Files in this item

File: ECE499-Sp2011-chaugule.pdf (561kB)
Format: PDF (application/pdf)
Access: Restricted to U of Illinois
Description: (no description provided)

Description

Title: Robustness of Compliance to Infrastructure Security Policies
Author(s): Chaugule, Amey
Contributor(s): Campbell, Roy H.
Subject(s): network security
infrastructure security
security estimation
Abstract: Policies are used extensively in managing the security of large computer infrastructure systems. Many large organizations and several government entities such as the National Institute for Standards and Technology (NIST) and the North American Electric Reliability Corporation (NERC) define security policies to specify the allowed configurations of the systems under their watch. The goal of such policies is to help reduce the vulnerability of the infrastructure to attacks, misconfiguration and operator error. To that end, these policies specify allowed interconnections between systems, firewall configurations, software settings, and levels of redundancy in the system’s components. Ensuring compliance to such policies through frequent monitoring can reduce the time span during which these systems are vulnerable to attacks. However, faults and attacks can make the underlying information used for validating compliance erroneous or incomplete. A compromised system could feed false information about its state to the compliance monitoring system. In this thesis we introduce the concept of robustness of compliance. We show that systems which are compliant to security policies can exhibit different levels of resilience to false information and we provide an algorithm for quantitatively computing a measure of robustness based on the concept of distance from violation. Intuitively, our algorithm computes an estimation of the amount of false information that needs to be provided to a compliance monitoring system for making an infrastructure appear compliant even when the underlying system is noncompliant. Our experiments demonstrate that our approach is viable in large networks.
Issue Date: 2011-05
Genre: Other
Type: Text
Language: English
URI: http://hdl.handle.net/2142/46542
Publication Status: unpublished
Peer Reviewed: not peer reviewed
Date Available in IDEALS: 2014-01-15

