Towards Automated Verification of Active Cyber Defense Strategies on Software Defined Networks

Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense Pub Date : 2016-10-24 DOI:10.1145/2994475.2994482

Mohammed Noraden Alsaleh, E. Al-Shaer

{"title":"Towards Automated Verification of Active Cyber Defense Strategies on Software Defined Networks","authors":"Mohammed Noraden Alsaleh, E. Al-Shaer","doi":"10.1145/2994475.2994482","DOIUrl":null,"url":null,"abstract":"Active Cyber Defense (ACD) reconfigures cyber systems (networks and hosts) in timely manner in order to automatically respond to cyber incidents and mitigate potential risks or attacks. However, to launch a successful cyber defense, ACD strategies need to be proven effective in neutralizing the threats and enforceable under the current state and capabilities of the network. In this paper, we present a bounded model checking framework based on SMT to verify that the network can support the given ACD strategies accurately and safely without jeopardizing cyber mission invariants. We abstract the ACD strategies as sets of serializable reconfigurations and provide user interfaces to define cyber mission invariants as reachability, security, and QoS properties. We then verify the satisfaction of these invariants under the given strategies. We implemented this system on OpenFlow-based Software Defined Networks and we evaluated the time complexity for verifying ACD strategies on OpenFlow networks of over two thousand nodes and thousands of rules.","PeriodicalId":343057,"journal":{"name":"Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense","volume":"53 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-10-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2994475.2994482","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 4

Abstract

Active Cyber Defense (ACD) reconfigures cyber systems (networks and hosts) in timely manner in order to automatically respond to cyber incidents and mitigate potential risks or attacks. However, to launch a successful cyber defense, ACD strategies need to be proven effective in neutralizing the threats and enforceable under the current state and capabilities of the network. In this paper, we present a bounded model checking framework based on SMT to verify that the network can support the given ACD strategies accurately and safely without jeopardizing cyber mission invariants. We abstract the ACD strategies as sets of serializable reconfigurations and provide user interfaces to define cyber mission invariants as reachability, security, and QoS properties. We then verify the satisfaction of these invariants under the given strategies. We implemented this system on OpenFlow-based Software Defined Networks and we evaluated the time complexity for verifying ACD strategies on OpenFlow networks of over two thousand nodes and thousands of rules.

查看原文本刊更多论文

软件定义网络主动网络防御策略的自动验证

主动网络防御(Active Cyber Defense，简称ACD)能够及时对网络系统(网络和主机)进行重新配置，以自动响应网络事件，降低潜在的风险或攻击。然而，要发起成功的网络防御，ACD战略需要被证明在消除威胁方面是有效的，并且在当前网络的状态和能力下是可执行的。在本文中，我们提出了一个基于SMT的有界模型检查框架，以验证网络可以准确安全地支持给定的ACD策略，而不会损害网络任务不变量。我们将ACD策略抽象为可序列化的重新配置集，并提供用户界面来定义网络任务不变量，如可达性、安全性和QoS属性。然后在给定策略下验证了这些不变量的满足性。我们在基于OpenFlow的软件定义网络上实现了该系统，并评估了在超过2000个节点和数千条规则的OpenFlow网络上验证ACD策略的时间复杂度。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense

自引率

0.00%

发文量