Intrusion Tolerance for Zero-Day Attacks at Distributed Applications

Research Areas: Network Security

Principal Investigator: Saurabh Bagchi

Today's complex multi-stage attacks leverage the interconnection among the nodes of large distributed systems to cause considerable system-wide damage. These attacks propagate in a series of causally ordered attack steps or stages, and are very difficult to thwart unless a priori information about the possible escalation paths is available. Zero-day attacks are a subset of multi-stage attacks for which some or all of the stages are based on unknown exploits, and some or all of the interconnections among the stages are unknown. There is usually a considerable lag between the first time a system is hit by a zero-day attack and the time a patch for the attack is developed and applied to the system. Until then, the deployed Intrusion Tolerance System (ITS) needs to protect the transaction and security goals of the system from being compromised by the attack.

Although significant progress has been made in detection, response, and prevention of known multi-stage attacks, most current approaches are explicitly predicated on known vulnerabilities and hence fail to provide effective response for zero-day attacks. The current state of the art in dealing with zero-day attacks is based on preventive techniques such as designing a small core of functionality that can be formally verified or employing strict security policies either at a host or at a network ingress point. However, these approaches can significantly hamper system functionality and user-friendliness and are but the first line of defense in a comprehensive defense strategy.

We have developed an ITS that can handle zero-day attacks. It is based on the technique of conceptualized matching of attack graphs. We observe that even for zero-day attacks, the concepts behind the attack steps are not always new. For example, a commonly seen conceptual description of many distinct attacks is memory overflow followed by data execution. We conceptualize the component and the detector alert associated with an attack graph node by moving each of them up to a super-class in an object-oriented hierarchical model. The conceptualization is integrated into a graph edit distance-based similarity matching algorithm to find a previously seen attack that the current zero-day attack is conceptually similar to. The objective is to estimate the zero-day attack's escalation path and the effective responses from this previously observed attack. The resulting similarity metric is carefully designed to satisfy the definition of a metric space. This allows the use of existing search algorithms in metric spaces to provide efficient matching against a large library of previously seen attack graphs. Our solution also includes a technique for choosing sensors and determining optimal sensor placements so that the ITS can gain situational awareness of the distributed application. The ITS continuously adapts itself to an attack and improves the quality of responses over time. To make the adaptation more efficient, the "conceptualized matching" technique establishes linkages between a zero-day attack and past attacks, allowing history information to improve the quality of responses.
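As an added illustration (not the project's own code), a toy Python reimplementation of the matching idea described above: node labels are lifted to super-classes through a hypothetical concept hierarchy, and a brute-force graph edit distance (symmetric, zero only for identical concept graphs) then ranks a library of previously seen attack graphs against an unseen one. The hierarchy, the library and the zero-day graph are constructed sample data; the unit edit costs are an assumption.

```python
from itertools import permutations

# Hypothetical concept hierarchy: concrete component/alert -> super-class.
CONCEPT_PARENT = {
    "heap_overflow": "memory_overflow", "stack_overflow": "memory_overflow",
    "shellcode_exec": "data_execution", "ret2libc": "data_execution",
    "apache_httpd": "web_server", "nginx": "web_server", "mysql": "database",
}

# Constructed sample attack graphs: node -> (component, detector alert); edges are attack steps.
LIBRARY = {
    "web_stack_overflow_2009": {
        "nodes": {"a": ("apache_httpd", "stack_overflow"), "b": ("apache_httpd", "shellcode_exec"),
                  "c": ("mysql", "privilege_escalation")},
        "edges": {("a", "b"), ("b", "c")}},
    "db_brute_force": {
        "nodes": {"a": ("mysql", "login_failure"), "b": ("mysql", "privilege_escalation")},
        "edges": {("a", "b")}},
}
ZERO_DAY = {  # unseen exploit chain: nginx heap overflow -> ret2libc -> database escalation
    "nodes": {"x": ("nginx", "heap_overflow"), "y": ("nginx", "ret2libc"),
              "z": ("mysql", "privilege_escalation")},
    "edges": {("x", "y"), ("y", "z")}}

def conceptualize(graph):
    """Lift every node label to its super-class so unseen concrete exploits map onto known concepts."""
    nodes = {n: tuple(CONCEPT_PARENT.get(l, l) for l in labels) for n, labels in graph["nodes"].items()}
    return {"nodes": nodes, "edges": set(graph["edges"])}

def edit_distance(g1, g2):
    """Brute-force graph edit distance (unit cost per node insertion, relabel, edge change); small graphs only."""
    if len(g1["nodes"]) > len(g2["nodes"]):
        g1, g2 = g2, g1                      # distance is symmetric, so always map the smaller graph
    n1, n2 = list(g1["nodes"]), list(g2["nodes"])
    best = None
    for target in permutations(n2, len(n1)):
        m = dict(zip(n1, target))
        cost = len(n2) - len(n1)                                     # unmatched nodes: insertions
        cost += sum(g1["nodes"][a] != g2["nodes"][m[a]] for a in n1)  # relabelled nodes
        cost += len({(m[u], m[v]) for u, v in g1["edges"]} ^ g2["edges"])  # edge mismatches
        best = cost if best is None else min(best, cost)
    return best

def closest_known_attack(zero_day, library):
    """Return (name, distance) of the library attack the zero-day graph is conceptually closest to."""
    cz = conceptualize(zero_day)
    scored = ((name, edit_distance(cz, conceptualize(g))) for name, g in library.items())
    return min(scored, key=lambda pair: pair[1])
```

`closest_known_attack(ZERO_DAY, LIBRARY)` returns the 2009 web-server overflow at concept distance 0, even though the raw graphs differ in two node labels; the ITS would then borrow that attack's escalation path and responses as its estimate.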

Personnel

Other PIs: Gene Spafford (Purdue University)

Students: Gaspar Modelo-Howard (Ph.D. Student), Jevin Sweval

Keywords: distributed applications, intrusion detection, zero-day