Jason Schatz (JS), Jeff Rowe (JR), Chris Wee (CW), David Klotz (DK) and Karl Levitt (KL)
- We're free until September – demo is off
- KL: New proposal from Boeing – cash in hand. Trust management among different administrative domains. Formal trust model.
IDIP Paper for Jeff and Jason
- JR – Global aggregation, little local things you can use. Current IDIP subnets separated by IDIP routers
- Start with an IDIP-based paper, but include simple ideas that make it better. The way it’s done is terrible. CW: Protocol is flawed. JS: Implementation is terrible.
- JR: Loops in typology – infinite loops in broadcast.
- How do you get intelligent global response only use local info? What traffic have neighbors seen and told you about?
- JS: IDIP blocks all along attack – there is enough information to block near the attacker - based on topographical distance - number of hops. You end up with linear set of subnets and router, because we only deal with routers along path of attack. Draw simple diagram.
- CW: Data collection and response tied to same topology. Why not respond along a different path?
- JR: Only relying on local data/local response from neighbors. Boeing hasn’t pushed idea to see what you can do with information from neighbors only. In the aggregate, get optimized response.
- If you’ve seen the traffic, don’t block. Aggregate response to worm – isolate source of worm – end up with boundary.
- KL: Focus is local info; key is what we can do?
- JR: Global response with only info from neighbor. KL: Isolated with minimum number of routers. JR: Depends on router metric. It costs so much to block here.
- DK: Global cost – getting duplicates – local cost – not getting full value.
- JR: We’ve got 4-5 additions to IDIP to include. More attractive than discovery coordinator. Only using local information, get some total aggregation within the domain. Does work for worm case.
- KL: Submit it to the Applications conference or IEEE Network – describe IDIP with embellishments – cost model etc. Don’t throw away IDIP – it's worth half a paper
- CW: Analogous to routing based on information from and through neighbors. The first algorithm had global views of routing through flooding.
- JR: Basic architecture is same, metric is different – network throughput.
- CW: Original algorithm only dealt with connectivity. Dealing with lack of connectivity here. The assumption is that attacks are worms or connections based. It won't work for the Melissa virus. I’m not tied to being dependent on local information. Depending on non-local information, there is an authentication problem. You need an efficient way of getting global view.
- DK: One advantage is that we know that this will scale. Might be able to prove that it’s effective.
- CW: If attacker can always go around block…
- JS: Not necessarily, not dynamically rerouting depending on protocols.
- JR: It's a question of speed. Not stopping future attack, just current one.
- CW: Lots of variations – maybe if you stick with local information and control, when attack is rerouted, then you’ve got same system and it’ll block that. Attack can proceed, but not once all blocks are set up.
- JR: Section on building up global network.
- IDIP's winning points.
- Academic interest – finding spoofers, have no central control, blocking nearest attacker.
- JR: Works for denial of service.
- KL: Works for containment, blocking future paths, taxonomy of responses. It shows, depending on speed, if we’re faster than protocols and routers.
- JR: Concentrate on simple extensions to IDIP.
- KL: Write to Dan, telling him we’re doing this.
CW: Security Metrics and Costs (see handout notes below).
- JR: Fill up disk very fast.
- CW: Slow connection to site; infinite disk capacity.
- KL: Purpose is to decide to imagine would intruder want to attack? JS: Metric of attractiveness?
- JS: Spiteful model of security – protect everything including things that are not important to us. CW: Intruder will pick site that is easiest to break into, based on vulnerabilities and data intruder wants.
- CW: How do we evaluate your risk of intrusion – likeliness of being attacked? JS: Lots of Linux boxes broken into. CW: List what attacker might have in resources. If no way of exploiting the vulnerability, who cares? Minors can attack; not prosecuted. Senior attackers write scripts for junior attackers to implement.
- KL: Cost of defending it an attack. Attackers also put resources into attacking it. CW: Regulation at a future date – government standards set minimal level of protection or require minimum insurance to operate a website – security and insurance.
- JR: Can you rank sites? CW: Site A has better info, more vulnerabilities. Metric is totally useless – how to collect and quantify information. 3 &4s get attacked instead of 6&7s.
- CW: Economist Krugman – loss of info as you formalize a model – maps of Africa example. As mapping techniques improved, got the coastline right, but Africa became a void because they weren't willing to put inaccurate information on. This will suffer the same problem. If we assemble the metric, it’s going to be totally wrong, We need to figure which parameters are wrong – get feedback. DK: Run experiments, get results.
- CW: Government sites have different risk assessments from commercial sites..
- Jane Win, Professor of Law, Government or military site has no down side of failing to secure site. Commercial entity can be sued – breach in security.
- JR: University not on list – The University is worried about its reputation and bad press. CW: They lose a dollar number, but not concerned about that.
- JR: Mrak policy doesn’t have influence on how we set up . CW: You could set up any website on campus, not any more. JS: University far beyond business for security – less liability.
- Other Organizations worried about reputation: CIA, newspapers, banks. CW: SCC wants to publish it on paper, before put it on the wire. Opposite of how things have been progressing. KL: Run a scanner, tools, maybe inadequate. CW: Scanners won’t report all – just some defenses and vulnerabilities – won’t tell you value of services/data.
- CW: What other factors would affect me? DK: Visibility. NY Times more likely to be attacked because of visibility. JS: Sociology.
A Simple Security Metric
Assessing a site's risk of intrusion
29 April 1999
A first order security metric is a weighted sum of
I assume that an intruder will evaluate several sites and attack the one with the lowest metric (hence highest risk of intrusion). So a site's risk of intrusion evolves and changes depending on how well are other like-sites (by industry or services offered) protected.
What is the motivation for a security metric?
Cost model for: