Abstract
The interest in diversity as a security mechanism has recently been revived in various applications, such as Moving Target Defense (MTD), resisting worms in sensor networks, and improving the robustness of network routing. However, most existing efforts on formally modeling diversity have focused on a single system running diverse software replicas or variants. At a higher abstraction level, as a global property of the entire network, diversity and its impact on security have received limited attention. In this paper, we take the first step towards formally modeling network diversity as a security metric for evaluating the robustness of networks against potential zero day attacks. Specifically, we first devise a biodiversity-inspired metric based on the effective number of distinct resources. We then propose two complementary diversity metrics, based on the least and the average attacking efforts, respectively. Finally, we evaluate our algorithm and metrics through simulation.
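The abstract mentions a biodiversity-inspired metric based on the effective number of distinct resources but gives no formula. The following example, added here and not taken from the paper, assumes the ecological Hill number (order 1 is the exponential of Shannon entropy) as the effective number of resource types, and normalises it by the total number of resource instances so that a monoculture scores low and a fully diverse network scores 1.

```python
import math
from collections import Counter


def effective_number(counts, q=1.0):
    """Hill number of order q (assumed definition of 'effective number').

    It is the number of equally common resource types that would yield the
    same diversity as the observed counts:
      q=0 -> plain count of distinct types
      q=1 -> exp(Shannon entropy)
      q=2 -> inverse Simpson index
    """
    total = sum(counts)
    if total == 0:
        return 0.0
    p = [c / total for c in counts if c > 0]
    if q == 1.0:
        return math.exp(-sum(x * math.log(x) for x in p))
    return sum(x ** q for x in p) ** (1.0 / (1.0 - q))


def network_diversity(resources, q=1.0):
    """Effective number of distinct resources divided by the number of
    resource instances (assumed normalisation, range (0, 1]).

    `resources` lists one entry per host/service, e.g. the software
    product each host exposes; identical entries share zero-day risk."""
    n = len(resources)
    if n == 0:
        return 0.0
    counts = list(Counter(resources).values())
    return effective_number(counts, q) / n


# Constructed sample networks of six exposed services each (hypothetical
# product labels, not real hosts).
MONOCULTURE = ["web-A"] * 6                      # one zero-day hits all six
MIXED = ["web-A"] * 4 + ["web-B", "web-C"]       # dominated by one product
FULLY_DIVERSE = ["web-A", "web-B", "web-C", "db-A", "db-B", "mail-A"]

if __name__ == "__main__":
    for name, net in [("monoculture", MONOCULTURE), ("mixed", MIXED),
                      ("fully diverse", FULLY_DIVERSE)]:
        print(f"{name:14s} d1 = {network_diversity(net):.3f}")
```

The mixed network scores only about 0.4 even though it has three distinct products, because the effective number discounts rare ones; raising `q` makes that discount stronger.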
Copyright information
© 2014 Springer International Publishing Switzerland
Cite this paper
Wang, L., Zhang, M., Jajodia, S., Singhal, A., Albanese, M. (2014). Modeling Network Diversity for Evaluating the Robustness of Networks against Zero-Day Attacks. In: Kutyłowski, M., Vaidya, J. (eds) Computer Security - ESORICS 2014. ESORICS 2014. Lecture Notes in Computer Science, vol 8713. Springer, Cham. https://doi.org/10.1007/978-3-319-11212-1_28
DOI: https://doi.org/10.1007/978-3-319-11212-1_28
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11211-4
Online ISBN: 978-3-319-11212-1