Summer VFRP Experience: Tool Development for a Cyber SA System
Martin Q. Zhao
October 1, 2010
VFRP when and where
• Applied for SFFP (summer faculty fellowship program), jointly sponsored by ASEE (American Society of Engineering Education) and AFRL
• Application submitted: December, 2009
• Accepted (through VFRP): March, 2010
• Thanks to Drs. Allen, Cozart and Digh for their help
• Worked at AFRL's Rome Research Site for 10 weeks (May 24 – July 30)
• Griffiss Business and Technology Park: http://www.griffissbusinesspark.com/
AFRL/RI: an overview
• US Air Force Research Laboratory Information Directorate in Rome, NY.
• AFRL/RI is the component responsible for command, control, communications, computers and intelligence (C4I) research and development.
• Core Technology Competencies (CTCs):
  - Information Exploitation
  - Information Fusion & Understanding
  - Information Management
  - Advanced Computing Architectures
  - Cyber Operations
  - Connectivity
  - Command and Control
Information Fusion
• Data fusion is a formal framework in which the means and tools for the alliance of data originating from different sources are expressed.
• Data fusion aims at obtaining information of greater quality; the exact definition of "greater quality" depends upon the application.
• In the context of military applications, it emphasizes collecting and processing raw data from various sensor sources and tracking and identifying activities of interest, so as to provide situation awareness (SA) for the decision maker to take appropriate actions.
Unified SA Model by Salerno et al. ['05]
• Dr. Endsley's model ['95]:
  - Perception
  - Comprehension
  - Projection
• JDL (Joint Directors of Laboratories) model ['91, revised '98]:
  - Level 0: Source Preprocessing/Subobject Refinement
  - Level 1: Object Refinement
  - Level 2: Situation Refinement
  - Level 3: Impact Assessment
  - Level 4: Process Refinement
• Dr. Salerno also co-chaired a Social Computing conference three times
Cyber SA: Virtual Terrain
The virtual terrain (VT) is a graphical representation of a computer network containing the information relevant for a security analysis of that network, including:
• Hosts & subnets
• Routers, sensors & firewalls
• Physical & wireless links
• Services & exposures
• Users and accounts
• Mission & criticality scores
Sample Virtual Terrain (network diagram of cs.mercer.edu; nodes and address ranges as labelled)
• Internet: xxx.xxx.xxx.xxx
• Main Switch: 168.15.1.1
• Hosts: Cobra 168.15.1.2, Eagle 168.15.1.3, Raptor 168.15.1.4, Apache 168.15.1.5, Intruder 168.15.1.6, Zeus 168.15.1.7
• Lab 100: 168.15.2.1 - .21
• 2nd Flr. Switch: 168.15.3.2
• Lab 204: 168.15.4.1 - .21; Faculty-1: 168.15.5.1 - .8; Lab 200: 168.15.6.1 - .17
• 3rd Flr. Switch: 168.15.7.2
• Lab 306: 168.15.8.1 - .21; Faculty-2: 168.15.9.1 - .4; Lab 304: 168.15.10.1 - .15
Sample Mission Tree (diagram): the cs.mercer.edu mission is decomposed into Sub-mission_1 … Sub-mission_n, each sub-mission into applications App_1_1 … App_1_m, and each application into the Assets it depends on.
Cyber SA: Tracking Attack Events (IDS alerts, with the address pair shown for each)
(1) ICMP Ping NMAP (62.34.46.54 45.34.12.1)
(2) SCAN nmap fingerprint attempt (38.244.61.9 45.34.12.2)
(3) x86 mountd overflow (62.34.46.54 45.34.12.1)
(4) gobbles SSH overflow (62.34.46.54 45.34.12.1)
(5) SCAN cybercop os SFU12 probe (38.244.61.9 45.34.12.2)
(6) WEB-MISC windmail.exe access (38.244.61.9 45.34.12.2)
(7) ICMP Ping NMap (45.34.12.1 45.34.13.1)
(8) EXPLOIT RADIUS MSID overflow attempt (45.34.12.2 45.34.12.2)
(9) chown command attempt (62.34.46.54 45.34.12.1)
(10) MS-SQL:PROCEDURE-DUMP (45.34.12.2 45.34.12.2)
Summer Research: An Overview
• Title of the proposal: Knowledge Representation & Reasoning for Impact/Threat Assessment in Cyber Situation Awareness Systems
• Objective: enhancing the SITA system
  - Find ways to model domain knowledge
  - Develop a tool for VT creation/modification
• Collaborators:
  - Dr. John Salerno
  - Mike Manno
  - Jimmy Swistak
  - Warren Geiler
Problems to Solve
• Tools need to be developed to feed SITA with data
• The amount of data is huge
  - A computer network can have hundreds of machines and thousands of software applications and user accounts
  - Known vulnerabilities number in the thousands, and the number is ever growing
• XML files are used, and they can contain redundant data
  - Harms efficiency
  - Hard to change anything, due to the well-known anomalies:
    - Insertion
    - Deletion
    - Update
Relational Data Model - VT (diagram): entity groups S/W, H/W, Link & Policy, and Exposure.
Mission Map Editor - Requirements
• Requirements modeling with a use-case diagram
• (Type of) user: SA Operator
• System functions:
  - Access data in file/DB
  - Create a mission tree
  - Display a mission tree
  - Modify a mission tree
  - Save changes to file/DB
Mission Map Editor - Tree creation (screenshot, steps as numbered)
1. File | New
2. Top mission
3. Add more
4. Set criticality
5. Assign assets
6. File | Save
Mission Map Editor - Architecture (diagram): components XML, Mission Map Model, VT Model and DB.
Vulnerability Lookup - Overview
• What is a vulnerability?
• What is an exposure?
• How is it stored in NVD?
• What is CVE?
• What is CPE?
• How are they related to SITA?
The National Vulnerability Database (NVD) contains:
• Common Vulnerabilities and Exposures (CVE), e.g.
    <entry id="CVE-2010-0278">
    … …
    <cpe-lang:logical-test negate="false" operator="OR">
      <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_7"/>
      <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_vista"/>
    … …
    </entry>
• Common Platform Enumeration (CPE), e.g.
    <cpe-item name="cpe:/o:microsoft:windows_7">
      <title xml:lang="en-US">Microsoft Windows 7</title>
    … …
    </cpe-item>
Vulnerability Lookup - Prototype (screenshot with labelled panels): 0 Load files; A CVSS Rating; B Apps affected; C Exposure.
Vulnerability Lookup - Ideal ways (diagram keyed on a CPE name, e.g. cpe:/o:microsoft:windows_7)
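As an added example (not the SITA or Vulnerability Tracker code), the lookup keyed on a CPE name, run over constructed fragments in the shape of the NVD CVE feed and CPE dictionary shown above; CVE-2010-0278 and its two Windows platforms are from the slide, while the second entry (CVE-2009-TEST), the Apache product and the negated logical-test are made up to show how a negated subtree is treated.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
# Constructed NVD 2.0-style feed (CVE-2010-0278 is the slide's; CVE-2009-TEST and its negated test are made up).
CVE_FEED = """<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
 xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4"
 xmlns:cpe-lang="http://cpe.mitre.org/language/2.0">
<entry id="CVE-2010-0278"><vuln:vulnerable-configuration id="http://nvd.nist.gov/">
 <cpe-lang:logical-test negate="false" operator="OR">
  <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_7"/>
  <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_vista"/>
 </cpe-lang:logical-test></vuln:vulnerable-configuration></entry>
<entry id="CVE-2009-TEST"><vuln:vulnerable-configuration id="http://nvd.nist.gov/">
 <cpe-lang:logical-test negate="false" operator="AND">
  <cpe-lang:fact-ref name="cpe:/a:apache:http_server:2.2"/>
  <cpe-lang:logical-test negate="true" operator="OR">
   <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_7"/></cpe-lang:logical-test>
 </cpe-lang:logical-test></vuln:vulnerable-configuration></entry></nvd>"""
# Constructed CPE dictionary fragment in the shape of the slide's cpe-item.
CPE_DICT = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
<cpe-item name="cpe:/o:microsoft:windows_7"><title xml:lang="en-US">Microsoft Windows 7</title></cpe-item>
<cpe-item name="cpe:/a:apache:http_server:2.2"><title xml:lang="en-US">Apache HTTP Server 2.2</title></cpe-item>
</cpe-list>"""
def local(el):  # tag without its namespace, so feed and dictionary prefixes don't matter
    return el.tag.rsplit('}', 1)[-1]
def parse_cpe(name):  # 'cpe:/o:microsoft:windows_7' -> ('o', 'microsoft', 'windows_7', '')
    return tuple((name[len('cpe:/'):].split(':') + [''] * 4)[:4])

def vulnerable_refs(test):
    """fact-ref names under a logical-test, skipping negate='true' subtrees."""
    if test.get('negate') == 'true':  # negated: these platforms are excluded, not vulnerable
        return []
    names = [c.get('name') for c in test if local(c) == 'fact-ref']
    for sub in (c for c in test if local(c) == 'logical-test'):
        names += vulnerable_refs(sub)
    return names

def index_feed(xml_text):
    """CPE name -> sorted CVE ids whose vulnerable-configuration lists it."""
    index = defaultdict(set)
    for entry in ET.fromstring(xml_text):
        tests = [t for c in entry if local(c) == 'vulnerable-configuration' for t in c]
        for name in (n for t in tests for n in vulnerable_refs(t)):
            index[name].add(entry.get('id'))
    return {k: sorted(v) for k, v in index.items()}

def index_dictionary(xml_text):
    """CPE name -> English title, for showing a product name next to its CVE list."""
    return {item.get('name'): next(t.text for t in item if local(t) == 'title')
            for item in ET.fromstring(xml_text) if local(item) == 'cpe-item'}
```

The first field of parse_cpe is the platform type (o = OS, a = application, h = hardware) that the Future R&D slide proposes as the top-level grouping for the GUI.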
Future R&D
• MissionMapEditor: thorough testing and refactoring
• VulnerabilityTracker:
  - Research the processes of checking/updating the CVE and CPE data feeds
  - Design a layered system architecture
  - Design and implement a GUI that organizes products by category (such as OS, apps, HW), vendor, product family, version, etc.
• IDS (e.g. Snort) alert specifics and their mapping to CVE, as well as to SITA
• VT model generation using automatic scanning data
• Cyber situation visualization
Fall Extension Updates – Vul'Tracker
The data feed file download and DB loading/update functions have been tested with:
• CVE data feed files for
  - 2010 (two versions, one from July [15 MB] and another from the December revision [39 MB]) and
  - 2009 [34 MB]; and
• the CPE file from July 2010 [6.8 MB].
Table 1 – Vendor Counts by Platform Types
Table 2 – Count of Vulnerable Software by Year