TY - GEN
T1 - Towards an unified security testbed and security analytics framework
AU - Cao, Phuong
AU - Badger, Eric C.
AU - Kalbarczyk, Zbigniew T.
AU - Iyer, Ravishankar K.
AU - Withers, Alexander
AU - Slagell, Adam J.
N1 - Publisher Copyright:
Copyright 2015 ACM.
PY - 2015/4/21
Y1 - 2015/4/21
N2 - This paper presents the architecture of an end-to-end security testbed and security analytics framework, which aims to: i) understand real-world exploitation of known security vulnerabilities and ii) preemptively detect multi-stage attacks, i.e., before the system misuse. With the increasing number of security vulnerabilities, it is necessary for security researchers and practitioners to understand: i) system and network behaviors under attacks and ii) potential effects of attacks to the target infrastructure. To safely emulate and instrument exploits of known vulnerabilities, we use virtualization techniques to isolate attacks in containers, e.g., Linux-based containers or Virtual Machines, and to deploy monitors, e.g., kernel probes or network packet captures, across a system and network stack. To infer the evolution of attack stages from monitoring data, we use a probabilistic graphical model, namely AttackTagger, that represents learned knowledge of simulated attacks in our security testbed and real-world attacks. Experiments are being run on a real-world deployment of the framework at the National Center for Supercomputing Applications (NCSA) at the University of Illinois at Urbana-Champaign.
AB - This paper presents the architecture of an end-to-end security testbed and security analytics framework, which aims to: i) understand real-world exploitation of known security vulnerabilities and ii) preemptively detect multi-stage attacks, i.e., before the system misuse. With the increasing number of security vulnerabilities, it is necessary for security researchers and practitioners to understand: i) system and network behaviors under attacks and ii) potential effects of attacks to the target infrastructure. To safely emulate and instrument exploits of known vulnerabilities, we use virtualization techniques to isolate attacks in containers, e.g., Linux-based containers or Virtual Machines, and to deploy monitors, e.g., kernel probes or network packet captures, across a system and network stack. To infer the evolution of attack stages from monitoring data, we use a probabilistic graphical model, namely AttackTagger, that represents learned knowledge of simulated attacks in our security testbed and real-world attacks. Experiments are being run on a real-world deployment of the framework at the National Center for Supercomputing Applications (NCSA) at the University of Illinois at Urbana-Champaign.
UR - http://www.scopus.com/inward/record.url?scp=84986587184&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84986587184&partnerID=8YFLogxK
U2 - 10.1145/2746194.2746218
DO - 10.1145/2746194.2746218
M3 - Conference contribution
AN - SCOPUS:84986587184
T3 - ACM International Conference Proceeding Series
BT - Proceedings of the 2015 Symposium and Bootcamp on the Science of Security, HotSoS 2015
PB - Association for Computing Machinery
T2 - Symposium and Bootcamp on the Science of Security, HotSoS 2015
Y2 - 21 April 2015 through 22 April 2015
ER -