Towards an unified security testbed and security analytics framework

Abstract

This paper presents the architecture of an end-to-end security testbed and security analytics framework, which aims to: i) understand real-world exploitation of known security vulnerabilities and ii) preemptively detect multi-stage attacks, i.e., before the system misuse. With the increasing number of security vulnerabilities, it is necessary for security researchers and practitioners to understand: i) system and network behaviors under attacks and ii) potential effects of attacks to the target infrastructure. To safely emulate and instrument exploits of known vulnerabilities, we use virtualization techniques to isolate attacks in containers, e.g., Linux-based containers or Virtual Machines, and to deploy monitors, e.g., kernel probes or network packet captures, across a system and network stack. To infer the evolution of attack stages from monitoring data, we use a probabilistic graphical model, namely AttackTagger, that represents learned knowledge of simulated attacks in our security testbed and real-world attacks. Experiments are being run on a real-world deployment of the framework at the National Center for Supercomputing Applications (NCSA) at the University of Illinois at Urbana-Champaign.