Information Assurance and Security
Felix L. Huerte Jr.
Laguna University
Table of Contents

Module 8: Security Problems in All-Optical Network (AON)
    Introduction
    Learning Outcomes
    Lesson 1. Security Problems in All-Optical Network (AON)
        All-Optical Network Features
        Possible Attacks
        All-Optical Network Attack Types
        Cross-talk Monitoring and Localization in All-Optical Networks
        Monitoring Methods
Module 9: Robustness Evaluation of Operating System
    Introduction
    Learning Outcomes
    Lesson 1. Robustness
        Target System
        Error Model and Workload Selection
        The Art of Workload Selection
        Robustness Metrics
Module 10: Intrusion Response Systems
    Introduction
    Learning Outcomes
    Lesson 1. Intrusion Detection Systems (IDS) and Intrusion Response Systems (IRS)
        Types of Intrusion
        Common Solutions to Intrusions
    Assessment Task
    Summary
    References

List of Tables

Table 3.1 The CRASH Scale
Table 3.2 Types of Intrusions/Attacks
Table 3.3 Solutions to Intrusion

List of Figures

Figure 3.1 Business and Technical Strategies of China Telecom's CT2025
Figure 3.2 Example of Crosstalk Attack Using Wavelength Selective Switches
Figure 3.3 Example of Crosstalk Attack Propagation
Figure 3.4 General System Model
Figure 3.5 Target System Model
Figure 3.6 Services Exercised
Figure 3.7 Time Sharing Systems
Figure 3.8 Networks
Figure 3.9 Intrusion Detection System Architecture
Figure 3.10 Defensive Life Cycle
Figure 3.11 Types of Intrusions/Attacks

MODULE 8
Security Problems in All-Optical Network (AON)

Introduction

Optical fiber-based networks have emerged as the predominant transport layer technology for telecom service providers. These networks provide very high bit rates to support a broad class of applications.
The ability to route large amounts of data and to access different channels makes them a very appealing option for providing very high-rate access in wide-area networks (WANs), metropolitan area networks (MANs), and even local-area networks (LANs). The benefits are larger still when the fiber is used in an all-optical network (AON) mode, where a signal does not have to go through optical-to-electrical-to-optical (O-E-O) conversion at intermediate nodes. The high capacity of a fiber channel can be efficiently utilized in either time division multiplexed (TDM) or wavelength division multiplexed (WDM) mode. In this module we focus on the All-Optical Network (AON) employing the WDM mode: the fiber bandwidth is divided into multiple optical wavelength channels, and each wavelength can support 10 Gbps or higher data rates. A fiber in the future is likely to carry 100 Gbps per channel and hundreds of such channels.

Such networks have important security ramifications (Qian, Joshi, Tipper and Krishnamurthy, 2008). First and foremost, any attack, even one of short duration and perhaps infrequent, can result in large amounts of data being corrupted or compromised, simply because so much data crosses a channel in so little time. Second, end users may be using security protocols designed for slower networks, which may not be efficient or sufficient to detect attacks at very high speeds (Qian et al., 2008).

Learning Outcomes

At the end of this module, students should be able to:
1. Recognize the security problems in All-Optical Networks;
2. Identify the different attacks/intrusions and how to monitor them;
3. Explain the robustness evaluation of an operating system;
4. Evaluate the robustness of an operating system; and
5. Examine the issues and concerns in intrusion detection and response systems.

Lesson 1. Security Problems in All-Optical Network (AON)

In telecom-operator usage (carrier.huawei.com, n.d.), "all-optical network" is also used for fiber to the x (FTTx) access, which can refer to fiber to the site, fiber to the building, and fiber to the home; there, the coordinated planning of full-service areas and unified optical cable networks is critical to implementing all-optical networks. That is a broader, commercial use of the term. The security discussion that follows (Qian et al., 2008) concerns the transparent WDM transport network, whose defining property is that the optical signal is never converted to electrical form between the end points.

According to Qian et al. (2008), security in an All-Optical Network (AON) is different from communication and computer security in general, because AONs introduce physical-layer mechanisms that make the potential attack models different from those that are well known for traditional electronic networks. The transparency characteristic of AONs means that data do not undergo optical-to-electrical or electrical-to-optical conversion; connections in such networks are only amplified, not regenerated, at intermediate components. This creates many security vulnerabilities that do not exist in traditional networks, and the transparency and non-regeneration features make attack detection and localization much more difficult: there is no electronic checkpoint inside the network at which a signal can be inspected, so a malicious or corrupted signal travels as far as the legitimate traffic does.

The principal motivations for all-optical networking arise from the ability of optical fiber technology to fulfil the growing demand for bandwidth per user, protocol transparency, higher path reliability, and simplified operation and management. In all these areas, established approaches realized via electronic circuitry based on time division multiplexing (TDM) are beginning to prove insufficient, as they cannot perform the required operations as cheaply as all-optical techniques, assuming they can perform them at all (Qian et al., 2008).

Figure 3.1 Business and Technical Strategies of China Telecom's CT2025
Source: https://carrier.huawei.com/za/News/network/All-Optical-Network-Strategy

Figure 3.1 is an example, shown by Huawei.com (n.d.), of China Telecom's business strategy of building a "2+5" ecological tree. The root of this tree is broadband and 4G pipes (focusing on gigabit broadband + 5G); the entire tree thrives only if its root grows well. The branches of the tree are five ecosystems: smart connectivity, Internet of Things (IoT), smart home, novel ICT applications, and Internet finance. Huawei.com (n.d.) also describes the technical strategy of China Telecom, which is to transform from ICT into DICT (Data Tech + ICT). Data Tech includes AI, Blockchain, Cloud, Big Data, Edge computing, Five G, Smart Home, and IoT ("ABCDEFGHI" for short). In 2016, China Telecom proposed three strategic transformation directions: network intelligence (CT to the cloud), service ecosystem (services to the cloud), and smart operation (IT to the cloud). These strategies underline China Telecom's vision of becoming a leader in the hybrid cloud market. According to IDC, China Telecom's e-Surfing Cloud ranked seventh in the global public cloud market in 2018, and China Telecom was the only telecom operator among the top 10 cloud providers.

All-Optical Network Features (carrier.huawei.com, n.d.)

The features below are the operator-side view of an all-optical network as described on the Huawei page cited for Figure 3.1, not the transparent-AON security model of Qian et al. (2008).

1. Full-service areas and unified optical cable networks are the foundation of all-optical networks, and therefore need to coordinate 2B (business), 2C (consumer), and 2H (home) services.
2. The unified transport network (UTN) features high bandwidth, low latency, and multiple services. This network can be used for premium private lines, Data Center Interconnect (DCI), IP links, and mobile network fronthaul.
3. The IP integrated transport network has Flex-E and IPv6 Segment Routing (SRv6) features and is the foundation for network slicing. This network can be used for IP RAN private lines, broadband transport, and mobile backhaul.
4. Passive Optical Network (PON) enables full-service access. Comb PON and Flex PON are widely recognized in the industry and can be used for PON VPN, Internet private lines, regional networking, and smart homes.
They are widely used in video surveillance and industrial control, and in public areas and buildings (such as harbors, campuses, hotels, airports, commercial buildings, and train and bus stations).
5. Software-defined networking (SDN) supports intelligent, on-demand selection of bandwidth, clouds, value-added applications, and after-sales services, and uses the underlay mode to leverage the differentiated competitive advantages of operators' network control.

Possible Attacks

Possible attacks on a network can be broadly categorized into six areas (Qian et al., 2008):

1. Traffic Analysis Attack. The ciphertext length usually reveals the plaintext length, from which an attacker can get valuable information. An attacker can tap into fibers and obtain this information without breaking the encryption at all.
2. Eavesdropping. This occurs when an attacker covertly listens in on traffic to get sensitive information.
3. Data Delay. An attacker intercepts the data sent by the user and holds it for later use.
4. Spoofing. This attack is defined as the acquisition of privileges, capabilities, trust, and anonymity by pretending to be a more privileged or trusted process/user. This attack includes masquerading and Trojan horse attacks.
5. Service Denial. This attack deprives a user or an organization of the services of a resource that they would normally expect to have. A denial of service (DoS) attack can also destroy programs and files in a computer system.
6. Quality of Service (QoS) Degradation. An attacker overpowers legitimate signals to degrade or deny services.

All-Optical Network Attack Types

AON attacks can be roughly divided into two types: service disruption attacks and tapping attacks (Qian et al., 2008).

1. Service Disruption Attacks

This type includes service denial attacks and QoS degradation attacks. Physically, such attacks can be carried out by the following three methods.

Fiber Attacks. Fibers ideally propagate information on different wavelengths with only frequency-dependent delay and attenuation. They typically have very low radiation loss, that is, under normal operating conditions there is negligible radiation of power from the fiber. However, unprotected fiber is very vulnerable to any attacker with physical access (e.g., service is easily disrupted by cutting or bending a fiber) (Qian et al., 2008).

Optical Amplifier Attacks. Optical amplifiers are critical and necessary components of AONs. The erbium-doped fiber amplifier (EDFA) is commonly used in current optical networks. An EDFA consists of an optical fiber whose core is doped with the rare-earth element erbium. Light from one or more external semiconductor (pump) lasers is coupled into the fiber, exciting the erbium atoms; optical signals entering the fiber stimulate the excited erbium atoms to emit photons at the same wavelength as the incoming signal, which amplifies a weak optical signal to a higher power (Qian et al., 2008). EDFAs can simultaneously amplify signals over a range of wavelengths, making them compatible with WDM systems. However, the way an EDFA operates in WDM links and nodes leads to a phenomenon known as gain competition, whereby multiple independent WDM wavelengths share a limited pool of available upper-state photons within the fiber. The result is that a stronger signal (possibly from an attacker) can deprive a weaker signal of amplification gain. This gain competition, combined with the fact that a fiber has extremely low loss, means that an EDFA is susceptible to power jamming from remote locations: the attacker's signal reaches the amplifier almost undiminished. In some cases, an attacker at a legitimate network access point can cause service denial to many other users in this manner (Qian et al., 2008).

Switching Node Attacks. Wavelength selective switches (WSSs) have significant crosstalk levels.
Crosstalk causes signals to leak onto unintended outputs and permits inputs to cause interference on other optical signals passing through these devices. The level of crosstalk depends greatly on the particular components and architecture of a switch. However, crosstalk is additive, so the aggregate effect of crosstalk over a whole AON may be much worse than the effect of a single point of crosstalk. An attacker exploits this by injecting a very strong signal into a switch (Qian et al., 2008).

2. Tapping Attacks

This type includes both eavesdropping attacks and traffic analysis attacks. Physically, tapping can be achieved in two different ways: fiber or EDFA attacks, and switching node attacks (crosstalk leaks a copy of a signal onto another output). Some of the possible attacks, like fiber cuts, can be treated as a component failure. Other attacks, like correlated jamming, have limited spreading capability, as they affect only those connections that share a link or a node with the attack connections (Qian et al., 2008).

Cross-Talk Attack Monitoring and Localization in All-Optical Networks

The effects of an attack connection can propagate quickly to different parts of an all-optical transparent network. Such attacks affect the normal traffic and can cause either service degradation or outright service denial. Quick detection and localization of an attack source can avoid losing large amounts of data in an all-optical network (Qian et al., 2008).

Attack monitors collect information from connections and nodes for diagnostic purposes. However, to detect attack sources it is not necessary to put monitors at all nodes. Since the connections affected by the attack connection themselves provide valuable information for diagnosis, it has been shown that placing a relatively small number of monitors on a selected set of nodes in a network is sufficient to achieve the required level of performance.

However, the actual monitor placement, routing, and attack diagnosis are challenging problems that need research attention (Wu and Somani, 2005).

Crosstalk Attack Features. As shown in Figure 3.2, a crosstalk attack happens at a wavelength switch and only affects the normal connections on the same wavelength. The attacker injects a strong signal into a switch, and the power leakage (crosstalk) from the malicious channel is superimposed on a normal channel that shares the same wavelength switch (Qian et al., 2008).

Figure 3.2 Example of crosstalk attack using wavelength selective switches
Source: Qian, Joshi, Tipper and Krishnamurthy, 2008

The power of the malicious channel is high enough that even the small fraction leaked as crosstalk still greatly disturbs a normal channel. It is also possible that the high energy on one wavelength affects the signals on other wavelengths.

A crosstalk attack may also propagate, as depicted in Figure 3.3. The original crosstalk attack occurs at node i, which carries connections 1 and 2. Connection 1 is the malicious attack connection. Because of the crosstalk attack from connection 1, the power of connection 2 is pushed beyond a certain threshold, so connection 2 itself acquires crosstalk attack capability. Thus, at node j, which carries connections 2 and 3, power leakage from connection 2 superimposes on connection 3, and connection 3 is disturbed too, even though it never shares a node with the attacker. This characteristic makes localization of the attack connection much more difficult: a monitor that sees only node j observes a legitimate connection (2) behaving like an attacker (Qian et al., 2008).

Figure 3.3 Example of crosstalk attack propagation
Source: Qian, Joshi, Tipper and Krishnamurthy, 2008

Monitoring Methods

To detect attack signals, a sophisticated optical monitoring technique is required. With current techniques, we can monitor and detect some important features of optical signals. Typically, a monitoring device should be capable of measuring the signal wavelength, the signal power, and the optical signal-to-noise ratio (OSNR).
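The propagation of Figure 3.3 and the monitor-placement question above, as an added example that is not part of the original module or of Qian et al. (2008): a small Python model in which every wavelength-selective switch leaks a fixed fraction of any high-power connection onto the other connections on the same wavelength, and a connection that absorbs enough leakage becomes an attacker at its downstream switches. The switch names i, j, k, the connection names c1 to c5, the wavelength labels, the -20 dB crosstalk ratio, the launch powers and the two thresholds are all constructed for illustration; the model deliberately ignores amplifier gain, fiber loss and noise.

```python
"""Crosstalk attack propagation and monitor placement in a transparent WDM network.

Toy model of Figures 3.2 and 3.3: at each wavelength-selective switch, every
connection whose arrival power is above an attack threshold leaks a fixed
fraction of that power (the switch crosstalk ratio) onto every other connection
on the same wavelength at that switch. A connection that picks up enough leaked
power becomes an attacker at its downstream switches. Topology, powers and
thresholds are constructed for illustration, not measured values.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

PowerMap = Dict[Tuple[str, str], float]  # (connection, switch) -> power in mW


@dataclass(frozen=True)
class Connection:
    name: str
    wavelength: str
    path: Tuple[str, ...]  # switches traversed, in order
    launch_mw: float       # transmit power in mW


def db_to_linear(db: float) -> float:
    return 10 ** (db / 10)


@dataclass
class Network:
    connections: List[Connection]
    crosstalk_db: float = -20.0        # leak ratio per switch (constructed)
    attack_threshold_mw: float = 5.0   # above this a channel's leakage matters
    disturb_threshold_mw: float = 0.1  # leak that noticeably disturbs a 1 mW channel

    def _by_switch(self) -> Dict[str, List[Connection]]:
        table: Dict[str, List[Connection]] = {}
        for c in self.connections:
            for sw in c.path:
                table.setdefault(sw, []).append(c)
        return table

    def simulate(self) -> Tuple[PowerMap, PowerMap]:
        """Return (arrival power, leak absorbed) per (connection, switch), by fixpoint."""
        xt = db_to_linear(self.crosstalk_db)
        by_switch = self._by_switch()
        power: PowerMap = {(c.name, sw): c.launch_mw for c in self.connections for sw in c.path}
        leak: PowerMap = {key: 0.0 for key in power}
        while True:
            new_power, new_leak = dict(power), dict(leak)
            for c in self.connections:
                acc = c.launch_mw
                for sw in c.path:
                    new_power[(c.name, sw)] = acc
                    absorbed = 0.0
                    for other in by_switch[sw]:
                        if other is c or other.wavelength != c.wavelength:
                            continue  # crosstalk only hits the same wavelength
                        if power[(other.name, sw)] >= self.attack_threshold_mw:
                            absorbed += power[(other.name, sw)] * xt
                    new_leak[(c.name, sw)] = absorbed
                    acc += absorbed  # carried on to the next switch of the path
            if new_power == power and new_leak == leak:
                return power, leak
            power, leak = new_power, new_leak

    def disturbed(self) -> Set[Tuple[str, str]]:
        """(connection, switch) pairs where absorbed crosstalk exceeds the disturb threshold."""
        _, leak = self.simulate()
        return {key for key, mw in leak.items() if mw >= self.disturb_threshold_mw}

    def suspects(self, monitors: Set[str]) -> Dict[str, List[str]]:
        """Connections a power monitor at each monitored switch sees above the attack threshold."""
        power, _ = self.simulate()
        seen: Dict[str, List[str]] = {}
        for (name, sw), mw in sorted(power.items()):
            if sw in monitors and mw >= self.attack_threshold_mw:
                seen.setdefault(sw, []).append(name)
        return seen


def figure_3_3_network() -> Network:
    """Constructed instance of Figure 3.3: c1 attacks at switch i; c2 carries it on to j."""
    return Network([
        Connection("c1", "lambda1", ("i",), 1000.0),   # malicious, 30 dBm
        Connection("c2", "lambda1", ("i", "j"), 1.0),   # normal, shares i with c1
        Connection("c3", "lambda1", ("j", "k"), 1.0),   # normal, never meets c1
        Connection("c4", "lambda1", ("k",), 1.0),       # normal, two hops away
        Connection("c5", "lambda2", ("i", "j"), 1.0),   # other wavelength, untouched
    ])


if __name__ == "__main__":
    net = figure_3_3_network()
    print("disturbed:", sorted(net.disturbed()))
    print("monitor at j only:", net.suspects({"j"}))
    print("monitors at i and j:", net.suspects({"i", "j"}))
```

Running it reproduces Figure 3.3: c2 is disturbed at i and c3 at j although c3 never shares a switch with the attacker, while c4 two hops away and c5 on the other wavelength are untouched, which is the limited spreading the text mentions. A single monitor at j reports c2 as the connection above the attack threshold; only a monitor at i sees c1, which is the localization problem in miniature.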
The following testing methods are available; their limitations are also described (Qian et al., 2008).

Power Detection. Power detection over a wide band may be used to record an increase or decrease in power with respect to the expected value. The power detection technique is well suited to some problems, such as amplifier failures. However, on its own it is insufficient to detect a combination of in-band jamming attacks (which increase average power) and out-of-band jamming attacks (which decrease it), as together they may yield no difference in average received power. The power detection technique is also unsatisfactory for detecting gain competition attacks (Qian et al., 2008).

Optical Spectrum Analyzers. Optical spectrum analyzers (OSAs) display the spectrum of an optical signal. A significant programming effort is required to analyze the output of an OSA and map it to the generation of different types of alarms; it is therefore an expensive diagnostic tool for the automatic generation of network alarms. However, OSAs can detect those jamming attacks that seriously affect the optical spectrum (Qian et al., 2008).

Bit Error Rate Testers. Bit error rate testers (BERTs) operate by comparing a received pattern with the pattern known to have been sent. From the number of discrepancies found, the bit error rate (BER) of the transmission is estimated. BERTs only examine a given test data sequence while that special sequence is transmitted; they do not test the actual data. The time it takes for a BERT to establish the BER depends on the BER and the data rate. For instance, at 1 Gbps it takes several seconds for a BERT to establish with good statistical accuracy that the BER has degraded from 10^-8 to 10^-3 (at 10^-8 and 1 Gbps only about ten errors occur per second, so confirming the baseline rate alone takes seconds of test pattern). Moreover, some attacks may not seriously affect the BER at all (Qian et al., 2008).

Pilot Tones. Pilot tones are signals that travel along the same links and nodes as the communication payload, but are distinguishable from the communication payload.

Pilot tones are often at different carrier frequencies than the transmitted signal, and may also be distinguished from the communication payload by certain time slots or codes. The pilot tone technique may generate an alarm only if an attack affects the pilot wavelength; thus jamming attacks on other wavelengths, for example, cannot be detected. Moreover, pilot tones themselves can be masked by malicious signals, such as gain competition attacks (Qian et al., 2008).

Optical Time Domain Reflectometry. Optical time domain reflectometers (OTDRs) are a special application of pilot tones. Rather than analyzing a pilot tone at the point where the communication signal is received, the pilot tone's echo (its back-reflection) is analyzed. OTDRs are generally used to diagnose faults, bends, and losses in fibers, so they are usually better adapted to detecting attacks that involve physical tampering with the fiber. Since they operate by reflecting a signal back through the fiber, they may also provide information about other attacks that might be taking place. OTDRs with modulated signals can be used to detect jamming attacks, as jamming attack signals can be returned in the reflections and observed. The detection efficiency for gain competition depends on the type of device; for example, an attack on a unidirectional amplifier cannot be detected, because the probe cannot travel back through the amplifier (Qian et al., 2008).

MODULE 9
Robustness Evaluation of Operating System

Introduction

As discussed by Qian et al. (2008), the operating system (OS) constitutes a key building block in virtually all computer-based systems. Accordingly, the ability of a computing system to provide the desired services to its users depends on the ability of the OS to correctly support the applications running on it, even in the presence of operational perturbations. The degree to which an OS can handle such perturbations and provide sustained correct operation is termed "OS robustness" (Qian et al., 2008).
Such perturbations include malfunctioning hardware, software bugs, invalid inputs from external components, and application-level stress/loading. OSs are typically highly complex functional entities with countless environment-interaction scenarios. This limits the use of static analytical approaches; hence experimental evaluation of OS robustness is typically the preferred approach. This lesson deals with some methods for the evaluation of OS robustness. The robustness of a system relates to its behavior when subjected to invalid inputs and/or exposure to stressful situations, such as low-resource situations, high-volume invocations, and so on. The thrust of this lesson is primarily robustness to invalid inputs.

Learning Outcomes

At the end of this module, students should be able to:
1. Recognize the security problems in All-Optical Networks;
2. Identify the different attacks/intrusions and how to monitor them;
3. Explain the robustness evaluation of an operating system;
4. Evaluate the robustness of an operating system; and
5. Examine the issues and concerns in intrusion detection and response systems.

Lesson 1. Robustness

Robustness is the ability of a system to withstand external perturbations arising in its environment. According to Qian et al. (2008), the key steps involved in evaluating the robustness of an OS are:
1. Definition of objectives and goals.
2. Definition of the system model and the target of the study.
3. Definition of fault models and workload.
4. Definition of the robustness metrics.

1. Evaluation Goals

Clearly stating the goals of an evaluation greatly simplifies the overall evaluation steps. The goals of a study are typically set by the person or company ordering the study; when a study is conducted as part of a larger project, its goals may be guided by the goals of the project as well. One can distinguish two main classes of goals: comparative and quantitative (Qian et al., 2008).
Comparative goals aim to set up a basis for comparing systems (or components). Important aspects include specifying system boundaries such that the comparison can be made across several systems. In the study of Gu, Kalbarczyk, Iyer and Yang (2003), the robustness of the Linux kernel was investigated on two different hardware platforms. Another level for comparison is to specify a certain interface as the target interface, such as POSIX, the C libraries, or Windows device drivers. This type of specification limits the possible target systems to those supporting the specified interface. The second class of goals is quantitative in nature; that is, the aim is to quantify a specific attribute of robustness for the system at hand, for instance failure modes, error propagation, or error detection capabilities. Other studies focus on robustness in terms of security vulnerabilities. Another goal could be to enhance the robustness of an existing system using robustness wrappers. This is especially useful in the case of Commercial-Off-The-Shelf (COTS) components, where source code may not be available or changes may be prohibited due to lack of resources, legal constraints, and so on (Qian et al., 2008).

2. Target System

The target system is the entity under test. As robustness relates to input and environmental stresses, the target system definition is a key issue. Typically, a layered model of a system is used to indicate the different entities in the system. The OS is split into a suitably large number of components, as shown in Figure 3.4, depending on the goals of the study (Qian et al., 2008). A model similar to the one in Figure 3.4 allows the input/output interfaces in the system to be defined and the target system under test to be isolated. The model chosen should be general enough to make the approach applicable to more than a specific target.
This becomes even more important when the goal is to benchmark a system, as the benchmark is used to compare multiple systems (Qian et al., 2008).

Figure 3.4 General System Model
Source: Qian, Joshi, Tipper and Krishnamurthy, 2008

In Qian et al. (2008) the POSIX interface (an API to OS services) is used as a benchmark target (i.e., the components "below" this level in the system are considered to be the target system). Any system supporting this API can then potentially be benchmarked. Often the OS is split into components, allowing characterization of inter-component interaction. Qian et al. (2008) consider microkernel-based systems, where interactions between the different functional components comprising the kernel are studied. They also studied the Linux OS, dividing it into functional subsystems, allowing characterization of error propagation across subsystems.

The system used in this lesson consists of the OS software and hardware components depicted in Figure 3.5. The goal is to compare device drivers and system services in terms of their effect on OS robustness. The target system is the OS. The interfaces to the system under test are thus the software interface between the OS and the drivers and the interface between applications and the OS (Qian et al., 2008).

Figure 3.5 Target System Model
Source: Qian, Joshi, Tipper and Krishnamurthy, 2008

The first step (evaluation goals) has already pointed out device drivers as being separate from the rest of the OS, and thus Figure 3.5 highlights this key interface. Drivers handle the interaction between the OS and the hardware. They are responsible for implementing the interface that the OS expects and are typically implemented by the hardware vendors. Direct interaction by the OS (or applications, for that matter) with the hardware is not considered here; this type of interaction is indeed possible in some OSs, but the focus is on the more common model using device drivers.
The drivers in the system are labeled D1, D2, ..., DN in Figure 3.5. A driver exports services (service ds_x.y is the y-th service of driver D_x) that the OS uses to interact with the driver. For implementing its functionality, a driver may use other services provided by the OS (os_x.y), for instance system calls. The two types of service interaction are considered individually in this lesson. The OS layer includes the shared libraries present in the system. This corresponds to a programmer's view of the system, that is, the libraries are present to provide services for applications (and drivers). The OS layer is part of two important interfaces (Qian et al., 2008):

OS-Application Interface. The OS-Application interface (also known as the API) provides services s1, s2, ..., sS to be used by applications.

OS-Driver Interface. The OS-Driver interface contains the services the OS provides for drivers to use. For a specific driver D_x, the OS services it uses are labeled os_x.1, os_x.2, ..., os_x.K. Note that it is possible for the OS to provide the same service for applications as well as for drivers.

The applications executing in the system provide services to users by the use of application code and services provided by the OS. Since different OS services may have different failure characteristics, the set of services used influences the behavior of the application when faults are present in the system (Qian et al., 2008).

3. Error Model and Workload Selection

A robust system functions correctly in the presence of external perturbations and stresses. As such perturbations and stressful situations are typically infrequent during normal operation of a system, special techniques have been developed to speed up the process of testing (Qian et al., 2008). Fault injection is the process of inserting errors from a specified error model into a system while observing the behavior of the system. By carefully selecting which errors to insert, and where and when, the outcome of the evaluation reveals how the system behaves in the presence of real perturbations (Qian et al., 2008). Each error model can be classified along three dimensions: type, location, and timing. The following sections discuss each of these dimensions in turn and give examples of how they have been applied in reported robustness studies.

Error Type. The error type relates to the implementation of the error model, such as flipping bits in CPU registers, corrupting system call parameters, or providing random input to system utilities. Errors in hardware components commonly manifest themselves as erroneous bit values when reading memory or registers (Qian et al., 2008). A bit is selected as a target, its value is changed (flipped), and the system is allowed to continue executing. This typically leads to a large number of injection cases being needed, which can negatively affect the execution time required for the injection campaign. Bit-flips have been applied at several levels in a system, such as memory, CPU registers, and function call parameters. For software faults (bugs), techniques have been developed to inject typical programmer errors by using code mutations, without access to the actual source code. The most commonly used error model for robustness testing of OSs is corruption of the parameters of system or library calls (Qian et al., 2008).

Error Location. The location of an error is related to the type of error, but refers to the location where the error is injected and not where the fault appears. Injecting errors at the same location where the faults appear (injection distance dr = 0) may not be possible in some circumstances, due to lack of access (to source code, for instance) or for scalability reasons (each bit in RAM would be a separate injection). Therefore, a common technique is to inject higher-level errors that represent several kinds of lower-level faults.
Following the general system model in Figure 3.4, the location of the injection must be outside the targeted component and, as discussed in the previous section, it should be close to the hypothesized fault (Qian et al., 2008).

Error Timing. The timing dimension can be further split into two sub-dimensions: time of injection and duration. The time of injection is often defined relative to some event in the system, or to the system being in a certain state. Examples include injecting errors in the system scheduler after a new process has been created, or in the file handling utilities when certain file properties have changed. It can also be defined as a specified time from system startup, or as the moment some code location is reached. The duration of the error may be defined in terms of physical time (e.g., 2 ms) or in terms of events (e.g., for three occurrences of the triggering event). Errors may also be permanent in nature (i.e., never disappearing after appearing) (Qian et al., 2008).

Workload Selection. Another key attribute of the selected target system is the system workload, that is, what the system is executing during the test. The workload is external to the system under test and is used to stimulate the system. It is important to differentiate between the workload and the error model (sometimes referred to as the fault load). The workload represents the "normal" load on the system, whereas the abnormal load is part of the error model. Sometimes the difference between workload and fault load is fuzzy, for instance when testing a client-server-based system where both the workload and the fault load may be defined as requests sent to the server (Qian et al., 2008).

The Art of Workload Selection

The considerations below follow Jain's lecture notes on workload selection (https://www.cse.wustl.edu/~jain/iucee/ftp/k_05aws.pdf), from which Figures 3.6 to 3.8 are taken:
1. Services exercised (examples: timesharing systems, networks, magnetic tape backup system)
2. Level of detail
3. Representativeness
4. Timeliness
5. Other considerations in workload selection

Services Exercised

Figure 3.6 Services Exercised
Source: https://www.cse.wustl.edu/~jain/iucee/ftp/k_05aws.pdf
(Diagram: SUT = System Under Test, CUS = Component Under Study. The CUS sits inside the SUT alongside external components; the services the SUT offers determine the workload and the metrics.)

Figure 3.6 illustrates the first consideration in the art of workload selection, the services exercised. The points under it are:
- Do not confuse the SUT with the CUS.
- Metrics depend upon the SUT: MIPS is acceptable for comparing two CPUs but not for comparing two timesharing systems.
- The workload depends upon the system. Examples: for a CPU, instructions; for a system, transactions. Transactions are not a good workload for a CPU, and vice versa.
- Two systems identical except for the CPU: to compare the systems, use transactions; to compare the CPUs, use instructions.
- Multiple services: exercise as complete a set of services as possible.

Examples of services exercised:

1. Timesharing systems

Figure 3.7 Time Sharing Systems
Source: https://www.cse.wustl.edu/~jain/iucee/ftp/k_05aws.pdf
(Layers, top to bottom: Applications (transactions); Operating system (OS commands and services); Central processing unit (instructions).)

Applications ⇒ application benchmark
Operating system ⇒ synthetic program
Central processing unit ⇒ instruction mixes
Arithmetic logic unit ⇒ addition instruction

2. Networks

Figure 3.8 Networks
Source: https://www.cse.wustl.edu/~jain/iucee/ftp/k_05aws.pdf
(Layers: Applications (mail, file transfer, virtual terminal, etc.); Presentation (data compression, etc.); Dialogs.)

The workload can be indirectly defined together with the error model, as in cases where the functions of system APIs are tested individually. Ideally, the starting point for the workload for robustness testing is the anticipated workload of the system in its operational environment. If such knowledge is not available, the best option is to use a synthetic workload mimicking typical system load, or exercising system resources in a prescribed manner.
When the goal is comparative evaluation, it is common to use benchmark applications which are either part of standard benchmarking suites or exercise common OS features (Qian, et al., 2008).

Robustness Metrics

In order to quantify the robustness of a target system, metrics of robustness are needed. The most commonly used metrics are failure modes and error propagation. A robust system is one where fewer perturbations result in severe failures and where error propagation is minimized. In failure mode analysis, the possible outcomes of injections are postulated beforehand (they may be iteratively refined, of course) as a set of failure modes or classes. The modes are defined to be disjoint, such that the outcome of an experiment can be unambiguously assigned to a specific class (Qian, et al., 2008).

The failure classes can typically be listed in order of severity, but severity is also a subjective viewpoint and there is no universal severity scale. An example is the CRASH severity scale presented in Table 3.1. The API of the OS is tested by creating a specific task that calls the targeted function, and the outcome is classified according to the CRASH scale. The concept of error propagation studies how errors penetrate through a system and affect components other than the source component of the fault. In order to measure error propagation, the target system must be equipped with enough observation points that the propagation across modules can be observed (Qian, et al., 2008).

Table 3.1 The Crash Scale

Failure Mode | Description
Catastrophic | System crash
Restart | The task is hung and requires a restart
Abort | The task terminates abnormally
Silent | No error report is generated by the OS, even though the operation tested cannot be performed and should generate an error
Hindering | Incorrect error returned
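As an added example (not from the module or from Qian et al.), the following Python harness applies the CRASH scale of Table 3.1 to a small target API: each injected parameter error runs in its own worker thread so that a hung call can be classified as Restart, and the returned status code is checked against what the API's contract promises so that Silent and Hindering outcomes can be told apart from a correct rejection. The target function `read_field`, its status-code contract and the injected values are all constructed for this example and are not a real OS API.

```python
"""Miniature robustness-test harness: inject parameter errors into a target
API and classify each outcome on the CRASH scale (Catastrophic, Restart,
Abort, Silent, Hindering), plus "Pass" for a correct outcome."""
import errno
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as CallTimeout
from dataclasses import dataclass
from typing import Any, Callable, Dict, Tuple

# CRASH classes, most severe first, plus "Pass".
CRASH_ORDER = ["Catastrophic", "Restart", "Abort", "Silent", "Hindering", "Pass"]


def read_field(buf: bytes, offset, length) -> Tuple[int, bytes]:
    """Constructed target. Contract: return (0, buf[offset:offset+length]) on
    success and (errno.EINVAL, b"") for any invalid offset or length.
    Several defects are built in so the harness has something to find."""
    if offset is None:
        time.sleep(0.5)              # constructed hang: stands in for a deadlocked call
        return errno.EINVAL, b""
    if length < 0:
        return errno.EINVAL, b""     # correct, documented rejection
    if offset > len(buf):
        return errno.ENOENT, b""     # defect: wrong error code for a bad offset
    # Defect: a negative offset is accepted and silently wraps like a Python slice.
    return 0, buf[offset:offset + length]


@dataclass(frozen=True)
class Injection:
    """One experiment: a name, the (possibly erroneous) arguments, and the
    oracle's verdict on whether the call should succeed."""
    name: str
    args: Tuple[Any, ...]
    valid: bool


# Constructed error model: boundary and type errors on the offset/length parameters.
INJECTIONS = [
    Injection("valid", (b"abcdef", 2, 2), valid=True),
    Injection("negative_length", (b"abcdef", 2, -5), valid=False),
    Injection("offset_past_end", (b"abcdef", 10, 2), valid=False),
    Injection("negative_offset", (b"abcdef", -1, 2), valid=False),
    Injection("offset_none", (b"abcdef", None, 2), valid=False),
    Injection("offset_str", (b"abcdef", "2", 2), valid=False),
]


def classify_status(status: int, valid: bool) -> str:
    """Map a returned status code to a CRASH class, given the oracle verdict."""
    if valid:
        return "Pass" if status == 0 else "Hindering"   # valid request, spurious error
    if status == 0:
        return "Silent"                                 # invalid request, no error report
    return "Pass" if status == errno.EINVAL else "Hindering"  # wrong error code


def run_one(target: Callable[..., Tuple[int, bytes]], inj: Injection,
            timeout: float = 0.2) -> str:
    """Run one injection in a worker thread so that a hung call can be classified."""
    pool = ThreadPoolExecutor(max_workers=1)
    fut = pool.submit(target, *inj.args)
    try:
        status, _data = fut.result(timeout=timeout)
    except CallTimeout:
        return "Restart"        # task hung and would need a restart
    except Exception:
        return "Abort"          # task terminated abnormally (unhandled exception)
    except BaseException:
        return "Catastrophic"   # SystemExit/KeyboardInterrupt: the task itself is gone
    else:
        return classify_status(status, inj.valid)
    finally:
        pool.shutdown(wait=False)


def run_campaign(target, injections) -> Dict[str, str]:
    """Classify every injection; returns {injection name: CRASH class}."""
    return {inj.name: run_one(target, inj) for inj in injections}


def worst_failure_mode(results: Dict[str, str]) -> str:
    """Most severe class observed, using the CRASH ordering."""
    return min(results.values(), key=CRASH_ORDER.index)


def failure_mode_counts(results: Dict[str, str]) -> Dict[str, int]:
    """Histogram of outcomes in CRASH order, the usual robustness summary."""
    return {m: sum(1 for r in results.values() if r == m) for m in CRASH_ORDER}


if __name__ == "__main__":
    results = run_campaign(read_field, INJECTIONS)
    for name, mode in results.items():
        print(f"{name:16s} -> {mode}")
    print("worst:", worst_failure_mode(results))
    print("summary:", failure_mode_counts(results))
```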
MODULE 10
Intrusion Response Systems

Introduction

The occurrence of outages due to failures in today’s information technology infrastructure is a real problem that still begs a satisfactory solution. The backbone of the ubiquitous information technology infrastructure is formed by distributed systems: distributed middleware, such as CORBA and DCOM; distributed file systems, such as NFS and XFS; distributed coordination-based systems, such as publish-subscribe systems and network protocols; and above all, the distributed infrastructure of the World Wide Web (Qian, et al., 2008).

Distributed systems support many critical applications in the civilian and military domains. Critical civilian applications abound in private enterprise, such as banking, electronic commerce, and industrial control systems, as well as in the public enterprise, such as air traffic control, nuclear power plants, and protection of public infrastructures through Supervisory Control and Data Acquisition (SCADA) systems (Qian, et al., 2008).

The importance of distributed systems has led to a long interest in securing such systems through prevention and runtime detection of intrusions. Prevention is traditionally achieved by a system for user authentication and identification (e.g., users log in by providing some identifying information such as a log-in signature and password, biometric information, or a smart card); access control mechanisms (rules indicating which user has what privileges over what resources in the system); and building a “protective shield” around the computer system (typically a firewall that inspects incoming and optionally outgoing network traffic and allows it if the traffic is determined to be benign). The prevention mechanism by itself is considered inadequate, because without being too restrictive, it is impossible to block out all malicious traffic from the outside.
Also, if a legitimate user’s password is compromised or an insider launches an attack, then prevention may not be adequate (Qian, et al., 2008).

Intrusion detection systems (IDSs) seek to detect the behavior of an adversary by observing its manifestations on a system. The detection is done at runtime, once the attack has been launched. Many IDSs have been developed in research and as commercial products. They fundamentally operate by analyzing the signatures of incoming packets and matching them either against known attack patterns (misuse-based signatures) or against patterns of expected system behavior (anomaly-based signatures). There are two metrics for evaluating IDSs: the rate of false alarms (legitimate traffic being flagged as malicious) and the rate of missed alarms (malicious traffic not flagged by the IDS) (Qian, et al., 2008).

In the past few decades, the rise in attacks on communication devices in networks has resulted in a reduction of network functionality, throughput, and performance. To detect and mitigate these network attacks, researchers, academicians, and practitioners developed Intrusion Detection Systems (IDSs) with automatic response systems. The response system is considered an important component of an IDS, since without a timely response IDSs may not function properly in countering various attacks, especially on a real-time basis. To respond appropriately, IDSs should select the optimal response option according to the type of network attack. The survey by Anwar et al. covers IDSs and Intrusion Response Systems (IRSs) on the basis of an in-depth understanding of the response options for different types of network attacks. Knowledge of the path from IDS to IRS can assist network administrators and network staff in understanding how to tackle different attacks with state-of-the-art technologies (Anwar, Zain, Zolkipli, Inayat, Khan, Bokolo and Chang, 2017).

Lesson 1.
Intrusion Detection System (IDS) and Intrusion Response Systems (IRS)

Intrusion Detection Systems (IDSs) are hardware or software systems that automatically identify and respond to attacks on computer systems. Depending on IDS alerts, IRSs continuously monitor system health to effectively identify and address potential incidents or inappropriate activities. IRSs apply suitable countermeasures to ensure security in a computing environment (Anwar, et al., 2017).

Figure 3.9 Intrusion Detection System Architecture
Source: Intrusion Detection to an Intrusion Response System: Fundamentals, Requirements, and Future Directions, Anwar, et al., 2017

Intrusion Response Systems (IRSs) apply suitable countermeasures to ensure security in a computing environment. Consequently, a proper mechanism for checking the optimum response of these systems is to implement alert procedures. In addition, techniques for statistically detecting attacks and categorizing them in terms of how they affect data integrity, availability, and confidentiality are necessary. For instance, if an attack affects the integrity of an enterprise database system, there is a need for an appropriate response to secure data integrity. However, if the attack is against the network, the response should improve resource availability and network performance (Anwar, et al., 2017).

The different phases that can be deployed as defensive mechanisms are shown in Figure 3.10. These phases include preventing, detecting, and responding to intrusions. In the prevention phase, attacks are prevented before they happen. In the detection phase, analysis tools are developed to monitor network and host information and to identify intrusions. Response tools are used to mitigate possible intrusions detected by the IDS. As stated by Anwar, et al. (2017), an intrusion is a set of actions that violate security policies. Any defensive mechanism that prevents attacks before they occur is called an IPS.
IPSs are IDSs that possess the same features as an IDS along with the capability of preventing detected attacks. However, in the prevailing distributed environment, early prevention of attacks is impractical. An IDS is usually a hardware or software set that monitors events occurring in a computer system and identifies intrusions. Based on IDS alerts, a security countermeasure (IRS) is used to thwart detected intrusions.

Figure 3.10 Defensive Life Cycle
Source: Intrusion Detection to an Intrusion Response System: Fundamentals, Requirements, and Future Directions, Anwar, et al., 2017

Types of Intrusion

At present the majority of networks are basically unsecured, which creates opportunities for cybercriminals to access secure data. Attackers are interested in stealing information and also attempt to make digital resources unavailable to users. Numerous defensive techniques such as access control, cryptography, and firewalls can function as the front line of defense against external and internal attacks (Anwar, et al., 2017). Firewalls mainly secure the front access points of a network-connected node from a number of threats and attacks (Anwar, et al., 2017). Cryptography allows for secure communication, whereas access control is deployed for authentication purposes (Anwar, et al., 2017). However, these anti-threat applications can only provide external security and are thus inadequate in detecting internal attacks or providing internal security to any computer system.

Responses cannot be evaluated without considering the preceding incidents, as seen in Figure 3.9. So, in this instance, the main objectives of incident classification are to examine possible incidents, determine actual attacks and their respective targets, and choose appropriate response options to counter such attacks. Thus, an incident may refer to any unexpected event that occurs during a program’s execution in a network.
Specifically, an incident occurs when an attack (natural or man-made) exploits information resources. Most security attacks are categorized based on the network. IDSs address this problem by monitoring and detecting both internal and external attacks (Anwar, et al., 2017). As stated by Anwar et al. (2017), in passive attacks, attackers only eavesdrop but do not modify any information in the system, whereas in active attacks, attackers attempt to gain unauthorized access and change information in the system with the intent to destroy the entire network. Systems must be capable of rapidly recovering from such attacks. An IDS with an IRS enables a computer system to mitigate the damage and recover rapidly from incidents.

These incidents are broadly divided into two sub-classes: network-based incidents and host-based incidents. The application layer includes host-based attacks such as:

- Spamming;
- Race condition attacks;
- Buffer overflow attacks;
- Mail forgery; and
- Man-in-the-middle attacks.

Host-based attacks are mostly directed against system availability, operating system performance, and web service operations. Network-based incidents include attacks on networks aimed at affecting network availability and performance. Unlike in wired networks, in which attackers target victim networks through firewalls and gateways, attackers of wireless ad hoc networks usually gain access from several access points and target any open node (Anwar, et al., 2017).

Figure 3.11 Types of Intrusions/Attacks
Source: Intrusion Detection to an Intrusion Response System: Fundamentals, Requirements, and Future Directions, Anwar, et al., 2017

Figure 3.11 presents a diagram of a computer network and also presents general attacks that may be targeted at an organization. These attacks are categorized as insider, outsider, active, passive, distributed, sniffing, spoofing, and DDoS/DoS attacks.
These attacks can affect system security properties such as the confidentiality, integrity, and availability of computing resources.

Table 3.2 describes general attacks and network-based attacks. A detailed description of each attack is given in the table. The main categorization of these attacks, presented below, highlights active attacks, passive attacks, insider attacks, outsider attacks, DoS, DDoS, covert channel attacks, and side channel attacks. The attack classification aims to support the selection of a suitable response option on the basis of the specific attack behavior (Anwar, et al., 2017).

Table 3.2 Types of Intrusions/Attacks

Types of Attacks | Attack Name | Description
Active Attacks (Routing Attacks) | Black Hole | Refers to dropped traffic in networks
Active Attacks (Routing Attacks) | Gray Hole | Behaves like a malicious node to drop malicious packets, but later switches back to normal
Active Attacks (Routing Attacks) | Rushing | A malicious node raising the speed of the routing process
Active Attacks (Routing Attacks) | Man in the Middle | The attacker secretly relays and intercepts messages between two parties
Active Attacks (Routing Attacks) | Sleep Deprivation | Targets the sensor nodes to maximize power consumption
Active Attacks (Routing Attacks) | Spoof | When an attacker imitates someone else’s device or a user in order to initiate attacks against network hosts, bypass access controls, steal data, or spread malware
Active Attacks (Routing Attacks) | Sybil | An attack wherein a reputation system is subverted by foreign identities in P2P networks
Active Attacks (Routing Attacks) | Malicious Packet Dropping | A type of DDoS attack similar to black hole attacks
Passive Attacks | Eavesdropping | Network layer attacks that intercept private communication
Passive Attacks | Traffic Analysis | An attack that examines the communication patterns between entities in a system
Passive Attacks | Location Disclosure | Can expose anything about the network structure or the nodes’ locations
| Hijacked | The attackers take control of communication between nodes and networks, alias man-in-the-middle attacks
| Defacement | Changes the physical appearance of a website or page
| Phishing | An e-mail fraud scam that tries to obtain credentials such as credit card details, usernames, and passwords
| Illegal Investment | Investment through others’ accounts in an illegal way
| Account Compromised | If you notice unfamiliar activity on any of your online accounts (e.g., Gmail, Facebook), someone else might be using it without your permission. If you think your online account has been hacked, follow the steps given by the online site to help spot suspicious activity, get back into your account, and make it more secure
| Fraud Site | This fraud occurs when a user opens an infected website
| Purchase | Using a fake or stolen credit card for a transaction. The most common fraud involves credit cards
| Lottery Scam | An advanced type of Internet fraud where you get an unexpected e-mail explaining that you won a huge amount, in order to attract victims
| Unauthorized Transaction | Using stolen information from someone’s credit card to perform a transaction
| Counterfeit Item | Making a fake or copy of original items
| Online | Criminal activities performed online: attackers may get someone’s personal information, credit card data, or anything else private in an illegal way
Sniffer Attacks | Active Sniffing | Sniffing that is conducted on a switched network. A switch is a device that connects two network devices together. Switches use the media access control (MAC) address to forward information to their intended destination ports. Attackers take advantage of this by injecting traffic into the LAN to enable sniffing
Sniffer Attacks | Passive Sniffing | Passive sniffing uses hubs instead of switches. Hubs perform the same way as switches except that they do not use the MAC address to read the destination ports of data. All an attacker needs to do is simply connect to the LAN and they are able to sniff data traffic in that network
Sniffer Attacks | Evil Twin | The attacker uses malicious software to change the DNS of the victim. The attacker has a twin DNS set up already (the evil twin), which will respond to the requests. This can be easily used to sniff the traffic and reroute it to the website that the attacker wishes
Covert Channel Attacks | Storage Channel Attacks; Timing Channel Attacks | A covert channel allows transfer of information by an unauthorized process. A storage channel communicates by modifying a storage location. A timing channel performs operations that affect the response time observed by the receiver
Side-Channel Attacks | Access-driven Attacks; Trace-driven Attacks | A common threat to multi-level systems such as databases, operating systems, and networks, in which attackers extract information about the data used in the devices
Lower Rate TCP Attacks | | Sends bursts of well-timed packets, causing packet loss and increasing the retransmission timeout for certain TCP flows. This has a severe impact on the Border Gateway Protocol (BGP)
Close-in Attacks | | Social engineering is the main type of this attack. Getting closer to the network devices to get more information about them is known as a close-in attack
Exploit Attacks | | Using illegal means to utilize something to one’s advantage
Insider Attacks | User to Root (U2R) | An attacker accesses the account of a normal user on a system and exploits some vulnerability
Insider Attacks | Port Scanning | Scanning free and less secure ports in preparation for attacks
Insider Attacks | Flooding | Sending many requests to a server at the same time to shut it down by keeping the system busy
Malicious Attacks | Bot/Botnet | A network of infected devices connected to the Internet that performs criminal activities as a group
Malicious Attacks | Malware | Software specially designed to damage or destroy a system or database
Malicious Attacks | Malware Hosting | The place where malware resides, which can be a mobile device or a Personal Computer (PC)
DDOS/DOS | Buffer Overflow | When a program overruns the buffer boundary and overwrites the adjacent memory locations
DDOS/DOS | Ping of Death | A request that destroys the target device by putting an invalid packet size value in the packet header
DDOS/DOS | ICMP | A kind of DDoS attack sending a huge flood of ICMP packets to the victim machine in order to crash it
DDOS/DOS | Smurf | Sending a large number of ICMP packets to perform a DDoS attack
DDOS/DOS | UDP Flood | Sending a large number of UDP packets to random ports
DDOS/DOS | SYN Flood | Consumes enough server resources to make the system unresponsive to legitimate traffic
Cyber Harassment | Cyberbullying | A type of bullying using the Internet. This attack can be performed using mobile devices or websites
Cyber Harassment | Cyber Stalking | Using electronic media such as e-mail messages to harass a victim
Cyber Harassment | Sexual Harassment | The Internet is the main medium for sexual harassment using Internet-based technologies such as e-mail and social media platforms
Cyber Harassment | Religious | Includes forced religious conversion using electronic media and social media
Cyber Harassment | Racial | Refers to harassment suffered by individuals or groups because of their color or race
Vulnerabilities Report | Web | An interlinked document type of hypertext that is accessed through the Internet
Vulnerabilities Report | Misconfiguration | Configuration mistakes that result in unintended application behavior, including misuse of default passwords, privileges, and excessive debugging information disclosure
Vulnerabilities Report | Probing | Combining several different familiar dodging techniques for network attacks
Content Related | Intellectual Property | After research and work, finding something new or inventing something as the result of creativity is called IP
Content Related | Pornography | Magazines, pictures, or movies that show naked people or sex in an open way
Content Related | SQL Injection | A code injection technique performed to attack data-driven applications by injecting SQL statements for malicious intent
Spam | Spam Relay | Sending e-mails to a huge number of victims by hiding the source address of the e-mails
Spam | Spam | Sending the same messages to a large number of Internet users. These inappropriate or irrelevant e-mails are sent on the Internet to a huge number of victims
Remote to Local | User | Man-in-the-middle attacks can take place here
Distributed Attacks | Trojan Horse | A computer application or software that sends malicious e-mails or spam, or performs DDoS attacks
Distributed Attacks | Application Layer | Very hard to defend; vulnerabilities are always encountered here for complex user input
Distributed Attacks | Compromised Key | The attacker uses a stolen key to gain access to the secure system or transmission, which allows the user to decrypt the encrypted data being sent by someone or a system
Password Attacks | Dictionary | Dictionary attacks are used for decrypting the encrypted message
Password Attacks | Login Brute Force | Mainly aims to get access to a website by applying the simplest method: it always involves trying several usernames and passwords again and again
Password Attacks | Hybrid | A combination of dictionary and brute force attacks
Adversarial Attacks Against IDS | Evasion | The attacker tries to change the intrusion pattern in order to deceive the IDRS
Adversarial Attacks Against IDS | Overstimulation | Intruders try to feed the IDRS with a huge number of attack patterns to force it to generate many false alarms
Adversarial Attacks Against IDS | Poisoning | The attacker tries to inject a well-crafted pattern into the data, aiming to alter the data that are used to train and construct the detection algorithm
Adversarial Attacks Against IDS | Reverse Engineering | The adversary tries to access the internal processing of the IDRS and stimulates the IDRS with a familiar attack signature
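The introduction to this module separates misuse-based (signature) detection from anomaly-based detection and names the two metrics used to evaluate an IDS, the false-alarm rate and the missed-alarm rate. The following added example (not from the module or from Anwar et al.) runs one detector of each kind over a few constructed, labelled web-request records and scores both, which also illustrates the "Overstimulation" and "Evasion" rows above: the anomaly detector can be made to alarm on benign traffic, and the signature detector is blind to anything without a matching pattern. The records, the signatures and the baseline sizes are all constructed for this example.

```python
"""Signature vs anomaly detection on constructed traffic, scored with the two
IDS metrics from the text: false-alarm rate and missed-alarm rate."""
from statistics import mean, pstdev
from typing import Callable, Dict, List, Tuple

Record = Dict[str, object]
Detector = Callable[[Record], bool]

# Constructed benign request sizes (bytes) from a quiet period; they baseline
# "normal" behaviour for the anomaly detector.
BASELINE_BYTES = [500, 600, 550, 650, 500, 700]

# Constructed evaluation traffic. "label" is ground truth known only to the evaluator.
RECORDS: List[Record] = [
    {"id": 1, "bytes": 520,   "request": "GET /index.html",                            "label": "benign"},
    {"id": 2, "bytes": 610,   "request": "GET /about",                                 "label": "benign"},
    {"id": 3, "bytes": 9000,  "request": "GET /downloads/backup.tar.gz",               "label": "benign"},
    {"id": 4, "bytes": 480,   "request": "GET /login?user=' OR 1=1--",                 "label": "attack"},
    {"id": 5, "bytes": 20000, "request": "GET / (repeated flood from one client)",     "label": "attack"},
    {"id": 6, "bytes": 470,   "request": "GET /search?q=1 UNION SELECT pw FROM users", "label": "attack"},
]

# Misuse-based signatures: textbook SQL-injection fragments (cf. "SQL Injection" in Table 3.2).
SIGNATURES = ["' OR 1=1", "UNION SELECT"]


def signature_detector(record: Record) -> bool:
    """Misuse-based: alert when the request matches a known attack pattern."""
    request = str(record["request"]).upper()
    return any(sig in request for sig in SIGNATURES)


def make_anomaly_detector(baseline: List[int], k: float = 3.0) -> Detector:
    """Anomaly-based: learn a request-size threshold from benign traffic and
    alert on anything more than k standard deviations above the mean."""
    threshold = mean(baseline) + k * pstdev(baseline)

    def detector(record: Record) -> bool:
        return int(record["bytes"]) > threshold

    detector.threshold = threshold  # exposed so the learned baseline can be inspected
    return detector


def combined_detector(*detectors: Detector) -> Detector:
    """Alert if any component detector alerts (how a hybrid sensor is usually wired)."""
    return lambda record: any(d(record) for d in detectors)


def evaluate(detector: Detector, records: List[Record]) -> Tuple[float, float]:
    """Return (false_alarm_rate, missed_alarm_rate): the share of benign records
    that were flagged, and the share of attack records that were not."""
    benign = [r for r in records if r["label"] == "benign"]
    attacks = [r for r in records if r["label"] == "attack"]
    false_alarms = sum(1 for r in benign if detector(r))
    missed = sum(1 for r in attacks if not detector(r))
    return false_alarms / len(benign), missed / len(attacks)


if __name__ == "__main__":
    anomaly = make_anomaly_detector(BASELINE_BYTES)
    print(f"anomaly threshold: {anomaly.threshold:.0f} bytes")
    for name, det in [("signature", signature_detector), ("anomaly", anomaly),
                      ("combined", combined_detector(signature_detector, anomaly))]:
        far, mar = evaluate(det, RECORDS)
        print(f"{name:10s} false-alarm rate={far:.2f}  missed-alarm rate={mar:.2f}")
```

On this data the signature detector raises no false alarm but misses the flood, the anomaly detector catches the flood but flags the large legitimate download and misses both injection probes, and combining them removes the missed alarms at the price of the false one.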
Common Solutions to Intrusions

Presently firewalls, access control, and cryptography are the main defensive mechanisms deployed against intrusions. As mentioned previously, these mechanisms function as the first line of defense of any network-connected, computer-based system. Cryptography is employed to ensure secure communication, whereas access control is used for user authentication. Both anti-threat applications help to secure the overall system, but only provide external security. Thus, they are inadequate in providing internal security to computer systems (Anwar, et al., 2017).

A firewall is either a software or hardware system used to control incoming and outgoing traffic according to predefined rules. A basic firewall is installed at the entry points of servers to divert or allow Internet Protocols (IPs) and IP addresses. A firewall permits traffic arriving from the worldwide Internet to access openly available services such as hypertext transfer protocol and domain name servers (Anwar, et al., 2017). A number of operating systems feature built-in firewalls. These firewalls mainly protect digital devices and content, but traditional ones cannot detect and block viruses, worms, and Trojan horses. Although both IDSs and firewalls are used for network security, they have different functions: firewalls search for external intrusions, whereas IDSs protect against intrusions that originate within systems (Anwar, et al., 2017).

Traditional Firewall

Traditional firewalls cannot detect internal attacks such as flooding attacks, user-to-root attacks, and port scanning because they only sniff network packets at the network boundaries. These traditional firewalls cannot detect complex attacks such as DoS and DDoS. Moreover, traditional firewalls cannot differentiate between ordinary traffic and DoS attack traffic, as mentioned by Anwar, et al. (2017).
Access control, which serves as the frontline of defense against intrusions, supports both the confidentiality and integrity parameters. Table 3.3 summarizes the defensive mechanisms according to the intrusion type and attacks. A few of the defensive mechanisms, such as cryptography, firewalls, and access control, that are used for detecting external attacks are shown in the table below, whereas IDS, IPS, and IRS are used for detecting internal as well as external attacks.

Table 3.3 Solutions to Intrusion (Anwar, et al., 2017)

Intrusion Solution | Intrusion Types | Description | Attack Examples
Firewall | External | A system designed to stop unauthorized access | IP spoofing, eavesdropping, DOS, port scan and fragmentation attacks
Access Control | External | Systems that control or limit illegal access to a system | Unauthorized access, password attacks, dictionary attacks, rainbow table attacks, and sniffer attacks
Cryptography | External | To stop the coding or decoding of secret messages | Meet-in-the-middle attacks, brute force attacks and birthday attacks
IDS | Internal + External | A system or device that controls and monitors a network or system | DOS, DDOS, user to root (U2R), port scanning and flooding
IPS | Internal + External | Network security appliances that monitor network and/or system activities for malicious activity | ICMP storms, ping of death, SSL evasion and SMTP mass mailing attacks
IDPS | Internal + External | Also known as IPS | DOS and DDOS
IRS | Internal + External | | DOS, user to root, remote to local, and probe

List of acronyms mentioned in or associated with the above lessons (Anwar, et al., 2017):

Acronym | Description
IDS | Intrusion Detection System
IRS | Intrusion Response System
IPS | Intrusion Prevention System
IDRS | Intrusion Detection and Response System
DIDS | Distributed Intrusion Detection System
CIA | Confidentiality, Integrity, Availability
DOS | Denial of Service
DDOS | Distributed Denial of Service
NIDS | Network-Based Intrusion Detection System
HIDS | Host-Based Intrusion Detection System
AD | Anomaly Detection
SD | Signature-Based Detection
AIRS | Automatic Intrusion Response System
AAIRS | Adaptive Automatic Intrusion Response System
CSM | Cooperating Security Managers
MANET | Mobile Ad hoc Network
GIDP | Generalized Intrusion Detection System
IDAR | Intrusion-Detection and Adaptive Response Mechanism
AudES | Audit Expert System

Assessment Task

Direction: Kindly research the following topics and submit your work in MS Word format, and be ready for a quiz about it. Use the sample filename CS3119ATFINALS_LastName:

1. Four Intrusion Detection System Types (Host Based, Network Based, Hybrid and Distributed)

Intrusion Detection Systems (IDSs) are systems that try to detect attacks as they occur or after the attacks took place.

Network Intrusion Detection System (NIDS): an independent platform that examines network traffic patterns to identify intrusions for an entire network. It needs to be placed at a choke point where all traffic traverses. A good location for this is in the DMZ.

Host-based Intrusion Detection System (HIDS): analyzes system state, system calls, file-system modifications, application logs, and other system activity. Modern application whitelisting tools are an evolution of a classic HIDS/Host-based Intrusion Prevention System (HIPS).

Hybrid Intrusion Detection System: obtained by combining packet header anomaly detection and network traffic anomaly detection.

Distributed Intrusion Detection System: consists of multiple Intrusion Detection Systems (IDS) over a large network, all of which communicate with each other, or with a central server that facilitates advanced network monitoring, incident analysis, and instant attack data.

2. Description of the Four Intrusion Detection System Types

3. Advantages of the Four Intrusion Detection System Types

- The network or computer is constantly monitored for any invasion or attack.
- The system can be modified and changed according to the needs of specific clients and can help against outside as well as inner threats to the system and network.
- It effectively prevents any damage to the network.
- It provides a user-friendly interface which allows easy management of security systems.
- Any alterations to files and directories on the system can be easily detected and reported.

Disadvantages

The only disadvantage of Intrusion Detection Systems is that they cannot detect the source of the attack, and in any case of attack they just lock the whole network.

4. Four Current Challenges to Intrusion Response Systems

1 – Ensuring an effective deployment

To attain a high level of threat visibility, organizations must ensure that intrusion detection technology is correctly installed and optimized. Due to budgetary and monitoring constraints it may not be practical to place NIDS and HIDS sensors throughout an IT environment. With many organizations lacking a complete overview of their IT network, however, deploying IDS effectively can be tricky, and if not done well it may leave critical assets exposed.

2 – Managing the high volume of alerts

HIDS and NIDS typically utilize a combination of signature- and anomaly-based detection techniques. This means alerts are generated when a sensor either detects activity that matches a known attack pattern, or flags traffic that falls outside a list of normal behaviors. Anomalous activity could include high-bandwidth consumption and irregular web or DNS traffic. The vast quantity of alerts generated by intrusion detection can be a significant burden for internal teams. Many system alerts are false positives, but rarely do organizations have the time and resources to screen every alert, meaning that suspicious activity can often slip under the radar.
Most intrusion detection systems come loaded with a set of pre-defined alert signatures, but for most organizations these are insufficient, with additional work needed to baseline behaviors specific to each environment.

3 – Understanding and investigating alerts

IDS alerts consist of base-level security information which, when viewed in isolation, may mean very little. Upon being presented with an alert, it is often not immediately obvious what caused it, or what actions are required to establish whether or not it poses a genuine threat. Investigating IDS alerts can be very time- and resource-intensive, requiring supplementary information from other systems to help determine whether an alarm is serious. Specialist skills are essential to interpret system outputs, and many organizations lack the dedicated security experts capable of performing this crucial function.

4 – Knowing how to respond to threats

A common problem for organizations that implement IDS is that they lack an appropriate incident response capability. Identifying a problem is half the battle; knowing how to respond appropriately and having the resources in place to do so is equally important. Effective incident response requires skilled security personnel with the knowledge of how to swiftly remediate threats, as well as robust procedures to address issues without impacting day-to-day operations. In many organizations there is a big disconnect between the people charged with monitoring alerts and those managing infrastructure, meaning that swift remediation can be difficult to achieve. To highlight the importance of having an appropriate incident response plan in place, the incoming General Data Protection Regulation (GDPR) requires organizations that process any type of personal data to have appropriate controls in place to report breaches to a relevant authority within 72 hours, or risk a large fine.

5.
Generic Authorization and Access Control

API is the acronym for Application Programming Interface, a software intermediary that allows two applications to talk to each other. Each time you use an app like Facebook, send an instant message, or check the weather on your phone, you're using an API.

Snort Inline

One of the most widely used intrusion detection software packages is Snort. It is network intrusion detection software developed by Sourcefire. It performs real-time traffic analysis and protocol analysis, pattern matching, and detection of various kinds of attacks.

McAfee Internet Security Suite

A commercial product developed for the Windows operating system platform that integrates many security technologies to protect desktop computers from malicious code, spam, and unwanted or unauthorized access.

Summary

This module has presented a systematic process for the robustness evaluation of operating systems. Robustness is the ability of a system to withstand external perturbations arising in its environment. The lessons also provide a comprehensive explanation of intrusions in terms of their detection and corresponding responses. A few decades back, emphasis was placed on the development of automatic IRSs to overcome the effects of different intrusions. However, IRSs still require extensive research, especially with regard to the selection of proper response options through an automatic response selection process based on intrusion types (Anwar, et al., 2017). Different response options must be activated and executed for each intrusion type to mitigate and overcome the effects of such intrusions. However, developing a perfect automatic IRS that completely detects and prevents different types of intrusions is still a challenge. Therefore, IRSs are considered a trending and growing research domain to be explored in terms of response option selection, response time, attack mitigation, alert generation, and adaptability.
Comprehensive research must be conducted to achieve the goal of establishing an optimal automated IRS design and architectural framework (Anwar, et al., 2017).

References

Books

Qian, Yi, Joshi, James, Tipper, David and Krishnamurthy, Prashant (2008). Information Assurance: Dependability and Security in Networked Systems. Morgan Kaufmann Publishers.

Online Resources

All-Optical Network Strategy and Coordinated Planning Are the Cornerstone for Building Full-Service Target Networks (n.d.). Retrieved from: https://carrier.huawei.com/za/News/network/All-Optical-Network-Strategy

Anwar, Zain, Zolkipli, Inayat, Khan, Bokolo and Chang (2017). Intrusion Detection to an Intrusion Response System: Fundamentals, Requirements, and Future Directions.

Sabella R., Lugli P. (1999). All-Optical Networks. In: High Speed Optical Communications. Telecommunication Technology and Applications Series. Springer, Boston, MA. Retrieved from: https://doi.org/10.1007/978-1-4615-5275-8_12

Tao Wu and A. K. Somani (2005). Cross-Talk Attack Monitoring and Localization in All-Optical Networks. IEEE/ACM Transactions on Networking, vol. 13, no. 6, pp. 1390-1401, doi: 10.1109/TNET.2005.860103

END OF MODULE FOR MIDTERM TERM PERIOD. EXAMINATION FOR FINALS IS ON DECEMBER 21-23, 2020; CHECK YOUR EXAM SCHEDULE FOR THIS COURSE. DO NOT FORGET TO TAKE THE EXAM AS SCHEDULED. THANK YOU AND GOD BLESS.