Honeywell Laboratories, 1/27/05 PI Meeting. David Musliner, Christopher Geib, Mike Pelican. CORTEX: Mission-Aware Closed-Loop Cyber Assessment and Response
TRANSCRIPT
![Page 1: 0 Honeywell Laboratories 1/27/05 PI Meeting David Musliner Christopher Geib Mike Pelican C ORTEX : Mission-Aware Closed-Loop Cyber Assessment and Response](https://reader035.vdocuments.us/reader035/viewer/2022070408/56649e715503460f94b6edfa/html5/thumbnails/1.jpg)
1
Honeywell Laboratories
1/27/05 PI Meeting
David Musliner, Christopher Geib, Mike Pelican
CORTEX:
Mission-Aware Closed-Loop Cyber Assessment and Response
2
Outline
• Project overview.
• Thin-slice initial demo.
• Proactive response planning.
• Planner evaluation tools.
• Quadchart.
3
Project Overview
• Technical Objectives – Automated defense systems that:
– Model and understand their changing mission needs.
– Automatically develop defensive plans to recognize and stop attacks.
– Automatically regenerate and rebuild system infrastructure.
– Learn to prevent attacks.
– Resulting in a highly reliable self-regenerative system.
• Existing Practice – Very limited condition-action rules within some IDS systems.
– Not mission aware, not self-aware.
– No lookahead, no proactive resource testing.
– No dynamic replanning or performance tradeoffs.
4
Project Overview
• Technical Approach – Integrate, extend & improve:
– Scyllarus’ state of the art intrusion detection/correlation technology.
– CIRCADIA’s automated planning and controller synthesis.
– Learning methods to:
- Refine models of attacks.
- Improve recognition of new attacks.
• Truly New –
– Mission-aware, context-sensitive response and self-regeneration.
– Planned preemptive self-testing to detect faults in mission-critical assets before they are required.
– Focused learning to improve the system’s performance on its specific mission.
5
The CORTEX Vision
Figure: the closed-loop architecture. Sensor inputs feed the Dynamic Evidence Aggregator, which, together with Learning and the System Reference Model (mission, behaviors, faults, threats), produces the Likely Security Situation. The Mission Aware Meta Planner poses a mission/phase specific planning problem to the Controller Synthesis Module, which returns a custom reactive plan (proactive protection, reactive defense, and healing) to the Active Security Controller (Executive). The Executive issues system, security, and mission application actions and reports unexpected states and unhandled contingencies back for replanning.
6
Overview (cont’d)
• Major Risks and Mitigations –
– Planning domain complexity:
- System demonstrations on limited-scope domain.
- Scalable synthetic evaluation domains for planning.
- Alternative planning approaches.
– Learning:
- Focused learning techniques for knowledge-rich parts of the problem (e.g., learning size limits on buffer overflow vulnerability).
– Aggressive schedule:
- Thin-slice first demonstration emphasizing infrastructure.
- Cyclic development plan focusing on incremental improvement in each sub-area.
7
Overview (cont’d)
• Quantitative Metrics –
– Measures of attack learning and detection rates.
– Respond to 100% of detected attacks.
• Expected Major Achievements –
– High confidence intrusion assessment and diagnosis.
– Pre-planned responses to contain/recover from faults and attacks.
– Automatic tradeoffs of security vs. service level & accessibility.
– Learning to recognize and defeat novel attacks.
8
Overview
• Task Schedule:
– Develop thin-slice demonstration (first version complete).
– Extend scenario (in progress).
– Develop learning capability & experiments (in progress).
– Model mission phases (in progress).
– Proactive response planning (in progress).
• Milestones (timeline ticks: JUL 04, DEC 04, APR 05, DEC 05):
– Demos: Thin slice demo, Learning Demo, Mission Aware Demo.
9
Thin Slice Demo:
Self-Regenerative MySQL
10
Demo Objectives
• Implement “taste-tester” architecture to form a redundant, high-reliability MySQL server system.
• Illustrate detection and self-regenerative response to successful attack.
• Illustrate (simple) learning to improve immunity.
• Provide basis for future demonstrations of multi-phase mission-awareness and learning.
11
Demo Scenario
• N (8) MySQL servers are available as redundant, replicable assets.
• Queries arrive and are processed by the designated “Lead Taster”.
• If the Lead Taster has no problem with the query, it is replicated to each of the servers.
• If the Lead Taster fails:
– Bad query is not sent to other servers.
– A backup server becomes Lead Taster.
– Bad query is sent to learning module for generalization.
– Dead server is restarted.
• Future occurrences of the same or similar exploits are ineffective.
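The scenario above, as an added example that is not Honeywell's CORTEX or CIRCADIA code. The MySQL servers are replaced by an in-process `FakeTaster` that "dies" on any statement whose longest quoted literal is at least `CRASH_LEN` bytes (a constructed stand-in for the buffer-overflow class of bug in the vulnerability survey; the defender does not know the threshold in advance). Detection is by observing the crash directly rather than through Snort and the HB_sync heartbeat, and the learner is the size-limit idea from the risk slide: remember the shortest literal that killed a taster and refuse anything at least that long. The query stream is constructed for the example.

```python
"""Taste-tester replication with fail-over and a learned size-limit rule."""
import re

CRASH_LEN = 256  # constructed fault threshold, unknown to the defender

_LITERAL_RE = re.compile(r"'((?:[^'\\]|\\.)*)'")


def longest_literal(query: str) -> int:
    """Byte length of the longest single-quoted literal in the statement."""
    return max((len(m.group(1).encode()) for m in _LITERAL_RE.finditer(query)),
               default=0)


class FakeTaster:
    """Stand-in for one MySQL server (assumption: not real MySQL behaviour)."""
    def __init__(self, name: str):
        self.name = name
        self.alive = True
        self.applied = []  # statements this replica has executed

    def execute(self, query: str) -> bool:
        """Returns False and 'dies' if the statement triggers the fault."""
        if longest_literal(query) >= CRASH_LEN:
            self.alive = False
            return False
        self.applied.append(query)
        return True

    def restart(self):
        self.alive = True


class SizeLimitLearner:
    """Generalizes a single bad query into a literal-length rule."""
    def __init__(self):
        self.limit = None  # None = no rule learned yet

    def learn(self, bad_query: str):
        n = longest_literal(bad_query)
        self.limit = n if self.limit is None else min(self.limit, n)

    def blocks(self, query: str) -> bool:
        return self.limit is not None and longest_literal(query) >= self.limit


class Replicator:
    """The Lead Taster executes first; only statements it survives are replicated."""
    def __init__(self, n_tasters: int = 8):
        self.tasters = [FakeTaster(f"taster{i}") for i in range(n_tasters)]
        self.lead = 0
        self.learner = SizeLimitLearner()
        self.quarantine = []  # bad queries kept for the learner
        self.restarts = 0

    def handle(self, query: str) -> str:
        if self.learner.blocks(query):
            return "blocked"
        lead = self.tasters[self.lead]
        if lead.execute(query):
            for t in self.tasters:
                if t is not lead and t.alive:
                    t.execute(query)
            return "replicated"
        # The lead died on this query: it is never sent to the other servers.
        self.quarantine.append(query)
        self.learner.learn(query)
        dead = self.lead
        self.lead = next(i for i, t in enumerate(self.tasters) if t.alive)
        self.tasters[dead].restart()
        self.restarts += 1
        return "failed-over"


# Constructed query stream: a benign insert, an oversized literal (twice),
# a shorter but still lethal variant, then another benign insert.
DEMO_QUERIES = [
    "INSERT INTO t (name) VALUES ('ok')",
    "SELECT * FROM t WHERE name='" + "A" * 300 + "'",
    "SELECT * FROM t WHERE name='" + "A" * 300 + "'",
    "SELECT * FROM t WHERE name='" + "B" * 260 + "'",
    "INSERT INTO t (name) VALUES ('fine')",
]


def run_demo(n_tasters: int = 3):
    """Feed the constructed stream through a replicator; returns (outcomes, replicator)."""
    rep = Replicator(n_tasters)
    outcomes = [rep.handle(q) for q in DEMO_QUERIES]
    return outcomes, rep


if __name__ == "__main__":
    outcomes, rep = run_demo()
    for q, o in zip(DEMO_QUERIES, outcomes):
        print(f"{o:12s} {q[:40]}")
    print("learned literal limit:", rep.learner.limit)
```

The second replay of the 300-byte query is blocked outright; the 260-byte variant still gets through, kills the new lead, and tightens the learned limit, so the replicas never see either bad statement and all servers are back up at the end.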
12
Demo Development Process
• Design architecture for integrating sensor data aggregation, reaction planning, plan execution, and learning.
• Design reduced-scope architecture for Demo 1.
• Survey MySQL vulnerabilities to identify suitable host versions and exploits.
• Build infrastructure and simple visualization machinery.
• Execute demonstration with hand-generated plan.
• Build planning input model of domain.
• Evaluate planner performance on domain model.
13
Demo System Architecture
14
Demo 1 Architecture
Figure: data flow of the thin-slice demo. Components: SQL Query; Verter (push cache, RTS executive); Lead Taster; Tasters; Replicator; Snort with its rules file, alerts, and XML output; Alert Distributor; Learning.
Logic shown on the figure:
• Snort inspects each query and the HB_sync heartbeat carries good/bad plus the query: if (alert) Q = Qb else Q = Qg.
• The Lead Taster executes the good query and the RTS asks: are we dead after this “good” query?
• if (hb_sync_good) { replicate to all tasters }
• if (hb_sync_bad) { send bad query to learning; switch to next taster }
• Learning writes new Snort rules via the CIRCADIA protocol: append new rule, then after the rule update kill -HUP Snort.
• The RTS tails the Snort alerts and XML output for high events.
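The "write new Snort rules, then kill -HUP" step on the figure, as an added example that is not CIRCADIA's rule writer. It assumes MySQL wire framing (a 4-byte packet header of 3-byte length and 1-byte sequence number, then the command byte 0x03 = COM_QUERY and the statement text at the start of the TCP payload); the Snort keywords used (`content` with `|hex|`, `offset`/`depth`/`distance`, `pcre`, `flow`, `sid`/`rev`) are standard, while the SID range, rules path and message text are made up for the example. Beyond the exact replay, it also emits a generalized rule for the same statement prefix followed by a literal at least as long as the one that crashed the server.

```python
"""Emit tailored Snort rules from a quarantined MySQL query and reload Snort."""
import os
import re
import signal
from pathlib import Path
from typing import Optional

COM_QUERY = 0x03
LEARNED_SID_BASE = 1_000_000   # assumption: local SIDs reserved for learned rules
_LITERAL_RE = re.compile(r"'((?:[^'\\]|\\.)*)'")


def snort_hex(data: bytes) -> str:
    """Bytes as a Snort hex content block: b'SEL' -> '|53 45 4c|'."""
    return "|" + " ".join(f"{b:02x}" for b in data) + "|"


def pcre_bytes(data: bytes) -> str:
    """Escape every non-alphanumeric byte as \\xHH so no PCRE or Snort
    metacharacter (quote, semicolon, backslash, ...) needs special casing."""
    return "".join(chr(b) if chr(b).isalnum() else f"\\x{b:02x}" for b in data)


def exact_query_rule(bad_query: str, sid: int) -> str:
    """Match the very statement that killed the lead taster."""
    return (
        'alert tcp any any -> $HOME_NET 3306 ('
        'msg:"CORTEX learned: exact bad MySQL query"; '
        'flow:to_server,established; '
        f'content:"{snort_hex(bytes([COM_QUERY]))}"; offset:4; depth:1; '
        f'content:"{snort_hex(bad_query.encode())}"; distance:0; '
        f'sid:{sid}; rev:1;)'
    )


def overflow_literal(bad_query: str):
    """(prefix up to and including the opening quote, literal length in bytes)
    for the longest quoted literal, assumed to be the one that overflowed."""
    best = max(_LITERAL_RE.finditer(bad_query),
               key=lambda m: len(m.group(1)), default=None)
    if best is None:
        return None
    return bad_query[: best.start(1)], len(best.group(1).encode())


def generalized_rule(bad_query: str, sid: int) -> Optional[str]:
    """Same statement prefix followed by an unclosed literal at least as long as
    the crashing one, so 'similar' exploits are caught, not just replays."""
    split = overflow_literal(bad_query)
    if split is None:
        return None
    prefix, n = split
    # ^.{4} skips the packet header, \x03 is COM_QUERY, s = dot matches anything
    pattern = f"/^.{{4}}\\x03{pcre_bytes(prefix.encode())}[^\\x27]{{{n},}}/s"
    return (
        'alert tcp any any -> $HOME_NET 3306 ('
        'msg:"CORTEX learned: oversized literal in MySQL query"; '
        'flow:to_server,established; '
        f'pcre:"{pattern}"; '
        f'sid:{sid}; rev:1;)'
    )


def learned_rules(bad_query: str, sid: int = LEARNED_SID_BASE):
    rules = [exact_query_rule(bad_query, sid)]
    gen = generalized_rule(bad_query, sid + 1)
    if gen:
        rules.append(gen)
    return rules


def install_rules(rules, rules_path: Path, snort_pid: Optional[int] = None):
    """Append the rules, then HUP Snort so it re-reads its configuration (POSIX)."""
    with open(rules_path, "a") as f:
        for r in rules:
            f.write(r + "\n")
    if snort_pid is not None:
        os.kill(snort_pid, signal.SIGHUP)


if __name__ == "__main__":
    for r in learned_rules("SELECT * FROM t WHERE name='" + "A" * 300 + "'"):
        print(r[:120], "...")
```

Both rules only fire when the statement starts a TCP segment; a query split across segments or preceded by another packet in the same segment needs stream reassembly or a less anchored match, which is the usual caveat for signature rules derived from one captured exploit.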
15
Survey of MySQL Vulnerabilities
BUGTRAQ vulnerabilities for MySQL. Version columns give the affected patch levels within each minor series (? = unknown or untested, all = entire series, - = not applicable).

| Vulnerability | BID | Rem/Loc | 3.20 | 3.21 | 3.22 | 3.23 | 4.0 | 4.1 | 5.0 | Impact | Exploit | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| global password changing | 926 | R/L | ? | ? | 27-29 | 8 | ? | ? | ? | Access | Y | |
| unauth remote access vuln | 975 | R | ? | ? | 26-30 | 8-10 | ? | ? | ? | Access | F | |
| weak authentication algorithm | 1826 | R | all | all | all | all? | ? | ? | ? | Access | F | |
| SELECT local buffer overflow | 2262 | L | ? | ? | 26-32 | 8-31 | ? | ? | ? | Exec | Y | |
| show grants password disclosure | 2380 | L | ? | ? | ? | 3-30 | ? | ? | ? | Access | F | |
| root op symbolic link overwriting | 2522 | L | 32 | ? | ? | 34 | ? | ? | ? | Access | Y | |
| null root password | 5503 | R | 32 | ? | 26-32 | 2-52 | ? | ? | ? | Access | Y | w |
| datadir parameter bov | 5853 | L | ? | ? | ? | 49 | 0-1 | ? | ? | DoS/Exec | F/N | w |
| COM_TABLE_DUMP corrupt | 6368 | R | ? | ? | 26-32 | 2-53 | 0-5 | ? | ? | DoS | F | |
| client read_rows bov | 6370 | R | 32 | ? | 26-32 | 2-53 | 0-5 | ? | ? | DoS/Exec | F/N | c |
| COM_CHANGE_USER passwd | 6373 | R | ? | ? | 26-32 | 3-53 | 0-5 | ? | ? | Access | Y | |
| client read_one_row bov | 6374 | R | 32a | ? | 26-32 | <54 | 0-5 | ? | ? | DoS | F | c |
| COM_CHANGE_USER corrupt | 6375 | R | ? | ? | 26-32 | <54 | 0-5 | ? | ? | DoS/Exec | F/N | |
| double free heap corruption | 6718 | R | ? | ? | ? | <55 | ? | ? | ? | DoS | F | |
| root privilege escalation vuln | 7052 | R | ? | ? | ? | 36-55 | ? | ? | ? | Access | Y | |
| weak password encryption | 7500 | L | all | all | all | all | 0-11 | 0 | ? | Access | Y | |
| client mysql_real_connect bov | 7887 | R/L | ? | ? | ? | all | 0-13 | ? | ? | DoS/Exec | Y/N | c |
| odbc driver plain text password | 8245 | L | - | - | - | - | - | - | - | Access | Y | w |
| password handler bov | 8590 | R | ? | ? | ? | all | <15 | 0 | ? | Access | Y | |
| multiple vulnerabilities | 8796 | - | ? | ? | ? | <54 | ? | ? | ? | DoS/Exec | Y | |
| aborted bug report tmp file | 9976 | L | 32 | ? | 26-32 | 2-58 | 0-18 | 0 | ? | DoS | Y | |
| mysql_multi insecure tmp file | 10142 | L | 32 | ? | 26-32 | 2-58 | 0-18 | 0 | ? | DoS | F | |
| authentication bypass vuln | 10654 | R | ? | ? | ? | ? | ? | <3 | 0 | Access | Y | |
| password length remote bov | 10655 | R | ? | ? | ? | ? | ? | 0, 2, 3 | 0 | DoS/Exec | F/N | |
| mysql_real_connect bov | 10981 | R | all | all | 26-32 | all | <19 | 0-3 | 0 | DoS/Exec | F/N | |
| bounded param statement bov | 11261 | R/L | ? | ? | ? | ? | ? | <5 | ? | DoS/Exec | F/N | |
| insecure tmp file creation | 11291 | L | ? | ? | ? | ? | 18 | ? | ? | DoS | F | |
| multiple local vulnerabilities | 11357 | L | ? | ? | ? | <59 | <21 | ? | ? | DoS | Y | |
| FULLTEXT search DoS | 11432 | R | ? | ? | ? | ? | <21 | none | ? | DoS | F | |
| unauthorized GRANT privilege | 11435 | R | all | all | all | all | <21 | ? | ? | Access | Y | |

Exploit column (how easy is it to exploit?): Y = exploit code readily available; F = exploit feasible with some work; N = exploit would not be easy.
Notes column: w = demonstrated in MS Windows; c = vulnerability in the MySQL client; x = exploit worked in our lab.
* On the original slide, bold-face descriptions mark remotely exploitable vulnerabilities with an available exploit (Rem/Loc R and Exploit Y above).
* Not all versions/platforms have been tested against all vulnerabilities, so some may have broader coverage.
* Exploits are Linux or cross-platform unless otherwise noted.
Versions called out on the slide: 3.23.8 and 4.0.0.
The sweet spot seems to be an early 3.23 version of MySQL, although 4.0.0/1 are also ripe.
16
Assumptions
• Attacks take the Lead Taster off line.
– We are now beginning to look at other forms of attacks.
• The query just processed is responsible for failures.
– Queries must be transactional in effect.
- Required adding synchronous commits for non-transactional administrative commands that did, in fact, contain a vulnerability.
– For “binary poisons,” we assume that preventing the final step of the attack is sufficient.
17
Before the Attack
Figure labels: Bad Guy, Good Guy, Replicator, Verter RTS (Executive), Tasters, Snort.
18
Before the Attack
Bad Guy enters exploit…
19
After the Attack
Lead Taster died
RTS detects failure and switches Lead, sends bad query to learning
New Lead Taster
20
Before the 2nd Attack
Learner builds new tailored Snort rule
Dead Taster is restarted
21
After the 2nd Attack
Bad Guy enters exploit again…
To no avail; the system has learned to block the bad query.
22
Show Movie
23
Proactive Response Planning
24
Simple Planner Model for Demo 1
;; Uncontrolled temporal transitions: a query shows up 10-20 ticks after the
;; last one was cleared, and an unprocessed query becomes a failure after 20-50 ticks.
(def-temporal query-arrives
  :preconds ((query F))
  :postconds ((query T))
  :delay-distribution (uniform-distribution 10 20)
  :min-delay 10
)
(def-temporal query-stale
  :preconds ((query T))
  :postconds ((failure T))
  :delay-distribution (uniform-distribution 20 50)
  :min-delay 20
)
25
Planner Model (cont’d)
;; Processing a query: with probability .5 it kills the taster, with
;; probability .5 it succeeds and leaves the replicas out of date.
(def-reliable process
  :preconds ((taster T) (query T))
  :postconds ( (.5 (taster F) (query F) (hb-sync F))
               (.5 (current F) (query F) (hb-sync T)) )
  :delay-distribution (uniform-distribution 1 1)
  :cost 1
)
;; Controllable action: push the good query to the other tasters.
(def-action replicate-to-tasters
  :preconds ( (current F) (taster T) (backup T) )
  :postconds ( (current T) )
  :wcet 1
  :cost 1
)
26
Planner Model
• Goal: maximize Expected Utility (EU).
• Rewards: maintain “(current T)” for 10 utils/tick.
• Arbitrary duration: 200 ticks.
• Maximum possible EU < 2000 (200 ticks * 10 utils/tick).
– Less than 2000 because some queries will arrive, incurring cost.
• Planner uses goal-driven heuristic to derive plan.
• Evaluates safety and EU performance of plan using simulation (sampling).
• Backtracks/jumps to create new plans, directed by failures.
– Not yet well-directed in search after a non-failure plan is found.
27
Plan EU vs. Elapsed Planning Time
Plot: expected utility (y axis, 1870 to 1950) against elapsed planning time in ms (x axis, log scale from 100 to 1e+07).
28
First Safe Plan Found
Blue states satisfy goal.
Two non-goal states.
EU = 1880.
Elapsed planning time: 800 milliseconds.
If query kills taster, wait until next query arrives to switch tasters and rebuild the dead one.
29
12th Safe Plan Found
• Only one non-goal state.
• EU = 1940.
• Elapsed planning time: 30 minutes.
• Key: Switch tasters and restart backup server immediately, even though you are in the goal state.
• Pre-position for eventuality of being pushed out of goal state and pre-arranging to speed restoration of goal state.
30
Improving the Planner
• Local search (plan patching) based on heuristic guidance.
– E.g.: If the current plan includes a multi-step chain to re-establish a maintenance goal, try to move one or more of the steps earlier, before the goal is violated.
– Random restarts probably required to escape local maxima.
• Investigate alternative solution method: map to MDPs.
– Younes (CMU): Tempastic-DTP planner maps GSMDP problems to MDPs using phase-type distributions.
– Exponential state space growth, but solution method is non-iterative.
31
Scalable Planner Evaluation Domains
• In addition to demo-specific domains, we have built scalable test domain generators to provide rigorous evaluation metrics.
• Expands test coverage to domains where utilities and probabilities determine success.
– Include abstractions for important SRS domain characteristics.
– Goal: help drive Cortex planner development by identifying relevant weaknesses.
32
Basic Abstractions
• Each test consists of "games", revolving around a single "goal".
• Dwell goals: per-tick reward for maintaining a feature in face of clobbering threats, e.g., providing a network service, while under attack.
• Achievement goals: one-time reward for completing multi-step process, e.g., configuring a network.
• Goals and threats can be combined to test scalability or the ability to make trade-offs.
33
Example Scalability Baseline
• Domain: single dwell goal subject to N threats.
• Threat delay: uniform distribution from 1 to 100.
• Time-to-failure: 20 ticks.
• Response time: 1 tick.
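The sampling-based plan evaluation from the planner slide ("evaluates safety and EU performance of plan using simulation"), run on the scalability baseline domain just listed, as an added example that is not CIRCADIA's planner. The numbers are the slide's: a dwell goal paying 10 utils per tick, N threats whose firing delay is uniform in [1, 100] ticks, 20 ticks from firing to failure, 1-tick response actions, and a 200-tick horizon. A unit cost per response, re-arming a handled threat with a fresh delay, an executive that runs one action at a time, and absorbing failure are my assumptions; the plan evaluated responds to the oldest pending threat immediately, and a no-response plan is included for contrast.

```python
"""Monte Carlo estimate of a reactive plan's expected utility on a dwell-goal domain."""
import random

HORIZON = 200           # ticks
REWARD_PER_TICK = 10    # utils while the dwell feature is maintained
RESPONSE_COST = 1       # assumption: each response action costs one util
TIME_TO_FAILURE = 20    # ticks from a threat firing until it clobbers the goal
MIN_DELAY, MAX_DELAY = 1, 100


def simulate(n_threats, respond, rng):
    """One sampled run. Returns reward earned minus action costs."""
    fire_at = [rng.randint(MIN_DELAY, MAX_DELAY) for _ in range(n_threats)]
    active_since = [None] * n_threats  # tick at which threat i fired, if unhandled
    utility = 0
    busy_until = 0                     # executive is single-threaded: one action at a time
    for t in range(HORIZON):
        for i in range(n_threats):
            if active_since[i] is None and t >= fire_at[i]:
                active_since[i] = t
        # An unhandled threat that has been active TIME_TO_FAILURE ticks ends the run.
        if any(s is not None and t - s >= TIME_TO_FAILURE for s in active_since):
            return utility
        # Plan: respond to the oldest pending threat whenever the executive is free.
        if respond and t >= busy_until:
            pending = [i for i in range(n_threats) if active_since[i] is not None]
            if pending:
                i = min(pending, key=lambda k: active_since[k])
                active_since[i] = None
                fire_at[i] = t + 1 + rng.randint(MIN_DELAY, MAX_DELAY)  # re-arm
                busy_until = t + 1                                       # wcet 1
                utility -= RESPONSE_COST
        utility += REWARD_PER_TICK
    return utility


def expected_utility(n_threats, respond=True, samples=2000, seed=1):
    """Average utility over sampled threat timings (deterministic for a given seed)."""
    rng = random.Random(seed)
    return sum(simulate(n_threats, respond, rng) for _ in range(samples)) / samples


if __name__ == "__main__":
    print("threats  EU(respond)  EU(ignore)")
    for n in range(9):
        print(f"{n:7d}  {expected_utility(n):11.1f}  {expected_utility(n, respond=False):10.1f}")
```

With at most eight threats and a one-tick response, the reactive plan never lets a threat sit for 20 ticks, so its only loss is action cost and the estimate stays just under the 2000-util ceiling; ignoring threats loses the rest of the horizon after the first one matures. The slide's planner does the same kind of sampling but over the full timed model with probabilistic outcomes, which is where the planning time goes.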
Plot: time to best plan (msecs, log scale from 100 to 1e+006) against number of threats (0 to 8); data series "new-scaling-num-threats-fixed.data" using 1:2.
34
Quadchart: CORTEX – Mission-Aware Closed-Loop Cyber Assessment and Response
NEW IDEAS
• System Reference Model including mission models drives intrusion assessment, diagnosis, and response.
• Automatically search for response policies that optimize tradeoff of security against mission ops.
• “Taste-tester” server redundancy supports robustness and learning from new attacks.
IMPACT
• High confidence intrusion assessment and diagnosis.
• Pre-planned automatic responses to contain and recover from faults and attacks.
• Automatic tradeoffs of security vs. service level & accessibility.
• Learns to recognize and defeat novel attacks.
SCHEDULE
• Timeline ticks: JUL 04, DEC 04, APR 05, DEC 05.
• Demos: Thin slice demo, Learning Demo, Mission Aware Demo.
Figure labels: Computing services; Active Security Controller (Executive); Controller Synthesis Module; Security Tradeoff Planner; Scyllarus Intrusion Assessment; Networks, Computers; Attacks, intrusions.
35
The End
36
How Scyllarus Intrusion Detection Works
Figure: audit reports (of a network probe, of a communication attempt, of an unauthorized user) enter the Dynamic Evidence Aggregator, which draws on the Intrusion Reference Model (Network Model, Security Model, Attack Models) to form hypotheses about possible situations, e.g. H1 “intrusion in progress” versus H2 “accidentally mis-configured application”, and outputs the Likely Security Situation (intrusions, attacks).
37
Sifting Key Events from Raw Reports
• Daily Traffic Example (figure): 16,000 raw reports from IDS-1, IDS-2, and IDS-3 are clustered into events, split into uninteresting and interesting events (the figure labels the two groups with counts of 1000 and 4000); evidence analysis reduces these to 10 believable interesting events.
38
Example of How Scyllarus Reduces Workload
Plot: per-day counts for days in November, 2001, on a log scale from 1 to 100,000, of IDS reports, events, all plausible events, events of medium/high plausibility and medium/high severity, and events of high plausibility and high severity.
39
Controller Synthesis Module
Figure labels: Controller Synthesis Module; Active Security Controller (Executive); Security Tradeoff Planner; inputs Threat Model, Dynamics Model, Action Model; Projection/Synthesis Algorithm; Scheduler; Verifier.
Controller Synthesis Module reasons about models of goals, threats, cyberspace dynamics and actions to derive new sets of control rules online.
– Timed automata models capture temporal constraints, probabilities.
– Game theoretic view plus time: search for controller automaton while projecting adversary’s moves.
– Temporal reasoning derives requirements on sensing/monitoring.
– Formal methods verify controller behavior against policy requirements.
40
Controlled State Space Graph
• Considers different orders of attacker actions, consistent with preconditions.
– Factored, transition-based attacker model allows CIRCADIA to generalize beyond single-path characterization of a given attack script.
• Includes sequences of CIRCADIA actions to prevent further damage and recover from current (non-goal) situations.
41
Motivation
• Current computational mission (resources, tasks) affects:
– Detection of attacks and failures.
– Appropriate responses.
• Existing intrusion detection and response does not incorporate knowledge of mission.
• Thesis: mission awareness will enable Self-Regenerative System behavior.
42
Scyllarus
A management and analysis system for network security monitoring:
• Correlates reports from many disparate intrusion detectors to provide information useful to operating personnel or administrators.
– Weighs evidence for/against intrusions to reduce false alarms.
– Assesses intrusion events for plausibility and severity.
– Discounts attacks against non-susceptible targets.
• Consolidates and retains all report data for forensic investigation.
• Maintains detector and system configuration information.
43
Scyllarus Capability Summary
• Process reports from a variety of intrusion detection sensors:
– Network, host, and hybrid.
– Commercial, open-source, research.
• Process substantial report volume: thousands of reports/hour.
• Provide significant reductions in report volume: thousands -> tens.
• Monitor sizeable networks
– Up to 1000 nodes with one system.
• Cluster and correlate reports from multiple sensors:
– More effective detection of stealthy attacks.
– Vast reduction in false alarms and noise.
• Categorize events for efficient review
– Plausibility, severity, utility of events.
• Discount attacks on unsusceptible targets.
• Retain events and reports in database for forensic analysis.
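The clustering, evidence weighing and discounting described on the two Scyllarus slides above, as an added example that is not Honeywell's Scyllarus code. The report fields, the asset inventory, the attack-to-requirement mapping, the severities, the time window and the numeric scores are all constructed for the example; a real aggregator would draw these from its network, security and attack models.

```python
"""Cluster IDS reports into events, score plausibility, discount unaffected targets."""
from dataclasses import dataclass, field

WINDOW = 60  # seconds: reports on the same src/dst/attack this close together merge


@dataclass(frozen=True)
class Report:
    sensor: str   # detector that produced it
    t: int        # seconds since start of day
    src: str
    dst: str
    attack: str   # normalized attack class


@dataclass
class Event:
    src: str
    dst: str
    attack: str
    reports: list = field(default_factory=list)

    @property
    def sensors(self):
        return {r.sensor for r in self.reports}


# Constructed asset inventory: what each monitored host runs.
ASSETS = {
    "10.0.0.5": {"os": "linux", "mysql": "3.23.52"},
    "10.0.0.6": {"os": "windows", "iis": "5.0"},
    "10.0.0.7": {"os": "linux"},
}
# Constructed attack model: software the target must run to be affected.
REQUIRES = {
    "mysql-com-change-user-overflow": "mysql",
    "iis-unicode-traversal": "iis",
    "portscan": None,  # reconnaissance works against any host
}
SEVERITY = {
    "mysql-com-change-user-overflow": "high",
    "iis-unicode-traversal": "high",
    "portscan": "low",
}


def cluster(reports):
    """Group reports about one attack on one src/dst pair into events."""
    events = []
    for r in sorted(reports, key=lambda r: r.t):
        for e in events:
            if (e.src, e.dst, e.attack) == (r.src, r.dst, r.attack) \
                    and r.t - e.reports[-1].t <= WINDOW:
                e.reports.append(r)
                break
        else:
            events.append(Event(r.src, r.dst, r.attack, [r]))
    return events


def susceptible(event):
    need = REQUIRES.get(event.attack)
    return need is None or need in ASSETS.get(event.dst, {})


def plausibility(event):
    """0..1: independent detectors agreeing raise belief; a target that cannot
    be affected discounts it heavily (the attempt may be real but cannot succeed)."""
    score = {1: 0.4, 2: 0.7}.get(len(event.sensors), 0.9)
    if not susceptible(event):
        score *= 0.1
    return round(score, 2)


def triage(reports, min_plausibility=0.5):
    """Events worth an operator's attention: plausible and not low severity."""
    out = []
    for e in cluster(reports):
        p = plausibility(e)
        if p >= min_plausibility and SEVERITY[e.attack] != "low":
            out.append((e, p))
    return out


# Constructed day of reports from three detectors.
SAMPLE_REPORTS = [
    Report("snort", 100, "198.51.100.7", "10.0.0.5", "mysql-com-change-user-overflow"),
    Report("bro", 103, "198.51.100.7", "10.0.0.5", "mysql-com-change-user-overflow"),
    Report("snort", 105, "198.51.100.7", "10.0.0.5", "mysql-com-change-user-overflow"),
    Report("snort", 200, "198.51.100.7", "10.0.0.5", "iis-unicode-traversal"),
    Report("hostids", 201, "198.51.100.7", "10.0.0.5", "iis-unicode-traversal"),
    Report("snort", 900, "198.51.100.7", "10.0.0.7", "mysql-com-change-user-overflow"),
] + [Report("snort", 300 + i, "203.0.113.9", "10.0.0.6", "portscan") for i in range(20)]


def demo():
    return triage(SAMPLE_REPORTS)


if __name__ == "__main__":
    for e, p in demo():
        print(f"{p:.2f} {e.attack} {e.src} -> {e.dst} ({len(e.reports)} reports, {sorted(e.sensors)})")
```

Twenty-six raw reports collapse into four events, and only the corroborated MySQL attack on the host that actually runs MySQL survives triage; the IIS attack against a Linux box and the lone MySQL report against a host without MySQL are kept in the event store for forensics but discounted, and the port scan is filtered by severity.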
44
CIRCADIA
Cooperative Intelligent Real-time Control Architecture for Dynamic Information Assurance
• Autonomic defense for computing resources.
• Adaptive monitoring.
• Real-time reactive control responses.
• Uses control-theoretic methods to automatically synthesize its control strategies, rather than relying on hand-built rules or other knowledge.
45
Automatically Synthesizing Security Control Systems
• Use control theory to derive appropriate response actions automatically.
• Automatically tailor monitoring and responses according to mission, available resources, varying threats, and policies.
• Reason explicitly about response time requirements to provide performance guarantees.
• Automatic responses guaranteed to defeat intruders in real-time.
• System derives appropriate responses for novel attack combinations.
• Automatic tradeoffs of security and monitoring vs. service and accessibility.
• Easier to deploy & maintain than manual rule bases.
Quadrant labels: IMPACT, NEW IDEAS. Figure labels: Active Security Controller (Executive); Controller Synthesis Module; Security Tradeoff Planner; Intrusion Assessment; Networks, computers; Computational mission services.
46
CORTEX Advances (Beyond Scyllarus)
• Add mission modeling capability to form System Reference Model.
• Incorporate propagation models to represent information flow and filtering components.
• Enhance state assessment for mission awareness:
– Mission affects expected sensor behavior.
– Mission affects criticality of failures and attacks.
• Bring state assessment fully online for soft real-time performance.
• Stretch Goal: Retrospective revision of alerts based on new information.
47
CORTEX Advances (Beyond CIRCADIA)
• Automatically map System Reference Model elements to planning problem for controller synthesis.
• Develop new controller synthesis algorithms for qualitative probabilistic models, based on local search.
• Develop meta-level control to focus and adjust response planning algorithms based on mission phasing and urgency of self-reconfiguration.
• Interface to state assessment for real-time response.
Page 48
CORTEX Advances (Learning)
• Adapt existing concept drift algorithms to update surprise levels (qualitative probabilities) within the threat models.
• Adapt performance profiles within the Mission models and Self (meta-level) models.
• Develop strategies for preemptively testing resource capacities based on mission, self, and threat models.
– Predict and test for failures and adapt before they are critical.
Page 49 (detail of the problem definition from cortex-taster.lisp, reproduced in full on page 50)
Page 50
```lisp
;;; cortex-taster.lisp
#|
(defun t1 () (load "domains/taster/cortex-taster"))
(set-verifier-mode :meu)
(set-search-mode :forward)
(setf *sim-maxtime* 200)
(setf *max-utility* 2000)
(setf *debug-list* NIL)
(pushnew :top *debug-list*)
(pushnew :csm *debug-list*)
(pushnew :meu *debug-list*)
(setf *max-number-of-intermediate-plans-considered* 10000)
(setf *TEMPSWITCH-FIX-MC-SIM-CULPRIT-NO-OP-BUG* T)
(setf *store-all-improved-plans* T)
;;(setf *check-all-plans-diff* T)
;;(setf *backjump-if-inferior* T)
;;(setf *cautious-culprit-match* T)
(reset-randoms)
;; testing results stuff....
(setf *omit-no-ops* nil)
; a= first plan produced...(setf a (first (last *stored-plan-list*)))
(setf b (first *stored-plan-list*))
(diff a b)
(mapcar #'eu *stored-plan-list*)
(mapcar #'elapsed-time *stored-plan-list*)
(restore-stored-plan a)
(davinci-draw-sim-reachable-states)
(restore-stored-plan b)
(davinci-draw-sim-reachable-states)
|#

(def-state scenario1-initial-state
  :features ((failure F)
             (query F)
             (current T)    ; backups are current
             (taster T)     ; taster is up
             (hb-sync T)    ; last query was good
             (backup T)     ; backup is up
             )
  )

;;; ************ environment events **************
(def-temporal query-arrives
  :preconds ((query F))
  :postconds ((query T))
  :delay-distribution (uniform-distribution 10 20)
  :min-delay 10
  )

(def-temporal query-stale
  :preconds ((query T))
  :postconds ((failure T))
  :delay-distribution (uniform-distribution 20 50)
  :min-delay 20
  )

;; Serving a query either crashes the taster or leaves the replicas stale.
(def-reliable process
  :preconds ((taster T) (query T))
  :postconds ((.5 (taster F) (query F) (hb-sync F))
              (.5 (query F) (hb-sync T) (current F)))
  :delay-distribution (uniform-distribution 1 1)
  :delay (make-range 1 1)
  :cost 1
  )

;;; ************ manage tasters **************
(def-action send-to-learning-switch-tasterdb
  :preconds ((taster F) (backup T))
  :postconds ((taster T) (backup F))
  :wcet 1
  :cost 1
  )

(def-action replicate-to-tasters
  :preconds ((current F) (taster T) (backup T))
  :postconds ((current T))
  :wcet 1
  :cost 1
  )

(def-action rebuild-taster
  :preconds ((backup F))
  :postconds ((backup T))
  :wcet 5
  :cost 1
  )

;;; ************ problem def ***********
(def-machine system-ops (query-arrives
                         query-stale
                         process
                         )
  )

(def-machine manage-system (send-to-learning-switch-tasterdb
                            replicate-to-tasters
                            rebuild-taster
                            )
  )

(def-maintenance-goal dbcurrent
  ;;:features ((current T) (taster T) (backup T))
  :features ((current T))
  :reward 10
  )

(def-problem cortex-taster
  :version "$Revision: 1.2 $"
  :machines (system-ops
             manage-system
             )
  :initial-states (scenario1-initial-state)
  :transitions ()
  :goals (dbcurrent)
  )

(solve-problem cortex-taster)
```
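The domain above (def-temporal and def-reliable events, def-action responses, the dbcurrent maintenance goal) can be exercised outside the planner with a small discrete-event simulator. This is an added example, not CIRCA or CORTEX code: the transition tables are transcribed from the Lisp, but the execution semantics are assumptions (one action executes at a time; its postconditions apply at completion if its preconditions still hold; the maintenance goal pays 10 per unit of time that (current T) holds, which makes the *max-utility* of 2000 the ceiling for a *sim-maxtime* of 200; (failure T) ends the episode), and the two policies are hand-written stand-ins for what the controller synthesis module would produce. It shows what the synthesised controller has to get right: under a no-op policy the taster crashes and query-stale eventually reaches (failure T), while a response policy that switches, rebuilds and replicates keeps the database current inside the event deadlines.

```python
"""Discrete-event simulation of the cortex-taster domain (added example, not CORTEX code).
Transition tables transcribed from the slide's Lisp; execution semantics are assumptions
stated in the comments, and both policies are hand-written stand-ins for a planned controller."""
import random

# Feature values: True/False stand in for the slide's T/F.
INITIAL = {"failure": False, "query": False, "current": True,
           "taster": True, "hb-sync": True, "backup": True}

# Environment events (def-temporal): preconds, postconds, uniform delay range.
TEMPORALS = {
    "query-arrives": ({"query": False}, {"query": True}, (10.0, 20.0)),
    "query-stale":   ({"query": True}, {"failure": True}, (20.0, 50.0)),
}
# The reliable 'process' event fires 1 unit after a query is pending on a live taster;
# either the taster crashes, or the query is served and the replicas go stale.
PROCESS_PRE = {"taster": True, "query": True}
PROCESS_OUTCOMES = [
    (0.5, {"taster": False, "query": False, "hb-sync": False}),
    (0.5, {"query": False, "hb-sync": True, "current": False}),
]
# Agent actions (def-action): preconds, postconds, worst-case execution time.
ACTIONS = {
    "send-to-learning-switch-tasterdb": ({"taster": False, "backup": True},
                                         {"taster": True, "backup": False}, 1.0),
    "replicate-to-tasters": ({"current": False, "taster": True, "backup": True},
                             {"current": True}, 1.0),
    "rebuild-taster": ({"backup": False}, {"backup": True}, 5.0),
}
ACTION_COST = 1
# Assumption: the maintenance goal pays :reward 10 per unit time (current T) holds,
# so *sim-maxtime* 200 caps the episode at the slide's *max-utility* 2000.
GOAL_FEATURE, GOAL_REWARD = "current", 10.0


def holds(state, conds):
    return all(state[k] == v for k, v in conds.items())


def repair_policy(state):
    """Hand-written stand-in for a synthesised controller: restore the taster first,
    then rebuild the spare, then refresh stale replicas."""
    for name in ("send-to-learning-switch-tasterdb", "rebuild-taster", "replicate-to-tasters"):
        if holds(state, ACTIONS[name][0]):
            return name
    return None


def no_op_policy(state):
    return None


def simulate(policy, max_time=200.0, seed=0):
    """One episode. Assumptions: one action at a time; its postconds apply at completion
    only if its preconds still hold; (failure T) ends the episode."""
    rng = random.Random(seed)
    state = dict(INITIAL)
    scheduled = {}      # enabled event name -> firing time
    action = None       # (name, completion time) of the action in progress
    t, reward, cost = 0.0, 0.0, 0
    while t < max_time and not state["failure"]:
        # Enable or cancel environment events as their preconditions change.
        for name, (pre, _post, (lo, hi)) in TEMPORALS.items():
            if holds(state, pre) and name not in scheduled:
                scheduled[name] = t + rng.uniform(lo, hi)
            elif not holds(state, pre) and name in scheduled:
                del scheduled[name]
        if holds(state, PROCESS_PRE) and "process" not in scheduled:
            scheduled["process"] = t + 1.0
        elif not holds(state, PROCESS_PRE) and "process" in scheduled:
            del scheduled["process"]
        # Start a new action when the executive is idle.
        if action is None:
            name = policy(state)
            if name is not None:
                action = (name, t + ACTIONS[name][2])
                cost += ACTION_COST
        # Advance to the earliest pending event or action completion.
        pending = list(scheduled.items())
        if action is not None:
            pending.append(action)
        name, t_next = min(pending, key=lambda p: p[1]) if pending else (None, max_time)
        t_next = min(t_next, max_time)
        if state[GOAL_FEATURE]:
            reward += GOAL_REWARD * (t_next - t)
        t = t_next
        if name is None or t >= max_time:
            break
        if action is not None and name == action[0]:
            pre, post, _ = ACTIONS[name]
            if holds(state, pre):
                state.update(post)
            action = None
        elif name == "process":
            del scheduled["process"]
            draw, acc = rng.random(), 0.0
            for prob, post in PROCESS_OUTCOMES:
                acc += prob
                if draw < acc:
                    state.update(post)
                    break
        else:
            del scheduled[name]
            state.update(TEMPORALS[name][1])
    return {"failed": state["failure"], "reward": reward, "cost": cost, "time": t}


def evaluate(policy, runs=200):
    """Monte Carlo estimate of failure probability and mean reward for a policy."""
    results = [simulate(policy, seed=s) for s in range(runs)]
    return {"fail_rate": sum(r["failed"] for r in results) / runs,
            "mean_reward": sum(r["reward"] for r in results) / runs}


if __name__ == "__main__":
    for label, pol in (("no-op", no_op_policy), ("repair", repair_policy)):
        print(label, evaluate(pol))
```

Running the file prints failure rate and mean reward for both policies over 200 seeded episodes. The simulator only samples the timing argument that the planner's verifier checks exhaustively: after a crash the switch completes one unit later, and the five-unit rebuild finishes before the earliest next query (min-delay 10), so the spare is never absent when it is needed. A zero failure rate in simulation is evidence, not the guarantee the slides mean by verification.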
Page 51
GSMDP Solution Method

[Figure: solution pipeline]
GSMDP  --(phase-type distributions: approximation)-->  Continuous-time MDP  --(uniformization, optional [Jensen 1953; Lippman 1975])-->  Discrete-time MDP
Discrete-time MDP  -->  MDP policy  --(simulate phase transitions)-->  GSMDP policy
Page 52
Continuous Phase-Type Distributions [Neuts 1981]
• Time to absorption in a continuous-time Markov chain with n transient states.

[Figure: three examples drawn as chains of phases ending in absorption]
– Exponential: a single phase with rate λ1.
– Two-phase Coxian: from phase 1 (rate λ1), continue to phase 2 (rate λ2) with probability p, or absorb with probability 1 – p.
– n-phase generalized Erlang: from phase 1, enter the remaining chain of phases 2 … n with probability p, or absorb with probability 1 – p.
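Written out in Neuts' notation (added here as a restatement of the slide, not part of the original deck): a continuous phase-type distribution is specified by an initial row vector $\alpha$ over the $n$ transient phases and the $n \times n$ sub-generator $S$ of the chain restricted to those phases, with exit-rate vector $s^0 = -S\mathbf{1}$. The absorption time $T$ then satisfies

$$F(t) = \Pr[T \le t] = 1 - \alpha\, e^{St}\,\mathbf{1}, \qquad f(t) = \alpha\, e^{St}\, s^0, \qquad E[T] = -\alpha S^{-1}\mathbf{1}.$$

For the three pictured cases:

$$\text{Exponential:}\quad S = \begin{pmatrix} -\lambda_1 \end{pmatrix},\ \alpha = (1),\qquad E[T] = \frac{1}{\lambda_1}$$

$$\text{Two-phase Coxian:}\quad S = \begin{pmatrix} -\lambda_1 & p\lambda_1 \\ 0 & -\lambda_2 \end{pmatrix},\ \alpha = (1,\,0),\qquad E[T] = \frac{1}{\lambda_1} + \frac{p}{\lambda_2}$$

$$\text{n-phase generalized Erlang, rate } \lambda \text{ in every phase:}\qquad E[T] = \frac{1 + (n-1)p}{\lambda},\qquad \text{and for } p = 1:\ \ \mathrm{Var}[T] = \frac{n}{\lambda^2},\ \ \frac{\mathrm{Var}[T]}{E[T]^2} = \frac{1}{n}.$$

The last ratio is what limits the approximation: an Erlang fit can only realise a squared coefficient of variation of exactly $1/n$, so a delay with small relative spread needs many phases, and every phase index becomes part of the state the policy sees.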
Page 53
Approximating GSMDP with Continuous-time MDP
• Approximate each distribution Ge with a continuous phase-type distribution
– Phases become part of state description
– Phases represent discretization into random-length intervals of the time events have been enabled
Page 54
Policy Execution
• The policy we obtain is a mapping from modified state space to actions
• To execute a policy we need to simulate phase transitions
• Times when action choice may change:
– Triggering of actual event or action
– Simulated phase transition
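An added example of the phase-type step on pages 51 to 54, not CORTEX code: it fits the query-arrives delay of the taster domain, uniform on [10, 20], with an n-phase Erlang by moment matching (an assumed fitting method; the slides say only that each Ge is approximated by a phase-type distribution), checks the fit by sampling absorption times, and then runs the executor loop described on this slide: the policy is queried on (state, phase), and the executor simulates the enabled event's phase transitions, re-evaluating the action at every simulated transition until the phase process absorbs, which is when the real event would trigger. The phase-aware policy rebuild_if_time is hypothetical, chosen to show an action choice that changes at a phase transition rather than at an event.

```python
"""Phase-type approximation of a GSMDP event delay and phase-driven policy execution.
Added example, not CORTEX code. Moment matching to an Erlang and the rebuild_if_time
policy are assumptions made for illustration."""
import random


class PhaseType:
    """Time to absorption in a CTMC with transient phases 0..n-1; phase index n is absorbing.
    rates[i] lists (target phase, rate) pairs leaving phase i."""

    def __init__(self, alpha, rates):
        self.alpha = alpha          # initial probability over transient phases
        self.rates = rates
        self.n = len(rates)

    @classmethod
    def exponential(cls, lam):
        return cls([1.0], [[(1, lam)]])

    @classmethod
    def coxian2(cls, lam1, lam2, p):
        # Phase 0 continues to phase 1 with probability p, otherwise absorbs directly.
        return cls([1.0, 0.0], [[(1, p * lam1), (2, (1 - p) * lam1)], [(2, lam2)]])

    @classmethod
    def generalized_erlang(cls, n, lam, p=1.0):
        # Phase 0 enters the chain 1..n-1 with probability p, else absorbs; p=1 is plain Erlang.
        rates = [[(1, p * lam), (n, (1 - p) * lam)]] + [[(i + 1, lam)] for i in range(1, n)]
        return cls([1.0] + [0.0] * (n - 1), rates)

    def step(self, phase, rng):
        """Hold in `phase` for an exponential time, then jump; returns (holding time, next phase)."""
        targets = [j for j, _ in self.rates[phase]]
        weights = [r for _, r in self.rates[phase]]
        return rng.expovariate(sum(weights)), rng.choices(targets, weights=weights)[0]

    def sample(self, rng):
        phase = rng.choices(range(self.n), weights=self.alpha)[0]
        t = 0.0
        while phase < self.n:
            dt, phase = self.step(phase, rng)
            t += dt
        return t


def uniform_moments(lo, hi):
    return (lo + hi) / 2.0, (hi - lo) ** 2 / 12.0


def fit_erlang(mean, var):
    """Moment-match an Erlang (assumed method): its squared coefficient of variation is 1/n."""
    n = max(1, round(mean * mean / var))
    return n, n / mean


def empirical_moments(ph, samples=10000, seed=1):
    rng = random.Random(seed)
    xs = [ph.sample(rng) for _ in range(samples)]
    mean = sum(xs) / samples
    return mean, sum((x - mean) ** 2 for x in xs) / samples


def rebuild_if_time(n, lam, wcet=5.0):
    """Hypothetical phase-aware policy: start the 5-unit rebuild-taster action only while the
    expected remaining time to the next query, (n - phase) / lam, still exceeds its wcet."""
    return lambda phase: "rebuild-taster" if (n - phase) > wcet * lam else "no-op"


def decision_points(ph, policy, seed=2):
    """Policy execution: the policy sees the phase as part of the state; the executor simulates
    phase transitions of the enabled event and re-queries the policy at each one, stopping when
    the phase process absorbs (the point at which the real event triggers)."""
    rng = random.Random(seed)
    phase = rng.choices(range(ph.n), weights=ph.alpha)[0]
    t, points = 0.0, [(0.0, phase, policy(phase))]
    while True:
        dt, phase = ph.step(phase, rng)
        t += dt
        if phase == ph.n:
            points.append((t, "event", None))
            return points
        points.append((t, phase, policy(phase)))


if __name__ == "__main__":
    n, lam = fit_erlang(*uniform_moments(10, 20))
    ph = PhaseType.generalized_erlang(n, lam)
    print("Erlang fit:", n, "phases, rate", lam, "empirical (mean, var):", empirical_moments(ph))
    for t, phase, act in decision_points(ph, rebuild_if_time(n, lam)):
        print(f"t={t:6.2f} phase={phase} action={act}")
```

The uniform [10, 20] delay has squared coefficient of variation 1/27, so the fit needs 27 phases; that is the state-space price of the approximation, since every enabled event contributes its phase index to the state the policy is defined over. The printed trace shows the consequence for execution: the chosen action flips from rebuild-taster to no-op at a simulated phase transition, with no real event having occurred.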