Scalable and adaptable security modelling and analysis.

Hong, Jin Bum

January 2015

Modern networked systems are complex in such a way that assessing the security of them is a difficult task. Security models are widely used to analyse the security of these systems, which are capable of evaluating the complex relationship between network components. Security models can be generated by identifying vulnerabilities, threats (e.g., cyber attacks), network configurations, and reachability of network components. These network components are then combined into a single model to evaluate how an attacker may penetrate through the networked system. Further, countermeasures can be enforced to minimise cyber attacks based on security analysis. However, modern networked systems are becoming large sized and dynamic (e.g., Cloud Computing systems). As a result, existing security models suffer from scalability problem, where it becomes infeasible to use them for modern networked systems that contain hundreds and thousands of hosts and vulnerabilities. Moreover, the dynamic nature of modern networked systems requires a responsive update in the security model to monitor how these changes may affect the security, but there is a lack of capabilities to efficiently manage these changes with existing security models. In addition, existing security models do not provide functionalities to capture and analyse the security of unknown attacks, where the combined effects of both known and unknown attacks can create unforeseen attack scenarios that may not be detected or mitigated. Therefore, the three goals of this thesis are to (i) develop security modelling and analysis methods that can scale to a large number of network components and adapts to changes in the networked system; (ii) develop efficient security assessment methods to formulate countermeasures; and (iii) develop models and metrics to incorporate and assess the security of unknown attacks. A lifecycle of security models is introduced in this thesis to concisely describe performance and functionalities of modern security models. The five phases in the lifecycle of security models are: (1) Preprocessing, (2) Generation, (3) Representation, (4) Evaluation, and (5) Modification. To achieve goal (i), a hierarchical security model is developed to reduce the computational costs of assessing the security while maintaining all security information, where each layer captures different security information. Then, a comparative analysis is presented to show the scalability and adaptability of security models. The complexity analysis showed that the hierarchical security model has better or equivalent complexities in all phases of the lifecycle in comparison to existing security models, while the performance analysis showed that in fact it is much more scalable in practical network scenarios. To achieve goal (ii), security assessment methods based on importance measures are developed. Network centrality measures are used to identify important hosts in the networked systems, and security metrics are used to identify important vulnerabilities in the host. Also, new network centrality measures are developed to improvise the lack of accuracy of existing network centrality measures when the attack scenarios consist of attackers located inside the networked system. Important hosts and vulnerabilities are identified using efficient algorithms with a polynomial time complexity, and the accuracy of these algorithms are shown as nearly equivalent to the naive method through experiments, which has an exponential complexity. To achieve goal (iii), unknown attacks are incorporated into the hierarchical security model and the combined effects of both known and unknown attacks are analysed. Algorithms taking into account all possible attack scenarios associated with unknown attacks are used to identify significant hosts and vulnerabilities. Approximation algorithms based on dynamic programming and greedy algorithms are also developed to improve the performance. Mitigation strategies to minimise the effects of unknown attacks are formulated on the basis of significant hosts and vulnerabilities identified in the analysis. Results show that mitigation strategies formulated on the basis of significant hosts and vulnerabilities can significantly reduce the system risk in comparison to randomly applying mitigations. In summary, the contributions of this thesis are: (1) the development and evaluation of the hierarchical security model to enhance the scalability and adaptability of security modelling and analysis; (2) a comparative analysis of security models taking into account scalability and adaptability; (3) the development of security assessment methods based on importance measures to identify important hosts and vulnerabilities in the networked system and evaluating their efficiencies in terms of accuracies and performances; and (4) the development of security analysis taking into account unknown attacks, which consists of evaluating the combined effects of both known and unknown attacks.

adaptability

network security

scalability

security analysis

security modelling

Denial of service : prevention, modelling and detection

Smith, Jason

January 2007

This research investigates the denial of service problem, in the context of services provided over a network, and contributes to improved techniques for modelling, detecting, and preventing denial of service attacks against these services. While the majority of currently employed denial of service attacks aim to pre-emptively consume the network bandwidth of victims, a significant amount of research effort is already being directed at this problem. This research is instead concerned with addressing the inevitable migration of denial of service attacks up the protocol stack to the application layer. Of particular interest is the denial of service resistance of key establishment protocols (security protocols that enable an initiator and responder to mutually authenticate and establish cryptographic keys for establishing a secure communications channel), which owing to the computationally intensive activities they perform, are particularly vulnerable to attack. Given the preponderance of wireless networking technologies this research hasalso investigated denial of service and its detection in IEEE 802.11 standards based networks. Specific outcomes of this research include: - investigation of the modelling and application of techniques to improve the denial of service resistance of key establishment protocols; - a proposal for enhancements to an existing modelling framework to accommodate coordinated attackers; - design of a new denial of service resistant key establishment protocol for securing signalling messages in next generation, mobile IPv6 networks; - a comprehensive survey of denial of service attacks in IEEE 802.11 wireless networks; discovery of a significant denial of service vulnerability in the clear channel assessment procedure implemented by the medium access control layer of IEEE 802.11 compliant devices; and - design of a novel, specification-based intrusion detection system for detecting denial of service attacks in IEEE 802.11 wireless networks.

denial of service resistance

key establishment

attack prevention

specificationbased intrusion detection

security modelling

cost-based modelling

mobile IP

IEEE 802.11 wireless networks

crypto-based identifiers.

Model-driven security in service-oriented architectures : leveraging security patterns to transform high-level security requirements to technical policies

Menzel, Michael

January 2011

Service-oriented Architectures (SOA) facilitate the provision and orchestration of business services to enable a faster adoption to changing business demands. Web Services provide a technical foundation to implement this paradigm on the basis of XML-messaging. However, the enhanced flexibility of message-based systems comes along with new threats and risks. To face these issues, a variety of security mechanisms and approaches is supported by the Web Service specifications. The usage of these security mechanisms and protocols is configured by stating security requirements in security policies. However, security policy languages for SOA are complex and difficult to create due to the expressiveness of these languages. To facilitate and simplify the creation of security policies, this thesis presents a model-driven approach that enables the generation of complex security policies on the basis of simple security intentions. SOA architects can specify these intentions in system design models and are not required to deal with complex technical security concepts. The approach introduced in this thesis enables the enhancement of any system design modelling languages – for example FMC or BPMN – with security modelling elements. The syntax, semantics, and notion of these elements is defined by our security modelling language SecureSOA. The metamodel of this language provides extension points to enable the integration into system design modelling languages. In particular, this thesis demonstrates the enhancement of FMC block diagrams with SecureSOA. To enable the model-driven generation of security policies, a domain-independent policy model is introduced in this thesis. This model provides an abstraction layer for security policies. Mappings are used to perform the transformation from our model to security policy languages. However, expert knowledge is required to generate instances of this model on the basis of simple security intentions. Appropriate security mechanisms, protocols and options must be chosen and combined to fulfil these security intentions. In this thesis, a formalised system of security patterns is used to represent this knowledge and to enable an automated transformation process. Moreover, a domain-specific language is introduced to state security patterns in an accessible way. On the basis of this language, a system of security configuration patterns is provided to transform security intentions related to data protection and identity management. The formal semantics of the security pattern language enable the verification of the transformation process introduced in this thesis and prove the correctness of the pattern application. Finally, our SOA Security LAB is presented that demonstrates the application of our model-driven approach to facilitate a dynamic creation, configuration, and execution of secure Web Service-based composed applications. / Im Bereich der Enterprisearchitekturen hat das Paradigma der Service-orientierten Architektur (SOA) in den vergangenen Jahren eine große Bedeutung erlangt. Dieser Ansatz ermöglicht die Strukturierung und Umsetzung verteilter, IT-basierter Geschäftsfunktionen, um einen effizienten und flexiblen Einsatz von IT-Ressourcen zu ermöglichen. Während in der Vergangenheit fachliche Anforderungen in monolithischen Applikationen umgesetzt wurden, setzt dieser Architekturansatz auf wiederverwendbare Dienste, die spezifische Geschäftsfunktionen implementieren. Diese Dienste können dann dynamisch zur Umsetzung von Geschäftsprozessen herangezogen werden und ermöglichen eine schnelle Reaktion auf verändernde geschäftliche Rahmenbedingungen durch Anpassung der Prozesse. Die einzelnen Dienste existieren unabhängig voneinander und sind lose über einen Nachrichtenaustausch gekoppelt. Diese Unabhängigkeit unterscheidet den SOA-Ansatz von der bisherigen Entwicklung klassischer verteilter Anwendungen. Die Verwendung unabhängiger Dienste geht aber auch mit einem größeren Gefährdungspotential einher, da eine Vielzahl von Schnittstellen bereitgestellt wird, die mittels komplexer Protokolle angesprochen werden können. Somit ist die korrekte Umsetzung von Sicherheitsmechanismen in allen Diensten und SOA-Infrastrukturkomponeten essentiell. Kommunikationspartner müssen an jedem Kommunikationsendpunkt authentifiziert und autorisiert werden und ausgetauschte Nachrichten müssen immer geschützt werden. Solche Sicherheitsanforderungen werden in technischen Sicherheitskonfigurationen (Policydokumenten) mittels einer Policysprache kodiert und werden an die Dienste verteilt, die diese Anforderungen durchsetzen. Da Policysprachen für SOA aber durch die Vielzahl und Vielfalt an Sicherheitsmechanismen, -protokollen und -standards eine hohe Komplexität aufweisen, sind Sicherheitskonfigurationen höchst fehleranfällig und mit viel Fachwissen zu erstellen. Um die Generierung von Sicherheitskonfigurationen in komplexen Systemen zu vereinfachen, wird in dieser Arbeit ein modellgetriebener Ansatz vorgestellt, der eine visuelle Modellierung von Sicherheitsanforderungen in Architekturmodellen ermöglicht und eine automatisierte Generierung von Sicherheitskonfigurationen auf Basis dieser Anforderungen unterstützt. Die Modellierungsebene ermöglicht eine einfache und abstrakte Darstellung von Sicherheitsanforderungen, die sich auch für Systemarchitekten erschließen, welche keine Sicherheits-experten sind. Beispielsweise können modellierte Daten einfach mit einem Schloss annotiert werden, um den Schutz dieser Daten zu fordern. Die Syntax, die Semantik und die Darstellung dieser Anforderungen werden durch die in dieser Arbeit vorgestellte Sicherheitsmodellierungssprache SecureSOA spezifiziert. Der vorgestellte modellgetriebene Ansatz transformiert die modellierten Anforderungen auf ein domänen-unabhängiges Policymodell, das eine Abstraktionsschicht zu konkreten Policysprachen bildet. Diese Abstrak-tionsschicht vereinfacht die Generierung von Sicherheitspolicies in verschiedenen Policysprachen. Allerdings kann diese Transformation nur erfolgen, wenn im System Expertenwissen hinterlegt ist, das die Auswahl von konkreten Sicherheitsmechanismen und -optionen bestimmt. Im Rahmen dieser Arbeit werden Entwurfsmuster für SOA-Sicherheit zur Transformation herangezogen, die dieses Wissen repräsentieren. Dazu wird ein Katalog von Entwurfsmustern eingeführt, der die Abbildung von abstrakten Sicherheitsanforderungen auf konkrete Konfigurationen ermöglicht. Diese Muster sind mittels einer Entwurfsmustersprache definiert, die in dieser Arbeit eingeführt wird. Die formale Semantik dieser Sprache ermöglicht die formale Verifikation des Transformationsprozesses, um die Korrektheit der Entwurfsmusteranwendung nachzuweisen. Die Definition dieses Entwurfsmusterkatalogs und der darauf basierende Transformationsprozess ermöglichen die Abbildung von abstrakten Sicherheitsanforderungen auf konkrete technische Sicherheitskonfigurationen und stellen den Beitrag dieser Arbeit dar. Abschließend wird in dieser Arbeit das SOA-Security-Lab vorgestellt, das die Umsetzung dieses Ansatzes demonstriert.

IT-Sicherheit

Service-Orientierte Architekturen

Modell-getriebene Sicherheit

Sicherheitsmodellierung

Entwurfsmuster für SOA-Sicherheit

IT-Security

Service-oriented Architectures

Modell-driven Security

Security Modelling

SOA Security Pattern

Data processing Computer science