Asynchronous policy evaluation and enforcement

  • Authors:
  • Matthew Burnside;Angelos D. Keromytis

  • Affiliations:
  • Columbia University, New York, NY, USA;Columbia University, New York, NY, USA

  • Venue:
  • Proceedings of the 2nd ACM workshop on Computer security architectures
  • Year:
  • 2008

Quantified Score

Hi-index 0.01

Visualization

Abstract

Evaluating and enforcing policies in large-scale networks is one of the most challenging and significant problems facing the network security community today. Current solutions are limited by an out-of-date allow/deny paradigm, and policies are evaluated synchronously and independently at each service. This makes it difficult to detect or defend against multi-stage attacks, or attacks which begin as innocent requests and then later exhibit malicious behavior in the same context. In this paper we describe Arachne, a prototype for asynchronous policy evaluation. We evaluate the system by testing it against pre-recorded traffic containing known and unknown attacks and show that it is capable of processing events at more than 10x the required rate for a deployed, heavily-used network.