A Mission-Centric Framework for Cyber Situational Awareness
Assessing the Risk Associated with Zero-day Vulnerabilities: Automated Methods for Efficient and Effective Analysis of the Zero-day Landscape
S. Jajodia, M. Albanese
George Mason University
ARO-MURI on Cyber-Situation Awareness Review Meeting, Phoenix, AZ, October 28-29, 2013
Where We Stand in the Project (project overview diagram)
• Cognitive Models & Decision Aids: Instance Based Learning Models; Simulation; Measures of SA & Shared SA
• Software: Sensors, probes; Hyper Sentry; Cruiser
• Data Conditioning, Association & Correlation: Information Aggregation & Fusion; Transaction Graph methods; Damage assessment
• Multi-Sensory Human Computer Interaction
• Automated Reasoning Tools: R-CAST; Plan-based narratives; Graphical models; Uncertainty analysis
• Computer network: Enterprise Model; Activity Logs; IDS reports; Vulnerabilities
• Real World System; Analysts; Computer network Test-bed
Quad Chart - Year 4
• Objectives: Improve Cyber Situation Awareness via
  • New efficient techniques for generating partial attack graphs on demand in order to enable effective analysis of zero-day vulnerabilities
  • A three-step process to assess the risk associated with zero-day vulnerabilities
  • A prototype of the probabilistic framework for unexplained activity analysis
• DoD Benefit:
  • Ability to answer some important questions automatically and efficiently
  • Reduced workload on the analysts
  • Reduced gap between raw security data and mental models
  • Improved decision support
• Major Accomplishments
  • Developed an efficient approach to assessing the risk of zero-day vulnerabilities (SECRYPT 2013) [Best Paper Award]
• Challenges
  • Analyzing zero-day vulnerabilities for very large networks
• Scientific/Technical Approach
  • Developing an exact algorithm for identifying lower bounds on the value of the k-zero-day safety metric
  • Developing a heuristic algorithm for identifying upper bounds on the value of the k-zero-day safety metric
  • Developing an efficient algorithm for calculating, under certain conditions, the exact value of k
  • Developing all the algorithms above in a way that they do not require the entire attack graph to be computed in advance
Overview of contribution – Year 1
• Technical accomplishments
  • A topological approach to vulnerability analysis that overcomes the drawbacks of traditional point-wise vulnerability analysis
  • Preliminary data structures and graph-based techniques and algorithms for processing alerts/sensory data
  • A novel security metric, k-zero-day safety, that counts at least how many zero-day vulnerabilities are required to compromise a network asset, and algorithms for applying the metric to harden a network
• Major breakthroughs
  • Capability of processing massive amounts of alerts/sensory data in real time
  • Capability of forecasting all possible futures, along with their probabilities and expected damage
  • Capability of hardening a network against zero-day vulnerabilities
Overview of contribution – Year 2
• Technical accomplishments
  • Generalized dependency graphs, which capture how network components depend on one another
  • Probabilistic temporal attack graphs, which encode probabilistic and temporal knowledge of the attacker’s behavior
  • Attack scenario graphs, which combine dependency and attack graphs, bridging the gap between known vulnerabilities and the services or missions that could ultimately be affected
  • Efficient algorithms for both detection and prediction
  • A preliminary model to identify “unexplained” cyber activities, i.e., activities incompatible with any given known activity model, thus potentially improving detection of zero-day attacks
• Major breakthroughs
  • Capability of generating and ranking future attack scenarios in real time
Overview of contribution – Year 3
• Technical accomplishments
  • An efficient and cost-effective algorithm to harden a network with respect to given security goals
  • A probabilistic framework for localizing attackers in mobile networks, based on the locations of nodes that have detected malicious activity in their neighborhood
  • A probabilistic framework for assessing the completeness and quality of available attack models, both at the intrusion detection level and at the alert correlation level (joint work with UMD and ARL)
  • A suite of novel techniques – enhancing NSDMiner – to automatically discover dependencies between network services from passively collected network traffic
  • Switchwall, an Ethernet-based network fingerprinting technique for detecting unauthorized changes to the L2/L3 network topology
• Major breakthroughs
  • Capability of automatically and efficiently executing several important analysis tasks, namely hardening, dependency analysis, and attacker localization
Overview of contribution – Year 4
• Technical accomplishments
  • Effective and efficient methods for generating partial attack graphs on demand in order to enable efficient analysis of zero-day vulnerabilities
  • A three-step process to assess the risk associated with zero-day vulnerabilities
  • A prototype of the probabilistic framework for unexplained activity analysis
• Major breakthroughs
  • Capability to reason about zero-day vulnerabilities and efficiently assess the risk associated with such vulnerabilities without generating the entire attack graph
Year 4 Statistics
• Publications & presentations
  • 2 papers published in peer-reviewed conference proceedings
  • Best paper award at SECRYPT 2013
  • 2 papers published in a peer-reviewed journal
  • 1 book chapter
  • 2 invited talks/lectures
• Supported personnel
  • 2 faculty
  • 2 postdoctoral researchers
  • 1 doctoral student
Proposed Solution: System Architecture (diagram)
• Analysis layer: Scenario Analysis & Visualization; Network Hardening; Zero-day Analysis; Unexplained Behavior Analysis; Dependency Analysis
• Vulnerability Databases: CVE; NVD; OSVD
• Tools: Cauldron (Topological Vulnerability Analysis); Switchwall; NSDMiner
• Models and data structures: Index & Data Structures; Graph Processing and Indexing; Stochastic Attack Models; Situation Knowledge Reference Model [Attack Scenario Graphs]; Generalized Dependency Graphs
• Inputs: Monitored Network; Alerts/Sensory Data
• Analyst
Zero-Day Analysis
M. Albanese, S. Jajodia, A. Singhal, and L. Wang. “An Efficient Approach to Assessing the Risk of Zero-Day Vulnerabilities”. In Proceedings of the 10th International Conference on Security and Cryptography (SECRYPT 2013), Reykjavík, Iceland, July 29-31, 2013. [Best Paper Award]
Background and Motivation (1/2)
• Computer systems are vulnerable to both known and zero-day attacks
  • Known attack patterns can be easily modeled
  • Suitable hardening strategies can be developed
  • Handling zero-day vulnerabilities is inherently difficult due to their unpredictable nature
• Attackers can leverage complex interdependencies among both known and unknown vulnerabilities and network configurations to penetrate seemingly well-guarded networks
• Attack graphs reveal such threats by enumerating potential paths that attackers can take to penetrate networks
Background and Motivation (2/2)
L. Wang, S. Jajodia, A. Singhal, and S. Noel, “k-zero day safety: Measuring the security risk of networks against unknown attacks”. In Proceedings of the 15th European Symposium on Research in Computer Security (ESORICS 2010), Springer, 2010
• Previous research has attempted to assess and quantify the risk associated with unknown attack patterns
  • The k-zero-day safety metric was defined
• Existing algorithms for computing the k-zero-day safety metric
  • are not scalable
  • assume that complete zero-day attack graphs have been generated, which may be unfeasible in practice for large networks
Example of Zero-Day Attack Graph (figure): host 0; host 1 (http, ssh); host 2 (ssh)
Contributions (1/2)
• We propose a set of efficient solutions to
  • address the limitations of current approaches
  • enable zero-day analysis of practical importance to be applied to networks of realistic sizes
• First, we consider the problem of deciding whether a given network asset is at least k-zero-day safe for a given value of k
  • We drop the assumption that a zero-day vulnerability graph has been pre-computed
  • We combine on-demand attack graph generation with the evaluation of k-zero-day safety
Contributions (2/2)
• Second, we identify an upper bound on the value of k
  • This is done using a heuristic algorithm that integrates attack graph generation and zero-day analysis
• Third, when the upper bound on k is below an admissible threshold, we compute the exact value of k
  • This phase reuses the previously computed partial attack graph
• To the best of our knowledge, this is the first attempt to define a comprehensive and efficient approach to zero-day analysis
Problem Statement (1/3)
• Problem 1 (Lower bound)
  • Given a network, a goal condition, and a small integer k, determine whether the network is k-zero-day safe with respect to the goal condition
• Our goal is to identify a lower bound on the value of k
• Analogous to the problem addressed in (Wang et al., 2010), but we do not assume the entire attack graph is available
• The network is defined in terms of initial conditions and known and unknown exploits
Problem Statement (2/3)
• Problem 2 (Upper bound)
  • Given a network and a goal condition, find an upper bound on the value of k with respect to the goal condition
• Our goal is to identify an upper bound on the value of k
• Using a heuristic approach, it is feasible to compute a good upper bound in polynomial time
• If the upper bound is below a threshold, it may then be feasible to compute the exact value of k
Problem Statement (3/3)
• Problem 3 (Exact value)
  • Given a network and a goal condition for which the value of k is known to be bounded, find the exact value of k
• In other words, when the value of k is known to be bounded and the upper bound is small enough, we compute the exact value of k by
  • leveraging the upper bound for pruning
  • reusing the partial attack graph generated during previous steps of the decision process
Overall Decision Process (flowchart): Start → first decision → No: Insufficient Security → Harden Network; Yes → second decision → No: Sufficient Security; Yes: Find exact → End
Problem 1: Proposed Solution
• We combine an exhaustive forward search of limited depth with partial attack graph generation
  • Only attack paths with up to k zero-day vulnerabilities are generated and evaluated using the metric
  • Connectivity information is used to hypothesize zero-day exploits and guide the generation of the graph
• Algorithm
  • Input: a set of initial conditions, a set of known and zero-day exploits, an integer k, and a goal condition
  • Output: a partial zero-day attack graph, and a truth value indicating whether the network is k-zero-day safe
Problem 2: Proposed Solution
• In order to avoid the exponential explosion of the search space, we propose a heuristic algorithm that, at each step, maintains only the best partial paths with respect to the metric
• The algorithm builds the attack graph forward, starting from the initial conditions
  • Input: a set of initial conditions (or a partial attack graph), a set of known and zero-day exploits, and a goal condition
  • Output: a partial zero-day attack graph, and an upper bound on the value of k
Problem 3: Proposed Solution
• Our solution consists in performing a forward search, similarly to the previous algorithms
• The search starts from the partial attack graphs computed in previous steps of the decision process
• Although the value of k is known to be no larger than the computed upper bound, there may still be many paths with more distinct zero-day vulnerabilities than that bound
• To limit the search space compared to a traditional forward search, and to avoid generating the entire attack graph, we use the upper bound computed by the heuristic algorithm to prune paths not leading to the solution
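The three steps above, worked through on a small constructed network loosely based on the host 0 / host 1 (http, ssh) / host 2 (ssh) example slide. This is an added illustration, not code from the paper or the project: step 1 is the depth-limited exhaustive forward search that only instantiates paths with at most k distinct zero-days; step 2 is a beam search that keeps the best partial paths by number of distinct zero-days and returns the first goal state found as an upper bound; step 3 is a branch-and-bound forward search seeded with that bound. The exploit model (a zero-day is identified by the vulnerable product, so one zero-day reused on two hosts running the same product counts once), the product names httpd/sshA/sshB, the single known local privilege escalation, the convention that a network is k-zero-day safe when no path with at most k distinct zero-days reaches the goal, and the beam width are all assumptions of this example.

```python
"""Three-step k-zero-day safety analysis on a constructed network (added example)."""
from collections import deque
from dataclasses import dataclass
from typing import FrozenSet, Iterator, List, Optional, Set, Tuple

Condition = Tuple[str, ...]
State = Tuple[FrozenSet[Condition], FrozenSet[str]]  # (conditions that hold, distinct zero-days used)


@dataclass(frozen=True)
class Exploit:
    name: str
    pre: FrozenSet[Condition]   # conditions that must already hold
    post: FrozenSet[Condition]  # conditions the exploit establishes
    zero_day: Optional[str]     # vulnerability it relies on; None means a known, disclosed exploit


# Constructed topology loosely following the slide's host 0 / host 1 (http, ssh) / host 2 (ssh).
CONNECTIVITY = [("h0", "h1", "http"), ("h0", "h1", "ssh"), ("h1", "h2", "ssh")]
GOAL: Condition = ("root", "h2")


def build_network(same_ssh_product: bool) -> Tuple[FrozenSet[Condition], List[Exploit]]:
    """Initial conditions plus known and hypothesized zero-day exploits (assumed model).
    One zero-day exploit is hypothesized per (src, dst, service) connectivity edge; the
    zero-day is named after the product, so a shared ssh product means one shared zero-day."""
    initial = frozenset({("conn",) + edge for edge in CONNECTIVITY} | {("user", "h0")})
    product = {("h1", "http"): "httpd", ("h1", "ssh"): "sshA",
               ("h2", "ssh"): "sshA" if same_ssh_product else "sshB"}
    exploits = [Exploit(f"zd_{svc}_{src}_{dst}",
                        frozenset({("conn", src, dst, svc), ("user", src)}),
                        frozenset({("user", dst)}), f"zd_{product[(dst, svc)]}")
                for src, dst, svc in CONNECTIVITY]
    # Known local privilege escalation on h2: this step needs no zero-day.
    exploits.append(Exploit("lpe_h2_known", frozenset({("user", "h2")}), frozenset({GOAL}), None))
    return initial, exploits


def successors(state: State, exploits: List[Exploit]) -> Iterator[Tuple[Exploit, State]]:
    """Exploits enabled in `state` that establish something new (attack graphs are monotonic)."""
    conds, zds = state
    for e in exploits:
        if e.pre <= conds and not e.post <= conds:
            new_zds = (zds | frozenset([e.zero_day])) if e.zero_day else zds
            yield e, (conds | e.post, new_zds)


def is_k_zero_day_safe(initial, exploits, goal, k) -> Tuple[bool, Set[str]]:
    """Problem 1: exhaustive forward search of limited depth. Only paths using at most k
    distinct zero-days are instantiated; the network is k-zero-day safe iff none reaches goal."""
    start: State = (initial, frozenset())
    seen, queue, partial_graph = {start}, deque([start]), set()
    while queue:
        conds, zds = queue.popleft()
        if goal in conds:
            return False, partial_graph
        for e, nxt in successors((conds, zds), exploits):
            if len(nxt[1]) > k or nxt in seen:
                continue  # prune: more distinct zero-days than allowed, or already explored
            seen.add(nxt)
            partial_graph.add(e.name)  # exploit instances generated so far (the partial graph)
            queue.append(nxt)
    return True, partial_graph


def upper_bound(initial, exploits, goal, beam=1) -> Tuple[Optional[int], Set[str]]:
    """Problem 2: heuristic forward search keeping only the `beam` best partial paths
    (fewest distinct zero-days, then most conditions). The first goal state found yields
    an upper bound on k0d, not necessarily its minimum."""
    frontier: List[State] = [(initial, frozenset())]
    seen, partial_graph = set(frontier), set()
    while frontier:
        for conds, zds in frontier:
            if goal in conds:
                return len(zds), partial_graph
        candidates = []
        for state in frontier:
            for e, nxt in successors(state, exploits):
                if nxt not in seen:
                    seen.add(nxt)
                    partial_graph.add(e.name)
                    candidates.append(nxt)
        candidates.sort(key=lambda s: (len(s[1]), -len(s[0])))
        frontier = candidates[:beam]
    return None, partial_graph  # goal unreachable with the hypothesized exploits


def exact_k0d(initial, exploits, goal, bound) -> int:
    """Problem 3: forward search with branch-and-bound pruning. A partial path that already
    uses as many distinct zero-days as the best known bound cannot improve on it."""
    best, start = bound, (initial, frozenset())
    stack, seen = [start], {start}
    while stack:
        conds, zds = stack.pop()
        if goal in conds:
            best = min(best, len(zds))
            continue
        for _, nxt in successors((conds, zds), exploits):
            if len(nxt[1]) < best and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return best


def decision_process(initial, exploits, goal, k, threshold, beam=1) -> dict:
    """Overall decision process: step 1 decides k-zero-day safety; if safe, step 2 bounds
    k0d from above; if the bound is below the analyst's threshold, step 3 computes k0d."""
    safe, _ = is_k_zero_day_safe(initial, exploits, goal, k)
    if not safe:
        return {"verdict": "insufficient security: harden network"}
    ub, _ = upper_bound(initial, exploits, goal, beam)
    if ub is None or ub >= threshold:
        return {"verdict": "sufficient security", "upper_bound": ub}
    return {"verdict": "exact value computed", "upper_bound": ub,
            "k0d": exact_k0d(initial, exploits, goal, ub)}


if __name__ == "__main__":
    for same in (False, True):
        init, ex = build_network(same)
        print("same ssh product:", same, decision_process(init, ex, GOAL, k=1, threshold=3))
```

Running the block shows why the heuristic result is only an upper bound: when both hosts run the same ssh product, a beam of width 1 follows the http hop first and reports 2, while a beam of width 2 or the exact step finds that a single ssh zero-day reused on both hops suffices (k0d = 1). With distinct ssh products the exact value is 2, and step 1 with k = 1 instantiates only 2 of the 4 exploits before declaring the network 1-zero-day safe, which is the partial-graph saving the slides describe.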
Experiments
• The objective of our experiments was three-fold
  • We evaluated the performance of the proposed algorithms in terms of processing time
    • The algorithms are efficient enough to be practical
  • We evaluated the percentage of nodes included in the generated partial attack graph compared to the full attack graph
    • This shows the benefits in terms of both time and storage
  • We evaluated the accuracy of the estimates made by the heuristic algorithm compared to the exact results obtained using a brute-force approach
(Chart) Processing Time
(Chart) Percentage of Nodes
(Chart) Processing Time
(Chart) Percentage of Nodes
(Chart) Approximation Ratio
Conclusions
• We studied the problem of efficiently estimating the k-zero-day safety of networks
• We presented three polynomial algorithms for establishing lower and upper bounds on k and for calculating the actual value of k, while generating only partial attack graphs on demand
• Experimental results confirm their efficiency and effectiveness
• Although we focused on k-zero-day safety, our techniques can be easily extended to other analyses on attack graphs
• Future work includes
  • Fine-tuning the approximation algorithm through various ways of ranking partial solutions
  • Evaluating the framework on diverse network scenarios
Future Work
Plan for Year 5
• Year 5 will primarily focus on
  • integration of the results of our efforts with results from other MURI team members
  • extensive evaluation and refinement of the techniques proposed in Years 1 to 4
• Specific technical objectives include
  • Integrating zero-day analysis (Year 4) with our network hardening approach (Year 3)
  • The objective is to harden a target network w.r.t. both known and unknown vulnerabilities in an effective and efficient way
Questions?