Title: Responding to Zero-Day Attacks in Distributed Computing and Cloud Computing Environments
Respond to Zero-Day Attacks in Distributed Computing and Cloud Computing Environments
Author: 吴育松
Wu Yu-Sung
Department (Institute) of Computer Science, National Chiao Tung University
Keywords: intrusion response; intrusion detection; Web Application; cloud computing; zero-day attack
Date of publication: 2010
Abstract: A zero-day attack (unknown attack) in a distributed system is a computer security attack that proceeds through a series of unknown or undisclosed system vulnerabilities. Because such an attack goes through unknown vulnerabilities, its corresponding attack behaviour pattern cannot be predicted in advance either, which makes it extremely difficult to defend against. We plan to develop an Intrusion Response System (IRS) for zero-day attacks in distributed system environments. The basic working principle of an intrusion response system is to take response actions while an attack is in progress in order to block it. However, since the behaviour pattern (attack graph) of a zero-day attack is unknown, existing intrusion response systems can mostly only take preset response actions; these often fail to achieve the expected effect, or else they take excessive measures that cause unnecessary interruption of system operation. In detail, in this project we first propose an online, dynamic attack graph generation process. We use the alerts from intrusion detectors and an architectural description of the protected system as the parameters for generating the attack graph. On the other hand, we also propose a concept called "attack graph conceptualization". We define two type hierarchies, one for the system components in the protected system and one for the intrusion detectors. Then, each node in the attack graph is abstracted on the basis of these two type hierarchies. Attack graph conceptualization helps us find, among attacks that have occurred in the past, information related to a zero-day attack that is currently taking place. This information can help improve the accuracy and effectiveness of the response actions taken by the intrusion response system.
Cloud computing is gradually being applied to every aspect of our lives. Defending against security attacks in cloud computing environments through intrusion response technology is therefore an important topic. Cloud computing can be roughly divided into three types: infrastructure as a service, platform as a service, and software as a service. Architecturally, cloud computing inherits the concepts of distributed computing. More interestingly, many cloud computing applications themselves also embody distributed computing concepts. For example, Amazon's EC2 cloud service is used to build e-commerce platforms, media streaming platforms, search engines, application hosting and other services that involve distributed computing. In the later phase of this project, we will build on our experience and technology from intrusion response systems in distributed system environments to develop a corresponding intrusion response system for infrastructure-as-a-service cloud environments such as Amazon EC2. We plan to integrate our intrusion response system with the Xen® Hypervisor virtual machine monitor used in Amazon EC2. In this way we will be able to provide intrusion response capability for applications in the cloud environment. Furthermore, because we integrate the intrusion response system into the virtual machine monitor, it has the advantage of not requiring any modification or additional configuration of the protected applications.
A zero-day attack, or unknown attack, exploits unknown or undisclosed vulnerabilities and can result in devastating damage. We approach the problem from an intrusion response system (IRS) point of view, where the IRS deploys responses to contain an ongoing attack in a distributed computing environment. For a zero-day attack, the escalation pattern, commonly represented as an attack graph, is not known a priori. Hence, current IRSs can only provide ineffective or drastic responses. We propose an online attack graph generation process, which creates an attack graph for a zero-day attack at runtime based on received detector alerts and a specification of the underlying system. We also propose a technique that "conceptualizes" nodes in an attack graph, whereby they are generalized based on the object-oriented hierarchies for components and detector alerts. This is based on our insight that high-level manifestations of zero-day attacks can bear similarity to those of previously seen attacks. The technique helps identify the similarities between a zero-day attack and some past attack, which allows a more precise and more effective response against the zero-day attack.
Intrusion response for (zero-day) attacks plays a critical role in the security of cloud computing. Cloud computing offers an infrastructure, a platform, or a service (the cloud), on which computing tasks are consolidated and supported. The architecture of cloud computing itself is based on distributed computing, and, more interestingly, many cloud applications also involve distributed computing. For instance, enterprises have been using the Amazon EC2 cloud to build distributed computing environments serving tasks such as e-commerce, media hosting, search engines, and application hosting. Inherently, cloud computing faces the same security threats as distributed computing. We are thereby interested in using our IRS technology to protect the cloud computing environment from these attacks. Specifically, the proposed IRS will be incorporated into the Xen® Hypervisor, which is the virtualization technology used by the Amazon EC2 cloud to provision virtual instances of computing resources. Through this integration, our IRS can protect the applications in the cloud in a transparent manner: with the proposed approach, the protected application needs no special configuration or additional modification.
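The two ideas in the abstract, building an attack graph online from detector alerts plus a system description and then "conceptualizing" its nodes through component and alert type hierarchies so that a never-seen attack can be matched against past ones, can be illustrated with a small model. The following is an added example written for this page; it is not the project's code, and every hierarchy, system specification, alert stream, past attack and response label in it is constructed for illustration. Nodes are (component, alert) pairs, conceptualization lifts both coordinates a given number of steps up their hierarchies, and similarity is the Jaccard overlap of the two conceptualized node sets.

```python
"""Toy model of online attack graph generation and attack graph conceptualization.
Added example for this page, not the project's implementation; all data is constructed."""
from dataclasses import dataclass

# Component type hierarchy, child -> parent (constructed).
COMPONENT_PARENT = {
    "apache_httpd": "web_server", "nginx": "web_server", "web_server": "network_service",
    "mysql": "database", "postgresql": "database", "database": "network_service",
    "network_service": "host_component",
}

# Detector alert type hierarchy, child -> parent (constructed).
ALERT_PARENT = {
    "sql_syntax_in_param": "input_validation", "path_traversal_param": "input_validation",
    "input_validation": "application_alert",
    "unexpected_child_process": "process_anomaly", "process_anomaly": "host_alert",
    "outbound_connection_to_unknown": "network_anomaly", "network_anomaly": "host_alert",
}

# Specification of the protected system: component -> components it can reach (constructed).
SYSTEM_SPEC = {"nginx": {"postgresql"}, "postgresql": set()}


@dataclass(frozen=True)
class Node:
    component: str   # which protected component the alert concerns
    alert: str       # which detector alert type fired on it


def ancestors(t, parent):
    """Return [t, parent(t), grandparent(t), ...] up to the hierarchy root."""
    chain = [t]
    while t in parent:
        t = parent[t]
        chain.append(t)
    return chain


def build_attack_graph(alerts, spec):
    """Online attack graph generation (toy): each alert becomes a node, and an edge is
    added from the previous node only if the system spec says its component can reach
    this one (or it is the same component), so unrelated alerts are not chained."""
    nodes, edges = [], []
    for component, alert_type in alerts:
        if component not in spec:
            continue  # alert about something outside the protected system description
        node = Node(component, alert_type)
        if nodes:
            prev = nodes[-1]
            if prev.component == node.component or node.component in spec[prev.component]:
                edges.append((prev, node))
        nodes.append(node)
    return nodes, edges


def conceptualize(node, level):
    """Lift both coordinates of a node `level` steps up their type hierarchies
    (clamped at the root), which is the abstraction step the abstract describes."""
    comps = ancestors(node.component, COMPONENT_PARENT)
    alerts = ancestors(node.alert, ALERT_PARENT)
    return Node(comps[min(level, len(comps) - 1)], alerts[min(level, len(alerts) - 1)])


def similarity(graph_a, graph_b, level):
    """Jaccard similarity of two node lists after conceptualizing both to `level`."""
    sa = {conceptualize(n, level) for n in graph_a}
    sb = {conceptualize(n, level) for n in graph_b}
    return len(sa & sb) / len(sa | sb)


# Library of past attacks with the response that contained each one (constructed).
PAST_ATTACKS = {
    "past-A": ([Node("apache_httpd", "sql_syntax_in_param"),
                Node("mysql", "unexpected_child_process"),
                Node("mysql", "outbound_connection_to_unknown")], "isolate database host"),
    "past-B": ([Node("nginx", "path_traversal_param")], "block source at web tier"),
}


def match_past_attacks(ongoing, max_level=2):
    """Score the ongoing graph against every past attack at increasing abstraction levels.
    Returns (name, level, score, response); strict '>' makes ties go to the less abstract
    level, so the match is found at the lowest level where the shapes coincide."""
    best = None
    for level in range(max_level + 1):
        for name, (graph, response) in PAST_ATTACKS.items():
            score = similarity(ongoing, graph, level)
            if best is None or score > best[2]:
                best = (name, level, score, response)
    return best


# Constructed alert stream for a "zero-day" attack on different software than past-A used.
ONGOING_ALERTS = [("nginx", "path_traversal_param"),
                  ("postgresql", "unexpected_child_process"),
                  ("postgresql", "outbound_connection_to_unknown"),
                  ("printer", "paper_jam")]  # not in the spec, so dropped

if __name__ == "__main__":
    nodes, edges = build_attack_graph(ONGOING_ALERTS, SYSTEM_SPEC)
    print(len(nodes), "nodes,", len(edges), "edges")
    print("exact match with past-A:", similarity(nodes, PAST_ATTACKS["past-A"][0], 0))
    print("best match:", match_past_attacks(nodes))
```

At level 0 the ongoing attack shares no node with past-A (different web server, different database, different entry alert), but one step up both hierarchies they become identical, so the response recorded for past-A is proposed. The tie-break towards the less abstract level matters in practice: the further nodes are lifted, the more past attacks look alike, and a response chosen from an over-abstracted match risks exactly the drastic, interruption-causing action the abstract warns about.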
Official document #: NSC99-2218-E009-010-MY3
URI: http://hdl.handle.net/11536/100068
https://www.grb.gov.tw/search/planDetail?id=2016133&docId=330226
Appears in collections: Research Plans