Managing User-Level Compromises in the Enterprise

To minimize risk to the OS and other accounts on a system, organizations often limit their users to the minimal privileges needed on the system. To limit threat propagation within the network, organizations use firewalls and virtual LANs (VLANs) to group hosts into smaller risk pools. They then use monitoring tools, such as intrusion-detection systems (IDS), at the network boundaries between groups to detect threats.

Unfortunately, these enforcement and monitoring tools lack visibility into hosts and other parts of the network, hindering their ability to make informed decisions. Specifically, 1) they are blind to activity among grouped hosts (e.g., within VLANs or subnets), 2) they are blind to the host-level cause (or catalyst) of the network traffic when making security decisions, 3) they can only examine a subset of the network's traffic without seeing network-wide behavior, 4) they allow adversaries to perform reconnaissance on the organization's network and infrastructure, and 5) they use broad rules to allow or deny traffic without the ability to consider details.

This work seeks to create centralized access control systems for all network traffic and to inform the network access controller of the host-level context and catalyst of network traffic.

Intellectual Merit

In exploring these research directions, this project will make the following contributions:

  1. DNS Access Control: The proposed work creates a DNS-based access control system that regulates communication between clients and a set of internal servers. In doing so, it creates a system in which a host name serves as a password to allow clients to unlock server resources. This architecture prevents adversaries from engaging in reconnaissance, through network scanning, and even thwarts malware that monitors the host's other network connections to discover and exploit additional systems.
  2. Flow-based Access Control: The proposed work empowers the access control system to control all network connections between hosts, even those traditionally within the same network subnet, on a per-flow basis. This enables an access controller to authorize or deny a flow or even proxy the flow through a security monitor, such as an IDS.
  3. Reporting Host-Level Origins of Packets: The proposed work characterizes the user event, or catalyst, that causes the host to send network traffic and the surrounding context. By considering interactions with a local, trusted user, this work distinguishes locally-triggered traffic from that of other origins. The host reports this information to a centralized controller as part of the DNS process, helping the controller make informed enforcement decisions.
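An added illustration of how the three pieces above fit together, written for this page and not taken from the project's code: a toy controller in which resolving a host name is the only way to unlock a server, every new flow is checked against that grant, and the host-reported catalyst decides whether the flow is allowed or proxied through a monitor. All names, addresses and the "non-user catalyst gets proxied" policy are constructed assumptions.

```python
"""Toy model of DNS-gated, per-flow access control with host-reported catalysts.
Constructed example: names, IPs and the policy below are illustrative only."""
from dataclasses import dataclass, field

ALLOW, DENY, PROXY = "allow", "deny", "proxy"


@dataclass
class Controller:
    # hostname -> server IP; a client learns the IP only by resolving the name,
    # so the name acts as the "password" that unlocks the server
    names: dict = field(default_factory=dict)
    # (client, server_ip) -> decision for flows authorized by a prior lookup
    flows: dict = field(default_factory=dict)

    def register(self, hostname, server_ip):
        self.names[hostname] = server_ip

    def resolve(self, client, hostname, catalyst):
        """Host-side DNS hook: the host reports its identity and the event
        (catalyst) that caused the lookup. Returns the server IP, or None."""
        server_ip = self.names.get(hostname)
        if server_ip is None:
            return None                      # unknown name unlocks nothing
        # Assumed policy: user-triggered traffic is allowed directly, anything
        # without a local user interaction is steered through the IDS proxy.
        decision = ALLOW if catalyst == "user" else PROXY
        self.flows[(client, server_ip)] = decision
        return server_ip

    def check_flow(self, client, dst_ip):
        """Enforcement on the first packet of a new flow, even inside a subnet."""
        return self.flows.get((client, dst_ip), DENY)


def demo():
    ctl = Controller()
    ctl.register("payroll.internal.example", "10.0.5.20")
    # A user click resolves the name and unlocks the server for that client.
    ip = ctl.resolve("ws-1", "payroll.internal.example", catalyst="user")
    user_flow = ctl.check_flow("ws-1", ip)
    # A background process on another host resolves the same name: proxied.
    ctl.resolve("ws-2", "payroll.internal.example", catalyst="background")
    bg_flow = ctl.check_flow("ws-2", "10.0.5.20")
    # A scanner that sweeps the subnet without resolving any name is denied
    # on every first packet, so it learns nothing about which hosts exist.
    scan = {ctl.check_flow("ws-3", f"10.0.5.{i}") for i in range(1, 255)}
    return user_flow, bg_flow, scan
```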

Broader Impacts

This approach increases the security of computer systems and networks, which will have a direct impact on government, military, educational, and industrial organizations. The tools and systems created in this work will enable educational experiments at both the graduate and undergraduate levels. The work also supports extracurricular activities, including the Collegiate Cyber Defense Competitions and the high school CyberPatriot competition.

Publicly Released Data Sets and Code

In exploring this project, we have created code and collected data to support our publications. The following code and data are available based on those publications.

  • Our 2016 INFOCOM publication and our 2015 ACM CCS Moving Target Defense Workshop publications used a Python implementation of the host-based SDN. The associated source code is available for download for non-commercial use only. The associated data sets for the INFOCOM publication are large in size and can be obtained manually via an email request to cshue at cs.wpi.edu.
  • A publication currently under review uses a C++ version of the implementation for analysis. Its results are available for download.