A Mission-Centric Framework for Cyber Situational Awareness Assessing the Risk Associated with Zero-day Vulnerabilities: Automated Methods for Efficient.

Presentation transcript:

A Mission-Centric Framework for Cyber Situational Awareness
Assessing the Risk Associated with Zero-day Vulnerabilities: Automated Methods for Efficient and Effective Analysis of the Zero-day Landscape
S. Jajodia, M. Albanese, George Mason University
ARO-MURI on Cyber-Situation Awareness Review Meeting, Phoenix, AZ, October 28-29, 2013

Where We Stand in the Project
(Figure: project architecture diagram. Blocks shown: Computer network; Sensors, probes (Hyper Sentry, Cruiser); Activity logs, IDS reports, Vulnerabilities; Data conditioning (Association & Correlation); Information aggregation & fusion (Transaction graph methods, Damage assessment); Automated reasoning tools (R-CAST, Plan-based narratives, Graphical models, Uncertainty analysis); Cognitive models & decision aids (Instance-based learning models, Simulation, Measures of SA & shared SA); Multi-sensory human-computer interaction; Enterprise model; System analysts; Real-world test-bed.)

Quad Chart - Year 4
Objectives: Improve Cyber Situation Awareness via
- New efficient techniques for generating partial attack graphs on demand in order to enable effective analysis of zero-day vulnerabilities
- A three-step process to assess the risk associated with zero-day vulnerabilities
- A prototype of the probabilistic framework for unexplained activity analysis
DoD Benefit:
- Ability to answer some important questions automatically and efficiently
- Reduced workload on the analysts
- Reduced gap between raw security data and mental models
- Improved decision support
Major Accomplishments:
- Developed an efficient approach to assessing the risk of zero-day vulnerabilities (SECRYPT 2013) [Best Paper Award]
Challenges:
- Analyzing zero-day vulnerabilities for very large networks

Overview of contribution – Year 1
Technical accomplishments:
- A topological approach to vulnerability analysis that overcomes the drawbacks of traditional point-wise vulnerability analysis
- Preliminary data structures and graph-based techniques and algorithms for processing alerts/sensory data
- A novel security metric, k-zero day safety, that counts at least how many zero day vulnerabilities are required for compromising a network asset, and algorithms for applying the metric to hardening a network
Major breakthroughs:
- Capability of processing massive amounts of alerts/sensory data in real-time
- Capability of forecasting all possible futures, along with their probabilities and expected damage
- Capability of hardening a network against zero day vulnerabilities

Overview of contribution – Year 2
Technical accomplishments:
- Generalized dependency graphs, which capture how network components depend on one another
- Probabilistic temporal attack graphs, which encode probabilistic and temporal knowledge of the attacker’s behavior
- Attack scenario graphs, which combine dependency and attack graphs, bridging the gap between known vulnerabilities and the services or missions that could ultimately be affected
- Efficient algorithms for both detection and prediction
- A preliminary model to identify “unexplained” cyber activities, i.e., activities incompatible with any given known activity model, thus potentially improving detection of zero day attacks
Major breakthroughs:
- Capability of generating and ranking future attack scenarios in real-time

Overview of contribution – Year 3
Technical accomplishments:
- An efficient and cost-effective algorithm to harden a network with respect to given security goals
- A probabilistic framework for localizing attackers in mobile networks, based on the locations of nodes that have detected malicious activity in their neighborhood
- A probabilistic framework for assessing the completeness and quality of available attack models, both at the intrusion detection level and at the alert correlation level (joint work with UMD and ARL)
- A suite of novel techniques, enhancing NSDMiner, to automatically discover dependencies between network services from passively collected network traffic
- Switchwall, an Ethernet-based network fingerprinting technique for detecting unauthorized changes to the L2/L3 network topology
Major breakthroughs:
- Capability of automatically and efficiently executing several important analysis tasks, namely hardening, dependency analysis, and attacker localization

Overview of contribution – Year 4
Technical accomplishments:
- Effective and efficient methods for generating partial attack graphs on demand in order to enable efficient analysis of zero-day vulnerabilities
- A three-step process to assess the risk associated with zero-day vulnerabilities
- A prototype of the probabilistic framework for unexplained activity analysis
Major breakthroughs:
- Capability to reason about zero-day vulnerabilities and efficiently assess the risk associated with such vulnerabilities without generating the entire attack graph

Year 4 Statistics
Publications & presentations:
- 2 papers published in peer-reviewed conference proceedings (best paper award at SECRYPT 2013)
- 2 papers published in a peer-reviewed journal
- 1 book chapter
- 2 invited talks/lectures
Supported personnel:
- 2 faculty
- 2 post-doctoral researchers
- 1 doctoral student

Proposed Solution: System Architecture
(Figure: system architecture diagram. Inputs: Monitored Network, Alerts/Sensory Data (Cauldron, Switchwall), Vulnerability Databases (NVD, OSVD, CVE), Stochastic Attack Models. Core: Situation Knowledge Reference Model [Attack Scenario Graphs], Index & Data Structures, Topological Vulnerability Analysis (Cauldron), Generalized Dependency Graphs, Graph Processing and Indexing, Dependency Analysis (NSDMiner). Analysis tasks presented to the Analyst: Scenario Analysis & Visualization, Network Hardening, Unexplained Behavior Analysis, Zero-day Analysis.)

Zero-Day Analysis
M. Albanese, S. Jajodia, A. Singhal, and L. Wang. “An Efficient Approach to Assessing the Risk of Zero-Day Vulnerabilities”. In Proceedings of the 10th International Conference on Security and Cryptography (SECRYPT 2013), Reykjavík, Iceland, July 29-31. [Best Paper Award]

Background and Motivation (1/2)
- Computer systems are vulnerable to both known and zero-day attacks
- Known attack patterns can be easily modeled, so suitable hardening strategies can be developed
- Handling zero-day vulnerabilities is inherently difficult due to their unpredictable nature
- Attackers can leverage complex interdependencies among both known and unknown vulnerabilities and network configurations to penetrate seemingly well-guarded networks
- Attack graphs reveal such threats by enumerating potential paths that attackers can take to penetrate networks

Background and Motivation (2/2)

Example of Zero-Day Attack Graph
(Figure: zero-day attack graph over three hosts. host 0 is the attacker's starting point; host 1 exposes http and ssh; host 2 exposes ssh.)

Contributions (1/2)

Contributions (2/2)

Problem Statement (1/3)

Problem Statement (2/3)

Problem Statement (3/3)

Overall Decision Process
(Figure: flowchart. Start; assess whether security is sufficient; if No (insufficient security), harden the network and re-assess; if Yes (sufficient security), End.)
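The decision loop above, driven by the k-zero day safety metric from Year 1 and run on the three-host example graph, as an added illustration that is not code from the presentation or the authors' tools. It assumes a simplified form of the metric: each distinct service hides one unknown vulnerability, and the same service on two hosts shares that vulnerability, so exploiting it again costs no additional zero-day; the network, the required k, and the hardening step are constructed for the example.

```python
import heapq
from itertools import count

# Constructed toy network from the slide's example: the attacker starts on host0,
# host1 exposes http and ssh to host0, host2 exposes ssh to host1 only.
# Layout: host -> service -> set of hosts allowed to connect to that service.
EXAMPLE_NETWORK = {
    "host1": {"http": {"host0"}, "ssh": {"host0"}},
    "host2": {"ssh": {"host1"}},
}

def k_zero_day_safety(network, attacker_host, target_host):
    """Minimum number of distinct zero-day vulnerabilities needed to reach
    target_host from attacker_host, or None if it cannot be reached.
    Assumption: one zero-day per distinct service name, reusable across hosts."""
    tie = count()  # unique tie-breaker so the heap never compares frozensets
    heap = [(0, next(tie), (frozenset([attacker_host]), frozenset()))]
    seen = set()
    while heap:
        cost, _, (owned, used) = heapq.heappop(heap)
        if target_host in owned:
            return cost  # edge costs are 0 or 1, so the first pop is optimal
        if (owned, used) in seen:
            continue
        seen.add((owned, used))
        for host, services in network.items():
            if host in owned:
                continue
            for service, sources in services.items():
                if sources & owned:  # some already-compromised host may connect
                    new_used = used | {service}
                    state = (owned | {host}, new_used)
                    heapq.heappush(heap, (len(new_used), next(tie), state))
    return None

def decide(network, attacker_host, target_host, required_k):
    """Decision step from the flowchart: 'sufficient' if at least required_k
    zero-days are needed to reach the asset, otherwise 'harden'."""
    k = k_zero_day_safety(network, attacker_host, target_host)
    return "sufficient" if k is None or k >= required_k else "harden"

def without_service(network, host, service):
    """One hardening option: stop exposing a service; returns a new network."""
    hardened = {h: dict(s) for h, s in network.items()}
    hardened[host].pop(service, None)
    return hardened

if __name__ == "__main__":
    print(k_zero_day_safety(EXAMPLE_NETWORK, "host0", "host2"))  # 1 (ssh reused)
    print(decide(EXAMPLE_NETWORK, "host0", "host2", required_k=2))  # harden
    hardened = without_service(EXAMPLE_NETWORK, "host1", "ssh")
    print(decide(hardened, "host0", "host2", required_k=2))  # sufficient (k = 2)
```

Removing ssh from host1 forces two different zero-days (http on host1, then ssh on host2), which is the kind of hardening step the loop iterates until the required k is met.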

Problem 1: Proposed Solution

Problem 2: Proposed Solution

Problem 3: Proposed Solution

Experiments


Conclusions

Future Work

Plan for Year 5
Year 5 will primarily focus on:
- integration of the results of our efforts with results from other MURI team members
- extensive evaluation and refinement of the techniques proposed in years 1 to 4
Specific technical objectives include:
- Integrating zero-day analysis (Year 4) with our network hardening approach (Year 3). The objective is to harden a target network with respect to both known and unknown vulnerabilities in an effective and efficient way

Questions?