DOCSLIB.ORG

Network Access Control Through Host and Application Analysis

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Network Access Control Through Host and Application Analysis ABSTRACT OCONNOR, TERRENCE JOHN. Network Access Control through Host and Application Analysis. (Under the direction of William Enck). Despite increasing complexity to networks and applications, the state of practice in network access control has remained largely static for decades. Existing network security solutions provide limited protection against modern and elaborate network compromises where attackers move laterally through the network, because they lack intra-network mediation and distributed information flow control. The omnipresence of Internet-of-Things (IoT) devices with encrypted and propriety protocols obscures network transparency, making it difficult to identify and classify application behaviors. The always- on nature of IoT with perpetual cloud connections complicates policy enforcement because of the heterogeneity of security and privacy designs for offline content caching and device state management. Leveraging host and application behavior analysis provides sufficient context for network access control to address the increasing complexity of networks, opaqueness in applications behaviors, and perpetual cloud connections. In this dissertation, we demonstrate how specialized and sophisticated network access control schemes address the aforementioned challenges by considering host and application context. We implement two security orchestrator application frameworks to address complex attacks, and provide behavior transparency for smart-home IoT devices. First, we present PivotWall which uses a novel combination of information-flow tracking and Software Defined Networking (SDN) to detect a wide range of attacks used by advanced adversaries, including those that abuse both application- and network-layer protocols. It further enables a variety of attack responses including traffic steering, as well as advanced mechanisms for forensic analysis. Through PivotWall, we extend information flow tracking out from a host and through the entire network. Second, we introduce HomeSnitch, a building block for enhancing smart home transparency and control by classifying IoT device communication by behavior. HomeSnitch uses supervised learning to classify features from connection-oriented application data unit exchanges that represent application-layer dialog between clients and servers. This overcomes the limitations of increasingly encrypted payloads in smart home devices. Having laid the groundwork for access control for smart-home devices with our behavior classification, we then answer critical questions that govern access control policy and mediation for smart-home devices. We present a sufficiently broad study of the application behaviors of smart-home actuator and sensor-based IoT devices and analyze their responses to a loss of the communications channel. We investigate weaknesses in the current heterogeneity of smart-home device security designs and describe implications for offline state and cache decisions. In doing so, we provide the context understanding for effective policy enforcement. Network Access Control through Host and Application Analysis by Terrence John OConnor A dissertation submitted to the Graduate Faculty of North Carolina State University in partial fulfillment of the requirements for the Degree of Doctor of Philosophy Computer Science Raleigh, North Carolina 2019 APPROVED BY: Bradley Reaves Alexandros Kapravelos Aydin Aysu William Enck Chair of Advisory Committee DEDICATION For my Ninja Princess and Monkey. ii BIOGRAPHY TJ OConnor received his Bachelor’s Degree in Computer Science from the US Military Academy at West Point in 1999. Following graduation, TJ served 20 years in the US Army, retiring at the rank of Lieutenant Colonel. His service included assignments with the 2nd Infantry Division, the 7th Special Forces Group (Airborne), the 10th Special Forces Group (Airborne), the Office of Special Warfare (Airborne), and the 1st Special Forces Command (Airborne). In 2008, TJ earned a Master’s Degree in Computer Science from North Carolina State University. Subsequently, he served as an assistant professor in the Electrical Engineering and Computer Science department at the US Military Academy and as the Professor of Military Science for the Florida Institute of Technology. He is the first (but hopefully not last) member of his immediate family to earn a doctorate. iii ACKNOWLEDGEMENTS I would like to thank my advisor, Dr. William Enck, for his unparalleled support over the course of my time in graduate school. I cannot express the gratitude, respect, and debt I owe you. I can only promise to do my best to emulate the positive traits you have taught me. I would also like to thank the members of my doctoral committee including Dr. Bradley Reaves, Dr. Alexandros Kapravelos, and Dr. Aydin Aysu for their valuable insight. I owe a debt of gratitude my teammates on the Wolfpack Security and Privacy Research (WSPR) that have provided me the candid feedback, expertise, and emotional support necessary for this endeavor. Specifically, I’d like to thank Akash Verma, Sanket Gooutam, Micah Bushouse, Benjamin Andow, Luke Deshotels, and Isaac Polinsky. I’d also like to thank Michael Petullo and Sam Huddleston for being my sounding boards on so many ideas. I would finally like to thank my family for their unconditional love, support and belief in me. We did this. iv TABLE OF CONTENTS LIST OF TABLES ...................................................... viii LIST OF FIGURES ..................................................... ix LIST OF ABBREVIATIONS ............................................... xi Chapter 1 Introduction ................................................. 1 1.1 Thesis Statement .................................................. 3 1.2 Thesis Contributions ............................................... 4 1.3 Thesis Organization ................................................ 4 Chapter 2 Background and Related Work ................................... 7 2.1 Software Defined Networking ......................................... 7 2.1.1 The Data Plane ............................................. 8 2.1.2 The Control Plane ........................................... 8 2.1.3 The Application Plane ........................................ 9 2.1.4 Extending SDN to Security ..................................... 9 2.1.5 Emulation Environments ....................................... 10 2.2 The Internet of Things .............................................. 10 2.2.1 Overview of IoT ............................................ 10 2.2.2 Cloud Services ............................................. 11 2.2.3 Access Control ............................................. 11 2.2.4 Device and Behavior Transparency ................................ 12 2.2.5 Motivating Examples ......................................... 12 2.3 Machine Learning ................................................. 14 2.3.1 Supervised Learning Models .................................... 14 2.3.2 Unsupervised Learning Models .................................. 15 2.3.3 Scikit-Learn Framework and Evaluation ............................ 15 2.4 Threat Model .................................................... 16 Chapter 3 PivotWall ................................................... 17 3.1 Introduction ..................................................... 17 3.2 Motivation ...................................................... 19 3.2.1 Motivating Example .......................................... 19 3.2.2 Threat Model and Assumptions .................................. 20 3.3 Overview ....................................................... 21 3.3.1 Architecture Overview ........................................ 21 3.3.2 Challenges ................................................ 22 3.3.3 Key Ideas in PivotWall ........................................ 22 3.4 PivotWall ....................................................... 24 3.4.1 Network Layer Design ........................................ 25 3.4.2 Host Design ............................................... 29 3.4.3 Forensic Analysis ............................................ 31 v 3.5 Performance Evaluation ............................................. 32 3.5.1 RQ1: Stealthy Attack Detection .................................. 33 3.5.2 RQ2: Attack Coverage ........................................ 36 3.5.3 RQ3: Network Scalability ...................................... 36 3.5.4 RQ4: Response Capability ..................................... 37 3.6 Discussion ...................................................... 38 3.7 Related Work .................................................... 39 3.7.1 Detection Using Network Flow Correlation .......................... 39 3.7.2 Network Management and Monitoring for SDN ...................... 40 3.7.3 Host Provenance Frameworks ................................... 41 3.8 Conclusion ...................................................... 42 3.9 Acknowledgements ................................................ 42 Chapter 4 HomeSnitch ................................................. 43 4.1 Introduction ..................................................... 43 4.2 Motivation and Problem ............................................. 45 4.3 Overview ....................................................... 46 4.4 Design ......................................................... 48 4.4.1 Classification of Application Behaviors ............................ 49 4.4.2 Context Monitor ............................................ 52 4.4.3 Policy ...................................................
Load more

Recommended publications
  • Network Security Knowledge Area
    Network Security Knowledge Area Prof. Christian Rossow CISPA Helmholtz Center for Information Security Prof. Sanjay Jha University of New South Wales © Crown Copyright, The National Cyber Security Centre 2021. This information is licensed under the Open Government Licence v3.0. To view this licence, visit http://www.nationalarchives.gov.uk/doc/open- government-licence/. When you use this information under the Open Government Licence, you should include the following attribution: CyBOK Network Security Knowledge Area Version 2.0 © Crown Copyright, The National Cyber Security Centre 2021, licensed under the Open Government Licence http://www.nationalarchives.gov.uk/doc/open- government-licence/. The CyBOK project would like to understand how the CyBOK is being used and its uptake. The project would like organisations using, or intending to use, CyBOK for the purposes of education, training, course development, professional development etc. to contact it at [email protected] to let the project know how they are using CyBOK. Security Goals What does it mean to be secure? • Most common security goals: “CIA triad” – Confidentiality: untrusted parties cannot infer sensitive information – Integrity: untrusted parties cannot alter information – Availability: service is accessible by designated users all the time • Additional security goals – Authenticity: recipient can verify that sender is origin of message – Non-Repudiation: anyone can verify that sender is origin of message – Sender/Recipient Anonymity: communication cannot be traced back to
    [Show full text]
  • Network Access Control: Disruptive Technology? Craig Fisher Regis University
    Regis University ePublications at Regis University All Regis University Theses Fall 2007 Network Access Control: Disruptive Technology? Craig Fisher Regis University Follow this and additional works at: https://epublications.regis.edu/theses Part of the Computer Sciences Commons Recommended Citation Fisher, Craig, "Network Access Control: Disruptive Technology?" (2007). All Regis University Theses. 94. https://epublications.regis.edu/theses/94 This Thesis - Open Access is brought to you for free and open access by ePublications at Regis University. It has been accepted for inclusion in All Regis University Theses by an authorized administrator of ePublications at Regis University. For more information, please contact [email protected]. Regis University College for Professional Studies Graduate Programs Final Project/Thesis Disclaimer Use of the materials available in the Regis University Thesis Collection (“Collection”) is limited and restricted to those users who agree to comply with the following terms of use. Regis University reserves the right to deny access to the Collection to any person who violates these terms of use or who seeks to or does alter, avoid or supersede the functional conditions, restrictions and limitations of the Collection. The site may be used only for lawful purposes. The user is solely responsible for knowing and adhering to any and all applicable laws, rules, and regulations relating or pertaining to use of the Collection. All content in this Collection is owned by and subject to the exclusive control of Regis University and the authors of the materials. It is available only for research purposes and may not be used in violation of copyright laws or for unlawful purposes.
    [Show full text]
  • NUREG/CR-7117 "Secure Network Design"
    NUREG/CR-7117 SAND2010-8222P Secure Network Design Office of Nuclear Regulatory Research AVAILABILITY OF REFERENCE MATERIALS IN NRC PUBLICATIONS NRC Reference Material Non-NRC Reference Material As of November 1999, you may electronically access Documents available from public and special technical NUREG-series publications and other NRC records at libraries include all open literature items, such as NRC’s Public Electronic Reading Room at books, journal articles, and transactions, Federal http://www.nrc.gov/reading-rm.html. Publicly released Register notices, Federal and State legislation, and records include, to name a few, NUREG-series congressional reports. Such documents as theses, publications; Federal Register notices; applicant, dissertations, foreign reports and translations, and licensee, and vendor documents and correspondence; non-NRC conference proceedings may be purchased NRC correspondence and internal memoranda; from their sponsoring organization. bulletins and information notices; inspection and investigative reports; licensee event reports; and Copies of industry codes and standards used in a Commission papers and their attachments. substantive manner in the NRC regulatory process are maintained at— NRC publications in the NUREG series, NRC The NRC Technical Library regulations, and Title 10, Energy, in the Code of Two White Flint North Federal Regulations may also be purchased from one 11545 Rockville Pike of these two sources. Rockville, MD 20852–2738 1. The Superintendent of Documents U.S. Government Printing Office These standards are available in the library for Mail Stop SSOP reference use by the public. Codes and standards are Washington, DC 20402–0001 usually copyrighted and may be purchased from the Internet: bookstore.gpo.gov originating organization or, if they are American Telephone: 202-512-1800 National Standards, from— Fax: 202-512-2250 American National Standards Institute 2.
    [Show full text]
  • Comparative Study of Network Access Control Technologies Hasham Ud-Din Qazi
    Final Thesis Comparative Study of Network Access Control Technologies By Hasham Ud-Din Qazi LITH-IDA-EX--07/028--SE 2007-05-11 Linköpings universitet Department of Computer and Information Science Final Thesis Comparative Study of Network Access Control Technologies By Hasham Ud-Din Qazi LITH-IDA-EX--07/028--SE 2007-05-11 Supervisor: Prof. Dr. Christoph Schuba Examinator: Prof. Dr. Christoph Schuba Datum Avdelning, institution Date Division, department Institutionen för datavetenskap Department of Computer and Information Science 2007-05-11 Linköpings universitet Språk Rapporttyp ISBN Language Report category Svenska/Swedish Licentiatavhandling ISRN LITH-IDA-EX--07/028--SE X Engelska/English X Examensarbete C-uppsats Serietitel och serienummer ISSN D-uppsats Title of series, numbering Övrig rapport URL för elektronisk version http://www.ep.liu.se/ Titel Title Comparative Study of Network Access Control Technologies Författare Author Hasham Ud-Din Qazi Sammanfattning Abstract This thesis presents a comparative study of four Network Access Control (NAC) technologies; Trusted Network Connect by the Trusted Computing group, Juniper Networks, Inc.’s Unified Access Control, Microsoft Corp.’s Network Access Protection and Cisco Systems Inc.’s Network Admission Control. NAC is a vision, which utilizes existing solutions and new technologies to provide assurance that any device connecting to a network policy domain is authenticated and is subject to the network’s policy enforcement. Non-compliant devices are isolated until they have been brought back to a complaint status. We compare the NAC technologies in terms of architectural and functional features they provide. There is a race of NAC solutions in the marketplace, each claiming their own definition and terminology, making it difficult for customers to adopt such a solution, resulting in much uncertainty.
    [Show full text]
  • Network Protocols Handbook.Pdf
    Second Edition Network Protocols TCP/IP Ethernet ATM Handbook Frame Relay WAN LAN MAN WLAN SS7/C7 VOIP Security VPN SAN VLAN IEEE IETF ISO Javvin Technologies,ITU-T Inc. ANSI Cisco IBM Apple Microsoft Novell Network Protocols Handbook Network Protocols Handbook 2nd Edition. Copyright © 2004 - 2005 Javvin Technologies Inc. All rights reserved. 13485 Old Oak Road Saratoga CA 95070 USA 408-872-3881 [email protected] All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means electronically or mechanically. Warning and Disclaimer This book is designed to provied information about the current network communication protocols. Best effort has been made to make this book as complete and ac- curate as possible, but no warranty or fitness is implied. The infomation is provided on an “as is” basis. The author, publisher and distributor shall not have liability nor respon- sibility to anyone or group with respect to any loss arising from the information contained in this book and associated materials. I Table of Contents Table of Contents Network Communication Architecture and Protocols••••••••••••••••••••••••••••••1 OSI Network Architecture 7 Layers Model••••••••••••••••••••••••••••••••••••••••2 TCP/IP Four Layers Archiitecture Model••••••••••••••••••••••••••••••••••••••••••5 Other Network Architecture Models: IBM SNA••••••••••••••••••••••••••••••••••7 Network Protocols: Definition and Overview••••••••••••••••••••••••••••••••••••••9 Protocols Guide•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••11
    [Show full text]