Fall Extension Project
Initial Brief Meeting
Martin Q. Zhao
August 28, 2010
Summer Research – An Overview
• Title: Knowledge Representation & Reasoning for Impact/Threat Assessment in Cyber Situation Awareness Systems
• Objective: Enhancing the SITA system
  • Find ways to model domain knowledge
  • Develop a tool for VT creation/modification
• Collaborators:
  • Dr. John Salerno
  • Mike Manno
  • Jimmy Swistak
  • Warren Geiler
Cyber SA Model
• Endsley’s model:
  • Perception
  • Comprehension
  • Projection
• JDL model:
  • Level 0: Source Preprocessing/subobject refinement
  • Level 1: Object refinement
  • Level 2: Situation refinement
  • Level 3: Impact Assessment
  • Level 4: Process Refinement
Virtual Terrain
The virtual terrain (VT) is a graphical representation of a computer network that carries the information relevant to a security analysis of that network, including:
• Mission
• Hosts & Subnets
• Services & exposures
• Routers, sensors & firewalls
• Physical & wireless links
• Users
TIA Procedures Using VT
• Projecting promising futures & assessing threats
• Assessing impacts on missions
• Tracking relevant attack events
• Attack detection using IDS
Problems to Solve
• Amount of data is huge
  • A computer network can have hundreds of machines, thousands of software applications and user accounts
  • Known vulnerabilities are in the thousands, and the number is ever growing
• XML files are used: they can contain redundant data
  • Harm efficiency
  • Cause well-known anomalies
    • Insertion
    • Deletion
    • Update
• Tools need to be developed to feed SITA with data
Relational Data Model – VT
(Diagram of the entity groups in the VT relational model: S/W, H/W, Link & Policy, Exposure)
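To make the previous two slides concrete, the following is an added example (my own code, not the SITA project's data model) of a small relational VT schema in SQLite covering hosts, installed software, and exposures. All host names, CPE names, CVE ids and CVSS scores are constructed placeholders. The point it demonstrates is the one the "Problems to Solve" slide makes: when every product and exposure fact is stored once and referenced by key, a lookup is a join and a correction is a single UPDATE, whereas a per-host XML layout that repeats the product data on every host invites insertion, deletion and update anomalies.

```python
import sqlite3

# Constructed sample data (not from the SITA project): hosts from a small
# virtual terrain, the software installed on them, and exposures keyed by CPE
# name. CVE ids and CVSS scores are placeholders, not real records.
HOSTS = [("web01", "10.0.1.10"), ("web02", "10.0.1.11"), ("file01", "10.0.2.20")]
SOFTWARE = [("cpe:/o:microsoft:windows_7", "Microsoft Windows 7"),
            ("cpe:/o:microsoft:windows_vista", "Microsoft Windows Vista")]
INSTALLED = [("web01", "cpe:/o:microsoft:windows_7"),
             ("web02", "cpe:/o:microsoft:windows_7"),
             ("file01", "cpe:/o:microsoft:windows_vista")]
EXPOSURES = [("CVE-0000-0001", "cpe:/o:microsoft:windows_7", 9.3),
             ("CVE-0000-0001", "cpe:/o:microsoft:windows_vista", 9.3),
             ("CVE-0000-0002", "cpe:/o:microsoft:windows_vista", 4.3)]

# Each fact lives in exactly one row: a product is described once in `software`
# and referenced by key from `host_software` and `exposure`, so there is no
# per-host copy of product or vulnerability data to keep in sync.
SCHEMA = """
CREATE TABLE host (
    name TEXT PRIMARY KEY,
    ip   TEXT NOT NULL
);
CREATE TABLE software (
    cpe   TEXT PRIMARY KEY,
    title TEXT NOT NULL
);
CREATE TABLE host_software (
    host TEXT NOT NULL REFERENCES host(name),
    cpe  TEXT NOT NULL REFERENCES software(cpe),
    PRIMARY KEY (host, cpe)
);
CREATE TABLE exposure (
    cve  TEXT NOT NULL,
    cpe  TEXT NOT NULL REFERENCES software(cpe),
    cvss REAL,
    PRIMARY KEY (cve, cpe)
);
"""

def build_vt_db():
    """Create an in-memory VT database and load the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO host VALUES (?, ?)", HOSTS)
    conn.executemany("INSERT INTO software VALUES (?, ?)", SOFTWARE)
    conn.executemany("INSERT INTO host_software VALUES (?, ?)", INSTALLED)
    conn.executemany("INSERT INTO exposure VALUES (?, ?, ?)", EXPOSURES)
    conn.commit()
    return conn

def hosts_exposed_to(conn, cve):
    """Hosts running any product affected by `cve`, with the CVSS score:
    the lookup is a pair of joins rather than a scan of nested XML."""
    rows = conn.execute(
        """SELECT DISTINCT h.name, h.ip, e.cvss
             FROM exposure e
             JOIN host_software hs ON hs.cpe = e.cpe
             JOIN host h           ON h.name = hs.host
            WHERE e.cve = ?
            ORDER BY h.name""", (cve,))
    return rows.fetchall()

def rename_product(conn, cpe, new_title):
    """Correct a product title once; returns the number of rows touched (1).
    In a per-host XML layout the same fix would have to be repeated on every
    host that lists the product, which is the update anomaly the slide names."""
    cur = conn.execute("UPDATE software SET title = ? WHERE cpe = ?", (new_title, cpe))
    conn.commit()
    return cur.rowcount

def installed_titles(conn, host):
    """Product titles installed on `host`, read through the shared software row."""
    rows = conn.execute(
        """SELECT s.title FROM host_software hs
             JOIN software s ON s.cpe = hs.cpe
            WHERE hs.host = ? ORDER BY s.title""", (host,))
    return [r[0] for r in rows]

def retire_host(conn, host):
    """Deleting a host removes only its own rows; product and exposure facts
    survive (no deletion anomaly). Returns the surviving software row count."""
    conn.execute("DELETE FROM host_software WHERE host = ?", (host,))
    conn.execute("DELETE FROM host WHERE name = ?", (host,))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM software").fetchone()[0]

if __name__ == "__main__":
    db = build_vt_db()
    print(hosts_exposed_to(db, "CVE-0000-0001"))
    rename_product(db, "cpe:/o:microsoft:windows_7", "Microsoft Windows 7 (all editions)")
    print(installed_titles(db, "web02"))
```

The `PRAGMA foreign_keys = ON` line matters: SQLite ignores REFERENCES clauses unless it is set, and with it on the database refuses the half-done deletions that leave dangling host_software rows.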
Mission Map Editor – Requirements
• Requirements modeling w/ a use-case diagram
• (Type of) User: SA Operator
• System Functions:
  • Access data in file/DB
  • Display a mission tree
  • Create a mission tree
  • Modify a mission tree
  • Save changes to file/DB
Mission Map Editor – Tree creation
1. File | New
2. Top mission
3. Add more
4. Set criticality
5. Assign assets
6. File | Save
Mission Map Editor – Architecture
(Diagram of the editor's components: XML, Mission Map Model, VT Model, DB)
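The six tree-creation steps and the XML/model split on the architecture slide, as an added example written for this page (not the MissionMapEditor's own code). It builds a mission tree through the same steps the slide lists, saves it as XML, reloads it, and answers the impact question from the "TIA Procedures" slide: which missions depend on a given VT asset? The XML layout, the 1-to-5 criticality scale, the mission and host names, and the impact rule (highest criticality among the missions that use the asset directly) are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

class Mission:
    """A node of the mission tree: a name, a criticality set by the operator,
    sub-missions, and the VT assets (host names) assigned directly to it."""

    def __init__(self, name, criticality=1):
        self.name = name
        self.criticality = criticality  # constructed 1 (low) .. 5 (high) scale
        self.children = []
        self.assets = []

    def add(self, name, criticality=1):
        """Step 3: add a sub-mission and return it for further editing."""
        child = Mission(name, criticality)
        self.children.append(child)
        return child

def save_xml(top):
    """Step 6: serialise the tree to the XML the editor persists (assumed layout)."""
    def emit(m, parent):
        el = ET.SubElement(parent, "mission", name=m.name, criticality=str(m.criticality))
        for a in m.assets:
            ET.SubElement(el, "asset", name=a)
        for c in m.children:
            emit(c, el)
    root = ET.Element("missionmap")
    emit(top, root)
    return ET.tostring(root, encoding="unicode")

def load_xml(text):
    """Read a saved mission map back into Mission objects."""
    def parse(el):
        m = Mission(el.get("name"), int(el.get("criticality", "1")))
        for child in el:
            if child.tag == "asset":
                m.assets.append(child.get("name"))
            elif child.tag == "mission":
                m.children.append(parse(child))
        return m
    return parse(ET.fromstring(text).find("mission"))

def missions_using(m, asset):
    """Every mission that depends on `asset`, directly or through a sub-mission,
    listed top-down; empty if the asset is not in this subtree."""
    below = [hit for c in m.children for hit in missions_using(c, asset)]
    if asset in m.assets or below:
        return [m] + below
    return []

def impact_level(top, asset):
    """Highest criticality among the missions that use the asset directly
    (an assumed, simple rule standing in for SITA's impact assessment)."""
    direct = [m.criticality for m in missions_using(top, asset) if asset in m.assets]
    return max(direct, default=0)

def build_example_map():
    """Walk the six editing steps on the slide with constructed content."""
    top = Mission("Order processing", criticality=5)        # steps 1-2: new map, top mission
    web = top.add("Customer web portal", criticality=4)     # step 3: add more missions
    sync = top.add("Inventory sync", criticality=3)
    report = top.add("Reporting", criticality=1)            # step 4: criticality set above
    web.assets += ["web01", "web02"]                        # step 5: assign VT assets
    sync.assets.append("file01")
    report.assets.append("file01")
    return top

if __name__ == "__main__":
    saved = save_xml(build_example_map())                   # step 6: File | Save
    print(saved)
    tree = load_xml(saved)
    print([m.name for m in missions_using(tree, "file01")], impact_level(tree, "file01"))
```

Keeping the in-memory model separate from its XML form is what lets the same tree be populated from a file or from the VT database, which is the split the architecture slide draws.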
Vulnerability Lookup – Overview
• What is a vulnerability?
• What is an exposure?
• How is it stored in NVD?
• What is CVE?
• What is CPE?
• How are they related to SITA?

National Vulnerability Database (NVD) contains:

Common Vulnerabilities and Exposures (CVE)
  <entry id="CVE-2010-0278">
    … …
    <cpe-lang:logical-test negate="false" operator="OR">
      <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_7"/>
      <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_vista"/>
    … …
  </entry>

Common Platform Enumeration (CPE)
  <cpe-item name="cpe:/o:microsoft:windows_7">
    <title xml:lang="en-US">Microsoft Windows 7</title>
    … …
  </cpe-item>
Vulnerability Lookup – Prototype
(Screenshot of the prototype, annotated: 0 Load files; A CVSS Rating; B Apps affected; C Exposure)
Vulnerability Lookup – Ideal ways
(Figure showing a lookup for cpe:/o:microsoft:windows_7)
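The three vulnerability-lookup slides describe reading CVE entries (with their cpe-lang logical-tests) and CPE dictionary items, then answering "which hosts are exposed, to what, with what CVSS rating" keyed by CPE name. The following is an added example, my own code rather than the VulnerabilityTracker prototype, that does exactly that on constructed feed fragments shaped like the ones on the Overview slide. The CVE ids and scores are placeholders; the namespace URIs are the ones I recall for the NVD 2.0 feed and CPE dictionary and are an assumption, which is why the parser matches local tag names only; the `vulnerable-configuration` wrapper around the logical-test is likewise assumed. It goes a little beyond the slide by evaluating AND/OR and `negate`, and by treating a fact-ref as a CPE 2.2 prefix so that `cpe:/o:microsoft:windows_7` matches a host recorded as `cpe:/o:microsoft:windows_7:-:sp1`.

```python
import xml.etree.ElementTree as ET

# Constructed fragments in the shape of the NVD CVE feed entry and CPE
# dictionary item on the slide. Namespace URIs are assumed (recalled from the
# NVD 2.0 feed and CPE dictionary); the parser matches local tag names, so it
# works even if they differ. CVE ids and CVSS scores are placeholders.
NVD_FEED = """<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
     xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4"
     xmlns:cpe-lang="http://cpe.mitre.org/language/2.0"
     xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2">
  <entry id="CVE-0000-0001">
    <vuln:vulnerable-configuration id="vc-1">
      <cpe-lang:logical-test negate="false" operator="OR">
        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_7"/>
        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_vista"/>
      </cpe-lang:logical-test>
    </vuln:vulnerable-configuration>
    <vuln:cvss><cvss:base_metrics><cvss:score>9.3</cvss:score></cvss:base_metrics></vuln:cvss>
  </entry>
  <entry id="CVE-0000-0002">
    <vuln:vulnerable-configuration id="vc-2">
      <cpe-lang:logical-test negate="false" operator="AND">
        <cpe-lang:fact-ref name="cpe:/a:example:editor:2.0"/>
        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_7"/>
      </cpe-lang:logical-test>
    </vuln:vulnerable-configuration>
    <vuln:cvss><cvss:base_metrics><cvss:score>6.8</cvss:score></cvss:base_metrics></vuln:cvss>
  </entry>
</nvd>"""

CPE_DICT = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <cpe-item name="cpe:/o:microsoft:windows_7"><title xml:lang="en-US">Microsoft Windows 7</title></cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_vista"><title xml:lang="en-US">Microsoft Windows Vista</title></cpe-item>
  <cpe-item name="cpe:/a:example:editor:2.0"><title xml:lang="en-US">Example Editor 2.0</title></cpe-item>
</cpe-list>"""

# Constructed host inventories (CPE names as the VT would record them).
HOST_A = {"cpe:/o:microsoft:windows_7:-:sp1", "cpe:/a:example:editor:2.0"}
HOST_B = {"cpe:/o:microsoft:windows_vista", "cpe:/a:example:editor:2.0"}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def cpe_matches(pattern, name):
    """CPE 2.2 URI prefix match: each component in the pattern must equal the
    same component of the name; a shorter pattern matches more specific names."""
    p, n = pattern.split(":"), name.split(":")
    return len(p) <= len(n) and all(a == b for a, b in zip(p, n))

def evaluate(test, installed):
    """Evaluate a cpe-lang logical-test against a host's installed CPE names,
    honouring nested tests, AND/OR, and negate."""
    results = []
    for child in test:
        kind = local(child.tag)
        if kind == "fact-ref":
            results.append(any(cpe_matches(child.get("name"), c) for c in installed))
        elif kind == "logical-test":
            results.append(evaluate(child, installed))
    value = all(results) if test.get("operator", "OR").upper() == "AND" else any(results)
    return not value if test.get("negate", "false").lower() == "true" else value

def parse_logical_test(xml_text):
    """Parse a stand-alone logical-test fragment (useful for unit tests)."""
    return ET.fromstring(xml_text)

def parse_nvd(xml_text):
    """One record per CVE entry: id, its top-level logical-tests, CVSS base score."""
    vulns = []
    for entry in ET.fromstring(xml_text).iter():
        if local(entry.tag) != "entry":
            continue
        tests = [t for vc in entry.iter() if local(vc.tag) == "vulnerable-configuration"
                 for t in vc if local(t.tag) == "logical-test"]
        score = next((e.text for e in entry.iter() if local(e.tag) == "score"), None)
        vulns.append({"id": entry.get("id"), "tests": tests,
                      "cvss": float(score) if score is not None else None})
    return vulns

def parse_cpe_dictionary(xml_text):
    """Map CPE name -> product title from the dictionary."""
    titles = {}
    for item in ET.fromstring(xml_text).iter():
        if local(item.tag) == "cpe-item":
            titles[item.get("name")] = next((t.text for t in item if local(t.tag) == "title"), "")
    return titles

def exposures(vulns, installed):
    """CVEs (with CVSS) whose vulnerable configuration the host satisfies."""
    return [(v["id"], v["cvss"]) for v in vulns if any(evaluate(t, installed) for t in v["tests"])]

def affected_products(vulns, titles):
    """CVE -> titles of every product named in its configuration ('apps affected')."""
    out = {}
    for v in vulns:
        names = {fr.get("name") for t in v["tests"] for fr in t.iter() if local(fr.tag) == "fact-ref"}
        out[v["id"]] = sorted(titles.get(n, n) for n in names)
    return out

if __name__ == "__main__":
    vulns, titles = parse_nvd(NVD_FEED), parse_cpe_dictionary(CPE_DICT)
    print(exposures(vulns, HOST_A))
    print(affected_products(vulns, titles))
```

Matching on local tag names rather than the full namespaced tag is a deliberate choice: the feed and dictionary schemas have been revised more than once, and a lookup tool that hard-codes one namespace version silently returns nothing when the feed moves on, which is the kind of failure the "checking/updating CVE and CPE data feeds" item on the Future R&D slide has to guard against.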
Future R&D
• MissionMapEditor: Thorough testing and refactoring
• VulnerabilityTracker:
  • Research the processes of checking/updating CVE and CPE data feeds
  • Design a layered system architecture
  • Design and implement a GUI that organizes products by category (such as OS, apps, HW), vendor, product family, version, etc.
• Specifics of IDS (e.g. Snort) alerts and their mapping to CVE, as well as to SITA
• VT model generation using automatic scanning data
• Cyber situation visualization