Automating Cyber-Defense Management. By: Zach Archer, COSC 316.

Road Map
- Introduction
- Stating the Problem
- Approach
- Key Elements
- Current Achievements
- Related Work
- Conclusion
- Questions

Introduction
- The work comes from BBN Technologies and is a new step in security: automating the management of a survivability architecture.
- What we mean to do: Automating Cyber-Defense Management means taking the human experts out of the role of the "intelligent control loop", the outermost control loop that decides how the defended system reacts.

Stating the Problem
- Survivability architectures combine three basic types of defensive capability: protection, detection and adaptive reaction.
- They produce a lot of information for the human managers to digest.
- The architecture itself allows certain assumptions: what needs to be fixed, and which actions may be applicable.

Approach
- Encode the experts' knowledge as rules and constraints.
- Create a process that uses this knowledge representation.
- Use that process to detect and resolve issues that arise in the system.

Key Elements
- Knowledge Representation (KR)
- Event Interpretation (EI)
- Response Selection (RS)
- Claims Selection (CS)

Knowledge Representation (KR)
Captures the knowledge of the human experts. Four types of knowledge:
- System knowledge: which machine runs which OS, which network it is on, which services it hosts, and what is connected to or depends upon any given host.
- Symptomatic knowledge: states of the system, reports from the system, and a classification of possible vulnerabilities.
- Which response options are available.
- Whether a given response will be effective.

Event Interpretation (EI)
- Constructs a constraint network from the alerts.
- Four types of hypotheses: dead, corrupt, flooded, and known issues.
- The fourth type covers known issues that can arise within the system.

Response Selection (RS)
- Uses responses to maintain the system's operational capabilities.
- Six types of high-level response: refresh, reset, ping, quarantine, isolate, and degrade.
- Picks the sequence of response execution that will be most effective.

Claims Selection (CS)
- Responsible for selecting a subset of the hypotheses to act on.
- Looks at metadata such as proof status.
- Divides the hypotheses into two sets: the proven set and the accepted set.

Putting it all together

The main idea is to have the CS act as a controller that monitors all the decisions made by the other components. Using the checks built into each component, with the CS monitoring all of the work, the system can create a response plan. That plan is then processed through checks within the RS to make sure the response to the attack keeps the system in a working state.
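As an added illustration of how the four components fit together, here is a small Python model of one pass of the loop. It is not code from the paper or from BBN: the host table, the alert format, the mapping of reports to hypotheses, the ordering of responses and the rule that two independent sensors make a claim "proven" are all assumptions made for this example. EI folds alerts into hypotheses, CS promotes corroborated hypotheses to the proven set, and RS builds the response sequence while refusing a disruptive action against an unconfirmed claim on a host that other hosts depend upon.

```python
"""Toy model of the automated survivability-management loop:
KR (knowledge), EI (alerts -> hypotheses), CS (proven vs accepted claims),
RS (response sequence with a working-state check).

Illustration written for these notes; it is NOT the paper's or BBN's code.
Host table, alerts, hypothesis rules and response ordering are assumptions."""
from dataclasses import dataclass, field

# KR, system knowledge: OS, network, hosted services and dependencies (constructed).
HOSTS = {
    "web1": {"os": "linux", "net": "dmz", "services": ["http"], "depends_on": ["db1"]},
    "db1": {"os": "linux", "net": "core", "services": ["sql"], "depends_on": []},
    "ws7": {"os": "windows", "net": "office", "services": [], "depends_on": []},
}
# KR, symptomatic knowledge: which raw report supports which hypothesis (assumed).
EVENT_TO_HYPOTHESIS = {
    "heartbeat_missed": "dead",
    "checksum_mismatch": "corrupt",
    "syn_rate_high": "flooded",
}
# KR, response knowledge: candidate high-level responses per hypothesis,
# least disruptive first (the ordering is an assumption; the verbs are the slide's).
RESPONSES = {
    "dead": ["ping", "refresh"],
    "corrupt": ["quarantine", "reset"],
    "flooded": ["isolate"],
}
DISRUPTIVE = {"refresh", "reset", "quarantine", "isolate"}


@dataclass
class Hypothesis:
    host: str
    kind: str                                  # dead | corrupt | flooded | known_issue
    sources: set = field(default_factory=set)  # sensors that reported it
    status: str = "accepted"                   # accepted | proven (set by CS)


def interpret(alerts):
    """EI: fold raw alerts into one hypothesis per (host, kind), keeping the sensors."""
    hyps = {}
    for alert in alerts:
        kind = EVENT_TO_HYPOTHESIS.get(alert["event"], "known_issue")
        hyp = hyps.setdefault((alert["host"], kind), Hypothesis(alert["host"], kind))
        hyp.sources.add(alert["sensor"])
    return list(hyps.values())


def select_claims(hyps, min_sources=2):
    """CS: a hypothesis corroborated by >= min_sources independent sensors is
    'proven'; the rest stay merely 'accepted'. Proven claims are returned first."""
    for hyp in hyps:
        hyp.status = "proven" if len(hyp.sources) >= min_sources else "accepted"
    return sorted(hyps, key=lambda h: h.status != "proven")


def dependents(host):
    """KR lookup: hosts whose service depends on `host`."""
    return [name for name, info in HOSTS.items() if host in info["depends_on"]]


def select_responses(claims):
    """RS: build the response sequence. Working-state check: a disruptive action
    on an unproven claim is refused when other hosts depend on the target;
    the target is run degraded until more evidence arrives instead."""
    plan = []
    for claim in claims:
        if claim.kind == "known_issue":
            continue  # assumed to be handled by a fixed playbook, not by RS
        for action in RESPONSES[claim.kind]:
            if action in DISRUPTIVE and claim.status != "proven" and dependents(claim.host):
                plan.append(("degrade", claim.host))
                break
            plan.append((action, claim.host))
    return plan


def run(alerts):
    """One pass of the outer control loop: EI -> CS -> RS."""
    return select_responses(select_claims(interpret(alerts)))


# Constructed sample alerts (not from the paper's simulation environment).
ALERTS = [
    {"sensor": "hb-monitor", "host": "web1", "event": "heartbeat_missed"},
    {"sensor": "net-probe", "host": "web1", "event": "heartbeat_missed"},
    {"sensor": "fim", "host": "ws7", "event": "checksum_mismatch"},
    {"sensor": "flow-ids", "host": "db1", "event": "syn_rate_high"},
    {"sensor": "syslog", "host": "ws7", "event": "disk_full"},
]

if __name__ == "__main__":
    for claim in select_claims(interpret(ALERTS)):
        print(f"{claim.status:8} {claim.kind:12} {claim.host} <- {sorted(claim.sources)}")
    for action, host in run(ALERTS):
        print(f"{action} {host}")
```

With the sample alerts, web1 is reported dead by two sensors and becomes the only proven claim, so it is pinged and refreshed; ws7 has no dependents, so quarantine and reset go ahead even on a single report; db1 is only suspected of flooding, and because web1 depends on it the RS check swaps "isolate" for "degrade". Add a second sensor confirming the flood and the claim becomes proven, after which isolating db1 is allowed.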

Current Achievements
Implemented a simulation environment with:
- 50 hosts
- 60 NICs
- multiple routers and switches
- 12 application-level protocols

Related Work
- Cisco's Self-Defending Network.
- One key difference is this work's focus on operating without user involvement.

Conclusion
- The paper concludes that the work is currently ongoing.
- The authors are learning more from past successes and failures.
- Success at this level will be a stepping stone.

Why Do This
- Faster response time
- Expert managers for every system
- No corrupted humans in the loop
- Stronger, more reliable system
- Less chance for an attack to spread

Why Not Do This
- No human expert in the loop
- The machine can have bugs
- Some decisions may never get made
- Error reports may be corrupted

Thank You. Any questions?

References
Partha Pal, Franklin Webber, Michael Atighetchi, Paul Rubel, and Paul Benjamin. "Automating Cyber Defense Management." Second International Workshop on Recent Advances in Intrusion Tolerant Systems, held with EuroSys 2008, Glasgow, UK, March 31 - April 4, 2008.