Exploiting curse of diversity for improved network security
作者: Ghanshyam S. Bopche , Babu M. Mehtre
DOI: 10.1109/ICACCI.2015.7275907
关键词:
摘要: Higher species diversity in biological systems increases the robustness of system against spread disease or infection. However, computers are remarkably less diverse. Such lack poses serious risks to today's homogeneous computer networks. An adversary learns with initial compromises and then applies learned knowledge compromise subsequent effort time. exploit engineered take advantage a particular vulnerability could be leveraged on many other multiply effect an attack. The existence same multiple enterprise network greatly benefits because she can gain incremental access resources relative ease. In this paper, we have proposed metric identify all attack paths that not fairly/truly diversified. Our goal is which one more vulnerabilities exploited than once. Additionally, our what those affected software's/services? Based heuristics, identical vulnerable services were identified diversified by functionally equivalent alternatives such way requires independent (i.e. additional new effort) for exploiting each along every path. We presented small case study demonstrate efficacy applicability algorithm diversifying making robust 0-day attacks. Initial results show approach capable identifying software/applications/services need increased security.
sci-hub.se 参考文章(21)
George Cybenko, Sushil Jajodia, Michael P. Wellman, Peng Liu, Adversarial and Uncertain Reasoning for Adaptive Cyber Defense: Building the Scientific Foundation international conference on information systems security. pp. 1- 8 ,(2014) , 10.1007/978-3-319-13841-1_1
H. Okhravi, M. A. Rabe, T. J. Mayberry, W. G. Leonard, T. R. Hobson, D. Bigelow, W. W. Streilein, Survey of Cyber Moving Target Techniques Defense Technical Information Center. ,(2013) , 10.21236/ADA591804
Daniel C. DuVarney, Sandeep Bhatkar, R. Sekar, Address obfuscation: an efficient approach to combat a board range of memory error exploits usenix security symposium. pp. 8- 8 ,(2003)
Sandeep Bhatkar, R. Sekar, Data Space Randomization international conference on detection of intrusions and malware and vulnerability assessment. pp. 1- 22 ,(2008) , 10.1007/978-3-540-70542-0_1
Kenneth P. Birman, Fred B. Schneider, The Monoculture Risk Put into Context ieee symposium on security and privacy. ,vol. 7, pp. 14- 17 ,(2009) , 10.1109/MSP.2009.24
Ruyi Wang, Ling Gao, Qian Sun, Deheng Sun, An Improved CVSS-based Vulnerability Scoring Mechanism 2011 Third International Conference on Multimedia Information Networking and Security. pp. 352- 355 ,(2011) , 10.1109/MINES.2011.27
Rui Zhuang, Scott A. DeLoach, Xinming Ou, Towards a Theory of Moving Target Defense Proceedings of the First ACM Workshop on Moving Target Defense. pp. 31- 40 ,(2014) , 10.1145/2663474.2663479
Lingyu Wang, Sushil Jajodia, Anoop Singhal, Pengsu Cheng, Steven Noel, k-Zero Day Safety: A Network Security Metric for Measuring the Risk of Unknown Vulnerabilities IEEE Transactions on Dependable and Secure Computing. ,vol. 11, pp. 30- 44 ,(2014) , 10.1109/TDSC.2013.24
D. Williams, Wei Hu, J.W. Davidson, J.D. Hiser, J.C. Knight, A. Nguyen-Tuong, Security through Diversity: Leveraging Virtual Machine Technology ieee symposium on security and privacy. ,vol. 7, pp. 26- 33 ,(2009) , 10.1109/MSP.2009.18
Peter Mell, Karen Scarfone, Sasha Romanosky, Common Vulnerability Scoring System ieee symposium on security and privacy. ,vol. 4, pp. 85- 89 ,(2006) , 10.1109/MSP.2006.145