Measuring the effectiveness of modern security products to detect and contain emerging threats — A consensus-based approach

F. C. Osorio, F. Leitold, Dorottya Mike, Chris Pickard, Sveta Miladinov, A. Arrott
DOI: 10.1109/MALWARE.2013.6703682
Published in: 2013 8th International Conference on Malicious and Unwanted Software: "The Americas" (MALWARE)
Publication date: 2013-10-01
Citations: 8

Abstract

Increasingly, the idea that cyber-attacks can be stopped at the periphery of the network has become a fool's errand. In today's computing environment and cyber-threat landscape, individuals as well as corporations have recognized that (i) with the emergence of cloud-based computing there are no longer network boundaries under your control that can be protected, (ii) threats are often distributed in nature, both in time and space, making detection extremely difficult, and (iii) the working assumption is no longer that you can prevent infections (the goal of 100% prevention is no longer practical) but rather, given that your "system" will be compromised, how quickly you can detect the breach and how you minimize the impact of such an event. In this new environment, the idea that the number of infected files detected on end-point devices is a good measure of the effectiveness of anti-malware and security-related products seems foolish. Instead, the industry has recognized that time to detect, time to countermeasure issuance, and the ability to identify short-lived C&C sites are more relevant to determining the "goodness" of security products. Within this context, the authors have undertaken to develop benchmark metrics to test the ability of commercial automated gateway and endpoint security services to classify and categorize different types of web traffic (malicious content, malicious activity, non-malicious category). A test methodology has been developed for this purpose, based on the Wireless Systems Security Research Laboratory (WSSRL) test methodology and extensions to the CheckVir Battery Test. Using this methodology, eight gateway protection services were tested and classified for their ability to identify incoming traffic as malicious, C&C communications, or non-malicious content. A key component of the methodology is the concept of eventual consensus, whereby a new threat is classified as malicious or not once (n/2 + 1) of the n security products agree on the nature of the threat over time. The methodology was developed as a simplified extension of the well-known Byzantine Agreement protocol first discussed by Leslie Lamport.
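As an added illustration (not code from the paper), the following Python sketch models the eventual-consensus rule and the time-to-detect metric the abstract describes. The products, samples and verdict timings are constructed, the reference point for time-to-detect ("first seen by any product") is an assumption, and for odd n the majority is taken as floor(n/2) + 1, which matches n/2 + 1 for the paper's eight products.

```python
# Added example (not from the paper): eventual consensus with an n/2 + 1 majority
# and per-product time-to-detect. Products, samples and timings are constructed.
from collections import defaultdict

MALICIOUS, CLEAN = "malicious", "clean"


def majority_threshold(n):
    # n/2 + 1 for even n (8 products in the paper); floor(n/2) + 1 for odd n (assumed)
    return n // 2 + 1


def eventual_consensus(events, products):
    """events: (t, product, sample, verdict) tuples in any order. Returns
    {sample: (time, label)} once n/2 + 1 products hold the same verdict; only a
    product's latest verdict counts, so a vendor that re-classifies a sample
    from clean to malicious stops supporting 'clean'. Disputed samples are absent."""
    need = majority_threshold(len(products))
    latest, consensus = defaultdict(dict), {}
    for t, product, sample, verdict in sorted(events):
        if sample in consensus:
            continue                      # label is frozen once reached
        latest[sample][product] = verdict
        for label in (MALICIOUS, CLEAN):
            if sum(v == label for v in latest[sample].values()) >= need:
                consensus[sample] = (t, label)
                break
    return consensus


def time_to_detect(events, products):
    """Hours from a sample's first sighting by any product to each product's first
    verdict matching the consensus label; None = never agreed with consensus
    (a miss on a malicious sample, a false positive on a clean one)."""
    consensus = eventual_consensus(events, products)
    first_seen = {}
    for t, _, sample, _ in events:
        first_seen[sample] = min(t, first_seen.get(sample, t))
    ttd = {p: {} for p in products}
    for t, product, sample, verdict in sorted(events):
        if sample in consensus and verdict == consensus[sample][1]:
            ttd[product].setdefault(sample, t - first_seen[sample])
    return {p: {s: ttd[p].get(s) for s in consensus} for p in products}


# Constructed verdict timeline (hours) for four gateway products; need = 3.
PRODUCTS = ["gw_a", "gw_b", "gw_c", "gw_d"]
EVENTS = [
    (0, "gw_a", "s1", CLEAN), (0, "gw_b", "s1", CLEAN),
    (1, "gw_c", "s1", MALICIOUS), (2, "gw_d", "s1", MALICIOUS),
    (3, "gw_a", "s1", MALICIOUS),   # gw_a re-classifies: 3 agree, consensus at t=3
    (5, "gw_b", "s1", MALICIOUS),   # late agreement: time-to-detect 5h
    (0, "gw_a", "s2", CLEAN), (0, "gw_b", "s2", CLEAN), (1, "gw_c", "s2", CLEAN),
    (4, "gw_d", "s2", MALICIOUS),   # lone dissent after consensus: false positive
    (0, "gw_a", "s3", MALICIOUS), (2, "gw_b", "s3", CLEAN),  # still in dispute
]
```

Calling `time_to_detect(EVENTS, PRODUCTS)` ranks the products by how quickly they converged on the consensus label, which is the kind of time-based metric the abstract argues for instead of raw detection counts.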