Multi-Step Attack Defense Operating Point Estimation via Bayesian Modeling under Parameter Uncertainty Peng Liu, Jun Dai, Xiaoyan Sun, Robert Cole Penn.

Presentation transcript:

Multi-Step Attack Defense Operating Point Estimation via Bayesian Modeling under Parameter Uncertainty
Peng Liu, Jun Dai, Xiaoyan Sun, Robert Cole
Penn State University, pliu@ist.psu.edu
ARO Cyber Situation Awareness MURI

[Architecture diagram; labels only: Real World System; Computer network; Enterprise Model; Activity Logs; IDS reports; Vulnerabilities; Analysts; Computer network Test-bed; Software Sensors, probes; Hyper Sentry; Cruiser; Information Aggregation & Fusion; Transaction Graph methods; Damage assessment; Data Conditioning; Association & Correlation; Automated Reasoning Tools; R-CAST; Plan-based narratives; Graphical models; Uncertainty analysis; Multi-Sensory Human Computer Interaction; Cognitive Models & Decision Aids; Instance Based Learning Models; Simulation; Measures of SA & Shared SA]

System Architecture – Cyber Security Perspective

Year 4 projects
Multi-Step Attack Defense Operating Point Estimation via Bayesian Modeling
-- PhD dissertation
Snake: Discover and Profile Network Service Dependencies via network-wide SCDGs
-- Tool & paper (in progress)
Patrol: Zero-day attack path detection via network-wide SCDGs
-- ESORICS'13
-- Tool
Cross-layer Bayesian networks to manage uncertainty in cyber SA
-- Paper (in progress)
CLR: Automated recovery plan generation
-- ICICS'13

Year 4 accomplishments
Publications:
-- 1 PhD dissertation
-- 5 journal papers
-- 11 conference papers
-- 1 book chapter
Tools:
-- Patrol
-- Snake (in progress)
Tech transfer:
-- DoD SBIR 12.3 Phase I OSD12-IA5 project "An Integrated Threat feed Aggregation, Analysis, and Visualization (TAAV) Tool for Cyber Situational Awareness," funded, led by Intelligent Automation, Inc.
Students:
-- Jun Dai (50%), PhD
-- Xiaoyan Sun (50%), PhD
-- Robert Cole (0%), PhD

Research Highlight: Multi-step attack defense operating point estimation via Bayesian modeling

Motivation
No real-world IDS is perfect.
-- When an IDS is configured to achieve a higher true positive rate, it usually suffers a higher false positive rate as well.
Such a (true positive rate, false positive rate) tradeoff is called an operating point of the IDS.
The cyber operator can keep tuning the IDS until the estimated operating point is close enough to the desired operating point.
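The tuning loop on this slide, as an added example (not code from the presentation or its authors): estimate the (true positive rate, false positive rate) operating point of a single IDS at each alert threshold from a labelled evaluation set, then pick the threshold whose estimated point lies closest to the operating point the operator wants. The scores and labels are constructed for illustration.

```python
"""Estimate single-IDS operating points and tune toward a desired one.

Added example, not from the presentation. The evaluation set below is
constructed: each entry is (anomaly score the IDS assigned, is_malicious).
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class OperatingPoint:
    threshold: float
    tpr: float  # true positive rate  = TP / (TP + FN)
    fpr: float  # false positive rate = FP / (FP + TN)


# Constructed ground-truth sample: 6 malicious events, 9 benign events.
SAMPLE = [
    (0.95, True), (0.90, True), (0.85, False), (0.80, True), (0.75, True),
    (0.70, False), (0.65, True), (0.60, False), (0.55, False), (0.50, True),
    (0.45, False), (0.40, False), (0.35, False), (0.30, False), (0.20, False),
]


def estimate_operating_point(sample, threshold):
    """Operating point when the IDS alerts on every event with score >= threshold."""
    tp = sum(1 for s, mal in sample if mal and s >= threshold)
    fn = sum(1 for s, mal in sample if mal and s < threshold)
    fp = sum(1 for s, mal in sample if not mal and s >= threshold)
    tn = sum(1 for s, mal in sample if not mal and s < threshold)
    return OperatingPoint(threshold, tp / (tp + fn), fp / (fp + tn))


def roc_curve(sample):
    """One estimated operating point per distinct score threshold (highest first).

    Lowering the threshold raises TPR but, on this sample as in general,
    raises FPR with it: the tradeoff the slide describes.
    """
    thresholds = sorted({s for s, _ in sample}, reverse=True)
    return [estimate_operating_point(sample, t) for t in thresholds]


def tune(sample, desired_tpr, desired_fpr):
    """Tuning loop: return the threshold whose estimated point is nearest the desired one."""
    return min(
        roc_curve(sample),
        key=lambda p: math.hypot(p.tpr - desired_tpr, p.fpr - desired_fpr),
    )


if __name__ == "__main__":
    for p in roc_curve(SAMPLE):
        print(f"threshold={p.threshold:.2f}  TPR={p.tpr:.3f}  FPR={p.fpr:.3f}")
    best = tune(SAMPLE, desired_tpr=0.9, desired_fpr=0.2)
    print("closest to desired (0.9, 0.2):", best)
```

The distance used by `tune` is plain Euclidean distance in the (TPR, FPR) plane; an operator who weighs missed attacks more heavily than false alarms would swap in a weighted metric. The estimate is only as good as the labelled sample, which is the accuracy limit the next slide raises.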

Problem Statement
Due to the inherent uncertainty associated with gaining cyber SA, operating point estimation won't be 100% accurate.
Although the estimation problem for individual exploits has been studied in the literature, the estimation problem for multi-step attacks (a chain of exploits) under model parameter uncertainty has not yet been studied.
-- Traditional IDS systems do not explicitly consider uncertainty

Innovation Claim
We developed the first quantitative multi-step intrusion detection system operating point estimation framework based on Bayesian modeling.

Approach
Do generalized alert correlation analysis. Instead of requiring (certain types of) attribute value matches between two IDS alerts (e.g., the destination IP address of one alert matches the source IP address of another), we model the rationale for such matches using conditional probabilities and a Bayesian network.
-- Similar modeling is used in the ACSAC'04 work by Ning's group for a different purpose: they want to infer unknown intrusion evidence; in contrast, we want to quantify the uncertainty in operating point estimation.

Research Contribution 1
We developed a novel Bayesian operating point estimation model:
-- General multi-step attack strategies can be precisely specified as a "query" against the model, which corresponds to a specific Bayesian network.
-- Our model can propagate parameter uncertainty through the model to a query result.

Research Contribution 2
Shift from per-exploit detection to per-chain detection: in the case of zero parameter uncertainty, we developed an efficient algorithm to enumerate useful operating points within the 2-dimensional design space of [detection rate vs. false positive rate].

Research Contribution 3
For the uncertain parameter case, we studied the special case of serial-order multi-step attacks. We theoretically proved that there exist specific cases under which model parameter uncertainty won't produce output uncertainty.

Research Contribution 4
We found that operating points could become 2-dimensional operating boxes. The general problem of operating box enumeration is highly computationally complex. We conducted experiments evaluating two heuristic solutions. Experimental results show that a heuristic solution (our operating point enumeration algorithm) provides results very close to full enumeration. Results show the significance of uncertainty in the multi-step attack detection cases considered.
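An added example for Contributions 2 through 4 (constructed here; it is not the dissertation's model or its enumeration algorithm): a serial-order chain of exploits, each step watched by its own detector that offers several candidate (detection rate, false positive rate) points. The combination rule is an assumption made for the example: the chain is reported only when every step is flagged and step decisions are independent, so chain rates are products of step rates. With exact parameters the code enumerates the "useful" (Pareto-optimal) chain operating points; with interval-valued parameters the same products yield operating boxes.

```python
"""Chain-level operating points and operating boxes for a serial multi-step attack.

Added example, not the presentation's algorithm. Assumptions (for this example only):
  * each step i has its own detector with candidate (dr_i, fpr_i) points;
  * the chain is reported only when every step is flagged, and step decisions
    are independent, so chain DR = prod(dr_i) and chain FPR = prod(fpr_i);
  * under parameter uncertainty each rate is an interval [lo, hi].
"""
from itertools import product


def dominates(q, p):
    """q is at least as good as p in both dimensions and differs from it."""
    return q != p and q[0] >= p[0] and q[1] <= p[1]


def pareto_front(points):
    """Keep the 'useful' points: none with both higher DR and lower FPR exists."""
    front = []
    for p in points:
        if not any(dominates(q, p) for q in points) and p not in front:
            front.append(p)
    return sorted(front)


def chain_operating_points(step_candidates):
    """Zero-uncertainty case: enumerate useful chain (DR, FPR) points.

    Pruning dominated per-step choices first is exact under the product rule:
    swapping a dominated step point for its dominator never hurts the chain.
    """
    pruned = [pareto_front(c) for c in step_candidates]
    points = []
    for combo in product(*pruned):
        dr, fpr = 1.0, 1.0
        for d, f in combo:
            dr *= d
            fpr *= f
        points.append((round(dr, 6), round(fpr, 6)))
    return pareto_front(points)


def chain_operating_boxes(step_intervals):
    """Uncertain case: each step choice is ((dr_lo, dr_hi), (fpr_lo, fpr_hi)).

    Returns one box per combination as ((dr_lo, dr_hi), (fpr_lo, fpr_hi)).
    A box collapses to a point only when every factor is certain in that dimension.
    """
    boxes = []
    for combo in product(*step_intervals):
        dr_lo = dr_hi = fpr_lo = fpr_hi = 1.0
        for (d_lo, d_hi), (f_lo, f_hi) in combo:
            dr_lo *= d_lo
            dr_hi *= d_hi
            fpr_lo *= f_lo
            fpr_hi *= f_hi
        boxes.append(((round(dr_lo, 6), round(dr_hi, 6)),
                      (round(fpr_lo, 6), round(fpr_hi, 6))))
    return boxes


def box_widths(box):
    """(DR width, FPR width): how much output uncertainty the parameters produced."""
    (dr_lo, dr_hi), (fpr_lo, fpr_hi) = box
    return (round(dr_hi - dr_lo, 6), round(fpr_hi - fpr_lo, 6))


# Constructed per-step candidate points for a two-step chain.
STEP_POINTS = [
    [(0.9, 0.10), (0.7, 0.05), (0.6, 0.08)],  # (0.6, 0.08) is dominated by (0.7, 0.05)
    [(0.8, 0.20), (0.95, 0.30)],
]

# Constructed interval parameters: step 1 uncertain, step 2 known exactly.
STEP_INTERVALS = [
    [((0.85, 0.95), (0.08, 0.12))],
    [((0.80, 0.80), (0.20, 0.20))],
]

if __name__ == "__main__":
    print("useful chain operating points:", chain_operating_points(STEP_POINTS))
    for box in chain_operating_boxes(STEP_INTERVALS):
        print("operating box:", box, "widths:", box_widths(box))
```

Full enumeration is exponential in the chain length, which is the complexity the slide notes; the per-step Pareto pruning here is a safe reduction under the product rule, but a real deployment would pair it with the heuristics the authors evaluated rather than exhaustive search.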

Year 5
Snake: Discover and Profile Network Service Dependencies via network-wide SCDGs
-- Tool & paper (in progress)
Joint project with NIST: Cloud-wide vulnerability analysis
-- In progress
Joint project with NEC Labs: System-call-level security intelligence
-- In progress
Cross-layer Bayesian networks to manage uncertainty in cyber SA
-- In progress
Tool integration: with GMU, NCSU, etc.
-- In progress

ARO MURI: Computer-aided Human-Centric Cyber Situation Awareness: SKRM Inspired Cyber SA Analytics
Penn State University (Peng Liu), Tel. 814-863-0641, E-Mail: pliu@ist.psu.edu
Objectives: Improve Cyber SA through:
-- A Situation Knowledge Reference Model (SKRM)
-- A systematic framework for uncertainty management
-- Cross-knowledge-abstraction-layer SA analytics
-- Game theoretic SA analytics
DoD Benefit: Innovative SA analytics lead to improved capabilities in gaining cyber SA.
Scientific/Technical Approach:
-- Leverage knowledge of "us"
-- Cross-abstraction-layer situation knowledge integration
-- Network-wide system call dependency analysis
-- Probabilistic graphical models
-- Uncertainty analysis
-- Game theoretic analysis
Accomplishments:
-- A suite of SKRM inspired SA analytics
-- A Bayesian Networks approach to uncertainty
-- A method to identify zero-day attack paths
-- A signaling game approach to analyze cyber attack-defense dynamics
Challenges:
-- Systematic evaluation & validation

Q & A
Thank you.