Maita Final, Dec. 5, 2002 -- **Not for distribution**
Adaptive Knowledge-Based Monitoring for Information Assurance
Peter Szolovits (psz@mit.edu), MIT LCS
Howard Shrobe ([email protected]), MIT AI Lab
William J. Long, Glenn S. Burke, Mike McGeachie, Delin Shen, Ying Zhang, Steve Bull, Joe Hastings, MIT
Isaac S. Kohane, Marco Ramoni, The Children’s Hospital, Boston
Jon Doyle, North Carolina State University
Domain Background
• Defense against information attacks requires broad and deep understanding of:
– Mission
– Systems used to accomplish it
– Ability to operate with diminished resources
• Trade-offs among competing objectives
– Threats
– Capabilities of adversary
– Experience
Our Aims/Cyber Panel
• Provide situational awareness to commanders
• “Inside the loop” monitor construction/adaptation
– Timely concerns
– Empirical
– Simplify CC of monitoring
• Guidance for automatic trust management
– Self-monitoring, resource allocation
• Common description language(s) and library(ies)
Potential Contributions
• Conceptual
– Advance role of probabilistic, decision analytic, preference-based dynamic reasoning
– Develop new methods for adaptive knowledge-based monitoring
– Learning of new monitoring methods
– Expressive languages for description of domain, tasks, attacks, monitoring strategies, etc.
• Artifactual
– Maita system as a testbed to foster and test above ideas
Maita Monitors
• Maita is based on a general-purpose distributed system architecture whose primitive (and composed) components are monitors
– Control inputs via specialized HTTP server
– Set of input terminals; a monitor with no inputs is a data source, often “wrapping” a lower-level system resource.
– Set of output terminals; a monitor with no outputs is a display or alerting service
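The terminal-based composition described above, as an added example that is not Maita's own code: a data source with no inputs wraps a (constructed) CPU-load reading, a filter monitor with a configurable threshold sits between it and an alerting sink with no outputs, and the HTTP control interface is stood in for by a plain `control()` method. Class and terminal names are assumptions for the illustration.

```python
"""Added example (not Maita's code): a minimal monitor graph in the style the
slide describes. Each Monitor has named input and output terminals; a monitor
with no inputs is a data source, one with no outputs is an alerting sink."""
from collections import defaultdict


class Monitor:
    def __init__(self, name, inputs=(), outputs=()):
        self.name = name
        self.inputs = tuple(inputs)
        self.outputs = tuple(outputs)
        self.params = {}
        # output terminal -> [(downstream monitor, its input terminal)]
        self._wires = defaultdict(list)

    def connect(self, out_term, other, in_term):
        """Wire one of our output terminals to another monitor's input terminal."""
        if out_term not in self.outputs or in_term not in other.inputs:
            raise ValueError(f"no such terminal: {out_term} -> {in_term}")
        self._wires[out_term].append((other, in_term))

    def emit(self, out_term, value):
        for other, in_term in self._wires[out_term]:
            other.receive(in_term, value)

    def control(self, **params):
        """Stand-in for the control inputs Maita exposes over HTTP."""
        self.params.update(params)

    def receive(self, in_term, value):
        raise NotImplementedError


class CpuLoadSource(Monitor):
    """Data source: no input terminals; wraps a load reading (constructed here)."""
    def __init__(self):
        super().__init__("cpu-load", outputs=("load",))

    def sample(self, reading):
        self.emit("load", reading)


class ThresholdFilter(Monitor):
    """Filter/detector with one configurable parameter, the alarm limit."""
    def __init__(self):
        super().__init__("load-threshold", inputs=("in",), outputs=("alarm",))
        self.params["limit"] = 0.9

    def receive(self, in_term, value):
        if value > self.params["limit"]:
            self.emit("alarm", {"monitor": self.name, "load": value})


class AlertSink(Monitor):
    """Display/alerting service: input terminals only."""
    def __init__(self):
        super().__init__("alert-display", inputs=("in",))
        self.alerts = []

    def receive(self, in_term, value):
        self.alerts.append(value)


def run_pipeline(readings, limit):
    """Build source -> filter -> sink, push readings through, return alarmed loads."""
    src, flt, sink = CpuLoadSource(), ThresholdFilter(), AlertSink()
    src.connect("load", flt, "in")
    flt.connect("alarm", sink, "in")
    flt.control(limit=limit)          # reconfigure the detector at run time
    for r in readings:
        src.sample(r)
    return [a["load"] for a in sink.alerts]


if __name__ == "__main__":
    print(run_pipeline([0.2, 0.95, 0.5, 0.99], 0.9))
```

Because every monitor speaks only through terminals, the same filter can be re-wired in front of a different source (disk utilization, backup sizes) without changing its code, which is the point of making monitors the primitive component.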
Other Maita Components
• MOM (Monitor of Monitors)
• Human/Computer Interface
– Control Panels
– General-purpose display
• Boot server – starts monitors on its machine
Outline
• Incremental Progress since Charleston PI meeting
• (Not here:
– Preference compilation
– Markov analysis of system call traces
– Multi-stream data segmentation
– Efficient trend matching)
• Maita
• Vulnerability Analysis
• Lessons Learned
Progress since PI Meeting
• Making Maita implementation more
– Complete
• Run on Windows as well as Unix platforms
• Ability for monitoring processes to save checkpoint data in MoM
– Robust
• Restart capabilities from various kinds of system, communication, … failure
• More thorough self-monitoring
• Status: progress, but still not completed*
Progress since PI Meeting
• More sources of monitoring data
– System log (ftp, sendmail, imapd)
– Auth log (logins, ipmon, popper)
– Daemon log (ftp details, stunnel, telnet, …)
– Sendmail volume, relaying
– Disk utilization
– Backup sizes
– CPU load
– Lincoln Labs TCPDUMP
• Additional filters & detectors, with HCI, using
– Configurable parameters
– Temporal sequencing
Routinely monitoring
Control Panel showing various monitors
Sendmail/relaying & trend lines
Backup sizes
FTP activity
FTP analysis
SNORT
FTP Transshipment Trend Template
• ESA = external site activity average
• RLA = resource load activity average
Figure: trend template plotting ESA and RLA over time, with the labelled phases: start of abnormal probing; cessation of abnormal probing; start of unusual transfers; saturation of host capacity; leveling off of unusual transfer destinations.
Figure: ftp-monitor event definitions, showing the events recognized by ftp-monitor as preconditions and as events, the parameters that must match for a precondition to enable an event, and the label to put on the resulting event.
Recognizing: passwordscan(IP) -> ftp uploads(IP) -> excess diskuse
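The precondition-enables-event chain on this slide, as an added example that is not ftp-monitor's own code: each stage names the event kind it accepts and the parameters that must agree with the enabling event (the IP for scan -> uploads, nothing for the host-wide disk-use stage), and a precondition older than a configurable window no longer enables the next stage. Event kinds, the timestamps and the sample IPs are constructed; the window length is an assumption.

```python
"""Added example, not ftp-monitor's code: a small precondition/event chain
recognizer with parameter matching and a time window."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    t: int                     # constructed timestamp, seconds
    kind: str
    ip: Optional[str] = None   # parameter that may have to match across stages


# Stage k is enabled by stage k-1; the tuple lists the attributes that must
# agree between the enabling event and this one.
FTP_CHAIN = [("passwordscan", ()), ("ftp_uploads", ("ip",)), ("excess_diskuse", ())]
FTP_LABEL = "ftp-transshipment"


def recognize(events, chain=FTP_CHAIN, label=FTP_LABEL, window=3600):
    """Return (label, matched_events) tuples, one per completed chain.

    `window` is the maximum gap, in seconds, between consecutive stages."""
    partial = []   # (index of the next stage to match, events matched so far)
    results = []
    for ev in sorted(events, key=lambda e: e.t):
        kept = []
        for stage, so_far in partial:
            prev = so_far[-1]
            if ev.t - prev.t > window:
                continue                         # precondition expired, drop it
            kind, must_match = chain[stage]
            if ev.kind == kind and all(getattr(ev, p) == getattr(prev, p) for p in must_match):
                if stage + 1 == len(chain):
                    results.append((label, tuple(so_far + [ev])))
                else:
                    kept.append((stage + 1, so_far + [ev]))
            kept.append((stage, so_far))         # the older partial stays live
        partial = kept
        if ev.kind == chain[0][0]:               # every first-stage event opens a chain
            partial.append((1, [ev]))
    return results


# Constructed sample: a scan from 10.0.0.5, an unrelated upload from 10.0.0.9
# (must not chain: IP differs), an upload from the scanning IP, then the disk
# filling up.
SAMPLE = [
    Event(0, "passwordscan", "10.0.0.5"),
    Event(600, "ftp_uploads", "10.0.0.9"),
    Event(900, "ftp_uploads", "10.0.0.5"),
    Event(1800, "excess_diskuse"),
]


def demo(events=SAMPLE):
    return recognize(events)


if __name__ == "__main__":
    for label, evs in demo():
        print(label, [(e.t, e.kind, e.ip) for e in evs])
```

The parameter-matching tuple is what keeps an upload from an unrelated address from being credited to the scanner; the window is what keeps a months-old scan from enabling every later disk-full event.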
Work in Progress
• Writing
• “Completion” of Maita code to distributable state
• Web site summarizing project accomplishments and distributing results
• Student research
– Preferences for student interest matching, collaboration, and retrieval of focused information
– Real-time machine learning from intensive care unit data
– Markov analysis of system call patterns as another basis for detecting anomalies
• Planning for future use:
– mMesh proposal (distributed health records, system monitoring)
– ARMS (IXO) proposal on secure ship computing environment infrastructure
– Potential industrial collaborations (under discussion)
Computational Vulnerability Analysis
• Grounding the attack model in systematic analysis
• Ontology of:
– System Properties
– System Types
– System Structure
– Control and Dependencies
Generating Attack Models Through Vulnerability Analysis
• The problem: Where does the attack model and its links to behavioral modes come from?
– So far, by hand crafting
• Vulnerability Analysis supplants this by a systematic analysis:
– Forming an ontology of how computer systems are structured
– Building models of the environment
• Network topology: nodes, routers, switches, filters, firewalls
• System types: hardware, operating systems
• Server and user suites: which servers and users run where
– Analyzing how properties depend on resources
– Analyzing the vulnerabilities of the resources
Modeling System Structure
Figure: system structure model. Entities shown: Hardware (Processor, Memory, Device Controllers, Devices); Operating System (Logon Controller, Scheduler, Device Drivers, Job Admitter, Access Controller, File System); User Set, Workload, Scheduler Policy, resources, files. Relations shown: Part-of, Resides-In, Input-to, controls.
Modeling the topology
Figure: example topology annotations.
– Machine name: sleepy; OS Type: Windows-NT; Server Suite: IIS…; User Authentication Pool: Dwarfs…
– Router: Enclave restrictions ….
– Switch: subnet restrictions ….
Topology tells you:
– who can share (and sniff) which packets
– who can affect what types of connections to whom
The Key Notion is Dependency
• Start with the desirable properties of systems:
– Reliable performance
– Privacy of communications
– Integrity and/or privacy of data
• Analyze which system components impact those properties
– Performance - scheduler
– Privacy - access-controller
• Rule 1: To affect a desirable property, control a component that contributes to the delivery of that property
Controlling components (1)
• One way to gain control of a component is to directly exploit a known vulnerability
– One way to control a Microsoft IIS web server is to use a buffer overflow attack on it.
Figure: IIS Web Server Process is vulnerable to Buffer-Overflow Attack; Buffer-Overflow Attack takes control of IIS Web Server.
Controlling components (2)
• Another way to control a component is to find an input to the component and then find a way to modify the input
– Modify the scheduler policy parameters
Figure: Scheduler Policy Parameters are Input to Scheduler; Scheduler is controlled by a Modification-action on Scheduler Policy Parameters.
Controlling components (3)
• Another way to control a component is to find one of its sub-components and then to find a way to gain control of the sub-component
Figure: User Job Admitter is Component-of Job-Admitter; Job-Admitter is controlled by a Control-action on User Job Admitter.
Modifying Inputs (1)
• One way to modify an input is to find a component which controls the input and then to find a way to gain control of that component
Figure: Workload is Input-of Scheduler; Job Admitter controls Workload; Scheduler is controlled by an attack that controls Job Admitter.
Modifying Inputs (2)
• One way to modify an input is to find a component of the input and then to find a way to modify the component
Figure: Workload is Input-of Scheduler; User Workload is a Workload Component; Scheduler is controlled by an attack that modifies User Workload.
Access Rights
• Each object specifies a set of capabilities required for each operation on that object
– Capabilities are organized in a DAG
– This generalizes the access mechanisms of all OS’s.
• Each actor (user or process) possesses certain capabilities.
• An actor can perform an action on an object only if it possesses a capability at least as strong as that required for the operation
– This is a generalization of the access mechanisms in all current OS’s.
• An access pool is a set of machines that shares resources, password & access right descriptions
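The capability model above, as an added example that is not Maita's code: capabilities form a DAG in which an edge from a to b means a is at least as strong as b, each object states the capability required per operation, and an actor may act only if one of its capabilities dominates the required one. The capability names, objects and requirements are constructed, and the acyclicity check is added because "at least as strong as" is ill-defined once the ordering has a cycle.

```python
"""Added example, not Maita's code: access decisions over a capability DAG."""

# Edge a -> b: holding a is at least as strong as holding b.
CAPABILITY_DAG = {
    "root":        {"admin-write", "user-read"},
    "admin-write": {"user-write"},
    "user-write":  {"user-read"},
    "user-read":   set(),
    "guest":       set(),
}

# Constructed objects: capability required for each operation.
OBJECT_REQUIREMENTS = {
    "/etc/scheduler-policy.conf": {"read": "user-read", "write": "admin-write"},
    "/home/alice/notes.txt":      {"read": "user-read", "write": "user-write"},
}


def is_acyclic(dag):
    """Depth-first search with grey/black marking; False if any back edge exists."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {}

    def visit(c):
        colour[c] = GREY
        for d in dag.get(c, ()):
            state = colour.get(d, WHITE)
            if state == GREY:
                return False              # back edge: cycle
            if state == WHITE and not visit(d):
                return False
        colour[c] = BLACK
        return True

    return all(visit(c) for c in list(dag) if colour.get(c, WHITE) == WHITE)


def dominates(dag, held, required):
    """True if `held` is at least as strong as `required` (reachable in the DAG)."""
    seen, stack = set(), [held]
    while stack:
        c = stack.pop()
        if c == required:
            return True
        if c in seen:
            continue
        seen.add(c)
        stack.extend(dag.get(c, ()))
    return False


def may_perform(actor_caps, obj, op, dag=CAPABILITY_DAG, reqs=OBJECT_REQUIREMENTS):
    """Access decision: does any capability the actor holds dominate the required one?"""
    if not is_acyclic(dag):
        raise ValueError("capability ordering must be a DAG")
    required = reqs[obj][op]
    return any(dominates(dag, c, required) for c in actor_caps)


if __name__ == "__main__":
    print(may_perform({"user-write"}, "/etc/scheduler-policy.conf", "write"))  # False
    print(may_perform({"root"}, "/etc/scheduler-policy.conf", "write"))        # True
```

Reachability rather than string equality is what makes the single model stand in for the various OS-specific mechanisms: a new capability is added by inserting one node and its edges, not by rewriting every object's requirements.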
The AI Lab Topology (partial)
Figure: router Netchex filters out Telnet; a server switch and floor switches (8th-Floor-1, 8th-Floor-2, 7th-Floor-1) connect the segments. Access pools shown: Router Access Pool, Server Access Pool, Dwarf Access Pool, Lisp Access Pool, General Access Pool. Machines shown: Life, Kenmore, Maytag, Doc, Dopey, Sleepy, Sneezy, Sakharov, Truman, Quincy-Adams, Jefferson, Wilson, CreepyCrawler.
Obtaining Access (1)
• One way to gain access to an operation on an object is to find a process with an adequate capability and take control of the process
Figure: Typical User File requires User Read Capability for Read; Typical User Process possesses User Read Capability; to read Typical User File, take a Control-action on Typical User Process.
Obtaining Access (2)
• Another way to gain access to an operation on an object is to find a user with an adequate capability and find a way to log in as that user and launch a process with the user’s capabilities
Figure: Typical User File requires User Read Capability for Read; Typical User possesses User Read Capability; to read Typical User File, Logon as Typical User, which Launches a User Process.
Logging On
• Logging on requires obtaining knowledge of a password
• To gain knowledge of a password
– Guess it, using guessing attacks
– Sniff it
• By placing a parasitic virus on the user’s machine
• By monitoring network traffic
– Change it
• By hacking the password file, for example.
Monitoring and Changing Network Traffic
• Networks are broken down into subnet segments
• Segments are connected by Routers
– Routers can monitor traffic on any connected segment
• Each segment may be:
– Shared media
• Coaxial ethernet
• Wireless ethernet
• Any connected computer can monitor traffic
– Switched media
• 10 (100, 1000) base-T
• Only the switch (or reflected ports) can monitor traffic
• Switches and Routers are computers
– They can be controlled
– But they may be members of special access pools
• To gain knowledge of some information, gain the ability to monitor network traffic
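The "topology tells you who can share (and sniff) which packets" rule, as an added example that is not Maita's code: from a segment model it derives which devices can observe a host's traffic (routers on any connected segment; every attached host on shared media; only the switch and any mirrored port on switched media) and produces the audit view a defender wants, namely which hosts are exposed to ordinary peers. Host and router names come from the AI Lab topology slide; their assignment to segments, the media types, switch names and mirror ports are constructed for the example.

```python
"""Added example, not Maita's code: who can observe whose traffic, derived
from a (constructed) segment model using the slide's media rules."""

SEGMENTS = {
    "8th-floor-1": {"media": "shared", "hosts": {"doc", "dopey", "sleepy"}},
    "7th-floor-1": {"media": "switched", "switch": "7th-floor-switch",
                    "hosts": {"sakharov", "truman"}, "mirror_to": set()},
    "server-net":  {"media": "switched", "switch": "server-switch",
                    "hosts": {"life", "kenmore", "maytag"}, "mirror_to": {"maytag"}},
}
# Router -> segments it is attached to (it can monitor all of them).
ROUTERS = {"netchex": {"8th-floor-1", "7th-floor-1", "server-net"}}


def segment_of(host, segments=SEGMENTS):
    for name, seg in segments.items():
        if host in seg["hosts"]:
            return name
    raise KeyError(f"unknown host {host}")


def observers(host, segments=SEGMENTS, routers=ROUTERS):
    """Devices other than `host` itself that can read packets to/from `host`."""
    name = segment_of(host, segments)
    seg = segments[name]
    obs = set()
    if seg["media"] == "shared":
        obs |= seg["hosts"]                     # any connected computer can listen
    else:
        obs.add(seg["switch"])                  # only the switch ...
        obs |= seg["mirror_to"]                 # ... or a reflected (mirror) port
    obs |= {r for r, segs in routers.items() if name in segs}
    obs.discard(host)
    return obs


def exposure_report(segments=SEGMENTS, routers=ROUTERS):
    """Audit view: hosts whose traffic is visible to other ordinary hosts
    (switches and routers excluded, since they are expected observers)."""
    switches = {s["switch"] for s in segments.values() if s["media"] == "switched"}
    report = {}
    for seg in segments.values():
        for h in seg["hosts"]:
            peers = observers(h, segments, routers) - switches - set(routers)
            if peers:
                report[h] = sorted(peers)
    return report


if __name__ == "__main__":
    for h, peers in sorted(exposure_report().items()):
        print(f"{h}: observable by {', '.join(peers)}")
```

The report is the defender's reading of the same model: a host on shared media, or on a switch with a mirror port pointed at a user machine, is where password sniffing described on the Logging On slide becomes possible, so those segments are where encrypted protocols and port-mirror audits pay off first.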
Residences
• Components reside in several places
– Main memory
– Boot files
– Paging Files
• They migrate between residences
– Through local peripheral controllers
– Through networks
• To modify/observe a component, find a residence of the component and modify/observe it in the residence
• To modify/observe a component, find a migration path and modify/observe it during the transmission
Formats and Transformations
• Components live in several different formats
– Source code
– Compiled binary code
– Linked executable images
• Processes transform one format into another
– Compilation
– Linking
• To modify a component, change an upstream format and cause the transformations to happen
• To modify a component, gain control of the processes that perform the transformations
Modification during Transmission
• To control traffic on a network segment, launch a “man in the middle attack”
– Get control of a machine, redirect traffic to it
• To observe network traffic, get control of a switch/router and a user machine and then reflect traffic to the user machine
• To modify network traffic, launch an “inserted packet” attack.
– Get control of a machine
– Send a packet from the controlled machine with the correct serial number but wrong data before the sender sends the real packet
An Example
• Affecting reliable performance:
– Control the scheduler
• The scheduler is a component that impacts performance
– By modifying the scheduler’s policy parameters
• The policy parameters are inputs to the scheduler
– By gaining root access
• The policy parameters require root access for writing
– By using a buffer overflow attack on the web-server
• The web-server process possesses root capabilities
• The web-server process is vulnerable to a buffer-overflow attack.
• For this attack to impact performance, all the actions must succeed
– Each has an a priori probability based on its inherent difficulty and current evidence suggesting that it occurred.
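The inference the dependency slides describe (Rule 1 and the "controlling components", "modifying inputs" and "obtaining access" rules), carried through on this example as an added illustration that is not the project's own rule-base: a backward chainer over a small dependency model derives every multi-stage scenario that affects a property and scores it as the product of per-step a priori probabilities, which is the audit for cascaded vulnerabilities and the ranking a defender uses to decide where monitors go. The model entities mirror the slides' example (scheduler, policy parameters, root, web server, buffer overflow); the step-kind names, the depth limit and the probabilities are constructed.

```python
"""Added example, not Maita's code: backward-chaining audit over a
dependency model, producing scored multi-stage scenarios."""

MODEL = {
    # property -> components that contribute to delivering it (Rule 1)
    "contributes_to": {"reliable-performance": ["scheduler"],
                       "data-privacy": ["access-controller"]},
    "inputs":         {"scheduler": ["scheduler-policy-params"]},   # Controlling (2)
    "parts":          {"job-admitter": ["user-job-admitter"]},      # Controlling (3)
    "write_requires": {"scheduler-policy-params": "root"},          # capability to modify
    "possesses":      {"web-server": "root", "user-process": "user"},
    "vulnerable_to":  {"web-server": ["buffer-overflow"]},          # Controlling (1)
}

# Constructed a priori success probabilities per step kind; the slides say
# these come from inherent difficulty plus current evidence.
PRIOR = {"affect": 1.0, "exploit": 0.2, "modify-input": 0.9,
         "control-part": 0.8, "take-over-process": 0.7}


def control_scenarios(comp, model, depth=6, seen=frozenset()):
    """Yield step lists that end with control of `comp`; depth and `seen`
    bound the search so a cyclic model cannot recurse forever."""
    if depth == 0 or comp in seen:
        return
    seen = seen | {comp}
    for vuln in model["vulnerable_to"].get(comp, []):
        yield [("exploit", comp, vuln)]
    for inp in model["inputs"].get(comp, []):
        for rest in modify_scenarios(inp, model, depth - 1, seen):
            yield [("modify-input", comp, inp)] + rest
    for part in model["parts"].get(comp, []):
        for rest in control_scenarios(part, model, depth - 1, seen):
            yield [("control-part", comp, part)] + rest


def modify_scenarios(inp, model, depth, seen):
    """Yield step lists that end with the ability to write `inp`
    (Obtaining Access (1): take over a process holding the capability)."""
    cap = model["write_requires"].get(inp)
    if cap is None:
        return
    for proc, held in model["possesses"].items():
        if held == cap:
            for rest in control_scenarios(proc, model, depth - 1, seen):
                yield [("take-over-process", proc, cap)] + rest


def scenarios_to_affect(prop, model=MODEL, prior=PRIOR):
    """All derivable scenarios for `prop`, most probable first."""
    out = []
    for comp in model["contributes_to"].get(prop, []):
        for rest in control_scenarios(comp, model):
            steps = [("affect", prop, comp)] + rest
            p = 1.0
            for kind, _a, _b in steps:
                p *= prior[kind]             # all actions must succeed
            out.append((p, steps))
    return sorted(out, key=lambda s: -s[0])


if __name__ == "__main__":
    for p, steps in scenarios_to_affect("reliable-performance"):
        print(f"{p:.3f}", " -> ".join(f"{k}({a}, {b})" for k, a, b in steps))
    print(scenarios_to_affect("data-privacy"))   # [] : no path in this model yet
```

An empty result for data-privacy means the model has no recorded inputs, parts or vulnerabilities for the access-controller, not that the property is safe; in an audit that gap is itself a finding. Each step tuple is also the hook for the later slides: it names the component whose state a monitor should watch and the event a Bayesian fragment would condition on.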
Affecting Data Privacy (1)
Affecting Data Privacy (2)
Affecting Data Privacy (3)
Affecting Performance (1)
Affecting Performance (2)
Figure: Trust Model relating Trustworthiness, Compromises and Attacks.
Attack Models and Monitoring
Using Attack Scenarios
• This information is captured in an object-oriented Knowledge Representation and a rule-based system that reasons about it.
• The inference process develops multi-stage attack scenarios
• The scenarios can be transformed into trend templates for plan recognition purposes
• The scenarios can be transformed into Bayesian network fragments for diagnostic purposes
• The model can be used to audit an environment for possible cascaded vulnerabilities
Technical Validation
• Conceptual adequacy of
– Descriptive languages
– Monitoring methods
– Learning approaches
• Performance of artifacts
– Ability to recognize events of interest to human sysadmins
– Resource utilization
Schedule (and Future Milestones)
• End-to-end data feed, analysis and display
– Accomplished
• New, more efficient Trend Template matcher as monitor component
– Partly Accomplished
• Maita system
– Robust “complete” implementation (almost)
– Demonstration on local data sources (accomplished)
– Validation against sysadmins (not done)
• Preference utility function compiler
– Complete, numerous applications under way
• Analyses, refinements and papers
Transition
• Potentially transferable results:
– Monitoring architecture
– Languages of descriptions
– Monitoring methods
– Diagnostic methods
– Learning of trend templates
– Compilation of utilities
– Visualizations
• Plans and Interest
– Preference compiler
• Teknowledge interest
• Harvard/MIT HST program interest matching “Red Book”
– Maita monitors
• NLM proposal for distributed clinical data sharing
• Potential commercial collaboration/transfer
Lessons
• Recognize as large systems problem
– Distributed, secure, authenticated, dynamic, self-monitoring computing infrastructure
• Design and implement for robustness, generality
• Collaborate with others
• Recognize as large knowledge-based system problem
– Need lots of knowledge
– Systematic representation
– Basic inference system as substrate
More Lessons
• Recognize as large HCI problem
• The total problem is unsolvable
– Focus on limited goals
– Collaborate with others
• Need good data for development and “formative” evaluation
Recent Publications
1. Michael McGeachie, “Efficient Utility Functions for Ceteris Paribus Preferences”, AAAI 2002.
2. Howard Shrobe, “Computational Vulnerability Analysis for Information Survivability”, AAAI 2002.
3. William Long, Jon Doyle, Glenn Burke, and Peter Szolovits, “Detection of Intrusion across Multiple Sensors”, submitted.
4. Michael McGeachie and Jon Doyle, “Utility Functions for Ceteris Paribus Preferences”, submitted.
5. Steven Bull, “Diagnostic Process Monitoring with Temporally Uncertain Models”, MIT EECS SM Thesis, May 2002.
6. Jon Doyle, Isaac Kohane, William Long, Howard Shrobe, and Peter Szolovits, “Agile Monitoring for Cyber Defense”, Second DARPA Information Survivability Conference and Exposition (DISCEX-II), Anaheim, California, June 12-14, 2001.
7. Jon Doyle, Isaac Kohane, William Long, Howard Shrobe, and Peter Szolovits, “Event recognition beyond signature and anomaly”, Second IEEE-SMC Information Assurance Workshop, West Point, New York, June 5-6, 2001.
http://medg.lcs.mit.edu/projects/maita/