1 Multilevel Bidirectional Damage Assessment Peng Liu, Penn State University Jason Li, Information Automation Inc. ARO Workshop on Cyber Situational Awareness.

Slides:



Advertisements
Similar presentations
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Advertisements

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
Moving Target Defense in Cyber Security
Chapter 3: The Internal Organization: Resources, Capabilities, Core Competencies and Competitive Advantages Overview: Importance of understanding internal.
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
Introduction to Operating Systems – Windows process and thread management In this lecture we will cover Threads and processes in Windows Thread priority.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Chapter 13 Embedded Systems
Lecture 11 Reliability and Security in IT infrastructure.
Chapter 12 File Management Systems
Critical Infrastructure Interdependencies H. Scott Matthews March 30, 2004.
Towards Application Security On Untrusted OS
Computer Security: Principles and Practice
Polaris Financial Technologies Welcomes the members of Hyderabad chapter for the 2nd event on 4 th July 14 held by PACE (The Testing Practice)
Dr. Kalpakis CMSC 461, Database Management Systems Introduction.
Chapter 13: I/O Systems I/O Hardware Application I/O Interface
Greenbench: A Benchmark for Observing Power Grid Vulnerability Under Data-Centric Threats Mingkui Wei, Wenye Wang Department of Electrical and Computer.
1 Security Risk Analysis of Computer Networks: Techniques and Challenges Anoop Singhal Computer Security Division National Institute of Standards and Technology.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
A Portable Virtual Machine for Program Debugging and Directing Camil Demetrescu University of Rome “La Sapienza” Irene Finocchi University of Rome “Tor.
Overview Integration Testing Decomposition Based Integration
MOBILE AD-HOC NETWORK(MANET) SECURITY VAMSI KRISHNA KANURI NAGA SWETHA DASARI RESHMA ARAVAPALLI.
An approach to Intelligent Information Fusion in Sensor Saturated Urban Environments Charalampos Doulaverakis Centre for Research and Technology Hellas.
ISA 562 Internet Security Theory & Practice
Integrity Through Mediated Interfaces PI Meeting: Feb 22-23, 2000 Bob Balzer Information Sciences Institute Legend: Changes from previous.
Chapter 3: Operating-System Structures System Components Operating System Services System Calls System Programs System Structure Virtual Machines System.
CYBERCOG Test Bed Overview. The Experiment Setup 2 Screens per analyst A common projector screen Experimenter observing the interactions and taking notes.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.
Computer Science Open Research Questions Adversary models –Define/Formalize adversary models Need to incorporate characteristics of new technologies and.
Cluster Reliability Project ISIS Vanderbilt University.
INT-Evry (Masters IT– Soft Eng)IntegrationTesting.1 (OO) Integration Testing What: Integration testing is a phase of software testing in which.
Richard Johnson  How can we use the visualization tools we currently have more effectively?  How can the Software Development.
Processes and OS basics. RHS – SOC 2 OS Basics An Operating System (OS) is essentially an abstraction of a computer As a user or programmer, I do not.
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
1 Introduction to Middleware. 2 Outline What is middleware? Purpose and origin Why use it? What Middleware does? Technical details Middleware services.
Lecture 3 Process Concepts. What is a Process? A process is the dynamic execution context of an executing program. Several processes may run concurrently,
INTERACTIVE ANALYSIS OF COMPUTER CRIMES PRESENTED FOR CS-689 ON 10/12/2000 BY NAGAKALYANA ESKALA.
Next-generation databases Active databases: when a particular event occurs and given conditions are satisfied then some actions are executed. An active.
CE Operating Systems Lecture 11 Windows – Object manager and process management.
Gaining Cyber Situation Awareness in Enterprise Networks: A Systems Approach Peng Liu, Xiaoyan Sun, Jun Dai Penn State University ARO Cyber Situation Awareness.
(a) What is the output generated by this program? In fact the output is not uniquely defined, i.e., it is not always the same. So please give three examples.
Evaluating Network Security with Two-Layer Attack Graphs Anming Xie Zhuhua Cai Cong Tang Jianbin Hu Zhong Chen ACSAC (Dec., 2009) 2010/6/151.
Silberschatz, Galvin and Gagne  Operating System Concepts UNIT II Operating System Services.
A Generic Approach to Automatic Deobfuscation of Executable Code Paper by Babak Yadegari, Brian Johannesmeyer, Benjamin Whitely, Saumya Debray.
Operating Systems Security
Computer virus Speaker : 蔡尚倫.  Introduction  Infection target  Infection techniques Outline.
A Binary Agent Technology for COTS Software Integrity Anant Agarwal Richard Schooler InCert Software.
Operating Systems: Summary INF1060: Introduction to Operating Systems and Data Communication.
Resolve today’s IT management dilemma Enable generalist operators to localize user perceptible connectivity problems Raise alerts prioritized by the amount.
Software Connectors. What is a Software Connector? 2 What is Connector? – Architectural element that models Interactions among components Rules that govern.
1 Security Architecture and Designs  Security Architecture Description and benefits  Definition of Trusted Computing Base (TCB)  System level and Enterprise.
System Components Operating System Services System Calls.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.
Memory Protection: Kernel and User Address Spaces
Wenjing Lou Complex Networks and Security Research (CNSR) Lab
Backtracking Intrusions
Backtracking Intrusions
Modeling Cyberspace Operations
Memory Protection: Kernel and User Address Spaces
Network Intrusion Responder Program
Memory Protection: Kernel and User Address Spaces
Memory Protection: Kernel and User Address Spaces
Chapter 2 Database Environment.
Multi-Step Attack Defense Operating Point Estimation via Bayesian Modeling under Parameter Uncertainty Peng Liu, Jun Dai, Xiaoyan Sun, Robert Cole Penn.
Software Architecture Lecture 20
Analysis models and design models
Introduction to Operating Systems
Design Yaodong Bi.
Design.
Memory Protection: Kernel and User Address Spaces
Presentation transcript:

1 Multilevel Bidirectional Damage Assessment Peng Liu, Penn State University Jason Li, Information Automation Inc. ARO Workshop on Cyber Situational Awareness Nov GMU, Fairfax, VA

2 Multilevel Situational Awareness

3 Damage Assessment Aspect Goal: Develop techniques and tools to identify and assess compromised and damaged information assets Damage assessment is an indispensible part of situation awareness A computer handles only two types of information assets: data and code Network packets are data So only two things could be damaged: data or code

4 But why is damage assessment still a hard problem? Observation 1: A piece of damaged data or code has different semantics at different levels Observation 2: Damage can propagate Observation 3: Damage assessment has two dimensions Time dimension Space dimension

5 Observation 1: we cannot ignore semantics A data record is corrupted by SQL injection attack: Instruction level semantics: a memory unit is tainted Process level semantics: the process (code) executing the malicious SQL query is doing bad things Transaction level semantics: there is a malicious interest rate adjusting transaction, and a data record is corrupted Business process level: the interest rate management business process is causing damage Application level semantics: the loan management application is causing $80 million cascading financial loss Mission level semantics: the mission of protecting the national finance infrastructure is in trouble

6 Observation 2: damage can propagate Direct damage is directly caused by intrusion actions e.g., SQL injection  a data record is modified Indirect damage is indirectly caused by damage propagation e.g., a corrupted file X is used by an innocent program to corrupt file Y No “causality”  no damage propagation Damage assessment is about identifying and tracking the relevant “causality” relationships

7 Observation 3: damage assessment has two dimensions Time dimension: Reactive: what damage has already been caused Real-time: what damage is being caused Predictive: what damage would be caused in the future Reflective: why the damage was caused Space dimension: Multilevel damage assessment Bidirectional damage assessment

8 Focus of this talk We focus on the space dimension  Observation 3 A main merit of multilevel, bidirectional damage assessment is that semantics can be well addressed  Observation 1 Another main merit of multilevel, bidirectional damage assessment is that cross-layer damage propagation will be tracked  Observation 2

9 10,000 feet view of info systems Application code

10 Threat Model Threats may come from either inside or outside of the transaction-level scope of applications Inside the scope: both insider and outsider attacks need to either directly corrupt certain data objects or get certain malicious transactions launched Outside the scope: attack actions (e.g., Witty worm) may bypass the transaction interface and corrupt some data or code via low-level (e.g., memory, file, or I/O) operations

11 Mission Decomposition Model Mission Application 1Application 2 Application m … Bus process 1Bus process 2Bus process n… Task 1Task 2Task k… Application actions vs. environmental actions 40% 20% Influence Factor 20% Inter- dependency

12 Multi-Level Model for Situation Awareness Layer 5: the mission layer is the top layer. Layer 4 is the application layer A mission usually involves the execution of multiple applications. Layer 3 is the business process layer A business process is a workflow instance that involves the execution of multiple tasks. Layer 2 is the task layer A task is usually a partial order of pre-specified, planned actions, e.g., transactions Layer 1 is the action layer: either application actions or environmental actions. An environmental action can be associated with the OS, the network environment, the Physical World, or other peer applications.

13 Multi-Level Damage Assessment Task 1: tracking the causality relationships within each layer This capability is well addressed in the literature Task 2: tracking the causality relationships cross layers This capability is still largely missing in the literature

14 Bidirectional damage assessment Bottom-up direction: Start at a lower level Then track how the damage propagates to a higher level Top-down direction: Purpose 1: forensics Purpose 2: what-if analysis e.g., to satisfy new application requirements, the admin needs to open ports, add services & registry keys, etc., how will this affect lower level damage propagation? U-shape assessment: When new lower level damage propagation channels are caused, other existing applications may be reversely affected State-of-the-art: top-down damage assessment is still largely missing in the literature

15 Bottom-up Damage Assessment: one methodology Bottom level: instruction level Level 2: process/thread level Level 3: transaction level Level 4: business process level Level 5: application level Level 6: mission level

16 Bottom-up DA: instruction level assessment Memory cell X tainted Instruction U Memory cell YRegister ebx Instruction V I/O address Z Instruction level dependency graphs are already in the literature: -- Dynamic taint analysis (e.g., TaintCheck) -- Info flow analysis

17 Bottom-up DA: process level assessment Process dependency graphs: damage assessment (forward tracking) intrusion detection (backtracking) (a) X reads from a file (including directories, file attributes, and file names) after Y writes the file; (b) X reads from a piece of memory shared with Y; (c) Y is the parent of X (i.e., X is forked by Y); (d) X receives a message from Y through a pipe or a queue; (e) X receives a message from Y through a networking socket; (f) X receives a “signal” from Y; (g) X receives a semaphore from Y Process X Process Y From King & Chen 2003

18 A quick note Process dependency graphs can be derived from instruction level dependency graphs If we know which instruction belongs to which process

19 Relation to Attack Graphs Process dependency graphs and attack graphs are very different A node in an attack graph is a system attribute, while a node in a process dependency graph is a process An edge in an attack graph is an exploit, while an edge in a process dependency graph is a dependency relationship However, process dependency graphs and attack graphs can be integrated together

20 Bottom-up DA: Transaction-level Assessment Data Dependency Only

21 Bottom-up DA: Business process level assessment Add Control Dependency on top of transaction level graphs

22 Bridges between attack graphs and dependency graphs Annotate attack graphs with the set of poisoned data (e.g., files, records) and code (e.g., threads) When a poisoned code object X involves the execution of transaction Y, add a code bridge from X  Y: Due to this bridge, Y will be marked “poisoned” in the dependency graph When a poisoned data object X is read by a transaction Y, we add a data bridge from X  Y in the dependency graph

23 Bottom-up DA: Application level assessment One application runs multiple business processes; these business processes may have inter-dependencies Differences-based application-level DA Create a VEE: virtual execution environment Let the application run within a clean VEE Identify the application-level differences between the execution results within a clean VEE vs. within a contaminated execution environment

24 Mission level: Quantify the impact of attacks on a mission Based on the concrete attack effects captured by attack graphs and dependency graphs: Step 1: quantify the impact of business process level effects on applications Step 2: quantify the impact of application level effects on missions Both steps rely on Mission decomposition graphs Inter-dependency among components

25 Top-down Damage Assessment Purpose 1: forensics Travel through the bridges in the reverse direction One-to-many uncertainty: one consequence could be independently caused by multiple lower level events How to minimize such uncertainty is a primary challenge Purpose 2: answer what-if questions Leverage Bayesian networks

26 Questions? Thank you!

27 Requirements Real-time, automated damage assessment Assist analysts in finding root cause of a cyber attack Accurately find damaged network and system components ContainQuarantine Contain the spread of the malicious code; Quarantine damage Produce courses-of-action that provide continuity-of-operations for critical network and information enterprise functions. Accurate network map, visualization of where problems are from performance and security standpoints Overall view of what components/applications are down/damaged extent What extent the damage is, and what corrective actions to take (to keep the overall enterprise operable

28 Multi-Level Damage Assessment Capture the direct effects of malicious non- transactional actions using instruction-level,attack graphs Capture the effects of malicious transactions using transaction-level dependency graphs and business process level dependency graphs Capture the indirect effects of malicious non- transactional actions on applications by “bridges” between level-wise dependency graphs Capture the impact of attacks on a mission using mission decomposition graphs and conditional probabilities that quantify inter-dependency

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.