Adaptive Threat Management Tool for Cyber‐based Systems
Yahya Javed, Tawfeeq Shawly, Muhamad Felemban, and Arif Ghafoor
URL (http://multimedia.ecn.purdue.edu/AIMS.html)
Objective: Develop a resilient Cyber‐based System (CBS) by incorporating an adaptive threat management mechanism throughout the life cycle of such a system, from design through recovery from cyber attacks.
[Figure: Cyber‐based System architecture. Layers shown: Application Layer, Network Layer, Database/Information Layer. Elements shown across the layers: traffic log, service log, network access control, policy base, firewalls, offline analysis, real‐time analysis, intrusion detection with IDS alerts, audit log, access control and authentication, database system. Threat management components: CBS Recovery (recovery protocol, knowledgebase, repair manager); Threat Response (attack progress prediction, online dependency analyzer, damage container, response policy generation and deployment); Intrusion Boundary Manager (cyber network/system topology, cyber threat mapper, cyber‐based dependency analyzer, IB demarcation for CBS).]
System Components
1. Intrusion Detection
2. Intrusion Boundary (IB) Manager
   • Damage confinement
   • Scalability
3. Threat Response
4. CBS Recovery
Adaptive Threat Management System
Proposed Solutions
1. Adaptive Intrusion Management System (AIMS) for big datacenters
2. Adaptive Threat Management (ATM) for CBS
Solution Methodology
1. Development of a real‐time HMM‐based intrusion detection
2. Development of firewall policy‐based response and recovery playbook
3. Development of a risk‐aware partitioning mechanism for scalable detection, response, and recovery
4. Development of an ATM prototype for testing and validation
ATM
[Figure: (a) Functionality dependency graph of CBS with IB partitioning, with lettered objects (a, b, c, d, e, f, g, h, j, k, l, m), weighted edges (labels between 0.2 and 0.9) and the set of boundary objects marked; (b) Cost function for IB partitioning (only the formula fragments "min, ∈" and "| |" survive); (c) Attack graph whose states are sets of compromised objects: d; d,a; d,g; d,a,b; d,g,f; d,a,b,c; d,e; d,e,f.]
Solution Methodology
1. IB demarcation as a metrics‐driven optimization problem for damage confinement
2. Development of an efficient intrusion response and recovery mechanism for malicious transactions
3. Development of malicious workload benchmarks for performance evaluation
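One way to make the IB demarcation and damage-confinement step from both Solution Methodology lists concrete, as an added example that is not the poster's own code or cost function: the constructed dependency graph, its weights, the threshold rule and the function names below are all assumptions; only the object letters are borrowed from the poster's figures.

```python
import heapq

# Constructed dependency graph (not the poster's data): edge u -> v with
# weight w means object v depends on u and damage in u reaches v with
# probability w. Letters follow the poster's figures; edges/weights made up.
DEPENDENCIES = {
    "d": {"a": 0.8, "g": 0.5, "e": 0.7},
    "a": {"b": 0.75},
    "b": {"c": 0.9},
    "g": {"f": 0.4},
    "e": {"f": 0.3},
    "f": {"h": 0.2},
    "h": {"j": 0.2},
    "j": {"k": 0.9},
    "l": {"m": 0.7},
    "c": {}, "k": {}, "m": {},
}


def contamination(graph, compromised):
    """Highest propagation probability from any compromised object: weights
    are <= 1, so a max-heap max-product search is Dijkstra on -log(w)."""
    prob = {node: 0.0 for node in graph}
    heap = []
    for node in compromised:
        prob[node] = 1.0
        heapq.heappush(heap, (-1.0, node))
    while heap:
        neg_p, node = heapq.heappop(heap)
        if -neg_p < prob[node]:
            continue  # stale heap entry
        for dependent, weight in graph[node].items():
            q = -neg_p * weight
            if q > prob[dependent]:
                prob[dependent] = q
                heapq.heappush(heap, (-q, dependent))
    return prob


def intrusion_boundary(graph, compromised, threshold):
    """Return (inside, boundary_objects). inside: objects whose contamination
    probability reaches the threshold, to be confined and repaired.
    boundary_objects: inside objects with a dependent outside, where the
    containment policies (access control, firewall rules) are enforced."""
    prob = contamination(graph, compromised)
    inside = {n for n, p in prob.items() if p >= threshold}
    boundary = {n for n in inside if any(v not in inside for v in graph[n])}
    return inside, boundary
```

Raising the threshold shrinks the confined region and moves the boundary objects closer to the detected compromise; the objects left outside (here l and m, which have no dependency path from d) keep serving untouched.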
AIMS
[Figure: (a) Data dependency graph with IB demarcation, with objects a–n and the set of boundary objects marked; (b) Cost function for IB demarcation (only the formula fragments "min, ∈" and "| |" survive); (c) Performance results.]
Acknowledgement: This work is supported in part by a grant from the Northrop Grumman Corporation and National Science Foundation Grant IIS‐0964639.