S3: A DFW-based scalable security state analysis framework for large-scale data center networks

Abdulhakim Sabur, Ankur Chowdhary, Dijiang Huang, Myong Kang, Anya Kim, Alexander Velazquez

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

With an average network size approaching 8000 servers, datacenter networks need scalable security-state monitoring solutions. Using Attack Graph (AG) to identify possible attack paths and network risks is a common approach. However, existing AG generation approaches suffer from the state-space explosion issue. The size of AG increases exponentially as the number of services and vulnerabilities increases. To address this issue, we propose a network segmentation-based scalable security state management framework, called S3, which applies a divide-and-conquer approach to create multiple small-scale AGs (i.e., sub-AGs) by partitioning a large network into manageable smaller segments, and then merge them to establish the entire AG for the whole system. S3 utilizes SDN-based distributed firewall (DFW) for managing service reachability among different network segments. Therefore, it avoids reconstructing the entire system-level AG due to the dependencies among vulnerabilities. Our experimental analysis shows that S3 (i) reduces AG generation and analysis complexity by reducing AG’s density compared to existing AG-based solutions; (ii) utilizes SDN-based DFW to provide a granular security management framework, by incorporating security policies at the level of individual hosts and segments. In effect, S3 helps in limiting targeted slow and low attacks involving lateral movement.

Original language: English (US)
Title of host publication: RAID 2019 Proceedings - 22nd International Symposium on Research in Attacks, Intrusions and Defenses
Publisher: USENIX Association
Pages: 473-485
Number of pages: 13
ISBN (Electronic): 9781939133076
State: Published - 2019
Event: 22nd International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2019 - Beijing, China
Duration: Sep 23 2019 → Sep 25 2019

Publication series

Name: RAID 2019 Proceedings - 22nd International Symposium on Research in Attacks, Intrusions and Defenses

Conference

Conference: 22nd International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2019
Country: China
City: Beijing
Period: 9/23/19 → 9/25/19

ASJC Scopus subject areas

  • Computer Science(all)
  • Safety, Risk, Reliability and Quality
  • Law
  • Safety Research
