Automated Model-based Security Management of Web Services Rajat Mehrotra, Qian Chen, and Sherif Abdelwahed CAC, Mississippi State University
Abhishek Dubey ISIS, Vanderbilt University
Krisa Rowland US Army ERDC, Vicksburg, MS
The Model Based Security Management Framework

Motivation
Distributed computing environments are complex systems that aggregate vast quantities of information to manage load in real time. The variety of network protocols and network interfaces introduces the potential for illicit cyber penetration of a distributed computing system. Research is required to identify algorithms that efficiently manage the security of distributed computing systems: detecting potential intrusion and hacking attempts, identifying the affected system components, and reacting by isolating the affected components and limiting internal communications to prevent compromise of the system. Complex distributed computing systems require autonomic management with minimal or no human intervention, based on high-level Quality of Service (QoS) specifications and security guidelines provided by system engineers and administrators.
Objective: Security Management of a Multi-tier Web Service
Manage the QoS parameters of a distributed multi-tier enterprise system while securing the underlying web service from outside security risks, by developing a model-based limited look-ahead predictive control framework with added security monitoring features and multi-dimensional QoS objectives. Experimentally identify the various system and network parameters that impact the performance of the system, define the dependency relationships between these parameters, and then use those relationships to develop the intrusion detection and performance model structure of the system. Use dynamic regression and Bayesian learning techniques to define the relationships among parameters and to develop the system performance model structure; the intrusion detection model can be developed using neural networks.
Monitoring Modules
System Monitor: reports CPU and (stack and heap) memory usage, stack depth, number of classes and DLLs used, number of disk accesses, and number of sockets used for read/write.
Performance Monitor: reports web service response time, number of errors, number of threads, and power consumption of the system.
Network Monitor: reports number of network packets sent or received, SOAP content, and TCP/IP content.
Security Monitor: reports security certificates received on the system from clients, and the compliance of various system configuration settings with the requirements defined by the administrators or the organization as per the Security Technical Implementation Guides (STIG).
Key Aspects
Derived System State for Safe Operation: the desired state that the system under consideration tries to achieve during its operation.
Environment Forecaster: estimates the unknown parameters of the system from its previous history using statistical methods.
Control Algorithms: a feedback map that uses the probability that the system is under attack to compute the best system settings and configuration to counter the attack.
Intrusion Detection Models: a machine learning based module that classifies the system state as secure or insecure based on current measurements and previous history.
Performance Models: a mathematical model of the underlying system that represents the relation between its inputs and outputs at various operational settings.
Online Predictive Filter: a mathematical representation of the system that derives the next system state from the current state, the next environment input, the control input, and the error in the previous prediction.
Web Service System: the system under observation for management.
Monitoring Module: a multi-threaded application module that monitors the system for system resource usage, network resource usage, web service QoS parameters, and security certificates.
Zenoss (Unified Network Management Tool)
Zenoss (http://www.zenoss.com/) is a GUI-based monitoring framework built on an open source project with an active development community. Multiple installation options (stack, virtual appliances, RPM). Applicable to both Xen and VMware products as well as Windows and Linux servers. More than 150 monitoring plug-ins and growing, e.g. VMware ESX Server, Xen domains, Dell/HP hardware, Apache web server, DNS, J2EE, LDAP, MySQL, NTP, HTTP. Plug-ins can be extended easily with the ZenPack monitoring framework. Auto-discovery of all network-attached devices. A single monitoring scheme can be reused for devices of a similar type (model-based monitoring). Customized reports.
Monitoring Framework for a Mixed Infrastructure (Virtual and Physical) Hosting Multiple Web Services
Single interface for handling virtual and physical servers hosting web services, irrespective of their location. Audit management for virtual and physical servers in the same manner. Security and network monitoring through the same interface for virtual and physical servers.
Monitoring Parameters
Bandwidth, Disk Space, CPU Time, Round Trip Time, Packet Loss Rate, Latency Jitter, CPU Usage Rate, Connectivity Response Time, Memory Usage Rate, File Space Capacity Usage Rate, Thread Number, Process Number, Packet Arrival, and Packet Drop.
Denial of Service (DoS) Attacks
A Denial of Service (DoS) attack is a major concern for any computing system hosting a service that can be accessed over a network. In a virtual infrastructure, an inappropriate resource allocation policy for VMs can allow a VM that is under DoS attack to consume all of the available physical resources. There is a tremendous need for an effective monitoring scheme that monitors the various system resources (CPU, memory, disk, I/O, etc.) over time and is able to predict the system state as safe or unsafe. The Zenoss GUI shows the changes in system resource utilization over time.
Figure: an event in Zenoss showing the changes.
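A minimal way to turn the resource samples described above into a safe/unsafe verdict, as an added example that is not part of the poster and not Zenoss code: it fits a least-squares trend over a window of constructed CPU, memory, disk I/O and network I/O samples and marks a resource "unsafe" when it is already at the threshold, or "trending-unsafe" when the trend forecasts that it will reach the threshold within a look-ahead horizon. The threshold, horizon, window size and the linear trend model are all assumptions chosen here for illustration.

```python
"""Resource-trend monitor: classify a host as safe or unsafe from a window of
resource samples.

Added illustration; this is not code from the poster and not part of Zenoss.
Everything here is a stated assumption: samples are utilisation fractions in
[0, 1] per resource, a resource is "unsafe" once it is at or above a threshold,
and it is "trending-unsafe" when a least-squares trend fitted over the recent
window forecasts that it will reach the threshold within the look-ahead horizon.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RESOURCES = ("cpu", "memory", "disk_io", "net_io")


@dataclass
class Policy:
    threshold: float = 0.90  # utilisation fraction treated as exhausted
    horizon: int = 5         # look-ahead, in samples
    window: int = 8          # number of recent samples used for the trend fit


def linear_trend(values: List[float]) -> Tuple[float, float]:
    """Least-squares fit y = a + b*t over t = 0..n-1; returns (a, b)."""
    n = len(values)
    if n < 2:
        return (values[0] if values else 0.0, 0.0)
    t_mean = (n - 1) / 2.0
    y_mean = sum(values) / n
    sxx = sum((t - t_mean) ** 2 for t in range(n))
    sxy = sum((t - t_mean) * (y - y_mean) for t, y in enumerate(values))
    b = sxy / sxx
    return (y_mean - b * t_mean, b)


def forecast(values: List[float], steps: int) -> float:
    """Extrapolate the fitted trend `steps` samples past the last observation."""
    a, b = linear_trend(values)
    return a + b * (len(values) - 1 + steps)


def classify(history: List[Dict[str, float]],
             policy: Optional[Policy] = None) -> Dict[str, str]:
    """Per-resource verdict: 'safe', 'unsafe' or 'trending-unsafe'."""
    policy = policy or Policy()
    recent = history[-policy.window:]
    verdicts = {}
    for res in RESOURCES:
        series = [sample[res] for sample in recent]
        if series[-1] >= policy.threshold:
            verdicts[res] = "unsafe"
        elif forecast(series, policy.horizon) >= policy.threshold:
            verdicts[res] = "trending-unsafe"
        else:
            verdicts[res] = "safe"
    return verdicts


def system_state(verdicts: Dict[str, str]) -> str:
    """Collapse per-resource verdicts into the single safe/unsafe system state."""
    return "safe" if all(v == "safe" for v in verdicts.values()) else "unsafe"


# Constructed sample history (hypothetical VM receiving a request flood):
# CPU climbs steadily, network I/O is already saturated, memory and disk I/O
# are flat. Eight samples, one per monitoring interval.
FLOOD_HISTORY = [
    {"cpu": 0.30 + 0.08 * i, "memory": 0.40, "disk_io": 0.20, "net_io": 0.95}
    for i in range(8)
]

# Constructed quiet history: everything flat and well below the threshold.
QUIET_HISTORY = [
    {"cpu": 0.25, "memory": 0.40, "disk_io": 0.10, "net_io": 0.15}
    for _ in range(8)
]

if __name__ == "__main__":
    for label, hist in (("flood", FLOOD_HISTORY), ("quiet", QUIET_HISTORY)):
        v = classify(hist)
        print(label, system_state(v), v)
```

The trend check is what makes the verdict predictive rather than reactive: in the constructed flood history the CPU is still below the threshold at the last sample but is flagged because the fitted slope reaches it within the horizon, while the saturated network I/O is flagged outright. In a deployment the threshold and horizon would come from the performance model rather than fixed constants, and a sustained-exceedance rule would be added so that a single spike does not raise an alert.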
Host Based Intrusion Detection
Changes on the host side may occur due to security problems in the infrastructure (e.g. changes to file attributes or modification times, or files added to or deleted from a folder). An effective monitoring technique is needed that can watch the sensitive information stored in files for unauthorized changes. The host-based intrusion detection script sends changes to the monitored folders or files to the Zenoss virtual machine. The Zenoss GUI shows the changes for the specified files or folders.
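The file-change detection just described, as an added example that is neither the poster's own script nor Zenoss code: it snapshots a directory tree (permission bits, modification time, size and a SHA-256 content digest per regular file), diffs a baseline against a later snapshot to list added, deleted and modified files together with which attributes changed, and shapes each change as an event record. The event field names (device, component, severity, summary) and the use of a content digest on top of the attributes the poster names are assumptions made here; the demo tree and its tampering are constructed in a temporary directory.

```python
"""Host-based file integrity check: snapshot a directory tree, diff two
snapshots, and render each change as a monitoring event.

Added illustration; it is neither the poster's own detection script nor
Zenoss code. Assumptions: the event dictionary layout (device, component,
severity, summary) is hypothetical, and a SHA-256 content digest is added to
the attributes the poster names (file attributes, modification time, files
added or deleted) so that content edits are caught even when size and
mtime are unchanged.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, NamedTuple


class FileRecord(NamedTuple):
    mode: int       # permission bits (the file "attribute")
    mtime_ns: int   # modification time
    size: int
    sha256: str     # content digest


def _digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, FileRecord]:
    """Map every regular file under root (relative, '/'-separated) to its record."""
    records: Dict[str, FileRecord] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            records[rel] = FileRecord(stat.S_IMODE(st.st_mode), st.st_mtime_ns,
                                      st.st_size, _digest(full))
    return records


def diff_snapshots(old: Dict[str, FileRecord],
                   new: Dict[str, FileRecord]) -> List[dict]:
    """One change dict per added, deleted or modified file, sorted by path."""
    changes = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            changes.append({"path": rel, "change": "added", "fields": []})
        elif rel not in new:
            changes.append({"path": rel, "change": "deleted", "fields": []})
        elif old[rel] != new[rel]:
            fields = [f for f in FileRecord._fields
                      if getattr(old[rel], f) != getattr(new[rel], f)]
            changes.append({"path": rel, "change": "modified", "fields": fields})
    return changes


def to_event(change: dict, device: str) -> dict:
    """Shape a change as a monitoring event (field names are an assumption)."""
    severity = 4 if change["change"] in ("deleted", "modified") else 3
    detail = ", ".join(change["fields"]) or change["change"]
    return {"device": device, "component": change["path"], "severity": severity,
            "summary": f"{change['path']}: {change['change']} ({detail})"}


def demo() -> List[dict]:
    """Build a constructed tree, take a baseline, alter it, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "conf")
        os.makedirs(conf)
        for name, text in (("service.cfg", "listen=8080\n"),
                           ("secret.key", "constructed-key-material\n"),
                           ("keep.txt", "unchanged\n"),
                           ("old.log", "stale\n")):
            with open(os.path.join(conf, name), "w") as f:
                f.write(text)
            os.chmod(os.path.join(conf, name), 0o644)
        baseline = snapshot(root)
        # Constructed changes: grow the config, widen the key's permissions,
        # add a new file, and remove a log. keep.txt is left alone.
        with open(os.path.join(conf, "service.cfg"), "a") as f:
            f.write("admin_port=9090\n")
        os.chmod(os.path.join(conf, "secret.key"), 0o666)
        with open(os.path.join(conf, "dropped.sh"), "w") as f:
            f.write("#!/bin/sh\n")
        os.remove(os.path.join(conf, "old.log"))
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for change in demo():
        print(to_event(change, "web-01"))
```

Two details matter for a check like this: the permission change on the key file shows up with only "mode" in its field list, because chmod leaves the modification time alone, which is why the attribute itself is recorded rather than relying on mtime; and the digest catches edits that a size-and-mtime comparison would miss. The baseline snapshot should itself be stored somewhere the monitored host cannot rewrite, otherwise an intruder who can alter the files can also alter the reference.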
Expected Impact
The proposed framework will leverage proven model-based techniques for web service performance and security management tasks. It will integrate the limited look-ahead control framework with a network security framework to identify cyber penetration of the web service environment, with the help of observations of system and network resource usage patterns and the corresponding web service performance with respect to QoS parameters. The proposed framework will introduce various autonomic features into the system (i.e. self-protecting, self-healing, self-configuring).