Monitor placement for large-scale systems

Nirupama Talele, Jason Teutsch, Robert Erbacher, Trent Ray Jaeger

Research output: Conference contribution (chapter in book/report/conference proceeding)

3 Citations (Scopus)

Abstract

System administrators employ network monitors, such as traffic analyzers, network intrusion prevention systems, and firewalls, to protect the network's hosts from remote adversaries. The problem is that vulnerabilities are caused primarily by errors in the host software and/or configuration, but modern hosts are too complex for system administrators to understand, limiting monitoring to known attacks. Researchers have proposed automated methods to compute network monitor placements, but these methods also fail to model attack paths within hosts and/or fail to scale beyond tens of hosts. In this paper, we propose a method to compute network monitor placements that leverages commonality in available access control policies across hosts to compute network monitor placement for large-scale systems. We introduce an equivalence property, called flow equivalence, which reduces the size of the placement problem to be proportional to the number of unique host configurations. This process enables us to solve mediation placement problems for thousands of hosts with access control policies containing thousands of rules in seconds (less than 125 seconds for a network of 9,500 hosts). Our method enables administrators to place network monitors in large-scale networks automatically, leveraging the actual host configuration, to detect and prevent network-borne threats.
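
The following is an added illustration of the idea in the abstract, not the paper's code or its exact algorithm. It assumes a simplified model: each host's access control policy is a set of allowed flows between labels inside the host (`net_in`, `httpd`, `secret`, ...), two hosts are treated as flow-equivalent when their policies are identical, and the monitor placement is computed as a minimum cut over the class-level graph, with each class-to-class edge weighted by the number of concrete host links it stands for. The hosts, policies and links are constructed for the example.

```python
"""Illustrative monitor placement on a flow-equivalence-reduced graph.

Added example, not the paper's code. Assumed simplifications: a host's access
control policy is a set of allowed flows between labels inside the host;
hosts with identical policies are treated as flow-equivalent; the placement
is a min cut over the class-level graph, where each class-to-class edge is
weighted by the number of concrete host links it stands for.
"""
from collections import defaultdict, deque

INF = float("inf")
SRC, SINK = "internet", "sink"

# Constructed sample network (hypothetical hosts and policies).
WEB = {("net_in", "httpd"), ("httpd", "net_out")}
APP = {("net_in", "app"), ("app", "net_out")}
DB = {("net_in", "mysqld"), ("mysqld", "secret")}
DNS = {("net_in", "named")}              # named is never allowed to reach net_out
HOSTS = {"web1": WEB, "web2": WEB, "web3": WEB,
         "app1": APP, "app2": APP, "db1": DB, "dns1": DNS}
EDGE_FACING = {"web1", "web2", "web3", "dns1"}   # hosts the Internet can reach
LINKS = [(w, a) for w in ("web1", "web2", "web3") for a in ("app1", "app2")]
LINKS += [("app1", "db1"), ("app2", "db1"), ("dns1", "db1")]
SENSITIVE = "secret"


def flow_classes(hosts):
    """Group hosts whose policies are identical (assumed flow-equivalence test).
    Returns {class_id: sorted member hosts}; the problem size now scales with
    the number of distinct configurations, not the number of hosts."""
    groups = defaultdict(list)
    for host, policy in hosts.items():
        groups[frozenset(policy)].append(host)
    members = sorted(sorted(m) for m in groups.values())
    return {f"C{i}": m for i, m in enumerate(members)}


def reduced_graph(hosts, classes, links, edge_facing, sensitive):
    """Capacity graph over (class, label) nodes. Intra-host flows get INF
    capacity because a network monitor cannot mediate them; each class-level
    network edge has capacity = number of concrete links it represents."""
    cls_of = {h: c for c, members in classes.items() for h in members}
    cap = defaultdict(lambda: defaultdict(int))
    for c, members in classes.items():
        for a, b in hosts[members[0]]:        # all members share this policy
            cap[(c, a)][(c, b)] = INF
            if b == sensitive:
                cap[(c, b)][SINK] = INF
    for h in edge_facing:
        cap[SRC][(cls_of[h], "net_in")] += 1
    for a, b in links:
        cap[(cls_of[a], "net_out")][(cls_of[b], "net_in")] += 1
    return cap, cls_of


def min_cut(cap, src, sink):
    """Edmonds-Karp max flow; returns the source-side min-cut edges.
    Every src->sink path crosses a finite-capacity network edge, so the
    augmentation loop terminates."""
    flow = defaultdict(lambda: defaultdict(int))

    def residual(u, v):
        return cap[u][v] - flow[u][v]

    def bfs():
        parent, queue = {src: None}, deque([src])
        while queue:
            u = queue.popleft()
            for v in set(cap[u]) | set(flow[u]):
                if v not in parent and residual(u, v) > 0:
                    parent[v] = u
                    queue.append(v)
        return parent

    while True:
        parent = bfs()
        if sink not in parent:
            break
        path, v = [], sink
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        bottleneck = min(residual(u, v) for u, v in path)
        for u, v in path:
            flow[u][v] += bottleneck
            flow[v][u] -= bottleneck
    reach = set(bfs())
    return [(u, v) for u in reach for v in list(cap[u])
            if cap[u][v] > 0 and v not in reach]


def place_monitors(hosts, links, edge_facing, sensitive):
    """Solve on the reduced graph, then expand each cut class edge back to
    the concrete host links (or Internet-facing hosts) it represents."""
    classes = flow_classes(hosts)
    cap, cls_of = reduced_graph(hosts, classes, links, edge_facing, sensitive)
    monitors = []
    for u, v in min_cut(cap, SRC, SINK):
        if u == SRC:
            monitors += [(SRC, h) for h in classes[v[0]] if h in edge_facing]
        else:
            monitors += [(a, b) for a, b in links
                         if cls_of[a] == u[0] and cls_of[b] == v[0]]
    return classes, sorted(monitors)


if __name__ == "__main__":
    classes, monitors = place_monitors(HOSTS, LINKS, EDGE_FACING, SENSITIVE)
    print(f"{len(HOSTS)} hosts collapse to {len(classes)} classes: {classes}")
    print("monitor these links:", monitors)
```

Seven hosts collapse to four configuration classes, and the cut over the class graph selects the two app-to-database links rather than the six web-to-app links or the four Internet-facing ones. The `dns1` host shows why intra-host policy matters: it is Internet-facing and linked to `db1`, but its policy never lets `named` reach `net_out`, so no attack path runs through it and the `dns1 -> db1` link needs no monitor; granting `named` a flow to `net_out` in the policy adds that host to the placement.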

Original language: English (US)
Title of host publication: SACMAT 2014 - Proceedings of the 19th ACM Symposium on Access Control Models and Technologies
Publisher: Association for Computing Machinery
Pages: 29-40
Number of pages: 12
ISBN (Print): 9781450329392
DOI: 10.1145/2613087.2613107
State: Published - Jan 1 2014
Event: 19th ACM Symposium on Access Control Models and Technologies, SACMAT 2014 - London, ON, Canada
Duration: Jun 25 2014 - Jun 27 2014



All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality
  • Information Systems

Cite this

Talele, N., Teutsch, J., Erbacher, R., & Jaeger, T. R. (2014). Monitor placement for large-scale systems. In SACMAT 2014 - Proceedings of the 19th ACM Symposium on Access Control Models and Technologies (pp. 29-40). Association for Computing Machinery. https://doi.org/10.1145/2613087.2613107
@inproceedings{73b69067c4644358bba5b8dc924fdcb6,
title = "Monitor placement for large-scale systems",
author = "Nirupama Talele and Jason Teutsch and Robert Erbacher and Jaeger, {Trent Ray}",
year = "2014",
month = "1",
day = "1",
doi = "10.1145/2613087.2613107",
language = "English (US)",
isbn = "9781450329392",
pages = "29--40",
booktitle = "SACMAT 2014 - Proceedings of the 19th ACM Symposium on Access Control Models and Technologies",
publisher = "Association for Computing Machinery",

}
