TY - GEN
T1 - Monitor placement for large-scale systems
AU - Talele, Nirupama
AU - Teutsch, Jason
AU - Erbacher, Robert
AU - Jaeger, Trent
PY - 2014
Y1 - 2014
N2 - System administrators employ network monitors, such as traffic analyzers, network intrusion prevention systems, and firewalls, to protect the network's hosts from remote adversaries. The problem is that vulnerabilities are caused primarily by errors in the host software and/or configuration, but modern hosts are too complex for system administrators to understand, limiting monitoring to known attacks. Researchers have proposed automated methods to compute network monitor placements, but these methods also fail to model attack paths within hosts and/or fail to scale beyond tens of hosts. In this paper, we propose a method that leverages commonality in the available access control policies across hosts to compute network monitor placements for large-scale systems. We introduce an equivalence property, called flow equivalence, which reduces the size of the placement problem to be proportional to the number of unique host configurations. This process enables us to solve mediation placement problems for thousands of hosts with access control policies containing thousands of rules in seconds (less than 125 seconds for a network of 9500 hosts). Our method enables administrators to place network monitors in large-scale networks automatically, leveraging the actual host configuration, to detect and prevent network-borne threats.
AB - System administrators employ network monitors, such as traffic analyzers, network intrusion prevention systems, and firewalls, to protect the network's hosts from remote adversaries. The problem is that vulnerabilities are caused primarily by errors in the host software and/or configuration, but modern hosts are too complex for system administrators to understand, limiting monitoring to known attacks. Researchers have proposed automated methods to compute network monitor placements, but these methods also fail to model attack paths within hosts and/or fail to scale beyond tens of hosts. In this paper, we propose a method that leverages commonality in the available access control policies across hosts to compute network monitor placements for large-scale systems. We introduce an equivalence property, called flow equivalence, which reduces the size of the placement problem to be proportional to the number of unique host configurations. This process enables us to solve mediation placement problems for thousands of hosts with access control policies containing thousands of rules in seconds (less than 125 seconds for a network of 9500 hosts). Our method enables administrators to place network monitors in large-scale networks automatically, leveraging the actual host configuration, to detect and prevent network-borne threats.
UR - http://www.scopus.com/inward/record.url?scp=84904506308&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84904506308&partnerID=8YFLogxK
U2 - 10.1145/2613087.2613107
DO - 10.1145/2613087.2613107
M3 - Conference contribution
AN - SCOPUS:84904506308
SN - 9781450329392
T3 - Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT
SP - 29
EP - 40
BT - SACMAT 2014 - Proceedings of the 19th ACM Symposium on Access Control Models and Technologies
PB - Association for Computing Machinery
T2 - 19th ACM Symposium on Access Control Models and Technologies, SACMAT 2014
Y2 - 25 June 2014 through 27 June 2014
ER -