A Quantitative Methodology for Security Monitor Deployment

2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) Pub Date : 2016-06-01 DOI:10.1109/DSN.2016.10

Uttam Thakore, G. Weaver, W. Sanders

{"title":"A Quantitative Methodology for Security Monitor Deployment","authors":"Uttam Thakore, G. Weaver, W. Sanders","doi":"10.1109/DSN.2016.10","DOIUrl":null,"url":null,"abstract":"Intrusion detection and forensic analysis techniques depend upon monitors to collect information about possible attacks. Since monitoring can be expensive, however, monitors must be selectively deployed to maximize their overall utility. This paper introduces a methodology both to evaluate monitor deployments quantitatively in terms of security goals and to deploy monitors optimally based on cost constraints. First, we define a model that describes the system assets, deployable monitors, and the relationship between generated data and intrusions. Then, we define a set of metrics that quantify the utility and richness of monitor data with respect to intrusion detection and the cost associated with deployment. Finally, we formulate a method using our model and metrics to determine the cost-optimal, maximum-utility placement of monitors. We present an enterprise Web service use case and illustrate how our metrics can be used to determine optimal monitor deployments for a set of common attacks on Web servers. Our approach is scalable, being able to compute within minutes optimal monitor deployments for systems with hundreds of monitors and attacks.","PeriodicalId":102292,"journal":{"name":"2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)","volume":"38 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/DSN.2016.10","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 4

Abstract

Intrusion detection and forensic analysis techniques depend upon monitors to collect information about possible attacks. Since monitoring can be expensive, however, monitors must be selectively deployed to maximize their overall utility. This paper introduces a methodology both to evaluate monitor deployments quantitatively in terms of security goals and to deploy monitors optimally based on cost constraints. First, we define a model that describes the system assets, deployable monitors, and the relationship between generated data and intrusions. Then, we define a set of metrics that quantify the utility and richness of monitor data with respect to intrusion detection and the cost associated with deployment. Finally, we formulate a method using our model and metrics to determine the cost-optimal, maximum-utility placement of monitors. We present an enterprise Web service use case and illustrate how our metrics can be used to determine optimal monitor deployments for a set of common attacks on Web servers. Our approach is scalable, being able to compute within minutes optimal monitor deployments for systems with hundreds of monitors and attacks.

查看原文本刊更多论文

安全监视器部署的定量方法

入侵检测和取证分析技术依赖于监视器来收集有关可能的攻击的信息。但是，由于监视的成本可能很高，因此必须有选择地部署监视器，以最大化其总体效用。本文介绍了一种方法，既可以根据安全目标定量评估监视器部署，又可以基于成本约束优化部署监视器。首先，我们定义一个模型来描述系统资产、可部署的监视器，以及生成的数据和入侵之间的关系。然后，我们定义了一组指标，这些指标量化了监控数据在入侵检测方面的效用和丰富程度，以及与部署相关的成本。最后，我们使用我们的模型和指标制定了一种方法，以确定成本最优、最大效用的监视器位置。我们给出了一个企业Web服务用例，并说明如何使用我们的指标来确定针对Web服务器上的一组常见攻击的最佳监控部署。我们的方法是可伸缩的，能够在几分钟内计算出具有数百个监视器和攻击的系统的最佳监视器部署。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

自引率

0.00%

发文量