A Mission-Centric Framework for Cyber Situational Awareness
Assessing the Risk Associated with Zero-day Vulnerabilities: Automated Methods for Efficient and Effective Analysis of the Zero-day Landscape
S. Jajodia, M. Albanese, George Mason University
ARO-MURI on Cyber-Situation Awareness Review Meeting, Phoenix, AZ, October 28-29, 2013
Where We Stand in the Project
[Figure: project overview. A real-world test-bed and the monitored computer network (software, sensors and probes, HyperSentry, Cruiser) feed data conditioning, association and correlation (enterprise model, activity logs, IDS reports, vulnerabilities) into information aggregation and fusion (transaction graph methods, damage assessment) and automated reasoning tools (R-CAST, plan-based narratives, graphical models, uncertainty analysis). These support cognitive models and decision aids (instance-based learning models, simulation, measures of SA and shared SA), delivered to system analysts through multi-sensory human-computer interaction.]
Quad Chart - Year 4
Objectives: Improve Cyber Situation Awareness via
• New efficient techniques for generating partial attack graphs on demand in order to enable effective analysis of zero-day vulnerabilities
• A three-step process to assess the risk associated with zero-day vulnerabilities
• A prototype of the probabilistic framework for unexplained activity analysis
DoD Benefit:
• Ability to answer some important questions automatically and efficiently
• Reduced workload on the analysts
• Reduced gap between raw security data and mental models
• Improved decision support
Scientific/Technical Approach
• Developing an exact algorithm for identifying lower bounds on the value of the k-zero-day safety metric
• Developing a heuristic algorithm for identifying upper bounds on the value of the k-zero-day safety metric
• Developing an efficient algorithm for calculating, under certain conditions, the exact value of k
• Developing all the algorithms above in a way that they do not require the entire attack graph to be computed in advance
Major Accomplishments
• Developed an efficient approach to assessing the risk of zero-day vulnerabilities (SECRYPT 2013) [Best Paper Award]
Challenges
• Analyzing zero-day vulnerabilities for very large networks
Overview of contribution – Year 1
Technical accomplishments
• A topological approach to vulnerability analysis that overcomes the drawbacks of traditional point-wise vulnerability analysis
• Preliminary data structures and graph-based techniques and algorithms for processing alerts/sensory data
• A novel security metric, k-zero-day safety, that counts the minimum number of distinct zero-day vulnerabilities required to compromise a network asset, and algorithms for applying the metric to harden a network
Major breakthroughs
• Capability of processing massive amounts of alerts/sensory data in real time
• Capability of forecasting all possible futures, along with their probabilities and expected damage
• Capability of hardening a network against zero-day vulnerabilities
Overview of contribution – Year 2
Technical accomplishments
• Generalized dependency graphs, which capture how network components depend on one another
• Probabilistic temporal attack graphs, which encode probabilistic and temporal knowledge of the attacker's behavior
• Attack scenario graphs, which combine dependency and attack graphs, bridging the gap between known vulnerabilities and the services or missions that could ultimately be affected
• Efficient algorithms for both detection and prediction
• A preliminary model to identify "unexplained" cyber activities, i.e., activities incompatible with any given known activity model, thus potentially improving detection of zero-day attacks
Major breakthroughs
• Capability of generating and ranking future attack scenarios in real time
Overview of contribution – Year 3
Technical accomplishments
• An efficient and cost-effective algorithm to harden a network with respect to given security goals
• A probabilistic framework for localizing attackers in mobile networks, based on the locations of nodes that have detected malicious activity in their neighborhood
• A probabilistic framework for assessing the completeness and quality of available attack models, both at the intrusion detection level and at the alert correlation level (joint work with UMD and ARL)
• A suite of novel techniques – enhancing NSDMiner – to automatically discover dependencies between network services from passively collected network traffic
• Switchwall, an Ethernet-based network fingerprinting technique for detecting unauthorized changes to the L2/L3 network topology
Major breakthroughs
• Capability of automatically and efficiently executing several important analysis tasks, namely hardening, dependency analysis, and attacker localization
Overview of contribution – Year 4
Technical accomplishments
• Effective and efficient methods for generating partial attack graphs on demand in order to enable efficient analysis of zero-day vulnerabilities
• A three-step process to assess the risk associated with zero-day vulnerabilities
• A prototype of the probabilistic framework for unexplained activity analysis
Major breakthroughs
• Capability to reason about zero-day vulnerabilities and efficiently assess the risk associated with such vulnerabilities without generating the entire attack graph
Year 4 Statistics
Publications & presentations
• 2 papers published in peer-reviewed conference proceedings (Best Paper Award at SECRYPT 2013)
• 2 papers published in peer-reviewed journals
• 1 book chapter
• 2 invited talks/lectures
Supported personnel
• 2 faculty
• 2 post-doctoral researchers
• 1 doctoral student
Proposed Solution: System Architecture
[Figure: system architecture. Alerts/sensory data from the monitored network (collected with Cauldron and Switchwall) and vulnerability databases (NVD, OSVDB, CVE) feed a Situation Knowledge Reference Model built on attack scenario graphs, stochastic attack models and generalized dependency graphs, backed by index and data structures for graph processing and indexing, Topological Vulnerability Analysis, and dependency analysis (NSDMiner). On top of it, the modules exposed to the analyst are scenario analysis and visualization, network hardening, unexplained behavior analysis, and zero-day analysis.]
Zero-Day Analysis
M. Albanese, S. Jajodia, A. Singhal, and L. Wang. "An Efficient Approach to Assessing the Risk of Zero-Day Vulnerabilities". In Proceedings of the 10th International Conference on Security and Cryptography (SECRYPT 2013), Reykjavík, Iceland, July 29-31, 2013. [Best Paper Award]
Background and Motivation (1/2)
• Computer systems are vulnerable to both known and zero-day attacks
• Known attack patterns can be easily modeled, and suitable hardening strategies can be developed
• Handling zero-day vulnerabilities is inherently difficult due to their unpredictable nature
• Attackers can leverage complex interdependencies among both known and unknown vulnerabilities and network configurations to penetrate seemingly well-guarded networks
• Attack graphs reveal such threats by enumerating potential paths that attackers can take to penetrate networks
Background and Motivation (2/2)
• Previous research has attempted to assess and quantify the risk associated with unknown attack patterns: the k-zero-day safety metric was defined
• Existing algorithms for computing the k-zero-day safety metric are not scalable: they assume that complete zero-day attack graphs have been generated, which may be unfeasible in practice for large networks
L. Wang, S. Jajodia, A. Singhal, and S. Noel, "k-Zero Day Safety: Measuring the Security Risk of Networks against Unknown Attacks". In Proceedings of the 15th European Symposium on Research in Computer Security (ESORICS 2010), Springer, 2010
Example of Zero-Day Attack Graph
[Figure: a zero-day attack graph for three hosts: host 0 (the attacker's machine), host 1 running http and ssh, and host 2 running ssh.]
Contributions (1/2)
• We propose a set of efficient solutions to address the limitations of current approaches and enable zero-day analysis of practical importance to be applied to networks of realistic sizes
• First, we consider the problem of deciding whether a given network asset is at least l-zero-day safe for a given small integer l, i.e., whether k ≥ l
• We drop the assumption that a zero-day vulnerability graph has been pre-computed
• We combine on-demand attack graph generation with the evaluation of k-zero-day safety
Contributions (2/2)
• Second, we identify an upper bound u on the value of k. This is done using a heuristic algorithm that integrates attack graph generation and zero-day analysis
• Third, when the upper bound u is below an admissible threshold u*, we compute the exact value of k. This phase reuses the previously computed partial attack graph
• To the best of our knowledge, this is the first attempt to define a comprehensive and efficient approach to zero-day analysis
Problem Statement (1/3)
Problem 1 (Lower bound): Given a network, a goal condition, and a small integer l, determine whether k ≥ l is true for the goal condition with respect to the network
• Our goal is to identify a lower bound on the value of k
• Analogous to the problem addressed in (Wang et al., 2010), but we do not assume the entire attack graph is available
• The network is defined in terms of initial conditions and known and unknown exploits
Problem Statement (2/3)
Problem 2 (Upper bound): Given a network and a goal condition, find an upper bound u on the value of k with respect to the goal condition
• Using a heuristic approach, it is feasible to compute a good upper bound in polynomial time
• If the value of u is below a threshold u*, it may then be feasible to compute the exact value of k
Problem Statement (3/3)
Problem 3 (Exact value): Given a network and a goal condition such that k ≤ u ≤ u* is true for the goal condition with respect to the network, find the exact value of k
In other words, when the value of k is known to be bounded and the upper bound is small enough, we compute the exact value of k by
• leveraging the upper bound u for pruning
• reusing the partial attack graph generated during previous steps of the decision process
Overall Decision Process
[Figure: decision flowchart. Start → is k ≥ l? No → insufficient security: harden network → End. Yes → compute the upper bound u; is k ≤ u ≤ u*? No → sufficient security → End. Yes → find the exact value of k → End.]
Problem 1: Proposed Solution
We combine an exhaustive forward search of limited depth with partial attack graph generation
• Only attack paths with up to l zero-day vulnerabilities are generated and evaluated using the metric
• Connectivity information is used to hypothesize zero-day exploits and guide the generation of the graph
Algorithm
• Input: a set of initial conditions, a set of known and zero-day exploits, an integer l, and a goal condition
• Output: a partial zero-day attack graph, and a truth value indicating whether k ≥ l
Problem 2: Proposed Solution
In order to avoid the exponential explosion of the search space, we propose a heuristic algorithm that, at each step, maintains only the t best partial paths with respect to the metric
The algorithm builds the attack graph forward, starting from the initial conditions
• Input: a set of initial conditions (or a partial attack graph), a set of known and zero-day exploits, and a goal condition
• Output: a partial zero-day attack graph, and an upper bound u on the value of k
Problem 3: Proposed Solution
Our solution consists in performing a forward search, similarly to the algorithms above
• The search starts from the partial attack graphs computed in previous steps of the decision process
• Although the value of k is known to be no larger than u, there may still be many paths with more than u distinct zero-day vulnerabilities
• To limit the search space, compared to a traditional forward search, and to avoid generating the entire attack graph, we use the upper bound u computed by the heuristic algorithm to prune paths not leading to the solution
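The following is an added example that illustrates the three-step decision process on a toy model; it is not the authors' code and does not reproduce the algorithms of the SECRYPT 2013 paper. The encoding of conditions and exploits, the rule that every zero-day exploit of the same service shares one vulnerability (so that it is counted once however many hosts it is used on), the monotonic-state assumption, the function names, and the four-host scenario are all constructed for this example. The scenario extends the slide's host 0 / host 1 / host 2 example with a third target host so that the greedy heuristic with t = 1 overestimates k while t = 2 finds the exact value.

```python
"""Toy k-zero-day analysis (added example, not the authors' code).
Conditions are strings: "user@1" = shell on host 1, "ssh@2" = host 2 runs
ssh, "conn(1,2)" = host 1 can reach host 2.  A state is the set of conditions
the attacker holds plus the distinct zero-day vulnerabilities used so far.
Assumptions (constructed): every zero-day exploit of the same service shares
one vulnerability "v_<service>", and states are monotonic (never lose a
condition).  Host 0 is the attacker's machine.
"""
from collections import deque
from dataclasses import dataclass
from typing import FrozenSet, Optional
import heapq


@dataclass(frozen=True)
class Exploit:
    name: str
    pre: FrozenSet[str]        # conditions required before the exploit
    post: FrozenSet[str]       # conditions established by the exploit
    zeroday: Optional[str]     # zero-day vulnerability id, None if known


@dataclass(frozen=True)
class State:
    conds: FrozenSet[str]      # conditions established so far
    zdays: FrozenSet[str]      # distinct zero-day vulnerabilities used


def build_model(services, conn, known):
    """Initial conditions, the known exploits, and zero-day exploits
    hypothesised from connectivity: one per (src, dst, service) on dst."""
    init = {"user@0"}
    init |= {f"{s}@{h}" for h, svcs in services.items() for s in svcs}
    init |= {f"conn({a},{b})" for a, b in conn}
    exploits = list(known)
    for src, dst in conn:
        for svc in services.get(dst, []):
            exploits.append(Exploit(
                f"zd_{svc}_{src}_{dst}",
                frozenset({f"user@{src}", f"conn({src},{dst})", f"{svc}@{dst}"}),
                frozenset({f"user@{dst}"}), f"v_{svc}"))
    return frozenset(init), exploits


def successors(state, exploits):
    """Apply each exploit whose preconditions hold and that adds something."""
    for e in exploits:
        if e.pre <= state.conds and not e.post <= state.conds:
            zd = state.zdays | {e.zeroday} if e.zeroday else state.zdays
            yield State(state.conds | e.post, zd)


def at_least_l_safe(init, exploits, goal, l):
    """Problem 1: decide k >= l by following only paths that use fewer than
    l distinct zero-days.  Returns (verdict, number of states generated)."""
    start = State(init, frozenset())
    seen, queue = {start}, deque([start])
    while queue:
        s = queue.popleft()
        if goal in s.conds:
            return False, len(seen)      # goal reached with < l zero-days
        for n in successors(s, exploits):
            if len(n.zdays) < l and n not in seen:
                seen.add(n)
                queue.append(n)
    return True, len(seen)


def upper_bound(init, exploits, goal, t):
    """Problem 2: beam search keeping only the t best partial paths per step.
    Returns (u, states generated), u None if the beam dies out."""
    frontier, visited = [State(init, frozenset())], 1
    while frontier:
        cands = []
        for s in frontier:
            for n in successors(s, exploits):
                if n not in cands:
                    cands.append(n)
        visited += len(cands)
        goals = [n for n in cands if goal in n.conds]
        if goals:
            return min(len(n.zdays) for n in goals), visited
        # fewest zero-days first, then most progress; the stable sort keeps
        # exploit-list order on ties, so the bound depends on that order
        cands.sort(key=lambda n: (len(n.zdays), -len(n.conds)))
        frontier = cands[:t]
    return None, visited


def exact_k(init, exploits, goal, u):
    """Problem 3: uniform-cost forward search ordered by distinct zero-days,
    pruning every partial path that exceeds u.  A state's cost is a function
    of the state itself, so marking it seen on push is safe."""
    start = State(init, frozenset())
    heap, seen, tie = [(0, 0, start)], {start}, 0
    while heap:
        cost, _, s = heapq.heappop(heap)
        if goal in s.conds:
            return cost, len(seen)
        for n in successors(s, exploits):
            if len(n.zdays) <= u and n not in seen:
                seen.add(n)
                tie += 1
                heapq.heappush(heap, (len(n.zdays), tie, n))
    return None, len(seen)


def full_graph_size(init, exploits):
    """Size of the complete zero-day attack graph, for comparison only."""
    start = State(init, frozenset())
    seen, queue = {start}, deque([start])
    while queue:
        for n in successors(queue.popleft(), exploits):
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return len(seen)


def example(l=1, t=2):
    """Constructed scenario: host 1 runs http (one known exploit) and ssh,
    host 2 runs ssh and ftp, host 3 runs ftp; 0->1->2->3; goal: shell on 3."""
    services = {1: ["http", "ssh"], 2: ["ssh", "ftp"], 3: ["ftp"]}
    conn = [(0, 1), (1, 2), (2, 3)]
    known = [Exploit("known_http_0_1",
                     frozenset({"user@0", "conn(0,1)", "http@1"}),
                     frozenset({"user@1"}), None)]
    init, exploits = build_model(services, conn, known)
    goal = "user@3"
    safe, n_lb = at_least_l_safe(init, exploits, goal, l)
    u, n_ub = upper_bound(init, exploits, goal, t)
    k, n_ex = exact_k(init, exploits, goal, u) if u is not None else (None, 0)
    return {"k_ge_l": safe, "u": u, "k": k,
            "full": full_graph_size(init, exploits),
            "visited": (n_lb, n_ub, n_ex)}


if __name__ == "__main__":
    print(example(l=1, t=1))   # greedy beam (t = 1) overestimates: u = 2, k = 1
    print(example(l=1, t=2))   # t = 2 keeps the ftp path too: u = 1, k = 1
```

The cheapest attack reuses one ftp zero-day twice (host 1 to host 2, then host 2 to host 3), so k = 1; the beam with t = 1 commits to the ssh hop first and reports u = 2, the effect the approximation-ratio experiments measure. The full zero-day attack graph of this scenario has 13 states, while the exact search with u = 1 generates 7 and the lower-bound check for l = 1 only 2, which is the partial-graph saving the slides describe.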
Experiments
The objective of our experiments was three-fold
• We evaluated the performance of the proposed algorithms in terms of processing time: the algorithms are efficient enough to be practical
• We evaluated the percentage of nodes included in the generated partial attack graph compared to the full attack graph: this shows the benefits in terms of both time and storage
• We evaluated the accuracy of the estimates made by the heuristic algorithm compared to the exact results obtained using a brute-force approach
Processing Time (lower-bound algorithm, l = 1, 2, 3)
[Figure: processing time in seconds (0 to 20,000) vs. number of nodes (0 to 80,000) for l = 1, 2, 3, with a quadratic regression fit, R² = 0.9999]
Percentage of Nodes (lower-bound algorithm, l = 1, 2, 3)
[Figure: percentage of visited nodes (0 to 1) vs. number of nodes (0 to 80,000) for l = 1, 2, 3]
Processing Time (heuristic upper-bound algorithm, t = 1, 2, 5)
[Figure: processing time in seconds (0 to 200,000) vs. number of nodes (0 to 80,000) for t = 1, 2, 5]
Percentage of Nodes (heuristic upper-bound algorithm, t = 1, 2, 3)
[Figure: percentage of visited nodes (0 to 1) vs. number of nodes (0 to 80,000) for t = 1, 2, 3]
Approximation Ratio (heuristic upper-bound algorithm)
[Figure: approximation ratio (0.9 to 1.5) vs. t (0 to 12) for networks of 7, 21, 121 and 341 nodes]
Conclusions
• We studied the problem of efficiently estimating the k-zero-day safety of networks
• We presented three polynomial algorithms for establishing lower and upper bounds on k and for calculating the actual value of k, while generating only partial attack graphs on demand
• Experimental results confirm their efficiency and effectiveness
• Although we focused on k-zero-day safety, our techniques can be easily extended to other analyses on attack graphs
Future work includes
• Fine-tuning the approximation algorithm through various ways of ranking partial solutions
• Evaluating the framework on diverse network scenarios
Future Work
Plan for Year 5
Year 5 will primarily focus on
• integration of the results of our efforts with results from other MURI team members
• extensive evaluation and refinement of the techniques proposed in years 1 to 4
Specific technical objectives include
• Integrating zero-day analysis (Year 4) with our network hardening approach (Year 3): the objective is to harden a target network with respect to both known and unknown vulnerabilities in an effective and efficient way
Questions?