UNCLASSIFIED / APPROVED FOR PUBLIC RELEASE

Page 1

The Nation’s Premier Laboratory for Land Forces

Chief, Network Science Division
U.S. Army Research Laboratory

Page 2: U.S. Army Research Laboratory

Mission: DISCOVER, INNOVATE, and TRANSITION Science and Technology to ensure dominant strategic land power

Vision: The Nation’s Premier Laboratory for Land Forces. Making today’s Army and the next Army obsolete

Page 3: Command Relationships

• ARDEC – Armaments Research, Development & Engineering Center
• TARDEC – Tank & Automotive Research, Development & Engineering Center
• NSRDEC – Natick Soldier Research, Development & Engineering Center
• ECBC – Edgewood Chemical Biological Center
• AMRDEC – Aviation & Missile Research, Development & Engineering Center
• ARL – Army Research Laboratory
• AMSAA – Army Materiel Systems Analysis Activity
• CERDEC – Communications-Electronics Research, Development & Engineering Center

Page 4: U.S. Army Research Laboratory – America’s Laboratory for the Army

Primary sites: Aberdeen Proving Ground; Adelphi Laboratory Center; Orlando; Raleigh-Durham; White Sands Missile Range
Field elements: United Kingdom; Japan; Chile

Workforce: 2,013 civilians, 33 military; direct contact with thousands of private-sector S&Es
Academia: 275 academic partners in 50 states + DC; 1,121 single-investigator grants; 59 MURI; 3 UARCs; 3 COEs
Industry: 77 Phase I SBIR, 23 Phase II SBIR, 11 Phase IIE SBIR; 50 CRADAs; 32 TSAs
International: 28 DEA/IEA; 3 PA/MOU; 17 TTCP; 7 NATO; 3 ESEP
Alliances: 6 Collaborative Technology Alliances; International Technology Alliance

Page 5: U.S. Army Research Laboratory – Organization

Director: Dr. Thomas Russell
MILDEP
Deputy Director for Basic Science & Director, ARO

Army Research Office (ARO): Math & Info Sciences; Physical Sciences; Engineering Sciences

Directorates: Vehicle Technology; Human Research & Engineering; Computational & Information Sciences; Sensors & Electron Devices; Weapons & Materials Research; Survivability/Lethality Analysis

Page 6: Characteristic Problems in Cyber Science and Engineering

The science and engineering of (cyber)security is a study and optimization of relations between policy, attacker, and defender.

Policy P: a set of assertions about what events should and should not happen. To simplify, focus on incidents I: events that should not happen.

Defender D: a model / description of the defender’s defensive tools and techniques Td, and operational assets, networks and systems Nd.

Attacker A: a model / description of the attacker’s tools and techniques Ta.

Page 7: Characteristic Problems and Models of Cyber

Then, we seek models of relations between I, Td, Nd, Ta:

(I, Td, Nd, Ta) = 0

Note: The above does not mean I expect to see a fundamental equation of this form. It is merely a shorthand for models that relate I, Td, Nd, Ta.

Kott, Alexander. "Towards fundamental science of cyber security." Network Science and Cybersecurity. Springer New York, 2014. 1-13. arXiv:1512.00407

Similar perspective in:

• Schneider, F. B., “Blueprint for a Science of Cybersecurity,” The Next Wave, Vol. 19, No. 2, 2012
• Bau, J., and Mitchell, J. C., “Security Modeling and Analysis,” IEEE Security & Privacy, May-June 2011

Page 8: Tentative Taxonomy of Common Cyber-related Models

• Emulation (often with simulation) of networks: actual hardware, software, humans, e.g., cyber ranges.
• Training-focused simulations: presenting to human trainees the effects of a cyber attack, without modeling the underlying process.
• M&S of human cognitive processing of cyber events and situations: perception, recognition, situation awareness, decision making.
• M&S of attack progress and malware propagation:
  • Attack-graph-based approaches
  • Epidemiology analogy, e.g., Susceptible, Infected, Recovered (SIR)
• Abstract wargaming: game-theoretic model of cyber conflict, without modeling the underlying processes of cyber attack and defense.
• Business process models: defense, offense and business processes, along with business IT architecture, simulated for observing resulting effects.
• Statistical models of cyber events: cyber processes are represented as, e.g., equations of Poisson processes, and coefficients are learned from a training dataset.
• Two classes of models are used to support cyber modeling but do not model cyber aspects themselves:
  • physical systems models to support modeling of cyber-physical effects;
  • network simulation models.
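The epidemiology analogy in the taxonomy above, worked as a discrete-time SIR model of malware propagation across a host population. This is an added example written for this page, not code from the slides or from ARL; the host count, the contact rate beta, the clean-up rate gamma and the number of steps are assumptions chosen for illustration, and the defender's lever is modeled only as gamma (how fast infected hosts are patched or reimaged).

```python
"""Discrete-time SIR model of malware propagation across a host population.

Added example (not code from the slides): the "epidemiology analogy" entry
of the taxonomy, worked as a forward-Euler SIR recurrence with hosts as the
population.  Host counts, contact rate and clean-up rate are assumptions.
"""


def sir_step(s, i, r, beta, gamma):
    """Advance (S, I, R) by one time step (dt = 1).

    beta  : expected infectious contacts per infected host per step
    gamma : fraction of infected hosts cleaned (patched/reimaged) per step
    """
    n = s + i + r
    new_infections = beta * s * i / n   # contacts that land on a still-susceptible host
    new_recoveries = gamma * i
    return (s - new_infections,
            i + new_infections - new_recoveries,
            r + new_recoveries)


def simulate(n_hosts, initial_infected, beta, gamma, steps):
    """Return the trajectory [(S, I, R), ...] from t = 0 to t = steps."""
    state = (float(n_hosts - initial_infected), float(initial_infected), 0.0)
    trajectory = [state]
    for _ in range(steps):
        state = sir_step(*state, beta, gamma)
        trajectory.append(state)
    return trajectory


def basic_reproduction_number(beta, gamma):
    """R0 = beta / gamma: above 1 the infection spreads, below 1 it dies out."""
    return beta / gamma


def peak_infected(trajectory):
    """Largest number of simultaneously infected hosts over the run."""
    return max(i for _, i, _ in trajectory)


def final_attack_fraction(trajectory):
    """Share of hosts that were ever infected by the end of the run."""
    s, i, r = trajectory[-1]
    return (i + r) / (s + i + r)


def compare_cleanup_rates(n_hosts, beta, gammas, steps=300):
    """Peak infected count for each clean-up rate, starting from one infected host."""
    return {g: peak_infected(simulate(n_hosts, 1, beta, g, steps)) for g in gammas}


if __name__ == "__main__":
    # Assumed parameters: 1000 hosts, one initial infection, beta = 0.4.
    for gamma in (0.05, 0.1, 0.3):
        traj = simulate(1000, 1, beta=0.4, gamma=gamma, steps=300)
        print(f"gamma={gamma:.2f} R0={basic_reproduction_number(0.4, gamma):4.1f} "
              f"peak={peak_infected(traj):6.1f} attacked={final_attack_fraction(traj):.3f}")
```

The recurrence conserves S + I + R at every step, so a drifting total is the first sign of a bug when the model is extended (for example with a patch maneuver that moves hosts directly from S to R). Because beta and gamma are per-step rates, keeping both below 1 keeps every compartment non-negative without clamping.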


Page 9: Human User Vulnerability to Cyber Attacks: Effect of Psychological and Cognitive Aspects

J. H. Cho, H. Cam, and A. Oltramari, “Effect of Personality Traits on Trust and Risk to Phishing Vulnerability: Modeling and Analysis,” accepted to IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA 2016), 21-25 March 2016, San Diego, USA

Page 10: Personality Traits vs. Phishing Susceptibility

Research Question: Can we predict an individual’s phishing susceptibility, given his/her personality traits?

Motivation: Empirical experiments have shown that an individual’s personality traits affect phishing vulnerability.

Goal: Develop a mathematical model to predict an individual’s phishing susceptibility in terms of perceived trust and risk and decision performance.

Contributions:
• Investigated the correlations between phishing susceptibility and personality traits
• Developed a mathematical model using Stochastic Petri Nets to predict an individual’s vulnerability and resilience to phishing attacks
• Demonstrated experimental results on the effect of an individual’s personality traits on perceived trust and risk and decision performance under phishing attacks

Cho, Oltramari (CMU), Cam (NSD/ARL) – accepted to CogSIMA16

Page 11: Big Five Personality Traits

Are there any relationships between personality traits and phishing susceptibility?

• Openness: Fantasy, Aesthetics, Feelings, Actions, Ideas, Values
• Conscientiousness: Competence, Order, Dutifulness, Achievement Striving, Self-Discipline, Deliberation
• Extroversion: Warmth, Gregariousness, Assertiveness, Activity, Excitement Seeking, Positive Emotion
• Agreeableness: Trust, Straightforwardness, Altruism, Compliance, Modesty, Tender-mindedness
• Neuroticism: Anxiety, Hostility, Depression, Self-Consciousness, Impulsiveness, Vulnerability to Stress

Source: http://psytreasure.com/the-big-5-theory-of-personality-the-o-c-e-a-n-of-human-behavior/#

Cho, Oltramari (CMU), Cam (NSD/ARL) – accepted to CogSIMA16

Page 12: Personality Traits vs. Phishing Susceptibility

Humans’ trust and risk assessments are subjective in nature, as they depend on personality traits (Loewenstein et al., 2001; Chauvin et al., 2007; Ulleberg et al., 2003; Tupes et al., 1992):

• Openness: lower perceived risk
• Neuroticism: higher perceived risk
• Agreeableness: lower perceived risk; more trust

Cho, Oltramari (CMU), Cam (NSD/ARL) – accepted to CogSIMA16

Page 13: Personality Traits vs. Phishing Susceptibility

[Figure: Trust, Risk, and Accuracy for C vs. N under Low O & C]

• Neuroticism (N) increases perceived risk while decreasing perceived trust
• However, high Conscientiousness (C) can overcome the disadvantage of high N

Cho, Oltramari (CMU), Cam (NSD/ARL) – accepted to CogSIMA16

Page 14: Detection of Malicious Activities: Simulation of Learning and Decisions by a Cyber Analyst

Ben-Asher, N., Oltramari, A., Erbacher, R. F., and Gonzalez, C. (2015). Ontology-based Adaptive Systems of Cyber Defense. The 10th International Conference on Semantic Technology for Intelligence, Defense, and Security (STIDS). Fairfax, VA, USA

Page 15: Cognitive Modeling and Simulation in Cyber Security

Goal:
– Understand the decision making processes of cyber defenders and attackers and predict their decisions

Benefits:
– Improve training of cyber defenders; develop cognitive-driven decision support tools
– Long-term, automate tasks performed by defenders (and attackers?)

Methodology:
– Cognitive models providing a computational framework for capturing core elements of humans’ decision making processes and learning from experience in dynamic environments

Page 16: Modeling Detection of Adversarial Reconnaissance

Understand and model the critical components for port scanning detection.

The defender model includes:
– An Instance-Based Learning model that captures decision making and learning from experience in dynamic environments
– A packet-centric ontology, developed and used to represent the defender’s information representation

[Figure: human holistic cycle vs. modeled decision making process]

Page 17: Simulation Experiment

Two cognitive agents (defenders) with the same cognitive mechanisms, differing only in their situation awareness (i.e., availability of information):
– The Experience Only agent assesses one event at a time
– The Information and Experience agent observes the temporal properties of a sequence of packets by querying the packet-centric ontology

An attacker executes a vertical port scan using nmap in a network with 16 nodes (i.e., unique IP addresses).

The agents’ rewards were based on a payoff matrix (figure).

Page 18: Scan Detection Results

Correct detection of a scanning sequence: the proportion of conversations between two IPs that were correctly classified as scans, i.e., answering the question “Does IP X scan IP Y?”

• Hits – Both the Experience Only and the Information and Experience agents detected the malicious IP (192.168.1.8)
• False Alarms – The Experience Only agent flagged an additional 10% of the IPs as malicious

[Figure: detection results for the Experience Only and the Information and Experience agents]

Page 19: Extracted Decision Rules

What did the agent learn? By looking at the instances in the agent’s memory and their activation, we can deduce the classification rules each model formed.

Experience Only agent:
– Any TCP SYN packet is a scan packet

Information and Experience agent:
– A TCP packet that is part of a sequence of packets in which:
  • The packets come from a source that uses a small number of ports
  • The packets are directed to a large number of destination ports
  • The ratio between SYN packets and other packets is close to 1
  • The common response of the destination to packets coming from this source is a SYN-ACK packet (ratio between SYN-ACK packets and other packets ~ 1)
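The two extracted rules above, applied to a constructed packet capture. This is an added example written for this page, not code from the slides or from the STIDS paper: it re-implements the rules as plain feature tests over (source, destination) conversations rather than as an Instance-Based Learning agent. The thresholds MAX_SOURCE_PORTS, MIN_DEST_PORTS, MIN_SYN_SHARE and MIN_SYNACK_SHARE are assumptions (the slide gives only qualitative rules), the slide's "ratio ... close to 1" is read here as the share of SYN (respectively SYN-ACK) packets among one side's packets, and the capture (a SYN scan from 192.168.1.8, the slides' malicious IP, plus one benign HTTP session from an assumed client 192.168.1.5) is constructed for the example.

```python
"""Port-scan detection rules over a constructed packet capture.

Added example: re-implements, as plain feature tests, the two classification
rules the slides report the cognitive agents learned.  Thresholds and the
sample capture are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Thresholds chosen for this example; the slides give only qualitative rules.
MAX_SOURCE_PORTS = 2      # "source uses a small number of ports"
MIN_DEST_PORTS = 5        # "directed to a large number of destination ports"
MIN_SYN_SHARE = 0.9       # "ratio between SYN packets and other packets ~ 1"
MIN_SYNACK_SHARE = 0.8    # "common response ... is a SYN-ACK packet"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters: S, SA, A, PA, R


def conversation_features(packets):
    """Per (source, destination) pair, compute the features the
    Information-and-Experience agent queried from the packet-centric ontology."""
    by_pair = defaultdict(list)
    for p in packets:
        by_pair[(p.src, p.dst)].append(p)
    by_pair = dict(by_pair)
    feats = {}
    for (src, dst), fwd in by_pair.items():
        rev = by_pair.get((dst, src), [])   # the destination's replies
        feats[(src, dst)] = {
            "n_sports": len({p.sport for p in fwd}),
            "n_dports": len({p.dport for p in fwd}),
            "syn_share": sum(p.flags == "S" for p in fwd) / len(fwd),
            "synack_share": (sum(p.flags == "SA" for p in rev) / len(rev)) if rev else 0.0,
            "has_syn": any(p.flags == "S" for p in fwd),
        }
    return feats


def experience_only_rule(f):
    """Rule the Experience Only agent converged on: any TCP SYN is a scan."""
    return f["has_syn"]


def info_and_experience_rule(f):
    """Rule the Information and Experience agent converged on."""
    return (f["n_sports"] <= MAX_SOURCE_PORTS
            and f["n_dports"] >= MIN_DEST_PORTS
            and f["syn_share"] >= MIN_SYN_SHARE
            and f["synack_share"] >= MIN_SYNACK_SHARE)


def classify(packets):
    """Return {(src, dst): (experience_only_verdict, info_and_experience_verdict)}."""
    return {pair: (experience_only_rule(f), info_and_experience_rule(f))
            for pair, f in conversation_features(packets).items()}


def sample_capture():
    """Constructed capture: a vertical SYN scan from 192.168.1.8 (the slides'
    malicious IP) against an assumed victim 192.168.1.20, plus one benign HTTP
    session from an assumed client 192.168.1.5.  The scanner's kernel RST
    tear-downs are omitted for brevity."""
    scanner, victim, client = "192.168.1.8", "192.168.1.20", "192.168.1.5"
    open_ports = [21, 22, 23, 25, 80, 110, 143, 443, 8080]
    closed_ports = [3306]
    pkts = []
    for port in open_ports + closed_ports:
        pkts.append(Packet(scanner, 40001, victim, port, "S"))
        reply = "SA" if port in open_ports else "R"
        pkts.append(Packet(victim, port, scanner, 40001, reply))
    # Benign client: one SYN, then a normal data exchange on a single port.
    for flags in ["S", "A", "PA", "A", "PA", "A"]:
        pkts.append(Packet(client, 51000, victim, 80, flags))
    for flags in ["SA", "A", "PA", "A", "PA"]:
        pkts.append(Packet(victim, 80, client, 51000, flags))
    return pkts


if __name__ == "__main__":
    for pair, (exp_only, info_exp) in classify(sample_capture()).items():
        print(f"{pair[0]:>13} -> {pair[1]:<13} "
              f"experience-only={exp_only!s:5} info+experience={info_exp}")
```

The benign session is flagged by the Experience Only rule and cleared by the Information and Experience rule, which is exactly the false-alarm gap the results slide reports; the difference comes entirely from the conversation-level features, so checking the thresholds against known-benign traffic is the practical step before relying on a rule of this shape.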

Page 20: Situational Awareness in Tactical Ground Battle: Simulation of Cyber Effects for Training

H. Marshall et al., Cyber Operations Battlefield Web Services (COBWebS); Concept for a Tactical Cyber Warfare Effect Training Prototype, Fall SIW 2015, Orlando, FL, 2015. Best Paper Award

Page 21: Prototype Design

COBWebS = Cyber Operations Battlefield Web Service

COBWebS Definition

cob-web
1 a : the network spread by a spider
  b : tangles of the silken threads of a spiderweb usually covered with accumulated dirt and dust
2 : something that entangles, obscures, or confuses

"Cobweb." Merriam-Webster.com. Merriam-Webster, n.d. Web. 27 May 2014. <http://www.merriam-webster.com/dictionary/cobweb>.

Page 22: Design Overview

The Computer Network Attack Service provides the capability for “Spyders” to get into the COBWebS and attack inbound and outbound data to and from the mission command devices. The types of attack capabilities are:
• Directed Denial of Service
• Information Delay
• Information Forgery
• Information Interception

[Figure: COBWebS architecture. A Simulation Client and a Mission Command Adapter Web Service, each with Config, Tools, Message and Client service endpoints (client side “<SERVICE NAME>c”, server side “<SERVICE NAME>s”, carried over Simple Object Access Protocol (SOAP)), bridge the Simulation Network (DIS, HLA, etc.) and the Tactical Network (JVMF, TADILJ, USMTF, FDL, etc.) to the mission command systems FBCB2, AFATDS, DCGS-A and AMDWS. The CNA service exposes one panel per attack in the “Command Web Test Driver Interface”: Information Interception (location by latitude/longitude and radius in km, drawn from the map; “Launch II Attack”; intercepted information display), Information Forgery (originator and recipient URN codes selected from the map, free-text message, forged location by latitude/longitude and offset; “Launch IF Attack”), Information Delay (originator/recipient URN codes, duration in seconds; “Launch ID Attack”) and Distributed Denial of Service (originator/recipient URN codes; “Launch DDOS Attack”). Note: URNs are fictional.]

Gap criteria checklist:
• Remote mission command of multiple cyber offensive and defensive platforms
• Modeling and execution of offensive and defensive cyber activities providing force multiplier effects
• Virtualization of offensive/threat and defensive networks
• Offensive and defensive cyber tools developed as software services available in secure cloud environments

Page 23: COBWebS Capabilities

• Provides the ability for trainers to incorporate cyber warfare elements into their exercises to meet training objectives
• Trains trainees to recognize the symptoms of cyber attacks, and to:
  • Develop contingencies, based on what has been compromised
  • Develop workarounds
  • Develop alternative Courses of Action (COAs)
• Helps develop cyber doctrine based on detecting, responding to, and recovering from a cyber attack
• Provides an Information Assurance (IA) safe environment without corrupting the network infrastructure
  • Typical in cyber range exercises
  • Can be integrated with cyber test ranges
• Software solution only – no special hardware required

Page 24: Potential Use Case Examples

Turn Opposing Force (OPFOR) observation reports into Blue Force (BLUFOR) position reports, and BLUFOR position reports into OPFOR observation reports:
1. Intercept all entity position reports and observation reports (via II)
2. Deny the original position reports from the sender (via DoS)
3. Use the location information to generate observation reports (via IF)
4. Deny the original observation reports from the sender (via DoS)
5. Use the observed location information to generate position reports (via IF)

Postponement of critical information:
1. Intercept to identify target units (via II)
2. Delay observation reports on the receiving target (via ID)

Page 25: Potential Use Case Examples (cont’d)

Man-in-the-middle attack:
1. Discovery, searching, probing for vulnerabilities (via II)
2. Denial of Service on the sender (via DoS)
3. Send a fake message to the specified receiver on the original sender’s behalf (via IF)

Use IF to send a Nuclear/Biological/Chemical (NBC) report to move to Mission Oriented Protective Posture (MOPP) level 4:
1. Discovery, searching, probing for vulnerabilities (via II)
2. Send a fake NBC report (via IF)

Page 26: Potential Use Case Examples (cont’d)

Using COBWebS’s II, DoS, ID, and IF capabilities to deceive and disrupt BLUFOR’s SA as reflected on their Mission Command (MC) systems.

[Figure: left, ground truth simulated by constructive simulation; right, perceived truth as seen on MC systems as a result of cyber attacks. Callouts: forged BLUFOR locations; observation reports (ObsRpts) sent by BLUFOR were denied and thus not reflected; BLUFOR killed. Note: units and graphics are fictional.]

Page 27: Cyber Expertise

• Development of a Distributed Cyber Operations Modeling and Simulation Framework – won SIWzie Award at 2012 Fall SIW
• Development of a Cyber Warfare Training Prototype for Current Simulations
• Cyber Operations Battlefield Web Services (COBWebS); Concept for a Tactical Cyber Warfare Training Prototype
  The latter two won Outstanding Paper Awards at the 2014 & 2015 Fall SIW

SIW = Simulation Interoperability Workshop

Page 28: Tactical Communication Network: Effects of Cyber Maneuvers, Mission and Environment on the Survival of the Network

Marvel, L. M., Brown, S., Neamtiu, I., Harang, R., Harman, D., & Henz, B. (2015, October). A framework to evaluate cyber agility. In Military Communications Conference, MILCOM 2015 IEEE (pp. 31-36). IEEE.

Page 29: Goal

Develop a framework to help evaluate the cost and utility of cyber agility maneuvers within networks that have constrained resources such as bandwidth and energy (e.g., MANETs).
– Introduce notional measures of health, security and capability and their interrelationship
– Consider mission goals (e.g., maximizing capability while securing a critical path), operating conditions, cost and maneuver selection to construct evaluation metrics

Page 30: Framework Preliminaries

[Figure: node states and notional measures for potential agility maneuvers; one of the node states is “Patched”]

Page 31: Consider the Mission …

Primary Mission Goal: Secure a critical communication path through a network for some time duration to transfer vital information.

Secondary Mission Goal: Secure the entire network in minimal time while maximizing the capability of network nodes and minimizing energy consumption.

While we are securing this critical path/network, we have the option of selecting agility maneuvers that will maximize the capability of nodes on the critical path while minimizing the energy consumption expended to perform the maneuvers in a resource constrained environment.

Page 32: Applying Framework

We consider two operating scenarios:

Scenario 1: In the presence of a known vulnerability for which a patch is present within the network

Scenario 2: In the presence of a detected infection that propagates through the network exploiting a known vulnerability for which a patch exists and is present within the network

Page 33: Scenario 2: Health

There are 505 possible maneuver sequence selections in the set; P(infection) = 0.8 for each communication exchange with the infected node.

[Figure: Best Health Heatmap (Scenario 2: Infection). Comparison of all maneuver sequences, satisfying first the primary and then the secondary mission goals]

Page 34: Scenario 2: Capability

[Figure: Best Capability Heatmap (Scenario 2: Infection). Comparison of all maneuver sequences, satisfying first the primary and then the secondary mission goals and prioritizing capability]

Page 35: Scenario 2: Security

[Figure: Best Security Heatmap (Scenario 2: Infection). Comparison of all maneuver sequences, satisfying first the primary and then the secondary mission goals and prioritizing security]

Page 36: Conclusions/Future Work

An evaluation framework that can provide metric comparisons for future agility maneuvers and operating scenarios.

Simulations can help to calculate costs in a dynamic network environment where terrain, communication links, communication volume, energy constraints and routing protocols can be varied.

Future:
– Consider multiple vulnerabilities and infections of varying severity
– Vary propagation rates
– Competing mission goals
– Add node mobility scenarios
– Replace the notional measures of health, security and capability with quantifiable metrics

Page 37: Simulated Network and Real Applications: Simulation of Stealthy Software Migration and its Detection

http://www.appcomsci.com/research/tools/cybervan

Page 38: CyberVAN Concept: Run Real Applications over a Simulated Network

The network is represented in a Discrete Event Simulator (DES) such as ns-3, OPNET, QualNet, or ns-2.
• Applications run on virtual machines (VMs) in their native environments
• Each VM is mapped to a node in the simulated network
• Applications on VMs communicate with each other over the simulated network

[Figure: CyberVAN testbed. Seven virtual machines, each running applications, attached one-to-one to seven simulated nodes in the simulated network]

Page 39

Why use a simulated network?

Several existing testbeds provide large-scale, real-time, wired network emulation for cyber experimentation, e.g., DETER
– These testbeds make use of wired networks emulating large-scale cyber environments

Drawback: No ability to model wireless networking environments with any level of fidelity

In contrast, a simulated network provides:
– Very high fidelity reproduction of network effects like propagation, interference, loss
– Node mobility
– High fidelity simulation of MAC layer and network layer protocols
– Ability to leverage existing simulation models of wireless networks, e.g., JTN models of JTRS waveforms

The use of a simulated network in a cyber testbed enables high fidelity representation of tactical networks – a critical need for the Army

Page 40

CyberVAN Key Innovations

Transparent Packet Forwarding
– Send network traffic generated by real applications over a simulated network in a manner transparent to the applications
• Currently, simulators like OPNET and QualNet provide custom solutions for this, requiring use of OPNET/QualNet-specific APIs to enable such a capability; the CyberVAN capability is generic and independent of simulator type

TimeSync: Network Scalability
– Developed capability to synchronize time across the simulated network and applications running outside of the simulation to enable very large scale experiments
• Can run experiments slower or faster than real time

Page 41

Problem Statement

Motivation:
– Migrating VMs from one physical machine to another is a frequently performed operation in data centers, for many reasons such as moving target defense, load balancing, hardware upgrades, performance optimization, etc.
– Virtually all attacks on live VM migration over a network require that the attacker be able to detect that a VM migration is in progress

Problem addressed: Secure VM migration against traffic analysis attacks

– High-level approach: Develop several camouflaging techniques to make a VM migration flow indistinguishable from normal traffic, by changing its distinct traffic pattern and statistical characteristics

Page 42

VM migration is typically easily detectable

Traffic analysis can:
– Detect >90% of VM migrations on the network
– Determine migration duration
– Determine migration endpoints
– Calculate migration transmission rate and migrated memory

• Encryption and tunneling do not prevent traffic analysis from detecting VM migrations with high accuracy

Page 43

Solution: Stealthy Migration System

• Shape network traffic using a dynamic hierarchical token bucket
• Introduce chaffing traffic that balances migration and chaffing traffic
• Dynamically vary the migration rate in a pseudo-random way within normal statistical traffic bounds to camouflage migration traffic
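As an added illustration (not code from CyberVAN, ACS or the slide authors), the toy simulation below models the three measures on this slide: a token bucket sets a pseudo-random per-second rate inside an assumed normal band, chaff tops the flow up whenever the migration has less to send, and a simple volume-band detector, standing in for the traffic analysis of slide 42, no longer flags the shaped flow. All rates, the memory size, the dirty-page supply and the detector rule are constructed assumptions.

```python
"""Added illustration (not CyberVAN or ACS code) of the three measures on
slide 43: token-bucket shaping, chaff that tops the flow up, and a
pseudo-random rate kept inside normal traffic bounds.  The link rate, memory
size, dirty-page supply and detector rule are constructed assumptions."""
import random

BG_LOW, BG_HIGH = 40_000_000, 60_000_000   # normal band, 40-60 MB/s (assumed)
MIGRATION_BYTES = 8_000_000_000            # guest memory to copy (assumed)
LINK_RATE = 120_000_000                    # unshaped copy runs at link speed


def raw_migration(total=MIGRATION_BYTES, rate=LINK_RATE):
    """Unshaped live migration: bytes per second, a flat burst at link speed."""
    series, sent = [], 0
    while sent < total:
        chunk = min(rate, total - sent)
        series.append(chunk)
        sent += chunk
    return series


def shaped_migration(total=MIGRATION_BYTES, seed=1):
    """Shaped migration: list of (migration_bytes, chaff_bytes) per second.

    Each tick draws a pseudo-random target rate inside [BG_LOW, BG_HIGH]; that
    is the token-bucket refill, so migration data may spend at most that many
    tokens.  The amount of dirty guest memory ready to send also varies, and
    whenever it falls short of the target, chaff fills the gap so the aggregate
    on the wire is exactly the target every second.
    """
    rng = random.Random(seed)
    series, sent = [], 0
    while sent < total:
        tokens = rng.randint(BG_LOW, BG_HIGH)           # bucket refill
        ready = rng.randint(20_000_000, 100_000_000)    # dirty pages (assumed)
        mig = min(tokens, ready, total - sent)          # real payload sent
        chaff = tokens - mig                            # padding bytes
        series.append((mig, chaff))
        sent += mig
    return series


def observed_volume(shaped):
    """What a passive observer on the link sees: migration plus chaff."""
    return [mig + chaff for mig, chaff in shaped]


def looks_like_migration(per_second, low=BG_LOW, high=BG_HIGH):
    """Toy traffic-analysis rule: flag a flow whose per-second volume leaves
    the normal band.  The sustained out-of-band burst is the signature that
    lets the analysis on slide 42 detect migrations despite encryption."""
    return any(b < low or b > high for b in per_second)


def chaff_overhead(shaped):
    """Fraction of bytes on the wire that were chaff: the price of stealth."""
    mig = sum(m for m, _ in shaped)
    chaff = sum(c for _, c in shaped)
    return chaff / (mig + chaff)


if __name__ == "__main__":
    raw = raw_migration()
    print("raw:    %3d s  flagged=%s" % (len(raw), looks_like_migration(raw)))
    shaped = shaped_migration()
    seen = observed_volume(shaped)
    print("shaped: %3d s  flagged=%s  chaff=%.2f" % (
        len(shaped), looks_like_migration(seen), chaff_overhead(shaped)))
```

The shaped run takes longer and pays for chaff bytes; that trade between migration time, overhead and detectability is what the CyberVAN experiments on the following slides measure.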

Page 44

Experimentation Approach

Use CyberVAN scenario to run high fidelity experiments:
– Run baseline scenario without evasive maneuvers
– Run scenario with evasive maneuver and traffic conditioning
– Experiment with libvirt-based migration and native migration
– Experiment with different network speeds & latencies, different background traffic
– Collect and analyze data at attacker and migration destination
– Determine whether attacker can detect VM migration

Use of TimeSync:
– Needed to simulate large volumes of traffic with very high fidelity, resulting in DES running slower than real time

RESULTS: Stealth System makes VM migration undetectable

Page 45

Enterprise-Wide Model: Effect of Cyber Attacks on Enterprise Control

S. Noel, J. Ludwig, P. Jain, D. Johnson, R. Thomas, J. McFarland, B. King, S. Webster and B. Tello, "Analyzing Mission Impacts of Cyber Actions," in Proceedings of the NATO IST-128 Workshop on Cyber Attack Detection, Forensics and Attribution for Assessment of Mission Impact, Istanbul, 2015.

Page 46

Example 1: Model-Driven Mission Impact Assessment

Analyzing Mission Impacts of Cyber Actions (AMICA)
Mission is Joint Targeting Process
MITRE, MIT-LL, IDA, CMU SEI

Questions it can answer:
• How long an attack can the mission withstand without impact?
• How long does it take the mission to recover from an attack?
• What is more damaging to the mission: loss of reach-back availability or degradation of Air & Space Operations Center (AOC) system assets?
• How many targets can be impacted by confidentiality/integrity attacks before the mission is impacted?

Page 47

AMICA Connects Kinetic Mission to Cyber Actions

[Figure: Inputs (Cyber Scenario, Attacker Cap's, Defender Cap's, Mission Scenario) feed the model; Outputs are Mission Metrics, Event Logs and Visualization.]

Adapted by permission from the paper by S. Noel et al., "Analyzing Mission Impacts of Cyber Actions," presented at the NATO IST-128 Workshop on Assessment of Mission Impact, Istanbul, Turkey, June 15-17 2015

Page 48

Extensible M&S Libraries to Quickly Create the Needed Analysis Environment

Developing parameterized libraries of models

Each piece of AMICA is designed to be modular and extensible to support future mission areas, cyber dependencies, attack patterns, defenses

Well defined interfaces

[Figure: four model libraries with well defined interfaces: Library of Mission Models (Targeting, BMD, etc); Library of Infrastructure Models (covering multiple missions); Library of Attacker Models (attack graphs); Library of Defender Models (workflows).]

Page 49

Mission Model

Process model capturing workflow, timing, and resources for the DoD kinetic targeting process (from CJCSI 3370.01)

Originally developed for EUCOM as part of Austere Challenge 10 & selected due to pedigree and maturity
– 200+ steps with timing & resources (dependent on target complexity)
– Covers targeting process from basic targeting development through MAAP/ATO & BDA

Modified for AMICA by breaking into modules and connecting to CyCS nodes

Page 50

Attacker Model

Modeled as process simulation that captures the steps the attacker follows
– Assumes attacker has some knowledge of mission and access on secure network
– Responsive to defense actions
– Adjust sophistication through probability of success/detection on attack steps

Conceptually follows ‘Cyber:14’ threat models
– Cyber:14 study (ARCYBER, defense of Dept. of Defense Information Network (DODIN))
– Contains 1000s of nodes (mainly system-steps) of integrated attacker and defender/sensor actions for server-, host-, and email-based attacks

Initial Foothold
- Initial access via spear phishing campaign
- Includes time for research to find targets

Lateral Movement
- Scan network for goal node (e.g. database) reachability
- Infect laterally until target node is reachable

Achieve Goal
- Realize an effect on confidentiality, integrity, or availability on goal node
- Maintain presence and re-infect as necessary

[Flowchart: attacker process model. Timed steps: Get Spear Phishing Targets, Between(1,3)d; Infect Target, Between(30,90)m; Perform Network Scan, Between(15,45)m; Choose & Infect Target, Between(30,90)m; Compromise Goal Node, Between(30,90)m; Perform Attack, 0m (ConfidentialityAttack, IntegrityAttack or AvailabilityAttack, each followed by Create Alert); Affect Mission, 0m; Wait for desired time to affect Mission, Gate By Time: 2 Hours; Periodically check for detection, Gate By Time: 30 Minutes; Gate By Time: AttackTime Hours. Decision points: Targets Available?, Target Infected?, Goal Node Reachable?, Goal Node Compromised?, Attack Type?, Attack Successful?, Mission Still affected?, Goal Node Still Compromised?. Model calls: getTargets(), getNextTarget(), launchAttack(), isInfected(), isReachable(), CyCS-createTicket(), CyCS() - check status.]

Page 51

Defender Model

Process simulation of reactive defender (not proactive) actions

Multi-tiered incident response model
– Defender can impact mission (by alerts, taking down machines)
– Includes defender resource/personnel constraints

Conceptually follows ‘Cyber:14’ defense models

Triage
- Defender response triggered by IT alert
- IT alerts prioritized by expected impact

Reboot, Restore, Rebuild
- Mitigation based on alert type (crash, infection, corruption)
- More aggressive responses may impose greater mission impact

Forensics
- For more serious threats
- Trace attack to source, build signatures
- Submit new alerts for all compromised machines

[Flowchart: defender process model. Timed steps: Take offline, 5m; Wipe and Restore, Between(1,3)h; Put online, 5m; Restore Functionality, Between(1,3)h; Trace Attack Source, Between(1,3)h; Get Signature, Between(2,6)h; Find other infections, Between(3,9)h; Issue New Alert(s), 0m; Release Resource; Wait to Issue Alert / Issue Alert; Start Defender; Create Alert; Get Next Alert. Decision points: Alert Type? (WipeAlert, ConfidentialityAlert, IntegrityAlert, AvailabilityAlert, InfectedAlert, ForensicAlert, None / no alert present), Malicious Activity Discovered?, Targets Available?. Model calls: getNextAlert(), getWait(), submitAlert(), malwareDetected(), takeHostOffline(), wipeHost(), restoreHost(), putHostOnline(), getInfectionSource(), getAllInfected(), CyCS-createTicket(), CyCS-deleteTicket().]
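An added illustration (not AMICA code) of the defender process model on this slide, assuming a mapping from alert type to response workflow, impact scores and a three-alert scenario that are all constructed: alerts are worked highest expected impact first by a limited pool of responders, step durations use the slide's Between(lo,hi) values, and the forensics path issues new wipe alerts for every host it finds compromised. The run shows how defender staffing changes attack-caused versus defender-caused downtime, which is the mission-impact question AMICA asks.

```python
"""Added illustration (not AMICA code) of the slide 51 defender model: a
reactive, multi-tiered incident-response process with limited responders,
alerts worked highest expected impact first, and a forensics path that issues
new alerts for every machine it finds compromised.  Step timings are the
slide's Between(lo,hi) values in minutes; the alert-to-workflow mapping,
impact scores and sample alerts are constructed assumptions."""
import heapq
import random
from collections import namedtuple

Alert = namedtuple("Alert", "kind host impact arrival")

# Response workflows: (step, (min, max) minutes) taken from the flowchart.
WORKFLOWS = {
    "WipeAlert": [("Take offline", (5, 5)), ("Wipe and Restore", (60, 180)),
                  ("Put online", (5, 5))],
    "AvailabilityAlert": [("Restore Functionality", (60, 180))],
    "ForensicAlert": [("Trace Attack Source", (60, 180)),
                      ("Get Signature", (120, 360)),
                      ("Find other infections", (180, 540)),
                      ("Issue New Alerts", (0, 0))],
}

# Constructed scenario: three IT alerts at t=0, plus the hosts that forensics
# on srv-db will uncover (the slide's getAllInfected()).
SAMPLE_ALERTS = [Alert("ForensicAlert", "srv-db", 9, 0),
                 Alert("WipeAlert", "ws-04", 5, 0),
                 Alert("AvailabilityAlert", "srv-web", 3, 0)]
HIDDEN_INFECTIONS = {"srv-db": ["ws-17", "ws-22"]}


def simulate(alerts, responders=2, seed=1, hidden=HIDDEN_INFECTIONS):
    """Discrete-event run of the defender process.

    Returns attack-caused downtime (an availability loss counts from the alert
    until restore completes, queue wait included), defender-caused downtime
    (time hosts were offline because the defender wiped them), the number of
    wipes performed, the finish time and the event log."""
    rng = random.Random(seed)
    pending, running, log = [], [], []   # heaps keyed by -impact / by time
    seq = 0
    for a in alerts:
        heapq.heappush(pending, (-a.impact, seq, a))
        seq += 1
    free, now = responders, 0
    attack_down = defender_down = wipes = 0

    def dispatch():
        nonlocal free, seq
        while free and pending:          # triage: highest expected impact first
            _, _, a = heapq.heappop(pending)
            free -= 1
            dur = sum(rng.randint(lo, hi) for _, (lo, hi) in WORKFLOWS[a.kind])
            heapq.heappush(running, (now + dur, seq, now, a))
            seq += 1
            log.append((now, "start", a.kind, a.host))

    dispatch()
    while running:
        now, _, started, a = heapq.heappop(running)
        free += 1                        # release resource
        log.append((now, "done", a.kind, a.host))
        if a.kind == "AvailabilityAlert":
            attack_down += now - a.arrival
        elif a.kind == "WipeAlert":
            defender_down += now - started
            wipes += 1
        elif a.kind == "ForensicAlert":  # submit new alerts for all infected
            for h in hidden.get(a.host, []):
                heapq.heappush(pending, (-5, seq, Alert("WipeAlert", h, 5, now)))
                seq += 1
        dispatch()
    return {"attack_downtime": attack_down, "defender_downtime": defender_down,
            "wipes": wipes, "finished_at": now, "log": log}


if __name__ == "__main__":
    for n in (1, 3):
        r = simulate(SAMPLE_ALERTS, responders=n)
        print("responders=%d attack_downtime=%dm defender_downtime=%dm wipes=%d"
              % (n, r["attack_downtime"], r["defender_downtime"], r["wipes"]))
```

With one responder the availability outage waits behind the forensics and wipe work, so the attack's mission impact grows with the defender's own queue; with three it is bounded by the restore step alone.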

Page 52

Enterprise-level Simulation of Cyber-physical Impacts: Automated Learning of Enterprise Model

M. Lange, R. Moeller, G. Lang and F. Kuhr, "Event Prioritization and Correlation based on Pattern Mining Techniques," in 14th International Conference on Machine Learning and Applications, Miami, 2015.

Page 53

PANOPTESEC

PANOPTESEC project -- the Seventh Framework Programme for Research (FP7) of the European Commission, 2013-2016

PANOPTESEC integrates and normalizes heterogeneous events, correlates them with the infrastructure, evaluates their operational impact, and calculates the risk an event poses to the monitored infrastructure

PANOPTESEC consortium set up a testbed - an authentic replication of an Italian water and energy distribution company’s corporate enterprise systems and supervisory control and data acquisition (SCADA) system


Page 55

The Challenge of Manual Model Construction

Manual modeling of dependencies – capturing the network's intended workflow and links to physical assets – is prohibitively expensive in complex enterprises

We focus on development of an automated approach:
• Use network traffic;
• Automatically learn network dependencies;
• Deduce higher-level information about a network's mission based on network services and applications

Page 56

An example of a high-level view of an automatically derived mission model. Swim lanes represent sub-networks, network devices are represented by tasks, and a human silhouette marks client network devices.
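An added illustration (not PANOPTESEC or the authors' code) of the automated approach on the previous slide and the view described here: from constructed flow records it mines frequent services, turns each distinct client of a service into a dependency edge, groups hosts into swim lanes by an assumed subnet list, marks client-only devices, and assigns each host a dependency tier (an assumed rule) as a first cut at how far the loss of that host would cascade.

```python
"""Added illustration (not PANOPTESEC code) of slide 55's approach and the
slide 56 view: learn service dependencies from traffic alone, then lay hosts
out in swim lanes per subnet with client-only devices marked.  The flows,
subnets, support threshold and tier rule are constructed assumptions."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records, one "src dst dport" per line.
FLOWS = """
10.1.0.11 10.2.0.5 443
10.1.0.12 10.2.0.5 443
10.1.0.13 10.2.0.5 443
10.1.0.11 10.2.0.5 443
10.2.0.5 10.3.0.9 5432
10.2.0.5 10.3.0.9 5432
10.2.0.5 10.3.0.9 5432
10.1.0.12 10.3.0.20 445
10.1.0.13 10.3.0.20 445
10.1.0.11 10.3.0.20 445
10.3.0.9 10.3.0.21 389
10.3.0.9 10.3.0.21 389
10.1.0.13 198.51.100.7 80
"""
SUBNETS = [ip_network(n) for n in ("10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24")]
MIN_SUPPORT = 2   # flows a (host, port) needs before it counts as a service


def parse_flows(text):
    """Turn the records into (src, dst, port) tuples."""
    return [(s, d, int(p)) for s, d, p in
            (line.split() for line in text.strip().splitlines())]


def learn_dependencies(flows, min_support=MIN_SUPPORT):
    """Frequent-service mining: a (host, port) seen min_support times is a
    service; each distinct client of it is a dependency edge.  One-off
    contacts (here the single flow to 198.51.100.7) are dropped as noise."""
    support = Counter((dst, port) for _, dst, port in flows)
    services = {svc for svc, n in support.items() if n >= min_support}
    edges = defaultdict(set)
    for src, dst, port in flows:
        if (dst, port) in services:
            edges[src].add((dst, port))
    return {"services": services, "edges": dict(edges)}


def lane_of(host, subnets=SUBNETS):
    """Swim lane = the subnet the host belongs to."""
    addr = ip_address(host)
    return next((str(n) for n in subnets if addr in n), "external")


def mission_model(deps):
    """Derive lanes, client-only hosts and a tier per host (0 = client,
    1 = service used by clients, 2 = service used by tier-1 services, ...),
    so the deepest tier is the one whose loss cascades furthest."""
    edges, services = deps["edges"], deps["services"]
    service_hosts = {h for h, _ in services}
    hosts = set(edges) | service_hosts
    clients = hosts - service_hosts        # the "human silhouette" devices
    clients_of = defaultdict(set)          # service host -> hosts that use it
    for src, svcs in edges.items():
        for dst, _ in svcs:
            clients_of[dst].add(src)
    tier = {}

    def depth(h, seen=()):
        if h in tier:
            return tier[h]
        if h in clients or h in seen:      # cycle guard keeps recursion finite
            return 0
        tier[h] = 1 + max((depth(c, seen + (h,)) for c in clients_of[h]),
                          default=0)
        return tier[h]

    for h in hosts:
        tier[h] = depth(h)
    lanes = defaultdict(list)
    for h in sorted(hosts, key=ip_address):
        lanes[lane_of(h)].append(h)
    return {"hosts": hosts, "clients": clients, "services": services,
            "tier": tier, "lanes": dict(lanes)}
```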

Page 57

Advantage in Large-Scale Cyber Warfare as a Function of Strategy and Network Properties

J.H. Cho and J. Gao, “Cyber War Game in Temporal Networks,” accepted to PLOS ONE, 2016

Page 58

Cyber War Strategies in Temporal Networks

Current State-of-the-Art
• Cyber war strategies often require resource-efficient solutions under highly distributed, resource-constrained networks
• Little prior work investigates heuristic cyber strategies studying the impact of network characteristics on performance

Goal: Identify near-optimal strategies by attackers or defenders to minimize resource consumption and maximize a win probability; the problem is formulated as:

Node i’s resource level is defined as:

where resource consumption by taking an action is:

Cho (ARL), Gao (NEU, NS CTA) – accepted to PLOS ONE Journal

Page 59

Optimality Analysis of Cyber Strategies

BFA: Brute-Force Attack with solution search in O(N·2^N)
RF-A: Resource First – Attack with solution search in O(N^2)
IF-A: Influence First – Attack with solution search in O(N^3)

Influence is measured based on k-hop reachability as:

Heuristic cyber strategies perform close to optimal solution(s) with significantly less complexity; under a sparse network, the influence-first-attack strategy outperforms its resource-first counterpart.

Cho (ARL), Gao (NEU, NS CTA) – accepted to PLOS ONE Journal

Page 60

Performance Analysis: Win Probability & Resource Consumption

Current State-of-the-Art
• Little existing work considers network temporality and density that may affect optimal cyber war strategies by attackers or defenders

Network temporality affects the performance of cyber strategies differently under different network density; overall, influence-first is preferred in terms of winning and resource consumption

Network density reduces win probability in a highly temporal network

Influence-first attack incurs less resource consumption in a dense network; there exists a critical node degree maximizing resource consumption

Cho (ARL), Gao (NEU, NS CTA) – accepted to PLOS ONE Journal

Page 61

Performance Analysis: System Vulnerability

• Less system failure occurs under a sparse network
• High temporality introduces high system vulnerability or system failure at an earlier time than under low temporality

System vulnerability is highly sensitive to network temporality and density.

Cho (ARL), Gao (NEU, NS CTA) – accepted to PLOS ONE Journal

Page 62

Other examples

Simulation of collateral damage by malware in large populations

Agent-based simulation of various refresh policies in mobile networks

Simulation of probability of cyber compromise in face of complex network structure and defensive mechanisms

Page 63

Tentative Taxonomy of Common Cyber-related Models

• Emulation (often with simulation) of networks: actual hardware, software, humans, e.g., cyber ranges.
• Training-focused simulations: presenting to human trainees the effects of a cyber attack, without modeling the underlying process.
• M&S of human cognitive processing of cyber events and situations: perception, recognition, situation awareness, decision making.
• M&S of attack progress and malware propagation
  • Attack-graph-based approaches
  • Epidemiology analogy, e.g., Susceptible, Infected, Recovered (SIR)
• Abstract wargaming: game-theoretic model of cyber conflict, without modeling the underlying processes of cyber attack and defense.
• Business process models: defense, offense and business processes, along with business IT architecture, simulated for observing resulting effects.
• Statistical models of cyber events: cyber processes are represented as, e.g., equations of Poisson processes, and coefficients are learned from a training dataset.
• Two classes of models used to support cyber modeling, but which do not model cyber aspects:
  • physical systems models to support modeling of cyber-physical effects;
  • and network simulation models.

Page 64

A few more references

Kott, Alexander. "Towards fundamental science of cyber security." Network Science and Cybersecurity. Springer New York, 2014. 1-13. arXiv:1512.00407

Kott, Alexander, Nikolai Stoianov, Nazife Baykal, Alfred Moller, Reginald Sawilla, Pram Jain, Mona Lange, and Cristian Vidu. "Assessing Mission Impact of Cyberattacks: Report of the NATO IST-128 Workshop." arXiv preprint arXiv:1601.00912 (2016).