportion of replicas damaged 0.8 0.6 0.4 0.2 initial damage irrecoverable damage 0 0.1 0.15 0.2 0.25 0.3 0.35 0.4 Proportion of peers initially subverted Figure 1: MUTE alarm: when an alarm is called, do noth- ing (proceed as if we won the poll) Intrusion Detection and Response in LOCKSS – p.20/43

  21. Can alarms detect intrusions? Theory—Why do alarms occur? Alarm might happen if an adversary tries to win a poll without enough votes (can’t count on this) Peers with corrupted copies + peers with good copies => alarms Adversary can’t corrupt enough copies at once to win without giving alarms a chance to fix things Arrange reference list updating and rate limiting to make this so Intrusion Detection and Response in LOCKSS – p.21/43

  22. Can alarms detect intrusions? Proportion of replicas damaged 0.433 0.471 0.419 0.431 0.47 1 0.395 0.371 0.44 0.346 0.347 0.36 0.34 0.326 0.8 0.31 0.298 0.299 0.276 0.264 0.238 0.6 0.239 0.219 0.208 0.189 0.185 0.148 0.4 0.2 initial damage irrecoverable damage 0 0.1 0.15 0.2 0.25 0.3 0.35 0.4 Proportion of peers initially subverted Figure 2: Foothold ratio for a very patient adversary and results after the first alarm. Intrusion Detection and Response in LOCKSS – p.22/43

  23. Alarms Do we need alarms? Can alarms catch instrusions? Can we take local steps to correct the network after an intrusion? Can we catch intrusions faster? Intrusion Detection and Response in LOCKSS – p.23/43

  24. How can we respond? Change our state (not enough) Ask our friends to change their state Ask our friends to ask their friends · · · Intrusion Detection and Response in LOCKSS – p.24/43

  25. Peer states Admin Computer AU Healthy Good Good Good Damaged Good Good Bad Subverted Good Bad Good/Bad Evil Bad Bad Good/Bad Figure 3: Classification of Peers We can heal subverted peers and revoke certificates of nominated evil peers Intrusion Detection and Response in LOCKSS – p.25/43

  26. Healing Alarm Procedure Contact friends in trust web, ask them to check for compromise and patch. Treat all unhealed peers as undiscovered. What if we want to do more than just our friends? We can heal nodes at depth 2, by asking friends to ask them to heal themselves Healed peers revoke certificates they signed when subverted Intrusion Detection and Response in LOCKSS – p.26/43

  27. Types of Alarms Intrusion Detection and Response in LOCKSS – p.27/43

  28. Healing Results 1 1 1 Proportion of replicas damaged Proportion of replicas damaged 0.8 0.8 0.6 0.6 0.4 0.4 0.2 0.2 initial damage initial damage irrecoverable damage irrecoverable damage 0 0 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.1 0.15 0.2 0.25 0.3 0.35 0.4 Proportion of peers initially subverted Proportion of peers initially subverted Figure 4: Doing nothing, compared to healing d=1 (end of simulation) Intrusion Detection and Response in LOCKSS – p.28/43

  29. Healing Results 2 1 1 Proportion of replicas damaged Proportion of replicas damaged 0.8 0.8 0.6 0.6 0.4 0.4 0.2 0.2 initial damage initial damage irrecoverable damage irrecoverable damage 0 0 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.1 0.15 0.2 0.25 0.3 0.35 0.4 Proportion of peers initially subverted Proportion of peers initially subverted Figure 5: Doing nothing, compared to healing d=1 (worst pt of simulation) Intrusion Detection and Response in LOCKSS – p.29/43

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
A robust SNMP based Infrastructure for Intrusion Detection and Response in tactical MANETs

A robust SNMP based Infrastructure for Intrusion Detection and Response in tactical MANETs

A robust SNMP based Infrastructure for Intrusion Detection and Response in tactical MANETs Sascha Lettgen University of Bonn, Germany Inst. of Computer Science IV Marko Jahnke, Jens Tlle, Uwe Weddige, Michael Bussmann FGAN/FKIE, Wachtberg,

641 views • 15 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

537 views • 10 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document

504 views • 21 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides
Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 11 Page 1 CS 236 Online Outline Introduction Characteristics of intrusion detection systems Some sample intrusion detection

143 views • 12 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
Building Adaptive and Agile Applications Using Intrusion Detection and Response Joseph P. Loyall,

Building Adaptive and Agile Applications Using Intrusion Detection and Response Joseph P. Loyall,

Building Adaptive and Agile Applications Using Intrusion Detection and Response Joseph P. Loyall, Partha P. Pal, and Richard E. Schantz {jloyall, ppal, schantz}@bbn.com BBN Technologies Franklin Webber franklin.webber@computer.org

239 views • 19 slides
Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu BERKE1337 March 3, 2016 Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 1 / 29 Detection vs. Blocking Intrusion

432 views • 32 slides
Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International

Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International

Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International Conference on Computing in High Energy and Nuclear Physics Outline: Introduction Threat model Intrusion prevention Intrusion detection

420 views • 16 slides
Detecting and Surviving Intrusions Exploring New Host-Based Intrusion Detection, Recovery, and

Detecting and Surviving Intrusions Exploring New Host-Based Intrusion Detection, Recovery, and

Detecting and Surviving Intrusions Exploring New Host-Based Intrusion Detection, Recovery, and Response Approaches Ph.D. Thesis Defense December 17th, 2019 1 HP Labs (ronny.chevalier@hp.com) 2 CIDRE Team, CentraleSuplec/Inria/CNRS/IRISA

1.66k views • 140 slides
www.faithsouthbay.org @faithsouthbay faithsouthbay IT IS WE WELL LL SIMPLE STEPS TO STAY

www.faithsouthbay.org @faithsouthbay faithsouthbay IT IS WE WELL LL SIMPLE STEPS TO STAY

2115 W. 182nd Street Torrance, CA 90504 310.217.7000 www.faithsouthbay.org @faithsouthbay faithsouthbay IT IS WE WELL LL SIMPLE STEPS TO STAY PHYSICALLY, SPIRITUALLY & EMOTIONALLY WELL IN AN AGE OF THE CORONAVIRUS 1 WASH YOUR HANDS

367 views • 33 slides
Using Machine Learning with Wide Area Networks (WANs) Dr. Mariam Kiran Energy Sciences Network

Using Machine Learning with Wide Area Networks (WANs) Dr. Mariam Kiran Energy Sciences Network

Using Machine Learning with Wide Area Networks (WANs) Dr. Mariam Kiran Energy Sciences Network (ESnet) ANTG Research Group Lawrence Berkeley National Lab Summer Student 2017 Talk 1 Agenda Machine learning (ML) is everywhere: Is it

442 views • 43 slides
Practical Approaches to Spirituality and Schizophrenia Mark Ragins, MD Medical Director MHALA

Practical Approaches to Spirituality and Schizophrenia Mark Ragins, MD Medical Director MHALA

Practical Approaches to Spirituality and Schizophrenia Mark Ragins, MD Medical Director MHALA Village Integrated Service Agency www.mhavillage.squarespace.com mragins@mhala.org Helping Relationships 1. Trust 2. Shared story 3. Shared plan

352 views • 9 slides
Chelonia a lightweight self-healing distributed storage Zsombor Nagy ( zsombor@niif.hu ) Salman

Chelonia a lightweight self-healing distributed storage Zsombor Nagy ( zsombor@niif.hu ) Salman

Chelonia a lightweight self-healing distributed storage Zsombor Nagy ( zsombor@niif.hu ) Salman Toor ( salman.toor@it.uu.se ) Jon Kerr Nilsen ( j.k.nilsen@fys.uio.no ) Motivation How to easily... Create a storage resource from available

871 views • 27 slides
Final Report - Community Report Back August 30th, 2016 @GulfSouthRising www.gulfsouthrising.org

Final Report - Community Report Back August 30th, 2016 @GulfSouthRising www.gulfsouthrising.org

Final Report - Community Report Back August 30th, 2016 @GulfSouthRising www.gulfsouthrising.org GulfSouthRising Purpose of the Call This call is for community members and national allies. This call is not for press purposes. Direct

701 views • 26 slides
CDBG Disaster Recovery Economic Development Programs Hurricanes Katrina & Rita Total CDBG

CDBG Disaster Recovery Economic Development Programs Hurricanes Katrina & Rita Total CDBG

CDBG Disaster Recovery Economic Development Programs Hurricanes Katrina & Rita Total CDBG allocation - $13.4 billion Total ED allocation - $322 million Hurricane Katrina Hurricane Rita Hurricanes Gustav & Ike Total CDBG

276 views • 11 slides
Rivercane Restoration Projects in Western North Carolina Adam D. Griffith - Revitalization of

Rivercane Restoration Projects in Western North Carolina Adam D. Griffith - Revitalization of

Rivercane Restoration Projects in Western North Carolina Adam D. Griffith - Revitalization of Traditional Cherokee Artisan Resources (RTCAR) 19 NOV 2019 - Fire Learning Network Restoration: from what? Before European contact? After Native

876 views • 25 slides
The Google File System Firas Abuzaid Why build GFS? Node failures happen frequently Files

The Google File System Firas Abuzaid Why build GFS? Node failures happen frequently Files

The Google File System Firas Abuzaid Why build GFS? Node failures happen frequently Files are huge multi-GB Most files are modified by appending at the end Random writes (and overwrites) are practically non-existent

228 views • 22 slides

More recommend