Files in this item

FilesDescriptionFormat

application/pdf

application/pdfmontanari_robustness_techreport2011.pdf (193kB)
Technical ReportPDF

Description

Title:Robustness of Compliance to Infrastructure Security Policies
Author(s):Montanari, Mirko; Chaugule, Amey; Campbell, Roy H.
Subject(s):Computer Security
Monitoring
Regulatory compliance
Abstract:Policies are used extensively in managing the security of large computer infrastructure systems. Many large organizations and several government entities such as the National Institute for Standards and Technology (NIST) and the North American Electric Reliability Corporation (NERC) define security policies to specify the allowed configurations of the systems under their watch. The goal of such policies is to help reduce the vulnerability of the infrastructure to attacks, misconfiguration and operator error. To that end, these policies specify allowed interconnections between systems, firewall configurations, software settings, and levels of redundancy in the system’s components. Ensuring compliance to such policies through frequent monitoring can reduce the time span during which these systems are vulnerable to attacks. However, faults and attacks can make the underlying information used for validating compliance erroneous or incomplete. A compromised system could feed false information about its state to the compliance monitoring system. In this paper we introduce the concept of robustness of compliance. We show that systems which are compliant to security policies can exhibit different level of resilience to false information and we provide an algorithm for quantitatively computing a measure of robustness based on the concept of distance from violation. Intuitively, our algorithm computes an estimation of the amount of false information that needs to be provided to a compliance monitoring system for making an infrastructure appear compliant even when the underlying system is not compliant. Our experiments demonstrate that our approach is viable in large networks.
Issue Date:2011
Genre:Technical Report
Type:Text
Language:English
URI:http://hdl.handle.net/2142/27712
Publication Status:unpublished
Peer Reviewed:not peer reviewed
Date Available in IDEALS:2011-10-17


This item appears in the following Collection(s)

Item Statistics