Confidentiality of event data in policy-based monitoring

2011

Security policy conformance is a crucial issue in large-scale critical cyber-infrastructure. The complexity of these systems, insider attacks, and the possible speed of an attack on a system necessitate an automated approach to assure a basic level of protection. This paper presents Odessa, a resilient system for monitoring and validating compliance of networked systems to complex policies. To manage the scale of infrastructure systems and to avoid single points of failure or attack, Odessa distributes policy validation across many network nodes. Partial delegation enables the validation of component policies and of liveness at the edge nodes of the network using redundancy to increase security. Redundant distributed servers aggregate data to validate more complex policies. Our practical implementation of Odessa resists Byzantine failure of monitoring using an architecture that significantly increases scalability and attack resistance.

2001

This paper describes a new approach to collecting real-time transaction information from a server application and forwarding the data to an intrusion detection system. While the few existing applicationbased intrusion detection systems tend to read log files, the proposed application-integrated approach uses a module coupled with the application to extract the desired information. The paper describes the advantages of this approach in general, and how it complements traditional network-based and host-based data collection methods. The most compelling benefit is the ability to monitor transactions that are encrypted when transported to the application and therefore not visible to network traffic monitors. Further benefits include full insight into how the application interprets the transaction, and data collection that is independent of network line speed. To evaluate the proposed approach, we designed and implemented a data-collection module for the Apache Web server. Our experiments showed that the required implementation effort was moderate, that existing communication and analysis components could be used without incurring adaptation costs, and that the performance impact on the Web server is tolerable.

The Computer Journal, 2012

Security is considered one of the crucial issues for the widespread adoption of cloud computing. Despite all research done in preventive security for cloud computing, the high complexity and the interdependence of many software layers and infrastructures mean that in practice there are always chances for something going wrong. For this reason, there is a need to complement preventive security measures with reactive measures. Among these, monitoring is the most relevant approach. In this paper, we introduce a new and robust architecture for dynamic security monitoring and enforcement specially designed for cloud computing scenarios. Our solution is therefore a complete one including a three-layered architecture, a new language for expressing monitoring rules and a strategy based on the generation of a finite-state machine to improve the performance of the monitoring engine.

As large-scale coordinated and sophisticated attacks are constantly evolving in the network, security of the network has turned to a global phenomenon that demands to collaborative and sharing of network monitoring information. Since sharing monitoring data may contain sensitive and business relevant information, inherently, network operators are discouraged to contribute in such sharing scenarios. In a previous work, we proposed a technique called "conditional data sharing", devised to permit cross-domain sharing of fine-grained organized subsets of network monitoring data (called data feeds), only when a threshold number of domains are ready to reveal their data for a specific feed name. We here extent such techniques to support fine-grained data disclosure policies. The proposed approach designs more general access structure associated to parties credentials for a particular type of attack and enables participants to reveal their data for a same feed only when the monotone boolean policy is satisfied.

2007

Abstract Runtime monitoring is performed during system execution to detect whether the system's behaviour deviates from that described by requirements. To support this activity we have developed a monitoring framework that expresses the requirements to be monitored in event calculus-a formal temporal first order language.

Hawaii International Conference on System Sciences, 2011

Log event correlation is an effective means of detecting system faults and security breaches encountered in information technology environments. Centralized, database-driven log event correlation is common, but suffers from flaws such as high network bandwidth utilization, significant requirements for system resources, and difficulty in detecting certain suspicious behaviors. Distributed event correlation is often assumed to be superior, but no research

Trust, Privacy and Security in Digital Business, 2015

INTER-TRUST is a framework for the specification, negotiation, deployment and dynamic adaptation of interoperable security policies, in the context of pervasive systems where devices are constantly exchanging critical information through the network. The dynamic adaptation of the security policies at runtime is addressed using Aspect-Oriented Programming (AOP) that allows enforcing security requirements by dynamically weaving security aspects into the applications. However, a mechanism to guarantee the correct adaptation of the functionality that enforces the changing security policies is needed. In this paper, we present an approach with monitoring and detection techniques in order to maintain the correlation between the security policies and the associated functionality deployed using AOP, allowing the INTER-TRUST framework automatically reacts when needed.

2011 1st International Workshop on Securing Services on the Cloud (IWSSC), 2011

An architecture for dynamic security monitoring and enforcement for client software running in Virtualized Environments for Cloud computing is presented. Monitoring mechanisms check a set of policy-defined conditions at runtime in order to detect threats or anomalous behaviour. Enforcement is achievable by using secure software execution methods that comply with the defined policies. The presented architecture allows for context adaptation of the defined policies by using a new event-sequence language. Such automatic policy runtime enforcement is crucial to achieve proper security in virtualized platforms for cloud computing.

First International Conference on Availability, Reliability and Security (ARES'06), 2006

Detailed and reliable knowledge of the characteristics of an information system is becoming a very important feature for operational security. Unfortunately, vulnerability assessment tools have important side effects on the monitored information systems. In this paper, we propose an approach to gather or deduce information similar to vulnerability assessment reports, based on passive network observation. Information collected goes beyond classic server vulnerability assessment, enabling compliance verification of desktop clients.

… Workshops (DSN-W …, 2012

Cloud infrastructures play an increasingly important role for telecom operators, because they enable internal consolidation of resources with the corresponding savings in hardware and management costs. However, this same consolidation exposes core services of the infrastructure to very disruptive attacks. This is the case of monitoring, which needs to be dependable and secure to ensure proper operation of large datacenters and cloud infrastructures. We argue that currently existing centralized monitoring approaches (e.g., relying on a single solution provider, using single point of failure components) represent a huge risk, because a single vulnerability may compromise the entire monitoring infrastructure.