Project Overview:
Given the increase in Internet activity, a growing number of computers are corrupted by attacks every day. Within an organization, security administrators make security decisions mainly based on common practices or on their experience as security officers. Currently, few practical security tools exist to help them better assess the security of the organization's network when they need to make such decisions. Many organizations possess security devices that monitor their network's activity, such as intrusion prevention systems (IPSs). The quantity of data collected per day can be so substantial that not every event identified by a security device can be investigated by the security team. Retrieving meaningful information from the data collected on malicious activity would give security administrators additional insight into the organization's security.
However, the collected data are currently far from perfect: they might include false alerts (false positives) and might not include all attacks (false negatives). Moreover, in the case of signature-based IPSs, the data will not include new attacks. In addition, interpreting the output of many security devices relies on the trust placed in the devices and their vendors. No ground truth is provided. Details are lacking on the meaning of the data and on how they are produced (the security devices are black boxes about which vendors release few details).
Therefore, in order to retrieve useful information on an organization's security from imperfect IPS data, two approaches are possible. The first is to obtain data sets clean enough that accurate security estimations become possible. The second is to accept that the data set is imperfect, but that useful information regarding an organization's security can still be retrieved from it. We decided to adopt the second approach.
The contribution of this research is to develop and validate practical tools to assess an organization's security based on imperfect data such as IPS data. The tools will extract useful information from IPS data and give more detailed insight into an organization's security. For example, one tool could consist of identifying compromised computers within the organization. Another tool could consist of defining metrics and studying outliers in order to identify security issues.
Current Students: Danielle Chrun.
Previous Students: Gabriel Salles-Loustau (UMD/ENSIB), Damien Leger (UMD/ENSIB), Vincent Le Port (UMD/ENSIB), Venkat Dinavahi.
Collaboration:
Gerry Sneeringer, Director, IT Security,
Publications:
On the Use of Security Metrics based on Intrusion Prevention System Event Data: An Empirical Analysis, D. Chrun, M. Cukier, and G. Sneeringer, in Proc. 11th IEEE Symposium on High Assurance Systems Engineering (HASE'08), Nanjing, China, December 3 - 5, 2008, pp. 49-58.
Finding Corrupted Computers Using Imperfect Intrusion Prevention System Event Data, D. Chrun, M. Cukier, and G. Sneeringer, in Proc. 27th International Conference on Computer Safety, Reliability and Security (SAFECOMP 2008), Newcastle upon Tyne, UK, September 22-25, 2008, pp. 221-234.
Funded by Raytheon.