Using Security Policies to Automate Placement of Network Intrusion Prevention

Talele, Nirupama; Teutsch, Jason; Jaeger, Trent; Erbacher, Robert F.

doi:10.1007/978-3-642-36563-8_2

Cited by 6 publications

(13 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The recent work by Talele et al [26,25] addresses a similar problem: that of finding a minimal set of IDS placements that will obtain a given graph property. Their work, however, requires knowledge of information flows which we do not consider.…”

Section: Related Workmentioning

confidence: 99%

Defensive Resource Allocations with Security Chokepoints in IPv6 Networks

Gueye

Mell

Harang

et al. 2015

Data and Applications Security and Privacy XXIX

View full text Add to dashboard Cite

Abstract. Securely configured Internet Protocol version 6 networks can be made resistant to network scanning, forcing attackers to propagate following existing benign communication paths. We exploit this attacker limitation in a defensive approach in which heightened security measures are deployed onto a select group of chokepoint hosts to enhance detection or deter penetration. Chokepoints are chosen such that, together, they connect small isolated clusters of the communication graph. Hence, attackers attempting to propagate are limited to a small set of targets or have to penetrate one or more chokepoints. Optimal placement of chokepoints requires solving an NP-hard problem and, hence, we approximate optimal solutions via a suite of heuristics. We test our algorithms on data from a large operational network and discover that heightened security measures are only needed on 0.65% of the nodes to restrict unimpeded attacker propagation to no more than 15% of the network.

show abstract

Section: Related Workmentioning

confidence: 99%

Defensive Resource Allocations with Security Chokepoints in IPv6 Networks

Gueye

Mell

Harang

et al. 2015

Data and Applications Security and Privacy XXIX

View full text Add to dashboard Cite

show abstract

“…The mediator placement problem aims to resolve all information flow errors, as defined in an information flow model, such as the one below (adopted from Talele et al [37]). …”

Section: Mediator Placement Problemmentioning

confidence: 99%

“…In practice, input nodes form a small fraction of the number of nodes in a host's data-flow graph. Second, we compute the paths after the host graphs are summarized, which already eliminated spurious paths [37].…”

Section: Corresponding Info Flow Errors: If Node U1 ∈ V1mentioning

confidence: 99%

“…This work is motivated by Talele et al who build summaries of individual hosts to improve scalability to networks of tens of hosts with fine-grained access control policies [37], such as the SELinux reference policy that contains over 50,000 rules [28]. We identify several insights that enable additional, significant improvements in scalability.…”

Section: Introductionmentioning

confidence: 99%

“…When researchers consider all these layers, the problem was limited to a small number of machines [23]. Talele et al proposed a method whereby summaries of individual hosts are produced [37], yet only problems consisting of tens of hosts could be solved. Our goal is to develop methods for reasoning about organizational networks in their entirety.…”

mentioning

confidence: 99%

See 2 more Smart Citations

Monitor placement for large-scale systems

Talele

Teutsch

Erbacher

et al. 2014

Proceedings of the 19th ACM Symposium on Access Control Models and Technologies

Self Cite

View full text Add to dashboard Cite

System administrators employ network monitors, such as traffic analyzers, network intrusion prevention systems, and firewalls, to protect the network's hosts from remote adversaries. The problem is that vulnerabilities are caused primarily by errors in the host software and/or configuration, but modern hosts are too complex for system administrators to understand, limiting monitoring to known attacks. Researchers have proposed automated methods to compute network monitor placements, but these methods also fail to model attack paths within hosts and/or fail to scale beyond tens of hosts. In this paper, we propose a method to compute network monitor placements that leverages commonality in available access control policies across hosts to compute network monitor placement for large-scale systems. We introduce an equivalence property, called flow equivalence, which reduces the size of the placement problem to be proportional to the number of unique host configurations. This process enables us to solve mediation placement problems for thousands of hosts with access control policies containing of thousands of rules in seconds (less than 125 for a network of 9500 hosts). Our method enables administrators to place network monitors in large-scale networks automatically, leveraging the actual host configuration, to detect and prevent network-borne threats.

show abstract

A tight $$\sqrt{2}$$-approximation for linear 3-cut

et al. 2019

View full text Add to dashboard Cite

We investigate the approximability of the linear 3-cut problem in directed graphs, which is the simplest unsolved case of the linear k-cut problem. The input here is a directed graph D = (V, E) with node weights and three specified terminal nodes s, r, t ∈ V , and the goal is to find a minimum weight subset of non-terminal nodes whose removal ensures that s cannot reach r and t, and r cannot reach t. The problem is approximation-equivalent to the problem of blocking rooted in-and out-arborescences, and it also has applications in network coding and security. The approximability of linear 3-cut has been wide open until now: the best known lower bound under the Unique Games Conjecture (UGC) was 4/3, while the best known upper bound was 2 using a trivial algorithm. In this work we completely close this gap: we present a √ 2-approximation algorithm and show that this factor is tight assuming UGC. Our contributions are twofold: (1) we analyze a natural two-step deterministic rounding scheme through the lens of a single-step randomized rounding scheme with non-trivial distributions, and (2) we construct integrality gap instances that meet the upper bound of √ 2. Our gap instances can be viewed as a weighted graph sequence converging to a "graph limit structure".

show abstract

Using Security Policies to Automate Placement of Network Intrusion Prevention

Cited by 6 publications

References 18 publications

Defensive Resource Allocations with Security Chokepoints in IPv6 Networks

Defensive Resource Allocations with Security Chokepoints in IPv6 Networks

Monitor placement for large-scale systems

A tight $$\sqrt{2}$$-approximation for linear 3-cut

Contact Info

Product

Resources

About