SecMetrics: On Quantifying Operational Security

Status

This project started in August 2010 and is now closed.

Researchers

Prof. Bernhard Plattner, Communication Systems Group, ETH
Dr. Xenofontas Dimitropoulos, Communication Systems Group, ETH Zurich
Ilias Raftopoulos, Communication Systems Group, ETH Zurich

Description

Security metrics constitute an indicator of the attack proneness of an exposed networked system, reflecting the extensiveness and effectiveness of the safeguard measures undertaken and capturing its ability to withstand and survive an attack. Currently, most approaches in this direction assess information security in a qualitative way, focusing mostly on empirical guidelines regarding the optimal configuration of components and providing security assurances if specific design preconditions are met. These static properties often fail to capture the dynamic aspects of the system's attack proneness, its ability to resist malicious actions involving different levels of intelligence and sophistication, and the underlying state evolution during ongoing attacks. The goal of this project is to provide a rigorous, concrete methodology to effectively quantify the security assurance level of an exposed infrastructure. The derived security metrics should reflect whether specific principal requirements such as confidentiality, integrity, and availability are respected, support different attacker and defender models involving different types of infections and malicious behaviours, and capture the security dynamics of an evolving networked system where new nodes, services, and baseline defenses are constantly introduced.

Our approach consists of two equally important steps:

We collect and analyze real-life traces from different vantage points of the infrastructure. Information from diverse heterogeneous sensors deployed in the infrastructure, including flow data, security incidents and intrusion detection logs, historical data, and vulnerability scanner reports, provides us with a rich dataset capturing correlations among different security events. Information fusion and data mining techniques are employed to identify the system characteristics, within the selected observation space, that have a dominant impact on the security evolution of the infrastructure. Profiling, clustering and statistical analysis are used to identify groups of nodes exhibiting malicious behaviour and to analyze their long-term security trends. The goal of this process is to formulate a metric that reflects the security assurance level of the studied system relative to the identified compromised and consistently malicious sets of nodes, operating both as a ranking function regarding the resilience of different system components and as a security predictor capturing the probability of the system being compromised or exhibiting some type of significant malicious activity in the future.

We derive a probabilistic model that captures the evolution of the security characteristics of a system and its ability to provide critical services in the presence of attacks. Our main objective is to derive a model that efficiently represents the evolution of the security awareness of the user, captures attacks involving various subtasks carried out in order to achieve a major goal, reflects the impact of each significant security incident on the overall performance, and incorporates the defensive and recovery measures undertaken by the system in response to the adversary's actions. This probabilistic approach to quantifying security is a highly desirable abstraction, since intrusion tolerance and survivability are driven by human behaviour, which is inherently stochastic.
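As an added illustration of the fusion and ranking step described in the first step above (example code, not the project's own), the following script fuses constructed IDS alerts, flow records and vulnerability-scan counts per host, ranks hosts by a weighted score, and flags hosts that show evidence on most observed days; the sensor weights, the known-bad destination list, the record layouts and the 1 - exp(-score) risk squashing are all assumptions of this example.

```python
from collections import defaultdict
from math import exp

# Constructed sample sensor records (not real data); the addresses are
# documentation ranges chosen only for this illustration.
IDS_ALERTS = [  # (day, host, severity 1..3) from an IDS alert log
    (1, "10.0.0.5", 3), (2, "10.0.0.5", 3), (3, "10.0.0.5", 2),
    (1, "10.0.0.7", 1), (3, "10.0.0.9", 2),
]
VULN_SCAN = {"10.0.0.5": 2, "10.0.0.7": 0, "10.0.0.9": 5}  # critical findings
FLOWS = [  # (day, src_host, dst_ip, bytes) from flow data
    (1, "10.0.0.5", "198.51.100.9", 1200), (2, "10.0.0.5", "198.51.100.9", 900),
    (3, "10.0.0.5", "198.51.100.9", 700), (2, "10.0.0.9", "203.0.113.4", 50),
    (1, "10.0.0.7", "192.0.2.1", 10),
]
BAD_DESTINATIONS = {"198.51.100.9"}  # assumed external reputation list
WEIGHTS = {"ids": 1.0, "flow": 2.0, "vuln": 0.5}  # assumed fusion weights

def fuse_daily_evidence(ids_alerts, flows, bad_destinations):
    """Fusion step: per host and day, sum weighted evidence from each sensor."""
    evidence = defaultdict(lambda: defaultdict(float))
    for day, host, severity in ids_alerts:
        evidence[host][day] += WEIGHTS["ids"] * severity
    for day, src, dst, _bytes in flows:
        if dst in bad_destinations:  # contact with a known-bad destination
            evidence[src][day] += WEIGHTS["flow"]
    return evidence

def score_hosts(ids_alerts, vuln_scan, flows, bad_destinations, num_days):
    """Rank hosts by a fused score; also report how persistently each host
    shows malicious evidence and a monotone (uncalibrated) risk estimate."""
    evidence = fuse_daily_evidence(ids_alerts, flows, bad_destinations)
    rows = []
    for host in set(evidence) | set(vuln_scan):
        per_day = evidence.get(host, {})
        behavioural = sum(per_day.values()) / num_days  # mean daily evidence
        exposure = WEIGHTS["vuln"] * vuln_scan.get(host, 0)  # static weakness
        score = behavioural + exposure
        persistence = sum(1 for v in per_day.values() if v > 0) / num_days
        rows.append({"host": host, "score": score, "persistence": persistence,
                     "risk": 1 - exp(-score)})  # squash score into (0, 1)
    return sorted(rows, key=lambda r: r["score"], reverse=True)

def consistently_malicious(rows, min_persistence=0.67):
    """Hosts with evidence on at least min_persistence of the observed days."""
    return [r["host"] for r in rows if r["persistence"] >= min_persistence]

if __name__ == "__main__":
    ranking = score_hosts(IDS_ALERTS, VULN_SCAN, FLOWS, BAD_DESTINATIONS, 3)
    for r in ranking:
        print(f"{r['host']:10} score={r['score']:.2f} "
              f"persistence={r['persistence']:.2f} risk={r['risk']:.2f}")
    print("consistently malicious:", consistently_malicious(ranking))
```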

Publications

Elias Raftopoulos, Xenofontas Dimitropoulos
A Quality Metric for IDS Signatures: In the Wild the Size Matters
EURASIP Journal on Information Security. Under Submission.

Elias Raftopoulos, Xenofontas Dimitropoulos
Tracking Malware in the Wild: Detection, Validation and Characterization
ACM Transactions on Information and System Security. Under Publication.

Elias Raftopoulos, Xenofontas Dimitropoulos
Understanding Network Forensics Analysis in an Operational Environment
IEEE International Workshop on Cyber Crime (IWCC 2013). Best Paper Award.

Elias Raftopoulos, Xenofontas Dimitropoulos
Shedding Light on Log Correlation in Network Forensics Analysis
In Proceedings of the 9th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2012).

Elias Raftopoulos, Xenofontas Dimitropoulos
Detecting, Validating and Characterizing Computer Infections in the Wild
ACM SIGCOMM Internet Measurement Conference (IMC), Nov. 2011.