Testbed Design For Evaluation Of Active Cyber Defense Systems
Open Access
- Author:
- Sridhar, Srikumar
- Graduate Program:
- Computer Science and Engineering
- Degree:
- Master of Science
- Document Type:
- Master Thesis
- Date of Defense:
- July 06, 2018
- Committee Members:
- Sencun Zhu, Thesis Advisor/Co-Advisor
Gang Tan, Committee Member - Keywords:
- Moving Target Defense
Container Migration
Intrusion Detection - Abstract:
- As with any system, often times, an attacker only needs to know a single vulnerability to compromise the entire system. To ensure a system is free of vulnerability is extremely difficult, if not impossible, especially for large systems with over millions of lines of code. Hence, we focus on a cyber security methodology called Moving Target Defense (MTD). The philosophy of MTD is that instead of attempting to build flawless systems to prevent attacks, one may continually change the attack surface (certain system dimensions) over time in order to increase complexity and cost for attackers to probe the system and launch the attack. The approach taken for implementing MTD in this thesis involves a naive checkpoint and restore methodology. If either an application has come under attack or the application hasn’t been switched for a while (a user-defined period), the container that it was running in will be killed and a new instance would be spawned (application switching). This would help prevent a single software vulnerability from compromising the whole system. The new instance of the application will begin its execution from the latest checkpoint available to it. We demonstrate this approach using checkpoint and restore in user space with docker containers. Additionally, we present the design of a complete, open-source, testbed for systems that utilize docker containers. Tools such as OSSEC (Open Source Host Based Intrusion Detection System Security), Snort (Network intrusion prevention and network intrusion detection system), Bro (Network intrusion detection system), Sysdig Falco (Runtime container monitoring tool) etc., are utilized to detect intrusions or anomalous behavior in a containerized environment. Multiple intrusion detection tools are enforced in the system while various exploits are carried out. We perform application switching along with IP mutation once an intrusion has been detected and evaluate the downtime associated with this process. We find that the process of checkpointing and restoring docker containers on the same host takes roughly 2.5 seconds.