Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting & Preventing Misuse of Privilege PI Meeting 1/27/05 Bob Balzer (Teknowledge) Howie Shrobe (MIT) Updates since Kickoff.

Published byJeffery Walters Modified over 9 years ago

Similar presentations

Presentation on theme: "Detecting & Preventing Misuse of Privilege PI Meeting 1/27/05 Bob Balzer (Teknowledge) Howie Shrobe (MIT) Updates since Kickoff."— Presentation transcript:

1 Detecting & Preventing Misuse of Privilege PI Meeting 1/27/05 Bob Balzer (Teknowledge) Howie Shrobe (MIT) Updates since Kickoff

2 Behavior Authorizer M M M M MediationCocoon Legacy App Behavior Monitor Operator Action Operational System Model Predicted State Harm Assessment Benign Operator Action Harmful Operator Action GUI Intent Assessment Operator Error Malicious Insider

3 Behavior Authorizer M M M M MediationCocoon Legacy App Behavior Monitor Operator Action Operational System Model Predicted State Harm Assessment Benign Operator Action Harmful Operator Action GUI Intent Assessment Operator Error Malicious Insider MIT Teknowledge

4 Distinguishing AWDRAT & PMOP AWDRAT –Detecting misbehaving software Hijacks, overprivledged scripts, trap doors, faults PMOP –Detecting misbehaving operators Malicious intent, operator error For integrated SRS system need both capabilities –Have had extensive discussions on integrating both projects together - headstart on workshop :-)

5 MAF CAF Proposed MI Approved MI Targeting TNL JEESEDC JW CHW Chem Hazard SPI TAP CHI Combat Ops AODB AS LOC Weather Hazard WH WLC ATO EDC CHW Chem Hazard CHA External JBI DemVal Dataflow (via Publish/Subscribe)

6 What We’ve Got End-To-End Demonstration (demo shortly) –Working Prototypes of PMOP components –Working models & rules of target application –Working integration of PMOP components The Good – The Bad – The Ugly

7 End-To-End Demonstration Block Harmful Operations Differentiate –Operator Error –Malicious Intent Behavior Authorizer M M M M MediationCocoon JBI DemVal Behavior Monitor Operator Action Operational System Model Predicted State Harm Assessment Benign Operator Action Harmful Operator Action GUI Intent Assessment Operator Error Malicious Insider

8 What We’ve Got End-To-End Demonstration (demo shortly) –Working Prototypes of PMOP components –Working models & rules of target application –Working integration of PMOP components The Good – The Bad – The Ugly Architecture Visualizer (demo shown in AWDRAT) –Event-Sequence diagrams –Architecture dataflow

9 What We’re Missing Realistic Rules (Domain Knowledgeable) –Would be created by SMEs in real deployment Comprehensive Rule Set –Would be created by SMEs in real deployment Instrumentation of the GUI actions –Just Mission Building/Editing methods currently instrumented –GUI actions will be instrumented by 4/1/05 The Good – The Bad – The Ugly

10 Accommodations Java code base –Created wrapper infrastructure for Java Planning Application (harm is in future) –Defined Harm as publishing harmful plan Available JBI components to wrap –Detailed on next slide The Good – The Bad – The Ugly

11 Canned Component Publishes fixed output Legacy Component Code Not Available Table Lookup MAF CAF Proposed MI Approved MI Targeting TNL JEESEDC JW CHW Chem Hazard SPI TAP CHI Combat Ops AODB AS LOC Weather Hazard WH WLC ATO EDC CHW Chem Hazard CHA External JBI DemVal Dataflow (via Publish/Subscribe) The Good – The Bad – The Ugly

12 DataFlow Demo

13 Event Diagram Demo

14 First SRS Tech Transition Architecture Visualizer used in HURT (IXO) –Animated Event Sequence Diagram –Animated Dataflow Architecture

15 Differences from AWDRAT Harm Detector instead of Architecture Diff Client Reconstitution inactive M M MediationCocoon M M JBI Server PMOP Execution Architecture JBI Client Harm Rules Harm Detector Scripted PMOP Driven from History Scripts Nominal Harmful: Takeoff Before Landing Harmful: Missing Leg (landing not collocated with takeoff) Visualizer Scripts Script Driver History Client Reconstitution Architecture Visualizer M M MediationCocoon M M JBI Server JBI Client Mixed Initiative PMOP One Client Live (with human operator) Others Scripted

16 Detecting Harmful Actions Demo

17 Determining Intent Determining that an insider is/has been taking malicious action is a task for human security agents and managers. Our automated system takes the action of raising an “alarm”, based on: –Degree of harm in the action –Probability of Malicious intent And provides the initial evidence

18 Degree of Harm We are interested in examining harm done by maliciously or accidentally creating a defective plan of action, such as an Air Tasking Order. We base our calculation of harm on a static analysis of the probable consequences of a plan. How the error happened is only used as evidence of intent.

19 Categories of Harmful Plans Plan results in direct damage – e.g.: –Friendly fire incident –Political harm from attacking non-combatants Plan results in a denial of resources – e.g. –Wasting munitions and sorties –Creating confusion –Putting valuable personnel under suspicion.

20 Factors used to Determine Intent The harm is more likely to be intentional: 1.If the plan defect depends on a more deliberate, more conscious process 2.If the actions can be fit into a larger plan of action 3.If there are related historical errors for the operator in question. 4.If the action involves coordination with others (inside or outside) Even type 1 involves analyzing the trace of actions Others involve keeping historical “Case Book”

21 Evidence of a Deliberate Process If the defect in the plan occurs through a plan editing, rather than plan creation step. If there is evidence of information hiding. If there is evidence of tampering with logs or other monitors.

22 Processing of MAF/CAF Traces Parse XML of traces Accumulate parsed trace into “User Actions” –Event creation followed by setInformation methods -> Single Event creation Follow though sequence of User Actions simulating effect on plan, detecting when harmful effect is created. Edited in harmful effect flagged as definite malicious

23 Raw Trace missing-leg 5 6 **end-of-messages** <MethodEnter methodClass="mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" thread="0"/> <MethodReturn methodClass="mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" thread="0"> <this class="mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" printer="1"/> <MethodEnter methodName="setInformation" methodClass="mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" methodSignature="(Ljava/lang/String;Ljava/lang/String;)V" thread="0" arg0="EVTTYPE" arg1="TO"> <this class="mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" printer="1"/>....

24 Parsed (("missing-leg 5 6") (ENTER :NAME CONSTRUCTOR :CLASS "mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject") (RETURN :NAME CONSTRUCTOR :CLASS "mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" :THIS ("MissionEventObject" "1")) (ENTER :NAME "setInformation" :CLASS "mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" :ARG0 "EVTTYPE" :ARG1 "TO" :THIS ("MissionEventObject" "1")) (RETURN :NAME "setInformation" :CLASS "mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" :ARG0 "EVTTYPE" :ARG1 "TO" :THIS ("MissionEventObject" "1"))...

25 Reconstructed (("missing-leg 5 6") (EVENT :THIS ("MissionEventObject" "1") :EVTTYPE "TO" :EVTCD "I" :EVTSEQID "1" :LOCID "KBLV-1" :LATITUDE "-89.804" :LONGITUDE "38.671" :TIMEON "2004-05-27T19:25:23Z" :TIMEOFF "2004-05-27T19:25:23Z" :ALT "0" :AMCPURPCD "A" :EVTSUBTYPE "-" :SUBTYPECALLSIGN "-" :SUBTYPEFREQ "-" :SUBTYPEMSNCD "-") (EVENT :THIS ("MissionEventObject" "2") :EVTTYPE "REFUEL" :EVTCD "T" :EVTSEQID "2" :LOCID "PATRIOT-2" :LATITUDE "3.164" :LONGITUDE "52.031" :TIMEON "2004-05-28T03:05:20Z" :TIMEOFF "2004-05- 28T03:05:20Z" :ALT "280" :AMCPURPCD "Z" :EVTSUBTYPE "-" :SUBTYPECALLSIGN "-" :SUBTYPEFREQ "-" :SUBTYPEMSNCD "-") (EVENT :THIS ("MissionEventObject" "3") :EVTTYPE "LDG" :EVTCD "I" :EVTSEQID "3" :LOCID "LIPA-3" :LATITUDE "12.070" :LONGITUDE "46.230" :TIMEON "2004-05-28T04:45:20Z" :TIMEOFF "2004-05-28T04:45:20Z" :ALT "0" :AMCPURPCD "A" :EVTSUBTYPE "-" :SUBTYPECALLSIGN "-" :SUBTYPEFREQ "-" :SUBTYPEMSNCD "-")...

26 Interpreted MISSING-LEG Between event 5 and 6 CREATINGevent 1Take Off 05/27/2004 19:25:23 KBLV-89.8038.67 CREATINGevent 2 Refuel05/28/2004 03:05:20 PATRIOT3.16 52.03 CREATINGevent 3 LDG05/28/2004 04:45:20LIPA12.0746.23 CREATINGevent 4Take Off05/28/2004 07:20:20LIPA12.0746.23 CREATINGevent 5LDG05/28/2004 08:35:20LICZ14.7337.62 CREATINGevent 6Take Off05/28/2004 11:35:20LICZ14.7337.44 CREATINGevent 7LDG05/28/2004 17:15:20OEKH47.7024.08 EDITINGevent 6Take Off05/28/2004 11:35:20LICZ5.4347.64 Editing event after its creation Not leaving from where you landed 5 6 14.726 37.617 5.4346514 47.63672 Editing over existing leg causes error - Malicious... MALICIOUS

27 Detecting Malicious Intent Demo

28 Behavior Authorizer M M M M MediationCocoon Legacy App Behavior Monitor Operator Action Operational System Model Predicted State Harm Assessment Benign Operator Action Harmful Operator Action GUI Intent Assessment Operator Error Malicious Insider What are we trying to do? Block Harmful Operations Differentiate –Operator Error –Malicious Intent

29 Behavior Authorizer M M M M MediationCocoon Legacy App Behavior Monitor Operator Action Operational System Model Predicted State Harm Assessment Benign Operator Action Harmful Operator Action GUI Intent Assessment Operator Error Malicious Insider How will you show success? Block Harmful Operations Differentiate –Operator Error –Malicious Intent Red-Team Experiment Block Harmful Operations Differentiate –Operator Error –Malicious Intent

30 Behavior Authorizer M M M M MediationCocoon Legacy App Behavior Monitor Operator Action Operational System Model Predicted State Harm Assessment Benign Operator Action Harmful Operator Action GUI Intent Assessment Operator Error Malicious Insider What are implications of success? Systems can be protected from insider attacks from operator error from zero-day attacks

31 Behavior Authorizer M M M M MediationCocoon Legacy App Behavior Monitor Operator Action Operational System Model Predicted State Harm Assessment Benign Operator Action Harmful Operator Action GUI Intent Assessment Operator Error Malicious Insider What is technical approach? Observe effect of operator action in system model Match harmful actions against –Errorful Operator Plans –Attack Plans

32 Behavior Authorizer M M M M MediationCocoon Legacy App Behavior Monitor Operator Action Operational System Model Predicted State Harm Assessment Benign Operator Action Harmful Operator Action GUI Intent Assessment Operator Error Malicious Insider What is new? Observe effect of operator action in system model Match harmful actions against –Errorful Operator Plans –Attack Plans

33 Behavior Authorizer M M M M MediationCocoon Legacy App Behavior Monitor Operator Action Operational System Model Predicted State Harm Assessment Benign Operator Action Harmful Operator Action GUI Intent Assessment Operator Error Malicious Insider What is hard? Modeling System to predict effect Modeling Operator to differentiate –Operator Error –Malicious Intent

34 Technology for SRS Integration Behavior Monitor/Authorizer –What code is doing –What human operator is doing Operational Models –Software Components –Human Operators Harm Detector –Rule driven Intent Determination

Download ppt "Detecting & Preventing Misuse of Privilege PI Meeting 1/27/05 Bob Balzer (Teknowledge) Howie Shrobe (MIT) Updates since Kickoff."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Unit Testing in the OO Context(Chapter 19-Roger P)

Unit Testing in the OO Context(Chapter 19-Roger P)
Introduction to IRRIIS testing platform IRRIIS MIT Conference ROME 8 February 2007 Claudio Balducelli.

Introduction to IRRIIS testing platform IRRIIS MIT Conference ROME 8 February 2007 Claudio Balducelli.
VTrack: Accurate, Energy-Aware Road Traffic Delay Estimation Using Mobile Phones Arvind Thiagarajan, Lenin Ravindranath, Katrina LaCurts, Sivan Toledo,

VTrack: Accurate, Energy-Aware Road Traffic Delay Estimation Using Mobile Phones Arvind Thiagarajan, Lenin Ravindranath, Katrina LaCurts, Sivan Toledo,
Software Modeling SWE5441 Lecture 3 Eng. Mohammed Timraz

Software Modeling SWE5441 Lecture 3 Eng. Mohammed Timraz
Solidcore Harness the Power of Change John Sebes CTO Solidcore Systems, Inc. Case Study:

Solidcore Harness the Power of Change John Sebes CTO Solidcore Systems, Inc. Case Study:
Dr. Bill Curtis Director, Consortium for IT Software Quality The Technical Debt Management Cycle: Evaluating the Costs and Risks of IT Assets.

Dr. Bill Curtis Director, Consortium for IT Software Quality The Technical Debt Management Cycle: Evaluating the Costs and Risks of IT Assets.
University of Jyväskylä An Observation Framework for Multi-Agent Systems Joonas Kesäniemi, Artem Katasonov * and Vagan Terziyan University of Jyväskylä,

University of Jyväskylä An Observation Framework for Multi-Agent Systems Joonas Kesäniemi, Artem Katasonov * and Vagan Terziyan University of Jyväskylä,
1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.

1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,
Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Securing Legacy Software SoBeNet User group meeting 25/06/2004.
Success status, page 1 Collaborative learning for security and repair in application communities MIT & Determina AC PI meeting July 10, 2007 Milestones.

Success status, page 1 Collaborative learning for security and repair in application communities MIT & Determina AC PI meeting July 10, 2007 Milestones.
Intrusion Detection Presentation : 1 OF n by Manish Mehta 01/24/03.

Intrusion Detection Presentation : 1 OF n by Manish Mehta 01/24/03.
S New Security Developments in DICOM Lawrence Tarbox, Ph.D Chair, DICOM WG 14 (Security) Siemens Corporate Research.

S New Security Developments in DICOM Lawrence Tarbox, Ph.D Chair, DICOM WG 14 (Security) Siemens Corporate Research.
Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.

Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.

Similar presentations

Ads by Google