Download Control Algorithm Vulnerability

Secure Network Design: New Directions
Sumit Ghosh
Hattrick Endowed Chaired Professor of Information Systems Engineering
Department of Electrical & Computer Engineering
Stevens Institute of Technology, Hoboken, NJ 07030
E-mail: [email protected]
Manifestation Des Jeunes Chercheurs Stic (MAJECSTIC) Conference 2003
Marseille, France
October 29-31, 2003
What are Networks?
•
Networks transport material or messages in electromagnetic (EM) form
•
•
Increasingly networks carrying EM messages are gaining importance
Messages represent
1. Information
2. Control
Fundamental elements of networks
1. Networking nodes providing computational intelligence
2. Links representing medium of transport
3. Control algorithms – unseen hand that makes networks work correctly
•
Why are Networks Important?
•
•
Increasingly, civilization evolving from matter-based to abstract (cyber-based)
All systems steadily evolving towards networked computational systems
•
•
Networks underlie all systems and are therefore indispensable
Networked systems parallel human civilization
1. Idea originates in an individual(s) and processed by the brain
2. Exchanged among different individuals and further processed
3. Eventually develops into a whole new product, solution, organization
Networked systems bring unique characteristics
1. Extremely fast processing and transport
2. Vast geographical coverage
3. Simultaneously reaches many many individuals
•
Why is Security of a Network Important?
•
Packets are encrypted, so how can they be vulnerable?
•
First, fundamental weakness is finite distance between source and destination
1.
Millions of miles in space, or
2.
Few millimeters in a VLSI chip
•
Packets exposed, not accompanied by either source or destination

Second, fundamentally, networks are shared; therefore:
Need to protect a user’s process from all other users’ processes
Need to protect a user from network components, gone haywire
Need to protect network elements from users’ processes
Damage -- accidental (rm *.* in unix), intentional (malicious)
Therefore, study of network security is here to stay
It is not a here-today-gone-tomorrow type topic
It is a very serious issue

Why is Security of a Network Node Important?
•
Networking node provides all intelligence, including authentication, etc.
•
Vulnerability from viruses and intrusions
•
All data and information are susceptible
•
If a perpetrator gains control, every activity can be misdirected
•
A fundamental challenge
1.
Login procedure is fundamental – authenticates user and system
2.
Requires combination of user account name and password(s)
3.
Fundamental vulnerability
Security of Transport Links
•
Vulnerability in a physical sense, i.e. being severe
•
All data and information in transit are susceptible
Control Algorithm Vulnerability?
•
Algorithm ties in nodes and links to achieve a desired objective
•
Algorithm encapsulates complex interactions between three elements
•
If algorithm is susceptible, nothing is trustworthy
•
Example: Exploit TCP's retransmission to deliberately cause network overload
•
Exemplified in World War II episodes
•
Strategically, U-boat warfare most critical
•
1.
U-boat command and control utilized enigma encryption machine
2.
Key to allied success lay in the Nazi failure to understand the key
importance of asynchronous distributed algorithms
Unique example from history: Precision bombing run during WWII
Control Algorithm Vulnerability (Cont'd)?
Bombers
Bomb drop
Beam 2
Bombers
Beam 1
Open bomb bay
Britain
Bombers
France
Why is Security Gaining Such Importance?
•
Increasingly, key national infrastructures are controlled by networks
1.
•
Telecommunications, power grid, financial services, etc.
X-10 network for via power line communication in homes

X-10 devices and controller

Turn on A/C in Arizona remotely from cell phone

Turn on outdoor pool following a sand storm in Arizona

Check whether garage door accidentally left opened

Monitor home following an alarm going off

Perpetrator may set fire to a specific home by overheating appliances

Worse, perpetrator may sacrifice many homes to destroy a target building
•
Accessing a patient’s medical record, routine or emergency care
•
Transmitting sensitive financial information
•
Exchanging proprietary trade secrets among company sites – GM, Prudential
•
Accessing individuals’ genetic map from gene analysis laboratories
•
Uses limited only by imagination, while losses cause irreversible damages
Security Guarantees Today
•In the Internet and IP networks, security assumes the forms
Encryption – applied to information in storage and in transit
Key management
Firewall
•Fundamental challenges
Recently invented primality algorithm from IIT Kanpur severely challenges
fundamental mathematical assumptions of encryption keys
Severe performance limitations
•Issues with a perpetrator intercepting data
Current thought: Immediate value of data is time-bound
Analysis of data may render it a timeless attribute, e.g. strategic thinking
Fundamental Principles Underlying IP
•
Store and forward
•
End to end reasoning
•
Consequences
•

Quality of service (QoS) fundamentally difficult

Differentiated services, etc. very difficult to realize

Security incorporated as an afterthought

Cannot prevent denial of service

Cannot prevent overload of TCP retransmissions

Cannot prevent network instability
IP network unsuited for secure transmission of sensitive information
1. Medical
2. Financial
3. Trade secrets
The Changing Nature of Networked Systems?
•Static data stored at a node may be less than useful
•Example: Shiny new car sitting in the dealer's parking lot does not make money.
The tell-tale sign of an efficient dealer is a sparse parking lot since the cars are sold
as soon as they are delivered.
•Data, enhanced, modified, and exchanged dynamically, is increasingly valuable –
(i) information vs. data and (ii) information is subjective
•Therefore, data in transit, is of the highest concern
New Directions in Secure Network Design
•
Unique philosophical insight – in this creation, nothing for which no opposite
•
New networking principles
1.
Fundamental security framework to objectively analyze network security
1.
Adopted by NSA in NRM
2.
Translate security into a quality of service (QoS) metric
2.
Select and establish secure route (connection-oriented) prior to propagating traffic
3.
ATM, MPLS excellent candidates or design a new network (modified ATM)
•
Security is an interdisciplinary challenge
•
New approach and tools
1.
Understand fundamental principles in great depth
2.
Synthesize algorithm and threat scenarios
3.
Test and validate utilizing comprehensive metrics
1.
Behavior modeling
2.
Asynchronous distributed simulation on a network of workstations
3.
Representative traffic model
Baltimore
9
Ft Meade
Downtown,
D.C.
9
9
9
9
The
Pentagon
Andrews AFB
0
Naval
Academy
0
0
Alexandria/Ft Belvoir
0
Norfolk/NB
Node
0
Security matrix (overall value)
9
The White House
Source Node - The White House
Destination Node - Norfolk/Naval Base
Baltimore
9
Ft Meade
Downtown,
D.C.
9
9
9
9
Andrews AFB
0
The White House
Naval
Academy
0
The
Pentagon
0
0
Alexandria/Ft Belvoir
Norfolk/NB
Node
0
Security matrix (overall value)
Route Selected
9
Source Node - The White House
Destination Node - Norfolk/Naval Base
Whidbey Island NAS
23
To Indianapolis
44
Downtown, D.C.
42
Bangor Sub Base
46 Ft Meade
Andrews AFB
22
20
Seattle
Hanford Nuclear
45
Tacoma Reservation
19
Group 3
21
The
Pentagon
24
Milwaukee/
Great Lakes
Naval Tng Ctr
Ft Lewis
To Seattle
To San Francisco
Chicago/DFAS
15
10
43
Dayton/Wright
Patterson AFB
13
Group 4
Denver/DFAS
To Long
Beach
To Atlanta
26
Aurora/
Rocky Flats
28
Colorado Springs/
USAFA/Ft Carson
Group 1
To Dayton
27
Group 5
Los Angeles
Atlanta
Columbus
Ft Benning
3
Long Beach
2
El Toro
4
Augusta/
Ft Gordon
32
33
31
5 Camp Pendleton
1
To Norfolk
To
Chicago
To Denver
1
To Baltimore
Group 7
To Los Angeles
1
Norfolk/NB
San Jose
Group 2
To San Jose
Alexandria/Ft Belvoir
To Ft McPherson
39
Group 6
To Redmond
12
48 Anacostia
Indianapolis/
DFAS
38
40
To Colorado
Springs
Livermore Labs
Oakland 16
47
49
Naval
Academy
50 The White House
41
37
Travis AFB
14
Oakland NAS
11
San Francisco/
Presidio
Moffett NAS
Baltimore
Ft McPherson
34 Maxwell AFB
San Diego/
Naval Base
node (ID)
155 Mb link
77.5 Mb link
Continental Military Network
30
Security as an Interdisciplinary Challenge
•
•
•
Operating systems
1.
Notion of files and attributes
2.
Why can a perpetrator wipe out log files
Viruses
1.
Executable file transfer
2.
BIOS attack
3.
Viruses combining autonomously, unstable mutation (SARS)
4.
Biological and computer virus – unique difference
5.
Ultra-fast viruses?
Computer architectures
1.
Fundamental weakness across all computers
2.
Virus modifies instruction set, computer’s primary objective
Interdisciplinary Issues (Cont’d)
•
•
Control algorithm attacks -- If algorithm is susceptible, nothing is trustworthy
1.
Precision bombing run during WWII
2.
Exploit TCP's retransmission to deliberately cause network overload
3.
Insider attacks – greatest threat in Financial Services Industry
4.
Coordinated attacks – physical and cyberattacks
5.
Elusive attacks – very slow in time and highly geographically distributed
6.
System attacks itself, autoimmune failure – accidentally modified autonomous
agents
Lessons from Nature and biology
1.
Hantavirus
2.
Quarantine only technique that works in infectious diseases, fundamentally weak
for computer viruses – spreads at EM speed
3.
Bubonic plague bacterium and AIDS virus use identical two-prong attack strategy
4.
Sharks switch sensors while attacking prey
5.
Human immune system design and insight from nature of computational power
6.
Genetically imprinted immune system of bees versus adaptive in humans
Interdisciplinary Issues (Cont’d)
•
•
Threat scenario design, rationale, and testing
1.
Requires depth and breadth
2.
Requires interdisciplinary knowledge in biology, law
3.
Law: Can privacy be protected on the Internet?
4.
Law enforcement: Identify original weapon (unique) for conviction?
Encryption
1.
Continue mathematical research into improving performance
Intrusion Detection
Fundamental Challenges to Intrusion Detection
• Intrusion detection is compute-intensive
• Scalability a fundamental issue with all networks
• ATM and variants holds promise
– Inherent promise quality of service
– IP networks based on store and forward principle
• Fundamental framework for security
– NSA adopted under NRM
– Comprehensive security mapped into a QoS metric
Basic Network Intrusion Detection
• Minimum components:
– Sensors
– Assessment Engine
– Response Agents
Response
Agent
Response
Agent
Assessment
Engine
S
S
S
Switched Network Intrusion Detection
• Complications resulting from switched networks
– Unlike broadcast networks where sensors can “sniff” large portions of a
network, switched networks use point-to-point connections.
– Switched (and particularly ATM) networks scale well to very large sizes
• Requires many more sensors
• Overloads the assessment engine
• A new intrusion detection architecture is needed for large, switched networks
Underlying Motivations
• Practical, scaleable intrusion detection architecture for ATM Networks.
– Attacks against the PNNI protocol develop very quickly
– Processes and events within ATM switches occur over very short intervals
of time
– ATM networks can grow quite large using hierarchical peer groups
• Previous research has shown that decentralized military command and control
models allow faster reaction times, resulting in faster convergence on the
enemy and higher kill rates, with fewer casualties
– But, a purely decentralized approach may not be compatible with ATM
peer groups
• Architecture that would apply to other switched networks (e.g. MPLS)
Inspiration -- Human Immune System Design
• Nature designed and tested over millions of years
– Nature's primary objectives
– Key elements of the design
– Evolutionary nature of the design
– Spectacular failures of nature
• The notions of computational energy and limits of computational power
Hierarchical Intrusion Assessment
• Sensors are assigned to various
assessment engines, arranged
hierarchically
• Manages load for assessment
engines
• Scaleable solution
• Allows both tactical and strategic
assessment
Response
Agent
Response
Agent
Strategic
Assessment
Engine
Response
Agent
Tactical
Assessment
Engine
S
S
S
Tactical
Assessment
Engine
S
S
S
Tactical and Strategic Assessment
• Tactical assessment facilitates fast local
responses, necessary in high-speed
switched networks
• Strategic assessment gives overall
picture of distributed or slow-to-develop
attacks
• Assessment engines appear as sensors or
response agents to assessment engines at
other levels of the hierarchy
Response
Agent
Response
Agent
Strategic
Assessment
Engine
Response
Agent
Tactical
Assessment
Engine
S
S
S
Tactical
Assessment
Engine
S
S
S
Detailed View
• Tactical sentinels
– Hardware embodiment of one or more
sensors and an assessment engine
– Monitors fabric of associated switch
– Response is limited to ports, elements,
and UNI traffic of associated switch
– Report observations, events, and actions
to strategic assessment at peer group
level
– Execute local responses as directed by
the peer group level strategic
assessment engine
– Change its behavior via reprogramming
by the strategic assessment engine at the
peer group level
A1
A1-T
A2
A2-T
Strategic Assessment
Level 1
Group A
Strategic
Assessment
Level 2
A3
A3-T
A4
A4-T
A1-T through A4-T: Tactical ATM Sentinels in Peer Group A
B1-T through B4-T: Tactical ATM Sentinels in Peer Group B
B1
B1-T
B2
B2-T
Group B
Strategic Assessment
Level 1
B3
B3-T
B4
B4-T
Detailed View (continued)
• Strategic assessment (level 1)
– Hardware/software entities
– Distinct from the nodes of the peer
group
– Analyze all anomalies within the peer
group, taken in the context of recent
history
– Reprogram tactical sentinels
– Initiate other responses (beyond the
scope of a single switch)
– Report “conclusions” and responses to
level 2 assessment
• Strategic assessment (level 2)
– Likely software implementations
– Assess network behavior
– Compute long-term decisions within
the context of network history
– Initiate responses
A1
A1-T
A2
A2-T
Strategic Assessment
Level 1
Group A
Strategic
Assessment
Level 2
A3
A3-T
A4
A4-T
A1-T through A4-T: Tactical ATM Sentinels in Peer Group A
B1-T through B4-T: Tactical ATM Sentinels in Peer Group B
B1
B1-T
B2
B2-T
Group B
Strategic Assessment
Level 1
B3
B3-T
B4
B4-T
New Approach and Tools
• Synthesize high-level asynchronous distributed algorithm
• Synthesize comprehensive metrics
• Test and validate algorithm through modeling and simulation
– Accurate asynchronous, distributed PNNI simulator
– Representative traffic model
Ultimate Future?
•As networks evolve, newer forms of attacks will emerge
•Interdisciplinary thinking and proposed approach are our key weapons
•Pure energy computers?
•Quantum entanglement?
Source Material for the Tutorial & Further
Reading
1. 1. Sumit Ghosh, Principles of Secure Network Systems Design, Springer
Verlag, 0-387-95213-6, April 2002.
2. Thomas D. Tarman and Edward L. Witzke, Implementing Security for ATM
Networks, Artech House, Boston, ISBN 1-58053-293-4. 2002.
3. Sumit Ghosh, "Computer Virus Attacks on the Rise: Causes, Mitigation,
and the Future," Financial IT Decisions 2002, Vol. 1, a Bi-Annual
Technology Publication of the Wall Street Technology Association, Red Bank,
New Jersey, http://www.wsta.org, Feb/Mar 2002, pp. 16-17, ISBN 1-85938369-6.
4. Ed Witzke, Tom Tarman, Gerald Woodard, and Sumit Ghosh, "A Novel
Scaleable Architecture for Intrusion Detection and Mitigation in Switched
Networks," Proceedings of the IEEE Milcom 2002, Oct 7-10, 2002, The
Disneyland Resort, Anaheim, CA.
5. Sumit Ghosh, "Future Advances in Networked Systems and New Forms of
Cyberattacks," chapter in "Cybercrimes," Edited by Elliot Turrini (Asst. US
Attorney) and Jessica R. Herrera (Federal Prosecutor, CCIPS, US DoJ),
Wadsworth Publishing, Belmont, CA., August 2002.
Thank you
Questions, Suggestions, & Criticisms
email: [email protected]
http://attila.stevens-tech.edu/~sghosh2