Network Security Situation Assessment: A Review and Discussion

Yu-Beng Leau, Selvakumar Manickam and Yung-Wey Chong
National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia, 11800, Bayan Lepas, Penang, Malaysia. {beng,selva,chong}@nav6.usm.my

Abstract. The number of network intrusion attempts has reached an alarming level. Questions have been raised about the efficiency of deploying intrusion detection and prevention systems that are concerned with a single device instead of the overall network security situation. Researchers have shown an increased interest in designing network security situation awareness, which consists of event detection, situation assessment and situation prediction. Generally, Network Security Situation Assessment is a process that evaluates the security situation of the entire network in a particular time frame and uses the result to predict the incoming situation. In this paper, we review existing network security situation assessment methods from three major categories with respect to their strengths and limitations. A list of consideration criteria is summarized for future situation assessment model design. Keywords: Network Security Situation Assessment, Statistical Approach, Relationship Analysis, Artificial Intelligence

1 Introduction

The rapid development of the Internet, which offers convenient services and information sharing, has also made it a breeding ground for malware and cyber criminals [1, 2]. In a report by G Data Software, 1,509,934 new malware samples were found in the first half of 2013, which means that an average of 8,342 new malware programs is produced every day [3]. In 2012, Symantec also recorded a 58% increase in new mobile malware compared to the previous year [4]. In Malaysia, the number of incidents is also rising steadily, reaching 10,636 cases across attack types such as denial of service, intrusion attempts, malicious code and spamming [5]. These increasing numbers bring serious challenges and problems to network security. In addition, most prevention systems respond directly to these attacks without any assessment of the alert, producing a large number of false positive and false negative notifications [6]. Therefore, instead of focusing on a single asset in the network, security administrators nowadays are more interested in assessing the security situation of the overall network, in order to provide useful information to the Intrusion Prevention System for predicting the incoming network security situation and being ready to take proper action.

© Springer-Verlag Berlin Heidelberg 2015. K.J. Kim (ed.), Information Science and Applications, Lecture Notes in Electrical Engineering 339, DOI 10.1007/978-3-662-46578-3_48

2 Network Security Situation Assessment in Situation Awareness Framework

Network Security Situation Assessment is the second level in the Network Security Situation Awareness framework. The concept of Situation Awareness (SA) was first introduced by Endsley [7] in the aviation and aerospace domains through research on human factors. Its objective is to ensure that the necessary information is readily accessible to, and understood by, decision makers and analysts at various levels by presenting it in an abstract visual format. To expand on this perspective of SA, three hierarchical levels were introduced, beginning with Perception, followed by Comprehension and, at the highest level, Projection [8, 9]. Perception classifies information about the status, attributes and dynamics of relevant elements within the environment into an understood representation. Comprehension of the situation covers how people integrate multiple pieces of information, interpret them in terms of their relevance to the underlying goals and infer conclusions about those goals. Based on the knowledge from the previous levels, Projection forecasts the elements of the situation into the near future [10]. The awareness levels thus progress from basic perception of important data, to interpretation and combination of data into knowledge, to prediction of the future situation and its implications. For the cyberspace environment, Tim Bass proposed in 1999 to apply the concept of SA to the network security field, calling it Network Security Situation Awareness (NSSA). NSSA can be divided into three stages: event detection, current situation assessment and future situation prediction [11]. Event Detection identifies abnormal and malicious activity in the network and translates it into a logical format. Current Situation Assessment evaluates the security situation of the entire network using the information from the previous stage. The last stage, Future Situation Prediction, aims to forecast the future network security trend according to the current and historical network security situation. Network Security Situation Assessment is thus the core of NSSA: it extracts the situation elements, analyses the associations among security events and infers the degree of threat in each layer of the network in order to reflect the security situation of the whole network. It provides an all-in-one and reliable frame of reference for administrators to make correct and timely decisions. In this paper, we focus only on reviewing existing network security situation assessment mechanisms.

3 Existing Network Security Situation Assessment Mechanisms

Today, many assessment mechanisms have been proposed to attain this goal. They can be categorized into three orientations: logical relationship, artificial intelligence and mathematical model.

3.1 Based on Relationship Analysis

Assessment methods based on relationship analysis examine the interrelationships among alerts that might together form an attack scenario in a network. Some subjective inputs such as expert knowledge, experience and historical data are required. By correlating detected alerts on the basis of the prerequisites and consequences of attacks, attack scenarios can be constructed to represent the security situation of the network, as in the frameworks in [12, 13]. Intuitively, the prerequisite of an attack is the necessary condition for the attack to succeed, whereas the consequence of an attack is its possible outcome. These methods not only depend heavily on the completeness of the predefined reference templates but also involve high labour cost and time. In 2010, Zhaowen et al. proposed a real-time intrusion alert correlation model based on prerequisites and consequences (RIAC) [14]. It employs distributed agents to collect alert information online and uses it to produce hyper-alerts. Sets of prerequisites and expanded consequences are derived from the information in a knowledge base. By identifying the "prepare-for" relationships among hyper-alerts, the attack scenario and the intrusion intent behind the alerts are discovered. This model can be applied in a large-scale environment, but it depends heavily on expert knowledge to fully populate the alert information knowledge base. To overcome this constraint, Anbarestani et al. [15] proposed a Bayesian network-based alert correlation that discovers attack strategies without the need for expert knowledge. The approach extracts attack scenarios by classifying action sequences: it leverages historical data from log sources and classifies them using the observed intrusion objective as the class variable. The possible attack scenarios constructed from hyper-alert sequences are examined and the most plausible strategies for constructing a cooperative attack are extracted. The model eliminates redundant relationships, but an adequate and reliable set of historical data from log sources is required. In the same year, Zali et al. [16] applied a graph model called the Causal Relations Graph to represent attack patterns in the knowledge base. Trees of the probable correlations of alerts are constructed offline, while the correlations of each alert received in real time with previously received alerts are identified by searching only the corresponding tree. Although the model identifies the relationships between alerts in a short time, constructing complete trees of probable alert correlations is laborious and challenging.

In general, situation assessment based on relationship analysis is easy to understand and efficient if a comprehensive relation template, covering the prerequisites and consequences of the various types of attacks, is in place. Nevertheless, the method has limitations. The reference model with the prerequisites and consequences of the various attacks is difficult to construct, and it is hard to identify the logical relationships among alerts that come from multiple sources. For this reason, the method cannot express the uncertainty that exists in the whole network system, which security managers need as guidance when configuring network security mechanisms.
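As an added illustration of the prerequisite/consequence correlation described above (example code written for this review, not the implementation of [12], [14] or any other reviewed work), the following Python block correlates a constructed alert stream into a "prepare-for" scenario graph. The alert types, their prerequisite and consequence predicates, and the sample alerts are all assumptions made for the example.

```python
"""Prerequisite/consequence alert correlation into an attack scenario graph.

Added example for this review; it is not code from [12], [14] or any other
reviewed paper. Knowledge base, predicates and alerts are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Knowledge base (assumed): hyper-alert type -> (prerequisites, consequences).
# A predicate is (name, attribute names); the attributes are bound per alert.
KNOWLEDGE_BASE = {
    "ICMP_PING":    ([],                              [("HostAlive", ("dst",))]),
    "PORT_SCAN":    ([("HostAlive", ("dst",))],       [("PortOpen", ("dst", "port"))]),
    "FTP_OVERFLOW": ([("PortOpen", ("dst", "port"))], [("RootAccess", ("dst",))]),
    "DDOS_DAEMON":  ([("RootAccess", ("dst",))],      [("DaemonInstalled", ("dst",))]),
}


@dataclass(frozen=True)
class Alert:
    id: int
    kind: str
    ts: int        # detection time in seconds (constructed)
    dst: str
    port: int = 0


def bind(pred, alert):
    """Instantiate a predicate with the alert's attribute values."""
    name, attrs = pred
    return (name,) + tuple(getattr(alert, a) for a in attrs)


def prerequisites(alert):
    return {bind(p, alert) for p in KNOWLEDGE_BASE[alert.kind][0]}


def consequences(alert):
    return {bind(c, alert) for c in KNOWLEDGE_BASE[alert.kind][1]}


def correlate(alerts):
    """Return prepare-for edges (earlier_id, later_id, fact): an earlier alert
    prepares for a later one when one of its consequences is a prerequisite
    of the later alert. Alerts are processed in time order, so a fact is only
    ever established by alerts that precede the one being examined."""
    established = defaultdict(list)   # fact -> alerts whose consequence established it
    edges = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        for fact in sorted(prerequisites(alert), key=repr):
            for earlier in established[fact]:
                if earlier.ts < alert.ts:
                    edges.append((earlier.id, alert.id, fact))
        for fact in consequences(alert):
            established[fact].append(alert)
    return edges


def attack_scenarios(alerts, edges):
    """Group linked alerts into scenario chains (alert kinds in time order)
    and return the ids of alerts that could not be linked to anything."""
    by_id = {a.id: a for a in alerts}
    adj = defaultdict(set)
    for u, v, _ in edges:
        adj[u].add(v)
        adj[v].add(u)
    seen, scenarios, isolated = set(), [], []
    for alert in sorted(alerts, key=lambda a: a.ts):
        if alert.id in seen:
            continue
        if alert.id not in adj:
            isolated.append(alert.id)
            continue
        component, stack = [], [alert.id]
        seen.add(alert.id)
        while stack:                      # depth-first walk of one component
            node = stack.pop()
            component.append(node)
            for nxt in adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        component.sort(key=lambda i: by_id[i].ts)
        scenarios.append([by_id[i].kind for i in component])
    return scenarios, isolated


# Constructed alert stream: a four-step intrusion on 10.0.0.5 plus one
# unrelated scan of 10.0.0.9 whose prerequisite was never established.
SAMPLE_ALERTS = [
    Alert(1, "ICMP_PING", 100, "10.0.0.5"),
    Alert(2, "PORT_SCAN", 160, "10.0.0.5", 21),
    Alert(3, "FTP_OVERFLOW", 300, "10.0.0.5", 21),
    Alert(4, "DDOS_DAEMON", 420, "10.0.0.5"),
    Alert(5, "PORT_SCAN", 200, "10.0.0.9", 80),
]

if __name__ == "__main__":
    edges = correlate(SAMPLE_ALERTS)
    for u, v, fact in edges:
        print(f"alert {u} prepares for alert {v} via {fact}")
    print(attack_scenarios(SAMPLE_ALERTS, edges))
```

Alert 5 stays uncorrelated because no earlier alert established `HostAlive` for its target. That is the dependence on a complete knowledge base discussed above: an attack step whose prerequisite is missing from the template, or whose preceding step was never detected, is never linked into a scenario.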

3.2 Based on Artificial Intelligence

Assessment methods based on artificial intelligence, particularly artificial immune systems, use biological immune theory as a reference for designing models and algorithms that solve various problems. With mechanisms borrowed from biology such as self-tolerance, self-learning and evolution, an intrusion detection system can use immune theory as the basis of security awareness to detect both known and unknown intrusions. In 2009 and 2011 respectively, Liu Nian et al. [17] and Zhang Ruirui et al. [18] applied artificial immune technology in their proposed NSSA structures. They suggested that, by establishing the correspondence between the change in antibody concentration in the human immune system and the pathogen intrusion rate on the one hand, and the attack intensity on the other, this information can be used to calculate the security situation of hosts. The network security situation can then be quantified in real time and in a dynamic manner. The proposed model is claimed to realize an overall evaluation of attacks at the levels of host computer, sub-network and whole network, and to observe the current system risk, which reflects the present network security situation, in a timely and accurate way. Unfortunately, the model has limitations, particularly in scalability and coverage, which lead to low efficiency and a high false negative rate. Besides that, a huge number of detectors is needed, and an intolerable amount of time is required to improve the coverage rate. To overcome these deficiencies, a network security situation assessment model based on a cooperative artificial immune system has been suggested [19]. In this model, the memory detectors on different computers spread across the whole system share the differences in the packets they have detected. The cooperative module sends and receives the information of the cooperative detectors, and decides which collaboration relationship should be used and when it should quit. Although this model shares the efficient detectors within a certain range, which shortens the training time of the individual immune systems, training the detectors to act intelligently when sharing information is not an easy task.
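The negative-selection mechanism behind the immune-based models, as an added example that is not taken from [17], [18] or [19]: random candidate detectors are kept only if they match no string of a constructed "self" set (r-contiguous-bits matching), and a host's situation value is derived from an antibody-like concentration that rises with detector hits and decays afterwards. The self set, the nonself samples, the matching length r and the concentration rule are assumptions made for this example.

```python
"""Negative-selection detectors and an antibody-concentration situation value.

Added example for this review, not code from [17], [18] or [19]. The self
set, nonself samples, matching length and concentration rule are assumed.
"""
import random

R = 8          # r-contiguous-bits matching threshold (assumed)
BITS = 16      # length of an encoded traffic feature string (assumed)

# Constructed "self" profiles: bit-encoded features of normal traffic.
SELF_SET = [
    "0000111100001111",
    "0000111100001110",
    "0001111100001111",
    "0000011100001111",
]

# Constructed nonself samples used only to measure detector coverage.
NONSELF_SAMPLES = [
    "1111000011110000",
    "1010101010101010",
    "1100110011001100",
    "0111101111011110",
    "1001100110011001",
    "1111111100000000",
]


def r_contiguous_match(detector, sample, r=R):
    """True if detector and sample agree on at least r consecutive bits."""
    run = 0
    for d, s in zip(detector, sample):
        run = run + 1 if d == s else 0
        if run >= r:
            return True
    return False


def generate_detectors(self_set, n_detectors, bits=BITS, r=R, seed=0,
                       max_tries=100_000):
    """Negative selection: a random candidate is kept only when it matches no
    self string, which gives the self-tolerance the section describes. Every
    candidate costs one pass over the whole self set."""
    rng = random.Random(seed)
    detectors, tries = [], 0
    while len(detectors) < n_detectors and tries < max_tries:
        tries += 1
        candidate = "".join(rng.choice("01") for _ in range(bits))
        if not any(r_contiguous_match(candidate, s, r) for s in self_set):
            detectors.append(candidate)
    return detectors


def is_nonself(sample, detectors, r=R):
    """A sample is flagged as an intrusion when any detector matches it."""
    return any(r_contiguous_match(d, sample, r) for d in detectors)


def coverage(detectors, samples, r=R):
    """Fraction of nonself samples that at least one detector flags."""
    hits = sum(1 for s in samples if is_nonself(s, detectors, r))
    return hits / len(samples)


def host_situation(hits_per_step, decay=0.5, scale=4.0):
    """Antibody-concentration style host value per time step: the
    concentration rises with the number of detector hits in the step and
    decays geometrically when attacks stop; the situation value is the
    concentration normalised into [0, 1] (decay and scale are assumed)."""
    concentration, values = 0.0, []
    for hits in hits_per_step:
        concentration = concentration * decay + hits
        values.append(min(1.0, concentration / scale))
    return values


if __name__ == "__main__":
    dets = generate_detectors(SELF_SET, 60)
    print("self-tolerant:", not any(is_nonself(s, dets) for s in SELF_SET))
    print("coverage with 20 detectors:", coverage(dets[:20], NONSELF_SAMPLES))
    print("coverage with 60 detectors:", coverage(dets, NONSELF_SAMPLES))
    print("host situation:", host_situation([2, 0, 3, 0]))
```

Comparing `coverage()` with 20 and with 60 detectors shows the trade-off the section refers to: detection of nonself samples improves only by generating more detectors, and each additional detector costs another pass over the whole self set during negative selection, which is what makes the coverage rate expensive to raise.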

3.3 Based on Statistical Approach

Assessment methods based on a statistical approach aim to build an evaluation function that considers the range of elements influencing the security situation of the network. The function maps the set of all situational elements, R, into a situational space, S, which can be represented as

S = (r_1, r_2, r_3, \ldots, r_n), \quad r_i \in R \ (1 \le i \le n) \qquad (1)

Many researchers have proposed the weighted average method to assess the network security situation [20-34], and most of them apply it hierarchically. They divide their frameworks into three layers, from bottom to top: the service layer, the host layer and the network layer [20-22, 26-29, 31]. In the service layer, the assessment focuses on the vulnerabilities of the services and the number of times they have been exploited. The threat degree of each situational element in the layer determines the weight of that element when the situation value of the layer is calculated. The weighted sum of the situation values of the elements in a layer gives the situation value of the corresponding element in the layer above. The same evaluation is repeated at the host and network layers, so the overall security situation of the network is the weighted total of the situation values in the host layer. Undoubtedly, the weighted average method is simple and easy to use in any assessment process: a weight value is assigned to each situational element or resource according to its importance in the network. However, its main limitation is the lack of solid, standard guidelines for determining the significance of each element in the network, which makes the weight assignment subjective. Because of this, several alternatives have been used to obtain the weight values, such as expert perception and organizational policy [20, 22, 28, 30, 32-34], comparison between the current and historical observed values at each layer [24, 25], Grey Relational Analysis [22] and the Analytic Hierarchy Process [29].
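A worked hierarchical weighted-average assessment in the sense of Eq. (1), added here as an example (not the code of any of [20-34]): service values are severity-weighted alert counts, host and network values are weighted sums of the layer below, and the weights come from AHP pairwise-comparison matrices of the kind used in [29], reduced with the row geometric-mean approximation and checked with Saaty's consistency ratio. The severities, the alert stream, the comparison matrices and the level thresholds are assumptions made for the example.

```python
"""Hierarchical weighted-average situation assessment with AHP weights.

Added example for this review, not code from [20-34]. Severities, the alert
stream, the pairwise-comparison matrices and level thresholds are assumed.
"""
import math
from collections import defaultdict

# Threat degree per attack type (assumed).
SEVERITY = {"scan": 0.25, "brute_force": 0.5, "exploit": 1.0}

# Constructed alerts for one assessment window: (host, service, attack type).
ALERTS = (
    [("db01", "ssh", "scan")] * 6 + [("db01", "ssh", "brute_force")] * 4
    + [("db01", "http", "exploit")] + [("db01", "http", "scan")] * 3
    + [("ws07", "smb", "scan")] * 2
)

# Expert pairwise comparisons on Saaty's 1-9 scale (assumed): entry [i][j] is
# how much more important the row element is than the column element.
SERVICE_CMP = {
    "db01": (["ssh", "http", "ftp"], [[1, 2, 4], [1/2, 1, 2], [1/4, 1/2, 1]]),
    "ws07": (["smb"], [[1]]),
}
HOST_CMP = (["db01", "ws07"], [[1, 3], [1/3, 1]])

# Saaty's random consistency index by matrix order.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def ahp_weights(matrix):
    """Priority vector via the row geometric-mean approximation, plus the
    consistency ratio CR = CI / RI with CI = (lambda_max - n) / (n - 1)."""
    n = len(matrix)
    geo = [math.prod(row) ** (1.0 / n) for row in matrix]
    weights = [g / sum(geo) for g in geo]
    a_w = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(a_w[i] / weights[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    return weights, (ci / ri if ri else 0.0)


def service_values(alerts):
    """Service-layer value: severity-weighted count of alerts per service."""
    values = defaultdict(float)
    for host, service, kind in alerts:
        values[(host, service)] += SEVERITY[kind]
    return dict(values)


def weighted_layer(spec, value_of):
    """Weighted sum of the elements below, rejecting inconsistent judgements."""
    names, matrix = spec
    weights, cr = ahp_weights(matrix)
    if cr > 0.1:                         # Saaty's usual acceptance threshold
        raise ValueError(f"inconsistent pairwise judgements, CR={cr:.2f}")
    return sum(w * value_of(name) for w, name in zip(weights, names))


def assess(alerts):
    """Service -> host -> network: each layer is the AHP-weighted sum of the
    layer below. Returns (service values, host values, network value)."""
    svals = service_values(alerts)
    hvals = {host: weighted_layer(spec, lambda s, h=host: svals.get((h, s), 0.0))
             for host, spec in SERVICE_CMP.items()}
    network = weighted_layer(HOST_CMP, lambda h: hvals[h])
    return svals, hvals, round(network, 6)   # rounded to drop float noise


def level(value):
    """Qualitative situation level (thresholds assumed)."""
    for bound, name in ((1.0, "low"), (2.0, "medium"), (4.0, "high")):
        if value < bound:
            return name
    return "critical"


if __name__ == "__main__":
    svals, hvals, network = assess(ALERTS)
    print("services:", svals)
    print("hosts:", hvals)
    print("network:", network, level(network))
```

The consistency check is the part that addresses the subjectivity noted above: a pairwise matrix whose judgements contradict each other (CR above 0.1) is rejected before its weights can enter the sum, so the expert input is at least internally coherent even though the scale itself remains a judgement.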

4 Conclusion

In this paper, we identified the existing problems of network security situation assessment and explained the role of situation assessment in an NSSA framework. We also categorized and presented a comprehensive review of existing network security situation assessment methods based on their approaches. Each has its own strengths and weaknesses in terms of the completeness of the criteria chosen for the assessment process. Table 1 lists the criteria considered in some recent security situation assessment methods. From the table, we notice that most of the related works focus on statistical approaches, which quantitatively determine asset importance, attack severity and the likelihood of occurrence. To the best of our knowledge, no existing study adequately considers the cost factor in the assessment. In this context, cost refers to the damage and response costs that are usually used in selecting appropriate responses after the situation evaluation [35, 36]. Damage cost characterizes the amount of damage done to a target resource by an attack when intrusion detection is unavailable or ineffective, while response cost is the cost of acting upon an alarm or log entry that indicates a potential intrusion [37].


Table 1. Criteria considered in existing network security situation assessment methods.
Columns: Severity of Attack; Frequency of Attack; Importance of Service; Likelihood of Occurrence; Damage Degree; Types of Attacks.
Rows, by category:
Relationship Analysis: Ning, Cui et al. [12]; Xu and Ning [13]; Zhaowen, Li et al. [14]; Anbarestani, Akbari et al. [15]; Zali, Hashemi et al. [16].
Artificial Intelligence: Nian, Diangang et al. [17]; Ruirui, Tao et al. [18]; Qiao and Xu [19].
Statistical Approach: Hu, Li et al. [20]; Yong, Xiaobin et al. [21]; Zhang, Wang et al. [22]; Wang, Zhang et al. [23]; Liqun and Xingyuan [24]; Song and Zhang [25]; Zhang, Huang et al. [26]; Cheng and Lang [27]; Xiaorong, Su et al. [28]; Bian, Wang et al. [29]; Xiangdong Cai, Yang Jingyi et al. [30]; Xiaoli and Hui [31]; Szwed and Skrzynski [32]; Zheng, Wei et al. [33]; Zhang, Chen et al. [34].
(The per-cell marks of the table did not survive extraction.)

In conclusion, all of these criteria, including the damage and response costs, should be taken into consideration when designing an efficient and cost-sensitive network security assessment mechanism, in order to provide a more reliable and accurate picture of the current network security situation.

Acknowledgement. The authors would like to thank the National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia for supporting this research project.


References
1. Leau, Y.B., et al.: A Survey of Intrusion Alert Correlation and Its Design Considerations. IETE Technical Review 31(3), 233-240 (2014)
2. Leau, Y.B., Manickam, S., Fun, T.S.: A Framework for Analytic Hierarchy Process-Entropy Network Security Situation Assessment and Adaptive Grey Verhulst-Kalman Prediction in Intrusion Prevention System. Australian Journal of Basic & Applied Sciences 8(14), 34-39 (2014)
3. G Data PC Malware Report, Half-yearly Report (January-June 2013). G Data SecurityLabs, Germany, pp. 1-12 (2013)
4. Internet Security Threat Report 2013. Symantec Corporation, United States, pp. 1-58 (2013)
5. MyCERT Incident Statistics Year 2013-2014, http://www.mycert.org.my
6. Jawdekar, A., Richariya, V., Richariya, V.: Minimization of False Alarm Prediction in IDS Based On Frequent Pattern Mining. International Journal of Emerging Technology and Advanced Engineering 2(4), 511-514 (2012)
7. Endsley, M.R.: Situation awareness global assessment technique (SAGAT). In: National Aerospace and Electronics Conference, pp. 789-795. IEEE (1988)
8. Endsley, M.R.: Toward a theory of situation awareness in dynamic systems. Human Factors: The Journal of the Human Factors and Ergonomics Society 37(1), 32-64 (1995)
9. Endsley, M.R., et al.: Situation awareness information requirements for commercial airline pilots. International Center for Air Transportation, pp. 1-7 (1998)
10. Jajodia, S., et al.: Cyber Situational Awareness, vol. 14, pp. 3-14. Springer, Heidelberg (2010)
11. Bass, T.: Multisensor data fusion for next generation distributed intrusion detection systems. In: 1999 IRIS National Symposium on Sensor and Data Fusion, pp. 24-27 (1999)
12. Ning, P., et al.: Techniques and tools for analyzing intrusion alerts. ACM Transactions on Information and System Security (TISSEC) 7(2), 274-318 (2004)
13. Xu, D., Ning, P.: Alert correlation through triggering events and common resources. In: 20th Annual Computer Security Applications Conference, pp. 360-369. IEEE (2004)
14. Lin, Z., et al.: Real-Time Intrusion Alert Correlation System Based on Prerequisites and Consequence. In: 6th International Conference on Wireless Communications Networking and Mobile Computing (WiCOM), pp. 1-5. IEEE (2010)
15. Anbarestani, R., et al.: An iterative alert correlation method for extracting network intrusion scenarios. In: 20th Iranian Conference on Electrical Engineering (ICEE), pp. 684-689. IEEE (2012)
16. Zali, Z., et al.: Real-time attack scenario detection via intrusion detection alert correlation. In: 9th International ISC Conference on Information Security and Cryptology (ISCISC), pp. 95-102. IEEE (2012)
17. Nian, L., et al.: Research on network security situation awareness technology based on artificial immunity system. In: International Forum on Information Technology and Applications, pp. 472-475. IEEE (2009)
18. Ruirui, Z., et al.: A Network Security Situation Awareness Model Based on Artificial Immunity System and Cloud Model. In: Computing and Intelligent Systems, pp. 212-218. Springer, Heidelberg (2011)
19. Qiao, Y., Xu, J.: A network security situation awareness model based on cooperative artificial immune system. In: International Conference on Computer Science and Service System (CSSS), pp. 1945-1947. IEEE (2011)
20. Hu, W., Li, J., Shi, J.: A novel approach to cyberspace security situation based on the vulnerabilities analysis. In: The Sixth World Congress on Intelligent Control and Automation, pp. 4747-4751. IEEE (2006)
21. Yong, Z., Xiaobin, T., Hongsheng, X.: A novel approach to network security situation awareness based on multi-perspective analysis. In: International Conference on Computational Intelligence and Security, pp. 768-772. IEEE (2007)
22. Zhang, F., Wang, J., Qin, Z.: Using gray model for the evaluation index and forecast of network security situation. In: International Conference on Communications, Circuits and Systems, pp. 309-313. IEEE (2009)
23. Wang, J., et al.: Alert analysis and threat evaluation in Network Situation Awareness. In: International Conference on Communications, Circuits and Systems, pp. 278-281. IEEE (2010)
24. Liqun, T., Xingyuan, Z.: A method of service-oriented network security situational assessment in transport layer. In: International Conference on Multimedia Technology, pp. 4759-4763. IEEE (2011)
25. Song, S., Zhang, Y.: A Novel Extended Algorithm for Network Security Situation Awareness. In: International Conference on Computer and Management, pp. 1-3. IEEE (2011)
26. Zhang, Y., et al.: Multi-sensor Data Fusion for Cyber Security Situation Awareness. Procedia Environmental Sciences 10, 1029-1034 (2011)
27. Cheng, X., Lang, S.: Research on network security situation assessment and prediction. In: Fourth International Conference on Computational and Information Sciences (ICCIS), pp. 864-867. IEEE (2012)
28. Xiaorong, C., Su, L., Mingxuan, L.: Research of Network Security Situational Assessment Quantization Based on Mobile Agent. Physics Procedia 25, 1701-1707 (2012)
29. Bian, N., Wang, X., Mao, L.: Network security situational assessment model based on improved AHP FCE. In: Sixth International Conference on Advanced Computational Intelligence, pp. 200-205. IEEE (2013)
30. Cai, X., Yang, J., Zhang, H.: Network Security Threats Situation Assessment and Analysis Technology Study. International Journal of Security and Its Applications 7(5), 217-224 (2013)
31. Xiaoli, G., Hui, W.: Research on the Network Security Situation Awareness Model for the Electric Power Industry Internal and Boundary Network. Journal of Applied Sciences 13(16), 3285-3289 (2013)
32. Szwed, P., Skrzynski, P.: A new lightweight method for security risk assessment based on fuzzy cognitive maps. International Journal of Applied Mathematics and Computer Science 24(1), 213-225 (2014)
33. Zheng, R., et al.: Network Security Situation Evaluation Strategy Based on Cloud Gravity Center Judgment. Journal of Networks 9(2), 283-290 (2014)
34. Zhang, B., et al.: Network security situation assessment based on stochastic game model. In: Advanced Intelligent Computing, pp. 517-525. Springer, Heidelberg (2012)
35. Jumaat, N.B.A.: Incident Prioritisation for Intrusion Response Systems. School of Computing and Mathematics, Plymouth University, United Kingdom, pp. 25-37 (2012)
36. Stakhanova, N., et al.: A Cost-Sensitive Model for Preemptive Intrusion Response Systems. In: AINA, vol. 7, pp. 428-435 (2007)
37. Lee, W., et al.: Toward cost-sensitive modeling for intrusion detection and response. Journal of Computer Security 10(1), 5-22 (2002)