Cyber Situation Awareness from a Cyber Security Perspective

Sushil Jajodia, Massimiliano Albanese (George Mason University)
Peng Liu (Pennsylvania State University)
Doug Reeves, Peng Ning, Christopher Healey (North Carolina State University)
V. S. Subrahmanian (University of Maryland)

ARO-MURI on Cyber-Situation Awareness Review Meeting, Phoenix, AZ, 2013
Sample Scenario: Enterprise Network

[Figure: enterprise network diagram. Nodes: Internet, Web Server (A), Mobile App Server (C), Catalog Server (E), Order Processing Server (F), DB Server (G), Local DB Server (D), Local DB Server (B).]
Current situation. Is there any ongoing attack? If yes, where is the attacker?
Impact. How is the attack impacting the enterprise or mission? Can we assess the damage?
Evolution. How is the situation evolving? Can we track all the steps of an attack?
Behavior. How are the attackers expected to behave? What are their strategies?
Forensics. How did the attacker create the current situation? What was he trying to achieve?
Information. What information sources can we rely upon? Can we assess their quality?
Prediction. Can we predict plausible futures of the current situation?
Scalability. How can we ensure that solutions scale well for large networks?
Desired CSA Capabilities

Aspects of cyber situational awareness that need to be addressed in order to answer all the previous questions:
1. Be aware of the current situation: identification of past and ongoing attacks
2. Be aware of the impact of the attack: damage assessment
3. Be aware of how situations evolve: real-time tracking of attacks
4. Be aware of adversary behavior: integration of knowledge of the attacker's behavior into the attack model
5. Be aware of why and how the current situation was caused: forensics
6. Be aware of the quality of information: information sources, data integration, quality measures
7. Assess plausible futures of the current situation: predict possible futures and recommend corrective actions
System Architecture

[Figure: system architecture diagram. Components: Monitored Network; Alerts/Sensory Data; Analyst; Situation Knowledge Reference Model; Index & Data Structures; Graph Processing and Indexing; Topological Vulnerability Analysis; Cauldron; Switchwall; Vulnerability Databases (NVD, OSVDB, CVE); Stochastic Attack Models; Generalized Dependency Graphs; Dependency Analysis; NSDMiner; Scenario Analysis & Visualization; Network Hardening; Unexplained Activities Model; Adversarial modeling.]

System Architecture – Cyber Security Perspective (Y4)

[Figure: generalized dependency graph for the sample scenario. Nodes include the hosts hA, hB, hC, hD, hE, hF, hG, hS, hT (with services fs and fd, e.g. "hA, fs8", "hD, fd5", "hS, fs10"), the vulnerabilities vA, vB, vC, vD, vE, vF, vG, the servers Order Processing Server (F), Mobile App Server (C), DB Server (G), Local DB Server (D), and the missions "Online Shopping" and "Mobile Order Tracking". Edges are annotated with time intervals and probabilities: {(3,10),0.7}, {(1,9),0.3}, {(1,3),0.8}, {(2,7),0.2}, {(1,8),1}, {(1,7),1}, {(3,7),1}, {(1,3),1}; node weights shown are 0.7, 0.3, 0.8 and 1. A label "Heavy Iron" also appears. Slide annotation: "No information about the impact on missions of different courses of actions".]