A Formal Approach to Network Segmentation

Mhaskar, Neerja; Alabbad, Mohammed; Khédri, Ridha

doi:10.1016/j.cose.2020.102162

Cited by 21 publications

(9 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In contrast to the aforementioned works, we focus on ITSs where the network is smaller compared to the Internet. More importantly, we aim to capture complex dependencies between ITS components (rather than the statistical properties of the Internet) which is not possible with the aforementioned Works such as [29]- [31]and [32] propose approaches that optimize firewall policies according to specified security and performance goals. A limitation of these approaches is that they need existing firewall policies for all resources as inputs to perform optimization.…”

Section: Related Workmentioning

confidence: 99%

Automatically Generating Models of IT Systems

2022

View full text Add to dashboard Cite

Information technology system (ITS), informally, is a set of workstations, servers, laptops, installed software, databases, LANs, firewalls, etc. Nowadays, every company has an ITS, but rarely is information about it available outside the company that owns it. However, there are many situations where the availability of such data would be beneficial. For example, cyber ranges emulate IT systems and need their description, and various algorithms in cybersecurity, in particular attack tree generation, need to be validated on models of IT systems. In this paper, we describe a system we call the Generator, that as inputs takes requirements such as the number of employees and the vertical to which the company belongs, and outputs a model of an ITS that satisfies the given requirements. A very important property, that we have put special emphasis on, is that the generated ITS models a large amount of details, and ideally resembles a real system. To the best of our knowledge, we are the first to have attempted to build something like this. We made a proof-of-concept implementation of the Generator, validated it by generating an ITS model for a simplified fictional financial institution, and analyzed its performance with respect to the problem size. The conducted experiments show that our approach is feasible. In the future, we intend to extend this prototype to allow probabilistic generation of IT systems when only a subset of parameters is explicitly defined, and further validate our approach with the help of domain experts.INDEX TERMS cybersecurity, cyber range, information technology system I. INTRODUCTION

show abstract

Section: Related Workmentioning

confidence: 99%

Automatically Generating Models of IT Systems

2022

View full text Add to dashboard Cite

show abstract

“…The defence-in-depth (DiD) methodology is a defensive approach traditionally implemented by network administrators to design and build secure networks by layering and segmenting them [ 3 ]. Network segmentation relies on organising corporate resources in zones with similar security requirements [ 4 , 5 ]. Then, a firewall enforcing restrictive policies is deployed between zones.…”

Section: Introductionmentioning

confidence: 99%

Performance Analysis of Software-Defined Networks to Mitigate Private VLAN Attacks

Álvarez

Nuño

González

et al. 2023

Sensors

View full text Add to dashboard Cite

The defence-in-depth (DiD) methodology is a defensive approach usually performed by network administrators to implement secure networks by layering and segmenting them. Typically, segmentation is implemented in the second layer using the standard virtual local area networks (VLANs) or private virtual local area networks (PVLANs). Although defence in depth is usually manageable in small networks, it is not easily scalable to larger environments. Software-defined networks (SDNs) are emerging technologies that can be very helpful when performing network segmentation in such environments. In this work, a corporate networking scenario using PVLANs is emulated in order to carry out a comparative performance analysis on defensive strategies regarding CPU and memory usage, communications delay, packet loss, and power consumption. To do so, a well-known PVLAN attack is executed using simulated attackers located within the corporate network. Then, two mitigation strategies are analysed and compared using the traditional approach involving access control lists (ACLs) and SDNs. The results show the operation of the two mitigation strategies under different network scenarios and demonstrate the better performance of the SDN approach in oversubscribed network designs.

show abstract

“…Cybersecurity practices and drawbacks. Organizations may use fundamental cybersecurity techniques such as multi-factor authentication (MFA) [28] or firewalls to decrease the damage of a cyberattack [24]. The purpose of these techniques, if properly conducted, is to segment the network into smaller blocks so that the contagion can be isolated or at least cause minimal damage by impacting only a fragment of the network.…”

Section: Introductionmentioning

confidence: 99%

“…In practice, there are many different ways to segment the network and the possibilities only increase as the organization expands in size [22,39]. Because of this, there is a great lack of formal approaches for network administrators to optimally segment networks [24]. And so, they segment the network based on their own experiences, preferences, and available resources of the organization [22,24].…”

Section: Introductionmentioning

confidence: 99%

“…Because of this, there is a great lack of formal approaches for network administrators to optimally segment networks [24]. And so, they segment the network based on their own experiences, preferences, and available resources of the organization [22,24]. Despite this, proper network segmentation is still typically an effective method to deter contagions from infecting other components of the organization's network and so reducing the impact of the cyber attack [9].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Exact Insurance Premiums for Cyber Risk of Small and Medium-Sized Enterprises

Chiaradonna¹,

Lanchier²

2022

Math. Model. Nat. Phenom.

View full text Add to dashboard Cite

As cyber attacks have become more frequent, cyber insurance premiums have increased, resulting in the need for better modeling of cyber risk. Jevtic and Lanchier[20] proposed a dynamic structural model of aggregate loss distribution for cyber risk of small-and-medium-sized enterprises under the assumption of a tree-based local-area-network topology that consists of the combination of a Poisson process, homogeneous random trees, bond percolation processes, and cost topology. Their model assumes that the contagion spreads through the edges of the network with the same fixed probability in both directions, thus overlooking a dynamic cyber security environment implemented in most networks, and their results give an exact expression for the mean of the aggregate loss but only a rough upper bound for the variance. In this paper, we consider a bidirectional version of their percolation model in which the contagion spreads through the edges of the network with a certain probability moving toward the lower level assets of the network but with another probability moving toward the higher level assets of the network. Also, our different mathematical approach leads to exact expressions for both the mean and the variance of the aggregate loss, and therefore an exact expression for the insurance premiums.

show abstract

A Formal Approach to Network Segmentation

Cited by 21 publications

References 12 publications

Automatically Generating Models of IT Systems

Automatically Generating Models of IT Systems

Performance Analysis of Software-Defined Networks to Mitigate Private VLAN Attacks

Exact Insurance Premiums for Cyber Risk of Small and Medium-Sized Enterprises

Contact Info

Product

Resources

About