
Detecting & Preventing Misuse of Privilege



Presentation Transcript


  1. Detecting & Preventing Misuse of Privilege
  PI Meeting 1/27/05
  Bob Balzer (Teknowledge), Howie Shrobe (MIT)
  • Updates since Kickoff

  2. [PMOP architecture diagram. Labels: Operator Action, GUI, Mediation Cocoon around Legacy App with mediators (M), Behavior Monitor, Behavior Authorizer, Intent Assessment, Harm Assessment, Operational System Model, Predicted State; operator actions are classed as Normal, Benign Operator Action, or Harmful Operator Action (DANGER), the latter attributed to Operator Error or Malicious Insider]

  3. [Same PMOP architecture diagram as slide 2, with components marked as MIT or Teknowledge responsibilities]

  4. Distinguishing AWDRAT & PMOP
  • AWDRAT
    • Detecting misbehaving software
    • Hijacks, overprivileged scripts, trap doors, faults
  • PMOP
    • Detecting misbehaving operators
    • Malicious intent, operator error
  • For an integrated SRS system we need both capabilities
  • Have had extensive discussions on integrating both projects together (head start on the workshop :-))

  5. JBI DemVal Dataflow (via Publish/Subscribe)
  [Dataflow diagram. Node labels: External AODB, AS, Proposed MI, MAF, Approved MI, CAF, LOC, JW, SPI, EDC, JEES, TAP, ATO, Chem Hazard (CHW, CHI), TNL, Targeting, WLC, Weather Hazard (CHA, WH), Combat Ops]

  6. The Good – The Bad – The Ugly: What We've Got
  • End-To-End Demonstration (demo shortly)
  • Working Prototypes of PMOP components
  • Working models & rules of target application
  • Working integration of PMOP components

  7. End-To-End Demonstration
  • Block Harmful Operations
  • Differentiate
    • Operator Error
    • Malicious Intent
  [PMOP architecture diagram as on slide 2, with the Legacy App replaced by JBI DemVal]

  8. The Good – The Bad – The Ugly: What We've Got
  • End-To-End Demonstration (demo shortly)
  • Working Prototypes of PMOP components
  • Working models & rules of target application
  • Working integration of PMOP components
  • Architecture Visualizer (demo shown in AWDRAT)
    • Event-Sequence diagrams
    • Architecture dataflow

  9. The Good – The Bad – The Ugly: What We're Missing
  • Realistic Rules (Domain Knowledgeable)
    • Would be created by SMEs in real deployment
  • Comprehensive Rule Set
    • Would be created by SMEs in real deployment
  • Instrumentation of the GUI actions
    • Just Mission Building/Editing methods currently instrumented
    • GUI actions will be instrumented by 4/1/05

  10. The Good – The Bad – The Ugly: Accommodations
  • Java code base
    • Created wrapper infrastructure for Java
  • Planning Application (harm is in the future)
    • Defined Harm as publishing a harmful plan
  • Available JBI components to wrap
    • Detailed on next slide

  11. The Good – The Bad – The Ugly: JBI DemVal Dataflow (via Publish/Subscribe)
  [Same dataflow diagram as slide 5, with each component marked by legend: Legacy Component (code not available), Canned Component (publishes fixed output), Table Lookup]

  12. Mixed Initiative PMOP
  • One Client Live (with human operator)
  • Others Scripted
  Scripted PMOP
  • Driven from History
  • Scripts
    • Nominal
    • Harmful: Takeoff Before Landing
    • Harmful: Missing Leg (landing not collocated with takeoff)
  Differences from AWDRAT
  • Harm Detector instead of Architecture Diff
  • Client Reconstitution inactive
  [PMOP Execution Architecture diagram: JBI Clients inside Mediation Cocoons with mediators (M), JBI Server, Script Driver, Scripts, History, Harm Detector, Harm Rules, Architecture Visualizer, Client Reconstitution]

  13. Detecting Harmful Actions Demo

  14. Determining Intent
  • Determining that an insider is/has been taking malicious action is a task for human security agents and managers.
  • Our automated system takes the action of raising an "alarm", based on:
    • Degree of harm in the action
    • Probability of malicious intent
  • And provides the initial evidence

  15. Degree of Harm
  • We are interested in examining harm done by maliciously or accidentally creating a defective plan of action, such as an Air Tasking Order.
  • We base our calculation of harm on a static analysis of the probable consequences of a plan.
  • How the error happened is only used as evidence of intent.

  16. Categories of Harmful Plans
  • Plan results in direct damage, e.g.:
    • Friendly fire incident
    • Political harm from attacking non-combatants
  • Plan results in a denial of resources, e.g.:
    • Wasting munitions and sorties
    • Creating confusion
    • Putting valuable personnel under suspicion

  17. Factors used to Determine Intent
  • The harm is more likely to be intentional:
    1. If the plan defect depends on a more deliberate, more conscious process
    2. If the actions can be fit into a larger plan of action
    3. If there are related historical errors for the operator in question
    4. If the action involves coordination with others (inside or outside)
  • Even type 1 involves analyzing the trace of actions
  • The others involve keeping a historical "Case Book"

  18. Evidence of a Deliberate Process
  • If the defect in the plan occurs through a plan editing, rather than plan creation, step.
  • If there is evidence of information hiding.
  • If there is evidence of tampering with logs or other monitors.

  19. Processing of MAF/CAF Traces
  • Parse XML of traces
  • Accumulate parsed trace into "User Actions"
    • Event creation followed by setInformation methods -> single Event creation
  • Follow through the sequence of User Actions, simulating the effect on the plan and detecting when a harmful effect is created
  • A harmful effect introduced by an edit is flagged as definitely malicious

  20. Raw Trace
  missing-leg 5 6 **end-of-messages**
  <trace>
    <MethodEnter methodClass="mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" thread="0"/>
    <MethodReturn methodClass="mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" thread="0">
      <this class="mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" printer="1"/>
    </MethodReturn>
    <MethodEnter methodName="setInformation" methodClass="mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" methodSignature="(Ljava/lang/String;Ljava/lang/String;)V" thread="0" arg0="EVTTYPE" arg1="TO">
      <this class="mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" printer="1"/>
    </MethodEnter>
    ....

  21. Parsed
  (("missing-leg 5 6")
   (ENTER :NAME CONSTRUCTOR :CLASS "mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject")
   (RETURN :NAME CONSTRUCTOR :CLASS "mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" :THIS ("MissionEventObject" "1"))
   (ENTER :NAME "setInformation" :CLASS "mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" :ARG0 "EVTTYPE" :ARG1 "TO" :THIS ("MissionEventObject" "1"))
   (RETURN :NAME "setInformation" :CLASS "mil.af.rl.jbi.client.ExtensibleMappingClient.toolsets.MissionPlan.MissionEventObject" :ARG0 "EVTTYPE" :ARG1 "TO" :THIS ("MissionEventObject" "1"))
   ...

  22. Reconstructed
  (("missing-leg 5 6")
   (EVENT :THIS ("MissionEventObject" "1") :EVTTYPE "TO" :EVTCD "I" :EVTSEQID "1" :LOCID "KBLV-1"
          :LATITUDE "-89.804" :LONGITUDE "38.671" :TIMEON "2004-05-27T19:25:23Z" :TIMEOFF "2004-05-27T19:25:23Z"
          :ALT "0" :AMCPURPCD "A" :EVTSUBTYPE "-" :SUBTYPECALLSIGN "-" :SUBTYPEFREQ "-" :SUBTYPEMSNCD "-")
   (EVENT :THIS ("MissionEventObject" "2") :EVTTYPE "REFUEL" :EVTCD "T" :EVTSEQID "2" :LOCID "PATRIOT-2"
          :LATITUDE "3.164" :LONGITUDE "52.031" :TIMEON "2004-05-28T03:05:20Z" :TIMEOFF "2004-05-28T03:05:20Z"
          :ALT "280" :AMCPURPCD "Z" :EVTSUBTYPE "-" :SUBTYPECALLSIGN "-" :SUBTYPEFREQ "-" :SUBTYPEMSNCD "-")
   (EVENT :THIS ("MissionEventObject" "3") :EVTTYPE "LDG" :EVTCD "I" :EVTSEQID "3" :LOCID "LIPA-3"
          :LATITUDE "12.070" :LONGITUDE "46.230" :TIMEON "2004-05-28T04:45:20Z" :TIMEOFF "2004-05-28T04:45:20Z"
          :ALT "0" :AMCPURPCD "A" :EVTSUBTYPE "-" :SUBTYPECALLSIGN "-" :SUBTYPEFREQ "-" :SUBTYPEMSNCD "-")
   ...

  23. Interpreted
  MISSING-LEG Between event 5 and 6
  CREATING event 1 Take Off 05/27/2004 19:25:23 KBLV -89.80 38.67
  CREATING event 2 Refuel 05/28/2004 03:05:20 PATRIOT 3.16 52.03
  CREATING event 3 LDG 05/28/2004 04:45:20 LIPA 12.07 46.23
  CREATING event 4 Take Off 05/28/2004 07:20:20 LIPA 12.07 46.23
  CREATING event 5 LDG 05/28/2004 08:35:20 LICZ 14.73 37.62
  CREATING event 6 Take Off 05/28/2004 11:35:20 LICZ 14.73 37.44
  CREATING event 7 LDG 05/28/2004 17:15:20 OEKH 47.70 24.08
  EDITING event 6 Take Off 05/28/2004 11:35:20 LICZ 5.43 47.64
  (annotation) Editing event after its creation
  Not leaving from where you landed 5 6 14.726 37.617 5.4346514 47.63672
  (annotation) Editing over existing leg causes error - Malicious
  ...
  MALICIOUS
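The slide 19 pipeline over a constructed trace, as an added example that is not part of the presentation or of the PMOP/AWDRAT code: the trace is built in the slide 20 shape (class names shortened, the setInformation MethodReturn elements omitted), constructor-plus-setInformation runs fold into CREATE actions and later setInformation calls into EDIT actions, and the plan is replayed with the two scripted harms from slide 12 as the only rules, so that a harm first introduced by an edit is flagged MALICIOUS as on slides 18 and 23.

```python
import xml.etree.ElementTree as ET

def event_xml(oid, fields, create=True):
    # Constructed, slide-20-shaped fragment: constructor enter/return, then one setInformation MethodEnter per field.
    this = f'<this class="MissionEventObject" printer="{oid}"/>'
    ctor = f'<MethodEnter methodClass="MissionEventObject"/><MethodReturn methodClass="MissionEventObject">{this}</MethodReturn>'
    calls = "".join(f'<MethodEnter methodName="setInformation" methodClass="MissionEventObject" arg0="{k}" arg1="{v}">{this}</MethodEnter>' for k, v in fields.items())
    return (ctor if create else "") + calls

LEGS = [("1", "TO", "KBLV"), ("2", "LDG", "LIPA"), ("3", "TO", "LIPA"), ("4", "LDG", "LICZ")]  # constructed sample
TRACE = ("<trace>" + "".join(event_xml(i, {"EVTTYPE": t, "EVTSEQID": i, "LOCID": l}) for i, t, l in LEGS)
         + event_xml("3", {"LOCID": "OEKH"}, create=False) + "</trace>")  # then event 3's take-off location is edited

def reconstruct(trace_xml):
    """Slide 19 step 2: constructor + its setInformation calls -> one CREATE; setInformation on a built object -> EDIT."""
    actions, current = [], None                  # current: id of the object being built
    for el in ET.fromstring(trace_xml):
        if el.tag == "MethodReturn" and el.get("methodName") is None:      # constructor returned
            current = el.find("this").get("printer")
            actions.append(("CREATE", current, {}))
        elif el.tag == "MethodEnter" and el.get("methodName") == "setInformation":
            oid = el.find("this").get("printer")
            if oid != current:                   # touching an existing event: an edit
                actions.append(("EDIT", (current := oid), {}))
            actions[-1][2][el.get("arg0")] = el.get("arg1")
    return actions

def harms(plan):
    """Harm rules from slide 12, checked over the fully specified events in EVTSEQID order."""
    found, airborne, last_to, last_ldg = [], False, None, None
    for e in sorted((e for e in plan.values() if all(k in e for k in ("EVTTYPE", "EVTSEQID", "LOCID"))), key=lambda e: int(e["EVTSEQID"])):
        if e["EVTTYPE"] == "TO":
            if airborne:
                found.append(f"takeoff-before-landing {last_to['EVTSEQID']} {e['EVTSEQID']}")
            elif last_ldg and last_ldg["LOCID"] != e["LOCID"]:
                found.append(f"missing-leg {last_ldg['EVTSEQID']} {e['EVTSEQID']}")
            airborne, last_to = True, e
        elif e["EVTTYPE"] == "LDG":
            airborne, last_ldg = False, e
    return found

def analyze(trace_xml):
    """Slide 19 step 3: replay the actions on the plan; harm first introduced by an EDIT is MALICIOUS (slides 18, 23)."""
    plan, seen, findings = {}, set(), []
    for kind, oid, fields in reconstruct(trace_xml):
        plan.setdefault(oid, {}).update(fields)
        new = [h for h in harms(plan) if h not in seen]    # harms this action introduced
        findings += [(h, "MALICIOUS" if kind == "EDIT" else "OPERATOR-ERROR") for h in new]
        seen.update(new)
    return findings
```

Run `analyze(TRACE)` to get `[("missing-leg 2 3", "MALICIOUS")]`; the same harm created directly, rather than by a later edit, is reported as OPERATOR-ERROR.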

  24. Detecting Malicious Intent Demo

  25. What are we trying to do?
  • Block Harmful Operations
  • Differentiate
    • Operator Error
    • Malicious Intent
  [PMOP architecture diagram as on slide 2]

  26. How will you show success?
  • Block Harmful Operations
  • Differentiate
    • Operator Error
    • Malicious Intent
  • Red-Team Experiment
  [PMOP architecture diagram as on slide 2]

  27. What are implications of success?
  • Systems can be protected
    • from insider attacks
    • from operator error
    • from zero-day attacks
  [PMOP architecture diagram as on slide 2]

  28. What is technical approach?
  • Observe effect of operator action in system model
  • Match harmful actions against
    • Errorful Operator Plans
    • Attack Plans
  [PMOP architecture diagram as on slide 2]

  29. What is new?
  • Observe effect of operator action in system model
  • Match harmful actions against
    • Errorful Operator Plans
    • Attack Plans
  [PMOP architecture diagram as on slide 2]

  30. What is hard?
  • Modeling System to predict effect
  • Modeling Operator to differentiate
    • Operator Error
    • Malicious Intent
  [PMOP architecture diagram as on slide 2]

  31. Technology for SRS Integration
  • Behavior Monitor/Authorizer
    • What code is doing
    • What human operator is doing
  • Operational Models
    • Software Components
    • Human Operators
  • Harm Detector
    • Rule driven
    • Intent Determination
