3,936 research outputs found

    Standards and practices necessary to implement a successful security review program for intrusion management systems

    Thesis (Master)--Izmir Institute of Technology, Computer Engineering, Izmir, 2002. Includes bibliographical references (leaves: 84-85). Text in English; Abstract: Turkish and English. viii, 91 leaves.

    Intrusion Management Systems are being used to prevent the information systems from successful intrusions and their consequences. They also have detection features. They try to detect intrusions, which have passed the implemented measures. Also the recovery of the system after a successful intrusion is made by the Intrusion Management Systems. The investigation of the intrusion is made by Intrusion Management Systems also. These functions can be existent in an intrusion management system model, which has a four-layer architecture. The layers of the model are avoidance, assurance, detection and recovery. At the avoidance layer necessary policies, standards and practices are implemented to prevent the information system from successful intrusions. At the avoidance layer, the effectiveness of implemented measures is measured by some tests and reviews. At the detection layer the identification of an intrusion or intrusion attempt is made in real time. The recovery layer is responsible for restoring the information system after a successful intrusion. It has also functions to investigate the intrusion. Intrusion Management Systems are used to protect information and computer assets from intrusions. An organization aiming to protect its assets must use such a system. After the implementation of the system, continuous reviews must be conducted in order to ensure the effectiveness of the measures taken. Such a review can achieve its goal by using principles and standards. In this thesis, the principles necessary to implement a successful review program for Intrusion Management Systems have been developed in the guidance of Generally Accepted System Security Principles (GASSP). These example principles are developed for tools of each Intrusion Management System layer. These tools are firewalls for avoidance layer, vulnerability scanners for assurance layer, intrusion detection systems for detection layer and integrity checkers for recovery layer of Intrusion Management Systems.

    Securing Virtualized System via Active Protection

    Virtualization is the predominant enabling technology of current cloud infrastructure

    Master of Science

    Thesis. System administrators use application-level knowledge to identify anomalies in virtual appliances (VAs) and to recover from them. This process can be automated through an anomaly detection and recovery system. In this thesis, we claim that application-level policies defined over kernel-level application state can be effective for automatically detecting and mitigating the effects of malicious software in VAs. By combining user-defined application-level policies, virtual machine introspection (VMI), expert systems, and kernel-based state management techniques for anomaly detection and recovery, we are able to provide a favorable environment for the execution of applications in VAs. We use policies to specify the desired state of the VA based on an administrator's application-level knowledge. By using VMI we are able to generate a snapshot that represents the true internal state of the VA. An expert system evaluates the snapshot and identifies any violations. Potential violations include the execution of an irrelevant application, an unauthorized process, or an unfavorable environment configuration. The expert system also reasons about appropriate recovery strategies for each of the violations detected. The recovery strategy decided by the expert system is carried out by recovery tools so that the VA can be restored to an acceptable state. We evaluate the effectiveness of this approach for anomaly detection and repair by using it to detect and recover from the actions of different types of malicious software targeting a web server VA. The system is shown to be effective in guarding the VA against the actions of a kernel-exploit kit, a kernel rootkit, a user-space rootkit, and an application malware. For each of these attacks, the recovery component was able to restore the VA to an acceptable state. Although the recovery actions carried out did not remove the malicious software, they substantially mitigated the harmful effects of the malicious software.

    The InfoSec Handbook

    Computer scienc