Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automatic Trust Management for Adaptive Survivable Systems Howard Shrobe MIT AI Lab Computational Vulnerability Analysis for Model Based Diagnosis July.

Published byClaribel Goodwin Modified over 9 years ago

Similar presentations

Presentation on theme: "Automatic Trust Management for Adaptive Survivable Systems Howard Shrobe MIT AI Lab Computational Vulnerability Analysis for Model Based Diagnosis July."— Presentation transcript:

1 Automatic Trust Management for Adaptive Survivable Systems Howard Shrobe MIT AI Lab Computational Vulnerability Analysis for Model Based Diagnosis July 2001 PI Meeting Santa Fe

2 Outline Overall Framework Review of Diagnostic Process Computational Vulnerability Analysis

3 Adaptive Survivable Systems Techniques that enable self-monitoring and diagnosis –Driven by representations of structure and purpose –The application knows the purposes of its components –The application checks that these are achieved –If these purposes are not achieved, the application localizes and characterize the failure Techniques that enable application adaptation –The application achieve its purpose as well as possible within the available infrastructure by choosing alternatives. –Driven by models of Trust (informed by diagnosis and monitoring) –Driven by models of computational alternatives –It must have more than one way to effect each critical computation –It should choose an alternative approach if the first one failed –It should make its initial choices in light of the trust model

4 The Active Trust Management Architecture Self Adaptive Survivable Systems Perpetual Analytical Monitoring Trust Model: Trustworthiness Compromises Attacks Rational Decision Making Other Information Sources: Intrusion Detectors Trend Templates System Models & Domain Architecture Rational Resource Allocation

5 Motivating Example Grammar Center Speech Processing Grammar Voice Capture text Start Omnibase query Display Generator response Display SleepyGrumpyDocDopey utterance Performance expectations Integrity Constraint Gui Directives

6 Diagnosis as Likely Mode Identification Single Level, Single Model Model Based Diagnosis –Tells you which components aren’t working as expected Multi-Mode Diagnosis –Tells you in what way they aren’t working as expected Multi-Level, Multi-Mode Diagnosis –Tells you how the misbehaviors are coupled through common- mode failures (or compromises) and ranks the failures by their probabilities. Attack Models –Tells you how the common mode failures (or compromised modes of the resources) are in turn coupled to common attacks exploiting vulnerabilities of the resources.

7 Model Based Diagnosis with Multiple Faults Each component is modeled by multi-directional constraints representing the normal behavior As a value is propagated through a component model, it is labeled with the assumption that this component works A conflict is detected at any place to which inconsistent values are propagated A conflict set is the set of all labels attached to the conflicting values A diagnosis is a set of assumptions which form a covering set of all Conflict set Goal is to find all minimum diagnoses

8 Model Based Troubleshooting GDE Times Plus 3 5 3 5 5 40 35 40 Conflicts: Diagnoses: 25 20 Blue or Violet Broken Green Broken, Red with compensating fault Green Broken, Yellow with masking fault 15 25

9 Consistent Diagnoses ABCMIDMIDProbExplanation LowHigh NormalNormalSlow33.04410C is delayed SlowFastNormal712.00640A Slow, B Masks runs negative! FastNormalSlow12.00630A Fast, C Slower NormalFastSlow46.00196B not too fast, C slow FastSlowSlow-300.00042A Fast, B Masks, C slow SlowFastFast1330.00024A Slow, B Masks, C not masking fast LHP Normal:3 6.7 Fast:-302.1 Slow:730.2 IN 0 LHP Normal:5100.8 Fast:-304.03 Slow:1130.07 OUT2 Observed:17 Predicted:Low = 8 High =16 LHP Normal:240.9 Fast:-301.04 Slow:530.06 OUT1 Observed:5 Predicted:Low = 5 High = 10 A B C MID Low = 3 High = 6 Multi-Mode Diagnosis

10 Multi-Mode Multi-Tiered Diagnosis The model is augmented with another level of detail showing the dependence of computations on underlying resources Each resource has models of its state of compromise The modes of the resource models are linked to the modes of the computational models by conditional probabilities The model forms a bayesian network Normal: Delay: 2,4 Delayed: Delay 4,+inf Accelerated: Delay -inf,2 Node17 Located On Normal: Probability 90% Parasite: Probability 9% Other: Probability 1% Component 1 Has models Conditional probability =.2 Conditional probability =.4 Conditional probability =.3

11 A Host1 B D C E Host2Host4Host3 NH Normal.6.15 Peak.1.80 Off Peak.3.05 NH Normal.8.3 Slow.2.7 Normal.9 Hacked.1 Normal.85 Hacked.15 Normal.8 Hacked.2 Normal.7 Hacked.3 NH Normal.50.05 Fast.25.45 Slow.25.50 NH Normal.60.05 Slow.25.45 Slower.15.50 NH Normal.50.05 Fast.25.45 Slow.25.50 An Example System Description

12 The System Description includes a Bayesian Network The Model can be viewed as a Two-Tiered Bayesian Network –Resources with modes –Computations with modes –Conditional probabilities linking the modes A Host1 B D C E Host2Host4Host3 NH Normal.6.15 Peak.1.80 Off Peak.3.05 NH Normal.8.3 Slow.2.7 Normal.9 Hacked.1 Normal.85 Hacked.15 Normal.8 Hacked.2 Normal.7 Hacked.3 NH Normal.50.05 Fast.25.45 Slow.25.50 NH Normal.60.05 Slow.25.45 Slower.15.50 NH Normal.50.05 Fast.25.45 Slow.25.50

13 The system description includes a behavioral model The Model can also be viewed as a behavioral model with multiple modes per device –Each model has behavioral description The modes have posterior probabilities linked by conditional probabilities to the probabilities of the modes of the resources AB D C E NH Normal.6.15 Peak.1.80 Off Peak.3.05 NH Normal.8.3 Slow.2.7 NH Normal.50.05 Fast.25.45 Slow.25.50 NH Normal.60.05 Slow.25.45 Slower.15.50 NH Normal.50.05 Fast.25.45 Slow.25.50

14 Integrating model based and Bayesian reasoning Start with each behavioral model in the “normal” state Repeat: Check for Consistency of the current model If inconsistent, –Add a new node to the Bayesian network This node represents the logical-and of the nodes in the conflict. It’s truth-value is pinned at FALSE. –Prune out all possible solutions which are a super-set of the conflict set. –Pick another set of models from the remaining solutions If consistent, add to the set of possible diagnoses Continue until all inconsistent sets of models are found Solve the Bayesian network Conflict: A = NORMAL B = NORMAL C = NORMAL Discrepancy Observed Here Least Likely Member of Conflict Most Likely Alternative is SLOW AB D C E NH Normal.6.15 Peak.1.80 Off Peak.3.05 NH Normal.8.3 Slow.2.7 NH Normal.50.05 Fast.25.45 Slow.25.50 NH Normal.60.05 Slow.25.45 Slower.15.50 NH Normal.50.05 Fast.25.45 Slow.25.50

15 Adding Attack Models An Attack Model specifies the set of attacks that are believed to be possible in the environment Each resource has a set of vulnerabilities –Vulnerabilities enable attacks on that resource A successful attack exploits the vulnerability, putting the resource into a non-normal behavioral mode This is given as a set of conditional probabilities –If the attack succeeded on a resource of this type then the likelihood that the resource is in mode-x is P –This now forms a three tiered Bayesian network Host1 Buffer-Overflow Has- vulerability Overflow-Attack Enables Unix-Family Resource-type Causes Normal Slow.5.7

16 Three Tiered Model

17 What the diagnostic process tells us All non-conflicting combination of models are possible diagnoses The posterior probabilities tell you how likely each diagnosis is. This guides recovery processing Each mode of each resource has a posterior probability This guides resource selection in the future The attack models couple the resource models, given a system wide view. This informs the trust model This couples to long-term monitoring, that looks for complex multi-stage attacks

18 Computational Vulnerability Analysis Grounding the attack model in systematic analysis Ontology of: –System Properties –System Types –System Structure –Control and Dependencies

19 Generating Attack Models Through Vulnerability Analysis The problem: Where does the attack model and its links to behavioral modes come from? –So far, by hand crafting Vulnerability Analysis supplants this by a systematic analysis: –Forming an ontology of how computer systems are structured –Building models of the environment Network topology: nodes, routers, switches, filter, firewalls System types: hardware, operating systems Server and user suites: Which servers and users run where –Analyzing how properties depend on resources –Analyzing the vulnerabilities of the resources

20 Modeling System Structure Hardware Processor Memory Device Controllers Devices controls Part-of Operating System Logon Controller Scheduler Device Drivers Part-of Job Admitter Resides-In controls User Set Work Load File System Access Controller resources controls files Part-of Input-to controls Scheduler Policy

21 Modeling the topology Machine name: sleepy OS Type: Windows-NT Server Suite: IIS….. User Authentication Pool: Dwarfs… Router: Enclave restrictions. …. Topology tells you: who can share (and sniff) which packets who can affect what types of connections to whom Switch: subnet restrictions. …. Switch: subnet restrictions. ….

22 Modeling Dependencies Start with the desirable properties of systems: –Reliable performance –Privacy of communications –Integrity and/or privacy of data Analyze which system components impact those properties –Performance - scheduler –Privacy - access-controller To affect a desirable property control a component that contributes to the delivery of that property

23 Controlling components (1) One way to gain control of a component is to directly exploit a known vulnerability –One way to control a Microsoft IIS web server is to use a buffer overflow attack on it. IIS Web Server Process Buffer-Overflow Attack Takes control of IIS Web Server Buffer-Overflow Attack Is vulnerable to

24 Controlling components (2) Another way to control a component is to find an input to the component and then find a way to modify the input –Modify the scheduler policy parameters Scheduler Policy Parameters Input to Scheduler control by Modification- action Scheduler Policy Parameters

25 Controlling components (3) Another way to control a component is to find one of its components and then to find a way to gain control the sub-component Job-Admitter User Job Admitter Component-of Job-Admitter control by Control- action User Job Admitter

26 Modifying Inputs (1) One way to modify an input is to find a component which controls the input and then to find a way to gain control component Scheduler Workload Input-of Scheduler control by Job AdmitterWorkload Job Admitter Controls Attack. Controls

27 Modifying Inputs (2) One way to modify an input is to find a component of the input and then to find a way to modify the component Scheduler Workload Input-of Scheduler control by User Workload Workload User Workload Component Attack. Modify

28 Access Rights Each object specifies a set of capabilities required for each operation on that object –Capabilities are organized in an DAG –This generalizes the access mechanisms of all OS’s. Each actor (user or process) possesses certain capabilities. An actor can perform an action on an object only if it possesses a capability at least as strong as that required for the operation –This is a generalization of the access mechanisms in all current OS’s. An access pool is a set of machines that shares resources, password & access right descriptions

29 Netchex The AI Lab Topology (partial) Router Netchex Filters out Telnet. Server Switch 8th- Floor-1 8th- Floor-2 7th- Floor-1 Router Access pool Life Kenmore Maytag Server Access Pool Doc Dopey Sleepy Dwarf Access Pool Sneezy Sakharov Truman Quincy- Adams Lisp Access Pool Jefferson Wilson Creepy Crawler General Access Pool

30 Obtaining Access (1) One way to gain access to an operation on an object is to find a process with an adequate capability and take control of the process Typical User File User Read Required for Read Typical User File To Read Control- action Typical User Process Typical User Process User Read Posseses Capability

31 Obtaining Access (2) Another way to gain access to an operation on an object is to find a user with an adequate capability and find a way to log in as that user and launch a process with the user’s capabilities Typical User File User Read Required for Read Typical User File To Read Logon as Typical User User Process Typical User User Read Posseses Capability Launches

32 Logging On Logging on requires obtaining knowledge of a password To gain knowledge of a password –Guess it, using guessing attacks –Sniff it By placing a parasitic virus on the user’s machine By monitoring network traffic –Hack the password file

33 Monitoring and Changing Network Traffic Network are broken down into subnet segments Segments are connected by Routers –Routers can monitor traffic on any connected segment Each segment may be: – Shared media Coaxial ethernet Wireless ethernet Any connected computer can monitor traffic –Switched media 10 (100, 100) base-T Only the switch (or reflected ports) can monitor Traffic Switches and Routers are computers –They can be controlled –But they may be members of special access pools To gain knowledge of some information gain the ability to monitor network traffic

34 Residences Components reside in several places –Main memory –Boot files –Paging Files They migrate between residences –Through local peripheral controllers –Through networks To modify/observe a component find a residence of the component and modify/observe it in the residence To modify/observe a component find a migration path and modify/observe it during the transmission

35 Formats and Transformations Components live in several different formats –Source code –Compiled binary code –Linked executable images Processes transform one format into another –Compilation –Linking To modify a component change an upstream format and cause the transformations to happen To modify a component gain control of the processes that perform the transformations

36 Modification during Transmission To control traffic on a network segment launch a “man in the middle attack” –Get control of a machine, redirect traffic to it To observe network traffic get control of a switch/router and a user machine and then reflect traffic to the user machine To modify network traffic launch an “inserted packet” packet. –Get control of a machine –Send a packet from the controlled machine with the correct serial number but wrong data before the sender sends the real packet

37 An Example Affecting reliable performance: –Control the scheduler - The scheduler is a component that impacts performance –By modifying the scheduler’s policy parameters The policy parameters are inputs to the scheduler –By gaining root access The policy parameters require root access for writing –By using a buffer overflow attack on the web-server The web-server process possesses root capabilities The web-server process is vulnerable to a buffer-overflow attack. For this attack to impact the performance all the actions must succeed –Each has an a priori probability based on its inherent difficulty and current evidence suggesting that it occurred.

38 Affecting Data Privacy (1)

39 Affecting Data Privacy (2)

40 Affecting Data Privacy (3)

41 Affecting Performance (1)

42 Affecting Performance (2)

43 Using Attack Scenarios This information is captured in an Object-Oriented knowledge representation and rule-base system that reasons with it. The inference process develops multi-stage attack scenarios The scenarios are transformed into trend templates for recognition purpose The scenarios are transformed into Bayesian network fragment for diagnostic purposes

44 Integration Opportunities Projects that provide self-monitoring capabilities –We depend on self-monitoring –We typical assume coarse-grain (e.g. method wrapping) –Could use lower-level tools as well Projects that provide policy enforcement –Attempted violations of policies should trigger diagnostic activity Projects that provide recovery capabilities Participation in framework development

Download ppt "Automatic Trust Management for Adaptive Survivable Systems Howard Shrobe MIT AI Lab Computational Vulnerability Analysis for Model Based Diagnosis July."

Similar presentations

Performance Testing - Kanwalpreet Singh.

Performance Testing - Kanwalpreet Singh.
1 Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis.

1 Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis.
Chapter Six Networking Hardware.

Chapter Six Networking Hardware.
Walter Binder University of Lugano, Switzerland Niranjan Suri IHMC, Florida, USA Green Computing: Energy Consumption Optimized Service Hosting.

Walter Binder University of Lugano, Switzerland Niranjan Suri IHMC, Florida, USA Green Computing: Energy Consumption Optimized Service Hosting.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Discovering Computers Fundamentals, Third Edition CGS 1000 Introduction to Computers and Technology Fall 2006.

Discovering Computers Fundamentals, Third Edition CGS 1000 Introduction to Computers and Technology Fall 2006.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
CEG3185 Tutorial 7 Routers and Routing. IP Address An Internet Protocol address (IP address) is a numerical label assigned to each device (e.g., computer,

CEG3185 Tutorial 7 Routers and Routing. IP Address An Internet Protocol address (IP address) is a numerical label assigned to each device (e.g., computer,
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 11: Monitoring Server Performance.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 11: Monitoring Server Performance.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
Chapter 13 Embedded Systems

Chapter 13 Embedded Systems
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
seminar on Intrusion detection system

seminar on Intrusion detection system
Cambodia-India Entrepreneurship Development Centre - : :.... :-:-

Cambodia-India Entrepreneurship Development Centre - : :.... :-:-
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

Similar presentations

Ads by Google