Computer security for complex and distributed systems

Introduction

Large and distributed computer infrastructures face important cyber-security challenges. They are high-value targets for attack because of the large amount of computational power, storage capacity and network resources they concentrate. These systems require novel computer security approaches that employ emerging technologies such as data mining, machine learning, autonomous reasoning systems and automatic security hardening, among others. Those technologies can be applied in areas such as distributed intrusion detection, automatic vulnerability discovery and automatic vulnerability patching, and in general in all the areas that give system administrators a clear security overview of the entire computational infrastructure.

Secure architectures for Grid computing

Computing Grids allow the submission of user-developed jobs composed of code and data. They interface with the Internet and other communication networks, as well as with storage systems and experiment infrastructure, and they have challenging security requirements. Even when Grid system administrators perform a careful security assessment of sites, worker nodes, storage elements and central services, an attacker could still take advantage of unknown (zero-day) vulnerabilities. This attacker could gain entry and escalate her access privileges to misuse the computational resources for unauthorized or even criminal purposes; she could even manipulate the experimental data. In this document we focus on protecting and monitoring the job execution environment. Grids require tools to confine the environment so that user processes cannot access sensitive resources. They also require automatic tools to monitor job behavior. These tools should analyze the data generated by job runs, such as log entries, traces and system calls, to detect attacks on the system and react accordingly (for example by sending alerts and stopping suspicious processes). Such software could be classified as a Grid Intrusion Detection System (Grid-IDS). Traditional IDSs perform attack detection with fixed if-then rules based on signatures; this strategy fails when novel intrusion methods are used. We propose the use of Machine Learning (ML) combined with virtualization technologies to provide isolation and real-time analysis of attack attempts.
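The contrast drawn above, between signature rules that only catch what they already know and a behavioral model that flags drift from normal job activity, is illustrated by the following added example. It is not code from the original document or from any Grid-IDS project. It assumes, as a simplification, that each job yields a trace of system-call names, that a baseline profile is built from traces of known-good jobs, and that a new trace is scored by the cosine distance between its call-frequency distribution and that baseline; the page does not name a particular learning method, so this scoring rule, the sample traces and the signature set are all constructed here.

```python
"""Toy Grid-IDS job-behavior analyser (added example; not from the original page).

Assumptions not stated in the text: a job trace is a list of system-call names,
a baseline profile comes from known-good jobs, and anomaly is measured as the
cosine distance between a trace's call frequencies and that baseline profile.
"""
from collections import Counter
from math import sqrt

# Constructed sample traces from benign jobs (file I/O and memory management only).
BENIGN_TRACES = [
    ["open", "read", "read", "write", "close", "open", "read", "close", "mmap", "brk"],
    ["open", "read", "write", "write", "close", "stat", "mmap", "brk", "read", "read"],
    ["open", "read", "read", "read", "close", "write", "stat", "open", "close", "brk"],
]

# A traditional, fixed signature set: calls a previously seen attack relied on.
# Anything an attacker does that avoids exactly these names is invisible to it.
SIGNATURES = {"ptrace", "setuid"}


def signature_match(trace):
    """Return the set of signature calls present in the trace (empty if none)."""
    return {call for call in trace if call in SIGNATURES}


def build_profile(traces):
    """Relative frequency of each system call across all benign traces."""
    counts = Counter(call for trace in traces for call in trace)
    total = sum(counts.values())
    return {call: n / total for call, n in counts.items()}


def cosine_distance(profile, trace):
    """1 - cosine similarity between the baseline profile and the trace's frequencies.

    Calls never seen in the baseline contribute nothing to the dot product,
    so a job that suddenly uses unfamiliar calls scores as far away.
    """
    counts = Counter(trace)
    freqs = {call: n / len(trace) for call, n in counts.items()}
    keys = set(profile) | set(freqs)
    dot = sum(profile.get(k, 0.0) * freqs.get(k, 0.0) for k in keys)
    norm_p = sqrt(sum(v * v for v in profile.values()))
    norm_f = sqrt(sum(v * v for v in freqs.values()))
    if norm_p == 0.0 or norm_f == 0.0:
        return 1.0
    return 1.0 - dot / (norm_p * norm_f)


def calibrate_threshold(traces, profile, margin=0.15):
    """Threshold = worst benign distance plus a margin, so known-good jobs pass."""
    return max(cosine_distance(profile, t) for t in traces) + margin


def analyse(trace, profile, threshold):
    """Classify one job trace.

    Returns ('signature', sorted hits), ('anomaly', score) or ('normal', score).
    Signatures are checked first because they are cheap and exact; the
    behavioral score is what covers methods the signature set never saw.
    """
    hits = signature_match(trace)
    if hits:
        return "signature", sorted(hits)
    score = round(cosine_distance(profile, trace), 3)
    if score > threshold:
        return "anomaly", score
    return "normal", score


def react(job_id, verdict, details):
    """Defender-side reaction described in the text: alert, and stop if suspicious.

    The 'stop' action is only recorded here; wiring it to the batch system or
    hypervisor is deployment-specific and outside this example.
    """
    if verdict == "normal":
        return ("log", f"job {job_id}: normal (distance {details})")
    return ("alert+stop", f"job {job_id}: {verdict} {details}")


def run_demo():
    """Score a few constructed traces and return the reactions taken."""
    profile = build_profile(BENIGN_TRACES)
    threshold = calibrate_threshold(BENIGN_TRACES, profile)
    jobs = {
        # Benign job with slightly different call mix than the baseline.
        "j1": ["open", "read", "read", "close", "write", "brk", "mmap", "stat", "read", "open"],
        # Matches a known signature.
        "j2": ["open", "read", "ptrace", "write", "close"],
        # No signature hit, but the job starts talking on the network and spawning
        # programs, which the benign profile never showed.
        "j3": ["socket", "connect", "connect", "sendto", "recvfrom",
               "open", "read", "write", "close", "execve"],
    }
    return {jid: react(jid, *analyse(trace, profile, threshold))
            for jid, trace in jobs.items()}


if __name__ == "__main__":
    for jid, (action, message) in run_demo().items():
        print(action, "-", message)
```

In the demo the third job is the case the text warns about: an innovative intrusion that shares no call with the signature set slips past the if-then rules but is caught by its distance from the learned baseline. The margin added in calibrate_threshold is the usual trade-off knob between false alarms on unusual-but-legitimate jobs and missed detections.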

Related publications