Intrusion Detection and Response in Relational...


Page 1: Intrusion Detection and Response in Relational Databases (datachallenges.isti.cnr.it/2011/files/Bertino.pdf) · Anomaly Detection and Response System for Databases. Department of Computer

Department of Computer Science

Data Security

Elisa Bertino, CS Department, CERIAS and Cyber Center, Purdue University. Currently on sabbatical at National University of Singapore.

Page 2

Dimensions in Data Security

Security Requirements
• Confidentiality and Privacy
• Trustworthiness
• Accountability

Platforms
• Clouds
• Mobile Systems

Trust Assumptions
• HW
• Operating Systems
• Applications

Page 3

Data Confidentiality and Privacy

The problem of Insider Threat

Page 4

Motivations and Challenges

• Mission-critical information = High-value target
• Threatens US and other Government organizations and large corporations
• Probability is low, but impact is severe
• Types of threat posed by malicious insiders
  – Denial of service
  – Data leakage and compromise of confidentiality
  – Compromise of integrity
• High complexity of problem
  – Increase in sharing of information, knowledge
  – Increased availability of corporate knowledge online
  – “Low and Slow” nature of malicious insiders

Page 5

Some Data

2010 CyberSecurity Watch Survey 2004 (CSO Magazine in cooperation with US Secret Service, CMU CERT and Deloitte)
– 26% of attacks on survey respondents’ organizations were from insiders (as comparison 50% from outsiders, 24% unknown)
– Of these attacks, the most frequent types are:
  • Unauthorized access to/use of information, systems or networks: 23%
  • Theft of other (proprietary) info including customer records, financial records, etc.: 15%
  • Theft of Intellectual Property: 16%

Page 6

Remediation: Some Initial Ideas

• Distribute trust amongst multiple parties to force collusion
  – Most insiders act alone
• Question trust assumptions made in computing systems
  – Treat the LAN like the WAN
• Create profiles of data access and monitor data accesses to detect anomalies

Page 7

Anomaly Detection and Response System for Databases

Page 8

Anomalous Access Pattern Example

[Figure: two access patterns. Normal Access Pattern: SQL commands target USER TABLES (T1, T2, T3). Anomalous Access Pattern: SQL commands target SYSTEM TABLES (syscolumns, sysobjects).]
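The slide contrasts a role that normally queries user tables with the same role suddenly reading the system catalog. The following is an added example (not code from the talk or from the detection system it describes) of the profile-and-monitor idea from slide 6 applied to that picture: a training window builds a per-role set of tables, and each later command is compared against it. The role names, the training and test commands, and the regex used to pull table names out of SQL are all constructed for the example; a real detector would take table references from the DBMS parser or audit log rather than from a regex.

```python
"""Profile-based detector for anomalous database access patterns.

Added example, not code from the talk or from Bertino's group's system: it
learns, per role, which tables a role touches during a training window, then
flags SQL commands that reach outside that profile, in particular commands that
read SYSTEM TABLES (syscolumns, sysobjects) from a role whose profile holds only
USER TABLES (T1, T2, T3). Table-name extraction is a small regex chosen for the
example; a real detector would take table references from the DBMS parser.
"""
import re
from collections import defaultdict

# Assumption: catalog tables the detector treats as sensitive. The two names are
# the ones on the slide; extend per DBMS.
SYSTEM_TABLES = {"syscolumns", "sysobjects"}

TABLE_REF = re.compile(
    r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_.]*)", re.IGNORECASE
)


def tables_in(sql):
    """Lowercased set of table names a SQL command references."""
    return {name.lower() for name in TABLE_REF.findall(sql)}


def build_profiles(training_log):
    """Learn the normal access pattern: role -> set of tables seen in training."""
    profiles = defaultdict(set)
    for role, sql in training_log:
        profiles[role] |= tables_in(sql)
    return dict(profiles)


def classify(role, sql, profiles):
    """Return ('normal' | 'anomalous', reasons) for one command from a role."""
    touched = tables_in(sql)
    known = profiles.get(role, set())
    reasons = []
    new_system = (touched & SYSTEM_TABLES) - known
    if new_system:
        reasons.append("system tables outside profile: " + ", ".join(sorted(new_system)))
    new_user = touched - known - SYSTEM_TABLES
    if new_user:
        reasons.append("user tables outside profile: " + ", ".join(sorted(new_user)))
    return ("anomalous" if reasons else "normal", reasons)


# Constructed training log (role, SQL command); not real traffic.
TRAINING_LOG = [
    ("app_user", "SELECT a, b FROM T1 WHERE id = 7"),
    ("app_user", "SELECT * FROM T2 JOIN T3 ON T2.k = T3.k"),
    ("app_user", "UPDATE T1 SET b = 2 WHERE id = 7"),
    ("dba", "SELECT name FROM sysobjects"),
]

# Constructed commands to classify after training.
COMMANDS = [
    ("app_user", "SELECT b FROM T3 WHERE id = 9"),
    ("app_user", "SELECT name FROM sysobjects WHERE xtype = 'U'"),
    ("app_user", "SELECT name FROM syscolumns WHERE id = 5"),
    ("app_user", "SELECT * FROM salaries"),
    ("dba", "SELECT name FROM sysobjects"),
]


def run_demo():
    """Classify COMMANDS against profiles learned from TRAINING_LOG."""
    profiles = build_profiles(TRAINING_LOG)
    return [(role, classify(role, sql, profiles)[0]) for role, sql in COMMANDS]


if __name__ == "__main__":
    for role, verdict in run_demo():
        print(f"{role:9} {verdict}")
```

The point of keeping the profile per role is visible in the last two commands: the same catalog query is anomalous for `app_user` and normal for `dba`, because the DBA's profile already contains the system table. A profile learned from a window that already contained an insider's activity would of course treat it as normal, which is one reason the talk goes on to ask whether anomaly detection alone is sufficient.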

Page 9

Is Anomaly Detection Sufficient? Look at the various mechanisms used by insiders (from (*))

• Copied information to mobile device (USB drive, iPod, etc.): 42%
• Downloaded information to home computer: 38%
• Stole information by sending it out via email: 34%
• Shared account (e.g. system administrator, DBA, etc.): 33%
• Stole hardcopy information: 30%
• Compromised an account: 28%
• Remote access: 25%
• Used authorized system administrator access: 25%
• Stole information by downloading it to another computer: 25%
• Escalated privileges: 22%
• Blackberry or other mobile handheld device: 20%
• Social engineering: 17%
• Password crackers or sniffers: 16%
• Backdoors: 13%
• Rootkit or Hacking Tools: 9%
• Malicious code inserted as part of the software development process: 5%
• Logic bomb: 2%
• Other: 8%
• Don't know: 11%

Page 10

A Comprehensive Approach

[Figure: architecture with the components Expected Behavior Model, Observable Activities, Anomaly Detectors (Social Network Analysis, Database Access Analysis, Data Flow Analysis), Risk Assessor, and Risks & Alerts.]

Observable activities fed to the anomaly detectors:
• database accesses
• printing
• email
• file accesses
• external device accesses
• encryption

Page 11

Data Trustworthiness


Page 13

Approaches
• Integrity models and techniques
  – From the security area:
    • Biba Model
    • Clark-Wilson Model
    • Signature techniques
• Physical integrity
• Semantic integrity
• Data quality
• Web-data trust
• Reputation techniques

Page 14

The Trust Fabric

[Figure: Trustworthiness at the centre, surrounded by four management areas:]
• Usage Management (of authorized activities)
• Identity Management (of people, organizations, and devices)
• Attack Management (of unauthorized activities)
• Provenance Management (of data, software, and requests)

Page 15

An Example

A Cyclic Framework for Assessing Data Trustworthiness for Sensor Streaming Data

Page 16

Modeling Sensor Networks and Data Provenance

• A sensor network is a graph G(N,E)
  – N = { n_i | n_i is a network node whose identifier is i }: a set of sensor nodes
    • a terminal node generates a data item and sends it to one or more intermediate or server nodes
    • an intermediate node receives data items from terminal or intermediate nodes, and passes them to intermediate or server nodes
    • a server node receives data items and evaluates continuous queries based on those items
  – E = { e_i,j | e_i,j is an edge connecting nodes n_i and n_j }: a set of edges connecting sensor nodes
• A data provenance, p_d
  – p_d is a subgraph of G

[Figure: (a) a physical network of terminal nodes (tn), intermediate nodes (in) and server nodes (sn), with data items d flowing from terminal nodes towards the server; (b) a simple path; (c) an aggregate path; (d) an arbitrary graph.]

Page 17

Assessing Trustworthiness: Computing Trust Scores

• Trust scores: quantitative measures of trustworthiness
  – Data trust scores: indicate how much we can trust the data items
  – Node trust scores: indicate how much we can trust the sensor nodes to collect correct data
  Scores provide an indication of the trustworthiness of data items/sensor nodes and can be used for comparison or ranking purposes
• Interdependency between data and node trust scores
  – the trust score of the data affects the trust score of the sensor nodes that created the data
  – the trust score of the node affects the trust score of the data created by the node
  – data arrives incrementally in data stream environments

[Figure: Node Trust Scores and Data Trust Scores, each feeding into the other.]

Page 18

A Cyclic Framework for Computing Trust Scores

• Trust score of a data item d
  – The current trust score of d is the score computed from the current trust scores of its related nodes.
  – The intermediate trust score of d is the score computed from a set D (d ∈ D) of data items of the same event.
  – The next trust score of d is the score computed from its current and intermediate scores.
• Trust score of a sensor node n
  – The intermediate trust score of n is the score computed from the (next) trust scores of data items.
  – The next trust score of n is the score computed from its current and intermediate scores.
  – The current trust score of n is the score assigned to that node at the last stage.

[Figure: the cycle in six numbered steps: current trust scores of nodes (s_n) → current trust scores of data items (s_d); a set of data items of the same event in the current window → intermediate trust scores of data items; current + intermediate → next trust scores of data items; next data scores → intermediate trust scores of nodes; current + intermediate → next trust scores of nodes, which become the current node scores for the next window.]

Page 19

Intermediate Trust Scores of Data (in more detail)

Data trust scores are adjusted according to the data value similarities and the provenance similarities of a set of recent data items (i.e., history)
– The more data items have similar values, the higher the trust scores of these items are
– Different provenances of similar data values may increase the trustworthiness of data items

[Figure: the same six-step cycle diagram as on the previous slide.]

                        Similar Data Value             Different Data Value
  Similar Provenance    score ↑                        score ↓↓↓ (conflict)
  Different Provenance  score ↑↑↑ (cross checked)      score ↓
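Slides 16, 18 and 19 together specify a provenance model, a six-step cycle and a similarity table, but not the actual formulas. The following is an added example, not code from the talk, that instantiates all three so the cycle can be run on constructed data: a provenance p_d is represented by the tuple of node identifiers on its subgraph, value similarity is a distance threshold, provenance similarity is the Jaccard similarity of the two node sets, and the four cells of the table on this slide become four step sizes. The thresholds, the weight ALPHA, the use of means, and the assumption that only the terminal node counts as the creator of a data item are choices made for the example.

```python
"""Cyclic trust-score computation for sensor stream data.

Added example, not code from the talk: one concrete instantiation of the cycle
on slides 16-19 (provenance subgraph, current/intermediate/next data scores,
intermediate/next node scores). The combination rules (means, the weight ALPHA,
the similarity thresholds and the step sizes in ADJUST) are assumptions chosen
to illustrate the cycle; the talk does not fix them.
"""
from dataclasses import dataclass


@dataclass
class DataItem:
    ident: str
    value: float
    provenance: tuple   # node ids of the provenance subgraph p_d, terminal node first
    event: str
    current: float = 0.0
    intermediate: float = 0.0
    next_score: float = 0.0


VALUE_TOL = 0.5   # assumed: values at most this far apart count as similar
PROV_SIM = 0.5    # assumed: Jaccard similarity at least this counts as similar provenance
ALPHA = 0.5       # assumed: weight of the current score when forming the next score

# Pairwise adjustment following the slide's table:
# (similar value?, similar provenance?) -> change applied to the data trust score
ADJUST = {
    (True, True): +0.05,    # similar value, similar provenance: score up
    (True, False): +0.15,   # similar value, different provenance: cross checked, score up a lot
    (False, True): -0.15,   # different value, similar provenance: conflict, score down a lot
    (False, False): -0.05,  # different value, different provenance: score down
}


def clamp(x):
    return max(0.0, min(1.0, x))


def provenance_similarity(p1, p2):
    """Jaccard similarity of the node sets of two provenance subgraphs."""
    a, b = set(p1), set(p2)
    return len(a & b) / len(a | b)


def current_data_score(item, node_scores):
    """Step 1: data score computed from the current scores of its related nodes."""
    return sum(node_scores[n] for n in item.provenance) / len(item.provenance)


def intermediate_data_score(item, same_event):
    """Step 2: adjust by value and provenance similarity to the other items of the event."""
    score = item.current
    for other in same_event:
        if other is item:
            continue
        similar_value = abs(item.value - other.value) <= VALUE_TOL
        similar_prov = provenance_similarity(item.provenance, other.provenance) >= PROV_SIM
        score += ADJUST[(similar_value, similar_prov)]
    return clamp(score)


def combine(current, intermediate):
    """Steps 3 and 5: next score from current and intermediate scores."""
    return ALPHA * current + (1 - ALPHA) * intermediate


def run_cycle(node_scores, window):
    """One round over the window; returns the next node scores (step 6: the new current ones)."""
    by_event = {}
    for d in window:
        by_event.setdefault(d.event, []).append(d)
        d.current = current_data_score(d, node_scores)
    for items in by_event.values():
        for d in items:
            d.intermediate = intermediate_data_score(d, items)
    for d in window:
        d.next_score = combine(d.current, d.intermediate)
    # Step 4: intermediate node score from the next scores of the data items the
    # node created (assumption: only the terminal node counts as the creator).
    created = {}
    for d in window:
        created.setdefault(d.provenance[0], []).append(d.next_score)
    next_nodes = dict(node_scores)
    for n, scores in created.items():
        next_nodes[n] = combine(node_scores[n], sum(scores) / len(scores))
    return next_nodes


def demo():
    """Constructed sample: four terminal nodes report one event; tn4 is an outlier."""
    nodes = {n: 0.8 for n in ("tn1", "tn2", "tn3", "tn4", "in1", "in2", "sn")}
    window = [
        DataItem("d1", 20.1, ("tn1", "in1", "sn"), "e1"),
        DataItem("d2", 20.0, ("tn2", "in2", "sn"), "e1"),
        DataItem("d3", 19.9, ("tn3", "in1", "sn"), "e1"),
        DataItem("d4", 35.0, ("tn4", "in2", "sn"), "e1"),
    ]
    return window, run_cycle(nodes, window)
```

In the sample, d1, d2 and d3 agree on the value and reach the server through two different intermediate nodes, so they cross-check each other and rise; d4 disagrees, and its disagreement with d2 (which shares the path through in2) is the "conflict" cell, so it falls furthest. After one round the node that produced d4 ends up with a lower score than the other terminal nodes, which is the interdependency slide 17 describes; running `run_cycle` again on the next window with the returned scores continues the cycle.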

Page 20

Discussion
• How do we use trust scores
  – Notion of confidence policy
  – Situation awareness
• How do we improve data assessment
  – Use of semantic knowledge
  – Dynamic integration of new data sources, also heterogeneous
• How do we deal with rapidly changing values
  – User awareness
  – Triggering additional actions, for example collecting more evidence
    • Sensor node sleep/awake times based on data trust scores (required and observed)
• How do we securely convey provenance
  – Data watermarking techniques
• How do we deal with privacy/confidentiality
  – Privacy-preserving data matching techniques

Page 21

Data Accountability

Page 22

Definition and Technical Architectures

Data accountability means that:
• The use of data should be transparent so that it is possible to determine whether a particular use is appropriate under a given set of rules
• The systems managing the data enable individuals and organizations to be held accountable for data misuse

Mechanisms and Tools
• Metadata concerning data purpose
• Policy-aware transaction logs
• Policy management systems

Page 23

Securing Data in the Cloud

Page 24

Security Is the Major Challenge

Page 25

A Simple Example

  Today Data Center                  Cloud-based Data Center
  We Have Control                    Who Has Control?
  It’s located at X.                 Where is it located?
  It’s stored in servers Y, Z.       Where is it stored?
  We have backups in place.          Who backs it up?
  Our admins control access.         Who has access?
  Our uptime is sufficient.          How resilient is it?
  The auditors are happy.            How do auditors observe?
  Our security team is engaged.      How does our security team engage?

Slide based on presentation “Security and Cloud Computing” by Michael Waidner (IBM)

Page 26

Top Security Threats

CSA (2010)
• Abuse and Nefarious Use of Cloud Computing
• Insecure Application Programming Interfaces
• Malicious Insiders
• Shared Technology Vulnerabilities
• Data Loss/Leakage
• Account, Service & Traffic Hijacking
• Unknown Risk Profile

Gartner (2008)
• Privileged user access
• Regulatory compliance
• Data location
• Data segregation
• Recovery
• Investigative support
• Long-term viability

ENISA (2009)
• Loss of governance
• Lock-in
• Isolation failure
• Compliance risks
• Management interface compromise
• Data protection
• Insecure or incomplete data deletion
• Malicious Insider

Page 27

Cloud Provider Location

• It is important to be aware of where data are stored.
• If data do end up at an international site, those systems will be subject to the laws and policies of that jurisdiction.
• Also one has to be confident that international connectivity will remain up and uncongested.
• Data should have meta-data indicating location restrictions and compliance obligations

Page 28

Investigative Support

What we need:
• Audit trails for creation, access, modification, destruction of data
  – Audit trails need to be kept in a tamper-proof way
  – For data destruction, there must be an attestation that destruction is complete
• Attestation of data accuracy
• Chain of custody defined for data retrieval
• Provision for snapshots for all customer data
• Facility for a trusted third party for dispute resolution over data
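The first two requirements on this slide, an audit trail that cannot be silently altered and an explicit attestation that destruction completed, can be met with a hash chain keyed outside the provider's control. The following is an added example, not part of the talk: each record's tag is an HMAC over the previous tag and the record, so editing, deleting or reordering any entry breaks verification from that record onward. The record layout, the event names, the sample lifecycle of `dataset-42` and the key are all constructed for the example; in practice the key (or a periodically published chain head) would sit with the customer or the trusted third party the slide mentions, and the log would be written to append-only storage.

```python
"""Tamper-evident audit trail for data lifecycle events.

Added example, not part of the talk: a hash-chained log in which each record's
authentication tag covers the previous tag, so editing, deleting or reordering
an entry breaks verification from that point on. The record layout and the key
handling are assumptions; in a deployment the key (or a periodic chain head)
would be held by the customer or a trusted third party, outside the reach of
cloud administrators, and the log written to append-only storage.
"""
import hashlib
import hmac
import json

# Constructed key for the example only; assumed to be held outside the audited system.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64   # tag of the (non-existent) record before the first one


def record_tag(prev_tag, record):
    """HMAC over the previous tag and a canonical encoding of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev_tag.encode() + body, hashlib.sha256).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []   # list of [record, tag]

    def append(self, actor, action, object_id, **details):
        """Record a create/access/modify/destroy event and return its sequence number."""
        record = {"seq": len(self.entries), "actor": actor, "action": action,
                  "object": object_id, **details}
        prev_tag = self.entries[-1][1] if self.entries else GENESIS
        self.entries.append([record, record_tag(prev_tag, record)])
        return record["seq"]

    def verify(self):
        """Recompute every link from GENESIS; return (ok, first_bad_seq)."""
        prev_tag = GENESIS
        for i, (record, tag) in enumerate(self.entries):
            if record["seq"] != i or not hmac.compare_digest(record_tag(prev_tag, record), tag):
                return False, i
            prev_tag = tag
        return True, None

    def destruction_attested(self, object_id):
        """True when the last event for object_id is a destroy attested as complete."""
        events = [r for r, _ in self.entries if r["object"] == object_id]
        return (bool(events) and events[-1]["action"] == "destroy"
                and events[-1].get("complete") is True)


def build_sample_trail():
    """Constructed lifecycle of one customer object."""
    trail = AuditTrail()
    trail.append("alice", "create", "dataset-42", location="eu-west")
    trail.append("bob", "access", "dataset-42")
    trail.append("alice", "modify", "dataset-42", rows=120)
    trail.append("ops", "destroy", "dataset-42", complete=True)
    return trail


def tamper_demo():
    """Show that an edit and a deletion are both caught, and at which record."""
    trail = build_sample_trail()
    intact = trail.verify()
    trail.entries[1][0]["actor"] = "mallory"        # rewrite who accessed the data
    edited = trail.verify()
    trail = build_sample_trail()
    del trail.entries[1]                            # erase the access entirely
    deleted = trail.verify()
    return intact, edited, deleted
```

`verify` reports the first record whose link no longer holds, which is what an investigator needs from a chain of custody: everything before that point is still attested, everything after it is suspect. An administrator who can rewrite the log but does not hold `AUDIT_KEY` cannot recompute the tags, which is why key custody, not the hash function, is the security-critical design choice here.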

Page 29

Privileged User Access

What we need:
• Segregation of user data from the cloud administrators
• Encryption solutions that
  – Allow customers to maintain control over encryption keys
  – Ensure that keys are safely and securely provided to encryption processes without an opportunity for compromise or the cloud having to retain those keys
• Data management functions that can operate on encrypted data
  – Such as backup functions

Page 30

Concluding Remarks

• The problem of securing data is difficult
• Data must be secured without being overly restrictive
• Novel encryption techniques and hardware can help
• Risk assessment is crucial