Distributed security policy conformance

Mirko Montanari, Ellick Chan, Kevin Larson, Wucherl Yoo, Roy H. Campbell

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Security policy conformance is a crucial issue in large-scale critical cyber-infrastructure. The complexity of these systems, insider attacks, and the possible speed of an attack on a system necessitate an automated approach to assure a basic level of protection. This paper presents Odessa, a resilient system for monitoring and validating compliance of networked systems to complex policies. To manage the scale of infrastructure systems and to avoid single points of failure or attack, Odessa distributes policy validation across many network nodes. Partial delegation enables the validation of component policies and of liveness at the edge nodes of the network using redundancy to increase security. Redundant distributed servers aggregate data to validate more complex policies. Our practical implementation of Odessa resists Byzantine failure of monitoring using an architecture that significantly increases scalability and attack resistance.

Original language: English (US)
Title of host publication: Future Challenges in Security and Privacy for Academia and Industry - 26th IFIP TC 11 International Information Security Conference, SEC 2011, Proceedings
Pages: 210-222
Number of pages: 13
DOIs: https://doi.org/10.1007/978-3-642-21424-0_17
State: Published - Aug 2 2011
Event: 26th IFIP TC-11 International Information Security Conference on "Future Challenges in Security and Privacy for Academia and Industry", SEC 2011 - Lucerne, Switzerland
Duration: Jun 7 2011 to Jun 9 2011

Publication series

Name: IFIP Advances in Information and Communication Technology
Volume: 354 AICT
ISSN (Print): 1868-4238

Other

Other: 26th IFIP TC-11 International Information Security Conference on "Future Challenges in Security and Privacy for Academia and Industry", SEC 2011
Country: Switzerland
City: Lucerne
Period: 6/7/11 to 6/9/11

Fingerprint

Security policy
Attack
Node
Monitoring
Aggregate data
Insider
Scalability
Redundancy
Delegation

ASJC Scopus subject areas

  • Information Systems
  • Computer Networks and Communications
  • Information Systems and Management

Cite this

Montanari, M., Chan, E., Larson, K., Yoo, W., & Campbell, R. H. (2011). Distributed security policy conformance. In Future Challenges in Security and Privacy for Academia and Industry - 26th IFIP TC 11 International Information Security Conference, SEC 2011, Proceedings (pp. 210-222). (IFIP Advances in Information and Communication Technology; Vol. 354 AICT). https://doi.org/10.1007/978-3-642-21424-0_17

@inproceedings{c163776d48db417d815b9b1d327fe3bd,
title = "Distributed security policy conformance",
abstract = "Security policy conformance is a crucial issue in large-scale critical cyber-infrastructure. The complexity of these systems, insider attacks, and the possible speed of an attack on a system necessitate an automated approach to assure a basic level of protection. This paper presents Odessa, a resilient system for monitoring and validating compliance of networked systems to complex policies. To manage the scale of infrastructure systems and to avoid single points of failure or attack, Odessa distributes policy validation across many network nodes. Partial delegation enables the validation of component policies and of liveness at the edge nodes of the network using redundancy to increase security. Redundant distributed servers aggregate data to validate more complex policies. Our practical implementation of Odessa resists Byzantine failure of monitoring using an architecture that significantly increases scalability and attack resistance.",
author = "Mirko Montanari and Ellick Chan and Kevin Larson and Wucherl Yoo and Campbell, {Roy H.}",
year = "2011",
month = "8",
day = "2",
doi = "10.1007/978-3-642-21424-0_17",
language = "English (US)",
isbn = "9783642214233",
series = "IFIP Advances in Information and Communication Technology",
pages = "210--222",
booktitle = "Future Challenges in Security and Privacy for Academia and Industry - 26th IFIP TC 11 International Information Security Conference, SEC 2011, Proceedings",

}

TY - GEN

T1 - Distributed security policy conformance

AU - Montanari, Mirko

AU - Chan, Ellick

AU - Larson, Kevin

AU - Yoo, Wucherl

AU - Campbell, Roy H.

PY - 2011/8/2

Y1 - 2011/8/2

AB - Security policy conformance is a crucial issue in large-scale critical cyber-infrastructure. The complexity of these systems, insider attacks, and the possible speed of an attack on a system necessitate an automated approach to assure a basic level of protection. This paper presents Odessa, a resilient system for monitoring and validating compliance of networked systems to complex policies. To manage the scale of infrastructure systems and to avoid single points of failure or attack, Odessa distributes policy validation across many network nodes. Partial delegation enables the validation of component policies and of liveness at the edge nodes of the network using redundancy to increase security. Redundant distributed servers aggregate data to validate more complex policies. Our practical implementation of Odessa resists Byzantine failure of monitoring using an architecture that significantly increases scalability and attack resistance.

UR - http://www.scopus.com/inward/record.url?scp=79960875884&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=79960875884&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-21424-0_17

DO - 10.1007/978-3-642-21424-0_17

M3 - Conference contribution

AN - SCOPUS:79960875884

SN - 9783642214233

T3 - IFIP Advances in Information and Communication Technology

SP - 210

EP - 222

BT - Future Challenges in Security and Privacy for Academia and Industry - 26th IFIP TC 11 International Information Security Conference, SEC 2011, Proceedings

ER -