A Cyber Awareness Framework for Attack Analysis, Prediction, and Visualization University of California, Santa Barbara University of California, Berkeley Georgia Institute of Technology ARO MURI Kickoff Meeting June 17, 2009 Richard A. Kemmerer

Page 1

A Cyber Awareness Framework for Attack Analysis, Prediction, and Visualization

University of California, Santa Barbara
University of California, Berkeley
Georgia Institute of Technology

ARO MURI Kickoff Meeting, June 17, 2009

Richard A. Kemmerer

Page 2

The Problem

• Cyber networks are ubiquitous and the Internet has become a mission-critical asset

• There is a need to monitor and protect cyber assets to support mission execution

• Lieutenant General Charles E. Croom Jr.’s testimony to the House Armed Services Committee, April 2006:
– “Across the Department of Defense, requirements supporting a global, interconnected force demand a transformation in the way information is managed and shared to accelerate decision making, improve warfighting, create intelligence advantages, and optimize business processes.”

Page 3

The Problem

• The impact of current (security) events on a mission can be understood only if cyber situation awareness is achieved
– Situation Awareness: the perception of the elements of the environment, the comprehension of their meaning, and the projection of their status in order to enable decision superiority [Salerno05]

Page 4

Current Status of Network Surveillance and Security Monitoring

• Networks are monitored by Intrusion Detection Systems (IDSs)

• The IDSs produce a stream of low-level alerts that represent security-relevant events in different points of the network, for different operating systems, and at different levels of abstraction

• Alert Correlation is the process through which alerts are grouped, merged, and/or put in relation with one another

Page 5

Current Status of Network Surveillance and Security Monitoring

• Alerts are still low-level events
– Lack of contextualization in terms of cyber assets
– Lack of contextualization in terms of cyber missions
– Lack of damage assessment and impact on mission
– Lack of adversarial behavior prediction
– Lack of presentation media that enables efficient decision-making and action planning

What is needed for cyber-situation awareness is a fundamentally richer perspective

Page 6

Challenges and Solutions

(Figure on this slide: a “Situation Awareness Framework” diagram in which “Mission” feeds five columns, Assets, Configuration, Impact, Threat and Visualization, through an “Extract & Abstract” step each, and the five solutions are tied together by “Integration”. The figure text is reconstructed below.)

Challenges:
• Assets: Knowledge about assets is incomplete
• Configuration: Relationships between assets and mission are unknown
• Impact: Effects of an attack on the mission are unknown
• Threat: Type and goals of the adversary are unknown
• Visualization: Meaningful view of the mission’s state is missing

Solutions:
• Assets: Novel tools and techniques to automatically obtain an up-to-date view of the cyber-assets
• Configuration: Novel analysis approaches to automatically extract dependencies between the mission and the assets
• Impact: Comprehensive correlation framework to automatically determine the impact of attacks on the mission
• Threat: Game-theoretic techniques to characterize the attacker and predict future actions
• Visualization: Create a semantically-rich view of the cyber-mission status, on a variety of display platforms

Page 7

Proposed Research

We will develop novel situation awareness theories and techniques to obtain an accurate view of the available cyber-assets and to automatically determine the assets required to carry out each mission task.

Based on this information, we will automatically assess the damage of attacks, possible next moves, and the impact on the missions.

We will also model the behavior of adversaries to predict the threat of future attacks to the success of a mission.

Finally, we will present the status of the current missions and the impact of possible countermeasures to a security officer, using a semantically-rich environment.

Each of these technologies will be integrated into a coherent cyber-situation awareness framework.

Page 8

Hypothetical Tactical Military Example

A rocket launcher unit is about to shell an area occupied by the enemy. Before doing that, the commander requires assurance that there are no friendly troops in the area. Moreover, if possible, the location of the enemy troops (or at least their recent whereabouts) should be determined.

It is clear that the gathering of intelligence is a crucial component for the success of this mission.

Furthermore, the mission critically relies on the security and availability of a complex cyber-infrastructure, which comprises a large number of diverse services.

Page 9

Available Information and Services

The commander has access to
• Satellite photos, geographical maps
• A targeting information server that aggregates reports from recon units on the ground
– GPS coordinates, times, and types of enemy units
– Reconstruct past movements and overlay on maps
– Information on friendly troops
• A UAV ground station server that gets UAV data by high-integrity link from one or more unmanned aerial vehicles (UAV), providing near-real-time imagery
– Target confirmation and damage assessment

Page 10

Adversarial Actions Against the Mission

Consider an adversary who has launched a denial-of-service (DoS) attack on the targeting information server by using thousands of zombie computers that are part of a botnet.

At the same time, the attacker is also launching a stealthy remote-to-local attack against the UAV ground station server.

Furthermore, assume that the purpose of the DoS attack is to draw attention away from the true attack, which is against the UAV ground station.

Page 11

First Scenario

• Network security officer (NSO) is presented with the raw alerts from all of the IDS sensors in the network

• NSO is overwhelmed by the sheer volume and concentrates on the DoS attack, because there are thousands of alerts raised for this attack

• NSO misses the stealthy attack against the UAV ground station server

Current correlation systems fuse alerts, and the DoS attack would likely be presented as a single alert, allowing the NSO to catch the stealthy attack
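The alert fusion step described on Page 4 and in the First Scenario above, as an added illustration that is not part of the original deck or of the project's correlation tool: alerts sharing a signature and a destination within a time window are merged into one meta-alert, so a flood of thousands of DoS alerts collapses to a single event while the lone remote-to-local alert against the UAV ground station stays visible beside it. The alert fields, the sensor and host names, the 60-second window and the sample alert stream are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Alert:
    """One low-level IDS alert, in the form a sensor would emit it (constructed schema)."""
    ts: float        # seconds since epoch
    sensor: str      # which IDS produced it
    signature: str   # what the sensor matched
    src: str         # source address
    dst: str         # target host, by name


@dataclass
class MetaAlert:
    """Several alerts fused into one higher-level event."""
    signature: str
    dst: str
    first_ts: float
    last_ts: float
    count: int = 0
    sources: set = field(default_factory=set)
    sensors: set = field(default_factory=set)


def fuse_alerts(alerts, window=60.0):
    """Merge alerts that share a signature and destination and arrive within
    `window` seconds of their group's first alert into one MetaAlert.
    Meta-alerts are returned in order of first occurrence."""
    open_groups = {}   # (signature, dst) -> MetaAlert currently being filled
    fused = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.signature, a.dst)
        m = open_groups.get(key)
        if m is None or a.ts - m.first_ts > window:
            m = MetaAlert(a.signature, a.dst, a.ts, a.ts)
            open_groups[key] = m
            fused.append(m)
        m.last_ts = a.ts
        m.count += 1
        m.sources.add(a.src)
        m.sensors.add(a.sensor)
    return fused


def constructed_alert_stream(n_zombies=3000):
    """Constructed sample input (not real sensor data): a botnet SYN flood
    against the targeting information server, plus one remote-to-local
    alert against the UAV ground station server 12 s into the flood."""
    t0 = 1_245_000_000.0
    alerts = [
        Alert(t0 + i * 0.01, "ids-edge", "SYN flood",
              f"10.0.{(i >> 8) & 255}.{i & 255}", "targeting-srv")
        for i in range(n_zombies)
    ]
    alerts.append(Alert(t0 + 12.0, "ids-dmz", "remote-to-local exploit attempt",
                        "198.51.100.23", "uav-gs-primary"))
    return alerts


if __name__ == "__main__":
    for m in fuse_alerts(constructed_alert_stream()):
        print(f"{m.signature!r} -> {m.dst}: {m.count} alerts from "
              f"{len(m.sources)} sources over {m.last_ts - m.first_ts:.1f}s")
```

The fused view is what the NSO would see in place of 3,001 raw alerts: two lines, one carrying the count and source cardinality of the flood, the other the single stealthy alert. The window and grouping key are the simplest useful choices; a real correlator would also key on sensor type and attack class, which is exactly the contextualization the Page 5 slide says is still missing.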

Page 12

Second Scenario

• NSO is aware of the remote-to-local attack on the UAV ground station server, but is not immediately aware that this component is a critical asset for the targeting process and that its loss can delay the planned attack

Having an up-to-date view of the cyber-assets and knowing the dependencies between the mission and the cyber-assets could avoid this problem

Page 13

Third Scenario

• NSO is aware that the compromised UAV ground station server is a critical asset

• However, NSO does not realize that the compromised server can be isolated and a backup ground station server, which would allow the planned rocket launching to be executed on time, can be used in its place.

Knowing the impact of attacks on a mission and possible COAs could avoid this problem

Page 14

Fourth Scenario

• NSO is aware of the current and past attacks and of both ground station servers

• NSO does not know what the attacker may do next (e.g., the attacker could attempt to compromise the backup ground station server next)

• Because the NSO does not have this information, he/she may not take the appropriate actions to protect the critical backup server

Characterizing the attacker and predicting future attacker actions could avoid this problem
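The Second, Third and Fourth Scenarios above each hinge on the same piece of information: which assets each mission task depends on, and which of them have substitutes. The following is an added example, not code from the deck or the project, that encodes the hypothetical tactical mission as a dependency model and derives from it the three things the scenarios ask for: the impact of an unavailable asset on each task, the course of action (switch to the backup ground station) when a substitute exists, and the assets whose loss would next block a task and therefore deserve protection first. The task and asset names and the preference ordering are constructed for the example.

```python
# Each mission task lists its requirements; each requirement is a tuple of
# interchangeable assets in order of preference (any healthy one satisfies it).
# Constructed from the hypothetical tactical example above; not a real mission model.
MISSION = {
    "verify_no_friendlies": [("targeting-srv",)],
    "locate_enemy": [("targeting-srv",), ("sat-imagery", "geo-maps")],
    "confirm_target": [("uav-gs-primary", "uav-gs-backup")],
}


def assess_mission(mission, unavailable):
    """Impact assessment: for each task, the asset it can still use for each
    requirement, and the requirements that are blocked outright."""
    report = {}
    for task, requirements in mission.items():
        uses, blocked_on = [], []
        for alternatives in requirements:
            healthy = [a for a in alternatives if a not in unavailable]
            if healthy:
                uses.append(healthy[0])       # most-preferred healthy asset
            else:
                blocked_on.append(alternatives)
        report[task] = {"ok": not blocked_on, "uses": uses, "blocked_on": blocked_on}
    return report


def mission_can_proceed(report):
    """True when every task has all of its requirements satisfied."""
    return all(r["ok"] for r in report.values())


def courses_of_action(mission, unavailable):
    """Where a preferred asset is down but a substitute is healthy, propose
    the substitution as (task, failed asset, substitute)."""
    coas = []
    for task, requirements in mission.items():
        for alternatives in requirements:
            preferred = alternatives[0]
            if preferred in unavailable:
                subs = [a for a in alternatives[1:] if a not in unavailable]
                if subs:
                    coas.append((task, preferred, subs[0]))
    return coas


def critical_assets(mission, unavailable):
    """Assets whose loss, on top of the current outages, would block a task.
    With the primary ground station down, the backup lands in this set, which
    is the Fourth Scenario's point: it is the asset to guard next."""
    critical = set()
    for requirements in mission.values():
        for alternatives in requirements:
            healthy = {a for a in alternatives if a not in unavailable}
            if len(healthy) == 1:
                critical |= healthy
    return critical


if __name__ == "__main__":
    down = {"uav-gs-primary"}
    report = assess_mission(MISSION, down)
    print("mission can proceed:", mission_can_proceed(report))
    print("courses of action:", courses_of_action(MISSION, down))
    print("protect next:", sorted(critical_assets(MISSION, down)))
```

Running it with only the primary ground station compromised reports that the mission can still proceed, proposes switching `confirm_target` to `uav-gs-backup`, and lists `uav-gs-backup` and `targeting-srv` as the assets whose loss would stop the mission; marking both ground stations unavailable blocks `confirm_target`, and marking the targeting server unavailable (the DoS from Page 10) blocks the two intelligence tasks instead.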

Page 15

Fifth Scenario

• NSO is aware of the current and past attacks and of the available ground station servers, and has modeled the adversary and used game theoretic processes to forecast the adversary’s possible future actions.

• NSO has a fully-immersive visual environment, and the current attacks and the status of the mission are all clearly displayed.

• Furthermore, NSO is presented with possible COAs and can play them out interactively on the visual display.

• Based on the information obtained in various what-if scenarios, the NSO gains a complete understanding of the nature of possible attacks, guards against them, and brings the mission to a successful conclusion

Page 16

Fifth Scenario

The objective of our research is to develop cyber-situation awareness theories and techniques and a framework that integrates these technologies to provide the network security officer with a “big picture” view that enables detection and understanding of complex cyber-attacks and rapid responsive action to preserve mission efficacy

Page 17

Five Key Concepts

1. Up-to-date views of the available cyber-assets
2. A comprehensive analysis of the dependencies between cyber-missions and cyber-assets
3. An accurate understanding of the impact of cyber-attacks
4. Actionable cyber-attack forecasts
5. A semantically-rich, easy-to-grasp view of the cyber-mission status

Page 18

Thrust I: Obtaining an up-to-date view of the available cyber-assets

• Develop tools and techniques for automated analysis of the network event data about resources, services, hosts, and network connections
– Modeling assets
– Passive monitoring
– Active probing
– Host-based monitoring

• “Capture of Mission Assets” – Vern Paxson

Page 19

Thrust I: Obtaining an up-to-date view of the available cyber-assets

Year 1 tasks:
• Compile a comprehensive list of assets based on input from domain experts [UCSB, UCB]
• Develop a model for assets (hosts, networks, services, ...) [UCSB, UCB]
• Develop an initial set of techniques and tools to extract asset information through passive monitoring of the infrastructure [UCSB, UCB]

Deliverables:
• Data repository of (manually-inserted) assets
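Thrust I's passive-monitoring task (Pages 18 and 19) amounts to inferring an asset inventory from traffic the network already produces. The following is an added example, not code from the deck or from the Thrust I tools, showing the smallest useful version of that: connection records are parsed, every address seen becomes a host with first- and last-seen timestamps, and a (host, port, protocol) triple is promoted to a service once enough distinct clients have contacted it, so one-off contacts do not pollute the inventory. The record format, the threshold of two clients and the sample records (including a deliberately malformed one) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed connection records in a simple "ts src:sport -> dst:dport proto"
# form; not output of any real sensor. One malformed line is included on purpose.
CONSTRUCTED_FLOWS = [
    "1245000001 10.0.3.10:51000 -> 10.0.1.5:443 tcp",
    "1245000002 10.0.3.11:51001 -> 10.0.1.5:443 tcp",
    "1245000003 10.0.3.12:51002 -> 10.0.1.5:443 tcp",
    "1245000004 10.0.3.10:51003 -> 10.0.1.5:22 tcp",
    "1245000005 10.0.3.11:40000 -> 10.0.2.9:53 udp",
    "1245000006 10.0.3.12:40001 -> 10.0.2.9:53 udp",
    "sensor restarted; record truncated",
]

FLOW_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>tcp|udp)$"
)


def parse_flow(line):
    """Return a dict for a well-formed record, None for anything else."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = float(d["ts"])
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def build_asset_view(lines, min_clients=2):
    """Passively infer hosts and services from connection records.
    A (host, port, proto) counts as a service once at least `min_clients`
    distinct hosts have connected to it; malformed records are counted and skipped."""
    hosts = {}                    # ip -> {"first_seen", "last_seen"}
    clients = defaultdict(set)    # (dst, dport, proto) -> set of client ips
    skipped = 0
    for line in lines:
        f = parse_flow(line)
        if f is None:
            skipped += 1
            continue
        for ip in (f["src"], f["dst"]):
            seen = hosts.setdefault(ip, {"first_seen": f["ts"], "last_seen": f["ts"]})
            seen["first_seen"] = min(seen["first_seen"], f["ts"])
            seen["last_seen"] = max(seen["last_seen"], f["ts"])
        clients[(f["dst"], f["dport"], f["proto"])].add(f["src"])
    services = {k: sorted(v) for k, v in clients.items() if len(v) >= min_clients}
    return {"hosts": hosts, "services": services, "skipped_records": skipped}


if __name__ == "__main__":
    view = build_asset_view(CONSTRUCTED_FLOWS)
    print(len(view["hosts"]), "hosts;", view["skipped_records"], "records skipped")
    for (host, port, proto), who in sorted(view["services"].items()):
        print(f"{host}:{port}/{proto} served {len(who)} clients")
```

On the sample records the inventory contains five hosts and two services (HTTPS on 10.0.1.5 and DNS on 10.0.2.9); the single SSH connection to 10.0.1.5 stays below the client threshold and is not listed, which is the kind of gap that active probing or host-based monitoring, the other items in Thrust I, would close.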

Page 20

Thrust II: Obtaining dependencies between missions and assets

• Develop analysis approaches to automatically extract relationships (either manifest or hidden) between cyber-mission tasks and the resources required
– Modeling missions
– Mapping assets to tasks and missions
– Indirect dependencies
– Inferring types of dependencies

• “Automated Extraction of Network Protocol Specifications” – Chris Kruegel

Page 21

Thrust II: Obtaining dependencies between missions and assets

Year 1 tasks:
• Analyze existing missions to model their work-flow and dependencies on assets [UCSB, UCB]

Deliverables:
• Data repository of (manually-defined) missions

Page 22

Thrust III: Obtaining an accurate view of the impact of cyber-attacks

• Develop techniques to automatically correlate the information about ongoing attacks with the affected cyber-assets that are needed to successfully complete a mission
– Alert correlation
– Speculative analysis
– Cyber-triaging

• “Alert Correlation and Impact Assessment” – Giovanni Vigna

Page 23

Thrust III: Obtaining an accurate view of the impact of cyber-attacks

Year 1 tasks:
• Design the integration mechanisms between the asset and mission models and the correlation process [UCSB]

Deliverables:
• Basic Adversarial Detection Tools

Page 24

Thrust IV: Obtaining actionable cyber-attack forecasts

• Develop game-theoretic techniques for modeling adversary behavior and predicting the effects of future attacks that can be launched to prevent a cyber-mission from completing successfully
– Computation of effective strategies
– Uncertainty and adversarial intent
– Detection in adversarial environments

• “Game Theoretical Approaches to Actionable Cyber-attack Forecasts” – João P. Hespanha & Jeff Shamma

Page 25

Thrust IV: Obtaining actionable cyber-attack forecasts

Year 1 tasks:
• Construct simple adversarial models and an initial set of techniques and tools for detection in adversarial environments [UCSB, GTech]
• Develop an initial set of techniques and tools to construct CMDP models from mission and asset models [UCSB, GTech]

Deliverables:
• CMDP mission models

Page 26

Thrust V: Obtaining a semantically-rich, easy-to-grasp view of the cyber-mission

• Develop techniques and tools for displaying the relevant components of the current cyber-missions in an immersive environment that leverages novel cognitive science techniques to improve large-scale attack comprehension and response under duress
– Display and interaction platforms
– Information needs and user modeling
– Interactive what-if scenarios

• “Scalable Visualization and Interaction for Cyber-Mission Awareness” – Tobias Hollerer

Page 27

Thrust V: Obtaining a semantically-rich, easy-to-grasp view of the cyber-mission

Year 1 tasks:
• Analyze and model the users and tasks for workflow and interface design [UCSB, UCB, GTech]
• Evaluate and identify platforms for user interfaces [UCSB]

Deliverables:
• User and Task Analysis
• Detailed Platform Recommendation

Page 28

The Team

• University of California, Santa Barbara
– Richard A. Kemmerer, PI, Computer Science
– Joao P. Hespanha, Electrical and Computer Engineering
– Tobias Hollerer, Computer Science and Media Arts and Technology
– Christopher Kruegel, Computer Science
– Giovanni Vigna, Computer Science

• University of California, Berkeley
– Vern Paxson, Electrical Engineering and Computer Science

• Georgia Institute of Technology
– Jeff S. Shamma, School of Electrical and Computer Engineering

Page 29

Management Plan

• The investigators plan to meet weekly to review the progress of the research and to discuss integration issues

• The investigators who are not at UCSB will be able to participate by video conferencing

• The teams also plan to have at least two project meetings per year, which will alternate between the team locations

Page 30

Technology Transfer

• ARL
– We would like to analyze data that ARL collects, to help in the development of our cyber-asset and mission models
– We would like to try out our techniques and tools on ARL’s data

• Penn State MURI team
– We plan to share data and techniques with the PSU team

• WebWise Security, Inc.
– Already using our previous MURI correlation tool in their company