Abdulhakim Sabur, Ankur Chowdhary, and Dijiang Huang, Arizona State University; Myong Kang, Anya Kim, and Alexander Velazquez, Naval Research Lab
With an average network size approaching 8000 servers, data-center networks need scalable security-state monitoring solutions. Using an Attack Graph (AG) to identify possible attack paths and network risk is a common approach. However, existing AG generation approaches suffer from the state-space explosion issue: the size of the AG increases exponentially as the number of services and vulnerabilities increases. To address this issue, we propose a network segmentation-based scalable security state management framework, called S3, which applies a divide-and-conquer approach to create multiple small-scale AGs (i.e., sub-AGs) by partitioning a large network into manageable smaller segments, and then merges them to establish the entire AG for the whole system. S3 utilizes an SDN-based distributed firewall (DFW) for managing service reachability among different network segments. Therefore, it avoids reconstructing the entire system-level AG due to the dependencies among vulnerabilities. A series of experiments are conducted to demonstrate that S3 (i) reduces AG generation and analysis complexity by reducing the AG's density compared to existing AG-based solutions; and (ii) utilizes the SDN-based DFW to provide a granular security management framework by incorporating security policies at the level of individual hosts and segments. Therefore, S3 helps in limiting targeted low-and-slow attacks involving lateral movement.
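The divide-and-conquer idea in the abstract can be made concrete with a small model. The following is an added example, not code from the paper or its authors: hosts carry constructed vulnerability identifiers, the network is split into segments, an SDN-style DFW allow-list decides which inter-segment flows exist, one sub-AG is built per segment, and the sub-AGs are merged along DFW-permitted edges only. The inventory, segment names, vulnerability ids and DFW rules are all constructed for illustration; the comparison with a flat, unsegmented AG and the incremental rebuild after patching one host show the two effects the abstract claims (lower AG density, and no whole-system regeneration when one segment changes).

```python
"""Toy segmentation-based attack graph (AG) construction in the spirit of S3.

Added example (not the paper's implementation). An AG edge (a, b) means
"from a compromised host a, host b can be exploited". Inside a segment every
host can reach every other host; across segments only DFW-permitted
(src_segment, dst_segment) pairs produce edges. Every value below is constructed.
"""
from copy import deepcopy
from itertools import permutations

# Constructed inventory: host -> (segment, set of exploitable vulnerability ids)
INVENTORY = {
    "web1": ("dmz", {"V-web"}),
    "web2": ("dmz", {"V-web"}),
    "app1": ("app", {"V-app"}),
    "app2": ("app", {"V-app"}),
    "db1": ("data", {"V-db"}),
    "db2": ("data", {"V-db"}),
}

# Constructed DFW allow-list: traffic is permitted only dmz->app and app->data.
DFW_POLICY = {("dmz", "app"), ("app", "data")}


def segment_hosts(inv, segment):
    """Hosts that belong to one segment."""
    return [h for h, (seg, _) in inv.items() if seg == segment]


def build_sub_ag(inv, segment):
    """Sub-AG for one segment: intra-segment traffic is unfiltered, so every
    ordered pair gets an edge as long as the target still has a vulnerability."""
    hosts = segment_hosts(inv, segment)
    return {(a, b) for a, b in permutations(hosts, 2) if inv[b][1]}


def build_monolithic_ag(inv):
    """Flat AG without segmentation or DFW: every host can reach every other."""
    return {(a, b) for a, b in permutations(inv, 2) if inv[b][1]}


def merge_sub_ags(inv, sub_ags, policy):
    """Join the sub-AGs and add inter-segment edges only where the DFW allows
    the (src, dst) segment pair and the destination is exploitable."""
    merged = set().union(*sub_ags.values()) if sub_ags else set()
    for src_seg, dst_seg in policy:
        for a in segment_hosts(inv, src_seg):
            for b in segment_hosts(inv, dst_seg):
                if inv[b][1]:
                    merged.add((a, b))
    return merged


def build_segmented_ag(inv, policy):
    """Full S3-style pipeline: one sub-AG per segment, then merge."""
    segments = {seg for seg, _ in inv.values()}
    sub_ags = {seg: build_sub_ag(inv, seg) for seg in segments}
    return merge_sub_ags(inv, sub_ags, policy), sub_ags


def patch_host(inv, sub_ags, host, policy):
    """Simulate remediating all vulnerabilities on `host`. Only the sub-AG of
    that host's segment is rebuilt; the other sub-AGs are reused as cached."""
    inv = deepcopy(inv)
    seg = inv[host][0]
    inv[host] = (seg, set())
    sub_ags = dict(sub_ags)
    sub_ags[seg] = build_sub_ag(inv, seg)  # the single rebuilt sub-AG
    return merge_sub_ags(inv, sub_ags, policy), sub_ags, inv


def reachable_from(ag, start):
    """Hosts an attacker who holds `start` can reach by following AG edges."""
    seen, stack = set(), [start]
    while stack:
        h = stack.pop()
        if h in seen:
            continue
        seen.add(h)
        stack.extend(b for a, b in ag if a == h)
    return seen


def density(inv, ag):
    """Fraction of all possible directed host pairs that are AG edges."""
    n = len(inv)
    return len(ag) / (n * (n - 1))


if __name__ == "__main__":
    mono = build_monolithic_ag(INVENTORY)
    seg_ag, subs = build_segmented_ag(INVENTORY, DFW_POLICY)
    print("monolithic edges:", len(mono), "density:", density(INVENTORY, mono))
    print("segmented edges:", len(seg_ag), "density:", density(INVENTORY, seg_ag))
    print("reachable from web1:", sorted(reachable_from(seg_ag, "web1")))
    patched, _, _ = patch_host(INVENTORY, subs, "db1", DFW_POLICY)
    print("edges after patching db1 (one sub-AG rebuilt):", len(patched))
```

With the constructed six-host inventory the flat AG has 30 edges (density 1.0) while the segmented AG has 14, and tightening `DFW_POLICY` to only `("dmz", "app")` cuts the set reachable from `web1` to the dmz and app hosts, which is the lateral-movement limit the abstract describes. Patching `db1` rebuilds only the `data` sub-AG and re-merges, rather than regenerating the system-level AG.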
author = {Abdulhakim Sabur and Ankur Chowdhary and Dijiang Huang and Myong Kang and Anya Kim and Alexander Velazquez},
title = {S3: A {DFW-based} Scalable Security State Analysis Framework for {Large-Scale} Data Center Networks},
booktitle = {22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019)},
year = {2019},
isbn = {978-1-939133-07-6},
address = {Chaoyang District, Beijing},
pages = {473--485},
url = {https://www.usenix.org/conference/raid2019/presentation/sabur},
publisher = {USENIX Association},
month = sep
}