Research & Development Roadmap
Outline
• A New Communication Framework
• Giving Bro Control over the Network
• Security Monitoring for Industrial Control Systems
• Parallelism on Concurrent Architectures
Communication NG

Communication Today
• Primitives
  • Sending events
  • &synchronized
• Limitations
  • Model doesn’t scale; no hierarchies
  • Loose semantics: best-effort service
  • No integration with persistence
  • Implementation lacks robustness
  • Two separate protocol implementations
Initial Proposal
• Extend event propagation
  • Routing
  • Subscription groups
  • Push/pull models
• Remove &synchronized (and the proxies ...)
• Add a global, persistent data structure
  • Probably just a key/value store
  • Explicit API

Initial Proposal (cont’d.)
• Implementation
  • “Data nodes” in charge of tables; nodes attach
  • Receive updates and broadcast them back out
  • Limit values to atomic data types
  • Use existing libraries
  • Implement as a library
• Trading “magic” for better semantics and control
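The following is an added example, not Bro's code or the proposal's actual implementation, that sketches the semantics the two slides above describe: a "data node" owns the tables, attached nodes send it updates through an explicit put/get API and receive every update broadcast back, values are restricted to atomic types, and events are pushed to subscription groups by hierarchical topic. Peer names, topic strings and the table contents are constructed for illustration.

```python
# Added example (not Bro's code): a model of the proposed communication layer.
# A data node owns tables, attached peers send it updates, and it broadcasts
# each update back out; events are routed by topic prefix to subscription groups.
from collections import defaultdict
from typing import Any, Dict, List, Set, Tuple

# The proposal limits stored values to atomic data types.
ATOMIC_TYPES = (bool, int, float, str, bytes)


class Peer:
    """A Bro-like node that attaches to a data node (worker, manager, ...)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.events: List[Tuple[str, str, tuple]] = []               # (topic, event, args)
        self.replica: Dict[str, Dict[str, Any]] = defaultdict(dict)  # local copy of tables

    def on_event(self, topic: str, event: str, args: tuple) -> None:
        self.events.append((topic, event, args))

    def on_update(self, table: str, key: str, value: Any) -> None:
        self.replica[table][key] = value


class DataNode:
    """Owns the authoritative tables and routes events to subscribers."""

    def __init__(self) -> None:
        self.tables: Dict[str, Dict[str, Any]] = defaultdict(dict)
        self.peers: Dict[str, Peer] = {}
        self.subscriptions: Dict[str, Set[str]] = defaultdict(set)  # topic prefix -> peers

    def attach(self, peer: Peer) -> None:
        """Attach a node and bring its replica up to date with the current state."""
        self.peers[peer.name] = peer
        for table, entries in self.tables.items():
            for key, value in entries.items():
                peer.on_update(table, key, value)

    def subscribe(self, peer: Peer, topic_prefix: str) -> None:
        """Join a subscription group; '/'-separated prefixes form the hierarchy."""
        self.subscriptions[topic_prefix].add(peer.name)

    def publish(self, topic: str, event: str, *args: Any) -> int:
        """Push an event to every peer whose subscription prefix covers the topic.
        Returns the number of peers it was delivered to."""
        targets: Set[str] = set()
        for prefix, names in self.subscriptions.items():
            if topic == prefix or topic.startswith(prefix + "/"):
                targets |= names
        for name in targets:
            self.peers[name].on_event(topic, event, args)
        return len(targets)

    def put(self, table: str, key: str, value: Any) -> None:
        """Explicit store API replacing &synchronized: validate the value type,
        apply it at the data node, then broadcast the update to every peer."""
        if not isinstance(value, ATOMIC_TYPES):
            raise TypeError(f"{table}[{key}]: non-atomic value of type {type(value).__name__}")
        self.tables[table][key] = value
        for peer in self.peers.values():
            peer.on_update(table, key, value)

    def get(self, table: str, key: str, default: Any = None) -> Any:
        return self.tables[table].get(key, default)


def demo() -> Tuple[int, Any, int]:
    """Constructed setup: one data node, two workers and a manager."""
    master = DataNode()
    worker1, worker2, manager = Peer("worker-1"), Peer("worker-2"), Peer("manager")
    for peer in (worker1, worker2, manager):
        master.attach(peer)
    master.subscribe(manager, "bro/notice")        # manager wants every notice
    master.subscribe(worker1, "bro/notice/ssh")    # worker-1 only SSH notices
    delivered = master.publish("bro/notice/ssh", "SSH::Password_Guessing", "10.0.0.5")
    master.put("known_hosts", "10.0.0.5", True)    # update reaches every replica
    return delivered, worker2.replica["known_hosts"]["10.0.0.5"], len(worker2.events)
```

The point of the explicit API is visible in `put`: the type check and the broadcast happen at one well-defined place, instead of being implied by an attribute on a script variable, and a peer that attaches late is synced from the authoritative tables rather than from whatever a proxy happened to see.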
Giving Bro Control over the Network

Objectives
• Bro controls what it sees
  • Adapt the front-end load-balancing
• Bro controls what the network does
  • Block, steer, shape
Science DMZs
(figure: Science DMZ topologies with 100G and 10/100G links; source: ESnet)

Science DMZ
(figure: 100GE border router and 100G switch exposing an API, a load-balancer feeding a 10GE Bro cluster, and a control path from the Bro cluster back to the switch and load-balancer)
Transparent Script Interface
• Packet Acquisition
  • drop(entity)
  • sample(entity)
  • notify(entity, cond)
• Packet Control
  • drop(entity)
  • sample(entity)
  • throttle(entity)
  • redirect(entity, destination)

Transparent Script Interface (cont’d.)
• “Entity” could be very different things ...
• Plugins implement what hardware supports
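As an added example (not Bro's code and not the interface the talk eventually shipped), here is one way the two slides above fit together: entities of different kinds, a script-facing interface with the listed operations, and backend plugins that each declare which operations they support for which entity types. The plugin names, their capability sets and the validation rules are illustrative assumptions.

```python
# Added example (not Bro's code): the script-level control interface above,
# with plugins declaring which operations they support for which entity types.
# Plugin names, capability sets and validation rules are illustrative assumptions.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Any, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Address:
    ip: str

@dataclass(frozen=True)
class Subnet:
    cidr: str

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


class Plugin:
    """A backend: `supports` maps an operation to the entity types its hardware handles."""
    def __init__(self, name: str, supports: Dict[str, Set[type]]) -> None:
        self.name = name
        self.supports = supports
        self.applied: List[Tuple[str, Any, Dict[str, Any]]] = []  # audit trail of actions

    def can(self, op: str, entity: Any) -> bool:
        return type(entity) in self.supports.get(op, set())

    def apply(self, op: str, entity: Any, **params: Any) -> str:
        self.applied.append((op, entity, params))  # a real plugin would program the device
        return self.name


class Control:
    """Transparent script interface: each call goes to the first plugin able to do it."""
    def __init__(self, plugins: List[Plugin]) -> None:
        self.plugins = plugins

    @staticmethod
    def _validate(entity: Any) -> None:
        """Reject malformed entities before they reach hardware."""
        if isinstance(entity, Address):
            ip_address(entity.ip)
        elif isinstance(entity, Subnet):
            ip_network(entity.cidr, strict=True)  # raises if host bits are set
        elif isinstance(entity, Flow):
            ip_address(entity.src)
            ip_address(entity.dst)
            if not 0 <= entity.dport <= 65535:
                raise ValueError(f"bad port {entity.dport}")
        else:
            raise TypeError(f"unknown entity type {type(entity).__name__}")

    def _dispatch(self, op: str, entity: Any, **params: Any) -> str:
        self._validate(entity)
        for plugin in self.plugins:
            if plugin.can(op, entity):
                return plugin.apply(op, entity, **params)
        raise NotImplementedError(f"no plugin supports {op} on {type(entity).__name__}")

    def drop(self, entity: Any) -> str:
        return self._dispatch("drop", entity)

    def sample(self, entity: Any, rate: int) -> str:
        return self._dispatch("sample", entity, rate=rate)

    def throttle(self, entity: Any, kbps: int) -> str:
        return self._dispatch("throttle", entity, kbps=kbps)

    def redirect(self, entity: Any, destination: str) -> str:
        ip_address(destination)
        return self._dispatch("redirect", entity, destination=destination)

    def capabilities(self) -> Dict[str, Set[str]]:
        """What the deployed backends can do, per operation, as seen from the script layer."""
        caps: Dict[str, Set[str]] = defaultdict(set)
        for plugin in self.plugins:
            for op, types in plugin.supports.items():
                caps[op] |= {t.__name__ for t in types}
        return dict(caps)


def demo() -> Tuple[str, str, str, str]:
    """Two made-up backends: a switch API and a load-balancer with different capabilities."""
    switch = Plugin("switch", {"drop": {Flow, Subnet}, "redirect": {Flow}})
    balancer = Plugin("load-balancer", {"sample": {Subnet, Address}, "drop": {Address}})
    ctl = Control([switch, balancer])
    a = ctl.drop(Flow("10.0.0.5", "192.168.1.10", "tcp", 22))
    b = ctl.drop(Address("10.0.0.5"))
    c = ctl.sample(Subnet("10.0.0.0/24"), rate=100)
    try:
        ctl.throttle(Address("10.0.0.5"), kbps=100)
        d = "throttled"
    except NotImplementedError:
        d = "unsupported"   # nothing deployed can shape traffic; the script learns that
    return a, b, c, d
```

The script sees one `drop()` regardless of whether a switch or a load-balancer ends up enforcing it; an operation the hardware cannot perform fails loudly at dispatch time rather than silently doing nothing, and `capabilities()` lets a policy script check what it can rely on before it commits to a response.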
Security Monitoring for Industrial Control Systems

Industrial Control Systems
• Critical resources, yet lacking in protection
  • Often legacy hardware that is hard to protect
  • Not built with security in mind
• Classic IDS is not a good fit
  • Attacks rare / unknown
  • Behavioral approaches don’t take context into account
Industrial Control Systems (cont’d.)
• Significant potential through incorporating semantics
  • Understand protocols Bro-style
  • Create visibility
  • Develop models of what we should be seeing
• Anomaly detection could actually work here

First steps ...
• Protocol support in 2.2
  • Modbus
  • DNP3
• Only basic script analysis so far

Research Thrusts (1)
• Measurement study: What do we see?
  • Actors, workloads, cross-site characterization
  • As we do that, extend Bro’s logging
• Environments
  • Municipal water and gas plants
  • Campus power plant
  • Building automation at a large research lab
  • Looking for more ...

Research Thrusts (2)
• Semantic models for monitoring
  • Statistical profiling
  • Summary statistics framework
  • Power grid state model
  • PLC memory maps
PLC Memory Maps
• Categorize registers
  • Constant, attribute, continuous
• Derive predictive models
• ... and validate them
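The slide above lists the three steps without showing them; the following added example (not from the talk and not Bro's code) runs them on a constructed history of three Modbus holding registers: classify each register as constant, attribute or continuous from how often and into how many distinct values it changes, derive a per-category predictive model, and validate the model on held-out polls. The register names, value series and the classification thresholds are assumptions for illustration, not measurements from a plant.

```python
# Added example (not from the talk or from Bro): a small version of the PLC
# memory-map approach. It classifies each polled register from its value history,
# derives a predictive model per category and validates it on held-out polls.
import statistics
from typing import Any, Dict, List, Tuple

# Constructed sample: one value per Modbus holding register per polling cycle.
SERIES: Dict[str, List[int]] = {
    "HR40001": [1200] * 60,                                # set-point never written
    "HR40002": [0] * 20 + [1] * 25 + [0] * 15,             # pump mode: rare, discrete changes
    "HR40003": [500 + (i * 7) % 40 for i in range(60)],    # pressure: changes every cycle
}


def classify(values: List[int], max_changes: int = 5, max_distinct: int = 8) -> str:
    """Categorize a register: constant, attribute (rare discrete changes) or continuous.
    The thresholds are assumptions; a real deployment tunes them per plant."""
    changes = sum(1 for a, b in zip(values, values[1:]) if a != b)
    distinct = len(set(values))
    if changes == 0:
        return "constant"
    if changes <= max_changes and distinct <= max_distinct:
        return "attribute"
    return "continuous"


def build_model(values: List[int], category: str, k: float = 3.0) -> Dict[str, Any]:
    """Derive a predictive model from training polls: constants must not change,
    attributes must stay within the seen value set, continuous registers within
    mean +/- k standard deviations (k is an assumption)."""
    if category == "constant":
        return {"type": "constant", "value": values[0]}
    if category == "attribute":
        return {"type": "attribute", "values": set(values)}
    mean = statistics.mean(values)
    sd = statistics.pstdev(values)
    return {"type": "range", "lo": mean - k * sd, "hi": mean + k * sd}


def conforms(model: Dict[str, Any], value: int) -> bool:
    """True if a new poll matches the model; False is an anomaly worth a notice."""
    if model["type"] == "constant":
        return value == model["value"]
    if model["type"] == "attribute":
        return value in model["values"]
    return model["lo"] <= value <= model["hi"]


def validate(model: Dict[str, Any], values: List[int]) -> float:
    """Fraction of held-out polls the model accepts (near 1.0 on benign data)."""
    return sum(conforms(model, v) for v in values) / len(values)


def train_and_validate(series: Dict[str, List[int]],
                       split: float = 0.7) -> Dict[str, Tuple[str, float]]:
    """Classify and model each register on the first `split` of its history,
    then validate on the remainder. Returns {register: (category, acceptance)}."""
    results: Dict[str, Tuple[str, float]] = {}
    for reg, values in series.items():
        n = int(len(values) * split)
        train, test = values[:n], values[n:]
        category = classify(train)
        model = build_model(train, category)
        results[reg] = (category, validate(model, test))
    return results


def models(series: Dict[str, List[int]]) -> Dict[str, Dict[str, Any]]:
    """Models over the full history, for use against live polls."""
    return {reg: build_model(vals, classify(vals)) for reg, vals in series.items()}
```

A write that turns the constant register HR40001 into 1201, or pushes the mode register HR40002 to a value never seen, is rejected by `conforms` immediately, while the continuous pressure register tolerates normal variation; the validation step is what tells you whether the thresholds are tight enough to be useful and loose enough not to drown the operator in notices.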
Parallelism on Concurrent Architectures

Concurrent Analysis
(figure: today's pipeline; packets -> event engine (protocol decoding) -> events -> policy script interpreter (network analysis logic) -> logs and notification)

Architecture
(figure: proposed concurrent pipeline; packet dispatcher on the NIC -> event engine threads -> events -> detection logic dispatcher -> script threads (scripting language) -> notification)
A High-Level Intermediary Language for Traffic Inspection
• Requirements
  • Domain-specific data types
  • State management
  • Concurrent analysis
  • Real-time performance
  • Robust/secure execution
  • High-level standard components
• New platform: abstract machine
  • First-class networking types built in
  • Containers with state management support
  • Domain-specific concurrency model
  • Scalability through parallelization
  • Well-defined, contained execution environment
  • Platform for building high-level, reusable functionality on
  • Timers can drive execution
  • Support for incremental processing
  • Compilation to native code
  • Static type system and robust error handling
  • Extensive optimization potential

A High-Level Intermediary Language for Traffic Inspection
(figure: HILTI toolchain)
Research Questions
• How to identify state dependencies?
  • Static program analysis to drive scheduling
• How to leverage hardware capabilities?
  • E.g., network processors, hardware lookup modules

HILTI enables more ...
• BinPAC++
• Demo

Robin Sommer
• International Computer Science Institute & Lawrence Berkeley National Laboratory
• robin@icsi.berkeley.edu
• http://www.icir.org/robin