[PPT] - RheoStat : Real-time Risk Management Ashish Gehani and Gershon Kedem PowerPoint Presentation

SLIDE 1

RheoStat : Real-time Risk Management

Ashish Gehani and Gershon Kedem Department of Computer Science, Duke University

1

SLIDE 2

PROBLEM : Intrusion response

Manual response decreasingly tenable:

– High attack frequency – Great attack diversity – Rapid attack execution – Protection Time

< Detection Time + Response Time False positives preclude retaliation Network connections encrypted

2

SLIDE 3

SOLUTION STRATEGY

Automate response:

– Model runtime risk – Build vulnerability management primitives – Dynamically manage risk – Minimize impact on performance

Passive response - limit to owner’s domain Host-based

3

SLIDE 4

RISK MODEL : Management

Threat Vulnerabilities Assets Risk Risk Threshold Consequences Safeguards Likelihood Yes Reconfigure

4

SLIDE 5

RHEOSTAT : Signatures

Timeouts :

Initialized System Alarm Event e1 Time t4 Time t0 Time t1 Time t2 Time t3 Time t5 Event e2 Event e3 Event e4 t2−t1 > t_pre t5−t4 > t_post t3−t1 > t_pre

5

SLIDE 6

RISK MODEL : Threat

Events : E

=

fe 1 ; e 2 ; : : : g Threats : T = ft 1 ; t 2 ; : : : g Signature : S (t

)
=

fs 1 ; s 2 ; : : : g; s i 2 E ; t

2

T Likelihood : T (t

)

= (t

;

E

\

S (t

));

t

2

T

Matching function :

(t

;

E

\

S (t

))

= jE

\

S (t

)j

jS (t

)j

6

SLIDE 7

ARM : Active Reference Monitor

Subject: i Object: j Right: k Request Permission p(i,j,k) Application Access Control: M p(i,j,k) Granted Permission p(i,j,k) Denied Permission Intrusion Detector (i,j,k) Predicate Threat Level: l True D(i,j,k) False False True Timer Expired Default for p(i,j,k) Undefined Defined MonitorException: True False (i,j,k) MonitorException: σ (i,j,k) σ σ σ σ > Cost[ (i,j,k)] Benefit[ (i,j,k), l]

7

SLIDE 8

RISK MODEL : Vulnerability

Weaknesses : W = fw 1 ; w 2 ; : : : g; W (t

)
W

; t

2

T Permissions : P = fp 1 ; p 2 ; : : : g; P (w

)
P

; w

2

W Safeguards : ^ P (t

)

= S w

2W

(t

)

P (w

);

t

2

T Static Exposure: v (p

)

2 f0; 1g; p

2

P Dynamic Exposure: v (p

)

2 [0; 1℄; p

2

P Vulnerability : V (t

)

= X p

2

^ P (t

)

v (p

)
v

(p

)

j ^ P (t

)j

; t

2

T

8

SLIDE 9

RISK MODEL : Consequence

Objects : O = fo 1 ;

2

; : : : g Assets : A(t

)
O

Confidentiality : (o

);
2

O Integrity : i(o

);
2

O Availability : a(o

);
2

O Consequence : C (t

)

= X

2A(t
)

(o

)

+ i(o

)

+ a(o

);

t

2

T

9

SLIDE 10

RISK MODEL : Unmanaged Risk

Unmanaged Risk : R = X t

2T

T (t

)
V

(t

)
C

(t

)

Computation Time : O (jT j

jP

j

jO

j)

10

SLIDE 11

RISK MODEL : Vulnerability Management

Auxiliary safeguards : (P )

P

Static checks : (P )

P
(P

) \ (P ) = ; (P ) [ (P ) = P

11

SLIDE 12

ARM : Skeleton of Auxiliary Safeguard

public abstract class PredicateThread extends Thread{ protected PredicateThread(Permission permission, Object lock); public void run(){ if(condition) result=true; synchronized(lock){ lock.notify(); } } public boolean getResult(); }

12

SLIDE 13

RISK MODEL : Managed Risk

Managed Vulnerability : V (t

)

= X p

2

^ P (t

)\(P

) v (p

)

j ^ P (t

)j

+ X p

2

^ P (t

)\(P

) v (p

)
v

(p

)

j ^ P (t

)j

; t

2

T Managed Risk : R = X t

2T

T (t

)
V

(t

)
C

(t

)

13

SLIDE 14

RISK MODEL : Risk Tolerance

Event : e Risk before : R b Risk change :

6=

Risk after : R a = R b +

Risk threshold :

R

>

^ R a > R ) R edu e()

>

^ R a

R

)

<

) R a = R b +

<

R b < R ) R el ax()

14

SLIDE 15

RISK MODEL : Risk Recalculation

Threat change : Æ (T (t

);

e) = (t

;

(E [ e)

\

S (t

))
(t
;

E

\

S (t

))

Threats affected : (T ; e) : Æ (T (t

);

e) 6= ) t

2

(T ; e) Update cost : O (jT j) * V (t

);

C (t

) cached

15

SLIDE 16

RISK MODEL : Risk Reduction

Enable safeguards : ((P ))

(P

) Find : ((P )) ) R 00 < R Reduced Vulnerability : V 00 (t

)

= X p

2(

^ P (t

)\(P

)((P ))) v (p

)

j ^ P (t

)j

+ X p

2(

^ P (t

)\(P

)[((P ))) v (p

)
v

(p

)

j ^ P (t

)j

Reduced Risk : R 00 = X t

2T

T (t

)
V

00 (t

)
C

(t

)

16

SLIDE 17

RISK MODEL : Cost and Complexity

Increase of Risk Reduction Cost :

(((P

))) = X p

2((P

)) f (p

)

Problem : min

(((P

))); R 00

R

Choices of ((P )) : O (2 (jP j) ) Equivalent : NP-Hard 0-1 Knapsack Problem ) Use greedy heuristic Yields 1 2 approximation of optimal choice

17

SLIDE 18

RHEOSTAT : Response Heaps

Key = Frequency in Workload Risk Reduction

Disabled Heap Responses Enabled Heap Responses

Key = Frequency in Workload Risk Relaxation Activate response Deactivate response Safeguard Safeguard

18

SLIDE 19

RHEOSTAT : Pre-Processing

Step 1

8p

2

(P ), calculate Benefit-to-Cost ratio: (p

)

= X t

:p
2(

^ P (t

)\(P

)) T (t

)
v

(p

)
(1
v

(p

))

j ^ P (t

)j
C

(t

)

f (p

)

19

SLIDE 20

RHEOSTAT : Safeguard Selection

Step 2 Set

((P )) =

Step 3 Choose:

r = max (p

);

p

2

(P )

Step 4 Add

r to ((P ))

Step 5 Recalculate Risk :

R 00 = R a

X

p

2((P

)) (p

)
f

(p

)

20

SLIDE 21

RHEOSTAT : Response Completion

Step 6

R 00 > R )

Step 3

R 00

R

)

Utilize Response :

((P )) Time Complexity : O (j((P ))j) Worst Case : O (jP j) Response Initiation Time : O (1)

21

SLIDE 22

RHEOSTAT : Example Intrusion Response

Servlet accepts uploads via HTTP POST Limits total size of multiple parts ) Prevent denial of service (disk overflow) No cumulative limit per source IP address ) Design error leaves system vulnerable Event 21 causes risk to rise over threshold RheoStat finds optimal permission to safeguard ) Chooses upload directory’s write permission Enables predicate OperationalHours :

During working hours

) Grant permission, Send alert

After hours

) Deny permission

22

SLIDE 23

RheoStat : Real-time Risk Management

Ashish Gehani and Gershon Kedem Department of Computer Science, Duke University

1

PROBLEM : Intrusion response

– High attack frequency – Great attack diversity – Rapid attack execution – Protection Time

2

SOLUTION STRATEGY

– Model runtime risk – Build vulnerability management primitives – Dynamically manage risk – Minimize impact on performance

3

RISK MODEL : Management

Threat Vulnerabilities Assets Risk Risk Threshold Consequences Safeguards Likelihood Yes Reconfigure

4

RHEOSTAT : Signatures

Timeouts :

5

RISK MODEL : Threat

Matching function :

6

ARM : Active Reference Monitor

7

RISK MODEL : Vulnerability

8

RISK MODEL : Consequence

9

RISK MODEL : Unmanaged Risk

10

RISK MODEL : Vulnerability Management

11

ARM : Skeleton of Auxiliary Safeguard

public abstract class PredicateThread extends Thread{ protected PredicateThread(Permission permission, Object lock); public void run(){ if(condition) result=true; synchronized(lock){ lock.notify(); } } public boolean getResult(); }

12

RISK MODEL : Managed Risk

13

RISK MODEL : Risk Tolerance

14

RISK MODEL : Risk Recalculation

15

RISK MODEL : Risk Reduction

16

RISK MODEL : Cost and Complexity

17

RHEOSTAT : Response Heaps

Disabled Heap Responses Enabled Heap Responses

18

RHEOSTAT : Pre-Processing

Step 1

19

RHEOSTAT : Safeguard Selection

Step 2 Set

Step 4 Add

Step 5 Recalculate Risk :

20

RHEOSTAT : Response Completion

Step 6

Step 3

Utilize Response :

21

RHEOSTAT : Example Intrusion Response

During working hours

After hours

22

RHEOSTAT : Risk Driven Response

23