A Framework for Enforcing Role Based Access Control in Open Source Software

Manning, Francis Jay

01 January 2013

While Role Based Access Control (RBAC) has been a popular topic of research over the last several years, there are some gaps in the literature that have been waiting to be addressed. One of these gaps involves the application of RBAC to free and open source software (FOSS). With the prevalence of FOSS in most information systems growing rapidly, there is a need to be able to provide a level of confidence that the software will not compromise the data integrity of an environment, nor will it enable the violation of established access controls. Additionally, when utilizing FOSS software it is desirable to do so without having to modify its source code whenever an update is released in order to maintain a secure environment; this makes adding proprietary modules both time consuming and expensive. The challenges involved in maintaining proprietary changes to FOSS generates a particular interest in an RBAC environment that could be deployed without requiring modification to the source code. Developing this type of a framework presented a significant challenge due to the software having been established prior to the definition of any security requirements that would have to be applied by the proposed framework. What this research paper shows are the results of the development of a software framework that allowed security requirements engineering to seamlessly meld with an application after it had already been developed. This framework provided a mechanism to measurably reduce the attack surface of the application against which the framework was implemented, while performing these tasks without requiring alterations to the source code of the application. Additionally, this research introduced a mechanism that was utilized to measure the effectiveness of the framework. This mechanism provided a means of comparing the relative effectiveness of different frameworks against the same software, as well as the effectiveness of a framework against different pieces of software.

AOP

AspectJ

attack graph

FOSS

RBAC

security

Computer Sciences

Cyber-Attack Modeling Analysis Techniques: An Overview

Al-Mohannadi, Hamad, Mirza, Qublai K.A., Namanya, Anitta P., Awan, Irfan U., Cullen, Andrea J., Pagna Disso, Jules F.

January 2016

Yes / Cyber attack is a sensitive issue in the world of Internet security. Governments and business organisations around the world are providing enormous effort to secure their data. They are using various types of tools and techniques to keep the business running, while adversaries are trying to breach security and send malicious software such as botnets, viruses, trojans etc., to access valuable data. Everyday the situation is getting worse because of new types of malware emerging to attack networks. It is important to understand those attacks both before and after they happen in order to provide better security to our systems. Understanding attack models provide more insight into network vulnerability; which in turn can be used to protect the network from future attacks. In the cyber security world, it is difficult to predict a potential attack without understanding the vulnerability of the network. So, it is important to analyse the network to identify top possible vulnerability list, which will give an intuitive idea to protect the network. Also, handling an ongoing attack poses significant risk on the network and valuable data, where prompt action is necessary. Proper utilisation of attack modelling techniques provide advance planning, which can be implemented rapidly during an ongoing attack event. This paper aims to analyse various types of existing attack modelling techniques to understand the vulnerability of the network; and the behaviour and goals of the adversary. The ultimate goal is to handle cyber attack in efficient manner using attack modelling techniques.

Attack modelling

Diamond model

Kill chain

Attack graph

Containing Cascading Failures in Networks: Applications to Epidemics and Cybersecurity

Saha, Sudip

05 October 2016

Many real word networks exhibit cascading phenomena, e.g., disease outbreaks in social contact networks, malware propagation in computer networks, failures in cyber-physical systems such as power grids. As they grow in size and complexity, their security becomes increasingly important. In this thesis, we address the problems of controlling cascading failures in various network settings. We address the cascading phenomena which are either natural (e.g., disease outbreaks) or malicious (e.g., cyber attacks). We consider the nodes of a network as being individually or collectively controlled by self-interested autonomous agents and study their strategic decisions in the presence of these failure cascades. There are many models of cascading failures which specify how a node would fail when some neighbors have failed, such as: (i) epidemic spread models in which the cascading can be viewed as a natural and stochastic process and (ii) cyber attack models where the cascade is driven by malicious intents. We present our analyses and algorithms for these models in two parts. Part I focuses on problems of controlling epidemic spread. Epidemic outbreaks are generally modeled as stochastic diffusion processes. In particular, we consider the SIS model on networks. There exist heuristic centralized approaches in the literature for containing epidemic spread in SIS/SIR models; however no rigorous performance bounds are known for these approaches. We develop algorithms with provable approximation guarantees that involve either protective intervention (e.g., vaccination) or link removal (e.g., unfriending). Our approach relies on the characterization of the SIS model in terms of the spectral radius of the network. The centralized approaches, however, are sometimes not feasible in practice. For example, targeted vaccination is often not feasible because of limited compliance to directives. This issue has been addressed in the literature by formulating game theoretic models for the containment of epidemic spread. However they generally assume simplistic propagation models or homogeneous network structures. We develop novel game formulations which rely on the spectral characterization of the SIS model. In these formulations, the failures start from a random set of nodes and propagate through the network links. Each node acts as a self-interested agent and makes strategic intervention decisions (e.g., taking vaccination). Each agent decides its strategy to optimize its payoff (modeled by some payoff function). We analyze the complexity of finding Nash equilibria (NE) and study the structure of NE for different networks in these game settings. Part II focuses on malware spread in networks. In cybersecurity literature malware spreads are often studied in the framework of ``attack graph" models. In these models, a node represents either a physical computing unit or a network configuration and an edge represents a physical or logical vulnerability dependency. A node gets compromised if a certain set of its neighbors are compromised. Attack graphs describe explicit scenarios in which a single vulnerability exploitation cascades further into the network exploiting inherent dependencies among the network components. Attack graphs are used for studying cascading effects in many cybersecurity applications, e.g., component failure in enterprise networks, botnet spreads, advanced persistent attacks. One distinct feature of cyber attack cascades is the stealthy nature of the attack moves. Also, cyber attacks are generally repeated. How to control stealthy and repeated attack cascades is an interesting problem. Dijk et. al.~cite{van2013flipit} first proposed a game framework called ``FlipIt" for reasoning about the stealthy interaction between a defender and an attacker over the control of a system resource. However, in cybersecurity applications, systems generally consists of multiple resources connected by a network. Therefore it is imperative to study the stealthy attack and defense in networked systems. We develop a generalized framework called ``FlipNet" which extends the work of Dijk et. al.~cite{van2013flipit} for network. We present analyses and algorithms for different problems in this framework. On the other hand, if the security of a system is limited to the vulnerabilities and exploitations that are known to the security community, often the objective of the system owner is to take cost-effective steps to minimize potential damage in the network. This problem has been formulated in the cybersecurity literature as hardening attack graphs. Several heuristic approaches have been shown in the litrature so far but no algorithmic analysis have been shown. We analyze the inherent vulnerability of the network and present approximation hardening algorithms. / Ph. D.

Failure Cacades

Epidemic Containment

Stealthy diffusion

Game theory

Attack graph

SDN-based Proactive Defense Mechanism in a Cloud System

January 2015

abstract: Cloud computing is known as a new and powerful computing paradigm. This new generation of network computing model delivers both software and hardware as on-demand resources and various services over the Internet. However, the security concerns prevent users from adopting the cloud-based solutions to fulfill the IT requirement for many business critical computing. Due to the resource-sharing and multi-tenant nature of cloud-based solutions, cloud security is especially the most concern in the Infrastructure as a Service (IaaS). It has been attracting a lot of research and development effort in the past few years. Virtualization is the main technology of cloud computing to enable multi-tenancy. Computing power, storage, and network are all virtualizable to be shared in an IaaS system. This important technology makes abstract infrastructure and resources available to users as isolated virtual machines (VMs) and virtual networks (VNs). However, it also increases vulnerabilities and possible attack surfaces in the system, since all users in a cloud share these resources with others or even the attackers. The promising protection mechanism is required to ensure strong isolation, mediated sharing, and secure communications between VMs. Technologies for detecting anomalous traffic and protecting normal traffic in VNs are also needed. Therefore, how to secure and protect the private traffic in VNs and how to prevent the malicious traffic from shared resources are major security research challenges in a cloud system. This dissertation proposes four novel frameworks to address challenges mentioned above. The first work is a new multi-phase distributed vulnerability, measurement, and countermeasure selection mechanism based on the attack graph analytical model. The second work is a hybrid intrusion detection and prevention system to protect VN and VM using virtual machines introspection (VMI) and software defined networking (SDN) technologies. The third work further improves the previous works by introducing a VM profiler and VM Security Index (VSI) to keep track the security status of each VM and suggest the optimal countermeasure to mitigate potential threats. The final work is a SDN-based proactive defense mechanism for a cloud system using a reconfiguration model and moving target defense approaches to actively and dynamically change the virtual network configuration of a cloud system. / Dissertation/Thesis / Doctoral Dissertation Computer Science 2015

Computer science

Attack Graph

Cloud Computing

Cloud Security

Cybersecurity

Network security

Software Defined Networking

Security Risk Analysis based on Data Criticality

Zhou, Luyuan

January 2020

Nowadays, security risk assessment has become an integral part of network security as everyday life has become interconnected with and dependent on computer networks. There are various types of data in the network, often with different criticality in terms of availability or confidentiality or integrity of information. Critical data is riskier when it is exploited. Data criticality has an impact on network security risks. The challenge of diminishing security risks in a specific network is how to conduct network security risk analysis based on data criticality. An interesting aspect of the challenge is how to integrate the security metric and the threat modeling, and how to consider and combine the various elements that affect network security during security risk analysis. To the best of our knowledge, there exist no security risk analysis techniques based on threat modeling that consider the criticality of data. By extending the security risk analysis with data criticality, we consider its impact on the network in security risk assessment. To acquire the corresponding security risk value, a method for integrating data criticality into graphical attack models via using relevant metrics is needed. In this thesis, an approach for calculating the security risk value considering data criticality is proposed. Our solution integrates the impact of data criticality in the network by extending the attack graph with data criticality. There are vulnerabilities in the network that have potential threats to the network. First, the combination of these vulnerabilities and data criticality is identified and precisely described. Thereafter the interaction between the vulnerabilities through the attack graph is taken into account and the final security metric is calculated and analyzed. The new security metric can be used by network security analysts to rank security levels of objects in the network. By doing this, they can find objects that need to be given additional attention in their daily network protection work. The security metric could also be used to help them prioritize vulnerabilities that need to be fixed when the network is under attack. In general, network security analysts can find effective ways to resolve exploits in the network based on the value of the security metric.

network security risk assessment

attack graph

data criticality

security metric

threat modeling

Software Engineering

Programvaruteknik

Security Countermeasure Selection as a Constraint Solving Problem

Kathem, Aya

January 2021

Network systems often contain vulnerabilities that remain unmitigated in a network for various reasons, such as lack of a patch and limited budget. Adversaries can exploit these existing vulnerabilities through different strategies. The attackers can use the existing vulnerabilities to gain capabilities that will enable them to reach their target goal. This thesis aims to find the most effective defense strategy that can defend against all discovered/known attack scenarios in attempt to secure the system's critical assets. Threat modeling is a well-known technique to find and assess vulnerabilities and threats in the system. Attack graphs are one of the common models used to illustrate and analyze attack scenarios. They provide a logical overview that illustrates how an attacker can combine multiple vulnerabilities to reach a specific part of the system. This project utilizes attack graphs, taking advantage of the causal relationship of their elements to formulate a Constraint Solving Problem, performs a number of analyses to define some constraints and objectives to select the most appropriate actions to be taken by the defender. This is achieved by addressing the security requirements and organization requirements for a given budget. The results show that the selected combination of countermeasures restricts all attack paths presented in the Logical attack graph. The countermeasures are be distributed on the most critical parts of a system and reduce the potential harm for several vulnerabilities rather than provide high protection to a few vulnerabilities. This approach aids in finding the most relevant way to protect system's assets based on the available budget.

Logical attack graph

Optimization problem

Constraint Solving Problems

Computer Network Security.

Computer Sciences

Datavetenskap (datalogi)

Risk-Averse Bi-Level Stochastic Network Interdiction Model for Cyber-Security Risk Management

Bhuiyan, Tanveer Hossain

10 August 2018

This research presents a bi-level stochastic network interdiction model on an attack graph to enable a risk-averse resource constrained cyber network defender to optimally deploy security countermeasures to protect against attackers having an uncertain budget. This risk-averse conditional-value-at-risk model minimizes a weighted sum of the expected maximum loss over all scenarios and the expected maximum loss from the most damaging attack scenarios. We develop an exact algorithm to solve our model as well as several acceleration techniques to improve the computational efficiency. Computational experiments demonstrate that the application of all the acceleration techniques reduces the average computation time of the basic algorithm by 71% for 100-node graphs. Using metrics called mean-risk value of stochastic solution and value of risk-aversion, numerical results suggest that our stochastic risk-averse model significantly outperforms deterministic and risk-neutral models when 1) the distribution of attacker budget is heavy-right-tailed and 2) the defender is highly risk-averse.

attack graph

stochastic network interdiction

risk-aversion

conditional-value-at-risk

mixed-integer-programming

A comprehensive approach to enterprise network security management

Homer, John

January 1900

Doctor of Philosophy / Department of Computing and Information Sciences / Xinming (Simon) Ou / Enterprise network security management is a vitally important task, more so now than ever before. Networks grow ever larger and more complex, and corporations, universities, government agencies, etc. rely heavily on the availability of these networks. Security in enterprise networks is constantly threatened by thousands of known software vulnerabilities, with thousands more discovered annually in a wide variety of applications. An overwhelming amount of data is relevant to the ongoing protection of an enterprise network. Previous works have addressed the identification of vulnerabilities in a given network and the aggregated collection of these vulnerabilities in an attack graph, clearly showing how an attacker might gain access to or control over network resources. These works, however, do little to address how to evaluate or properly utilize this information. I have developed a comprehensive approach to enterprise network security management. Compared with previous methods, my approach realizes these issues as a uniform desire for provable mitigation of risk within an enterprise network. Attack graph simplification is used to improve user comprehension of the graph data and to enable more efficient use of the data in risk assessment. A sound and effective quantification of risk within the network produces values that can form a basis for valuation policies necessary for the application of a SAT solving technique. SAT solving resolves policy conflicts and produces an optimal reconfiguration, based on the provided values, which can be verified by a knowledgeable human user for accuracy and applicability within the context of the enterprise network. Empirical study shows the effectiveness and efficiency of these approaches, and also indicates promising directions for improvements to be explored in future works. Overall, this research comprises an important step toward a more automated security management initiative.

Enterprise network security analysis

Risk assessment

Attack Graph

Security metric

Computer Science (0984)

Évaluation dynamique de risque et calcul de réponses basés sur des modèles d’attaques bayésiens / Dynamic risk assessment and response computation using Bayesian attack models

Aguessy, François-Xavier

22 September 2016

Les systèmes d'information sont une cible de plus en plus attractive pour les attaquants. Dans cette thèse de doctorat, nous construisons une méthodologie complète d'analyse statique et dynamique de risque prenant en compte la connaissance à priori d'un système avec les événements dynamiques, afin de proposer des réponses permettant d'empêcher les attaques futures. Tout d'abord, nous étudions comment corriger les attaques potentielles qui peuvent arriver dans un système, en s'appuyant sur les graphes d'attaque logiques. Nous proposons une méthodologie de remédiation corrigeant les chemins d'attaque les plus significatifs. Les remédiations candidates sont classées en fonction de leur coût opérationnel et leur impact sur le système. Les graphes d'attaques ne peuvent pas être directement utilisés pour l'évaluation dynamique de risque. Nous étendons donc ce modèle pour construire des modèles d'analyse dynamique de risque basés sur des réseaux bayésiens. Le modèle hybride d'évaluation de risque se divise en deux modèles complémentaires: (1) Les modèles de corrélation de risque, permettant d'analyser les attaques en cours et fournir les probabilités de compromission des états du système, (2) les modèles d'évaluation du risque futur, permettant évaluer les attaques futures les plus probables. Nous analysons la sensibilité des paramètres probabilistes du modèle et en validons les résultats à partir de graphes d'attaque topologiques / Information systems constitute an increasingly attractive target for attackers. Given the number and complexity of attacks, security teams need to focus their actions, in order to select the most appropriate security controls. Because of the threat posed by advanced multi-step attacks, it is difficult for security operators to fully cover all vulnerabilities when deploying countermeasures. In this PhD thesis, we build a complete framework for static and dynamic risk assessment including prior knowledge on the information system and dynamic events, proposing responses to prevent future attacks. First, we study how to remediate the potential attacks that can happen in a system, using logical attack graphs. We build a remediation methodology to prevent the most relevant attack paths extracted from a logical attack graph. In order to help an operator to choose between several remediation candidates, we rank them according to a cost of remediation combining operational and impact costs. Then, we study the dynamic attacks that can occur in a system. Attack graphs are not directly suited for dynamic risk assessment. Thus, we extend this mode to build dynamic risk assessment models to evaluate the attacks that are the most likely. The hybrid model is subdivided in two complementary models: (1) the first ones analysing ongoing attacks and provide the hosts' compromise probabilities, and (2) the second ones assessing the most likely future attacks. We study the sensitivity of their probabilistic parameters. Finally, we validate the accuracy and usage of both models in the domain of cybersecurity, by building them from a topological attack graph

Graphes d'attaque

Évaluation dynamique de risque

Modélisation d'attaques

Modèles d’attaques bayésiens

Attack graph

Dynamic risk assessment

Attack modelling

Bayesian attack model

Network Interdiction Models and Algorithms for Information Security

Nandi, Apurba Kumer

09 December 2016

Major cyber attacks against the cyber networks of organizations has become a common phenomenon nowadays. Cyber attacks are carried out both through the spread of malware and also through multi-stage attacks known as hacking. A cyber network can be represented directly as a simple directed or undirected network (graph) of nodes and arcs. It can also be represented by a transformed network such as the attack graph which uses information about network topology, attacker profile, and existing vulnerabilities to represent all the potential attack paths from readily accesible vulnerabilities to valuable target nodes. Then, interdicting or hardening a subset of arcs in the network naturally maps into deploying security countermeasures on the associated devices or connections. In this dissertation, we develop network interdiction models and algorithms to optimally select a subset of arcs which upon interdiction minimizes the spread of infection or minimizes the loss from multi-stage attacks. In particular, we define four novel network connectivity-based metrics and develop interdiction models to optimize the metrics. Direct network representation of the physical cyber network is used as the underlying network in this case. Two of the interdiction models prove to be very effective arc removal methods for minimizing the spread of infection. We also develop multi-level network interdiction models that remove a subset of arcs to minimize the loss from multi-stage attacks. Our models capture the defenderattacker interaction in terms of stackelberg zero-sum games considering the attacker both as a complete rational and bounded rational agents. Our novel solution algorithms based on constraint and column generation and enhanced by heuristic methods efficiently solve the difficult multi-level mixed-integer programs with integer variables in all levels in reasonable times.

constraint and column generation

multi-level programming

bi-level programming

Mixed Integer programming

cyber security

Attack graph

Network

Interdiction