
Using Security Policies to Automate Placement of Network Intrusion Prevention

Conference paper. Engineering Secure Software and Systems (ESSoS 2013)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7781)

Abstract

System administrators frequently use Intrusion Detection and Prevention Systems (IDPS) and host security mechanisms, such as firewalls and mandatory access control, to protect their hosts from remote adversaries. The usual techniques for placing network monitoring and intrusion prevention apparatuses in the network do not account for host flows and fail to defend against vulnerabilities resulting from minor modifications to host configurations. Therefore, despite widespread use of these methods, the task of security remains largely reactive. In this paper, we propose an approach to automate a minimal mediation placement for network and host flows. We use an Intrusion Prevention System (IPS) as a replacement for certain host mediations. Because of the large number of flows at the host level, we summarize information flows at the composite network level, using a conservative estimate of the host mediation. Our summary technique reduces the number of relevant network nodes in our example network by 80% and improves mediation placement speed by 87.5%. In this way, we effectively and efficiently compute network-wide defense placement for comprehensive security enforcement.
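The following is an added illustration, not code from the paper (this page carries only the abstract): it models mediation placement as a minimum cut between an untrusted source and a sensitive sink, and shows the host-to-network summarization step by collapsing `host:process` nodes into one node per host. The topology, the unit cost per network link, the treatment of host-internal flows as uncuttable (an IPS cannot sit inside a host), and the assumption that any host ingress may reach any host egress are all assumptions of this example.

```python
from collections import defaultdict, deque
INF = float("inf")  # host-internal flow: an IPS cannot sit inside a host, so it is uncuttable

def _bfs(cap, source, stop=None):
    """Breadth-first search over positive residual capacity; returns the parent map."""
    parent, q = {source: None}, deque([source])
    while q and stop not in parent:
        u = q.popleft()
        for v, c in cap[u].items():
            if c > 0 and v not in parent:
                parent[v] = u
                q.append(v)
    return parent

def min_cut(edges, source, sink):
    """Edmonds-Karp; returns (cut cost, links crossing the minimal source-side cut) = IPS sites."""
    cap = defaultdict(lambda: defaultdict(float))
    for u, v, c in edges:
        cap[u][v] += c
        cap[v][u] += 0  # make sure the residual (reverse) entry exists
    total = 0.0
    while sink in (parent := _bfs(cap, source, sink)):  # augment while a residual path exists
        path, v = [], sink
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        bottleneck = min(cap[u][v] for u, v in path)
        if bottleneck == INF:
            raise ValueError("a flow reaches the sink without crossing any network link")
        for u, v in path:
            cap[u][v] -= bottleneck
            cap[v][u] += bottleneck
        total += bottleneck
    reach = _bfs(cap, source)  # source side of the final residual graph
    return total, sorted((u, v) for u, v, _ in edges if u in reach and v not in reach)

def summarize(edges):
    """Collapse 'host:process' nodes to one node per host; internal flows vanish (conservative)."""
    host = lambda n: n.split(":")[0]
    agg = defaultdict(float)
    for u, v, c in edges:
        if host(u) != host(v):  # only inter-host links survive; their placement costs add up
            agg[(host(u), host(v))] += c
    return [(u, v, c) for (u, v), c in agg.items()]

FLOWS = [  # constructed example: (from, to, cost of placing an IPS on that link); INF = host-internal
    ("internet", "web:httpd", 1), ("internet", "web:ftpd", 1), ("internet", "admin:sshd", 1),
    ("web:httpd", "web:app", INF), ("web:ftpd", "web:app", INF), ("web:app", "web:dbclient", INF),
    ("web:dbclient", "db:mysqld", 1), ("admin:sshd", "db:mysqld", 1), ("db:mysqld", "db:data", INF),
]
```

Running `min_cut` on `FLOWS` (sink `db:data`) and on `summarize(FLOWS)` (sink `db`) yields the same cut cost and the same two links, while the node count drops from 8 to 4, which is the kind of reduction the abstract reports for its example network.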





Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Talele, N., Teutsch, J., Jaeger, T., Erbacher, R.F. (2013). Using Security Policies to Automate Placement of Network Intrusion Prevention. In: Jürjens, J., Livshits, B., Scandariato, R. (eds) Engineering Secure Software and Systems. ESSoS 2013. Lecture Notes in Computer Science, vol 7781. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36563-8_2


  • DOI: https://doi.org/10.1007/978-3-642-36563-8_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-36562-1

  • Online ISBN: 978-3-642-36563-8

  • eBook Packages: Computer Science (R0)
