Cyber Situation Awareness from a Cyber Security Perspective Sushil Jajodia, Massimiliano Albanese George Mason University Peng Liu Pennsylvania State University Doug Reeves, Peng Ning, Christopher Healey North Carolina State University V. S. Subrahmanian University of Maryland ARO-MURI on Cyber-Situation Awareness Review Meeting Phoenix AZ, 2013


Page 1

Cyber Situation Awareness from a Cyber Security Perspective

Sushil Jajodia, Massimiliano Albanese, George Mason University

Peng Liu, Pennsylvania State University

Doug Reeves, Peng Ning, Christopher Healey, North Carolina State University

V. S. Subrahmanian, University of Maryland

ARO-MURI on Cyber-Situation Awareness Review Meeting Phoenix AZ, 2013

Page 2

Sample Scenario: Enterprise Network

Figure: enterprise network diagram. Nodes shown: Internet, Web Server (A), Mobile App Server (C), Catalog Server (E), Order Processing Server (F), DB Server (G), Local DB Server (D), Local DB Server (B).

Current situation. Is there any ongoing attack? If yes, where is the attacker?

Impact. How is the attack impacting the enterprise or mission? Can we assess the damage?

Evolution. How is the situation evolving? Can we track all the steps of an attack?

Behavior. How are the attackers expected to behave? What are their strategies?

Forensics. How did the attacker create the current situation? What was he trying to achieve?

Information. What information sources can we rely upon? Can we assess their quality?

Prediction. Can we predict plausible futures of the current situation?

Scalability. How can we ensure that solutions scale well for large networks?

Page 3

Desired CSA Capabilities

Aspects of cyber situational awareness that need to be addressed in order to answer all the previous questions:

1. Be aware of current situation: identification of past and ongoing attacks

2. Be aware of the impact of the attack: damage assessment

3. Be aware of how situations evolve: real-time tracking of attacks

4. Be aware of adversary behavior: integration of knowledge of the attacker's behavior into the attack model

5. Be aware of why and how the current situation is caused: forensics

6. Be aware of quality of information: information sources, data integration, quality measures

7. Assess plausible futures of the current situations: predict possible futures and recommend corrective actions

Page 4

System Architecture

Figure: system architecture diagram. Components shown: Monitored Network; Analyst; Alerts/Sensory Data; Situation Knowledge Reference Model; Index & Data Structures; Topological Vulnerability Analysis; Cauldron; Switchwall; Vulnerability Databases (NVD, OSVDB, CVE); Stochastic Attack Models; Generalized Dependency Graphs; Graph Processing and Indexing; Dependency Analysis; NSDMiner; Scenario Analysis & Visualization; Network Hardening; Unexplained Activities Model; Adversarial Modeling; Heavy Iron. An inset shows a generalized dependency graph for the sample enterprise network (hosts A through G supporting the Online Shopping and Mobile Order Tracking missions), annotated: "No information about the impact on missions of different courses of actions".

Page 5

System Architecture – Cyber Security Perspective