Fields of R&D activity


The problem of information security and operability control in heterogeneous distributed IT-infrastructures

In the modern information-oriented society, digital information security has become vital for almost any field of activity. To satisfy constantly growing user requirements for information retrieval, processing and exchange involving global remote interactions, more and more sophisticated IT infrastructures are built. Their multilevel distributed architectures incorporate a wide variety of telecommunication, information and multimedia technologies and bring with them management, operability and security problems. With that, the overall vulnerability to hardware and software failures, corruption of data and programs, and compromise of confidential information caused by malicious activity or unintentional effects increases.

Thus, to protect critical network resources from miscellaneous security threats, rapidly propagating new attacks and insider security breaches, a complex approach to information security must be applied, which consists in the coordinated deployment of organizational procedures and technical tools with different functionality. Such tools include access and integrity control systems, antivirus software, firewalls, intrusion detection/prevention systems, security information and event management systems, etc. Though vendors offer many solutions to mitigate risks, for effective defense they must be integrated into one consistent security system. This is a difficult task due to the absence of a single platform and the complexity of integration. Moreover, traditional rule-based network security systems require prior knowledge of attacks and depend on the currency and completeness of the signature bases they use. They generate excess alerts and have high false alarm rates because they cannot take natural changes in network behavior into account and lack "zero-day" detection. As a result, incident diagnostics alone takes 60-90% of a security officer's time. In addition, the network components of defense-in-depth strategies are ineffective against insider threats.

So the most significant shortcomings of existing network security solutions can be summarized as:

  • detection of known predefined misuses and particular types of threats only;
  • dependence on update rates and completeness of a signature base;
  • deficiency in “zero-day” detection of novel security threats;
  • generation of a large number of alarms;
  • time-consuming incident diagnostics and troubleshooting.

Anomaly detection and network behavior analysis solutions

According to experts’ opinion, network behavior analysis (NBA) can fill the gap left by policy- and signature-based solutions and security information and event management systems and make up for the drawbacks mentioned above. NBA systems can be considered a functional extension of anomaly detection (AD) systems. While AD systems focus mostly on detecting changes that correspond to unknown threats, NBA systems, in addition to anomaly detection capabilities, provide information about other informative and operationally useful types of changes, as well as about “normal” network activity, and so support network operations and management along with information security and compliance.

AD is performed in two stages: building a model which reflects “normal” network activity based on known or gathered information, and monitoring ongoing activity to identify deviations from this model. The principal issues that affect the effectiveness of an NBA (AD) system are the types of data processed, the aggregation and correlation of data from multiple sources, and the built-in detection mechanisms in terms of detection accuracy, learning and adaptive features, response time and adequate complexity of the mathematical models.

Thus the weaknesses of AD and NBA solutions include:

  • inability to adapt to natural changes in network infrastructures;
  • high misoperation rates, especially due to false positive errors;
  • application of simple mathematical models, inadequate to the task;
  • insufficient range of processed information sources.   

The scientific objective

Therefore the scientific objective of ongoing R&D activities is to develop effective techniques and algorithms for anomaly detection in heterogeneous distributed IT infrastructures based on analysis of structured network traffic and correlation of normalized security events collected from other sources (network hardware logs, NIDS, antivirus, firewall, etc.). In particular, research is directed at enhancing and implementing a technique for detecting abnormal states of network devices using multidimensional statistical analysis of structured network traffic. This technique was developed earlier at LLC LNT and consists of a set of methodological and organizational rules, mathematical models and algorithms which define the process of operation state analysis and anomaly detection. It proved effective during operational testing in different real network environments, especially for behavior analysis of server devices, but showed some limitations concerning the selection of controlled operation parameters, pattern representation and incident investigation. Network traffic was preferred as one of the most reliable data sources on events that actually happen in a network infrastructure. The aim of extending the set of network operation data sources is to enhance the reliability of analysis results.
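The correlation of normalized security events from several sources described above, as an added example in Python that is not the project's code and not part of "Security Locator": every source writes its own line format, so one parser per source maps a raw line onto a common record, records for the same host are grouped into sessions by time gap, and a session is reported as an incident only when more than one independent source saw that host. The three line formats, the host addresses and the sample lines are all constructed for this example and do not reproduce any vendor's real syntax.

```python
"""Normalise security events from several sources and correlate them per host.

Cross-source corroboration is what cuts single-sensor false alarms and
localises the affected network object. Line formats and sample lines are
constructed for this example (no vendor's real syntax is reproduced).
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}

# Constructed line formats for the three sources
FIREWALL_RE = re.compile(
    r"^(?P<ts>\S+) fw DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")
NIDS_RE = re.compile(
    r"^(?P<ts>\S+) nids \[(?P<sev>\w+)\] (?P<sig>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$")
AV_RE = re.compile(
    r"^(?P<ts>\S+) av host=(?P<host>[\d.]+) verdict=(?P<verdict>\w+) object=(?P<obj>\S+)$")


def parse_line(line: str) -> Optional[Dict]:
    """Map one raw line onto the common schema; unknown lines yield None."""
    if m := FIREWALL_RE.match(line):
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "firewall", "host": m["src"],
                "severity": "low", "summary": f"denied to {m['dst']}:{m['dport']}"}
    if m := NIDS_RE.match(line):
        sev = m["sev"] if m["sev"] in SEVERITY_WEIGHT else "medium"
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "nids", "host": m["src"],
                "severity": sev, "summary": f"{m['sig']} towards {m['dst']}"}
    if m := AV_RE.match(line):
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "av", "host": m["host"],
                "severity": "high", "summary": f"{m['verdict']} {m['obj']}"}
    return None


def normalise(lines: List[str]) -> List[Dict]:
    """Parse every line, dropping those no parser recognises."""
    return [e for e in map(parse_line, lines) if e is not None]


def correlate(events: List[Dict], window: timedelta = timedelta(minutes=5),
              min_sources: int = 2) -> List[Dict]:
    """Group events per host into gap-based sessions; keep sessions seen by >= min_sources."""
    by_host: Dict[str, List[Dict]] = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)

    incidents = []
    for host, evs in by_host.items():
        session = [evs[0]]
        for e in evs[1:] + [None]:          # None sentinel flushes the last session
            if e is not None and e["ts"] - session[-1]["ts"] <= window:
                session.append(e)
                continue
            sources = sorted({s["source"] for s in session})
            if len(sources) >= min_sources:
                incidents.append({
                    "host": host, "start": session[0]["ts"], "end": session[-1]["ts"],
                    "sources": sources,
                    "score": sum(SEVERITY_WEIGHT[s["severity"]] for s in session),
                    "events": [s["summary"] for s in session],
                })
            if e is not None:
                session = [e]
    return sorted(incidents, key=lambda i: -i["score"])


# Constructed sample lines: one host seen by all three sources within minutes,
# another host seen by the firewall only, and one unparseable line.
SAMPLE_LINES = [
    "2009-08-22T18:00:05 fw DENY src=10.0.0.7 dst=203.0.113.9 dport=445",
    "2009-08-22T18:01:10 nids [high] outbound-anomaly 10.0.0.7 -> 203.0.113.9",
    "2009-08-22T18:02:40 av host=10.0.0.7 verdict=quarantined object=/tmp/update.bin",
    "2009-08-22T18:03:00 fw DENY src=10.0.0.12 dst=203.0.113.9 dport=445",
    "2009-08-22T18:30:00 fw DENY src=10.0.0.7 dst=198.51.100.4 dport=22",
    "this line is in no known format",
]


def run_demo() -> List[Dict]:
    return correlate(normalise(SAMPLE_LINES))


if __name__ == "__main__":
    for inc in run_demo():
        print(inc["host"], inc["score"], inc["sources"], inc["events"])
```

Only 10.0.0.7 produces an incident: the firewall, NIDS and antivirus records for it fall within one five-minute session, while its later lone firewall record and the single record for 10.0.0.12 stay below the two-source threshold. The session gap and the minimum number of sources are the two knobs that trade detection latency against false alarms.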

The following requirements for R&D results were defined:

  • real time and deferred analysis, involving event correlation and history;
  • effective localization of network objects related to an incident;
  • robustness to noise in training data;
  • data compression without considerable loss of useful information;
  • aggregation and correlation of information from multiple sources sufficient for incident investigation;
  • generalized anomaly detection, regardless of particular cases and intrusion types;
  • dynamic normal behaviour patterns for network objects;
  • adaptive detection and classification of abnormal states;
  • ranking events by priority and severity of detected anomaly.
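The two-stage scheme described under anomaly detection (build a model of normal activity, then flag deviations from it), together with several of the requirements just listed (robustness to noise in training data, localization of the deviating parameters, ranking by severity), as an added example in Python that is not the project's code and not the multidimensional statistical technique of LLC LNT: a per-host baseline is learned with median and median absolute deviation, so a few corrupt training windows do not shift it, and live windows are scored by their robust z-score distance from that baseline. The feature names, thresholds and all sample data are constructed for this example.

```python
"""Two-stage anomaly detection over per-host traffic feature vectors.

Stage 1 builds a robust baseline (the "normal" pattern) for a monitored host
from historical feature vectors; stage 2 scores live windows against it,
localises which parameters deviate and ranks the results by severity.
Feature names, thresholds and all sample data are constructed.
"""
from dataclasses import dataclass
from math import sqrt
from statistics import median
from typing import Dict, List

FEATURES = ("bytes_out", "packets_in", "distinct_dst_ports", "new_conns")
MAD_TO_SIGMA = 1.4826   # scales median absolute deviation to a std-dev estimate
DEVIATION_Z = 3.0       # |z| at which a single parameter counts as deviating


@dataclass
class Baseline:
    center: Dict[str, float]   # per-feature median
    spread: Dict[str, float]   # per-feature robust sigma, never zero


def build_baseline(history: List[Dict[str, float]]) -> Baseline:
    """Stage 1: median/MAD per feature, so noisy training windows do not distort it."""
    center, spread = {}, {}
    for f in FEATURES:
        values = [w[f] for w in history]
        m = median(values)
        mad = median(abs(v - m) for v in values)
        center[f] = m
        # floor the spread so a constant feature does not give infinite z-scores
        spread[f] = max(MAD_TO_SIGMA * mad, 1.0)
    return Baseline(center, spread)


def score_window(baseline: Baseline, window: Dict[str, float]) -> Dict:
    """Stage 2: robust z-score per feature, aggregated into one abnormality level."""
    z = {f: (window[f] - baseline.center[f]) / baseline.spread[f] for f in FEATURES}
    level = sqrt(sum(v * v for v in z.values()))   # distance from the baseline in z-space
    deviating = sorted((f for f in FEATURES if abs(z[f]) >= DEVIATION_Z),
                       key=lambda f: -abs(z[f]))   # localisation: which parameters moved
    return {"level": round(level, 2), "z": z, "deviating": deviating}


def severity(level: float) -> str:
    """Map an abnormality level onto a severity class (constructed thresholds)."""
    if level >= 12:
        return "critical"
    if level >= 6:
        return "high"
    if level >= 3.5:
        return "medium"
    return "normal"


def rank_alerts(baseline: Baseline, windows: Dict[str, Dict[str, float]]) -> List[Dict]:
    """Score every window (keyed by timestamp); return abnormal ones, highest first."""
    alerts = []
    for ts, w in windows.items():
        s = score_window(baseline, w)
        sev = severity(s["level"])
        if sev != "normal":
            alerts.append({"ts": ts, "severity": sev, "level": s["level"],
                           "deviating": s["deviating"]})
    return sorted(alerts, key=lambda a: -a["level"])


def _vec(b, p, d, n):
    return {"bytes_out": b, "packets_in": p, "distinct_dst_ports": d, "new_conns": n}


# Constructed training history for one server (11 five-minute windows); the
# last window is a noisy outlier that a mean/std baseline would absorb.
HISTORY = [
    _vec(100, 50, 3, 20), _vec(110, 52, 3, 22), _vec(95, 48, 4, 19), _vec(105, 51, 3, 21),
    _vec(100, 50, 3, 20), _vec(98, 49, 2, 18), _vec(102, 50, 3, 20), _vec(107, 53, 4, 23),
    _vec(99, 49, 3, 19), _vec(103, 51, 3, 21), _vec(900, 400, 3, 20),
]
# Constructed live windows: normal; many distinct destination ports; outbound
# volume far above baseline; a mild rise in new connections.
LIVE = {
    "t1": _vec(104, 51, 3, 21),
    "t2": _vec(101, 52, 40, 22),
    "t3": _vec(130, 50, 3, 20),
    "t4": _vec(95, 48, 3, 25),
}


def run_demo() -> List[Dict]:
    return rank_alerts(build_baseline(HISTORY), LIVE)


if __name__ == "__main__":
    for a in run_demo():
        print(a["ts"], a["severity"], a["level"], a["deviating"])
```

With this history the baseline for bytes_out is 102 with a robust spread of about 4.4, unaffected by the 900-byte outlier, so the ranked output is t2 (critical, distinct_dst_ports), t3 (high, bytes_out) and t4 (medium, new_conns); t1 stays below the medium threshold. The per-feature z-scores are what an operator needs to see which controlled parameter moved, and the thresholds in severity() would be tuned per host class in a real deployment.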

Software system “Security Locator”

For research and real-life testing of new detection algorithms, a specialized software tool is required which can monitor a heterogeneous distributed IT infrastructure, collect the necessary information on security events, compute an abnormality level according to the embedded analysis techniques and display both operational data and analysis results. To provide this functionality, the distributed software system “Security Locator” has been developed and is used during research and experiments by specialists and students of LLC LNT. The software system also has several deployments in different network infrastructures that give ideas for further R&D in the field.

Within the project, “Security Locator” is to be continually upgraded with additional program modules implementing new research results. The far-reaching ambition of this gradual enhancement of “Security Locator” is a universal intelligent superstructure over the network environment that actively interacts with controlled entities, dynamically adapts to natural changes and automatically responds to dangerous exposures.

Last Updated on Saturday, 22 August 2009 18:56  
