Detecting & Preventing Misuse of Privilege PI Meeting 1/27/05 Bob Balzer (Teknowledge) Howie Shrobe (MIT) Updates since Kickoff.


[PMOP architecture diagram. Components: GUI; Operator Action; Behavior Authorizer; Mediation Cocoon of mediators (M) around the Legacy App; Behavior Monitor; Operational System Model; Predicted State; Harm Assessment, which labels an action a Benign Operator Action or a Harmful Operator Action; Intent Assessment, which labels a harmful action as Operator Error or Malicious Insider.]

[Same architecture diagram, annotated with which components are MIT's and which are Teknowledge's.]

Distinguishing AWDRAT & PMOP
AWDRAT
  –Detecting misbehaving software: hijacks, overprivileged scripts, trap doors, faults
PMOP
  –Detecting misbehaving operators: malicious intent, operator error
For an integrated SRS system we need both capabilities
  –Have had extensive discussions on integrating both projects together - a head start on the workshop :-)

[JBI DemVal Dataflow diagram (via Publish/Subscribe). Components: MAF, CAF, Proposed MI, Approved MI, Targeting, TNL, JEESEDC, JW, CHW (Chem Hazard), SPI, TAP, CHI, Combat Ops, AODB, AS, LOC, Weather Hazard, WH, WLC, ATO, EDC, CHA, External.]


End-To-End Demonstration
Block Harmful Operations
Differentiate
  –Operator Error
  –Malicious Intent
[PMOP architecture diagram as on the first slide, with JBI DemVal in place of the Legacy App.]

What We’ve Got (The Good – The Bad – The Ugly)
End-To-End Demonstration (demo shortly)
  –Working Prototypes of PMOP components
  –Working models & rules of target application
  –Working integration of PMOP components
Architecture Visualizer (demo shown in AWDRAT)
  –Event-Sequence diagrams
  –Architecture dataflow

What We’re Missing (The Good – The Bad – The Ugly)
Realistic Rules (Domain Knowledgeable)
  –Would be created by SMEs in real deployment
Comprehensive Rule Set
  –Would be created by SMEs in real deployment
Instrumentation of the GUI actions
  –Just Mission Building/Editing methods currently instrumented
  –GUI actions will be instrumented by 4/1/05

Accommodations (The Good – The Bad – The Ugly)
Java code base
  –Created wrapper infrastructure for Java
Planning Application (harm is in the future)
  –Defined Harm as publishing a harmful plan
Available JBI components to wrap
  –Detailed on next slide

[JBI DemVal Dataflow diagram (via Publish/Subscribe), same components as before, classified per the legend. Legend: Canned Component (publishes fixed output); Legacy Component (code not available); Table Lookup.] The Good – The Bad – The Ugly

DataFlow Demo

Event Diagram Demo

First SRS Tech Transition
Architecture Visualizer used in HURT (IXO)
  –Animated Event Sequence Diagram
  –Animated Dataflow Architecture

Differences from AWDRAT
  Harm Detector instead of Architecture Diff
  Client Reconstitution inactive

[Diagram: PMOP Execution Architecture – Scripted PMOP, driven from history. JBI Client and JBI Server each wrapped in a Mediation Cocoon (M); Harm Rules feed the Harm Detector; a Script Driver replays History Scripts and Visualizer Scripts; Client Reconstitution; Architecture Visualizer. Scripts:
  Nominal
  Harmful: Takeoff Before Landing
  Harmful: Missing Leg (landing not collocated with takeoff)]

[Diagram: Mixed Initiative PMOP – one client live (with human operator), the others scripted.]

Detecting Harmful Actions Demo

Determining Intent
Determining that an insider is/has been taking malicious action is a task for human security agents and managers. Our automated system takes the action of raising an “alarm”, based on:
  –Degree of harm in the action
  –Probability of malicious intent
and provides the initial evidence.

Degree of Harm We are interested in examining harm done by maliciously or accidentally creating a defective plan of action, such as an Air Tasking Order. We base our calculation of harm on a static analysis of the probable consequences of a plan. How the error happened is only used as evidence of intent.

Categories of Harmful Plans
Plan results in direct damage – e.g.:
  –Friendly fire incident
  –Political harm from attacking non-combatants
Plan results in a denial of resources – e.g.:
  –Wasting munitions and sorties
  –Creating confusion
  –Putting valuable personnel under suspicion

Factors used to Determine Intent
The harm is more likely to be intentional:
  1. If the plan defect depends on a more deliberate, more conscious process
  2. If the actions can be fit into a larger plan of action
  3. If there are related historical errors for the operator in question
  4. If the action involves coordination with others (inside or outside)
Even type 1 involves analyzing the trace of actions; the others involve keeping a historical “Case Book”.

Evidence of a Deliberate Process
  If the defect in the plan occurs through a plan editing, rather than plan creation, step
  If there is evidence of information hiding
  If there is evidence of tampering with logs or other monitors

Processing of MAF/CAF Traces
  Parse XML of traces
  Accumulate parsed trace into “User Actions”
    –Event creation followed by setInformation methods -> single Event creation
  Follow through the sequence of User Actions, simulating the effect on the plan and detecting when a harmful effect is created
  A harmful effect introduced by editing is flagged as definitely malicious

Raw Trace
missing-leg 5 6
**end-of-messages**
<MethodEnter methodClass="mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" thread="0"/>
<MethodReturn methodClass="mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" thread="0">
  <this class="mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" printer="1"/>
<MethodEnter methodName="setInformation" methodClass="mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" methodSignature="(Ljava/lang/String;Ljava/lang/String;)V" thread="0" arg0="EVTTYPE" arg1="TO">
  <this class="mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" printer="1"/>
....

Parsed
(("missing-leg 5 6")
 (ENTER :NAME CONSTRUCTOR :CLASS "mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject")
 (RETURN :NAME CONSTRUCTOR :CLASS "mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" :THIS ("MissionEventObject" "1"))
 (ENTER :NAME "setInformation" :CLASS "mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" :ARG0 "EVTTYPE" :ARG1 "TO" :THIS ("MissionEventObject" "1"))
 (RETURN :NAME "setInformation" :CLASS "mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" :ARG0 "EVTTYPE" :ARG1 "TO" :THIS ("MissionEventObject" "1"))
 ...

Reconstructed
(("missing-leg 5 6")
 (EVENT :THIS ("MissionEventObject" "1") :EVTTYPE "TO" :EVTCD "I" :EVTSEQID "1" :LOCID "KBLV-1" :LATITUDE " " :LONGITUDE "38.671" :TIMEON " T19:25:23Z" :TIMEOFF " T19:25:23Z" :ALT "0" :AMCPURPCD "A" :EVTSUBTYPE "-" :SUBTYPECALLSIGN "-" :SUBTYPEFREQ "-" :SUBTYPEMSNCD "-")
 (EVENT :THIS ("MissionEventObject" "2") :EVTTYPE "REFUEL" :EVTCD "T" :EVTSEQID "2" :LOCID "PATRIOT-2" :LATITUDE "3.164" :LONGITUDE "52.031" :TIMEON " T03:05:20Z" :TIMEOFF " T03:05:20Z" :ALT "280" :AMCPURPCD "Z" :EVTSUBTYPE "-" :SUBTYPECALLSIGN "-" :SUBTYPEFREQ "-" :SUBTYPEMSNCD "-")
 (EVENT :THIS ("MissionEventObject" "3") :EVTTYPE "LDG" :EVTCD "I" :EVTSEQID "3" :LOCID "LIPA-3" :LATITUDE "12.070" :LONGITUDE "46.230" :TIMEON " T04:45:20Z" :TIMEOFF " T04:45:20Z" :ALT "0" :AMCPURPCD "A" :EVTSUBTYPE "-" :SUBTYPECALLSIGN "-" :SUBTYPEFREQ "-" :SUBTYPEMSNCD "-")
 ...

Interpreted
MISSING-LEG between event 5 and 6

Action    Event  Type      Date/Time       Location
CREATING  1      Take Off  05/27/ :25:23   KBLV
CREATING  2      Refuel    05/28/ :05:20   PATRIOT
CREATING  3      LDG       05/28/ :45:20   LIPA
CREATING  4      Take Off  05/28/ :20:20   LIPA
CREATING  5      LDG       05/28/ :35:20   LICZ
CREATING  6      Take Off  05/28/ :35:20   LICZ
CREATING  7      LDG       05/28/ :15:20   OEKH
EDITING   6      Take Off  05/28/ :35:20   LICZ

Editing event after its creation
Not leaving from where you landed
Editing over existing leg causes error - Malicious... MALICIOUS
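The three processing stages above (parse the method trace, accumulate constructor plus setInformation calls into one event, replay the events against a plan model and apply the harm rules) can be shown end to end in a few dozen lines. The following is an added example written for this page in Python; it is not PMOP's own trace processor (which, judging by the parsed output, is Lisp-based) and it simplifies the trace layout. It keeps the MissionEventObject class name and the EVTTYPE/EVTSEQID/LOCID fields from the slides, implements the two harm rules named on the "Differences from AWDRAT" slide (takeoff before landing, missing leg), and charges each harm to the user action that introduced it: an EDITING action is flagged MALICIOUS, a CREATING action OPERATOR-ERROR, as the "Processing of MAF/CAF Traces" slide states. The trace is constructed inline from a script that mirrors the Interpreted table, with the edited location "LIRF" a constructed placeholder.

```python
"""Added example, not PMOP project code: parse a constructed MAF/CAF-style
method trace, rebuild mission events, replay them against a plan model and
check two harm rules from the slides (takeoff before landing, missing leg).
Harm introduced by an EDITING action is flagged MALICIOUS; harm present at
creation is flagged OPERATOR-ERROR. The trace layout is a simplified
assumption modelled on the slide's raw trace."""
import xml.etree.ElementTree as ET

# Class name as it appears in the slide's raw trace.
CLASS = ("mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets."
         "MissionPlan.MissionEventObject")

# Constructed script mirroring the slide's Interpreted table: seven events
# created in order, then event 6 re-edited so its takeoff no longer leaves
# from where event 5 landed. "LIRF" is a constructed placeholder location.
SCRIPT = [
    ("1", {"EVTTYPE": "TO", "EVTSEQID": "1", "LOCID": "KBLV"}),
    ("2", {"EVTTYPE": "REFUEL", "EVTSEQID": "2", "LOCID": "PATRIOT"}),
    ("3", {"EVTTYPE": "LDG", "EVTSEQID": "3", "LOCID": "LIPA"}),
    ("4", {"EVTTYPE": "TO", "EVTSEQID": "4", "LOCID": "LIPA"}),
    ("5", {"EVTTYPE": "LDG", "EVTSEQID": "5", "LOCID": "LICZ"}),
    ("6", {"EVTTYPE": "TO", "EVTSEQID": "6", "LOCID": "LICZ"}),
    ("7", {"EVTTYPE": "LDG", "EVTSEQID": "7", "LOCID": "OEKH"}),
    ("6", {"LOCID": "LIRF"}),                      # the edit
]


def make_trace(script):
    """Emit a constructed XML trace: a constructor Enter/Return pair the first
    time an object id appears, then one setInformation call per field."""
    root = ET.Element("Trace")
    seen = set()
    for pid, fields in script:
        if pid not in seen:
            seen.add(pid)
            ET.SubElement(root, "MethodEnter", methodClass=CLASS, thread="0")
            ret = ET.SubElement(root, "MethodReturn", methodClass=CLASS, thread="0")
            ET.SubElement(ret, "this", {"class": CLASS, "printer": pid})
        for key, val in fields.items():
            call = ET.SubElement(root, "MethodEnter", methodName="setInformation",
                                 methodClass=CLASS, thread="0", arg0=key, arg1=val)
            ET.SubElement(call, "this", {"class": CLASS, "printer": pid})
            ET.SubElement(root, "MethodReturn", methodName="setInformation",
                          methodClass=CLASS, thread="0")
    return ET.tostring(root, encoding="unicode")


def parse_trace(xml_text):
    """Accumulate the trace into user actions: a constructor return followed by
    setInformation calls on the same object is one CREATING action; a
    setInformation on an object other than the one being created is EDITING.
    Returns a list of (kind, object_id, fields)."""
    actions = []
    for el in ET.fromstring(xml_text):
        name = el.get("methodName")
        if el.tag == "MethodReturn" and name is None:
            actions.append(["CREATING", el.find("this").get("printer"), {}])
        elif el.tag == "MethodEnter" and name == "setInformation":
            pid = el.find("this").get("printer")
            if actions and actions[-1][1] == pid:
                actions[-1][2][el.get("arg0")] = el.get("arg1")
            else:
                actions.append(["EDITING", pid, {el.get("arg0"): el.get("arg1")}])
    return [tuple(a) for a in actions]


def harmful_legs(plan):
    """Harm rules over the plan state, considering only takeoff/landing
    events in EVTSEQID order. Returns tuples (rule, prev_seq, cur_seq)."""
    legs = sorted((e for e in plan.values()
                   if e.get("EVTTYPE") in ("TO", "LDG") and "EVTSEQID" in e),
                  key=lambda e: int(e["EVTSEQID"]))
    harms = []
    for prev, cur in zip(legs, legs[1:]):
        if cur["EVTTYPE"] != "TO":
            continue
        if prev["EVTTYPE"] == "TO":          # still airborne: takeoff before landing
            harms.append(("TAKEOFF-BEFORE-LANDING", prev["EVTSEQID"], cur["EVTSEQID"]))
        elif prev.get("LOCID") != cur.get("LOCID"):   # not leaving from where you landed
            harms.append(("MISSING-LEG", prev["EVTSEQID"], cur["EVTSEQID"]))
    return harms


def assess(actions):
    """Replay actions against the plan model; the first action that makes a
    harm rule fire is charged with it. Returns (harm, kind, object_id, intent)."""
    plan, seen, findings = {}, set(), []
    for kind, pid, fields in actions:
        plan.setdefault(pid, {}).update(fields)
        for harm in harmful_legs(plan):
            if harm not in seen:
                seen.add(harm)
                intent = "MALICIOUS" if kind == "EDITING" else "OPERATOR-ERROR"
                findings.append((harm, kind, pid, intent))
    return findings


if __name__ == "__main__":
    for finding in assess(parse_trace(make_trace(SCRIPT))):
        print(finding)
```

Running the script reports a single finding: the MISSING-LEG between events 5 and 6 was introduced by an EDITING action on event 6, so it is labelled MALICIOUS; the same leg defect entered during creation would be labelled OPERATOR-ERROR. Charging a harm to the action that first makes a rule fire is what lets the edit-versus-create distinction from the "Evidence of a Deliberate Process" slide be applied mechanically.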

Detecting Malicious Intent Demo

What are we trying to do?
Block Harmful Operations
Differentiate
  –Operator Error
  –Malicious Intent
[PMOP architecture diagram as on the first slide.]

How will you show success?
Red-Team Experiment
  Block Harmful Operations
  Differentiate
    –Operator Error
    –Malicious Intent
[PMOP architecture diagram as on the first slide.]

What are implications of success?
Systems can be protected
  from insider attacks
  from operator error
  from zero-day attacks
[PMOP architecture diagram as on the first slide.]

What is technical approach?
Observe effect of operator action in system model
Match harmful actions against
  –Errorful Operator Plans
  –Attack Plans
[PMOP architecture diagram as on the first slide.]

What is new?
Observe effect of operator action in system model
Match harmful actions against
  –Errorful Operator Plans
  –Attack Plans
[PMOP architecture diagram as on the first slide.]

What is hard?
Modeling System to predict effect
Modeling Operator to differentiate
  –Operator Error
  –Malicious Intent
[PMOP architecture diagram as on the first slide.]

Technology for SRS Integration
Behavior Monitor/Authorizer
  –What code is doing
  –What human operator is doing
Operational Models
  –Software Components
  –Human Operators
Harm Detector
  –Rule driven
Intent Determination