Enterprise Networks


Enterprise Security: A Community of Interest Based Approach
Patrick McDaniel (psu), Subhabrata Sen, Oliver Spatscheck, Jacobus Van der Merwe, Charles Kalmanek (at&t), Bill Aiello (ubc)
NDSS’06

Outline
  Introduction
  Dataset
  Securing the End Host
  COI Profiles
  Throttling Disciplines
  Usability Analysis
  Security Analysis
  Conclusion and Comments
2008/2/22
Speaker: Li-Ming Chen
2

Enterprise Networks
Enterprise networks have certain properties which make it easier to protect them
  Known network topology
  Have knowledge of all end hosts allowed
  Manageable end hosts
  Controllable routers and switches
Traditional perimeter defense – firewalls
  Using rules to protect internal hosts from potentially malicious external hosts

Motivation and Goal
(vs. Internet) Corporate enterprise networks carry the vast majority of mission critical communications
Firewalls are not enough
A successful worm attack within it will be substantially more devastating to most companies than attacks on the Internet
Worms might be introduced by laptops or by unauthorized software installations
These attacks are exacerbated by the size of enterprise networks
(Goal) Improve the protection against active malware within enterprise networks
Protect internal-to-internal communications!

Dataset
11 weeks of flow records are collected from a single site in a large enterprise environment (at&t..?)
  This environment consists of more than 400 distributed sites and serves more than 50,000 users
  The flow records contain all traffic for more than 300 hosts
  Take 150 hosts that communicated during the entire 11 week period as the focal point of the analysis
Data preprocessing:
  Exclude the communication with the external hosts
  Only focus on TCP and UDP traffic
  Remove weekend data
  Tag data with client/server designations

Problem Settings
Defining rules for dropping or allowing packets where both the source and destination are internal hosts
  Rules could be any arbitrary subset of the 4-tuple: source IP, destination IP and port, protocol
A brownfield approach
  Targets existing large, complex enterprise networks
  The design space of rules should follow 3 principles: security, usability, manageability

Methodology
Premise
  If future communication patterns are constrained to historical “normal” communication patterns, then the ability of malware to exploit vulnerabilities in the enterprise is severely curtailed
  This premise might hinder both usability and security
Approaches:
  Develop a COI (Community of Interest) profile of each end host to capture what communication is normal
  Define TDs (Throttling Disciplines) to handle out-of-profile communications

Simple COI Profiles
Pure history-based profiles for a given set of clients
1. PCSPP {Proto, Client, Server, Server Port}
  Most closely represents past communication
  Suffers from the problem of applications using ephemeral ports
2. PCSP {Proto, Client, Server}
  Wildcards the Server Port
3. PSP {Proto, Server}
  Only contains all {Proto, Server} tuples for the given set of clients
To compensate for the presence of ephemeral port communication (promote usability), but with weak security

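An added example (not from the slides or the paper) of how the three simple profiles differ on the same traffic: each profile is a different projection of the flow tuple, built from training flows and checked against a test period. The `Flow` records, addresses and function names are constructed for illustration.

```python
# Added example: constructed flow records, not data from the paper.
from collections import namedtuple

Flow = namedtuple("Flow", "proto client server port")

# Each simple profile keeps a different projection of the flow tuple.
PROJECTIONS = {
    "PCSPP": lambda f: (f.proto, f.client, f.server, f.port),
    "PCSP":  lambda f: (f.proto, f.client, f.server),   # server port wildcarded
    "PSP":   lambda f: (f.proto, f.server),             # any client in the set
}

def build_profiles(training_flows):
    """Return {profile name: set of allowed tuples} from historical flows."""
    return {name: {proj(f) for f in training_flows}
            for name, proj in PROJECTIONS.items()}

def misses(profiles, test_flows):
    """Return {profile name: list of out-of-profile flows} for the test period."""
    return {name: [f for f in test_flows if PROJECTIONS[name](f) not in allowed]
            for name, allowed in profiles.items()}

# Constructed training history (hypothetical internal addresses).
TRAIN = [
    Flow("tcp", "10.0.0.5", "10.0.1.10", 445),
    Flow("tcp", "10.0.0.5", "10.0.1.20", 49152),   # application on an ephemeral port
    Flow("udp", "10.0.0.6", "10.0.1.30", 53),
]
# Constructed test period.
TEST = [
    Flow("tcp", "10.0.0.5", "10.0.1.10", 445),     # seen before: in every profile
    Flow("tcp", "10.0.0.5", "10.0.1.20", 50233),   # same pair, new ephemeral port
    Flow("udp", "10.0.0.5", "10.0.1.30", 53),      # known server, new client
    Flow("tcp", "10.0.0.6", "10.0.1.99", 137),     # server never seen in training
]

def miss_counts():
    """Number of out-of-profile test flows under each profile type."""
    result = misses(build_profiles(TRAIN), TEST)
    return {name: len(flows) for name, flows in result.items()}
```

The coarser the projection, the fewer misses (better usability), but PCSP and PSP also accept a known pair or server on a port never used before, which is the weak-security side of the trade-off.
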
Extended COI Profile
Identify the ephemeral communications and define ephemeral rules to assist the PCSPP
Use an automated data clustering approach to accurately partition the training data
4-step approach:
  Non-ephemeral Global
  Non-ephemeral Per-Server
  Ephemeral (generate ephemeral rules)
  Non-ephemeral Unclassified
  Non-ephemeral steps generate PCSPP rules

Extended COI Profile (4-step Approaches)
[Figure: ports plotted by # of connections of port and # of servers using that port; labelled regions: popular service ports, ephemeral-like, ephemeral, unclassified]
• Step 1: Non-ephemeral Global: use K(2)-means to separate the heavy-hitter ports.
• The ports are then selected to build rules for PCSPP, (prot, c, s, p)
• Step 2: Non-ephemeral Per-Server: identify the significant (server, port) pairs.
• Also use K(2)-means algo.
• PCSPP rules: (prot, c, s, p)
• Step 3: Ephemeral: identify those (client, server) pairs communicating on many ports!
• Add ephemeral (range) rules.
• Step 4: add unclassified communication to the PCSPP!

3 Throttling Disciplines
n-r-Strict, n-r-Relaxed, n-r-Open
  Miss: every out-of-profile communication attempt by a host is deemed a miss
  n-r is the allowable rate of out-of-profile communication
  → means: “if the number of misses exceeds a threshold n within a time period r”
  Event: an event is triggered when the TD threshold n is reached

(for each client)   Before trigger event   The event
n-r-Strict          Block missed comm.     Block all comm.
n-r-Relaxed         Allow missed comm.     Block all comm.
n-r-Open            Allow missed comm.     Block just missed comm.

Usability Analysis (profile size)
The profile size will impact the complexity required to implement such a profile on a network device (switch/router/firewall)
  Profile size = number of rules needed to be specified
  A rule has slightly different definitions for the profiles
    E.g., PCSPP rules defined as (prot, c, s, p)
    E.g., Extended COI Profile includes: (1) non-ephemeral PCSPP rules (2) ephemeral communication rules

Usability Analysis (profile size) (cont’d)
(Conclude: the profile sizes are quite manageable !!)
(both UDP & TCP)
Require less than 400 ephemeral rules for the client set
TCP server ports are more stable than UDP server ports
Rules increase by adding client IP address

Usability Analysis (the prediction)
(Missed connections per client in PCSPP)
20% of the clients miss at least 100 connections per week. (Unusable PCSPP..)
(This highlights the need for a policy that allows for some level of out-of-profile comm.)
(Total connections per client)
The 4 test weeks have a comparable mix of client traffic.

Usability Analysis (Impact of 3 TDs)
Parameters of TDs simulation:
  Profile: PSP, PCSP, PCSPP, and extended COI
  TD: STRICT, RELAXED, OPEN
  c: the out-of-profile counter
  n: the allowed threshold, {0, 1, 5, 10, 15, 20}
  r: the counter-reset-time (reset to 0), {1 hr, 1 day}
  Block Time: the event execution time (after a client is unblocked c is reset to 0), {1 min, 10 min, 1 hr}
The simulation measures blocked events, blocked connections and blocked time.

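An added example (not the paper's simulator) of the three TDs as a per-client state machine driven by the parameters above: counter c, threshold n, counter-reset-time r and block time. It assumes an event fires when misses exceed n, that the triggering miss is itself blocked, and that r is a fixed counting window; the class, function names and trace are constructed.

```python
# Added example, not the paper's simulator. Times are in seconds.
STRICT, RELAXED, OPEN = "STRICT", "RELAXED", "OPEN"

class Throttle:
    """Per-client n-r throttling discipline with a fixed block time."""

    def __init__(self, td, n, r, block_time):
        self.td, self.n, self.r, self.block_time = td, n, r, block_time
        self.c = 0                  # out-of-profile (miss) counter
        self.window_start = 0.0     # start of the current r-long counting window
        self.blocked_until = None   # end of the current event, if any
        self.events = 0

    def allow(self, now, in_profile):
        """Return True if a connection attempt at time `now` is let through."""
        # An event ends once its block time has run; c is reset on unblock.
        if self.blocked_until is not None and now >= self.blocked_until:
            self.blocked_until, self.c, self.window_start = None, 0, now
        if self.blocked_until is not None:
            # During an event OPEN blocks only misses; the others block everything.
            return in_profile and self.td == OPEN
        if now - self.window_start >= self.r:       # counter-reset-time elapsed
            self.c, self.window_start = 0, now
        if in_profile:
            return True
        self.c += 1
        if self.c > self.n:         # assumption: event fires when misses exceed n
            self.blocked_until = now + self.block_time
            self.events += 1
            return False            # assumption: the triggering miss is blocked
        return self.td != STRICT    # STRICT blocks every miss, event or not

def replay(td, attempts, n=2, r=3600, block_time=600):
    """Replay (time, in_profile) attempts; return (decisions, event count)."""
    t = Throttle(td, n, r, block_time)
    return [t.allow(now, ok) for now, ok in attempts], t.events

# Constructed trace for one client: three misses, then mostly normal traffic.
TRACE = [(0, False), (10, False), (20, False), (30, True), (700, True), (710, False)]
```

Replaying `TRACE` under each discipline gives the same number of events but different blocked connections, and with `n=0` STRICT and RELAXED make identical decisions.
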
Usability (Impact of 3 TDs)
(Number of Blocking Events using 10 min. block time)
[Figure panels: 90%tile clients’ avg.; 50%tile clients’ avg.]
TDs and # of events are independent!

Usability (Impact of 3 TDs)
(Blocked Connections for 3 TDs using 10 min. block time)
[Figure: 90%tile clients’ avg.; labels: OPEN, RELAXED, STRICT]
• OPEN TD performs best in usability. (but cannot provide security..)
• 0-r-RELAXED = 0-r-STRICT.
• STRICT TD always blocks out-of-profile comm. even if no event occurs.
• Simple COI based profiles are becoming less usable as additional IP header fields are considered.
• r seems to impact the usability sub-linearly.

Usability (Impact of 3 TDs)
(Blocked Connections vs. Block duration)
RELAXED TD, r = 1 day, n = 10.
[Figure panels: 50%tile clients’ avg.; 90%tile clients’ avg.; 10 min. marked on each]
• The block time is determined by how quickly network operators react.
• Blocked connections increase sub-linearly with increasing block time.
• The result is acceptable..

Usability (Impact of 3 TDs)
(The Impact of Extended COI)
A substantial part of the out-of-profile connections in the PCSPP are due to ephemeral ports
  Use extended COI profile to more accurately predict such ephemeral comm.
  The table shows the relative improvement of the events and blocked connections of extended COI profile

Security Analysis
A simulation based security evaluation
  Performed in discrete time (rounds) within a modeled enterprise network
  The vulnerability (target port) is fixed
  Each infected host has a fixed probability s of successfully compromising one other host in a round
    But depends on the policy
  The infected hosts will attempt to infect other hosts in subsequent rounds
  The experiment terminates when all hosts are compromised or there are no hosts that can compromise any remaining uninfected hosts
  Assume all hosts that have the target port in their profile are vulnerable

Security Analysis (# of )
[Figure: protocols shown: SMTP, HTTP, DNS, DCE endpoint resolution, NETBIOS name service, NETBIOS name service, NETBIOS session service, HTTPS, Microsoft-DS (RPC)]
• The number of infectable hosts by protocols
• By construction, all hosts will be modeled as vulnerable in the PCSP and PSP

Security Analysis (Worst-case Scenario)
• Worst case: all hosts are vulnerable and no countermeasure is in place to detect and mitigate the worm.
• The curve demonstrates why worms are so dangerous.
• Hit-list worm takes only 14 rounds to infect the entire network.
• Goal: slow the rate of infection.. (hard to “stop a worm”)

Security Analysis (Worm Containment, # of infected hosts)
Worm infections on port 137, UDP, n=10, s=1%, 4 Profiles, 3 TDs.
[Figure annotations: 98%, 47%, around 30%]
• After 10 misses, the host is prevented from communicating over the network
• The STRICT almost never goes beyond a single host!
• The OPEN leads to more polar results.
• and the profile types begin to exhibit different levels of effectiveness!

Security Analysis (Worm Moderation, time to terminate)
Worm infections on port 137, UDP, n=10, s=1%, 4 Profiles, 3 TDs.
• 10 round lower bound occurs when the worm stays alive while it consumes its n=10 out-of-profile grace connections.
• The OPEN leads to polar behavior
• Notice that the time to saturation is significantly longer than the baseline simulation (allow more time to enact effectively)

Conclusion
This paper presented a brownfield approach to hardening an enterprise network against internally spreading malware.
  Can automatically generate 4 different individual host profiles to capture historical COI
  Define 3 security TDs.
The results validate the key premise of the approach
Examine the tradeoff between usability and security
Suggestion:
  Extended COI profile + n-r-Relaxed TDs
Future work:
  The profiles update!

My Comments
The Environment
  The COI-like approaches are suitable for well managed network environments
Compare to our work:
  It also relies on the historical normal dataset and mentions that the profiles need to be updated as communication patterns change over a longer time period.
  It focuses on the 4-tuple, especially the DP when building the Extended COI profiles
  As a detection mechanism, it emphasizes the tradeoff between security, usability and manageability
  → We focus on a scalable forensics mechanism and the tradeoff between the accuracy and scalability
  → FP (usability) is not that important in our case