Approved for Public Release, Distribution Unlimited
7/20/04 Kickoff
Walt Heimerdinger, Mike Pelican, David Musliner, John Allen
CORTEX:
Mission-Aware Closed-Loop Cyber Assessment and Response
Outline
• Technical overview:
– Motivation
– Situational awareness
– Proactive planning and execution
– CORTEX
• Quadchart
Motivation
• Systems are increasingly dynamic
– Missions evolve
– Unexpected failures hazard mission goals
– Multi-exploit attacks propagate rapidly
– Self-reconfigurable systems change too rapidly to respond to attacks and failures
• Current computational mission state (resources, tasks) affects:
– Detection of attacks and failures.
– Appropriate responses.
• Existing detection and response systems do not incorporate real-time
– Mission awareness
– Attack success knowledge
Approach
• A probabilistic situation assessor to estimate:
– System health
– Active threats
– Mission status
– Feasible configurations
• A proactive planner to control reconfiguration:
– Continually produce feasible contingency plans
– Execute plans in real time
Assessment Technology from Scyllarus
A management and analysis system for network security monitoring:
• Correlates reports from many disparate intrusion detectors to provide information useful to operating personnel or administrators.
– Weighs evidence for/against intrusions to reduce false alarms.
– Assesses intrusion events for plausibility and severity.
– Discounts attacks against non-susceptible targets.
• Consolidates and retains all report data for forensic investigation.
• Maintains detector and system configuration information.
How Scyllarus Intrusion Detection Works
[Figure: audit reports (network probe, communication attempt, unauthorized user) feed the Dynamic Evidence Aggregator, which draws on the Intrusion Reference Model (network model, security model, attack models) to weigh competing hypotheses H1, H2, ... (possible situations such as "intrusion in progress" versus "accidentally mis-configured application") and output the likely security situation (intrusions, attacks).]
Intrusion Reference Model Static Components
• Network Entity Relationship Database (NERD)
– Hardware and services in the protected domain
– Potential targets such as protected files or applications
– Services and relationships between entities
– Deployed detectors
– Users, groups and permissions
• Security Goal Database
– Captures security policies
– Security objects, actors, and relationships
• Attack Plan Library
– Potential exploits and attack plans
– Innocent events that can be confused with attacks (future work)
• Intrusion detector “contracts”
– IDS locations and scope
– IDS capabilities
IRM Layered Ontology
• IRM base ontology
– abstract concepts
– vulnerabilities
• Specialized extensions
– local network entities
– vendor specific data
[Figure: the IRM Base Ontology is specialized by extensions LocalNet, RealSecIDS, DragonIDS, SnortIDS and SunPatches, which feed the Report Analyzer.]
Dynamic Evidence Aggregator
• Goal: Combine evidence from multiple instances and kinds of detectors to provide a more accurate and complete state assessment
• Use qualitative probabilistic reasoning that allows:
– Probabilistic reasoning to weigh the likelihood of multiple hypotheses.
– Doesn’t require actual probabilities, just relative surprise values.
Event Analyzer
Goal:
use a qualitative scheme to separate the small number of plausible threats from a much larger mass of false positives, without a crushing burden of knowledge engineering
Approach:
• use System Z+ qualitative probability.
• develop calculating engine
• work iteratively to identify parameters that satisfy hypothesis (small number of likelihood classes).
Theoretical Basis: Qualitative Probability
• Instead of probabilities, degrees of surprise.
• Surprise measures are order of magnitude abstractions of probabilities.
– k(a) defined by P(a) = ε^k(a)
– ε is infinitesimal.
– Support qualitative judgments of likelihood - e.g., certain types of sensor failure occur every day; certain types of major plant equipment failure occur every 10 years
• Surprise measures behave like probabilities --- use Bayes’ Law, etc.
• Based on System Z+ developed by Goldszmidt and Pearl
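As an added example (not code from the Scyllarus or CORTEX projects), the following aggregator applies the surprise-value (kappa) form of Bayes' law described above to the hypotheses of the Scyllarus diagram: surprise values add where probabilities multiply, the evidence term is a minimum instead of a sum, and the most plausible hypothesis is always driven to surprise 0. The hypothesis names, the surprise tables and the non-susceptible-target penalty are constructed assumptions.

```python
# Added example (not from the slides): a minimal surprise-value aggregator.
# kappa(a) is the degree of surprise of a, with P(a) = eps^kappa(a) for an
# infinitesimal eps: 0 means unsurprising, each extra unit is an order of
# magnitude less likely. All numbers below are constructed for illustration.

# Prior surprise of each competing hypothesis (the H1, H2, ... of the diagram).
PRIOR = {"intrusion_in_progress": 2, "misconfigured_app": 1, "benign": 0}

# Conditional surprise kappa(report | hypothesis) for each kind of audit report.
LIKELIHOOD = {
    "network_probe":     {"intrusion_in_progress": 0, "misconfigured_app": 2, "benign": 3},
    "comm_attempt":      {"intrusion_in_progress": 0, "misconfigured_app": 0, "benign": 2},
    "unauthorized_user": {"intrusion_in_progress": 0, "misconfigured_app": 3, "benign": 4},
}
# Extra surprise charged to the intrusion hypothesis when the target is not
# susceptible to the reported attack (the "discounts attacks against
# non-susceptible targets" behaviour); the value 2 is a constructed parameter.
NOT_SUSCEPTIBLE_PENALTY = 2


def joint_surprise(hyp, reports, susceptible=True):
    """kappa(reports, hyp) = kappa(hyp) + sum kappa(r | hyp), assuming the reports
    are conditionally independent given the hypothesis (kappa analogue of a product)."""
    total = PRIOR[hyp] + sum(LIKELIHOOD[r][hyp] for r in reports)
    if hyp == "intrusion_in_progress" and not susceptible:
        total += NOT_SUSCEPTIBLE_PENALTY
    return total


def posterior_surprise(reports, susceptible=True):
    """Bayes' law in the kappa calculus: kappa(h | e) = kappa(e, h) - kappa(e), where
    kappa(e) = min over h of kappa(e, h), so the best hypothesis always ends at 0."""
    joint = {h: joint_surprise(h, reports, susceptible) for h in PRIOR}
    evidence = min(joint.values())
    return {h: k - evidence for h, k in joint.items()}


def plausible(reports, susceptible=True, max_surprise=1):
    """Hypotheses within max_surprise of the best one, most plausible first."""
    post = posterior_surprise(reports, susceptible)
    ranked = sorted(post, key=post.get)
    return [h for h in ranked if post[h] <= max_surprise]
```

With no reports the benign hypothesis wins; a network probe alone leaves all three within one order of magnitude, while a probe plus an unauthorized-user report leaves only the intrusion hypothesis plausible.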
Reducing False Alarms with Scyllarus
[Figure: log-scale chart (1 to 100,000) over the days in November 2001 comparing daily counts of IDS Reports, Events, All Plausible Events, events of Med/High Plausibility & Med/High Severity, and events of High Plausibility & High Severity.]
Proactive Planning from CIRCADIA
Cooperative Intelligent Real-time Control Architecture for Dynamic Information Assurance
• Autonomic defense for computing resources.
• Adaptive monitoring.
• Real-time reactive control responses to survive.
• Uses control-theoretic methods to automatically synthesize its control strategies, rather than relying on hand-built rules or other knowledge.
Automatically Synthesizing Security Control Systems
• Use control theory to derive appropriate response actions automatically.
• Automatically tailor monitoring and responses according to mission, available resources, varying threats, and policies.
• Reason explicitly about response time requirements to provide performance guarantees.
• Automatic responses guaranteed to defeat intruders in real-time.
• System derives appropriate responses for novel attack combinations.
• Automatic tradeoffs of security and monitoring vs. service and accessibility.
• Easier to deploy & maintain than manual rule bases.
[Quadchart figure (New Ideas / Impact): the Active Security Controller Executive, Controller Synthesis Module and Security Tradeoff Planner close the loop between Intrusion Assessment and the networks, computers and computational mission services.]
Controller Synthesis Module
[Figure: the Controller Synthesis Module (Threat Model, Dynamics Model, Action Model, Projection/Synthesis Algorithm, Scheduler, Verifier) sits between the Security Tradeoff Planner and the Active Security Controller Executive.]
Controller Synthesis Module reasons about models of goals, threats, cyberspace dynamics and actions to derive new sets of control rules online.
– Timed automata models capture temporal constraints, probabilities.
– Game theoretic view plus time: search for controller automaton while projecting adversary’s moves.
– Temporal reasoning derives requirements on sensing/monitoring.
– Formal methods verify controller behavior against policy requirements.
Controlled State Space Graph
• Considers different orders of attacker actions, consistent with preconditions.
– Factored, transition-based attacker model allows CIRCADIA to generalize beyond single-path characterization of a given attack script.
• Includes sequences of CIRCADIA actions to prevent further damage and recover from current (non-goal) situations.
World Model Dynamics
• The world model is a generalized semi-Markov process (GSMP).
• The world occupies a single state at any point in time.
• Enabled transitions in the current state compete to trigger.
• One transition triggers in each state, determining the next state.
• Non-Markovian because trigger distributions depend on dwell times.
• There are no analytic solutions for unrestricted GSMPs.
• Must use a sampling-based approach to estimate state probabilities (or determine if failure is too likely).
Decision-Theoretic CIRCA Planning
• Decision theory provides mechanism to trade risk against goal achievement using expected utility.
• Need to add a utility model to capture relative value of mission goals.
– Not addressed in traditional GSMP models.
• If we can compute expected utility for a plan, we can optimize controller design automatically, at cost of additional search.
Probabilistic Transition Effects
• In the classical CIRCA framework, a transition can have a nondeterministic transition time and nondeterministic effects.
• We add the ability to model transitions with a probabilistic transition time.
• We add probabilistic effects as well:
– Each transition has a probability distribution (T-distribution) for transition time, and another distribution (E-distribution) for the effect of the transition.
– For each state, a set of transitions compete to trigger. The one with the shortest transition time (sampled from its T-distribution) wins and triggers the state transition.
– Given a transition that won the trigger race, the state will transition to a new state sampled from its E-distribution.
Reward for CIRCADIA Models
• Maintenance/accumulation goals: more value the longer you stay in those states (“Web server is up”).
– Using dwell-time-weighted probability.
• Repeated achievement/reaction goals (opportunistic): get value each time you achieve (“Sanitize compromised machines”).
• One-shot achievement goals: get all the value as soon as you get there (“Complete network self-configuration”).
• Cost of actions and losses/failure (“Attacker compromises database” vs. “Attacker gains root”).
• Overall utility is the sum of these rewards: U = U_M + U_A + U_RA - U_cost.
Estimating a Plan’s Expected Utility
• Key premise:
– Due to the complexity of the goal models and non-Markovian time representation, the EU is difficult to compute analytically.
– Thus we turn to the sampling-based approach.
• What is the purpose of sampling? Not necessarily to estimate the EU!
• We can sample to:
– Determine if the current plan is too likely to fail (hypothesis testing).
– Determine if the current plan has lower EU than the current best plan (hypothesis testing).
– Estimate the EU of the current plan to within a given error margin and a given confidence coefficient (interval estimation).
• All of these can be done sequentially (which saves time).
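The three slides above (probabilistic transition effects, the reward model, and sampling a plan's expected utility) are illustrated together by the following added example, which is not CIRCADIA or CORTEX code. A toy world is written as a GSMP in which every transition carries a T-distribution (a sampler for its trigger time) and an E-distribution (next state with probability); sampling one trace runs the trigger race in each state, accumulates dwell-time-weighted maintenance reward, repeated-achievement reward and action costs, and charges a loss on failure. `too_likely_to_fail` is the sequential hypothesis test: it stops sampling as soon as the observed failures already exceed the budget. The states, transitions, distributions and reward figures are constructed assumptions; the one-shot achievement term U_A is left out of the toy model.

```python
import random

# Constructed toy GSMP (not from the slides). Each transition = (name, T-distribution
# sampler giving time-to-trigger, E-distribution as [(next_state, prob), ...]).
WORLD = {
    "web_up": [
        ("attacker_exploits", lambda r: r.expovariate(1 / 8.0), [("compromised", 0.7), ("web_up", 0.3)]),
        ("patch_action", lambda r: r.uniform(2.0, 4.0), [("web_up_patched", 1.0)]),
    ],
    "compromised": [
        ("sanitize_action", lambda r: r.uniform(1.0, 3.0), [("web_up", 0.9), ("attacker_root", 0.1)]),
        ("attacker_escalates", lambda r: r.expovariate(1 / 5.0), [("attacker_root", 1.0)]),
    ],
    "web_up_patched": [],  # absorbing goal state
    "attacker_root": [],   # absorbing failure state
}
FAILURE = {"attacker_root"}
MAINT = {"web_up": 1.0, "web_up_patched": 1.0}  # maintenance reward per unit of dwell time
ACHIEVE = {"sanitize_action": 5.0}              # repeated-achievement reward per occurrence
COST = {"patch_action": 2.0, "sanitize_action": 1.0}
FAIL_LOSS = 50.0                                # loss charged once on entering a failure state


def sample_trace(rng, horizon=20.0):
    """Simulate one trace; return (failed, utility = U_M + U_RA - U_cost - loss)."""
    state, t, utility = "web_up", 0.0, 0.0
    while t < horizon and state not in FAILURE:
        # Trigger race: every enabled transition samples a time; the shortest wins.
        race = [(f(rng), n, e) for n, f, e in WORLD[state]]
        dt, name, effects = min(race) if race else (horizon - t, None, [])
        dt = min(dt, horizon - t)
        utility += MAINT.get(state, 0.0) * dt   # dwell-time-weighted maintenance reward
        t += dt
        if t >= horizon:                        # horizon reached before the winner fired
            break
        utility += ACHIEVE.get(name, 0.0) - COST.get(name, 0.0)
        state = rng.choices([s for s, _ in effects], [p for _, p in effects])[0]  # E-distribution
    if state in FAILURE:
        utility -= FAIL_LOSS
    return state in FAILURE, utility


def too_likely_to_fail(p_max, n=2000, seed=1):
    """Sequential test: stop as soon as observed failures exceed the budget p_max * n."""
    rng, fails = random.Random(seed), 0
    for i in range(1, n + 1):
        fails += sample_trace(rng)[0]
        if fails > p_max * n:
            return True, fails / i
    return False, fails / n
```

Replacing the failure test with a running mean and confidence interval over the returned utilities gives the interval-estimation variant of the same sampling loop.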
Focusing Production of Plans
• Two ways to improve controller synthesis:
– Rapidly reject bad candidates.
– Don’t generate bad candidates.
• Focus plan generation on more-likely candidates by leveraging information about current plans. Some ideas:
– Revise decisions that led to failure in sampled traces.
– Exploit heuristic information from plan generation process. Heuristic provides equivalence class of decisions. Revise plans for states where there is more than one preferred decision (heuristic ambiguity).
The CORTEX Vision
[Figure: sensor inputs feed the Dynamic Evidence Aggregator, which uses the System Reference Model to produce the likely security situation; the Mission Aware Meta Planner turns this into a mission/phase specific planning problem for the Controller Synthesis Module, which produces a custom reactive plan (proactive protection, reactive defense, and healing) executed by the Active Security Controller Executive as system, security, and mission application actions; unexpected states and unhandled contingencies feed back into planning, and learning adapts the models.]
CORTEX Advances in Situation Assessment
• Add mission modeling capability to form System Reference Model.
• Incorporate propagation models to represent information flow and filtering components.
• Enhance state assessment for mission awareness:
– Mission affects expected sensor behavior.
– Mission affects criticality of failures and attacks.
• Bring state assessment fully online for soft real-time performance.
• Stretch Goal: Retrospective revision of alerts based on new information.
CORTEX Advances in Proactive Planning
• Automatically map System Reference Model elements to planning problem for controller synthesis
• Develop new controller synthesis algorithms for qualitative probabilistic models, based on local search
• Develop meta-level control to focus and adjust response planning algorithms based on mission phasing and urgency of self-reconfiguration
• Interface to state assessment for real-time response
CORTEX Advances in Learning
• Adapt existing concept drift algorithms to update surprise levels (qualitative probabilities) within the threat models
• Adapt performance profiles within the Mission models and Self (meta-level) models
• Develop strategies for preemptively testing resource capacities based on mission, self, and threat models.
– Predict and test for failures and adapt before they are critical.
CORTEX – Mission-Aware Closed-Loop Cyber Assessment and Response
• System Reference Model including mission models drives intrusion assessment, diagnosis, and response.
• Automatically search for response policies that optimize tradeoff of security against mission ops.
• “Taste-tester” server redundancy supports robustness and learning from new attacks.
• High confidence intrusion assessment and diagnosis.
• Pre-planned automatic responses to contain and recover from faults and attacks.
• Automatic tradeoffs of security vs. service level & accessibility.
• Learns to recognize and defeat novel attacks.
[Quadchart figure (New Ideas / Impact / Schedule): the Active Security Controller Executive, Controller Synthesis Module and Security Tradeoff Planner control computing services, networks and computers subject to attacks and failures, building on Scyllarus Intrusion Assessment and CIRCADIA.]
SCHEDULE (JUL 04 to DEC 06)
Demos:
– MAR 05: Thin slice demo
– DEC 05: Monitor, plan, react, learn
– DEC 06: Integrated with other SRS results