
ASMONIA
Attack analysis and Security concepts for MObile Network infrastructures, supported by collaborative Information exchAnge

Contributors: Cassidian / EADS Deutschland GmbH, RWTH Aachen

Recommender System for Security Risk Reduction
Situational Awareness for Critical Information Infrastructures

Author(s), Company:
Michael Hoche, Cassidian
Heiko Kirsch, Cassidian
Marián Kühnel, RWTH Aachen

About the ASMONIA project

Given their inherent complexity, protecting telecommunication networks from attacks requires the implementation of a multitude of technical and organizational controls. Furthermore, to be fully effective these measures call for the collaboration between different administrative domains such as network operators, manufacturers, service providers, government authorities, and users of the services.

ASMONIA is the acronym for the German name* of a research project that aims to improve the resilience, reliability and security of current and future mobile telecommunication networks. For this purpose the ASMONIA consortium, made up of several partners from academia and industry, performs a number of research tasks based on the specific expertise of the individual partners. The project, running from September 2011 till May 2013, receives funding from the German Federal Ministry of Education and Research (Bundesministerium für Bildung und Forschung, BMBF). Various associated partners further contribute on a voluntary basis.

* The full name is "Angriffsanalyse und Schutzkonzepte für MObilfunkbasierte Netzinfrastrukturen unterstützt durch kooperativen InformationsAustausch" (Attack analysis and security concepts for mobile network infrastructures, supported by collaborative information exchange).

Partners:
- Cassidian
- ERNW Enno Rey Netzwerke GmbH
- Fraunhofer Research Institution for Applied and Integrated Security (AISEC)
- Hochschule Augsburg
- Nokia Siemens Networks GmbH & Co KG
- RWTH Aachen

Associated Partners:
- Federal Agency for Digital Radio of Security Authorities and Organizations (BDBOS)
- Federal Office for Information Security (BSI)
- Deutsche Telekom AG (DTAG)

Recommender System for Security Risk Reduction

Situational Awareness for Critical Information Infrastructures D4.1(ii) – 1.0

Executive Summary

This document is part of the development of a security monitoring and recommender system applied to a mobile telecommunication network addressing the transition from the current state as-is to a to-be enterprise architecture. The security monitoring and recommender system is designed to control the security measures developed in the ASMONIA project. In this sense it supplements the approached collaboration as a control instance.

In particular, this document addresses the development advances made and the creation of an initial enterprise architecture as a means of coordination. This architecture enables the collaborative identification and classification of potential sensors suitable to support the ASMONIA project targets, and especially the goal of collaborative situational awareness for critical information infrastructures.

The complexity and the variety of aspects of our world demand multiple perspectives on information security. Security approaches need to cope with an information-rich, adversarial and evolving environment. They need to consider and leverage security means that are already integrated, and they are required to be efficient and effective even inside such environments.

Economics of security has recently become a thriving discipline. We conceptually link the security approach with economics in order to address the inherent complexity, to identify advantageous interactions in collaborative scenarios, and to create common situational awareness. Our conjecture is that a unifying security model is a promising way to illuminate the opaque relation between security and payoff. We borrow concepts from economics to develop a unifying scale-free information security model and outline how the model could be used for recommendation and analysis. We propose a scaling method for identifying security risk in an incentive compatible way by maximizing the payoff of affected parties. This method is designed for adaptability to cope with evolving environments.

We argue the advantages of assuring adequate security collaboratively, incorporating the dynamic behavior of an information system and its users by means of the developed security model. We present a foundation of situational awareness for security risk to indicate relevant incidents, threats and impacts. Hence we address the challenges raised in Deliverable 4.1 (i) and provide an enterprise architecture to establish security transparency as social welfare – collaboratively – by means of the identified capability set:

Continuous Security Monitoring, defined as ongoing observance with the intent to provide warnings in case of deviations from expected behavior.

Continuous Security Model Adaptation, defined as the ongoing evaluation and adaptation of the underlying behavioral model.

Continuous Security Economics Analysis, defined as the ongoing identification of effective economical impacts associated with behavioral deviations.

Continuous Security Awareness, defined as ongoing presentation of the current and past security status for decision support.

Continuous Security Collaboration, defined as ongoing conflict resolution between parties having divergent economic interests.

This document continues the elaboration of the first four capabilities started in D4.1, see [ASMONIA_D41], and enables the last capability by means of a semantic description.

Finally we present a case study implementing an intrusion detection and prevention system and show how the concepts are used to embed the information it offers, contributing to Continuous Security Awareness and enabling Continuous Security Collaboration.


Table of Contents

1 Introduction 7
2 Concepts 10
2.1 Socio-Economic Perspective 10
2.1.1 Game Theory 10
2.1.2 Mechanism Design 12
2.1.3 Communities 14
2.1.4 Security Model 15
2.1.5 Profiles and Rewards 15
2.1.6 Transfers 16
2.2 Socio-Technical Perspective 18
2.2.1 Semantics 18
2.2.1.1 Execution Semantics 20
2.2.1.2 Monitoring Semantics 20
2.2.2 Guards 21
2.2.2.1 Governance 21
2.2.2.2 Integrity Monitoring 21
2.2.2.3 Behavioral Monitoring 22
2.2.3 Estimating 26
2.2.4 Filtering 26
2.3 Technical Perspective on Guards 27
2.3.1 Intrusion Detection and Prevention Systems 28
2.3.1.1 IDPS Architecture 32
2.3.1.2 Network-based IDPS 34
2.3.1.3 Inline NIDPS 34
2.3.1.4 Passive NIDPS 35
2.3.1.5 Network Behavior Analysis 36
2.3.1.6 Wireless IDPS 36
2.3.2 Honeypots 37
2.3.2.1 Research honeypots 40
2.3.2.2 Production honeypots 41
2.3.2.3 High interaction honeypots 41
2.3.2.4 Low interaction honeypots 42
2.3.2.5 Medium interaction honeypots 42
2.3.2.6 Server honeypots 42
2.3.2.7 Client honeypots 43
2.3.2.8 Double honeypot 43
2.3.2.9 Honeyfarms 44
2.3.3 A case study of a 4G network sensor for mobile malware 45
2.3.3.1 Mobile Malware 46
2.3.3.1.1 Mobile Threats 46
2.3.3.1.2 Classification of mobile malware 50
2.3.3.1.3 Observable traffic by MNOs 50
2.3.3.2 4G Mobile Malware Protection Sensor 51
2.3.3.2.1 Sensor Placement 52
2.3.3.2.3 Simulation of the 4GMOP Sensor 56
2.3.3.2.4 Discussion 57
2.3.4 Relation to the Concepts 57
3 Collaborative Risk Management 58
3.1 Notions 58
3.2 Supervision Enterprise Architecture 58
3.2.1 Business Architecture 58
3.2.2 Data Architecture 59
3.2.2.1 Data Model 59
3.2.2.2 Information Model 60
3.2.2.2.1 Payoff Flow Network 60
3.2.2.2.2 Transfer Flow Network 60
3.2.3 Application Architecture 60
3.2.3.1 Monitoring Application 61
3.2.3.2 Calibration Application 61
3.2.3.3 Analysis Application 62
3.2.3.4 Recommender Application 64
3.2.4 Technology Architecture 67
3.2.4.1 Data Integration 67
3.2.4.2 Storage and Processing 70
3.2.4.3 Data Warehouses 71
3.2.4.4 Data Mining 71
4 Conclusion and Outlook 74
4.1 Stakeholder Interests and Barriers 74
4.2 Shared Resources 75
4.3 Change in Interest and Motivation 75
4.4 Opportunities in Technology 76
References 77
Glossary and Abbreviations 85
Glossary 85
Abbreviations 88

1 Introduction

The security discipline has so far been scoped toward technology ensuring security characteristics like availability, integrity or confidentiality by architectural design patterns like isolation, transaction or authentication, authorization and accounting. There is a trend focusing on effectiveness by means of risk analysis and proactive intelligence, see e.g. [Ande2007], [Ande2008a] or [Ande2008b]. It is well known that security of information systems is an emergent property; however it is still common practice to protect physical (concrete) elements of these systems, see [Curr2011].

One reason for this might be that intangible assets like information or services are not always regarded directly as assets. Even quality standards like ISO/IEC 25010 Systems and software engineering - Systems and software Quality Requirements and Evaluation (SQuaRE) distinguish between product quality and quality in use. Whereas security characteristics are regarded as quality attributes of products and systems, the corresponding quality attribute for quality in use is "Freedom from risk."

Another reason might be the dissolving business boundary separating the production of devices from the provisioning of services by means of these devices. This trend is even reflected in the separation of service standards like ISO/IEC 20000 Information technology - Service management from development standards like ISO/IEC 12207 Systems and software engineering - Software life cycle processes.

A third reason might be the inherent complexity of interactions and their interdependencies which is reflected in the diversity of standards provided by ITU-T, ETSI, ISO/IEC, 3GPP, IETF, etc. and diversity of technology in the considered domain of mobile telecommunication networks.

In other words, information security characteristics like confidentiality or availability are measured and treated at physical elements. This bears the problem that one cannot straightforwardly argue about either the effectiveness or the efficiency of information security, nor about freedom from information security risk for the provided services.

We know the cost of security means like enhancing encryption strength, but the question remains: What is the benefit? Established mechanisms by mere regulations like minimal security requirements cannot assure adequate security. As a consequence there is only weak evidence to benefit from security measures and investment decisions are not sound. This is even more true (and unclear) when considering network-like critical information infrastructure like the considered mobile telecommunication network.

This raises the challenging questions: What is the value of security? And what is the value of introduced security measures? How secure is the critical information infrastructure?

In the large scale context of open systems the generic security measures like authentication, authorization, or accounting seem to users to be of opaque value. Their value becomes apparent as soon as there is a defect in the required security characteristics.

Nevertheless, security policies are often ignored. Standards require security risk management, although it is often weakly implemented. Most approaches depend on confidence in a priori information about attacks, threats and vulnerabilities. But usually this information is not free, evolves continuously and depends on implementations (see [ASMONIA_D51]).

Due to the adverse environment there are additional complexities like asynchronicity and asymmetry. Here an economic approach seems to be promising, at least if we assume that threats betray economic incentives and any threat eventually implies some deficit. Note that information security of (even only parts of) critical infrastructures contributes directly to social welfare, see e.g. [Schec2004].

Our hypothesis is that it is promising to ensure information security collaboratively in networks of interdependencies. Consumers and providers inside an information system can treat information security as a common economic good. Assuring the utility of the services provided maximizes use for (nearly all) affected parties. This raises the demand for a new security perspective for these parties.

However, the responsibility for ensuring adequate information security is segregated and assigned to different domains under the control of selfishly acting parties. These parties follow beliefs; they have their own desires and intents to maximize their payoffs inside the covering socio-economic-technical system.

Because "security demands" and "security offers" form an information market, the relation between information security and economic payoff is not simple. Genuine behavior or strategies like free riding hinder collaboration. At first sight there seems to be only a weak incentive for increasing security, or even only security transparency.

To add another complexity: Each party is confronted with a wide variety of emerging unforeseeable threats originated by fraudulent and disguised use of the information system, mainly motivated by misdirected economic incentives.

Hence ensuring comprehensive security for a critical information infrastructure bears inherent complexity. The variety of unforeseeable risks renders efficient and effective defense strategies hard, although risk reduction could even be compatible with economic interests, see e.g. [Moor2011].

In our vision information security approximates a self-securing community sustaining security characteristics of the used and shared information system collaboratively. By collaboration we mean acting together to achieve adequate security properties as common goal.

We develop the first step towards this vision providing a model that allows rendering common situational awareness for any set of affected parties and recommendations for secure services. Several security models have already been proposed ranging from a complete discipline (see [Ande2008a], [Albe2002]) and a body of knowledge (see [Alle2008]) to specific recommendations for dealing with certain security issues (e.g. [NIST_SP800-61] or [NIST_SP800-94]). Common situational awareness requires deepening and aligning continuously the understanding about security risks by means of a unifying model.

The disciplines treat information security as a part of the life cycle processes, with the aim of designing in security measures that assure certain properties against assumed threats. These insights lead us to supplement the risk management approaches by a measurement capability to reveal the value of security. Risk management approaches as in the ISO/IEC 27k family recommend that one organization undertake a management cycle:

- Identify information assets and their associated security requirements
- Assess information security risks
- Select and implement relevant controls to manage unacceptable risks
- Monitor, maintain and improve the effectiveness of security controls.

Note that this approach usually focuses on one organization only. As soon as there is a community, the approach fails to incorporate and reflect multiple risk and asset perspectives.

It is well known in the art that protecting complex information systems from attacks requires the consideration of a multitude of technical, organizational and social controls. Several approaches indicate a decision- and game-theoretic direction, see [Agra2011] or [Alpc2010]. [Ande2009] states that information security requires an interdisciplinary approach, where computer science, economics and psychology meet. [Asgh2007] states that the mental models of security have a deep impact on decisions. Usually these approaches focus on the identification of vulnerabilities with respect to a certain aspect and a bounded system of interest.

In this sense we propose an analytical scale-free security model for increased situational awareness supporting the risk management cycle by determining the current risk exposure of a critical infrastructure. We conceptualize especially estimation and transfer of risks to overcome the restriction to one organization, such that the model can cope even with shared infrastructures. One of our design goals is minimal invasiveness and the capability to leverage existing security measures. We address this by a monitoring recommender system that maintains a shared model of security that is tightly related to real values. The values provisioned by the system and the deficit due to defects will be made transparent.

We present a case study implementing an intrusion detection and prevention system to show how the concepts can be used to embed the offered information. Although it does not completely address the multiple aspects of the enterprise architecture of a telecommunication network, the case study shows how concrete means can be realized to protect the services offered by this infrastructure, and how the described concepts govern integrity in support of the final goal of situational awareness and cooperation.

This document describes and extends the concepts necessary to design a recommender system for continuous security risk reduction based on measurements. Due to involvement of many parties a socio-economic perspective is developed. To relate technical measurements supporting information security risk management with the socio-economic environment of the mobile telecommunication network a socio-technical perspective is developed. These two perspectives enable the further development of an enterprise architecture supplement for collaborative risk management:

- Continuous Security Monitoring is addressed in section 2.2 as the definition of guards.
- Continuous Security Model Adaptation is addressed in the enterprise architecture outlined in section 3.2 and especially in section 3.2.3.2.
- Continuous Security Economics Analysis is addressed as applications in section 3.2.3.
- Continuous Security Awareness is addressed by the developed semantics and the payoff flow graph and transfer flow graph in sections 2.2.1 and 3.2.2.2.

2 Concepts

2.1 Socio-Economic Perspective

Consider an asset as anything tangible or intangible that is capable of being owned or controlled to produce value and that is held to have positive economic value, see ISO/IEC 27000 Information technology - Security techniques - Information security management systems - Overview and vocabulary. Services provided by means of the information system are considered as the assets. These might be consumed or provisioned by a party or even by a community or society of multiple parties. So the invocation corresponds in some way to value flows and determines the real impact on society.

We expect that the enhanced security transparency will stimulate replicator dynamics. But collaboration for increasing security bears an adaptation dilemma: it requires effort and transparency to disclose relevant security measurements, with unknown benefit if adopted. In other words, security transparency changes the economic game drastically.

To provoke sustainable and stable behavior we design for continuity. We introduced the notion of an agent. Agents represent involved parties provisioning or consuming services. Agents have the capability of selecting a strategy based on their beliefs, desires and intentions. Each agent is assumed to make her own decisions influenced by her intentions, her assumptions, her environment and her constraints to maximize her payoff. Therefore agents have a profile of admissible strategies, values and costs, residual (value) deficits and transferred deficits.

2.1.1 Game Theory

To formalize this we use a relaxed notion of strategic games borrowed from Game Theory, see e.g. [Osbo2009]. Generally the game-theoretic perspective was selected because of the adversarial, dynamic environment. The plurality of users of an information infrastructure have divergent interests, leading to different strategies for using the provided services. To enable comparison of strategies we assume money as the yardstick for a value maximizing strategy, because it can be easily transferred between agents.

Agents choose their strategies simultaneously. Subsequently each agent receives a payoff resulting from the joint strategy. The key idea is to choose an optimal strategy that maximizes an agent's payoff. However this strategy depends on the choices of others. Game theory treats this dependency by identifying subsets of outcomes, called solution concepts. The two most fundamental ones are equilibrium and best response.

The notions of dominance and reduction apply to mixed extensions of finite strategic games as well. The concrete admissible strategies of an agent in our setting consist of the set of consumable services and the set of provided services. The concrete payoff function is composed of the value add v(s) of a service invocation, the cost c(s) imposed and the deficit d(s) due to security defects:

p(s) = v(s) - c(s) - d(s).

Concretely we will use these concepts only to maintain a profile of chosen strategies. We will not assume stable joint strategies or rational behavior at all. We use the game notation for the sole sake of keeping records of the agents' behavioral profile for analyzing purposes. Obviously the game is repeated for any service invocation. The agents in this game are the service providers and the service consumers. This repetition obscures some key factors. We consider the game as infinitely repeated with some discounted reward.

The resulting strategy space of the repeated game becomes very large, although it is possible to characterize equilibria. There are so-called folk theorems stating that the attainable rewards in equilibrium are those attainable payoffs in a single game with the constraint that each agent's payoff is at least the amount she would receive if the other agents adopted min-max strategies against her, see Essentials of Game Theory: A Concise, Multidisciplinary Introduction, Kevin Leyton-Brown and Yoav Shoham.

2.1.2 Mechanism Design

Mechanism Design concerns the design of economic mechanisms, just like computer scientists designing algorithms. It is advantageous to view the goals of the designed

of expert agents relying on shared experience making a kind of social choice when compiling an advisory opinion. This is a consensus based social choice. Although the error of the risk prediction could be reduced by enlarging the experts' variety (which is known under the term "wisdom of crowds"), the result is limited to the scope and experience of the experts and biased by the experts' intrinsic interests.

Social choice can be seen as an aggregation of preferences of agents towards a single joint decision. The main message conveyed is that there are unavoidable underlying difficulties in conducting a social choice. The main results in this context are the Gibbard-Satterthwaite Theorem and the Theorem of Arrow stating that this strategic vulnerability is unavoidable. These theorems seem to destroy the hope of designing incentive compatible social choice functions.

But the addition of some money offers an escape route. In a world with money the mechanisms will not only choose a social alternative, but will also determine money transfers. The complete social choice is then composed of the alternative chosen, as well as of the transfer of money.

The main idea lies in the latter sum term, which means that each agent is paid an amount equal to the sum of the values of all others. When this term is added to her value, the sum becomes exactly the total social welfare. Hence, this mechanism aligns the incentives with the social goal of maximizing social welfare, which is exactly achieved by telling the truth. The Vickrey-Clarke-Groves Theorem states that these mechanisms are incentive compatible. We use this idea to charge deficits. Our mechanism design follows the principle of charging deficits to agents that would have been in the position to recognize the deficits. This seems to be a rational argument, but is often ignored. One of the challenges is to extract a priori relevant genuine information allowing inference of the economic impact even in a context where information security depends on externalities. And, of course, the other challenge is to identify the agents that were in the position to recognize the deficits.
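The incentive argument above can be made concrete with a small Groves mechanism. The following is an added example, not code from the deliverable or the ASMONIA project; the scenario (three agents choosing which control a shared service adopts, with constructed private values) and the use of the standard Clarke pivot rule for the money transfer are assumptions, since the page does not state the transfer formula. Each agent's transfer equals the value the others obtain at the chosen alternative minus the best the others could have reached without that agent, i.e. the externality the agent imposes, which is the same principle as charging a deficit to the party that was in the position to avoid it. The grid search at the end checks the incentive compatibility claim: no misreport improves an agent's true utility.

```python
from itertools import product

# Constructed example: the social alternative is which control a shared service
# adopts; every agent has a private value per alternative (all values assumed).
ALTERNATIVES = ["none", "rate_limit", "mutual_tls"]
TRUE_VALUES = {
    "operator": {"none": 0.0, "rate_limit": 4.0, "mutual_tls": 6.0},
    "vendor":   {"none": 8.0, "rate_limit": 3.0, "mutual_tls": 1.0},
    "user":     {"none": 0.0, "rate_limit": 2.0, "mutual_tls": 3.0},
}


def welfare(reports, alternative, exclude=None):
    """Sum of reported values for one alternative, optionally leaving one agent out."""
    return sum(v[alternative] for name, v in reports.items() if name != exclude)


def social_choice(reports):
    """Pick the alternative with the highest reported welfare (first in list on ties)."""
    return max(ALTERNATIVES,
               key=lambda a: (welfare(reports, a), -ALTERNATIVES.index(a)))


def vcg(reports):
    """Groves mechanism with the Clarke pivot rule: agent i receives the others'
    reported value at the chosen alternative minus the best welfare the others
    could have reached without i. The difference is i's externality (<= 0)."""
    chosen = social_choice(reports)
    transfers = {}
    for i in reports:
        others_at_chosen = welfare(reports, chosen, exclude=i)
        others_best = max(welfare(reports, a, exclude=i) for a in ALTERNATIVES)
        transfers[i] = others_at_chosen - others_best
    return chosen, transfers


def utility(agent, reports, true_values=TRUE_VALUES):
    """Agent's realised payoff: true value of the outcome plus its money transfer."""
    chosen, transfers = vcg(reports)
    return true_values[agent][chosen] + transfers[agent]


def best_deviation_gain(agent, true_values=TRUE_VALUES):
    """Search a grid of misreports for one agent (others report truthfully) and
    return the largest utility gain over truthful reporting. Incentive
    compatibility means this is never positive."""
    truthful = utility(agent, true_values, true_values)
    best = float("-inf")
    for vals in product([0.0, 2.5, 5.0, 10.0], repeat=len(ALTERNATIVES)):
        reports = dict(true_values)            # shallow copy; inner dicts untouched
        reports[agent] = dict(zip(ALTERNATIVES, vals))
        best = max(best, utility(agent, reports, true_values) - truthful)
    return best


if __name__ == "__main__":
    chosen, transfers = vcg(TRUE_VALUES)
    print("chosen:", chosen, "transfers:", transfers)
    for agent in TRUE_VALUES:
        print(agent, "utility:", utility(agent, TRUE_VALUES),
              "best deviation gain:", best_deviation_gain(agent))
```

With the constructed values the mechanism selects mutual TLS (reported welfare 10 against 8 and 9). The operator and the user are pivotal, since without either of them the others would have preferred "none", so they are charged 4 and 1 respectively, while the vendor, whose presence does not change the outcome, pays nothing. This is the sense in which the transfer falls on the agents who shaped the outcome rather than diffusing over everyone.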

2.1.3 Communities

Profiling the agents allows us to categorize agents according to their role. Let a community be a set of agents. There are the following communities.

Participating agents have strategies for providing or consuming a service s. This set recursively includes those agents that consume or provide the services that the service s depends on. Dependent services are services that are provisioned and consumed for provisioning the service s.

Experienced agents are the agents that have potentially caused or recognized behavior leading to similar observations and deficiencies. These are potential defenders or attackers. These agents already have experience in executing similar deficient strategies and represent security knowledge.

Constructive agents contribute to recognizing and counteracting behavior leading to deficiencies, i.e. defenders.

Destructive agents cause, directly or indirectly, consciously or unconsciously, intended or unintended behavior leading to deficiencies. This class of course comprises the potential attackers.

The communality or society is the set of all agents.

Note that this categorization of agents does not assume or imply intent of the agent. Even a victim of an attack could be classified as destructive. Agents are not a priori divided into attackers or defenders. Call experience some agent's knowledge of some event gained through involvement in or exposure to that event. Experience is gained when an agent has chosen some experimental strategy. The concept of experience refers to know-how, rather than propositional knowledge.

So far we have assumed well-behaved agents, which is in some sense not realistic. This leads to the question of a mechanism design that ensures genuine and effective collaboration leveraging the knowledge of experienced agents. Whether a specific agent interacts collaboratively or selfishly should be a rational decision maximizing that agent's reward. The agents will follow their motivational imperative according to their divergent interests.

A community of interest is a community sharing a common utility. These agents share demands and could be defined as the set of agents that transfer a risk to an experienced agent. A community of practice is a community sharing an experience resulting in a craft or valuable information. This community needs the profile information of experienced agents to extract knowledge about potential threats. These communities evolve naturally because of


2.1.4 Security Model

So far we have approached security by a continuous process as described in ISO/IEC 27001. This process can be re-formulated using the introduced notions:

- Understanding a communality's information security requirements and the need to establish policy and objectives for information security;
- Implementing and operating controls to manage an organization's information security risks in the context of the communality's overall risks;
- Monitoring and reviewing the performance (efficiency) and effectiveness of the information security management system; and
- Continual improvement based on objective measurement,

following a Deming Plan-Do-Check-Act cycle. We aim to understand and minimize the sum of all deficits due to security defects.

Objectivity (non-biased) is ensured by collaborative agreements on guards. In the end this enables analyzing effectiveness. A major challenge is to treat diffuse deficits. These deficits will aggregate at experienced agents, i.e. agents with a similar profile. The experienced agents become witnesses for detected defects matching their profile.

This transfer mechanism reverses the security risk diffusion, such that deficits concentrate on the origins of recognition. We leverage not only the experience of a small set of experts but the experience of the whole community consuming the defective service. Finally we can infer from excessive transferred deficits that there must be a rationale for a security defect inside the profile. Similar mechanisms are known from web shops that rank products by the crowd's feedback.

We expect that mere allocated aggregated deficits will motivate agents or agent communities - if transparent - to contribute their capabilities and resources to reduce the security risk. This approach patches the dilemma that bad behavior, including inadequate security measures will not immediately be sanctioned economically. Furthermore, the diffusion of impact due to the distributed characteristics of security becomes somehow reversed.

2.1.5 Profiles and Rewards

So far we assumed that each agent intends to follow strategies maximizing her immediate payoff and her discounted reward over time. The communality intends to minimize the summarized deficits to increase social welfare. We consider the history of selected strategies influencing the payoff values as agent profile.


For identifying relevant experience we propose a notion of neighborhood in the space of all such profiles. This has the advantages of simplicity, justifiability, efficiency and stability with respect to changing profile arrangements. These definitions allow us to compute the relevant community of experience with respect to profile similarity. This community is formed by the set of agents sharing similar deficits, when following similar strategies with similar measurements.

The definition enables narrowing with respect to the degree of similarity  and refinements of measurements, strategies S and time frames .

2.1.6 Transfers

The procedure concentrates deficits on experienced agents by transferring deficits to agents that already have a similar profile.

Initially we suggest a conservative approach for the parameters S,  and  of the distance measure, i.e. S is a singleton of a sole strategy, refinements of measurements  and timeframes  are universal, i.e. the complete measurement capability and history is considered. These parameters might evolve and can be used to focus on specific issues.

Observe that when continuously transferring according to the described rule, the experienced agents accumulate the deficits. This allows identifying deficit classes together with their aggregated impact. After a while transfers need to be discharged for cleansing. This might be justified either by initiating countermeasures that avoid the deficit or by aging. If security guards are in place and an agent nevertheless ignorantly invokes a service with defective characteristics, the deficit remains residual.

Multiplying transferred risks by a factor slightly less than 1 from time to time will simply reduce old transfers. Eventually irrelevant transfers, i.e. transfers that are not renewed, will vanish. The security guards introduced can be considered dependable because mere inspection would uncover abusive behavior anyhow.

The mechanism outlined so far relies on a continuous stream of measurements of service invocations triggering state transitions inside the information system. These service invocations cause deficit streams witnessed by measurements. The measurements are assumed to be made by a set of security guards. Through the transfer mechanism, guards and estimates can gain controlled precision and recall.
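As an added illustration that is not part of the deliverable, the neighborhood, transfer and aging rules of sections 2.1.5 and 2.1.6 in Python: profiles are keyed by (strategy, measurement) pairs, cosine similarity stands in for the distance measure, and the threshold epsilon, the strategy set S, the aging factor and floor and all agent data are constructed assumptions.

```python
"""Added example: profile neighborhood, deficit transfer and aging."""
import math
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed data model (assumption): an agent profile maps a
# (strategy, measurement) key to the deficit experienced when following that
# strategy under that measurement. A ledger holds the transferred deficits.
Key = Tuple[str, str]
Profile = Dict[Key, float]
Ledger = Dict[str, Profile]


def restrict(profile: Profile, strategies: Optional[Iterable[str]]) -> Profile:
    """Narrow a profile to the strategy set S (None keeps the whole history)."""
    if strategies is None:
        return dict(profile)
    allowed = set(strategies)
    return {k: v for k, v in profile.items() if k[0] in allowed}


def similarity(a: Profile, b: Profile) -> float:
    """Cosine similarity of two profiles over the union of their keys (assumed metric)."""
    keys = set(a) | set(b)
    dot = sum(a.get(k, 0.0) * b.get(k, 0.0) for k in keys)
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def neighborhood(agent: str, profiles: Dict[str, Profile], epsilon: float,
                 strategies: Optional[Iterable[str]] = None) -> List[Tuple[str, float]]:
    """Community of experience: other agents whose (restricted) profile is at
    least epsilon-similar to the agent's own, most similar first."""
    own = restrict(profiles[agent], strategies)
    found = []
    for other, prof in profiles.items():
        if other == agent:
            continue
        s = similarity(own, restrict(prof, strategies))
        if s >= epsilon:
            found.append((other, s))
    found.sort(key=lambda item: -item[1])
    return found


def transfer(ledger: Ledger, agent: str, profiles: Dict[str, Profile], key: Key,
             amount: float, epsilon: float,
             strategies: Optional[Iterable[str]] = None) -> str:
    """Concentrate a newly reported deficit on the most similar experienced agent.
    Returns the carrier; the reporting agent keeps the deficit if nobody is
    similar enough."""
    nearest = neighborhood(agent, profiles, epsilon, strategies)
    carrier = nearest[0][0] if nearest else agent
    entry = ledger.setdefault(carrier, {})
    entry[key] = entry.get(key, 0.0) + amount
    return carrier


def age(ledger: Ledger, factor: float = 0.9, floor: float = 0.05) -> None:
    """Discharge old transfers: scale every entry by factor < 1 and drop those
    below the floor, so transfers that are not renewed eventually vanish."""
    for carrier in list(ledger):
        entry = ledger[carrier]
        for key in list(entry):
            entry[key] *= factor
            if entry[key] < floor:
                del entry[key]
        if not entry:
            del ledger[carrier]


def aggregated_impact(ledger: Ledger) -> Dict[Key, float]:
    """Deficit classes with their aggregated impact across all carriers."""
    total: Dict[Key, float] = {}
    for entry in ledger.values():
        for key, value in entry.items():
            total[key] = total.get(key, 0.0) + value
    return total


# Constructed sample profiles (assumption): alice and bob followed a retry
# strategy with similar latency/timeout deficits, carol used a cache strategy.
PROFILES: Dict[str, Profile] = {
    "alice": {("retry", "latency_ms"): 120.0, ("retry", "timeout"): 3.0},
    "bob": {("retry", "latency_ms"): 110.0, ("retry", "timeout"): 2.0,
            ("failover", "error_rate"): 0.5},
    "carol": {("cache", "stale_reads"): 40.0},
}

if __name__ == "__main__":
    ledger: Ledger = {}
    print(transfer(ledger, "alice", PROFILES, ("retry", "timeout"), 1.0, 0.8))
    print(aggregated_impact(ledger))
    for _ in range(3):
        age(ledger, factor=0.5, floor=0.3)
    print(ledger)
```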

2.2 Socio-Technical Perspective

So far we declared abstractly that security guards produce measurements out of the service invocations. Measurements are witnesses for deficits. For deriving them one needs a commonly understood and accepted semantics of observations. To be able to cope with the huge variety of formats, monitoring events and protocols we introduce a formal but extensible basis suitable to span and adapt to the relevant dimensions of measurement.

To maintain interoperability across the rapidly varying services provided by a critical infrastructure we introduce a semantic layer mediating different physical realizations, evolution and adaptation. This precise shared understanding allows adapting the controls on the services.

The investigations carried out showed the necessity of coordinating existing measurement catalogs, ranging over formats like Assessment Results Format, Common Configuration Enumeration, Common Event Format, Charging Data Records, Common Platform Enumeration, or Intrusion Detection Message Exchange Format. This diversity has led to diverse measurement ontologies. To enable a shared interpretation, which is the basis for collaboration, we introduce a sufficiently flexible and sufficiently expressive semantics.

The semantics should be sufficiently simple yet formal to ensure shared understanding and unambiguous interpretation. The purpose of the semantics is to derive from any measurements or observations a diagnosis about the security of a shared infrastructure - for all involved parties (or agents). Hence we declared the performance and the observable events as the description itself.

Although this diverges from the usual format standardization approaches, it enables adaptation and extension, which the authors consider an advantage in an adversarial, evolving multi-stakeholder environment. Concretely, the semantics allows relating any observation that is related to a technical process triggered by a service invocation for integrative purposes.

We follow [Rutt2000] when defining flexible semantics. The basis will be the observation semantics of monitored events. The resulting theory of monitored information systems is flexible and sufficiently expressive. It might even be probabilistic as in [Sega1994] or [Sega1995]. We use this semantics to enhance, extend and agree on security guards that serve for measurements. These guards should be non-invasive, non-interfering and adaptive with respect to the evolution of the system underneath as well as with respect to existing monitoring systems and formats.

2.2.1 Semantics

To be able to integrate concrete monitoring outputs like event streams, log files, configuration identifiers etc. we define a monitoring semantics that abstracts the underlying information system. This helps to consider security measures at different layers and levels of abstraction. For example, when considering the Internet as a best-effort network we can measure packet loss although the loss is recovered at the application layer. Similarly there might be a failed transaction at the application layer that causes some deficit to an agent although the rollback is assumed to recover the original state. The agent would experience an effect and complain about the availability or performance of the transaction service.

The idea is that we keep track and adapt the semantics to the effective experience of involved agents at any level of abstraction. Hence the semantics becomes a unifying (integrating) description of the information system's behavior that reflects any changes, e.g., when the system evolves or an increase in precision becomes necessary.

The model describes the relation of systems and their behaviors in terms of outcomes. From the point of view of the environment the internal states of the information system are not observable. An information system together with a starting state forms a process. A starting state is assumed to correspond one-to-one to a service invocation. To investigate relationships between systems we use morphisms as structure preserving mappings.

The information system together with the morphisms defines a family of observation semantics. Behaviors are invariant with respect to morphisms. All behaviors of all information systems constitute themselves an information system. Investigating morphisms allows declaring concrete observation semantics as well as behavioral equivalence.

This co-algebra construction describes a dynamical reactive information system, where the carrier models a state space. The fundamental difference between co-algebra and the usual algebraic monitoring semantics is construction versus observation. An algebra consists of a carrier set with a function into the carrier telling how to construct elements. A co-algebra consists of a carrier but with a function going out of the carrier. There are only operations acting on the carrier, giving some information about the carrier's evolution. Co-algebraic operations do not reveal elements of the carrier entirely.

The existence of a function into a final co-algebra serves as a principle of definition by co-induction, and its uniqueness provides a proof principle. Although it is not feasible to compute the final co-algebra of a real information system for complexity reasons (this would amount to checking against a full specification), this model is sufficiently expressive and serves for reasoning.

2.2.1.1 Execution Semantics

2.2.1.2 Monitoring Semantics

We assume for the sake of simplicity polynomial functors. Further, for illustrative purposes and for adaptation to the current logging/streaming semantics, we restrict our considerations to a direct product. Let

be the signature of the monitoring co-algebra

This has a natural interpretation. The carrier X corresponds to the internal states of the monitored system, i.e. the whole critical information infrastructure that evolves over time. The set  comprises all measurements. This co-algebra can be understood as a process which, when started in some state x in X, produces an infinite stream of outputs, i.e. measurements

The infinite stream is the behavior of the infrastructure. States are behaviorally equivalent if and only if the produced streams are equal.
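Added example (not from the deliverable): a finite monitoring co-algebra X -> M x X written as a Python transition table, its unfolding into the measurement stream, and a coinductive check that two states are behaviorally equivalent exactly when their streams agree; the state names and measurements are constructed.

```python
"""Added example: a finite monitoring co-algebra and behavioral equivalence."""
from typing import Callable, Dict, Hashable, List, Tuple

State = Hashable
Measurement = str
# The co-algebra structure map X -> M x X: one measurement and the next state.
Step = Callable[[State], Tuple[Measurement, State]]

# Constructed transition table (assumption) of a monitored service. The state
# names are internal and unobservable; only the measurements are emitted.
TABLE: Dict[State, Tuple[Measurement, State]] = {
    "A": ("ok", "B"), "B": ("slow", "A"),      # alternates ok / slow
    "C": ("ok", "D"), "D": ("slow", "C"),      # same behavior, other states
    "E": ("ok", "E"),                          # always ok
    "F": ("ok", "G"), "G": ("slow", "H"), "H": ("error", "F"),
}


def table_step(x: State) -> Tuple[Measurement, State]:
    """Structure map of the constructed co-algebra."""
    return TABLE[x]


def behavior(step: Step, x: State, n: int) -> List[Measurement]:
    """Unfold the first n elements of the measurement stream started in x
    (a finite prefix of the process's behavior)."""
    stream = []
    for _ in range(n):
        m, x = step(x)
        stream.append(m)
    return stream


def bisimilar(step: Step, x: State, y: State) -> bool:
    """Coinductive check that x and y produce the same stream: explore the pairs
    of states reached in lock step; the explored set is a bisimulation iff every
    pair agrees on its measurement. Terminates because the state space is finite."""
    seen = set()
    todo = [(x, y)]
    while todo:
        p, q = todo.pop()
        if (p, q) in seen:
            continue
        seen.add((p, q))
        mp, p_next = step(p)
        mq, q_next = step(q)
        if mp != mq:
            return False          # the streams differ at this position
        todo.append((p_next, q_next))
    return True


def behavior_classes(step: Step, states: List[State]) -> Dict[State, int]:
    """Quotient by behavioral equivalence: states mapped to the same class
    correspond to the same element of the final co-algebra (the same stream)."""
    representatives: List[State] = []
    classes: Dict[State, int] = {}
    for s in states:
        for i, rep in enumerate(representatives):
            if bisimilar(step, s, rep):
                classes[s] = i
                break
        else:
            representatives.append(s)
            classes[s] = len(representatives) - 1
    return classes


if __name__ == "__main__":
    print(behavior(table_step, "A", 5))
    print(bisimilar(table_step, "A", "C"), bisimilar(table_step, "A", "E"))
    print(behavior_classes(table_step, list(TABLE)))
```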

2.2.2 Guards

The concrete observation semantics allows us eventually to identify and integrate measurements, to communicate their meaning and to define corresponding observers or guards on the semantic structures for certain anomalies.

To overcome the dependence on real (application) infrastructure measurements we introduced the notion of a security guard.

Note that the underlying function of a guard could range from a simple measurement like elapsed time or consumed resources to a sophisticated evaluation of the explicitly presented semantic structure. We do not know a priori what will be relevant for the estimation of deficits. Instead we provide a framework to define and agree on guards and to integrate different guards into a measurement vector that relates to a service invocation.

2.2.2.1 Governance

The crucial benefit from guards is that an explicit agreed measurement can be related to an expected deficit. Furthermore, if there is a reported deficit that cannot be discriminated by the available guards, it could trigger a refinement of measurements by the creation of a new guard. In other words the set of guards can be optimized according to current deficit concentrations.

Agents can share guards as well as the measurements reported by the guards when invoking a service, to assure a high precision when estimating deficits. Designing a new guard requires the semantics. But as soon as the set of guards is defined, the measurements can be used to estimate and allocate deficits.

For the moment security guards are assumed to be shared among the agents that consume or provide a service, such that any consumer can leverage the explicit measurements made. This allows adapting security guards to current conditions. Eventually security guards provide the rationales for deficits.

Examples for concrete guards could be measurements provided as built-in measurements, e.g. originated by network elements or SIEMs as outlined in deliverable D4.1(i) (see [ASMONIA_D41]), or provided by subsystems like intrusion detection and prevention systems or honeypots.

2.2.2.2 Integrity Monitoring

Another example might be the integrity verification of involved components as outlined in deliverable D2.1 [ASMONIA_D21], e.g. implemented by means of comparing a computed hash value against a set of known valid hash values. When the service is invoked the integrity is verified by the guard.

2.2.2.3 Behavioral Monitoring

A third, broader example of a concrete guard is a model of transitions between hidden states. Although there are observations witnessing a state, the real state is blurred. But the recorded observations can be considered as a probabilistic function of these states.

Given a number of sequences of observations there are essentially three questions:

• What is the probability of a specific observation sequence for a given model?

• How to find a state sequence with the highest probability for a given observation sequence and a model?

• And finally, the calibration problem: how to find a model for a given set of observation sequences that maximizes the probability of the set of sequences?

To be self-contained for the reader's convenience we derive a closed solution to the three problems, which can be derived from any text about Markov chains, e.g. see [Bern1999], [Bart2004] or [Bilm2006]. We develop an algorithm sketch for these problems reusing the concepts of the Viterbi algorithm. However, any approximation algorithm or reinforcement learning algorithm would serve as well; here the derivation is based merely on the application of Bayes' law and the law of total probability.

When we consider the probability events  as the set of secure executions, we can train a guard to adapt to secure executions. The feature is then the probability of a secure monitored observation sequence. Similarly we can consider a training set for insecure operations to derive a feature for insecure executions, constituting a security guard.
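Added example, not from the deliverable: the first two problems above (the forward recursion for the probability of an observation sequence and the Viterbi path, both in log space) together with a guard trained on secure executions as just described, using a constructed two-state model of a monitored service. The transition and emission probabilities, the per-symbol log-likelihood feature and the margin are assumptions; the calibration problem (3) is not shown.

```python
"""Added example: forward probability, Viterbi path and a likelihood guard."""
import math
from typing import Dict, List, Sequence, Tuple

# Constructed model (assumption): hidden states of a monitored service and the
# events a guard observes. Probabilities are illustrative, not calibrated.
STATES = ["healthy", "degraded"]
START: Dict[str, float] = {"healthy": 0.9, "degraded": 0.1}
TRANS: Dict[str, Dict[str, float]] = {
    "healthy": {"healthy": 0.85, "degraded": 0.15},
    "degraded": {"healthy": 0.3, "degraded": 0.7},
}
EMIT: Dict[str, Dict[str, float]] = {
    "healthy": {"ok": 0.8, "slow": 0.15, "error": 0.05},
    "degraded": {"ok": 0.2, "slow": 0.5, "error": 0.3},
}


def _log(p: float) -> float:
    return math.log(p) if p > 0 else float("-inf")


def _logsumexp(values: Sequence[float]) -> float:
    top = max(values)
    if top == float("-inf"):
        return top
    return top + math.log(sum(math.exp(v - top) for v in values))


def forward_logprob(obs: Sequence[str]) -> float:
    """Problem 1: log P(obs | model). The forward recursion sums over all hidden
    paths (law of total probability), in log space to avoid underflow."""
    alpha = {s: _log(START[s]) + _log(EMIT[s][obs[0]]) for s in STATES}
    for o in obs[1:]:
        alpha = {
            s: _logsumexp([alpha[r] + _log(TRANS[r][s]) for r in STATES]) + _log(EMIT[s][o])
            for s in STATES
        }
    return _logsumexp(list(alpha.values()))


def viterbi(obs: Sequence[str]) -> Tuple[List[str], float]:
    """Problem 2: the hidden state sequence of highest probability for obs.
    Same recursion as forward, with max in place of sum plus back pointers."""
    delta = {s: _log(START[s]) + _log(EMIT[s][obs[0]]) for s in STATES}
    back: List[Dict[str, str]] = []
    for o in obs[1:]:
        new_delta, pointers = {}, {}
        for s in STATES:
            best_prev = max(STATES, key=lambda r: delta[r] + _log(TRANS[r][s]))
            new_delta[s] = delta[best_prev] + _log(TRANS[best_prev][s]) + _log(EMIT[s][o])
            pointers[s] = best_prev
        delta = new_delta
        back.append(pointers)
    last = max(STATES, key=lambda s: delta[s])
    path = [last]
    for pointers in reversed(back):
        path.append(pointers[path[-1]])
    return path[::-1], delta[last]


def train_guard(secure_sequences: Sequence[Sequence[str]], margin: float = 0.5) -> float:
    """Train the guard on secure executions: the feature is the per-symbol
    log-likelihood under the model; the threshold lies `margin` nats below the
    least likely secure training sequence (margin is an assumed parameter)."""
    scores = [forward_logprob(seq) / len(seq) for seq in secure_sequences]
    return min(scores) - margin


def guard(obs: Sequence[str], threshold: float) -> Tuple[bool, float]:
    """Security guard: flag the observed sequence as a deficit witness when it is
    less likely than the threshold under the secure-execution model."""
    score = forward_logprob(obs) / len(obs)
    return score < threshold, score


if __name__ == "__main__":
    threshold = train_guard([["ok", "ok", "ok", "slow"], ["ok"] * 5])
    print(viterbi(["ok", "slow", "slow", "error"]))
    print(guard(["error", "error", "error", "slow"], threshold))
```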

2.2.3 Estimating

So far we considered measurements with no direct relation to deficits in order to separate the estimation of behavior from the estimation of value. To instrument the estimation function

mapping the measurements

reported by the guards to deficits, supervised training data is necessary for inferring the function. The training data consist of a set of features produced by guards together with an observed deficit. Each example is a pair (x, y) of measurements x leading to a deficit y. Any supervised learning algorithm would serve as a regression function minimizing the error over the training pairs.

To gain this required training data we sample feedback from real agents that experienced a deficit. Hence we compute the function E by means of a feedback loop of agents invoking a service. They leverage their experienced deficits originated by service defects identified by guards. At this point we couple the socio-economic perspective with the technical perspective.

2.2.4 Filtering

It is beneficial to leverage estimation functions from other agents. The explicit measurements and the related experienced deficits allow deficits to be estimated collaboratively by means of collaborative filtering.

For the adaptation of the security guards to current similar observations collaborative filtering is suitable for experience sharing. In general, collaborative filtering is the process of filtering for information or patterns, viewpoints and data sources. In a narrower sense, collaborative filtering is a method of making automatic predictions about the interests of an agent by collecting experience information from many agents. In our case the experience information is the deficit associated with the measurements provided by the guards.

The underlying assumption of the collaborative filtering approach is that if an agent has similar utility as another agent on the same measurement, they are more likely to share utilities on different issues than random agents. Although collaborative filtering methods suffer from low data quality and inherently high update complexity, it seems to be an adequate method to establish and share a latent relation between measurements and deficits.

Regression models allow integrating different data sources in their model equations without a priori knowledge. The continuous adaptation gained from the feedback establishes a latent semantics for the guards. Clustering and principal component analysis can be used for cleansing, for reducing computational complexity, for improving scalability and finally for accuracy. Cross-validation against reference test sets and retraining can be used to determine precision and recall.

Since expected deficit becomes predictable, recommendations can be derived based on profile information and the collaborative estimators. An agent can then be recommended to select a service with a lower risk profile, i.e. a better payoff for the agent. This also contributes to the decrease of deficits and hence to increased security. Concretely this could be realized using a dynamic programming approach maximizing the agent's utility.
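Added example (not the deliverable's code) for sections 2.2.3 and 2.2.4: user-based collaborative filtering over the feedback table of experienced deficits, predicting an agent's expected deficit for a service it has not yet invoked and recommending the service with the lowest expected deficit. The Pearson similarity, the neighborhood size k and all agent data are constructed assumptions.

```python
"""Added example: collaborative filtering of experienced deficits."""
import math
from typing import Dict, List, Optional, Tuple

Table = Dict[str, Dict[str, float]]

# Constructed feedback table (assumption): agent -> service -> deficit the
# agent experienced after invoking that service, i.e. the collected (x, y)
# feedback with the service standing in for its guard measurement vector.
DEFICITS: Table = {
    "alice": {"svcA": 5.0, "svcB": 3.0, "svcC": 4.0},
    "bob": {"svcA": 4.0, "svcB": 2.0, "svcC": 3.0, "svcD": 1.0, "svcE": 4.0},
    "carol": {"svcA": 1.0, "svcB": 5.0, "svcC": 2.0, "svcD": 6.0},
    "dave": {"svcA": 5.0, "svcB": 3.0, "svcD": 2.0, "svcE": 5.0},
}


def mean(values: List[float]) -> float:
    return sum(values) / len(values)


def pearson(a: Dict[str, float], b: Dict[str, float], min_common: int = 2) -> Optional[float]:
    """Similarity of two agents on the services both have invoked; None when
    they share too few services to say anything (assumed similarity measure)."""
    common = [s for s in a if s in b]
    if len(common) < min_common:
        return None
    mean_a = mean([a[s] for s in common])
    mean_b = mean([b[s] for s in common])
    num = sum((a[s] - mean_a) * (b[s] - mean_b) for s in common)
    den = math.sqrt(sum((a[s] - mean_a) ** 2 for s in common)) * \
        math.sqrt(sum((b[s] - mean_b) ** 2 for s in common))
    return num / den if den else 0.0


def neighbors(agent: str, table: Table, k: int = 3) -> List[Tuple[str, float]]:
    """The k most similar agents with positive similarity (the community whose
    experience is worth sharing), best first."""
    found = []
    for other, row in table.items():
        if other == agent:
            continue
        s = pearson(table[agent], row)
        if s is not None and s > 0:
            found.append((other, s))
    found.sort(key=lambda item: -item[1])
    return found[:k]


def predict_deficit(agent: str, service: str, table: Table, k: int = 3) -> float:
    """Expected deficit of the agent on a service it has not invoked: its own mean
    deficit plus the similarity-weighted deviation of each neighbor's deficit on
    that service from the neighbor's own mean."""
    own_mean = mean(list(table[agent].values()))
    num = den = 0.0
    for other, s in neighbors(agent, table, k):
        row = table[other]
        if service in row:
            num += s * (row[service] - mean(list(row.values())))
            den += abs(s)
    return own_mean + num / den if den else own_mean


def recommend(agent: str, table: Table, k: int = 3) -> Optional[Tuple[str, float]]:
    """Recommend the not yet invoked service with the lowest expected deficit,
    i.e. the lower risk profile and better payoff for the agent."""
    candidates = {s for row in table.values() for s in row} - set(table[agent])
    if not candidates:
        return None
    scored = [(s, predict_deficit(agent, s, table, k)) for s in sorted(candidates)]
    return min(scored, key=lambda item: item[1])


if __name__ == "__main__":
    print(neighbors("alice", DEFICITS))
    print(predict_deficit("alice", "svcD", DEFICITS))
    print(recommend("alice", DEFICITS))
```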

2.3 Technical Perspective on Guards

This section provides deeper considerations of concrete sensor candidates following the primary forces in the standardization of mobile telecommunication and the product features imposed by the market and the technical architecture.

2.3.1 Intrusion Detection and Prevention Systems

The process of monitoring and analyzing events occurring in large telecommunication networks has become indispensable with the constantly increasing number of attacks. Since attacks take a very wide spectrum of different forms and there are several ways to classify the attackers performing them, our focus differentiates two major classes of attackers, namely the internal and the external attacker. The internal attacker is a legitimate user within the network who consciously or by mistake attempts to gain more privileges than he has been granted. On the other side, the external attacker is an adversary responsible for external attacks. He strives for more privileges and rights via unauthorized access to the system from outside the network by using tools directly exploiting security vulnerabilities, mostly located at the network edge. Although external attacks committed by mistake are theoretically possible, their occurrence is rare and for this deliverable considered to be negligible.

To counter internal and external attacks, intrusion detection systems (IDSs) have been introduced. An IDS is defined as an independent monitoring unit in a network designed to detect the various types of aforementioned attacks violating any security policy. Unlike firewalls, the IDS does not simply block an incoming or outgoing connection, but rather evaluates the suspected event and signals an alarm. A system responsible for handling an intrusion detected by the IDS is called an intrusion prevention system (IPS). The IPS usually works in tandem with an IDS. For brevity, the term intrusion detection and prevention system (IDPS) is used to refer to a security system which has IDS and IPS deployed in parallel. Figure 1 shows the typical IDPS placement in a network. According to NIST guidelines [NIST_SP800-61], the primary objectives of an IDPS are:

Identifying imminent incidents. As stated, the main reason for deploying an IDPS¹ is to detect stealthy malicious attacks, often accompanied by reconnaissance activities. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks (privilege escalation, unauthorized access to sensitive resources) and malware. Note that the scope of this document is to provide recommendations on how security systems can detect attacks directly in the network. Therefore, host-based IDPSs are out of scope and we refer to [ASMONIA_D21] or [NIST_SP800-94] for more information.

Identifying security policy violations. The IDPS is one of the best sources available in the network for security monitoring [Fry09]. Besides malicious traffic, it can also verify the correctness of security policies by periodically generating bogus data that should be detected by other security components in the network the IDPS is running in. On many networks, a coal mine server (event generator) generates canary events (known attack vectors or failures) once in a while to verify the functionality of the IDPS. Sometimes a simple observation of the event rate over a period of time can help to ensure that an IDPS is working as expected. The most decisive parts besides the IDPS, relevant for correct intrusion identification, are antivirus protection, firewalls, routers and network configuration. Last but not least there are collection directories, databases and flow retention.

¹ Note that only the IDS is responsible for intrusion detection. However, if we consider that the IDS is usually a part of the IDPS and overall security is more effective only in combination with the IPS, the use of the word IDPS instead of IDS is also appropriate. The

Figure 1: Location of IDPSs in a network.

Handling intrusions. Once an intrusion is detected, the IPS is responsible for handling it. Based on its detection and prevention methods, the IPS can block the connection completely or modify the attacker's content in real time to prevent the intrusion. With respect to modification, we differentiate between replacement and deletion of malicious portions. A single packet replacement, especially in multimedia or real-time services, can prevent the intrusion. Multimedia and other real-time services are processed by the application regardless of order. They are directly processed by the application, and if a small piece of information is missing, doubled or swapped, human senses can still correctly deduce the context. On the other hand, a successful execution of malicious machine code (bytecode) requires a strict sequence of bytes.

Next, an IDPS can perform a partial or full deletion. The partial deletion is acceptable only if the suspicious content can be separated into smaller independent objects. Then the respective infected chunks are deleted. The method is similar to email filtering where an infected attachment is discarded and never shown to a user. The full deletion is carried out if the suspicious object is atomic (not further dividable) or has no internal structure at an appropriate level needed for the analysis.

If an intrusion is detected, some IDPSs can update the configuration of other security components associated with network security monitoring and with the network core. Even more, recent IDPSs can download patches from remote sites and install them on vulnerable hosts. This includes altering a host-based firewall to prevent further intrusions. A more complex approach, commonly known as normalization of incoming requests, changes how a proxy repackages the payloads of requests by modifying header information.

Documenting events. The IDPS has internal processes to receive, analyze and maintain detected events. The life cycle of documenting a single event that occurred in the network consists of at least three steps:

1) Recording of the event. After an intrusion or any other event has been detected in the network, an alert describing the nature of the incident is generated. The alert is usually stored in the local network but not necessarily within the IDPS. Telecommunication companies managing larger networks operate a centralized logging database, Security Information and Event Management (SIEM, see [ASMONIA_D41]) software or proprietary enterprise management systems.

2) Notifying security experts. Alerts are usually reported to a security administrator who performs all necessary actions to improve the overall security of the monitored network. The value of a reported incident always depends on the type and detection technique of the affected IDPS. A widely used tool for security monitoring that represents alerts in human readable form is the open source network and infrastructure monitoring software Nagios [Nagios]. Other good alternatives to Nagios are Sguil [Sguil] or Argus [Argus].

3) Generating reports. Reports summarize the monitored events for a given period of time. They also provide good insight into the type and frequency of attacks, the attacker's skill level, security background, capabilities and intents. Comparing several reports can reveal recent malware evolution and trends.

Final reports are highly vulnerable. Therefore, they should be adequately protected. They leave the core IDPS and they are exposed to other passive and/or active network elements sitting in the involved network. A crucial aspect is to guarantee an uninterrupted stream of events because a single missing event could lead to a misinterpreted result. Another aspect of misinterpreted results is that resulting logs and captured classified samples are often reused over and over in training models where each false positive and true negative sample considerably decreases the probability of correctly identifying subsequent intrusions.

Discouraging attackers. The idea is derived from the theory of panopticism, which says that if there is any type of surveillance and the attackers are aware of it, they are less likely to commit illegal actions, i.e. attackers aware of an IDPS within the network do not want to risk being identified because of the consequences. The panopticism effect is even amplified if the provider of the IDPS knows the attacker and may demand satisfaction.

As with all security protection mechanisms, IDPSs have their limitations. The most important limitation is that they cannot provide completely accurate detection. Attackers can always send packets which do not trigger any alarm. Four methods are commonly used by attackers to evade detection by IDPSs:

Pattern matching weaknesses. Detection methods based on known attack patterns are evaded by polymorphic malware which mutates over time while keeping the same malicious functionality. With each mutation it changes its distinguishing marks, which makes the pattern matching performed by many IDPSs very inefficient.

TTL attacks. If the attacker has accurate knowledge of the internal network topology, i.e. he knows the distances between the IDPS and the host he wants to attack, he can alter TTL values in the packets' headers so that some packets will reach only the IDPS while others with larger TTL values will be received and processed by the targeted host.

Encrypted, obfuscated and non-standard encoded content. Although the IDPS can analyze every packet up to the application layer, encrypted packets cannot be decrypted and processed by the IDPS since the IDPS does not know the corresponding private key. These packets can then carry arbitrary malicious messages into the supervised network. More advanced attacks can even combine encrypted packets with time-dependent execution or delay execution until some specific conditions are met. The same holds for obfuscated and non-standard encoded packets.

Session splicing. Some attackers aware of the standard detection techniques used in older IDPSs split data between several packets, making the IDPS unable to match them. Then they exploit the way some IDPSs reassemble packets before the analysis. Nowadays, nearly all IDPSs can handle stream reassembly, such that this type of attack does not represent a real threat any more.

Fragmentation. A fragmentation attack is sometimes seen as the successor of the session splicing attack. It is also more powerful than session splicing. In the fragmentation attack, the attacker sends two or more packets, where a later packet overwrites (or replaces) the previous one. Only in-depth knowledge of the operating system on the target host can prevent the fragmentation attack, since only then can the IDPS correctly reassemble the packets and so detect the intrusion.

From the security point of view, it is always better to incorrectly classify a benign sample as malicious than the other way around. Therefore, to decrease the false negative rate, many detection techniques additionally define a loss function. The loss function helps to reduce false negatives at the cost of increasing false positives. This means that more benign activities are detected by the IDPS as malicious, but fewer truly malicious events pass through without being detected and properly handled. There are many other techniques to alter the configuration or extend the IDPS to improve the detection rate [Dubrawsky04][Yu07].

Some attacks do not aim at bypassing the IDPS. Instead, they try to compromise it. A compromised IDPS represents a serious risk for any institution. An attacker could not only tell apart known and unknown vulnerabilities from the IDPS database, but also locate sensitive resources in the network. Host configurations, the operating systems running in the network, services and security policies are mostly stored in the IDPS as well. Hence, the compromised IDPS could leak information required to bypass additional security protections installed directly in the host system. Then the attacker could use the compromised network as a new source or just as a proxy for his next malicious activities. Therefore, NIST's Guide to Intrusion Detection and Prevention Systems (IDPS) [NIST_SP800-94] gives some specific security recommendations to ensure that the IDPS is secured appropriately.

• Each user and administrator of the IDPS should create a separate account with only the most necessary privileges.

• Management communication should be protected either through physical or logical separation.

• Other packet filtering devices in the network should be precisely configured to limit direct access to the IDPS.

• The IDPS should always be fully up to date.

Note that there exist several types of updates. Common software updates fix problems, improve usability and performance and add new software functionality. Other software updates like signature updates improve detection rates. Their focus is to calibrate the current detection techniques, since the accuracy of detection declines over time. Hardware updates are very similar to software updates. They update, remove or add hardware components either within the IDPS itself or in hardware directly interacting with the IDPS.

Not all limitations of IDPSs are of a technical character. Although many security experts working with IDPSs on a daily basis are well educated in security areas and are aware of the aforementioned limitations of deployed IDPSs, they often forget that the IDPS “sees” only a fraction of the multitude of events occurring within their network. Also, a large volume of non-malicious packets specially crafted to trigger many alarms in the IDPS can overwhelm human operators with too many false positives, which leads to less attention for real threats. For more information about IDPSs we refer to [Fritz11], [Grand08] and [Kemmerer02].

2.3.1.1 IDPS Architecture

One of the first generic architectural models of an IDS was introduced by Axelsson [Axelsson98] [Axelsoon00]. He managed to identify the most necessary components of a typical IDS. Figure 2 depicts the architectural model of an IDS as presented by Axelsson, complemented by the IPS, a security authority and an optional management system. Solid lines indicate data flow whereas dashed lines represent responses to detected intrusions. Finally, dotted lines show control flow. The improved generalized architecture of an IDPS contains at least the following elements and phases:

Monitored system. Each IDPS protects only a predefined network space including the network elements and hosts which are intended to be monitored. Other networks using the same physical links but not listed in the IDPS list are either rerouted or completely blocked.

Data collection phase. Data in the monitored system are collected either by the IDS or by different types of sensors (see [ASMONIA_D41]). The raw data are often reassembled and the reassembled packets are verified for valid headers.

Data storage phase. After the raw packets have been reassembled, they are temporarily stored in a queue for further processing.

Detection. The detection component is the core component of the IDS. It analyzes and compares the data to known attack vectors and attack behaviors. Intermediate results about partially fulfilled and definitive results about fulfilled intrusion detections are subsequently sent to a prevention component.

Prevention. A prevention component tells the IDPS how to respond in case a malicious activity has been detected.

Database. Malicious behavior recorded by the analysis, as well as already known attacks, signatures and patterns needed for the analysis, are stored in a database. If there is only a small number of databases, then these databases are directly integrated in the respective IDPS. Larger databases are deployed right next to the IDPS since a larger distance between the database and the IDPS delays the analysis. It also reduces the available bandwidth.

Generating an alarm. The last part of the IDPS generates the alerts emerging from the analysis (detection) and prevention. An alert notification describing the nature of the incident is reported to a management server or a security authority.

Security authority (SA). The SA represents a set of security experts and/or network administrators. They are responding to alarms and are responsible for keeping the IDPS in a healthy state.

Figure 2: IDPS Architecture

Management server. Management servers are centralized devices that manage and receive information from sensors deployed in the network. Some management servers are able to find and match event information from multiple sensors and correlate them. It simplifies the process of analyzing events which could not be automatically classified.

IDPS components can be connected to each other either through virtual networks in the standard production network or, preferably, through a separate network strictly designed for IDPS components only. Such separate networks are known as management networks. The use of virtual networks in the standard production network is preferred by smaller companies since it minimizes costs. On the other side, large networks seek more protection, which can be guaranteed by management networks as they can physically conceal the existence of the IDPS. Another advantage is that if the management network becomes saturated, the local network will still be available and vice versa.

Figure 3: Inline NIDPS Architecture Example [NIST_SP800-94]

In this deliverable, we examine only IDPSs that are used to monitor network traffic, namely the network-based IDPS, the wireless IDPS and the network behavior analysis system. A detailed description of the host-based IDPS is out of scope, since a host-based IDPS is intended to monitor a single end host. In ASMONIA, this issue has already been analyzed in D2.1 [ASMONIA_D21], where the authors describe and recommend specific protection methods for the end hosts connected to the monitored network.

2.3.1.2 Network-based IDPS

A network-based IDPS (NIDPS) monitors network traffic flowing through a physical medium and identifies suspicious activity up to the application layer. NIDPSs are frequently deployed due to the wide range of detection techniques they support. Consequently, they detect many common attacks, including network-, transport- and application-layer reconnaissance attacks, policy violations and unexpected services. The prevention they offer varies greatly depending on the network and the type of scheme that is deployed. The majority of NIDPSs can at least block and/or disrupt current sessions, limit bandwidth and alter detected malicious content. More advanced NIDPSs can even reconfigure other network elements and run remote scripts on hosts to prevent malicious activity. On the other hand, they often suffer from high false positive and false negative rates.

2.3.1.3 Inline NIDPS

Inline NIDPSs are active IDPSs that monitor the network traffic passing through them. Sometimes they act like firewalls with extended functionality to detect and handle intrusions. However, as depicted in Figure 3, standard active NIDPSs are deployed behind the firewall. The idea of placing them behind a firewall is to hide the presence of the NIDPS in the network. In addition, traffic flowing through a firewall is already pre-filtered, which reduces the number of packets the NIDPS has to analyze. Note that in Figure 3 we assume a separate management network with one management server. The NIDPS communicates with the management server and the SA only via a management switch. Therefore, an attacker cannot simply connect to the management server or the SA and change the configuration of the inline NIDPS; the only remaining option is to compromise the IDPS itself.

References

Related documents