Cyber Situation Awareness from a Cyber Security Perspective
Sushil Jajodia, Massimiliano Albanese (George Mason University)
Peng Liu (Pennsylvania State University)
Doug Reeves, Peng Ning, Christopher Healey (North Carolina State University)
V. S. Subrahmanian (University of Maryland)
ARO-MURI on Cyber-Situation Awareness Review Meeting Phoenix AZ, 2013
Sample Scenario: Enterprise Network
Network nodes in the scenario: Internet; Web Server (A); Mobile App Server (C); Catalog Server (E); Order Processing Server (F); DB Server (G); Local DB Server (D); Local DB Server (B).
Questions the scenario raises:
Current situation. Is there any ongoing attack? If yes, where is the attacker?
Impact. How is the attack impacting the enterprise or mission? Can we assess the damage?
Evolution. How is the situation evolving? Can we track all the steps of an attack?
Behavior. How are the attackers expected to behave? What are their strategies?
Forensics. How did the attacker create the current situation? What was he trying to achieve?
Information. What information sources can we rely upon? Can we assess their quality?
Prediction. Can we predict plausible futures of the current situation?
Scalability. How can we ensure that solutions scale well for large networks?
Desired CSA Capabilities
Aspects of cyber situational awareness that need to be addressed in order to answer all the previous questions:
1. Be aware of the current situation: identification of past and ongoing attacks
2. Be aware of the impact of the attack: damage assessment
3. Be aware of how situations evolve: real-time tracking of attacks
4. Be aware of adversary behavior: integration of knowledge of the attacker's behavior into the attack model
5. Be aware of why and how the current situation was caused: forensics
6. Be aware of the quality of information: information sources, data integration, quality measures
7. Assess plausible futures of the current situation: predict possible futures and recommend corrective actions
System Architecture
Components shown in the architecture diagram: Monitored Network; Alerts/Sensory Data; Analyst; Situation Knowledge Reference Model; Index & Data Structures; Topological Vulnerability Analysis; Cauldron; Switchwall; Vulnerability Databases (NVD, OSVDB, CVE); Stochastic Attack Models; Generalized Dependency Graphs; Graph Processing and Indexing; Dependency Analysis (NSDMiner); Scenario Analysis & Visualization; Network Hardening; Unexplained Activities Model; Adversarial Modeling.
System Architecture – Cyber Security Perspective
[Figure: generalized dependency graph for the sample scenario. Hosts hA–hG, hS and hT run services fs and fd and carry vulnerabilities vA–vG; the missions Online Shopping and Mobile Order Tracking depend on the Order Processing Server (F), Mobile App Server (C), DB Server (G) and Local DB Server (D). Edges are annotated with probabilities (0.3, 0.7, 0.8, 1) and with pairs such as {(3,10),0.7}, {(1,9),0.3}, {(1,3),0.8}, {(2,7),0.2}, {(1,8),1}, {(1,7),1}, {(3,7),1}, {(1,3),1}; nodes carry numeric weights (5, 7, 8, 10). A "Heavy Iron" label also appears in the figure. Caption note: no information about the impact on missions of different courses of action.]