nach oben

Erschienen in:

2015 | OriginalPaper | Buchkapitel

Inferring the Stealthy Bridges Between Enterprise Network Islands in Cloud Using Cross-Layer Bayesian Networks

verfasst von : Xiaoyan Sun, Jun Dai, Anoop Singhal, Peng Liu

Erschienen in: International Conference on Security and Privacy in Communication Networks

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Enterprise networks are migrating to the public cloud to acquire computing resources for promising benefits in terms of efficiency, expense, and flexibility. Except for some public services, the enterprise network islands in cloud are expected to be absolutely isolated from each other. However, some “stealthy bridges” may be created to break such isolation due to two features of the public cloud: virtual machine image sharing and virtual machine co-residency. This paper proposes to use cross-layer Bayesian networks to infer the stealthy bridges existing between enterprise network islands. Prior to constructing cross-layer Bayesian networks, cloud-level attack graphs are built to capture the potential attacks enabled by stealthy bridges and reveal hidden possible attack paths. The result of the experiment justifies the cross-layer Bayesian network’s capability of inferring the existence of stealthy bridges given supporting evidence from other intrusion steps in a multi-step attack.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nächstes Kapitel A Secure Architecture for Inter-cloud Virtual Machine Migration

In our trust model, we assume cloud providers are fully trusted by cloud customers. In addition to security alerts generated at cloud level, such as alerts from hypervisors or cache monitors, the cloud providers also have the privilege of accessing alerts generated by customers’ virtual machines.

The assumption here is that a capable vulnerability scanner is able to scan out all the known vulnerabilities.

The enterprise networks in Step 7 are not key players, so we do not analyze the stealthy bridges established in this step, but still use the raised alerts as evidence.

Aws,Bws,Cws,Cnfs,Cworkstation denote A’s web server, B’s web server, C’s web server, C’s NFS server, C’s workstation respectively.

Amazon Elastic Compute Cloud (EC2). http://aws.amazon.com/ec2/

Rackspace. http://www.rackspace.com/

Windows Azure: Microsoft’s Cloud. https://www.windowsazure.com/en-us/

Varadarajan, V., Kooburat, T., Farley, B., Ristenpart, T., Swift, M.M.: Resource-freeing attacks: improve your cloud performance (at your neighbors expense). In: Proceedings of the 2012 ACM conference on Computer and communications security (CCS) (2012)

Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the 2009 ACM CCS (2009)

Song, D.X., Wagner, D., Tian, X.: Timing analysis of keystrokes and timing attacks on SSH. In: USENIX Security Symposium (2001)

Szefer, J., Keller, E., Lee, R.B., Rexford, J.: Eliminating the hypervisor attack surface for a more secure cloud. In: Proceedings of the 2011 ACM CCS (2011)

Bates, A., Mood, B., Pletcher, J., Pruse, H., Valafar, M., Butler, K.: Detecting co-residency with active traffic analysis techniques. In: Proceedings of the 2012 ACM Workshop on Cloud computing security workshop (CCSW) (2012)

Dai, J., Sun, X., Liu, P.: Patrol: revealing zero-day attack paths through network-wide system object dependencies. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 536–555. Springer, Heidelberg (2013) CrossRef

10.

Zhang, Y., Juels, A., Oprea, A., Reiter, M.K.: HomeAlone: co-residency detection in the cloud via side-channel analysis. In: 2011 Symposium on Security and Privacy (S&P) (2011)

11.

Chen, Y., Paxson, V., Katz, R.H.: What’s new about cloud computing security. University of California, Berkeley Report No. UCB/EECS-2010-5, January 2010

12.

Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: 2002 Symposium on Security and Privacy (S&P) (2002)

13.

Ramakrishnan, C.R., Sekar, R.: Model-based analysis of configuration vulnerabilities. J. Comput. Secur. 10(1/2), 189–209 (2002)CrossRef

14.

Phillips C., Swiler, L.P.: A graph-based system for network-vulnerability analysis. In: Proceedings of the 1998 Workshop on New security paradigms (1998)

15.

Jajodia, S., Noel, S., O’Berry, B.: Topological analysis of network attack vulnerability. In: Kumar, V., Srivastava, J., Lazarevic, A. (eds.) Managing Cyber Threats, vol. 5, pp. 247–266. Springer, Heidelberg (2006) CrossRef

16.

Ammann, P., Wijesekera, D., Kaushik, S.: Scalable, graph-based network vulnerability analysis. In: Proceedings of the 2002 ACM CCS (2002)

17.

Ingols, K., Lippmann, R., Piwowarski, K.: Practical attack graph generation for network defense. In: 22nd Annual Computer Security Applications Conference (ACSAC) (2006)

18.

Ou, X., Boyer, W.F., McQueen, M.A.: A scalable approach to attack graph generation. In: Proceedings of the 2006 ACM Conference on Computer and Communications Security (2006)

19.

Ou, X., Govindavajhala, S., Appel, A.W.: MulVAL: A logic-based network security analyzer. In: USENIX Security Symposium (2005)

20.

Balduzzi, M., Zaddach, J., Balzarotti, D., Kirda, E., Loureiro, S.: A security analysis of Amazon’s elastic compute cloud service. In: Proceedings of the 27th ACM SAC (2012)

21.

Lazri, K., Laniepce, S., Ben-Othman, J.: Reconsidering intrusion monitoring requirements in shared cloud platforms. In: Availability, Reliability, and Security (ARES). IEEE (2013)

22.

http://www.snort.org/

23.

Xie, P., Li, J., Ou, X., Liu, P., Levy, R.: Using Bayesian networks for cyber security analysis. In: Dependable Systems and Networks (DSN). IEEE/IFIP (2010)

24.

http://www.tenable.com/products/nessus

25.

http://nvd.nist.gov/

26.

http://nvd.nist.gov/cvss.cfm

27.

http://cve.mitre.org/

28.

http://www.tripwire.com/

29.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2446

30.

https://www.samba.org

31.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5423

32.

https://info.tiki.org/

33.

http://reasoning.cs.ucla.edu/samiam/

34.

Bugiel, S., Nrnberger, S., Pppelmann, T., Sadeghi, A.-R., Schneider, T.: AmazonIA: when elasticity snaps back. In: Proceedings of the 2011 ACM CCS (2011)

35.

Kruegel, C., Mutz, D., Robertson, W., Valeur, F.: Bayesian event classification for intrusion detection. In:19th Annual Computer Security Applications Conference (ACSAC) (2003)

Titel: Inferring the Stealthy Bridges Between Enterprise Network Islands in Cloud Using Cross-Layer Bayesian Networks
verfasst von: Xiaoyan Sun
Jun Dai
Anoop Singhal
Peng Liu
Verlag: Springer International Publishing
Buch: International Conference on Security and Privacy in Communication Networks
Print ISBN: 978-3-319-23828-9

Electronic ISBN: 978-3-319-23829-6

Copyright-Jahr: 2015
DOI: https://doi.org/10.1007/978-3-319-23829-6_1

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"