Robustness of Compliance to Infrastructure Security Policies
Montanari, Mirko; Chaugule, Amey; Campbell, Roy H.
Permalink
https://hdl.handle.net/2142/27712
Description
- Title
- Robustness of Compliance to Infrastructure Security Policies
- Author(s)
- Montanari, Mirko
- Chaugule, Amey
- Campbell, Roy H.
- Issue Date
- 2011
- Keyword(s)
- Computer Security
- Monitoring
- Regulatory compliance
- Date of Ingest
- 2011-10-17T19:45:55Z
- Abstract
- Policies are used extensively in managing the security of large computer infrastructure systems. Many large organizations and several government entities such as the National Institute for Standards and Technology (NIST) and the North American Electric Reliability Corporation (NERC) define security policies to specify the allowed configurations of the systems under their watch. The goal of such policies is to help reduce the vulnerability of the infrastructure to attacks, misconfiguration and operator error. To that end, these policies specify allowed interconnections between systems, firewall configurations, software settings, and levels of redundancy in the system’s components. Ensuring compliance to such policies through frequent monitoring can reduce the time span during which these systems are vulnerable to attacks. However, faults and attacks can make the underlying information used for validating compliance erroneous or incomplete. A compromised system could feed false information about its state to the compliance monitoring system. In this paper we introduce the concept of robustness of compliance. We show that systems which are compliant to security policies can exhibit different levels of resilience to false information, and we provide an algorithm for quantitatively computing a measure of robustness based on the concept of distance from violation. Intuitively, our algorithm computes an estimation of the amount of false information that needs to be provided to a compliance monitoring system for making an infrastructure appear compliant even when the underlying system is not compliant. Our experiments demonstrate that our approach is viable in large networks.
- Type of Resource
- text
- Language
- en
- Permalink
- http://hdl.handle.net/2142/27712