Approved for Public Release, Distribution Unlimited

CORTEX: Mission-Aware Closed-Loop Cyber Assessment and Response

7/20/04 Kickoff

Walt Heimerdinger, Mike Pelican, David Musliner, John Allen

Outline

• Technical overview:

– Motivation

– Situational awareness

– Proactive planning and execution

– CORTEX

• Quadchart

Motivation

• Systems are increasingly dynamic

– Missions evolve

– Unexpected failures hazard mission goals

– Multi-exploit attacks propagate rapidly

– Self-reconfigurable systems change too rapidly to respond to attacks and failures

• Current computational mission state (resources, tasks) affects:

– Detection of attacks and failures.

– Appropriate responses.

• Existing detection and response systems do not incorporate real-time

– Mission awareness

– Attack success knowledge

Approach

• A probabilistic situation assessor to estimate:

– System health

– Active threats

– Mission status

– Feasible configurations

• A proactive planner to control reconfiguration:

– Continually produce feasible contingency plans

– Execute plans in real time

Assessment Technology from Scyllarus

A management and analysis system for network security monitoring:

• Correlates reports from many disparate intrusion detectors to provide information useful to operating personnel or administrators.

– Weighs evidence for/against intrusions to reduce false alarms.

– Assesses intrusion events for plausibility and severity.

– Discounts attacks against non-susceptible targets.

• Consolidates and retains all report data for forensic investigation.

• Maintains detector and system configuration information.

How Scyllarus Intrusion Detection Works

[Diagram: audit reports (of a network probe, of a communication attempt, of an unauthorized user) feed the Dynamic Evidence Aggregator, which draws on the Intrusion Reference Model (Network Model, Security Model, Attack Models) to weigh competing hypotheses, for example H1 "intrusion in progress" against H2 "accidentally mis-configured application", and outputs the likely security situation (intrusions, attacks).]

Intrusion Reference Model Static Components

• Network Entity Relationship Database (NERD)

– Hardware and services in the protected domain

– Potential targets such as protected files or applications

– Services and relationships between entities

– Deployed detectors

– Users, groups and permissions

• Security Goal Database

– Captures security policies

– Security objects, actors, and relationships

• Attack Plan Library

– Potential exploits and attack plans

– Innocent events that can be confused with attacks (future work)

• Intrusion detector “contracts”

– IDS locations and scope

– IDS capabilities

IRM Layered Ontology

• IRM base ontology

– abstract concepts

– vulnerabilities

• Specialized extensions

– local network entities

– vendor specific data

[Diagram: the IRM Base Ontology with specialized extensions LocalNet, RealSecIDS, DragonIDS, SnortIDS and SunPatches, feeding the Report Analyzer.]

Dynamic Evidence Aggregator

• Goal: Combine evidence from multiple instances and kinds of detectors to provide a more accurate and complete state assessment.

• Use qualitative probabilistic reasoning that allows:

– Probabilistic reasoning to weigh the likelihood of multiple hypotheses.

– No requirement for actual probabilities, just relative surprise values.

Event Analyzer

Goal:

Use a qualitative scheme to separate the small number of plausible threats from a much larger mass of false positives, without a crushing burden of knowledge engineering.

Approach:

• Use System Z+ qualitative probability.

• Develop a calculating engine.

• Work iteratively to identify parameters that bear out the hypothesis (that a small number of likelihood classes suffices).

Theoretical Basis: Qualitative Probability

• Instead of probabilities, degrees of surprise.

• Surprise measures are order-of-magnitude abstractions of probabilities.

– κ(a) is defined by P(a) = ε^κ(a), where ε is infinitesimal: κ = 0 means “expected”, and each increment of κ is one more order of magnitude of surprise.

– Support qualitative judgments of likelihood, e.g., certain types of sensor failure occur every day; certain types of major plant equipment failure occur every 10 years.

• Surprise measures behave like probabilities: use Bayes’ Law, etc. Products of probabilities become sums of surprise and sums of probabilities become the minimum surprise, i.e., κ(a ∧ b) = κ(a) + κ(b | a) and κ(a ∨ b) = min(κ(a), κ(b)).

• Based on System Z+ developed by Goldszmidt and Pearl.
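The surprise calculus above, worked as an added example that is not Scyllarus code. The three hypotheses (matching H1 and H2 in the Scyllarus diagram plus a benign case), the report types, the prior and conditional surprise values and the susceptibility discount are all constructed, and audit reports are assumed conditionally independent given the hypothesis. It shows the Dynamic Evidence Aggregator's job in miniature: several reports are combined by integer arithmetic, the result is normalized so the best hypothesis has surprise 0, a lone network probe is ranked as daily noise rather than an intrusion, and an attack against a non-susceptible target is discounted.

```python
"""Qualitative (kappa-calculus) ranking of intrusion hypotheses.

Added illustration of the System Z+ surprise measures; not Scyllarus code.
Surprise kappa(a) is the integer exponent for which P(a) is of order
eps**kappa(a) with eps infinitesimal: kappa = 0 is "expected", each +1 is one
order of magnitude less likely.  The probability rules become integer arithmetic:
    P(a & b) = P(a) * P(b|a)        ->  kappa(a & b) = kappa(a) + kappa(b|a)
    P(a or b) ~ max(P(a), P(b))     ->  kappa(a or b) = min(kappa(a), kappa(b))
    P(h|e) = P(e|h) P(h) / P(e)     ->  kappa(h|e) = kappa(e|h) + kappa(h) - kappa(e)
where kappa(e) = min over h of kappa(e & h) plays the role of normalization.
"""
from typing import Dict, Iterable, Optional

# Constructed knowledge base (not from the slides).
# Prior surprise of each situation being underway on a given day.
PRIOR: Dict[str, int] = {
    "intrusion_in_progress": 2,       # roughly once per hundred days
    "misconfigured_application": 1,   # roughly once per ten days
    "benign_activity": 0,             # the expected case
}

# kappa(report | hypothesis): surprise of seeing each audit report under each
# hypothesis.  Reports are treated as conditionally independent given the
# hypothesis (an assumption of this example).
LIKELIHOOD: Dict[str, Dict[str, int]] = {
    "intrusion_in_progress":     {"network_probe": 0, "communication_attempt": 0, "unauthorized_user": 0},
    "misconfigured_application": {"network_probe": 2, "communication_attempt": 0, "unauthorized_user": 1},
    "benign_activity":           {"network_probe": 1, "communication_attempt": 1, "unauthorized_user": 3},
}


def kappa_and(*ks: int) -> int:
    """Surprise of a conjunction of independent events: surprises add."""
    return sum(ks)


def kappa_or(*ks: int) -> int:
    """Surprise of a disjunction: the least surprising disjunct dominates."""
    return min(ks)


def susceptibility_discount(target_vulnerable: bool, orders: int = 3) -> int:
    """'Discount attacks against non-susceptible targets': an exploit aimed at a
    host that does not run the targeted service is `orders` orders of magnitude
    less likely to be a real intrusion (value constructed for the example)."""
    return 0 if target_vulnerable else orders


def joint_surprise(hypothesis: str, reports: Iterable[str], extra: int = 0) -> int:
    """kappa(h & e_1 & ... & e_n) = kappa(h) + sum_i kappa(e_i | h), plus any extra
    surprise a discount rule attaches to the hypothesis."""
    return kappa_and(PRIOR[hypothesis], extra, *(LIKELIHOOD[hypothesis][r] for r in reports))


def posterior_surprise(reports: Iterable[str],
                       discounts: Optional[Dict[str, int]] = None) -> Dict[str, int]:
    """Bayes' rule in kappa form: kappa(h | e) = kappa(h & e) - kappa(e)."""
    reports = list(reports)
    discounts = discounts or {}
    joint = {h: joint_surprise(h, reports, discounts.get(h, 0)) for h in PRIOR}
    kappa_e = kappa_or(*joint.values())          # kappa(e) = min_h kappa(h & e)
    return {h: k - kappa_e for h, k in joint.items()}


def most_plausible(posterior: Dict[str, int]) -> str:
    """The hypothesis with the least posterior surprise (0 by construction)."""
    return min(posterior, key=posterior.get)


def plausibility_class(kappa: int) -> str:
    """Collapse surprise into the small number of likelihood classes the event
    analyzer reports (thresholds constructed for the example)."""
    return "high" if kappa == 0 else "medium" if kappa == 1 else "low"


if __name__ == "__main__":
    burst = ["network_probe", "communication_attempt", "unauthorized_user"]
    for label, reports, discounts in [
        ("single probe", ["network_probe"], None),
        ("probe + connection + unauthorized user", burst, None),
        ("same burst, target not vulnerable", burst,
         {"intrusion_in_progress": susceptibility_discount(target_vulnerable=False)}),
    ]:
        post = posterior_surprise(reports, discounts)
        print(f"{label}: {post} -> {most_plausible(post)}")
```

Run as a script it prints the three rankings: the single probe is most plausibly benign (intrusion one order of magnitude behind), the full burst makes the intrusion hypothesis the only one with surprise 0, and the same burst against a host that is not susceptible shifts the best explanation to the misconfigured application. Adding integers instead of multiplying probabilities is what lets the knowledge base be written in terms of "every day" versus "every ten years" judgments.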

Reducing False Alarms with Scyllarus

[Chart: log-scale daily counts (1 to 100,000) over the days in November 2001 of IDS reports, events, all plausible events, events of medium/high plausibility and medium/high severity, and events of high plausibility and high severity.]

Proactive Planning from CIRCADIA

Cooperative Intelligent Real-time Control Architecture for Dynamic Information Assurance

• Autonomic defense for computing resources.

• Adaptive monitoring.

• Real-time reactive control responses to survive.

• Uses control-theoretic methods to automatically synthesize its control strategies, rather than relying on hand-built rules or other knowledge.

Automatically Synthesizing Security Control Systems

• Use control theory to derive appropriate response actions automatically.

• Automatically tailor monitoring and responses according to mission, available resources, varying threats, and policies.

• Reason explicitly about response time requirements to provide performance guarantees.

• Automatic responses guaranteed to defeat intruders in real-time.

• System derives appropriate responses for novel attack combinations.

• Automatic tradeoffs of security and monitoring vs. service and accessibility.

• Easier to deploy & maintain than manual rule bases.

[Quad chart; the bullets above are its NEW IDEAS and IMPACT panels. Diagram: the Active Security Controller Executive, with the Controller Synthesis Module and the Security Tradeoff Planner, takes Intrusion Assessment as input and acts on networks and computers and on the computational mission services.]

Controller Synthesis Module

[Diagram: the Controller Synthesis Module (Threat Model, Dynamics Model, Action Model, Projection/Synthesis Algorithm, Scheduler, Verifier) together with the Active Security Controller Executive and the Security Tradeoff Planner.]

The Controller Synthesis Module reasons about models of goals, threats, cyberspace dynamics and actions to derive new sets of control rules online.

– Timed automata models capture temporal constraints, probabilities.

– Game theoretic view plus time: search for controller automaton while projecting adversary’s moves.

– Temporal reasoning derives requirements on sensing/monitoring.

– Formal methods verify controller behavior against policy requirements.

Controlled State Space Graph

• Considers different orders of attacker actions, consistent with preconditions.

– Factored, transition-based attacker model allows CIRCADIA to generalize beyond single-path characterization of a given attack script.

• Includes sequences of CIRCADIA actions to prevent further damage and recover from current (non-goal) situations.

World Model Dynamics

• The world model is a generalized semi-Markov process (GSMP).

• The world occupies a single state at any point in time.

• Enabled transitions in the current state compete to trigger.

• One transition triggers in each state, determining the next state.

• Non-Markovian because trigger distributions depend on dwell times.

• There are no analytic solutions for unrestricted GSMPs.

• Must use a sampling-based approach to estimate state probabilities (or determine if failure is too likely).

Decision-Theoretic CIRCA Planning

• Decision theory provides a mechanism to trade risk against goal achievement using expected utility.

• Need to add a utility model to capture the relative value of mission goals.

– Not addressed in traditional GSMP models.

• If we can compute expected utility for a plan, we can optimize controller design automatically, at the cost of additional search.

Probabilistic Transition Effects

• In the classical CIRCA framework, a transition can have a nondeterministic transition time and nondeterministic effects.

• We add the ability to model transitions with a probabilistic transition time.

• We add probabilistic effects as well:

– Each transition has a probability distribution (T-distribution) for its transition time, and another distribution (E-distribution) for the effect of the transition.

– For each state, a set of transitions compete to trigger. The one with the shortest transition time (sampled from its T-distribution) wins and triggers the state transition.

– Given the transition that won the trigger race, the state will transition to a new state sampled from that transition’s E-distribution.

Reward for CIRCADIA Models

• Maintenance/accumulation goals: more value the longer you stay in those states (“Web server is up”).

– Using dwell-time-weighted probability.

• Repeated achievement/reaction goals (opportunistic): get value each time you achieve (“Sanitize compromised machines”).

• One-shot achievement goals: get all the value as soon as you get there (“Complete network self-configuration”).

• Cost of actions and losses/failure (“Attacker compromises database” vs. “Attacker gains root”).

• Overall utility is the sum of these rewards less the costs: U = U_M + U_A + U_RA - U_cost.

Estimating a Plan’s Expected Utility

• Key premise:

– Due to the complexity of the goal models and the non-Markovian time representation, the EU is difficult to compute analytically.

– Thus we turn to the sampling-based approach.

• What is the purpose of sampling? Not necessarily to estimate the EU!

• We can sample to:

– Determine if the current plan is too likely to fail (hypothesis testing).

– Determine if the current plan has lower EU than the current best plan (hypothesis testing).

– Estimate the EU of the current plan to within a given error margin at a given confidence level (interval estimation).

• All of these can be done sequentially (which saves time: stop drawing samples as soon as the decision, or the required precision, is reached).
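A sampling simulator for the world model of the four slides above (GSMP dynamics with a trigger race, T- and E-distributions, dwell-time-weighted and per-event rewards, and sequential hypothesis testing and interval estimation), as an added example that is not CIRCADIA code. The scenario, a web server that an attacker probes and then exploits, with an optional response transition of fixed duration, and every time distribution, probability and utility weight in it are constructed for the example; Wald's sequential probability ratio test is used as one concrete form of the "too likely to fail" test, and the one-shot achievement term U_A is omitted because the scenario has no one-shot goal.

```python
"""Sampling a GSMP world model to score a CIRCA-style reactive plan.

Added example, not CIRCADIA code: the scenario (a web server facing a
probe-then-exploit attacker, optionally defended by a bounded-time response) and
every distribution and utility weight are constructed.  Wald's sequential
probability ratio test stands in for the slide's "too likely to fail" test.
"""
import math
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Transition:
    name: str
    source: str
    sample_time: Callable[[random.Random], float]  # T-distribution: time until this fires
    effects: List[Tuple[str, float]]               # E-distribution: (next state, probability)

    def next_state(self, rng: random.Random) -> str:
        return rng.choices([s for s, _ in self.effects], [p for _, p in self.effects])[0]


@dataclass
class Plan:
    transitions: List[Transition]  # attacker and controller transitions; earlier wins ties
    start: str
    failure: Set[str]              # absorbing states that violate the mission
    horizon: float
    maintenance: Dict[str, float]  # U_M: value per unit of dwell time in a state
    achievement: Dict[str, float]  # U_RA: value each time a transition fires
    cost: Dict[str, float]         # U_cost: charged each time a transition fires


def simulate(plan: Plan, rng: random.Random) -> Tuple[float, bool]:
    """One sampled trace: the transitions enabled in the current state race, each
    drawing a time from its T-distribution; the shortest wins and its E-distribution
    picks the successor.  Returns (U = U_M + U_RA - U_cost, failure state reached)."""
    state, clock, utility = plan.start, 0.0, 0.0
    while state not in plan.failure:
        enabled = [t for t in plan.transitions if t.source == state]
        if not enabled:
            break
        winner, dt = min(((t, t.sample_time(rng)) for t in enabled), key=lambda x: x[1])
        dwell = min(dt, plan.horizon - clock)
        utility += plan.maintenance.get(state, 0.0) * dwell  # dwell-time-weighted reward
        clock += dwell
        if clock >= plan.horizon:
            break
        utility += plan.achievement.get(winner.name, 0.0) - plan.cost.get(winner.name, 0.0)
        state = winner.next_state(rng)
    return utility, state in plan.failure


def make_plan(response_time: Optional[float]) -> Plan:
    """Constructed scenario: the attacker probes (1-5 time units) then needs 2-6 units to
    exploit, succeeding 70% of the time; a response, if present, fires after a fixed bound."""
    ts = [Transition("probe", "serving", lambda r: r.uniform(1, 5), [("probed", 1.0)])]
    if response_time is not None:
        ts.append(Transition("respond", "probed", lambda r: response_time, [("serving", 1.0)]))
    ts.append(Transition("exploit", "probed", lambda r: r.uniform(2, 6),
                         [("compromised", 0.7), ("serving", 0.3)]))
    return Plan(ts, "serving", {"compromised"}, horizon=20.0,
                maintenance={"serving": 1.0, "probed": 1.0},  # "web server is up"
                achievement={"respond": 0.5},                  # "sanitize machine"
                cost={"respond": 1.0})                         # disruption of responding


def sprt_too_likely_to_fail(plan: Plan, p_ok: float, p_bad: float, alpha: float = 0.05,
                            beta: float = 0.05, max_samples: int = 500, seed: int = 1) -> Tuple[str, int]:
    """Sequential test of H0: P(fail) = p_ok against H1: P(fail) = p_bad (> p_ok);
    stops as soon as the accumulated log-likelihood ratio crosses either bound."""
    rng, llr = random.Random(seed), 0.0
    upper, lower = math.log((1 - beta) / alpha), math.log(beta / (1 - alpha))
    for n in range(1, max_samples + 1):
        failed = simulate(plan, rng)[1]
        llr += math.log(p_bad / p_ok) if failed else math.log((1 - p_bad) / (1 - p_ok))
        if llr >= upper:
            return "reject", n  # too likely to fail: discard this plan
        if llr <= lower:
            return "accept", n
    return "undecided", max_samples


def estimate_eu(plan: Plan, margin: float, z: float = 1.96, min_samples: int = 30,
                max_samples: int = 5000, seed: int = 1) -> Tuple[float, float, int, float]:
    """Sequential interval estimation: sample until the normal-approximation confidence
    half-width (z = 1.96 for 95%) of the mean utility is within `margin`.
    Returns (mean utility, half-width, samples used, observed failure fraction)."""
    rng, n, total, total_sq, fails, half = random.Random(seed), 0, 0.0, 0.0, 0, math.inf
    while n < max_samples:
        u, failed = simulate(plan, rng)
        n, total, total_sq, fails = n + 1, total + u, total_sq + u * u, fails + failed
        if n >= min_samples:
            half = z * math.sqrt(max(total_sq / n - (total / n) ** 2, 0.0) / n)
            if half <= margin:
                break
    return total / n, half, n, fails / n
```

Calling `sprt_too_likely_to_fail(make_plan(None), 0.1, 0.5)` rejects the undefended plan within a handful of traces, because the attacker's exploit always gets at least one attempt inside the horizon. With `make_plan(1.9)` the response fires before the fastest possible exploit (2 time units), so no sampled trace ever reaches "compromised" and the test accepts after six traces; that is the response-time guarantee the controller synthesis slides reason about, and the race in `simulate` is exactly where a slower response (try 3.5) starts losing. `estimate_eu` then reports each plan's expected utility with a 95% half-width and the observed failure fraction, stopping as soon as the precision goal is met rather than after a fixed sample count.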

Focusing Production of Plans

• Two ways to improve controller synthesis:

– Rapidly reject bad candidates.

– Don’t generate bad candidates.

• Focus plan generation on more-likely candidates by leveraging information about current plans. Some ideas:

– Revise decisions that led to failure in sampled traces.

– Exploit heuristic information from the plan generation process. The heuristic provides an equivalence class of decisions; revise plans for states where there is more than one preferred decision (heuristic ambiguity).

The CORTEX Vision

[Diagram: the Mission Aware Meta Planner, Controller Synthesis Module, Active Security Controller Executive, Dynamic Evidence Aggregator and System Reference Model, with Learning spanning them. Labelled flows are the mission/phase specific planning problem; the custom reactive plan (proactive protection, reactive defense, and healing); system, security, and mission application actions; sensor inputs; the likely security situation; and unexpected states and unhandled contingencies.]

CORTEX Advances in Situation Assessment

• Add mission modeling capability to form System Reference Model.

• Incorporate propagation models to represent information flow and filtering components.

• Enhance state assessment for mission awareness:

– Mission affects expected sensor behavior.

– Mission affects criticality of failures and attacks.

• Bring state assessment fully online for soft real-time performance.

• Stretch Goal: Retrospective revision of alerts based on new information.

CORTEX Advances in Proactive Planning

• Automatically map System Reference Model elements to planning problem for controller synthesis

• Develop new controller synthesis algorithms for qualitative probabilistic models, based on local search

• Develop meta-level control to focus and adjust response planning algorithms based on mission phasing and urgency of self-reconfiguration

• Interface to state assessment for real-time response

CORTEX Advances in Learning

• Adapt existing concept drift algorithms to update surprise levels (qualitative probabilities) within the threat models

• Adapt performance profiles within the Mission models and Self (meta-level) models

• Develop strategies for preemptively testing resource capacities based on mission, self, and threat models.

– Predict and test for failures and adapt before they are critical.

Schedule and Quad Chart

CORTEX – Mission-Aware Closed-Loop Cyber Assessment and Response

• System Reference Model including mission models drives intrusion assessment, diagnosis, and response.

• Automatically search for response policies that optimize the tradeoff of security against mission ops.

• “Taste-tester” server redundancy supports robustness and learning from new attacks.

• High confidence intrusion assessment and diagnosis.

• Pre-planned automatic responses to contain and recover from faults and attacks.

• Automatic tradeoffs of security vs. service level & accessibility.

• Learns to recognize and defeat novel attacks.

[Quad chart; the bullets above are its NEW IDEAS and IMPACT panels. Diagram: the Active Security Controller Executive, Controller Synthesis Module and Security Tradeoff Planner, building on Scyllarus Intrusion Assessment and CIRCADIA, defend networks, computers and computing services against attacks and failures.]

Schedule: JUL 04 kickoff; MAR 05 thin slice demo; DEC 05 monitor, plan, react, learn; DEC 06 integrated with other SRS results.