TY - GEN
T1 - S3
T2 - 22nd International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2019
AU - Sabur, Abdulhakim
AU - Chowdhary, Ankur
AU - Huang, Dijiang
AU - Kang, Myong
AU - Kim, Anya
AU - Velazquez, Alexander
N1 - Funding Information:
All authors are thankful for research grants from Naval Research Lab N00173-15-G017, N0017319-1-G002 and National Science Foundation US DGE-1723440, OAC-1642031, SaTC-1528099. Special thanks to Jim Kirby from NRL for his valuable feedback on the paper. Also, Abdulhakim Sabur is a scholarship recipient from Taibah University through the Saudi Arabian Cultural Mission (SACM).
Publisher Copyright:
© 2019 RAID 2019 Proceedings - 22nd International Symposium on Research in Attacks, Intrusions and Defenses. All rights reserved.
PY - 2019
Y1 - 2019
N2 - With an average network size approaching 8000 servers, datacenter networks need scalable security-state monitoring solutions. Using an Attack Graph (AG) to identify possible attack paths and network risks is a common approach. However, existing AG generation approaches suffer from the state-space explosion issue: the size of the AG increases exponentially as the number of services and vulnerabilities increases. To address this issue, we propose a network segmentation-based scalable security state management framework, called S3, which applies a divide-and-conquer approach to create multiple small-scale AGs (i.e., sub-AGs) by partitioning a large network into manageable smaller segments, and then merges them to establish the entire AG for the whole system. S3 utilizes an SDN-based distributed firewall (DFW) for managing service reachability among different network segments. Therefore, it avoids reconstructing the entire system-level AG due to the dependencies among vulnerabilities. Our experimental analysis shows that S3 (i) reduces AG generation and analysis complexity by reducing the AG’s density compared to existing AG-based solutions; and (ii) utilizes the SDN-based DFW to provide a granular security management framework by incorporating security policies at the level of individual hosts and segments. In effect, S3 helps in limiting targeted slow and low attacks involving lateral movement.
UR - http://www.scopus.com/inward/record.url?scp=85090108585&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85090108585&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85090108585
T3 - RAID 2019 Proceedings - 22nd International Symposium on Research in Attacks, Intrusions and Defenses
SP - 473
EP - 485
BT - RAID 2019 Proceedings - 22nd International Symposium on Research in Attacks, Intrusions and Defenses
PB - USENIX Association
Y2 - 23 September 2019 through 25 September 2019
ER -