A Cyber Awareness Framework for Attack Analysis, Prediction, and Visualization
University of California, Santa Barbara; University of California, Berkeley; Georgia Institute of Technology
ARO MURI Kickoff Meeting June 17, 2009
Richard A. Kemmerer
The Problem
• Cyber networks are ubiquitous and the Internet has become a mission-critical asset
• There is a need to monitor and protect cyber assets to support mission execution
• Lieutenant General Charles E. Croom Jr.’s testimony to the House Armed Services Committee, April 2006
– “Across the Department of Defense, requirements supporting a global, interconnected force demand a transformation in the way information is managed and shared to accelerate decision making, improve warfighting, create intelligence advantages, and optimize business processes.”
The Problem
• The impact of current (security) events on a mission can be understood only if cyber situation awareness is achieved
– Situation Awareness: the perception of the elements of the environment, the comprehension of their meaning, and the projection of their status in order to enable decision superiority [Salerno05]
Current Status of Network Surveillance and Security Monitoring
• Networks are monitored by Intrusion Detection Systems (IDSs)
• The IDSs produce a stream of low-level alerts that represent security-relevant events in different points of the network, for different operating systems, and at different levels of abstraction
• Alert Correlation is the process through which alerts are grouped, merged, and/or put in relation with one another
Current Status of Network Surveillance and Security Monitoring
• Alerts are still low-level events
– Lack of contextualization in terms of cyber assets
– Lack of contextualization in terms of cyber missions
– Lack of damage assessment and impact on mission
– Lack of adversarial behavior prediction
– Lack of presentation media that enables efficient decision-making and action planning
Challenges and Solutions
What is needed for cyber-situation awareness is a fundamentally richer perspective. (Slide diagram: from the Mission, each of the five dimensions below is labeled “Extract & Abstract”; the solutions feed a Situation Awareness Framework through “Integration”.)
• Assets
– Challenge: Knowledge about assets is incomplete
– Solution: Novel tools and techniques to automatically obtain an up-to-date view of the cyber-assets
• Configuration
– Challenge: Relationships between assets and mission are unknown
– Solution: Novel analysis approaches to automatically extract dependencies between the mission and the assets
• Impact
– Challenge: Effects of an attack on the mission are unknown
– Solution: Comprehensive correlation framework to automatically determine the impact of attacks on the mission
• Threat
– Challenge: Type and goals of the adversary are unknown
– Solution: Game-theoretic techniques to characterize the attacker and predict future actions
• Visualization
– Challenge: Meaningful view of the mission’s state is missing
– Solution: Create a semantically-rich view of the cyber-mission status, on a variety of display platforms
Proposed Research
We will develop novel situation awareness theories and techniques to obtain an accurate view of the available cyber-assets and to automatically determine the assets required to carry out each mission task.
Based on this information, we will automatically assess the damage of attacks, possible next moves, and the impact on the missions.
We will also model the behavior of adversaries to predict the threat of future attacks to the success of a mission.
Finally, we will present the status of the current missions and the impact of possible countermeasures to a security officer, using a semantically-rich environment.
Each of these technologies will be integrated into a coherent cyber-situation awareness framework.
Hypothetical Tactical Military Example
A rocket launcher unit is about to shell an area occupied by the enemy. Before doing that, the commander requires assurance that there are no friendly troops in the area. Moreover, if possible, the location of the enemy troops (or at least their recent whereabouts) should be determined.
It is clear that the gathering of intelligence is a crucial component for the success of this mission.
Furthermore, the mission critically relies on the security and availability of a complex cyber-infrastructure, which comprises a large number of diverse services.
Available Information and Services
The commander has access to
• Satellite photos, geographical maps
• A targeting information server that aggregates reports from recon units on the ground
– GPS coordinates, times, and types of enemy units
– Reconstruct past movements and overlay on maps
– Information on friendly troops
• UAV ground station server that gets UAV data by high-integrity link from one or more unmanned aerial vehicles (UAV), providing near-real-time imagery
– Target confirmation and damage assessment
Adversarial Actions Against the Mission
Consider an adversary who has launched a denial-of-service (DoS) attack on the targeting information server by using thousands of zombie computers that are part of a botnet.
At the same time, the attacker is also launching a stealthy remote-to-local attack against the UAV ground station server.
Furthermore, assume that the purpose of the DoS attack is to draw attention away from the true attack, which is against the UAV ground station.
First Scenario
• Network security officer (NSO) is presented with the raw alerts from all of the IDS sensors in the network
• NSO is overwhelmed by the sheer volume and concentrates on the DoS attack, because there are thousands of alerts raised for this attack
• NSO misses the stealthy attack against the UAV ground station server
Current correlation systems fuse alerts, and the DoS attack would likely be presented as a single alert, allowing the NSO to catch the stealthy attack
Second Scenario
• NSO is aware of the remote-to-local attack on the UAV ground station server, but is not immediately aware that this component is a critical asset for the targeting process and that its loss can delay the planned attack
Having an up-to-date view of the cyber-assets and knowing the dependencies between the mission and the cyber-assets could avoid this problem
Third Scenario
• NSO is aware that the compromised UAV ground station server is a critical asset
• However, NSO does not realize that the compromised server can be isolated and a backup ground station server, which would allow the planned rocket launching to be executed on time, can be used in its place.
Knowing the impact of attacks on a mission and possible COAs could avoid this problem
Fourth Scenario
• NSO is aware of the current and past attacks and of both ground station servers
• NSO does not know what the attacker may do next (e.g., the attacker could attempt to compromise the backup ground station server next)
• Because the NSO does not have this information, he/she may not take the appropriate actions to protect the critical backup server
Characterizing the attacker and predicting future attacker actions could avoid this problem
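The first four scenarios describe one pipeline: fuse the raw alert stream, map the affected asset onto the mission tasks that need it, propose a course of action (isolate and fail over), and forecast the attacker's next target so the defender protects it first. The Python below is an added illustration of that pipeline and is not code from the MURI project or these slides. The alert stream, host names and mission model are constructed; the "fuse by target" rule and the one-step adversary model (the attacker is assumed to go for the live asset whose loss would block the most mission tasks) are assumptions of this example, standing in for the correlation and game-theoretic techniques the slides propose.

```python
# Added example (not from the MURI slides): toy alert fusion, mission impact,
# course-of-action and attacker-forecast pipeline for scenarios one to four.
from collections import defaultdict

# Constructed IDS alert stream: (sensor, signature, source, target).
ALERTS = (
    [("ids-edge", "SYN flood", f"10.9.{i // 256}.{i % 256}", "targeting-server")
     for i in range(3000)]                                   # botnet DoS
    + [("ids-dmz", "SSH brute-force", "203.0.113.7", "uav-gs-primary"),
       ("ids-host", "setuid binary modified", "203.0.113.7", "uav-gs-primary")]
)

# Constructed mission model: each task needs one working asset from every
# group listed for it; a group with two entries has a backup.
MISSION = {
    "confirm_no_friendlies": [["targeting-server"]],
    "locate_enemy": [["targeting-server"], ["uav-gs-primary", "uav-gs-backup"]],
    "target_confirmation": [["uav-gs-primary", "uav-gs-backup"]],
    "damage_assessment": [["uav-gs-primary", "uav-gs-backup"]],
}


def fuse_alerts(alerts, flood_threshold=100):
    """Scenario 1: merge every alert against one target into a single fused
    alert, so 3000 DoS alerts become one row and the two-alert intrusion
    against the UAV ground station is no longer buried in the volume."""
    by_target = defaultdict(lambda: {"count": 0, "sources": set(),
                                     "signatures": set(), "sensors": set()})
    for sensor, signature, source, target in alerts:
        entry = by_target[target]
        entry["count"] += 1
        entry["sources"].add(source)
        entry["signatures"].add(signature)
        entry["sensors"].add(sensor)
    return {
        target: {
            "count": e["count"],
            "distinct_sources": len(e["sources"]),
            "signatures": sorted(e["signatures"]),
            "kind": "flood" if e["count"] >= flood_threshold else "targeted",
        }
        for target, e in by_target.items()
    }


def assess_impact(mission, unavailable):
    """Scenario 2: map unavailable assets onto mission tasks.
    OK = every asset up, DEGRADED = running on a backup, BLOCKED = none left."""
    status = {}
    for task, groups in mission.items():
        worst = "OK"
        for group in groups:
            alive = [a for a in group if a not in unavailable]
            if not alive:
                worst = "BLOCKED"
                break
            if len(alive) < len(group):
                worst = "DEGRADED"
        status[task] = worst
    return status


def courses_of_action(mission, compromised):
    """Scenario 3: for each compromised asset that shares a group with a live
    backup, propose (isolate this asset, fail over to that backup)."""
    coas = set()
    for groups in mission.values():
        for group in groups:
            alive = [a for a in group if a not in compromised]
            for asset in group:
                if asset in compromised and alive:
                    coas.add((asset, alive[0]))
    return sorted(coas)


def forecast_next_target(mission, compromised):
    """Scenario 4: one-step adversary model (an assumption of this example).
    Rank live assets by how many tasks their loss would newly block; the top
    entry is what the defender should harden first."""
    before = assess_impact(mission, compromised)
    candidates = {a for groups in mission.values() for g in groups for a in g}
    ranking = []
    for asset in candidates - set(compromised):
        after = assess_impact(mission, set(compromised) | {asset})
        newly_blocked = sum(1 for t in mission
                            if after[t] == "BLOCKED" and before[t] != "BLOCKED")
        ranking.append((asset, newly_blocked))
    return sorted(ranking, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for target, row in fuse_alerts(ALERTS).items():
        print(target, row)
    compromised = {"uav-gs-primary"}
    print(assess_impact(MISSION, compromised))
    print(courses_of_action(MISSION, compromised))
    print(forecast_next_target(MISSION, compromised))
```

Run stand-alone, the fusion step reduces 3002 alerts to two rows (one flood against targeting-server from 3000 sources, one targeted two-signature intrusion against uav-gs-primary); the impact step marks the UAV-dependent tasks DEGRADED rather than BLOCKED because a backup exists; the course of action is to isolate uav-gs-primary and fail over to uav-gs-backup; and the forecast ranks uav-gs-backup above targeting-server because its loss would block three tasks rather than two.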
Fifth Scenario
• NSO is aware of the current and past attacks and of the available ground station servers, and has modeled the adversary and used game theoretic processes to forecast the adversary’s possible future actions.
• NSO has a fully-immersive visual environment, and the current attacks and the status of the mission are all clearly displayed.
• Furthermore, NSO is presented with possible COAs and can play them out interactively on the visual display.
• Based on the information obtained in various what-if scenarios, the NSO gains a complete understanding of the nature of possible attacks, guards against them, and brings the mission to a successful conclusion
Fifth Scenario
The objective of our research is to develop cyber-situation awareness theories and techniques and a framework that integrates these technologies to provide the network security officer with a “big picture” view that enables detection and understanding of complex cyber-attacks and rapid responsive action to preserve mission efficacy
Five Key Concepts
1. Up-to-date views of the available cyber-assets
2. A comprehensive analysis of the dependencies between cyber-missions and cyber-assets
3. An accurate understanding of the impact of cyber-attacks
4. Actionable cyber-attack forecasts
5. A semantically-rich, easy-to-grasp view of the cyber-mission status
Thrust I: Obtaining an up-to-date view of the available cyber-assets
• Develop tools and techniques for automated analysis of the network event data about resources, services, hosts, and network connections
– Modeling assets
– Passive monitoring
– Active probing
– Host-based monitoring
• “Capture of Mission Assets” – Vern Paxson
Thrust I: Obtaining an up-to-date view of the available cyber-assets
Year 1 tasks:
• Compile comprehensive list of assets based on input from domain experts [UCSB, UCB]
• Develop a model for assets (hosts, networks, services, ...) [UCSB, UCB]
• Develop initial set of techniques and tools to extract asset information through passive monitoring of the infrastructure [UCSB, UCB]
Deliverables:
• Data repository of (manually-inserted) assets
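As an added illustration of the Year 1 passive-monitoring task (not code from the MURI project), the Python below builds a small asset repository from passively observed connection records: it infers hosts, the services they expose, and which host depends on which service, and then walks those edges transitively, which is the kind of indirect dependency Thrust II is after. The flow records and addresses are constructed, and the service heuristic (a destination host/port/protocol that received at least two flows counts as a service) is an assumption of this example, not a rule from the slides.

```python
# Added example (not from the MURI slides): asset repository from passive
# flow observation. All addresses and flows below are constructed.
from collections import defaultdict

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto).
FLOWS = [
    ("10.1.0.20", 51234, "10.1.0.5", 443, "tcp"),
    ("10.1.0.21", 51890, "10.1.0.5", 443, "tcp"),
    ("10.1.0.22", 40001, "10.1.0.5", 443, "tcp"),
    ("10.1.0.5", 38822, "10.1.0.9", 5432, "tcp"),     # web server -> database
    ("10.1.0.5", 38823, "10.1.0.9", 5432, "tcp"),
    ("10.1.0.20", 60100, "10.1.0.53", 53, "udp"),
    ("10.1.0.21", 60101, "10.1.0.53", 53, "udp"),
    ("10.1.0.22", 49999, "10.1.0.20", 51234, "tcp"),  # one-off peer flow, not a service
]


def build_asset_repository(flows, min_flows=2):
    """Infer hosts, services and direct dependencies from observed flows.
    Heuristic (an assumption of this example): a (host, port, proto) that
    received at least `min_flows` flows is recorded as a service, and every
    client that talked to it gets a dependency edge to that service."""
    flow_count = defaultdict(int)
    clients = defaultdict(set)
    for src, _sport, dst, dport, proto in flows:
        flow_count[(dst, dport, proto)] += 1
        clients[(dst, dport, proto)].add(src)
    services = {svc: sorted(clients[svc])
                for svc, n in flow_count.items() if n >= min_flows}
    depends_on = defaultdict(set)
    for svc, svc_clients in services.items():
        for client in svc_clients:
            depends_on[client].add(svc)
    hosts = sorted({f[0] for f in flows} | {f[2] for f in flows})
    return {"hosts": hosts, "services": services,
            "depends_on": {h: sorted(d) for h, d in depends_on.items()}}


def indirect_dependencies(repo, host):
    """Transitive closure over depends_on: a client of the web service also
    depends, indirectly, on the database the web server talks to."""
    seen, stack = set(), [host]
    while stack:
        current = stack.pop()
        for svc in repo["depends_on"].get(current, []):
            if svc not in seen:
                seen.add(svc)
                stack.append(svc[0])  # continue from the service's host
    return sorted(seen)


if __name__ == "__main__":
    repo = build_asset_repository(FLOWS)
    print("hosts:", repo["hosts"])
    print("services:", repo["services"])
    print("10.1.0.22 depends on:", indirect_dependencies(repo, "10.1.0.22"))
```

The one-off flow from 10.1.0.22 to an ephemeral port on 10.1.0.20 is correctly left out of the service list, while the database on 10.1.0.9 is recognised even though it has a single client, because it was contacted twice. The transitive walk then shows that 10.1.0.22, which never talks to the database directly, still depends on it through the web service, the kind of hidden dependency the mission model needs to capture.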
Thrust II: Obtaining dependencies between missions and assets
• Develop analysis approaches to automatically extract relationships (either manifest or hidden) between cyber-mission tasks and the resources required
– Modeling missions
– Mapping assets to tasks and missions
– Indirect dependencies
– Inferring types of dependencies
• “Automated Extraction of Network Protocol Specifications” – Chris Kruegel
Thrust II: Obtaining dependencies between missions and assets
Year 1 tasks:
• Analyze existing missions to model their work-flow and dependencies on assets [UCSB, UCB]
Deliverables:
• Data repository of (manually-defined) missions
Thrust III: Obtaining an accurate view of the impact of cyber-attacks
• Develop techniques to automatically correlate the information about ongoing attacks with the affected cyber-assets that are needed to successfully complete a mission
– Alert correlation
– Speculative analysis
– Cyber-triaging
• “Alert Correlation and Impact Assessment” – Giovanni Vigna
Thrust III: Obtaining an accurate view of the impact of cyber-attacks
Year 1 tasks:
• Design the integration mechanisms between the asset and mission models and the correlation process [UCSB]
Deliverables:
• Basic Adversarial Detection Tools
Thrust IV: Obtaining actionable cyber-attack forecasts
• Develop game-theoretic techniques for modeling adversary behavior and predicting the effects of future attacks that can be launched to prevent a cyber-mission from completing successfully
– Computation of effective strategies
– Uncertainty and adversarial intent
– Detection in adversarial environments
• “Game Theoretical Approaches to Actionable Cyber-attack Forecasts” – João P. Hespanha & Jeff Shamma
Thrust IV: Obtaining actionable cyber-attack forecasts
Year 1 tasks:
• Construct simple adversarial models and an initial set of techniques and tools for detection in adversarial environments [UCSB, GTech]
• Develop an initial set of techniques and tools to construct CMDP models from mission and asset models [UCSB, GTech]
Deliverables:
• CMDP mission models
Thrust V: Obtaining a semantically-rich, easy-to-grasp view of the cyber-mission
• Develop techniques and tools for displaying the relevant components of the current cyber-missions in an immersive environment that leverages novel cognitive science techniques to improve large-scale attack comprehension and response under duress
– Display and interaction platforms
– Information needs and user modeling
– Interactive what-if scenarios
• “Scalable Visualization and Interaction for Cyber-Mission Awareness” – Tobias Hollerer
Thrust V: Obtaining a semantically-rich, easy-to-grasp view of the cyber-mission
Year 1 tasks:
• Analyze and model the users and tasks for workflow and interface design [UCSB, UCB, GTech]
• Evaluate and identify platforms for user interfaces [UCSB]
Deliverables:
• User and Task Analysis
• Detailed Platform Recommendation
The Team
• University of California, Santa Barbara
– Richard A. Kemmerer, PI, Computer Science
– Joao P. Hespanha, Electrical and Computer Engineering
– Tobias Hollerer, Computer Science and Media Arts and Technology
– Christopher Kruegel, Computer Science
– Giovanni Vigna, Computer Science
• University of California, Berkeley
– Vern Paxson, Electrical Engineering and Computer Science
• Georgia Institute of Technology
– Jeff S. Shamma, School of Electrical and Computer Engineering
Management Plan
• The investigators plan to meet weekly to review the progress of the research and to discuss integration issues
• The investigators who are not at UCSB will be able to participate by video conferencing
• The teams also plan to have at least two project meetings per year, which will alternate between the team locations
Technology Transfer
• ARL
– We would like to analyze data that ARL collects, to help in the development of our cyber-asset and mission models
– We would like to try out our techniques and tools on ARL’s data
• Penn State MURI team
– We plan to share data and techniques with the PSU team
• WebWise Security, Inc.
– Already using our previous MURI correlation tool in their company