Modelling Distributed Network Security in a Petri ... - Semantic Scholar
Recommend Documents
www.pre-sense.de. ⢠Theoretical Foundations of Computer Science Group (TGI), ... of network security components (NSCs) ... â¢Define a concrete security policy.
Workflow management systems (wfms) are modern software tools to support and control ..... Each token in the place resources represents a free ..... [12] K. HAYES AND K. LAVERY, Workflow management software: the business oppor- tunity ...
two basic services: .... ticket. In a distributed system this would mean that the clocks on the various hosts ... The basic intradomain authentication protocols can.
Dr Luke O'Connor has a PhD in cryptogra- phy and is currently employed as a research sci- entist in the Co-operative Research Centre (CRC) for Distributed ...
The paper shows how Security Iqformatwn for user au- lhenticatwn, peer-entity ..... In its simplest form the PAC is a signed sequence of security Privilege ...
Nov 1, 2012 - infection model, e.g., the Ross-MacDonald model [6]. In this article, we discuss how such a computational method differs from existing methods ...
network management servers in a distributed framework [6]. .... The Circulate Aglet is a mobile agent program .... D-Link's D-View network management software.
log once the data are made permanent at the server [17]. A recovery framework for the g-2PL protocol was discussed in [18]. The performance of the g-2PL ...
necting personal computers, but also to convey music and ... This paper proposes a secure service protocol for home networks. Security is tightly coupled with ...
capable of choosing the service-specific balance between application-layer .... interference, and to avoid possible collusion against the hosting network node ...
where A is a submatrix of A having full rank r, and Y1Y2] is the respective ...... It has been seen by Thomas 71], Nicol and Roy 60] and Chiola and Ferscha 18], ...
for high level nets with arc inscriptions where the enabling test and the r- ... G.S. Thomas and J. Zahorjan. Parallel simulation ... G. Chiola,. G. Conte,. S. Donatelli, and G. Franceschinis. An introduction to Generalized Stochastic Petri Nets. Mi-
a graphical representation of our models: a special dialect of high-level Petri nets, namely ..... R. Scott Cost, Ye Chen, T. Finin, Y. Labrou, and Y. Peng. Modeling ...
such nets and show how history-dependent nets can combine modelling comfort with .... person is suspected of committing a crime, the police department will try to arrest the suspect .... Morgan Kaufmann, San Francisco (1996). 10. Winskel ...
Oct 22, 2005 - together with the topics that fit the best applications of distributed computing and the ... be applied to many traditional aspects of computer programming .... curriculum, Journal of Computing in Colleges, vol 19, no 5,. 2001 ...
components that interact through remote service invocations. It does ... components as Forgery, Betrayal and Denial of Service. ... An email server that broadcast.
Security management and policy compliance are critical issues in modern in- ... redundant information acquisition employing multiple agents and independent.
Access control requirements deal with which clients are ... The rst step in binding is that the candidate client contacts a name server to request the .... The ideal case of security in distributed object systems is a dedicated security subobject tha
Feb 14, 2011 - [email protected]. Debasish Jena ... [email protected] .... encryption techniques, digital signatures, digital certificates and.
Feb 14, 2011 - C.2.0 [Computer-Communication Networks]: General- Security and protection. .... provide well known security services. They do these just to ...
remaining scalable and usable. Keywords-Publish/subscribe networking; network security; denial-of-service; future network architectures. I. INTRODUCTION.
Security in operating systems has long been a topic of research 1, 4, 5], which ... The access control design involves identifying the di erent network services and.
AbstractâThis paper proposes a distributed virtual network .... A. Virtual Network Topology (VNT) ... may maintain it for quality-of-service (QoS) concerns. In this.
representing the best tradeoff between energy and network utility. ... plications such as patient monitoring, disability assistance and ... WBANs can monitor vital.
Modelling Distributed Network Security in a Petri ... - Semantic Scholar
www.pre-sense.de. ⢠Theoretical Foundations of Computer Science Group (TGI),. University of Hamburg www.informatik.uni-hamburg.de/TGI/. ⢠N@Work.
Modelling Distributed Network Security in a Petri Net and Agent-based Approach The Herold Project www.herold-security.de MATES 2010 September 28th Simon Adameit, Tobias Betz, Lawrence Cabac, Florian Hars, Marcin Hewelt, Michael Köhler-Bußmeier, Daniel Moldt, Dimitri Popov, José Quenum, Axel Theilmann, Thomas Wagner, Timo Warns, Lars Wüstenberg
1
www.herold-security.de
Overview Introduction The Herold Project Modelling Background Conceptual Model Implementation Outlook 2
www.herold-security.de
Introduction •Networks omnipresent today •Data and services accessible via a network •Have to be protected from... • unauthorised access • (malicious) tampering • ...
•Need for network security 3
www.herold-security.de
Introduction •Traditional perimeter approaches problematic •Cell-based approaches lessen problems and •Also closer to modern scenarios •Herold project aims to provide distributed network security management •This presentation features early results 4
www.herold-security.de
Overview Introduction The Herold Project Modelling Background Conceptual Model Implementation Outlook 5
www.herold-security.de
Herold Overview •2 Year funded research project •Funded by the BMBF (Grant No. 01BS0901) •Cooperation between: • PRESENSE Technologies GmbH www.pre-sense.de • Theoretical Foundations of Computer Science Group (TGI), University of Hamburg www.informatik.uni-hamburg.de/TGI/ • N@Work www.work.de
6
www.herold-security.de
Herold Overview •Distributed system for a novel agent-oriented approach to distributed network security •Core: Efficient and secure configuration of network security components (NSCs) •Concurrent, cooperative design
7
www.herold-security.de
Herold Overview •Aims to provide activities associated with network security management • Define abstract security goals • Define a concrete security policy • Choose how and where to enforce the policy • Monitor and analyse enforcement • ...
8
www.herold-security.de
Herold Summary •Main Concepts: •Hierarchy of policies •Cooperative design of policies •Localisation •Cooperative enforcement by NSCs 9
www.herold-security.de
Herold Summary Problems:
Solutions:
•Distributed environment
➡ Agents
•Concurrent behaviour
➡ Petri nets
•Complex dynamics
➡ PAOSE
•Security application requirements
➡ Herold
10
www.herold-security.de
Overview Introduction The Herold Project Modelling Background Conceptual Model Implementation Outlook 11
• Nets-within-nets paradigm • Synchronous channels are used for communication between and in nets
13
www.herold-security.de
RENEW •Editor and simulator for different net formalisms •Especially designed for reference nets •Serves as development and runtime environment •Freely available at www.renew.de
14
www.herold-security.de
MULAN • MULti Agent Nets • Complete agent architecture modelled with reference nets • Executable in RENEW as a conceptual framework
15
www.herold-security.de
CAPA • Concurrent Agent Platform Architecture • FIPA compliant extension of MULAN • Replaces upper layers of MULAN to allow deployment in real-life networks 16
www.herold-security.de
PAOSE • Petri net-based Agent and Organisation-oriented Software Engineering • Especially suited for developing systems with MULAN and CAPA • Key Aspects: • Rapid prototyping • Three-dimensional modelling (Actors, Interactions, Ontology) • MAS as metaphor for development team • Tool support (RENEW) for different stages
• Visit www.paose.net for further information 17
www.herold-security.de
Overview Introduction The Herold Project Modelling Background Conceptual Model Implementation Outlook 18
www.herold-security.de
General Assumptions •Needed: •Simple model •Represents all relevant aspects of Herold project •Relatively “easy” to understand, present and handle •Iteratively rising in complexity ➡ A conceptual system for which an implementation is iteratively enhanced 19
www.herold-security.de
General Assumptions •Conceptual view: •One “stepping stone” that covers important aspects •Theoretical view •Implementation •In the paper: Simpler “model zero” •In this presentation: More advanced model 20
www.herold-security.de
Conceptual View •Cell-based approach to network security •Hierarchy of policies •Technical actors are represented as agents •Especially NSCs regarded as nodes of distributed systems
21
www.herold-security.de
Network Model •Fully connected network topology •Unique addresses •Focus of this network model are the NSCs •Grouping of network nodes supported •Limitation: Certain NSCs cannot be covered in this model due to implicit network topology 22
www.herold-security.de
Policy Model • Users share single global (total) policy • Policy consists of an ordered set of rules • Rules consist of • Source address and port • Target address and port • “allow” or “deny” for traffic between source and target
• Implicit rule for every non explicit one • Rules over groups allow concise policy definitions 23
www.herold-security.de
Use Cases • View current policy • Add/delete/modify/move rule within policy • View status information • View current NSCs • Add/delete/modify NSCs • View groups • Add/delete/modify/rename group 24
www.herold-security.de
Overview Introduction The Herold Project Modelling Background Conceptual Model Implementation Outlook 25
www.herold-security.de
Implementation •Working prototype realising Herold functionality •Implemented using MULAN/CAPA agents •RENEW serves as runtime environment •Further along than “model zero” presented in paper 26
Interactions •Interactions in MULAN/CAPA usually provide the largest part of the functionality •In this scenario many similar interactions occur (e.g. add/delete/modify rule) •Two options: •Model each interactions separately •Model a few interactions catering to many uses 29
Decision Components •Use of “template” interactions forces functionality into decision components (DCs) •DCs can be viewed as special, constantly running protocol nets •Every agent (in this context) possesses a number of DCs
34
www.herold-security.de
Decision Components •AdminProxy
•Network Manager
• User Interface DC
• (Top Level)
•Policy Manager
• Database
• (Top Level) • Database • Localisation
• Localisation
•NSC Proxy • (Top Level) • Localisation
35
User Interface DC
www.herold-security.de
36
Policy Manager Database DC
www.herold-security.de
37
www.herold-security.de
Ontology (partial) 38
www.herold-security.de
Overview Introduction The Herold Project Modelling Background Conceptual Model Implementation Outlook 39
www.herold-security.de
Outlook - Data Models • Extensions to network and policy model: • Explicit and complex network topologies • Abstract security objectives and best practices • Partial policies, policy templates, “policy pool” • ...
40
www.herold-security.de
Herold Cycle 41
www.herold-security.de
Further aspects • Localisation • Verification • Distribution of Herold • Versatility • ... 42
The End Thank You for Your attention Questions? :) www.herold-security.de 43
