CNSSA: A Comprehensive Network Security Situation Awareness System

2011 International Joint Conference of IEEE TrustCom-11/IEEE ICESS-11/FCST-11

Rongrong Xi, Institute of Computing Technology, Chinese Academy of Sciences, Beijing, China
Shuyuan Jin, School of Information Technology, Deakin University, Melbourne, Australia
Xiaochun Yun, Institute of Computing Technology, Chinese Academy of Sciences, Beijing, China
Yongzheng Zhang, Institute of Computing Technology, Chinese Academy of Sciences, Beijing, China

Abstract—With tremendous attacks on the Internet, there is a high demand for network analysts to know the situations of network security effectively. Traditional network security tools lack the capability of analyzing and assessing network security situations comprehensively. In this paper, we introduce a novel network situation awareness tool, CNSSA (Comprehensive Network Security Situation Awareness), to perceive network security situations comprehensively. Based on the fusion of network information, CNSSA makes a quantitative assessment of the situations of network security. It visualizes the situations of network security in multiple views, so that network analysts can know about the situations of network security easily and comprehensively. The case studies demonstrate how CNSSA can be deployed into a real network and how CNSSA can effectively comprehend the situation changes of network security in real time.

Keywords—network security situation awareness, quantitative assessment, visualization

978-0-7695-4600-1/11 $26.00 © 2011 IEEE DOI 10.1109/TrustCom.2011.62

I. INTRODUCTION

With tremendous attacks on the Internet, there is a high demand for network analysts to know the situations of network security easily and comprehensively. The capability of understanding the situations of network security can help network analysts know whether their network status is safe or unsafe, and help them decide when to add patches to their computer systems. Although various security tools such as firewalls and intrusion detection systems have been deployed in the detection and prevention of attacks, these security tools often generate huge reports as well as numerous false positives and false negatives. It is commonly too difficult for network analysts to understand and manage an extremely large amount of network reports. An effective tool for network security situation awareness is highly required to help us fuse all available information properly and comprehend the situations of network security with ease.

The concept of network security situation awareness refers to the operational picture that consolidates all available information to identify attacks and select and apply appropriate countermeasures [1]. A network security situation awareness system should have the ability to handle information coming from multiple sources, including network topology, network configuration, vulnerabilities, system logs, network security device alerts and network traffic. Based on proper information fusion, a network security situation awareness system provides network analysts with insight into security-relevant activities occurring within their networks, so as to help them make decisions or modifications on their networks. A network security situation awareness system should not only perceive the changes of network situations in real time, so that the situations of network security can be reflected accurately, but also present the situations of network security in an efficient way, so that the presented security situations can be understood easily. Visualization is one of the best means for a system to present its results to end users, since humans are by nature visual beings and can easily understand large amounts of data through maps and data plots [2]. The visualization of network security situation awareness can greatly improve the rate and the quality of human decision making.

This paper presents a Comprehensive Network Security Situation Awareness System (CNSSA). The proposed system can understand the network security situations through fusing large amounts of network information quantitatively. It further visualizes the network security situations in various different views, which enable us to understand the situations of network security easily and effectively. The system has the following distinct features.

• The visualization of CNSSA is comprehensive and intuitive. CNSSA visualizes the situations of network security from the different views of network threat, vulnerability and stability, from high-level to low-level presentations. There are also other visualization systems for network security situation awareness, such as NVisionIP [2] and VisFlowConnect-IP [3]. The main difference between our proposed CNSSA and other network security awareness systems is that other systems only focus on displaying connections and traffic flows among hosts. In comparison, the information that CNSSA fuses includes not only the connection information among hosts, but also the information of threats, vulnerabilities and alerts. CNSSA fuses and correlates information from multiple sources, and presents the analysis results in multi-level views.

• The situation assessment provided by CNSSA is quantitative and in real time. CNSSA adopts the measurement metrics of the Common Vulnerability Scoring System (CVSS) to make quantitative assessments of the situations of network security. Most work on quantitative assessment in the literature is based on attack graphs, such as the work in [14] and [15]. Tools based on attack graphs have limited performance, since attack graph construction is very time consuming. In contrast, CNSSA employs a publicly accepted vulnerability scoring system, which enables its assessment to be quick, standard and run in real time.

• The situation awareness provided by CNSSA is accurate because CNSSA implements a filter function in its information collection process. By filtering out false alarms effectively from the tremendous number of alerts in its data preprocessing, CNSSA achieves high performance based on more accurate data.

• CNSSA is designed with a scalable architecture and open interfaces, so that various IDS tools and vulnerability scanners can be deployed with it. Advanced modules and new functional modules can also be added easily.

II. RELATED WORK

There are a number of system tools currently used in the field of network security situation awareness, such as NVisionIP [2] and VisFlowConnect-IP [3]. Most of these systems use flow traffic to provide network security situation information. For example, NVisionIP [2] graphically shows the connections and traffic flows among hosts in a class-B network to allow analysts to understand the current state of their network. VisFlowConnect-IP [3] visualizes IP network traffic flow dynamics to provide an overall view of the entire network, which allows network analysts to visually assess the connectivity of large and complex networks. The SiLK tool [4] provides network flow records to network analysts to understand, query and summarize both recent and historical network traffic data. Using these tools, network analysts can gain insight into various aspects of network behavior. However, these existing tools focus on capturing and analyzing network flow information. They lack the capability of analyzing and assessing other security-related information such as vulnerabilities and threats.

III. SYSTEM ARCHITECTURE

[Figure 1 The Architecture of CNSSA: Network → Information Collector → Situation Awareness (Threat Assessment, Vulnerability Assessment, Stability Assessment, Situation Assessment) → Situation Visualization]

The architecture of CNSSA is briefly shown in Figure 1. CNSSA has a total of 3 modules. The information collector module is responsible for collecting network information and storing it in a database. The collected information includes network topology, network configurations, vulnerabilities, system logs, network security alerts and network traffic. The situation awareness module fuses all network information in order to assess network security and generate high-level views of network situations. It has four subcomponents: threat assessment, vulnerability assessment, stability assessment and situation assessment. The vulnerability assessment subcomponent utilizes CVSS to assess the vulnerability of the whole network. It outputs a Vulnerability Score (VS) to reflect the status of network vulnerability quantitatively. The stability assessment subcomponent obtains network traffic information from the flow detector. It outputs a Stability Score (SS) to evaluate the current network stability quantitatively. The situation assessment subcomponent establishes a unified Security Index (SI) in order to assess the security situation of the whole network comprehensively. It outputs a network security situation score to reflect the current network situation quantitatively. The values of TS, VS and SS are security measurement indices. They range from 0 to 10 in CNSSA; the higher their values, the less secure the network. The situation visualization module provides multi-level views of the situations of network security. It helps network analysts understand the situations of network security through very user-friendly interfaces. We detail the CNSSA user interfaces in Section 4.

IV. USER INTERFACE

The main strength of CNSSA lies in its friendly user interfaces. CNSSA can visualize network security situations comprehensively and quantitatively. It provides a variety of views, from macro views of situation awareness to the detailed quantitative views of threats, vulnerability and stability. Its friendly user interfaces greatly help network analysts perceive the situation changes of network security.

A. Macro View

The broadest view that CNSSA provides is its macro view, which presents the security situation of the whole network, as shown in Figure 2. The macro view gives a high-level picture of the current security status of the network. It also provides entries to overview the insecure-factor assessments in terms of threat, vulnerability and stability. For example, Figure 2(a) shows real-time trends of network security status in the three indices of threat, vulnerability and stability over the latest 5 minutes. Figure 2(b) presents the current high-level security status in a pie chart, which reflects the situation of the network in terms of low, medium and high insecurity. Figure 2(c) provides the quantitative assessment of network situations online. When you click a specific button among the threat, vulnerability and stability assessments, CNSSA opens the corresponding assessment view.
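As an added illustration of how the Section III indices feed the quantitative assessment shown in Figure 2(c) (example code, not the CNSSA authors' implementation): TS, VS and SS are computed for one time window and fused into SI on the paper's 0-10 scale. The paper does not publish its formulas, so the severity weights, the CVSS aggregation, the log-ratio scaling and the SI weights are assumptions, chosen so that a window matching the learned normal profile scores 5.0, the level the case study reports for quiet periods; the alerts, CVSS scores and packet counts are constructed.

```python
import math
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Alert:
    severity: int  # Snort-style priority: 1 = high, 2 = medium, 3 = low
    src: str
    dst: str

# Assumed severity weights: a high-priority alert counts four times a low one.
SEVERITY_WEIGHT = {1: 4.0, 2: 2.0, 3: 1.0}

def clamp10(x: float) -> float:
    """All CNSSA indices live on the 0..10 scale, higher = less secure."""
    return max(0.0, min(10.0, x))

def ratio_index(observed: float, normal: float, symmetric: bool = False) -> float:
    """Assumed scaling: 5.0 when observed equals the learned normal level and
    +1 point per doubling; with symmetric=True a halving also adds a point,
    so that a traffic drop counts as instability too."""
    if normal <= 0:
        raise ValueError("normal level must be learned from quiet windows (> 0)")
    if observed <= 0:
        return 10.0 if symmetric else 0.0  # silence: fine for alerts, bad for traffic
    delta = math.log2(observed / normal)
    return clamp10(5.0 + (abs(delta) if symmetric else delta))

def threat_score(alerts: list[Alert], window_min: float, normal_rate: float) -> float:
    """TS from the severity-weighted alert rate (weight per minute) of a window."""
    weighted_rate = sum(SEVERITY_WEIGHT[a.severity] for a in alerts) / window_min
    return ratio_index(weighted_rate, normal_rate)

def vulnerability_score(cvss_by_host: dict[str, list[float]]) -> float:
    """VS from CVSS: mean over hosts of each host's worst base score (assumed)."""
    if not cvss_by_host:
        return 0.0
    return clamp10(mean(max(scores, default=0.0) for scores in cvss_by_host.values()))

def stability_score(packets: int, window_min: float, normal_pps: float) -> float:
    """SS from the flow detector's packet rate, deviating in either direction."""
    return ratio_index(packets / (window_min * 60.0), normal_pps, symmetric=True)

def security_index(ts: float, vs: float, ss: float,
                   weights: tuple[float, float, float] = (0.5, 0.3, 0.2)) -> float:
    """SI: weighted fusion of the three indices (assumed weights summing to 1)."""
    return clamp10(weights[0] * ts + weights[1] * vs + weights[2] * ss)

def situation_changes(si_series: list[float], jump: float = 1.0) -> list[int]:
    """Window indices where SI rises by at least `jump` over the previous window,
    the kind of step the case study reports (SI 5 -> 7 at 11:30 AM)."""
    return [i for i in range(1, len(si_series)) if si_series[i] - si_series[i - 1] >= jump]

# Constructed sample input for two 5-minute windows of the case-study subnet:
# a quiet window and one in which a single source hits 40 hosts (a probe).
QUIET = [Alert(3, "192.168.158.50", "192.168.158.7") for _ in range(5)]
PROBE = [Alert(2, "192.168.158.95", f"192.168.158.{h}") for h in range(1, 41)]
CVSS = {"192.168.158.7": [7.5, 5.0], "192.168.158.8": [9.0], "192.168.158.9": [4.5]}
CVSS_PATCHED = {**CVSS, "192.168.158.8": [3.0]}  # the 8:00 AM Monday rescan

def assess(alerts, cvss, packets, window_min=5.0, normal_rate=1.0, normal_pps=500.0):
    """One situation-assessment pass: returns (TS, VS, SS, SI) for a window."""
    ts = threat_score(alerts, window_min, normal_rate)
    vs = vulnerability_score(cvss)
    ss = stability_score(packets, window_min, normal_pps)
    return ts, vs, ss, security_index(ts, vs, ss)

if __name__ == "__main__":
    quiet = assess(QUIET, CVSS, 150_000)
    probe = assess(PROBE, CVSS, 1_200_000)
    print("quiet TS/VS/SS/SI:", quiet)  # (5.0, 7.0, 5.0, 5.6)
    print("probe TS/VS/SS/SI:", probe)  # (9.0, 7.0, 8.0, 8.2)
    print("SI jumps at windows:", situation_changes([quiet[3], quiet[3], probe[3]]))
```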

B. Network Topology View

CNSSA shows the network architecture through its network topology view. The network view shows the current network topology and host information in detail. It first displays the network subnets. After you click a subnet, CNSSA pops up a subnet view, which presents the topology of the selected subnet. When you click the host running a scanner, CNSSA presents a connected circle which denotes the trace hops of each host from the scanner. For example, Figure 3 shows the topology of a network. There are 2 subnets, 172.16.100.0 and 192.168.0.0. Both subnets have a bus network structure with about 10 hosts. When the subnet 172.16.100.0 is selected, CNSSA shows the topology of the subnet 172.16.100.0, as shown on the right in Figure 3. The lower part of Figure 3 shows the hosts scanned by the scanner.

Figure 2 The Macro View

Figure 3 Network Topology View

C. Vulnerability View

When you click a host in the network topology view, the vulnerability user interface pops up. The vulnerability view presents detailed host information including IP address, operating system, open ports and vulnerabilities. A more detailed list of the vulnerabilities resident on the host pops up after you click a vulnerability, as shown in Figure 4.

Figure 4 Vulnerability View and Relationship among Multiple Small Views

D. Threat View

The threat views of CNSSA show network threat trends, threat details and the distributions of different types of threats, as shown in Figure 5. Figure 5(a) presents the threat trends of the whole network over time. Figure 5(b) shows the real-time distribution of different types of threats in a pie chart. Figure 5(c) presents the most serious online TOP-N threat information, which should draw the attention of administrators. Figure 5(d) lists the threat details, including detection time, name, type, severity, protocol, source IP and destination IP.

Figure 5 Threat View

E. Stability View

CNSSA shows network traffic stability trends, the distributions of different types of network traffic and traffic details through its stability views, as shown in Figure 6. Figure 6(a) presents real-time network traffic trends. Figure 6(b) shows the real-time distribution of different types of network services. Figure 6(c) presents the statistics of the network traffic in lists. Figure 6(d) presents real-time traffic statistics of each probe over 5 minutes. The length of the time window of each probe can be set easily through the CNSSA administration interface.

Figure 6 Stability View

V. CASE STUDY

This section demonstrates how CNSSA is deployed in a real network and how CNSSA is used to comprehend real-time situations of network security. To the best of our knowledge there are no public test datasets for the evaluation of network situation awareness. Therefore, we set up a test environment and simulate different attacks to demonstrate the performance of CNSSA.

A. System Deployment

The design of CNSSA enables end users to choose different intrusion detection tools for intrusion detection during CNSSA's information collection. This design provides flexibility for end users to use their own firewalls or intrusion detection tools. CNSSA provides a data format conversion interface, which transforms the output of any intrusion detection system into the data format that CNSSA uses for its network situation awareness. By default, CNSSA uses Snort [23] for attack detection, IPtraf [26] for traffic probing and OpenVAS [24] for vulnerability collection.

The CNSSA deployment in the case study is shown in Figure 7. The CNSSA modules can be deployed either on one powerful server which resides in the same subnet where the gateway device is located, or on multiple servers. We recommend deploying the modules of CNSSA on different servers to achieve higher performance, similar to what we deploy in this case study. The information collector in CNSSA includes three components: attack detector, flow detector and threat scanner. We deploy the attack detector (Snort [23]) and flow detector (IPtraf [26]) in the same subnet as the gateway. We deploy the threat scanner in each subnet, since normally the firewall will prevent scanner probes from penetrating between subnets. The database server and situation awareness module are deployed in the intranet.

Figure 7 CNSSA Topology in Case Study

B. Evaluating the Solution

In order to validate the performance of CNSSA, we ran CNSSA and simulated some attacks in our subnet 192.168.158.0/24 from 2011-03-18 to 2011-03-22. The details of the simulated attacks are as follows. (1) Probe attack. An attacker resident on the host 192.168.158.95 uses Nmap [25] to perform a probe attack on the subnet 192.168.158.0/24, from 9:30 AM to 10:05 AM on 2011-03-19. (2) Simultaneous attacks including port scan, smurf and teardrop attacks, from 11:30 AM to 12:10 PM on 2011-03-20. Three attacks are launched simultaneously. In detail, one attacker resident on the host 192.168.158.95 launches a port scan against the subnet 192.168.158.0/24; one attacker resident on the host 192.168.158.92 carries out a smurf attack on hosts with IPs from 192.168.158.5 to 192.168.158.10; and one attacker launches a teardrop attack on hosts with IPs from 192.168.158.15 to 192.168.158.20.

The situation changes in terms of threat, vulnerability, stability and the whole network security are shown in Figures 8(a), 8(b), 8(c) and 8(d) respectively. In detail, Figure 8(a) shows that the value of TS increases from 3.5 to above 5.2 at 9:30 AM on 2011-03-19, which means that the network becomes unsafe during this period because of threats. It corresponds to the probe attack started at 9:35 AM on that day. It also shows that the value of TS suddenly increases to about 7.0 at 11:30 AM on 2011-03-20, which indicates that some severe attacks happen during that period. We know that the smurf and teardrop attacks are carried out during this period. Figure 8(b) shows that the value of VS has some small changes at 8:00 AM every day. That is because CNSSA scans the vulnerabilities of the whole network at 8:00 AM every day. We can also notice a significant change at 8:00 AM on 2011-03-21, which is because the hosts update themselves by installing some patches on that day, since many systems update themselves on Monday by default. After the system updates, the VS value declines, which indicates that the whole network is less vulnerable than before. Figure 8(c) shows that the value of SS increases at about 9:30 AM on 2011-03-19 and at 11:30 AM on 2011-03-20, which indicates that the stability of the network is reduced during those times. Figure 8(d) shows that the value of SI suddenly increases from 5 to 7 at about 11:30 AM on 2011-03-20, which is mainly due to serious threats to the network during that period. According to the simulated attack scenarios, we know that the smurf and teardrop attacks happen exactly during that period. In addition, the value of SI has a minor increase from 5 to 6 at about 9:30 AM on 2011-03-19. It shows that there are slight attacks in this period. The simulated probe attack that happens during that time explains the increase of SI.

Figure 8 CNSSA Evaluations in Case Studies: (a) Threat Trends, (b) Vulnerability Trends, (c) Stability Trends, (d) Network Security Trends

Discussion: We notice that all of the measurements of threat, vulnerability and stability in CNSSA reflect the situation changes at two time points in the attack scenarios. These two time points are 9:00 AM on 2011-03-19 and 11:30 AM on 2011-03-20, when the probe, smurf and teardrop attacks are launched respectively. We should also notice that although each measurement reflects network situations differently, the SI can give an objective assessment of the situations of network security. For example, the value of TS in Figure 8(a) is around 3.7, which is below its average value of 5.0, indicating that the network is safer than in normal situations. The value of SS in Figure 8(c) is around 8, which is above its average value of 5.0, indicating that the network is more unstable than in normal situations. CNSSA combines all of the estimations from TS, SS and VS to achieve an objective assessment by using its indicator SI. The value of SI in Figure 8(d) is around 5.0 when no attacks happen, indicating that the situation of the whole network is secure.

VI. CONCLUSION

This paper presents a comprehensive network security situation awareness system, CNSSA. CNSSA can help network analysts know about the situations of network security in a comprehensive way, from high-level to detailed multi-level views. In the case studies, we demonstrate how CNSSA is deployed in a real network and how to use CNSSA to reflect the situations of network security in real time. CNSSA can not only alert network analysts accurately that a computer is potentially compromised, but also provide decision support for security analysts on the situation changes of network security. Future work on CNSSA will include the development of prediction and decision recommendation functions. We will further focus on the improvement of user interfaces and assessment algorithms. We are also working on bringing CNSSA to market commercially.

ACKNOWLEDGMENT

This research work is supported by the National Natural Science Foundation of China under Grant Nos. 61070186 and 61003261. Any opinions, findings, and conclusions or recommendations expressed in this work are those of the authors and do not necessarily reflect the views of the sponsoring organizations. The authors thank the anonymous reviewers for their valuable comments.

REFERENCES

[1] Richard Kemmerer (chair), Roland Bueschkes (vice chair), Ali Fessi (note taker), Hartmut Koenig, Peter Herrmann, Stephen Wolthusen, Marko Jahnke, Hervé Debar, Ralph Holz, Tanja Zseby and Dirk Haage, "Outcome working group: situation assessment", in Proceedings of Network Attack Detection and Defense, 2008.
[2] Kiran Lakkaraju, William Yurcik and Adam J. Lee, "NVisionIP: netflow visualizations of system state for security situational assessment", in Proceedings of the ACM Workshop on Visualization and Data Mining for Computer Security, 2004.
[3] Xiaoxin Yin, William Yurcik and Adam Slagell, "The Design of VisFlowConnect-IP: A Link Analysis System for IP Security Situational Assessment", in Proceedings of the Third IEEE International Workshop on Information Assurance, 2005.
[4] Timothy Shimeall, Sydney Faber, Markus DeShon and Andrew Kompanek, "Analysts' Handbook: Using SiLK for Network Traffic Analysis", SiLK documentation, 2009.
[5] David Moore, Geoffrey M. Voelker and Stefan Savage, "Quantitative network security analysis", Technical Report, CAIDA/SDSC and CSE Department, University of California, CA 92092-0505, 2002.


[6] A. Jaquith, "Security Metrics: Replacing Fear, Uncertainty and Doubt", Addison-Wesley, ISBN 0321349989, 2007.
[7] R. Gula, "Correlating IDS Alerts with Vulnerability Information", Technical Report, Tenable Network Security, January 2009.
[8] M. Swanson, N. Bartol, J. Sabato, J. Hash and L. Graffo, "Security metrics guide for information technology systems", NIST Special Publication 800-55, 2003.
[9] National Institute of Standards and Technology, "Technology assessment: Methods for measuring the level of computer security", NIST Special Publication 500-133, 1985.
[10] P. Mell, K. Scarfone and S. Romanosky, "Common vulnerability scoring system", IEEE Security & Privacy, Vol. 4, No. 6, pp. 85–89, 2006.
[11] P. A. Porras, M. W. Fong and A. Valdes, "A mission-impact-based approach to INFOSEC alarm correlation", in Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection, 2002.
[12] B. Morin, L. Mé, H. Debar and M. Ducassé, "M2D2: a formal data model for IDS alert correlation", in Proceedings of the International Symposium on Recent Advances in Intrusion Detection, 2002.
[13] Yan Zhai, "Integrating multiple information resources to analyzing intrusion alerts", in Proceedings of Recent Advances in Intrusion Detection, pp. 85–103, 2006.
[14] Lingyu Wang, Tania Islam, Tao Long, Anoop Singhal and Sushil Jajodia, "An Attack Graph-Based Probabilistic Security Metric", Lecture Notes in Computer Science, Vol. 5094, pp. 283–296, 2008.
[15] Dapeng Man, Wu Yang, Yongtian Yang, Wei Wang and Lejun Zhang, "A Quantitative Evaluation Model for Network Security", in Proceedings of the International Conference on Computational Intelligence and Security, 2007.
[16] O. Thonnard and M. Dacier, "A framework for attack patterns' discovery in honeynet data", in Proceedings of the 8th Digital Forensics Research Conference, 2008.
[17] Michael L. Hinman, "Some Computational Approaches for Situation Assessment and Impact Assessment", in Proceedings of the Fifth International Conference on Information Fusion, pp. 687–693, 2002.
[18] Sabata Bikash and Ornes Chester, "Multi-source evidence fusion for cyber-situation assessment", in Proceedings of the Multisensor, Multisource Information Fusion Conference, pp. 1–9, 2006.
[19] Xiu-zhen Chen, Qing-hua Zheng, Xiao-Hong Guan and Chen-Guang Lin, "Quantitative Hierarchical Threat Evaluation Model for Network Security", Journal of Software, Vol. 17, No. 4, pp. 885–897, April 2006.
[20] Sushil Jajodia, "Cyber Situational Awareness: Issues and Research (Advances in Information Security)", ISBN 9781441901392, 2009.
[21] Martin E. Liggins, David Lee Hall and James Llinas, "Handbook of Multisensor Data Fusion: Theory and Practice", CRC Press, ISBN 1420053086, 2008.
[22] Jitendra R. Raol, "Multi-Sensor Data Fusion: Theory and Practice", CRC Press, ISBN-10 1420053086, 2009.
[23] Snort, The Open Source Network Intrusion Detection System, http://www.snort.org, 2004.
[24] OpenVAS, Open Vulnerability Assessment System, http://www.openvas.org/
[25] Nmap, Free security scanner for network, http://nmap.org/
[26] IPtraf, an IP network monitor, http://iptraf.seul.org/
