Self-adaptability and Vulnerability Assessment of Secure Autonomic Communication Networks
Frank Chiang and Robin Braun
Faculty of Engineering, University of Technology Sydney, NSW 2007, Australia
[email protected]
Abstract. Risk and Vulnerability Analysis (RVA) aims at identifying the weaknesses of networks that may be exploited to compromise their normal functions, such as service deployment, file system access permissions, application activation and so on. Autonomic Communication Networks (ACNs) have recently been proposed as business-objective-driven, high-level self-managed telecommunication networks with the adaptation capability to cope with increasing dynamics. Adaptation capability, termed adaptability, becomes the premise of realizing thorough autonomy. As a theoretical foundation, we first propose an innovative Object-oriented Management Information Base (O:MIB). Second, a new information-theoretic security awareness strategy inspired by the human immune system is proposed to reconfigure file access rights, which have a direct relation to adaptability. The experimental results validate this methodology and yield a statistical bound that operators can use to set a vulnerability warning level in practice.
1 Introduction
Self-protection and self-healing are two important attributes of Autonomic Communication Networks (ACNs): the networks must not only reactively detect attackers but also proactively defend against potential security threats and recover from attacks autonomically. Related work in the literature includes the design and implementation of Autonomic Defence Systems (ADSs) [1]. To deliver an efficient security defence, Vulnerability Analysis (VA) is strongly recommended, because it aims at identifying the weaknesses of the networks that may be exploited to compromise normal functions such as service deployment, file system access operations and application instantiation. Intensive research on Autonomic Communication Networks (ACNs) [2] has been seen since 2001. We have also proposed and shown that learning and adaptation capabilities are two indispensable factors for the success of ACNs [3]. However, until now, the literature has not explored the comprehensive links between the vulnerability of autonomic systems and their adaptability, nor to what extent an ACN system can be securely self-adaptable without breaching the maximum limits of safe content exposure to all usages (including illegal users and malicious attacks). To the best of the authors' knowledge, this research could be the first attempt to tackle this important issue in depth for ACNs. In this paper, we carry out an information-theoretic analysis of the relation between adaptability, autonomy and vulnerability, and propose a solution for breaking down these coherent links by finding a balance point in the trade-off between maximizing a system's adaptability and reducing its vulnerability. The research aims at yielding a tolerable bound for a desirable adaptation capability based on our proposed bio-inspired scheme, which simultaneously reduces the vulnerability of ACN networks to a minimum set. It is the belief of the authors that the analysis results in this paper will give operators a global view of what damage will occur under certain situations of information exposure due to security flaws. Consequently, operators can select the best timing to activate security mechanisms (e.g., anti-virus software, firewalls and intrusion detection systems) to avoid further damage without performance compromises. The remainder of the paper is organized as follows: Section 2 presents a detailed description of the research questions. Section 3 presents our innovative O:MIB and discusses its links with the conventional MIB in the sense of information modelling. The security awareness system (SAS) is discussed in Section 4. Section 5 implements a validation simulation with a Java agent system interacting with O:XML. Experimental results show the efficiency of our proposed biological-behaviour-inspired vulnerability awareness system. Finally, we conclude with the contribution of this paper.

S. Ata and C.S. Hong (Eds.): APNOMS 2007, LNCS 4773, pp. 112–122, 2007. © Springer-Verlag Berlin Heidelberg 2007
2 Problem Statement
The research question arises from statistical observations revealing that adaptability vs. autonomy and adaptability vs. vulnerability show strong similarity in their quantitative results, whereas autonomy vs. vulnerability are a pair of contradictory factors in practice. Adaptation capability, termed adaptability, becomes the premise of realizing thorough autonomy. The statistical results are as follows: the system vulnerability is roughly proportional to the rewritability (footnote 1). The dotted lines represent ideal ADaptability (AD) (footnote 2) without concern for the vulnerability bound. It is statistically proven that the higher the proportion of system variables that are rewritable, the more adaptable the system is, but at the same time the more vulnerable the system is. Therefore, it is important to seek a way to maintain system robustness and adaptability at the same time so as to avoid this dilemma. To resolve these issues, we propose a biologically inspired awareness scheme that senses the security flaw and subsequently produces self-adaptive vulnerability results with the aim of activating the security system protection by reconfiguring file/variable access permissions. This scheme presents an information-theoretic vulnerability analysis incorporating a number of concerns: (1) the histogram of vulnerability and the current vulnerability, (2) information content exposure, i.e., rewritability, (3) traffic patterns, (4) disturbances and internal errors.

Footnote 1: ReWritability (RW) of a system is defined as the ratio between the number of writable variables and the total number of readable variables. Equation 1 and Eq. 2 define how to calculate writable and readable variables.
Footnote 2: The system ADaptability (AD) is defined as the mathematical integration of the ReWritability (RW).
3 Information Modelling

3.1 CIM Schemas, SID Data Model vs. the Proposed O:MIB
The Common Information Model (CIM) standard [4] developed by the DMTF also provides an object-oriented scheme to organize the hierarchical data of Managed Elements (MEs) from different manufacturers or sources. MEs include devices and applications. With regard to its infrastructure specification and schema, the MEs are represented as classes, and the links between classes are described by associations. Most importantly, inheritance is used to efficiently describe the common base elements and the inherited sub-elements. UML notation is applied, and CIM can be described in XML format in several ways. The Shared Information/Data (SID) model from the TeleManagement Forum (TMF) shares some similarities. The CIM standards present a conceptual schema to encapsulate all the MEs, such as services, devices, storage, computer systems, network systems and applications. CIM essentially only provides efficient storage management of various devices and applications so that system administrators and management programs can access them in a universal way. However, the methods of each class are not the main focus; the predefined methods are limited to static class methods. Moreover, executing the corresponding actions still requires a separate high-level control (e.g., centralised control), independent of the CIM structures. In contrast with SNMP MIBs, the CIM schema provides a better representation of information than static MIBs in terms of an object-oriented structure for data modelling, whereas SNMP MIBs have been used in industry for many years since ISO produced this hierarchically layered model. A MIB represents the information of managed objects from a substantially different view than CIM models.
A new O:MIB scheme is proposed in this paper as an alternative to the conventional MIB, and also as a new attempt for the information modelling area that takes the MIB as an example; we expect the scheme proposed here to be extensible to other sources of information modelling. It is known that the conventional MIB is actually a table defined by OIDs that records the hierarchical object information without object-oriented principles. O:MIB, however, is not only a data store: it applies the object-oriented principle to manage the MIB objects and essentially distributes the CPU load across a large number of local CPUs. The execution of corresponding actions can be invoked dynamically by the methods and algorithms through the local agent residing on each MIB variable, so most of the decision-making tasks can be done locally and the workload of system administrators or management programs in the CIM standard can be further reduced. Therefore, the nature of the O:MIB structure, designed specifically for distributed components with local execution capabilities, determines its efficiency.

3.2 O:MIB vs. MIB
To fit the distributed scenario, we propose the object-oriented MIB (O:MIB) technique for distributed networks as an alternative to the conventional MIB for ACNs. It is implemented on the basis of object-oriented XML technology (O:XML, footnote 3) and its integration with the Spring application framework (footnote 4). Figure 1 makes a characteristic comparison between MIBs and O:MIBs. The proposed distributed approach based on O:XML can also be applied to other networks, such as wireless ad-hoc networks and wireless sensor networks, where peer-to-peer connectivity and network activities are supported.

Fig. 1. Comparison Between Conventional SNMP MIB and O:MIB

  Conventional MIB             | Object-oriented MIB
  -----------------------------|-----------------------------------------------------------------------
  Hierarchical Structure       | Hierarchical Structure
  Information Elements Stored  | Information Elements + Functions, Algorithms + Embedded Agent Semantics
  Data Oriented                | Object-oriented/On-demand
  SMI/ASN.1-Standardized       | O:XML-Enabled
  Static/Fixed                 | Dynamic/Extensible/Reconfigurable
4 Vulnerability Awareness System (VAS)

The main functions of the VAS are described as follows: 1) Seeking the right timing to activate compact security mechanisms while maintaining performance, minimizing the use of system resources and operational costs. 2) Seeking the safety bound as the minimum vulnerability bottom line under which the system cannot maintain efficient autonomy any more.

4.1 Information-Theoretic Mathematical Model
In this section, we propose a way of modelling MIB variables and a new way of applying entropy metrics to measure the uncertainties of these random variables using Shannon's information theory. The readable and writable information contents are given in Definitions 1 and 2. We denote E as the elements in MIBs and X as the set of all the variables in MIBs, and we model the input of the Awareness Strategy (AS) in Figure 2 as the set of random variables $X = \{X_1, X_2, \cdots, X_k, \cdots, X_n\}$ for elements; one element $E_j$ could contain multiple variables, and each variable could have multiple symbols to describe itself, i.e., $X_k = \{x_1, x_2, \cdots, x_i, \cdots, x_n\}$, where $X_k = 1$ represents that this variable is writable only and $X_k = 0$ represents that this variable is readable only. The access permissions of variables are time-variant, which means the accessibility of MIB file variables could be altered by the output of the awareness strategy functional block. The preliminary output of the AS is also modelled as random variables $Y = \{Y_1, Y_2, \cdots, Y_i, \cdots, Y_n\}$ after acquiring all the variable statuses. The final output of the AS is a scalar parameter $\lambda \in [0, 1]$.

Proposition 1. Given that the element $E_j$ is of rewritable status, the larger the value of $IV_{E_j}$, the more significant the variable $X_k$ is for element $E_j$, the more uncertain information content this variable carries, and hence the more vulnerable this variable is to the system. Some rules of the awareness strategy are related to this definition and to the remarks in this paper.

We design a matrix form to represent all the associated information for MIB variables. For example, taking 4 variables with up to 6 symbols for element j, the symbol set $S_j$ at time $t_k$ can be denoted as:

$$
S_j(t_k) = \begin{bmatrix}
5 & 1 & | & 1 & 1 & 1 & 1 & 1 \\
- & - & | & - & - & - & - & - \\
4 & 1 & | & 1 & 1 & 1 & 0 & 1 \\
2 & 0 & | & 0 & 0 & 0 & 1 & 1
\end{bmatrix}_{M \times N}
\qquad
P_j(t_k) = \begin{bmatrix}
5 & 1 & | & 0.1 & \cdots & 0.15 & 0.15 \\
- & - & | & - & \cdots & - & - \\
4 & 1 & | & 0.25 & \cdots & 0 & 0.25 \\
2 & 0 & | & 0 & \cdots & 0.5 & 0.5
\end{bmatrix}_{M \times N}
$$

where each row of the matrix represents one variable. Each value in the first column gives the number of symbols of the variable in that row. Each value in the second column shows whether the variable in that row is "writable" or "readable": the value "0" indicates that the status of that variable is readable but not writable, and the value "1" indicates that the status of that variable is writable and readable.

Footnote 3: http://www.o-xml.org/
Footnote 4: http://www.springframework.org/
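As an added worked example (not code from the paper or its Java agent system), the following Python implements the row layout above and evaluates the writable and readable information of Definitions 1 and 2 (Eq. 1 and Eq. 2) and the effective information of Eq. 3 that are defined next. The middle probabilities of the paper's $P_j$ matrix are elided, so the per-row probabilities here are constructed; the logarithm base (2), the convention $0 \cdot \log 0 = 0$, and taking $I_j(t)$ in Eq. 3 to be the writable information are assumptions of this example.

```python
import math

# Constructed sample probability matrix P_j(t_k) in the layout the paper uses:
# column 0 = number of symbols of the variable, column 1 = access flag
# (1 = writable and readable, 0 = read-only), columns 2.. = per-symbol
# probabilities. The paper elides the middle probabilities ("..."), so the
# values below are constructed to sum to 1 per row; trailing zeros are padding.
P_J = [
    [5, 1, 0.10, 0.30, 0.30, 0.15, 0.15],   # writable, 5 symbols
    [4, 1, 0.25, 0.50, 0.00, 0.25, 0.00],   # writable, 4 symbols (last entry is padding)
    [2, 0, 0.50, 0.50, 0.00, 0.00, 0.00],   # read-only, 2 symbols
]


def _plogp(p):
    """p * log2(p) with the convention 0 * log 0 = 0.
    Base 2 is an assumption; the paper writes an unspecified log."""
    return p * math.log2(p) if p > 0 else 0.0


def writable_information(P):
    """Definition 1 / Eq. (1):
    WI_j(t) = -sum_m sum_n P[m,1] * P[m,n] * log P[m,n],
    with n running over columns 2 .. P[m,0]+1 (the symbol columns of row m)."""
    total = 0.0
    for row in P:
        count, flag = int(row[0]), row[1]
        for n in range(2, count + 2):
            total += flag * _plogp(row[n])
    return -total


def readable_information(P):
    """Definition 2 / Eq. (2):
    RI_j(t) = sum_m sum_n (P[m,1] - 1) * P[m,n] * log P[m,n];
    the factor (flag - 1) is -1 for read-only rows and 0 for writable rows."""
    total = 0.0
    for row in P:
        count, flag = int(row[0]), row[1]
        for n in range(2, count + 2):
            total += (flag - 1) * _plogp(row[n])
    return total


def effective_information(P, lambda_c, flow_term=0.0, gamma=0.0):
    """Eq. (3): EI_j(t) = lambda_c * [I_j(t) + f(.) + gamma(t)].
    Assumption: I_j(t) is the writable information; flow_term and gamma are
    supplied as already-measured scalars (information-flow change, disturbance)."""
    if not 0.0 <= lambda_c <= 1.0:
        raise ValueError("lambda_c must lie in [0, 1]")
    return lambda_c * (writable_information(P) + flow_term + gamma)


if __name__ == "__main__":
    print("WI_j =", round(writable_information(P_J), 4))   # entropy of the writable rows
    print("RI_j =", round(readable_information(P_J), 4))   # entropy of the read-only row
    print("EI_j =", round(effective_information(P_J, 0.5, flow_term=0.2, gamma=0.1), 4))
```

Only the writable rows contribute to $WI_j$ and only the read-only row to $RI_j$, so lowering the flag of a high-entropy row (which is what the awareness strategy does through $\lambda_c$) moves its entropy from the writable sum to the readable sum and directly reduces the exposed information.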
The probability set $P_j$ at time $t_k$ of each symbol of each variable is denoted $P_j(t_k)$. Hence, the average readable information content and rewritable information content of element j in a stream of bits can be calculated from the above probability matrix.

Definition 1. We define the writable information as follows:

$$
WI_j(t) = -\sum_{m=0}^{M-1} \sum_{n=2}^{[P_j(t)]_{m,0}+1} [P_j(t)]_{m,1} \cdot [P_j(t)]_{m,n} \cdot \log (P_j)_{m,n} \quad (1)
$$

Definition 2. We define the readable information as follows:

$$
RI_j(t) = \sum_{m=0}^{M-1} \sum_{n=2}^{[P_j(t)]_{m,0}+1} \left([P_j(t)]_{m,1} - 1\right) \cdot [P_j(t)]_{m,n} \cdot \log (P_j)_{m,n} \quad (2)
$$

where $WI_j(t)$ stands for the sum of writable information entropy and $RI_j(t)$ stands for the sum of readable information entropy.

$$
EI_j(t) = \lambda_c \times [I_j(t) + f((t)) + \gamma(t)] \quad (3)
$$

where $EI_j(t)$ is termed the Effective Information, which is the ultimate probability of writable information contents in MIBs after considering disturbances and mis-configuration errors. As shown in Figure 2, $\lambda_c$ is the normalized parameter that is the output of the security awareness function, $\lambda_c \in [0, 1]$, where "0" means read only and "1" means fully writable. Any value between 0 and 1 represents the writable percentage of the MIB variables or files (e.g., due to the coded encryption for modifications of MIB variables). $\lambda_c$ re-sets the writable levels of information contents based on the threat level.

4.2 Integrated Security Awareness Framework (SAF)
Multiple factors are taken into consideration in the proposed integrated SAF. All these factors work together to affect the network security awareness status, and the correlation of these factors is analyzed in this section too. The factors include (1) the system vulnerability warning derived from the readability and writability of the MIB variables, (2) information flow changes f(x) during a time interval, which include network traffic conditions and real multiple-service conditions, (3) past memories of vulnerability towards attack/virus conditions, (4) disturbance effects and (5) the influence of internal mis-configuration errors (see Figure 2). The awareness mechanism that executes the awareness strategy is implemented with Self-Organizing Maps (SOMs), a kind of unsupervised ANN. The reason for selecting SOMs is their good classification and clustering performance, as reported in [5]. Furthermore, SOMs have the ability to identify new vulnerability patterns when new threats or attacks increase. For details of the SOMs used in this paper, refer to the section on experiments. The proposed integrated SAF is assessed through our vulnerability analysis, which is based on two main mathematical notions, as follows.

Remark 1. ReWritability ($RW = \frac{\text{RewritableVariables}}{\text{TotalReadableVariables}}$) of the file system is one of the main necessary conditions for evaluating the adaptability of the overall information system. TotalReadableVariables consists of read-only variables and rewritable variables. RW is used as a key parameter in determining the vulnerability because we found that the rewritability of overall MIB variables for all system-wide MIB files is roughly proportional to the specifically predefined system vulnerability threshold values in the simulation (footnote 5).

Remark 2. The overall ReWritability of MIB variables in all MIB files can be used as a measurable parameter for determining system vulnerability.

Fig. 2. Overview of Proposed Framework

Footnote 5: A Matlab function below is created as a proof: function Ratio = ratio(U, WW, Min, Max, n).

4.3 Our Algorithm: Adaptive Reconfiguration of O:MIB File/Variable Access Permission

File/variable access rights are reconfigured via methods defined in O:XML, which modify the O:MIB's own symbols. Inspired by the cell-mediated response model of the human immune system, we propose a decentralised self-adaptive algorithm based on bio-inspired agent technology. Figure 3 lists the comparisons between the biological behaviours of the human immune system and the corresponding parts of our algorithm, where the biological inspirations can be clearly seen. The algorithm steps are as follows:

Step 1: When one agent finds some threats within radius r (r is the Euclidean distance between this agent and other agents) during one time interval t, it warns its neighbours of those abnormal behaviours, and hence the system alarm level is increased by an increment. This process is repeated every interval t.
Fig. 3. Comparisons between Human Immune System and the Proposed Bio-inspired Algorithm

  Human Immune Network (Focusing on Cell Mediated Response) | Proposed Bio-inspired Algorithm
  ----------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------
  Cells (e.g., B-Cells and C-Cells)                         | Peer Agents
  Pathogens                                                 | Network Threats/Attacks/Malicious codes
  Information stored in Paratope and Idiotope               | Peer agents find the best timing of stimulating the awareness function based on (1) level of threats/damage, (2) other affinity (e.g., locations, service types, application categories)
  Paratope and Idiotope                                     | CSV(.) and H(.) used to calculate SV(.) according to Equation 11 and Eq. 12
  Clustered Cells (e.g., Affinity)                          | Functional groups of agents (e.g., Functionality)
Step 2: Information theory is applied to reduce the dimensionality of the related MIB variables.

Step 3: When the alarm level reaches the dynamic threshold, the $\lambda_c$ value is adjusted accordingly and consequently the protection mechanism is activated, i.e., the rewritability of the associated MIB variables is reconfigured by increasing or decreasing it by a step value, which is varied dynamically. Equation 1 and Eq. 2, together with network traffic patterns, are three important observations indicating abnormal network activities with respect to MIB information flows; the subsequent actions amount to hiding information from malicious attackers in order to limit their access. By manipulating the MIB variable access permissions according to the threat information, we achieve a security system for an autonomic service management system.
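The three steps above, as an added Python example that is not the authors' agent implementation: agents report threats seen within radius r and warn their neighbours (Step 1), the alarm level accumulates by an increment per interval, and once it reaches the threshold $\lambda_c$ is lowered by a step and the highest-entropy variables (the most vulnerable ones by Proposition 1, which is how Step 2's information-theoretic ordering is used here) are locked to read-only (Step 3); the RW ratio of Footnote 1 is recomputed every interval so the adaptability recovery can be observed. The agent coordinates, the variable probabilities, the decay of the alarm in quiet intervals and the cooldown before $\lambda_c$ recovers are constructed assumptions of this example, not parameters from the paper.

```python
import math
from dataclasses import dataclass


@dataclass
class Agent:
    name: str
    pos: tuple          # constructed (x, y) coordinates for the Euclidean radius test


@dataclass
class MibVariable:
    name: str
    probs: list         # symbol probabilities, as in the paper's P_j matrix
    writable: bool = True

    def entropy(self):
        """Shannon entropy in bits (log base 2 is an assumption)."""
        return -sum(p * math.log2(p) for p in self.probs if p > 0)


def warn_neighbours(agents, reporter, r):
    """Step 1: names of the agents within Euclidean distance r of the reporter."""
    return sorted(a.name for a in agents
                  if a is not reporter and math.dist(a.pos, reporter.pos) <= r)


def rewritability(variables):
    """RW = rewritable variables / total readable variables (every variable is readable)."""
    return sum(v.writable for v in variables) / len(variables)


def apply_lambda(variables, lambda_c):
    """Step 3 with Step 2's ordering: keep a lambda_c fraction of the variables writable,
    locking the highest-entropy (per Proposition 1, most vulnerable) ones first."""
    n_writable = round(lambda_c * len(variables))
    for rank, v in enumerate(sorted(variables, key=lambda v: v.entropy())):
        v.writable = rank < n_writable


def simulate(agents, variables, threats, *, r, threshold, increment, step, cooldown, intervals):
    """Run the alarm / reconfiguration loop and return (t, alarm, lambda_c, RW) per interval.
    `threats` is a set of (t, agent_name) observations. Assumptions: the alarm decays by
    `increment` in a quiet interval, and lambda_c recovers by `step` after `cooldown`
    consecutive quiet intervals."""
    alarm, lambda_c, quiet, history = 0.0, 1.0, 0, []
    for t in range(intervals):
        reporters = [a for a in agents if (t, a.name) in threats]
        if reporters:
            for a in reporters:
                warn_neighbours(agents, a, r)          # neighbours receive the warning
            alarm += increment
            quiet = 0
        else:
            alarm = max(0.0, alarm - increment)
            quiet += 1
        if alarm >= threshold:                         # dynamic threshold reached: protect
            lambda_c = max(0.0, lambda_c - step)
            alarm = 0.0
        elif quiet >= cooldown and lambda_c < 1.0:     # threat gone: recover adaptability
            lambda_c = min(1.0, lambda_c + step)
        apply_lambda(variables, lambda_c)
        history.append((t, round(alarm, 3), lambda_c, rewritability(variables)))
    return history


# Constructed scenario: four agents, eight variables, threats seen by a1 at t = 0, 1, 2.
AGENTS = [Agent("a1", (0, 0)), Agent("a2", (1, 0)), Agent("a3", (5, 5)), Agent("a4", (9, 9))]
VARIABLES = [MibVariable("v1", [1.0]), MibVariable("v2", [0.9, 0.1]),
             MibVariable("v3", [0.8, 0.2]), MibVariable("v4", [0.7, 0.3]),
             MibVariable("v5", [0.6, 0.4]), MibVariable("v6", [0.5, 0.5]),
             MibVariable("v7", [0.25] * 4), MibVariable("v8", [0.125] * 8)]
THREATS = {(0, "a1"), (1, "a1"), (2, "a1")}


def run_scenario():
    return simulate(AGENTS, VARIABLES, THREATS, r=2.0, threshold=0.25,
                    increment=0.1, step=0.25, cooldown=2, intervals=6)


if __name__ == "__main__":
    for t, alarm, lam, rw in run_scenario():
        print(f"t={t} alarm={alarm:.2f} lambda_c={lam:.2f} RW={rw:.2f}")
```

In this run the alarm crosses the threshold at t = 2, $\lambda_c$ drops from 1.0 to 0.75, and the two most uncertain variables (v7, v8) become read-only, so RW falls to 0.75; two quiet intervals later $\lambda_c$ is restored and RW returns to 1.0, which is the recovery behaviour the simulation section measures as recovery time.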
5 Experiment

In order to evaluate the performance of the proposed vulnerability awareness strategy, an experiment is conducted based on the process described in Figure 2. Self-Organizing Maps (SOMs) are applied in the vulnerability awareness function as a vulnerability classifier in our experiments. To simplify the experiments, the input of the SOMs in this simulation is limited to the following three categories: (1) the changes of MIB information flows during a time interval, i.e., ReWritability variations; (2) network traffic conditions; (3) observed disturbances and internal errors, if applicable. Compared to the higher dimensionality of the input data, the output of the SOMs is a lower-dimensional space. When the network is fully trained, it is ready to cluster the data on the SOM map. After some tests using the testing data, the 4 defined classified zones are found. In our simulation, the output of the SOM output neurons is a 2-dimensional space split into 4 classified zones, namely zones A, B, C and an unacceptable zone. These zones correspond to what we describe as safe zone A, risk zone B and high-risk zone C.
Table 1. Parameters of Self-Organizing Map for Vulnerability Level

  Number of Input Layer   | 3
  Row of Output Layer     | 20
  Column of Output Layer  | 20
  Topology                | Rectangular
  Learning efficiency     | 0.9
  Iteration Number        | 2000
  Error limit             | 5E-12

Table 2. Part of Testing Results

  Test Set            | Desired Winning Neurons
  --------------------|------------------------
  f(x) + Disturbance  | 30
  f(x)                | 153
  f(x) + Disturbance  | 20
  f(x)                | 345
  f(x) + Disturbance  | 10
  f(x)                | 127
Classified SV information is then obtained by the Java agent simulator, which invokes the methods and algorithms predefined in the O:XML files. Afterwards, the RW of the associated MIB variables is ready to be modified. The process of training the SOMs and testing them uses testing data that is part of the training dataset, generated by our Distributed Traffic Generator (D-ITG), together with a ReWritability dataset generated by Monte Carlo simulation, where a random number generator produces the whole dataset. The SOM structure used in the simulation is a rectangular lattice network formed by a total of 400 neurons (20 × 20). This size is chosen for two reasons: firstly, it gives a clear visualization effect, and secondly, the literature [5] suggests that the number of map cells should be lower than the number of input sets. Therefore, to give a better visualization effect, the number of input samples is 400 > 300 > 17 × 17; it is acceptable to have 20 since it is only slightly larger than 17. In our simulation, we repeatedly generate groups of data every 300 s, and the disturbances and internal errors are also generated arbitrarily; hence, in the future, we wish to adopt real network traffic data with real disturbances to train our SOMs.

5.1 Simulation Results
We use the Distributed Traffic Generator (D-ITG) to generate real traffic patterns. TCP traffic with a Poisson distribution is adopted, with packet size = 512 bytes and an average of 1000 packets/s. The traffic pattern, applied by means of the bit-rate figure of the generated traffic, covers a continuous simulation time of 700 s, and the same pattern is repeated in the input data samples to the SOMs. The disturbances are introduced arbitrarily during a period of time and are shown as the peak lines.
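To show how the SOM classifier of this section turns the three-dimensional awareness input into winning neurons, here is an added minimal SOM in pure Python; it is not the authors' simulator or any SOM toolbox. The lattice size, the learning-rate and neighbourhood schedules, and the three constructed input clusters standing in for zones A, B and C are assumptions of this example; the paper's 20 × 20 map with 2000 iterations is obtained by changing the constructor and `train()` arguments.

```python
import math
import random


class VulnerabilitySOM:
    """Minimal rectangular-lattice SOM (added example, not the authors' code) that
    clusters 3-dimensional awareness inputs: (1) ReWritability variation, (2) traffic
    level, (3) disturbance / internal-error level, each scaled to [0, 1] (assumption)."""

    def __init__(self, rows=10, cols=10, dim=3, seed=7):
        self.rows, self.cols, self.dim = rows, cols, dim
        rng = random.Random(seed)
        self.weights = [[rng.random() for _ in range(dim)] for _ in range(rows * cols)]

    def bmu(self, x):
        """Index of the best-matching (winning) neuron for input x."""
        return min(range(len(self.weights)),
                   key=lambda i: math.dist(self.weights[i], x))

    def coords(self, idx):
        """Lattice (row, column) of neuron idx."""
        return divmod(idx, self.cols)

    def train(self, data, iterations=300, alpha0=0.5, sigma0=None, seed=11):
        """Classic online SOM update with a Gaussian neighbourhood around the winner."""
        sigma0 = sigma0 or max(self.rows, self.cols) / 2
        rng = random.Random(seed)
        for it in range(iterations):
            frac = it / iterations
            alpha = alpha0 * (1 - frac)                    # linearly decaying learning rate
            sigma = max(0.5, sigma0 * (1 - frac))          # shrinking neighbourhood radius
            x = rng.choice(data)
            br, bc = self.coords(self.bmu(x))
            for idx, w in enumerate(self.weights):
                r, c = self.coords(idx)
                d2 = (r - br) ** 2 + (c - bc) ** 2
                h = math.exp(-d2 / (2 * sigma * sigma))    # neighbourhood influence
                for k in range(self.dim):
                    w[k] += alpha * h * (x[k] - w[k])

    def quantization_error(self, data):
        """Mean distance from each input to its winning neuron (lower = better fit)."""
        return sum(math.dist(self.weights[self.bmu(x)], x) for x in data) / len(data)


def make_samples(n_per_zone=40, seed=3):
    """Constructed inputs around three centres standing in for the safe (A), risk (B)
    and high-risk (C) zones; not data from the paper's simulation."""
    rng = random.Random(seed)
    centres = {"A": (0.1, 0.1, 0.05), "B": (0.5, 0.5, 0.3), "C": (0.9, 0.9, 0.9)}
    samples = []
    for zone, c in centres.items():
        for _ in range(n_per_zone):
            samples.append((zone, tuple(min(1.0, max(0.0, v + rng.uniform(-0.05, 0.05)))
                                        for v in c)))
    return samples


def train_and_label(som=None):
    """Train on the constructed samples; return (qe_before, qe_after, zones_of_winner),
    where zones_of_winner maps each winning neuron index to the zone labels it won."""
    som = som or VulnerabilitySOM()
    samples = make_samples()
    data = [x for _, x in samples]
    qe_before = som.quantization_error(data)
    som.train(data)
    qe_after = som.quantization_error(data)
    zones_of_winner = {}
    for zone, x in samples:
        zones_of_winner.setdefault(som.bmu(x), set()).add(zone)
    return qe_before, qe_after, zones_of_winner


if __name__ == "__main__":
    before, after, zones = train_and_label()
    print(f"quantization error: {before:.3f} -> {after:.3f}")
    for idx in sorted(zones):
        print("neuron", idx, "wins for zones", sorted(zones[idx]))
```

After training, the winning-neuron indices play the role of the "Desired Winning Neurons" column of Table 2: an operator labels the neurons claimed by each cluster as zone A, B, C or unacceptable, and a new input is classified by the zone of its winner.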
Fig. 4. Simulation Results. Panel "ReWritability Vs Time": adaptively updated rewritability for O:MIB variables (y-axis Rewritability, x-axis Time (s), 0–300) for VB = 0.2, 0.3, 0.5, 0.7, 0.8 and 0.9, with a trend line. Panel "Average Rewritability Changing Frequency Vs Time": average rewritability varying frequency (y-axis, roughly 470–520) against Time (s), 0–300.

Fig. 5. Fitness of Average Counts: probability plot (y-axis Probability, 0.001–0.999) of the averageCounts data (x-axis Data, 480–515) with the fitted curve "fit 2".
According to the vulnerability information from the SOM, the methods and algorithms defined in O:XML are invoked by the Java agents. The simulation results of our algorithm are shown in Figure 4, where we take the configuration parameters VB = [0.1:0.1:0.9] and Step = 0.1. These results aim at finding a bound to guide the study of acceptable autonomy and vulnerability. We tested different system adaptability states under different pre-set VulneraBility Levels (VBL) and found that, with our algorithm adaptively reconfiguring file/variable access permissions, the system adaptability returns to normal in the long run. Considering time efficiency, however, such as recovery time and awareness speed, we can see that when VBL ≤ 0.5 (e.g., 0.2 and 0.3) it takes the system an intolerable time (≥ 300 s) to recover its adaptability. On the contrary, when VBL ≥ 0.5 (e.g., 0.5, 0.7, 0.8, 0.9), recovery time and response speed are both in the tolerable range. The trend line shown in this figure demonstrates the trend for VBL = 0.8 as an example. Therefore, we conclude that the tolerable region of VBL selection for operators is from 0.5 to 0.9. The best region for VBL selection in terms of awareness speed (maximum RecoveryTime / totalPeriodCoverageTime = 20 s / 60 s ≤ 33%) and adaptability recovery (≤ 0.18), measured from the simulation result data, is VBL ≥ 0.8. A random number generator is used in this experiment; therefore, around 50% of the MIB variables are writable or readable only (see Figure 5). This is a special case of a real network scenario, but the simulation results based on these data are still significant and of practical use.
6 Conclusion

This paper proposes a general analysis of vulnerability and autonomy issues on the basis of our innovative O:MIB structure; this new structure is shown to be intuitively efficient and better suited to future distributed peer-to-peer communication in ACNs. We argue that O:MIB can serve as an alternative to the current MIB used by industry. The simulation results based on the benchmark prototype, SOMs, are promising and indicate better performance. The self-protecting and self-healing features of the desired ACNs can be improved significantly and guaranteed by applying the proposed framework, structure and algorithmic scheme.
References

1. Kreidl, O., Frazier, T.: Feedback control applied to survivability: a host-based autonomic defense system. IEEE Transactions on Reliability 53(1), 148–166 (2004)
2. Kephart, J., Chess, D.: The vision of autonomic computing. Computer 36(1), 41–50 (2003)
3. Chiang, F., Braun, R., Hughes, J.: A biologically inspired multi-agent architecture for autonomic service management. Journal of Pervasive Computing and Communications 2(3), 261–275 (2006)
4. Sweitzer, J.W., Thompson, P., Westerinen, A.R., Williams, R.C., Bumpus, W.: Common Information Model: Implementing the Object Model for Enterprise Management. John Wiley and Sons, Chichester (1999)
5. Kohonen, T.: Self-organizing maps. Springer, Berlin, New York (2001)