With the increasing adoption of Cloud Computing, cyber-attacks have become the most effective means for adversaries who opt to inflict damage with the least resources and lowest risk of being physically captured. The attacker operates from a remote location bypassing all security measures to cause data loss or manipulate the functionality of a Cloud session. As indicated in an analysis report prepared by the SANS Institute, all attacks starts with a reconnaissance stage where targets are monitored and relevant data are gathered. By analyzing the collected data, vulnerabilities are identified and then exploited to gain access to the target system. Obviously the best defense against cyber-attacks is to isolate the attacker. Employing a reputation model enables the containment of attackers by alerting a system by identifying compromised or rouge sessions.
Current reputation systems pursue classification into a white and black list, i.e., binary categorization. Separate lists for URLs and IP addresses are maintained. Some tools that provide rudimentary reputation services include Cisco SenderBase , VirusTotal IP reputation and Spam and Open Relay Blocking System (SORBS). Most of these tools and lists are based on a single dimensional-observables with no correlation among them. Such shortcoming degrades the system’s effectiveness for detecting sophisticated attacks and terminating malicious activities. This becomes even more critical in a cloud environment that is hosting thousands of Virtual Machines (VMs) where it is essential to isolate and shut down VM instances whose sessions are under attack from adversaries in remote locations without affecting the operation of the entire cloud infrastructure.
The objective of this proposed project is to develop a dynamic reputation scoring model for sessions based on a variety of observable and derived features. Cloud infrastructure will be pursued as a use case. Our proposed reputation model overcomes the shortcomings of current IP reputation scoring systems in order to enable a variety of high-level analysis and attack forensics. Our proposed work will facilitate attack prevention and empower organizations to “achieve a level of closed-loop intelligence” by stopping an attack at an early stage . The project’s key contribution lies in enriching the set of attributes that the reputation scoring considers, providing an expressive scoring system that enables an administrator, e.g., for a cloud, to understand what is at stake, and increasing robustness by correlating the various pieces of information while factoring in the trustworthiness of their sources.
This project is supported in part by gift from CISCO