Gaining Cyber Situation Awareness in Enterprise Networks: A Systems Approach
Peng Liu, Xiaoyan Sun, Jun Dai, Penn State University
ARO Cyber Situation Awareness MURI



Framework overview (diagram). Components shown: system analysts; computer network; software sensors and probes (HyperSentry, Cruiser); multi-sensory human-computer interaction; enterprise model, activity logs, IDS reports, vulnerabilities; cognitive models and decision aids (instance-based learning models, simulation, measures of SA and shared SA); data conditioning, association and correlation; automated reasoning tools (R-CAST, plan-based narratives, graphical models, uncertainty analysis); information aggregation and fusion (transaction graph methods, damage assessment); real-world computer network and test-bed.

Theme A

Gaining Cyber SA in Enterprises
– Uncertainty analysis
– Cross-layer cyber SA

Part 1: Research Highlight

The Stealthy Bridge Problem in Cloud (diagram: Enterprises A, B, C, D, … sharing one cloud)

Cloud Features Enabling Stealthy Bridges
Virtual Machine Image (VMI) Sharing
– VMI repository
– Malicious VMI with security holes, e.g. backdoors
Virtual Machine Co-Residency
– No perfect isolation between virtual machines
– Co-residency can be leveraged, e.g. for side-channel attacks

Stealthy Bridges are Inherently Unknown
– They exploit unknown vulnerabilities
– They cannot be easily distinguished from authorized activities
  – E.g. side-channel attacks extract information by passively observing shared resources
  – E.g. logging into a virtual machine instance by leveraging credentials intentionally left in the image

Our Observation
Stealthy bridges per se are difficult to detect, but the intrusion steps before and after the construction of a stealthy bridge may trigger observable abnormal activities.

Our Approach
– Model stealthy bridges as part of the attack causality
– Use the evidence collected from the other intrusion steps to quantify the likelihood that a stealthy bridge exists

Logical Attack Graph

Public Cloud Structure

Cloud-level Attack Graph Model
– VM Layer: the major layer; reflects the causality between vulnerabilities and exploits
– VMI Layer: attacks enabled by VMI sharing
– Host Layer: attacks enabled by VM co-residency

Bayesian Network: a portion of a BN with its associated CPT (conditional probability table)

Bayesian Network
– Prediction analysis: “forward” computation, Pr(symptom | cause = True), e.g. Pr(IDS alert | exploitation = True)
– Diagnosis analysis: “backward” computation, Pr(cause | symptom = True), e.g. Pr(exploitation | IDS alert = True)
– Our work: diagnosis analysis

Identify the Uncertainties
– Uncertainty of stealthy bridge existence
– Uncertainty of attacker action
– Uncertainty of exploitation success
– Uncertainty of evidence

Uncertainty of Stealthy Bridge Existence

Uncertainty of Attacker Action: a portion of a BN with an Attacker Action Node (AAN)

Uncertainty of Exploitation Success: derived from the CVSS Access Complexity metric (High, Medium, Low)

Uncertainty of Evidence
– The support that a piece of evidence lends to an event is uncertain
– Evidence from security sensors is not 100% accurate
– Modeled with an Evidence Confidence Node (ECN)

Implementation: Cloud-level Attack Graph Generation

Implementation: BN Construction
– Remove the rule nodes of the attack graph
– Add the new node types (e.g. AAN, ECN)
– Determine the prior probabilities
– Construct the CPTs
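The following is an added, self-contained example (written for this transcript, not the MURI project's code) of the diagnosis analysis, the four uncertainties and the BN construction described on the preceding slides. One chain of the cross-layer attack graph (stealthy bridge, attacker action, exploitation, IDS alert) is encoded as a small Bayesian network and queried backward from an IDS alert. The node names, the 0.1 prior on bridge existence, the 0.8 attacker-action probability and the 0.9/0.05 IDS detection and false-positive rates are assumptions chosen for illustration. Using the CVSS v2 Access Complexity metric values (0.35/0.61/0.71) directly as the probability of exploitation success follows the slide's hint; the exact mapping the authors use is not on the page. Evidence confidence (the ECN idea) is modeled as a likelihood weight on the reported sensor value.

```python
from itertools import product

# CVSS v2 Access Complexity metric values (High/Medium/Low). Used here, as the
# slides suggest, as the probability that an attempted exploitation succeeds.
CVSS_V2_ACCESS_COMPLEXITY = {"high": 0.35, "medium": 0.61, "low": 0.71}


class BinaryBN:
    """Minimal Bayesian network over boolean variables; exact inference by enumeration."""

    def __init__(self):
        self.nodes = []     # insertion order doubles as topological order
        self.parents = {}
        self.cpt = {}       # node -> {tuple(parent values): P(node = True | parents)}

    def add(self, name, parents, cpt):
        self.nodes.append(name)
        self.parents[name] = list(parents)
        self.cpt[name] = cpt

    def joint(self, assignment):
        """P(every node takes the value given in `assignment`), via the chain rule."""
        p = 1.0
        for n in self.nodes:
            key = tuple(assignment[q] for q in self.parents[n])
            pt = self.cpt[n][key]
            p *= pt if assignment[n] else 1.0 - pt
        return p

    def posterior(self, query, evidence):
        """P(query = True | evidence). `evidence` maps node -> (reported value, confidence).

        Confidence c plays the role of the ECN: the sensor report is right with
        probability c. It enters as a likelihood weight (c if the node matches the
        report, 1 - c otherwise), so c = 1.0 is hard evidence and c = 0.5 says nothing.
        Because the weights simply multiply, the order in which evidence is entered
        cannot change the result.
        """
        num = den = 0.0
        for values in product((False, True), repeat=len(self.nodes)):
            a = dict(zip(self.nodes, values))
            w = self.joint(a)
            for node, (reported, conf) in evidence.items():
                w *= conf if a[node] == reported else 1.0 - conf
            den += w
            if a[query]:
                num += w
        return num / den


def build_stealthy_bridge_bn(access_complexity="medium"):
    """One chain of the cross-layer attack graph as a BN: bridge -> action -> exploit -> alert.

    All numbers below are assumed for illustration, not taken from the paper.
    """
    bn = BinaryBN()
    # Uncertainty of stealthy bridge existence: prior that a backdoored VMI or a
    # co-resident host gives the attacker a foothold on this server.
    bn.add("bridge", [], {(): 0.10})
    # Uncertainty of attacker action (AAN): having a bridge, the attacker uses it with
    # probability 0.8; without one, this attack step is never attempted.
    bn.add("action", ["bridge"], {(True,): 0.80, (False,): 0.0})
    # Uncertainty of exploitation success: taken from CVSS Access Complexity.
    bn.add("exploit", ["action"],
           {(True,): CVSS_V2_ACCESS_COMPLEXITY[access_complexity], (False,): 0.0})
    # Sensor model: the IDS fires on 90% of real exploitations and on 5% of benign cases.
    bn.add("alert", ["exploit"], {(True,): 0.90, (False,): 0.05})
    return bn


def diagnose(access_complexity="medium", alert_confidence=1.0):
    """Diagnosis analysis: Pr(cause | IDS alert reported with confidence `alert_confidence`)."""
    bn = build_stealthy_bridge_bn(access_complexity)
    evidence = {"alert": (True, alert_confidence)}
    return {cause: bn.posterior(cause, evidence) for cause in ("bridge", "action", "exploit")}


if __name__ == "__main__":
    prior = build_stealthy_bridge_bn().posterior("exploit", {})
    print(f"prior Pr(exploit) = {prior:.4f}")
    for conf in (1.0, 0.7, 0.5):
        posts = diagnose("medium", conf)
        print(f"ECN = {conf}: " + ", ".join(f"Pr({k} | alert) = {v:.4f}" for k, v in posts.items()))
```

With the assumed numbers, a fully trusted alert raises Pr(exploit) from about 0.05 (prior) to about 0.48 and Pr(bridge) to about 0.51; a confidence of 0.7 only moves Pr(exploit) to about 0.10, and a confidence of 0.5 leaves every posterior at its prior. Lowering the Access Complexity (an easier exploit) raises the posterior for the same alert, which is the effect the CVSS-based prior is meant to capture.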

Experiment: Attack Scenario (diagram showing attack Steps 1 through 7; the steps are listed on the next slide)

Experiment: Attack Scenario
Step 1: Publish a malicious VMI
Step 2: Exploit an instance of the malicious VMI in Enterprise A
Step 3: Exploit a vulnerability on B’s web server
Step 4: Leverage the co-residency of B’s and C’s web servers to compromise the latter
Step 5: Upload an application containing a Trojan horse to the shared folder on C’s NFS
Step 6: An innocent user from C installs the malicious application
Step 7: Compromise the other instances of the malicious VMI from Step 1

The Constructed Cross-Layer Bayesian Network

BN Input and Output
Input: network deployment

BN Input and Output
Input: evidence collected from security sensors

BN Input and Output
Output: probabilities of the events (nodes) of interest

Experiment 1: Evidence is observed in the order of the attack steps
N5: A stealthy bridge exists in Enterprise A’s web server
N8: The attacker can execute arbitrary code on A’s web server
N22: A stealthy bridge exists in the host on which B’s web server resides
N25: The attacker can execute arbitrary code on C’s web server

Experiment 2: Test the influence of false alerts on the BN

Experiment 3: Test the influence of the evidence confidence value on the BN

Experiment 4: Test the effect of evidence input order on the BN analysis
– Bring forward the evidence N47 and N49 from Step 7 and insert them before N23 and N37 respectively
– The BN still produces reliable results when the evidence order changes

Part 2: Research Highlight

The Network Service Dependency Discovery Problem
Benefits of service dependency discovery:
– fault localization
– identification of mission-critical services
– prioritizing the defense options

Overview: service dependency discovery
Two families of approaches, with a tradeoff between accuracy and transparency:
– System-call centric: more accurate, less transparent (requires instrumentation on the hosts)
– Traffic centric: transparent to hosts, less accurate

Key Insights (1): Causal Path
“Causal paths” are hidden behind the interdependencies of services and applications

Key Insights (2): OS-Layer Causal Path
Causal paths are captured by the SODG (system object dependency graph)

Example: an actual OS-layer causal path (figure: a sequence of timestamped system-call events t0 through t8)

The Snake System
– System call interception
– SODG representation/generation
– OS-level causal path identification
– OS-level service execution path extraction
– Network service dependency graph generation

Evaluation …

Case Study: Avactis 2.1.3

Case study: add a user in TikiWiki
Files involved:
/var/lib/mysql/tiki/tiki_pageviews.MYD
/var/lib/mysql/tiki/tiki_sessions.MYD
/var/lib/mysql/tiki/users_users.MYD
/var/lib/mysql/tiki/users_usergroups.MYD
/var/log/apache/access.log
/var/log/apache/error.log
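The following is an added example (written for this transcript, not the Snake system's code) of the pipeline on the preceding slides, run on a TikiWiki-style request: a constructed, strace-like trace is turned into an SODG, a causal path is tracked forward from the client's TCP connection using the syscall timestamps, and the OS-level service execution path plus a network service dependency edge are read off it. The trace lines, the process/object naming, the syscall-to-edge rules and the dependency rule (a service that wrote an object depends on the later-reached service that read it) are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed, simplified strace-like trace: (timestamp, pid, comm, syscall, object).
# Objects are files or sockets; processes become nodes named "proc:<pid>/<comm>".
TRACE = [
    (0, 877, "mysqld", "write", "/var/lib/mysql/tiki/tiki_pageviews.MYD"),  # before the request: not causal
    (1, 1201, "apache2", "accept", "tcp:203.0.113.5:51022"),
    (2, 1201, "apache2", "read", "tcp:203.0.113.5:51022"),
    (3, 1201, "apache2", "write", "unix:/var/run/mysqld/mysqld.sock"),
    (4, 877, "mysqld", "read", "unix:/var/run/mysqld/mysqld.sock"),
    (5, 877, "mysqld", "write", "/var/lib/mysql/tiki/users_users.MYD"),
    (6, 877, "mysqld", "write", "/var/lib/mysql/tiki/users_usergroups.MYD"),
    (7, 877, "mysqld", "write", "unix:/var/run/mysqld/mysqld.sock"),
    (8, 1201, "apache2", "read", "unix:/var/run/mysqld/mysqld.sock"),
    (9, 1201, "apache2", "write", "/var/log/apache/access.log"),
    (10, 2310, "cron", "write", "/var/log/syslog"),  # unrelated process: not causal
]

# Assumed rules for turning a system call into an information-flow edge.
INBOUND = {"read", "recv", "recvfrom", "accept"}    # object -> process
OUTBOUND = {"write", "send", "sendto", "connect"}   # process -> object


def build_sodg(trace):
    """System Object Dependency Graph: timestamped edges between process and object nodes."""
    edges = []
    for t, pid, comm, syscall, obj in trace:
        proc = f"proc:{pid}/{comm}"
        if syscall in INBOUND:
            edges.append((obj, proc, t))
        elif syscall in OUTBOUND:
            edges.append((proc, obj, t))
        # other syscalls carry no flow between objects and are ignored here
    return edges


def forward_causal_path(edges, seed):
    """Forward tracking from `seed` (e.g. the client's TCP socket).

    Edges are walked in time order; an edge extends the path only if it happens at or
    after the moment its source node became part of the path. That timestamp test is
    what keeps the earlier mysqld write (t=0) and unrelated processes off the path.
    Returns the path edges and a map node -> time first reached.
    """
    reached = {seed: float("-inf")}
    path = []
    for src, dst, t in sorted(edges, key=lambda e: e[2]):
        if src in reached and t >= reached[src]:
            path.append((src, dst, t))
            reached.setdefault(dst, t)
    return path, reached


def _comm(proc_node):
    return proc_node.split("/", 1)[1]


def service_execution_path(path, reached):
    """OS-level service execution path: services (comm names) in order of first reach."""
    procs = sorted((t, n) for n, t in reached.items() if n.startswith("proc:"))
    order = []
    for _, n in procs:
        if _comm(n) not in order:
            order.append(_comm(n))
    return order


def service_dependencies(path, reached):
    """Network service dependency edges (consumer, provider).

    Rule (assumed): if service X wrote an object that service Y read later, and X entered
    the path before Y, the request was handed from X to Y, so X depends on Y. The reply
    flowing back from Y to X does not create a reverse edge because Y was reached later.
    """
    writers = defaultdict(list)  # object -> [(time, writing process)]
    for src, dst, t in path:
        if src.startswith("proc:"):
            writers[dst].append((t, src))
    deps = set()
    for src, dst, t in path:
        if dst.startswith("proc:"):
            for tw, w in writers.get(src, []):
                if tw < t and reached[w] < reached[dst] and _comm(w) != _comm(dst):
                    deps.add((_comm(w), _comm(dst)))
    return deps


if __name__ == "__main__":
    path, reached = forward_causal_path(build_sodg(TRACE), "tcp:203.0.113.5:51022")
    for src, dst, t in path:
        print(f"t={t}: {src} -> {dst}")
    print("execution path:", service_execution_path(path, reached))
    print("dependencies:", service_dependencies(path, reached))
```

On this trace the causal path runs from the client socket through apache2, the MySQL UNIX socket and mysqld to users_users.MYD and users_usergroups.MYD, then back to apache2 and access.log; the execution path is [apache2, mysqld] and the single dependency edge is (apache2, mysqld). The tiki_pageviews.MYD write at t=0 and the cron activity never appear, because no causal edge reaches them.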

Q & A. Thank you.

ARO MURI: Computer-aided Human-Centric Cyber Situation Awareness: SKRM Inspired Cyber SA Analytics
Penn State University (Peng Liu)

Objectives: Improve Cyber SA through:
– A Situation Knowledge Reference Model (SKRM)
– A systematic framework for uncertainty management
– Cross-knowledge-abstraction-layer SA analytics
– Game theoretic SA analytics

DoD Benefit: Innovative SA analytics lead to improved capabilities in gaining cyber SA.

Scientific/Technical Approach:
– Leverage knowledge of “us”
– Cross-abstraction-layer situation knowledge integration
– Network-wide system call dependency analysis
– Probabilistic graphical models
– Game theoretic analysis

Accomplishments:
– A suite of SKRM-inspired SA analytics
– A Bayesian Networks approach to uncertainty
– A method to identify zero-day attack paths
– A signaling game approach to analyze cyber attack-defense dynamics

Challenges:
– Systematic evaluation and validation
– Uncertainty analysis