NETWORKS, PROTECTION reinforcement through the EC FP projects

1
NETWORKS, PROTECTION reinforcement through the
EC FP projects
_________________________L.AslanyanInstitute
for Informatics and Automation ProblemsNational
Academy of Sciences of Republic of Armenia
2
ABSTRACT

• Security is not a finite state but is a permanent
  process. Basic means for network security include
  firewalls, secure protocols, PKI and electronic
  signature systems, virus and spam filtering. The
  final network protection level depends on correct
  integration of mentioned components. It is
  interesting to know if there exist alternative
  means for security.
• Several EC funded research project results are
  discussed and concluded, that complication of
  basic means of security provide the same or
  comparable level of protection. In addition,
  distributed software agent systems may provide
  additional means being able to monitor wide
  network areas and analyzing the monitored
  information - mining useful knowledge on
  intrusions, malfunctioning, etc.

3
CONTENT

• INTAS 04-77-7173 Data flow systems algorithms
  and complexity project
• EC FP5 SPARTA Security policy adaptation
  reinforced through agents project
• INTAS 00-652 Data mining algorithm incubator
  project

4
INTAS 04-77-7173 Data flow systems algorithms
and complexity
5
ON UNIVERSAL OR COMPLETE ENCRIPTION SYSTEMS (1)

• Let (G,E,D) be PKI probabilistic worst-case
  polinomial time algorithms for key generation,
  encription and decription respectively.
• The given PKI scheme is d(n)-correct iff for
  large n PrDsk(Epk(m))m d(n) for (pk,sk)?G(1n)
• Probabilistic black-box A e(n)-breaks PKI scheme
  if for infinitely many parameters n
  PrApk(1n,Epk(m))m e(n) for (pk,sk)?G(1n)

6
ON UNIVERSAL OR COMPLETE ENCRIPTION SYSTEMS (2)

• An encryption scheme (G1,E1,D1) is reducable to
  an encryption scheme (G2,E2,D2) if there exists a
  probabilistic polinomial time oracle machine R,
  such that for any probabilistic black-box A that
  breacks (G2,E2,D2) RA breacks (G1,E1,D1).
• We denote the class of all 2/3-correct public key
  encription schemes by PKCS.
• Theorem. There exists a complete PKCS.

7
EC FP5 SPARTA Security policy adaptation
reinforced through agents
8
WEB PAGE
ê ä ² ð î ²
9
SECURITY POLICY

• Detailed description of any information, which
  might be monitored operationally and which might
  be of some interest for data security reasons.
• Archiving of existing knowledge systems,
  structures, technologies, viruses, hacking.
• The data analysis algorithms - to be designed and
  realized, by the above data descriptions
  according to the basic tasks and requirements.
• Security policy is the set of laws, rules, and
  practice that regulate how an organization
  implements, manages, protects, and distributes
  its information and computing resources to
  achieve security objectives.

10
GENERAL ARCHITECTURE
11
INTRODUCTION

• The SPARTA mobile agent system monitors the
  implementation of security policies, identifies
  security problems and performs intrusion
  detection.
• Security checks are flexible, at run-time and
  without interrupting the systems activity.
• Two main use cases in SPARTA
• Surveillance (of a given security policy)
• Intrusion Detection (ID)

12
Surveillance - Use CaseArchitecture
13
ArchitectureUse Cases Terminology

• User - A network administrator or a regular local
  user.
• Monitor HS, Subordinate AS.
• Home Server (HS) - A special agent server with a
  Graphical User Interface (GUI), where agents
  return their results and may alert the user.
• Agent Server (AS) - A basic piece of the SPARTA
  architecture is an installed agent platform on a
  standard host (computer) /sometimes we call it
  SPARTA host/.

14
ArchitectureIntrusion Detection - Use Case
15
ArchitectureMain Components I

• SPARTA architecture supports both distributed and
  centralized use cases.
• Main components
• Agents (A)
• Agent Server (AS)
• Home Server (HS)
• Secure Infrastructure with Secure Information
  Space (SIS)
• Data Analyzer Module (DAM)
• Security Policy Editor (SPE)
• User Front End (FE)

16
ArchitectureMain Components II
17
ArchitectureAgents (A)

• Centerpiece of design
• mobile code
• automated application tasks
• Types of SPARTA agents
• One-hop, Multi-hop, Embedded
• An agent consists of two parts
• Agent State agents data together with
  management information (e.g. user ID).
• Agent Code its source code as Java class file,
  which is separately downloaded from a code base
  server.

18
ArchitectureAgent Server (AS)

• Each agent is running on an AS in a certain
  place.
• A place provides a run-time environment for an
  agent by allowing it to call certain functions.
• A communicator is an AS module, which is
  responsible for sending and receiving agents.
• An Agent Security Manager (ASM) prevents attacks
  from agents, which are directed against the AS or
  the underlying host.

19
ArchitectureOverall SPARTA Architecture
20
ArchitectureHome Server (HS)

• A HS has two main duties
• it allows agents that finished their work to
  return to a special place (User Place), where
  they are stored and wait for user login.
• provides an interface for components like FE, SPE
  or DAM to access returned agents or to launch new
  ones.
• HS supports detached computing - FE might be
  disconnected from the network, while the agents
  are performing their work.
• User can optionally be notified by email or SMS
  when the agent has returned.

21
ArchitectureSecure Infrastructure

• Securing an agent platform
• local permission table (on each host).
• permissions depend on the host, where the agent
  came from and on the owner of the agent.
• SIS administrates all trust CAs information and
  encodes and decodes the agents.

22

• SPARTA
• IMPLEMENTATION

23
"Infoservice Co. LtdNetwork Service Provider

• "Infoservice Co. Ltd uses satellite based TCP/IP
  and liesed line telephony communication
  infrastructures serving the information exchange
  of a number of Ministries and other important
  organisations, as well as between different
  state, international professional and
  coordinating, and private organizations.

24
SARMState Standardization Department

• creation of national systems for standardization,
  
• organization of development of national standards
  
• management of works on product, services, quality
  systems certification
• accreditation of certification bodies and test
  laboratories
• state control of compliance to normative
  documents mandatory requirements and
  certification rules
• creation of technical committees of
  standardization and organization of their work
• verification of national measurement samples,
  measurement devices, calibration schemes and
  definition of regarded general metrology
  requirements
• organization of calibration of measurement
  device, as well as type verification and state
  register conduction
• works on measurement uniformity providence in
  the territory of the Republic of Armenia.

25
USERS IS SARMObjectives

• The general objecive of Standards Information
  Exchange System is to set up the logical and
  physical model network between standardization
  bodies and user organizations in order to
  facilitate the information exchange, concerning
  the area of standardization and certification, -
  over the networks.
• The host computer in Internet and Intranet is the
  sarm.am, which is an IBM PC computer, Windows NT
  with MS Proxy 2. Physically sarm.am is situated
  in Yerevan (in SARMs main Office).

26
Branch organizationsLAN Connections

• PRESS (technical information service and library)
• INFOCENTER (official information, advertising)
• YERTEST (certification)
• METROLOGY

The main databases are centralized on the host
server of SARM while a complementary and specific
set of data is a subject to be sent and received
through sarm.am connections. Each of the above
workstations keeps its own documents archieve,
containing task and scope specific records.
27
Remote Branch organizations Internet (TCP/IP)
Connection

• GAVAR
• VANADZOR
• GUMRI
• KAPAN

KAPAN node is situated in town Kapan, which is in
some 300km. The network connection uses TCP/IP
protocols. The basic computer is PC Pentium
(Windows). Connection with Internet is being
realizied by ZyXEL Modem and CISCO 1020 system.
28
(No Transcript)
29
Case studiesKAPAN - SARMs remote branch
organization

• SARMs Branch organization in Kapan manages
  provision of certification and accreditation
  process and documents, in relation to the
  product, services, quality system, etc.
• The certification body works with standardization
  documentation to make a conclusion regarding the
  kinds and services under the consideration.
• production certification (based on use of
  Technical Conditions)
• certification of delivered product (based on
  laboratory analysis)
• services certification
• quality correspondence certification (ISO 9000)
• After making conclusion certification body sends
  the concluding certification document to the
  SARMs server.

30
(No Transcript)
31
IS SARMglobal networking principle

• The global networking principle is outlined
  schematically in the following picture

32
(No Transcript)
33
IS SARM CONNECTION
34
(No Transcript)
35

• SPARTA
• INTELLIGENCE

36
Data Analysis ModuleArchitecture(ARMENIAN
TECHNOLOGICAL WORKLOAD)
37
DAM User Scenarion(UML Use Case Diagram)
Tasks (static regime)
ltltUsesgtgt
ltltUsesgtgt
ltltUsesgtgt
38
DAMUML Class Diagram
39
SPARTA Specfic Validation

• SPARTA Specific Validation issues consists of
• Security Policy validation, monitoring and
  enforcing,
• Monitoring of systems integrity,
• Vulnerability assessment,
• General purpose intrusion detection.

40
INTAS 00-652 Data mining algorithm incubator
project
41
HYBRID RECOGNITION SCHEMES

• Monitoring systems collect huge information
  amounts which require novel algorithmic
  approaches to be able to provide an online
  analysis. In recognition and classification where
  learning set is known as very limited in size,
  the first priority is the detailed information
  analysis. The shift of input from learning set to
  monitoring information requires restructuring of
  recognition algorithms. Hybrid recognition works
  in two stages. First is a quick tree based
  procedure. Then comes metric recognition
  procedures, but these work with error classes
  after the first stage, which are much small in
  sizes.

42
FREQUENT PATTERNS MINING

• Association rule mining is one of the basic data
  mining tools. The known realizations uses
  growing of frequent subsets as the way of
  finding association rules. An alternative
  approach is developed which uses the n-cube
  geometry elements. Monotone Boolean functions
  given by an oracle are recognized optimally
  through the special n-cube partitioning into the
  monotone growing chains. A modification of this
  structure is proven productive for frequent
  subsets finding.

43
LOGIC SEPARATION RECOGNITION

• Logic based Pattern Recognition extends the well
  known similarity models, where the distance
  measure is the base instrument for recognition.
  Initial idea is under consideration since 70s and
  it reduces the logic based recognition models to
  the reduced disjunctive normal form of partially
  defined Boolean functions. An alternative pattern
  recognition approach combines the metric and
  logic hypotheses and features, and leads to
  studies of logic forms, hypotheses, hierarchies
  of hypotheses and effective algorithmic
  solutions. Current results provide probabilistic
  conclusions on effective recognition by logic
  means in a model environment of binary attributes
  and of data flows.

44
ABSTRACT

• Security is not a finite state but is a permanent
  process. Basic means for network security include
  firewalls, secure protocols, PKI and electronic
  signature systems, virus and spam filtering. The
  final network protection level depends on correct
  integration of mentioned components. It is
  interesting to know if there exist alternative
  means for security.
• Several EC funded research project results are
  discussed and concluded, that complication of
  basic means of security provide the same or
  comparable level of protection. In addition,
  distributed software agent systems may provide
  additional means being able to monitor wide
  network areas and analyzing the monitored
  information - mining useful knowledge on
  intrusions, malfunctioning, etc.