A Mission-Centric Framework for Cyber Situational Awareness Assessing the Risk Associated with Zero-day Vulnerabilities: Automated Methods for Efficient.

1 A Mission-Centric Framework for Cyber Situational Awareness
Assessing the Risk Associated with Zero-day Vulnerabilities: Automated Methods for Efficient and Effective Analysis of the Zero-day Landscape
S. Jajodia, M. Albanese, George Mason University
ARO-MURI on Cyber-Situation Awareness Review Meeting, Phoenix, AZ, October 28-29, 2013

2 Where We Stand in the Project
(Project overview diagram; component labels: System Analysts; Computer network; Software; Sensors, probes (HyperSentry, Cruiser); Multi-Sensory Human Computer Interaction; Enterprise Model; Activity Logs; IDS reports; Vulnerabilities; Cognitive Models & Decision Aids (Instance Based Learning Models, Simulation, Measures of SA & Shared SA); Data Conditioning, Association & Correlation; Automated Reasoning Tools (R-CAST, Plan-based narratives, Graphical models, Uncertainty analysis); Information Aggregation & Fusion (Transaction Graph methods, Damage assessment); Real World Test-bed)

3 Quad Chart - Year 4
Objectives: Improve Cyber Situation Awareness via
- New efficient techniques for generating partial attack graphs on demand in order to enable effective analysis of zero-day vulnerabilities
- A three-step process to assess the risk associated with zero-day vulnerabilities
- A prototype of the probabilistic framework for unexplained activity analysis
DoD Benefit:
- Ability to answer some important questions automatically and efficiently
- Reduced workload on the analysts
- Reduced gap between raw security data and mental models
- Improved decision support
Major Accomplishments:
- Developed an efficient approach to assessing the risk of zero-day vulnerabilities (SECRYPT 2013) [Best Paper Award]
Challenges:
- Analyzing zero-day vulnerabilities for very large networks

4 Overview of contribution – Year 1
Technical accomplishments
- A topological approach to Vulnerability Analysis that overcomes the drawbacks of traditional point-wise vulnerability analysis
- Preliminary data structures and graph-based techniques and algorithms for processing alerts/sensory data
- A novel security metric, k-zero day safety, that counts at least how many zero day vulnerabilities are required for compromising a network asset, and algorithms that apply the metric to harden a network
Major breakthroughs
- Capability of processing massive amounts of alerts/sensory data in real-time
- Capability of forecasting all possible futures, along with their probabilities and expected damage
- Capability of hardening a network against zero day vulnerabilities

5 Overview of contribution – Year 2
Technical accomplishments
- Generalized dependency graphs, which capture how network components depend on one another
- Probabilistic temporal attack graphs, which encode probabilistic and temporal knowledge of the attacker's behavior
- Attack scenario graphs, which combine dependency and attack graphs, bridging the gap between known vulnerabilities and the services or missions that could ultimately be affected
- Efficient algorithms for both detection and prediction
- A preliminary model to identify "unexplained" cyber activities, i.e., activities incompatible with any given known activity model, thus potentially improving detection of zero day attacks
Major breakthroughs
- Capability of generating and ranking future attack scenarios in real-time

6 Overview of contribution – Year 3
Technical accomplishments
- An efficient and cost-effective algorithm to harden a network with respect to given security goals
- A probabilistic framework for localizing attackers in mobile networks, based on the locations of nodes that have detected malicious activity in their neighborhood
- A probabilistic framework for assessing the completeness and quality of available attack models, both at the intrusion detection level and at the alert correlation level (joint work with UMD and ARL)
- A suite of novel techniques – enhancing NSDMiner – to automatically discover dependencies between network services from passively collected network traffic
- Switchwall, an Ethernet-based network fingerprinting technique for detecting unauthorized changes to the L2/L3 network topology
Major breakthroughs
- Capability of automatically and efficiently executing several important analysis tasks, namely hardening, dependency analysis, and attacker localization

7 Overview of contribution – Year 4
Technical accomplishments
- Effective and efficient methods for generating partial attack graphs on demand in order to enable efficient analysis of zero-day vulnerabilities
- A three-step process to assess the risk associated with zero-day vulnerabilities
- A prototype of the probabilistic framework for unexplained activity analysis
Major breakthroughs
- Capability to reason about zero-day vulnerabilities and efficiently assess the risk associated with such vulnerabilities without generating the entire attack graph

8 Year 4 Statistics
Publications & presentations
- 2 papers published in peer-reviewed conference proceedings (Best paper award at SECRYPT 2013)
- 2 papers published in peer-reviewed journals
- 1 book chapter
- 2 invited talks/lectures
Supported personnel
- 2 faculty
- 2 postdoctoral researchers
- 1 doctoral student

9 Proposed Solution: System Architecture
(Architecture diagram; components: Monitored Network; Analyst; Alerts/Sensory Data; Cauldron; Switchwall; Vulnerability Databases (NVD, OSVD, CVE); Stochastic Attack Models; Situation Knowledge Reference Model [Attack Scenario Graphs]; Generalized Dependency Graphs; Index & Data Structures; Topological Vulnerability Analysis; Graph Processing and Indexing; Dependency Analysis (NSDMiner); Scenario Analysis & Visualization; Network Hardening; Unexplained Behavior Analysis; Zero-day Analysis)

10 Zero-Day Analysis
M. Albanese, S. Jajodia, A. Singhal, and L. Wang. "An Efficient Approach to Assessing the Risk of Zero-Day Vulnerabilities". In Proceedings of the 10th International Conference on Security and Cryptography (SECRYPT 2013), Reykjavík, Iceland, July 29-31, 2013. [Best Paper Award]

11 Background and Motivation (1/2)
- Computer systems are vulnerable to both known and zero-day attacks
- Known attack patterns can be easily modeled, and suitable hardening strategies can be developed
- Handling zero-day vulnerabilities is inherently difficult due to their unpredictable nature
- Attackers can leverage complex interdependencies among both known and unknown vulnerabilities and network configurations to penetrate seemingly well-guarded networks
- Attack graphs reveal such threats by enumerating potential paths that attackers can take to penetrate networks

12 Background and Motivation (2/2)

13 Example of Zero-Day Attack Graph
(Figure: host 0; host 1 running http and ssh; host 2 running ssh)
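The k-zero day safety metric from slide 4 (the minimum number of zero-day vulnerabilities an attacker needs to compromise an asset) can be worked through on the small topology labelled on this slide. The Python below is an added example, not code from the slides or from the GMU project. It assumes a constructed connectivity policy (host 0 can only reach host 1, host 1 can reach host 2), that a zero-day exploit of a service on one host and the same service on another host count as the same unknown vulnerability, and that "compromise" means gaining control of the host. It goes slightly beyond the slide by recomputing k after a hardening step, which is how the metric is meant to guide a defender: the returned service set is exactly the set whose zero-days the attacker needs, so it is the set worth diversifying or removing.

```python
"""k-zero day safety on a toy zero-day attack graph (added example).

Assumptions (not from the slides):
- HOSTS maps each host to the services it exposes.
- REACH is the firewall policy: REACH[src] is the set of hosts src may connect to.
- A zero-day exploit <service, src, dst> gives an attacker who controls src
  control of dst whenever dst runs `service` and src can reach dst.
- Exploits of the same service on different hosts count as ONE zero-day
  vulnerability (one unknown flaw per service), as in k-zero day safety.
k(asset) is then the fewest distinct services whose zero-days let the attacker
reach the asset, i.e. the minimum number of distinct zero-day vulnerabilities.
"""
from itertools import combinations

# Constructed toy network loosely following the slide's labels.
HOSTS = {
    "host0": set(),            # attacker's initial foothold, no exposed services
    "host1": {"http", "ssh"},
    "host2": {"ssh"},          # the asset to protect
}
# Constructed firewall policy: host0 only sees host1; host1 sees host2.
REACH = {
    "host0": {"host1"},
    "host1": {"host2"},
    "host2": set(),
}


def compromised_closure(hosts, reach, attacker, services):
    """Hosts the attacker ends up controlling using only zero-days in `services`.

    Fixed-point search: starting from the attacker's foothold, keep adding any
    reachable host that exposes one of the exploitable services.
    """
    owned = {attacker}
    frontier = [attacker]
    while frontier:
        src = frontier.pop()
        for dst in reach.get(src, ()):
            if dst not in owned and hosts.get(dst, set()) & services:
                owned.add(dst)
                frontier.append(dst)
    return owned


def k_zero_day(hosts, reach, attacker, asset):
    """Return (k, services): the minimum number of distinct zero-day
    vulnerabilities needed to compromise `asset`, plus one minimal service set
    that achieves it. Returns (None, frozenset()) if no combination of
    zero-days reaches the asset (the asset is unreachable under the policy)."""
    if asset == attacker:
        return 0, frozenset()
    all_services = sorted(set().union(*hosts.values()))
    # Try service sets in increasing size; the first one that works is minimal.
    for k in range(1, len(all_services) + 1):
        for combo in combinations(all_services, k):
            if asset in compromised_closure(hosts, reach, attacker, set(combo)):
                return k, frozenset(combo)
    return None, frozenset()


def disable_service(hosts, host, service):
    """Hardening action: a copy of `hosts` with `service` removed from `host`."""
    hardened = {h: set(s) for h, s in hosts.items()}
    hardened[host].discard(service)
    return hardened


if __name__ == "__main__":
    k, svcs = k_zero_day(HOSTS, REACH, "host0", "host2")
    print(f"baseline: k = {k}, via zero-days in {sorted(svcs)}")
    hardened = disable_service(HOSTS, "host1", "ssh")
    k2, svcs2 = k_zero_day(hardened, REACH, "host0", "host2")
    print(f"after disabling ssh on host1: k = {k2}, via zero-days in {sorted(svcs2)}")
```

In the baseline topology a single unknown ssh flaw is enough to reach host 2 through host 1, so k = 1. Removing ssh from host 1 forces the attacker to chain two different zero-days (http on host 1, then ssh on host 2), raising k to 2; that is the "hardening against zero-day vulnerabilities" capability slide 4 refers to, expressed as a before/after comparison of the metric.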

14 Contributions (1/2)

15 Contributions (2/2)

16 Problem Statement (1/3)

17 Problem Statement (2/3)

18 Problem Statement (3/3)

19 Overall Decision Process
(Flowchart nodes: Start; Sufficient Security? Yes/No; Insufficient Security; Harden Network; End)

20 Problem 1: Proposed Solution

21 Problem 2: Proposed Solution

22 Problem 3: Proposed Solution

23 Experiments

29 Conclusions

30 Future Work

31 Plan for Year 5
Year 5 will primarily focus on
- integration of the results of our efforts with results from other MURI team members
- extensive evaluation and refinement of the techniques proposed in Years 1 to 4
Specific technical objectives include
- Integrating zero-day analysis (Year 4) with our network hardening approach (Year 3); the objective is to harden a target network w.r.t. both known and unknown vulnerabilities in an effective and efficient way

32 Questions?
