A quantitative methodology for evaluating and deploying security monitors
Thakore, Uttam
Permalink
https://hdl.handle.net/2142/88103
Description
- Title
- A quantitative methodology for evaluating and deploying security monitors
- Author(s)
- Thakore, Uttam
- Issue Date
- 2015-07-22
- Director of Research (if dissertation) or Advisor (if thesis)
- Sanders, William H.
- Department of Study
- Computer Science
- Discipline
- Computer Science
- Degree Granting Institution
- University of Illinois at Urbana-Champaign
- Degree Name
- M.S.
- Degree Level
- Thesis
- Keyword(s)
- computer security
- monitoring
- monitor deployment
- monitor placement
- intrusion tolerance
- intrusion detection
- Metrics
- modeling
- digital forensics
- Abstract
- Despite advances in intrusion detection and prevention systems, attacks on networked computer systems continue to succeed. Intrusion tolerance and forensic analysis are required to adequately detect and defend against attacks that succeed. Intrusion tolerance and forensic analysis techniques depend on monitors to collect information about possible attacks. Since monitoring can be expensive, however, monitors must be selectively deployed to maximize their overall utility. We identify a need for a methodology for evaluating monitor deployment to determine a placement of monitors that meets both security goals and cost constraints. In this thesis, we introduce a methodology both to quantitatively evaluate monitor deployments in terms of security goals and to deploy monitors optimally based on cost constraints. First, we define a system and data model that describes the system we aim to protect, the monitors that can be deployed, and the relationship between intrusions and data generated by monitors. Second, we define a set of quantitative metrics that both quantify the utility and richness of monitor data with respect to intrusion detection, and quantify the cost associated with monitor deployment. We describe how a practitioner could characterize intrusion detection requirements in terms of target values of our metrics. Finally, we use our data model and metrics to formulate a method to determine the cost-optimal, maximum-utility placement of monitors. We illustrate our approach throughout the thesis with a working example, and demonstrate its practicality and expressiveness with a case study based on an enterprise Web service architecture. The value of our approach comes from its ability to determine optimal monitor placements, which can be counterintuitive or difficult to find, for nearly any set of cost and intrusion detection parameters.
- Graduation Semester
- 2015-8
- Type of Resource
- text
- Permalink
- http://hdl.handle.net/2142/88103
- Copyright and License Information
- Copyright 2015 Uttam Thakore
Owning Collections
Graduate Dissertations and Theses at Illinois PRIMARY
Graduate Theses and Dissertations at Illinois
Dissertations and Theses - Computer Science
Dissertations and Theses from the Dept. of Computer Science