The Complexity of Multiterminal Cuts
SIAM Journal on Computing
An overview of hierarchical control flow graph models
WSC '95 Proceedings of the 27th conference on Winter simulation
A decentralized model for information flow control
Proceedings of the sixteenth ACM symposium on Operating systems principles
A lattice model of secure information flow
Communications of the ACM
TrustedBSD: Adding Trusted Operating System Features to FreeBSD
Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference
Two Formal Analys s of Attack Graphs
CSFW '02 Proceedings of the 15th IEEE workshop on Computer Security Foundations
Automated Generation and Analysis of Attack Graphs
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Firewalls and Internet Security: Repelling the Wily Hacker
Firewalls and Internet Security: Repelling the Wily Hacker
Efficient Minimum-Cost Network Hardening Via Exploit Dependency Graphs
ACSAC '03 Proceedings of the 19th Annual Computer Security Applications Conference
Methods and limitations of security policy reconciliation
ACM Transactions on Information and System Security (TISSEC)
A scalable approach to attack graph generation
Proceedings of the 13th ACM conference on Computer and communications security
Analyzing integrity protection in the SELinux example policy
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
A logical specification and analysis for SELinux MLS policy
ACM Transactions on Information and System Security (TISSEC)
Automating security mediation placement
ESOP'10 Proceedings of the 19th European conference on Programming Languages and Systems
Leveraging "choice" to automate authorization hook placement
Proceedings of the 2012 ACM conference on Computer and communications security
Security-by-contract: toward a semantics for digital signatures on mobile code
EuroPKI'07 Proceedings of the 4th European conference on Public Key Infrastructure: theory and practice
Transforming commodity security policies to enforce Clark-Wilson integrity
Proceedings of the 28th Annual Computer Security Applications Conference
Hi-index | 0.00 |
System administrators frequently use Intrusion Detection and Prevention Systems (IDPS) and host security mechanisms, such as firewalls and mandatory access control, to protect their hosts from remote adversaries. The usual techniques for placing network monitoring and intrusion prevention apparatuses in the network do not account for host flows and fail to defend against vulnerabilities resulting from minor modifications to host configurations. Therefore, despite widespread use of these methods, the task of security remains largely reactive. In this paper, we propose an approach to automate a minimal mediation placement for network and host flows. We use Intrusion Prevention System (IPS) as a replacement for certain host mediations. Due to the large number of flows at the host level, we summarize information flows at the composite network level, using a conservative estimate of the host mediation. Our summary technique reduces the number of relevant network nodes in our example network by 80% and improves mediation placement speed by 87.5%. In this way, we effectively and efficiently compute network-wide defense placement for comprehensive security enforcement.