Abstract
Managing numerous security vulnerabilities has long been a difficult and daunting task, especially because of the complexity, heterogeneity, and various operational constraints of the network. In this paper, we focus on the task of mitigating and managing network-device-specific vulnerabilities automatically and intelligently. We achieve this goal with a scalable, interactive, topology-aware framework that can provide mitigation actions at selectively chosen devices. The intuition behind our work is that more and more network devices are becoming security-capable, so they can be used collectively to achieve security goals while satisfying certain network policies.
The intelligence uses integer programming to optimize a quantifiable objective that conforms to the policy of a given network. One example is finding the minimum number of network devices on which to install filters so that the entire network is effectively protected against potential attacks from external untrusted sources. The constraints of the integer program are derived mainly from the network topology and from the settings of the vulnerable devices and untrusted sources. Our novel implementation uses an iterative algorithm to scale to networks of tens of thousands of nodes, and we demonstrate the effectiveness of our framework using both synthetic and realistic network topologies. Besides scalability, our tool is also operationally easy to use: it is interactive, so additional constraints can be entered at run time.
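As an added example (not the paper's code or system), the following Python model captures the filter-placement optimization the abstract describes: a constructed topology with two untrusted entry points and three vulnerable servers, where filters may be installed only on security-capable devices. The iterative scheme here is an assumed lazy constraint generation loop (find one unprotected source-to-vulnerable path, add it as a covering constraint, re-solve), and the exact solver is brute-force enumeration standing in for an ILP solver; neither is taken from the paper.

```python
from collections import defaultdict, deque
from itertools import combinations

# Constructed topology (not from the paper): undirected links between devices.
EDGES = [("inet", "edge1"), ("edge1", "core1"), ("edge1", "core2"), ("core1", "dist1"),
         ("core2", "dist1"), ("core2", "dist2"), ("dist1", "srv1"), ("dist1", "srv2"),
         ("dist2", "srv3"), ("partner", "dist2")]
SOURCES = {"inet", "partner"}          # untrusted external entry points
VULNERABLE = {"srv1", "srv2", "srv3"}  # devices carrying an unpatched vulnerability
CAPABLE = {"core1", "core2", "dist1", "dist2", "srv1", "srv2", "srv3"}  # edge1 is legacy

def unprotected_path(adj, sources, targets, filters):
    # BFS from every untrusted source without entering a filtered node (a filtered
    # vulnerable device counts as protected); returns one open path or None.
    queue, seen = deque([[s] for s in sorted(sources)]), set(sources)
    while queue:
        path = queue.popleft()
        if path[-1] in targets:
            return path
        for m in adj.get(path[-1], []):
            if m not in seen and m not in filters:
                seen.add(m)
                queue.append(path + [m])
    return None

def smallest_hitting_set(constraints):
    # Exact minimum set of devices hitting every path constraint, by enumeration;
    # this stands in for the integer program a real ILP solver would handle at scale.
    universe = sorted(set().union(*constraints))
    for k in range(1, len(universe) + 1):
        for cand in combinations(universe, k):
            if all(set(cand) & c for c in constraints):
                return set(cand)

def min_filter_placement(edges, sources, targets, capable):
    # Lazy constraint generation: add one violated path per round and re-solve.
    adj = defaultdict(list)
    for a, b in edges:
        adj[a].append(b)
        adj[b].append(a)
    constraints, filters = [], set()
    while True:
        path = unprotected_path(adj, sources, targets, filters)
        if path is None:
            return filters
        cover = {n for n in path if n in capable}
        if not cover:
            raise ValueError("no security-capable device on path " + " -> ".join(path))
        constraints.append(cover)
        filters = smallest_hitting_set(constraints)
```

On the constructed topology the loop converges after four rounds on two filters (dist1 and dist2), whereas filtering each vulnerable server individually would need three.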
© 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
Cite this paper
Qian, Z., Mao, Z.M., Rayes, A., Jaffe, D. (2012). Designing Scalable and Effective Decision Support for Mitigating Attacks in Large Enterprise Networks. In: Rajarajan, M., Piper, F., Wang, H., Kesidis, G. (eds) Security and Privacy in Communication Networks. SecureComm 2011. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 96. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31909-9_1
DOI: https://doi.org/10.1007/978-3-642-31909-9_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31908-2
Online ISBN: 978-3-642-31909-9