Alexandre Barreto, ITA/GMU. gmustids.c4i.gmu.edu/papers/stidspresentations/stids...
TRANSCRIPT
The New World
Increasing automation of processes and systems that are part of critical infrastructures.
Society is increasingly dependent on technology [1].
Cyber domain as the new dimension of war, together with air, land and sea.
Need to understand how actions performed in the cyber domain (space and time) affect the operations taking place in other domains [2], [3].
Research Question
To understand how actions performed in the cyber domain (space and time) affect the operations in other domains, it is necessary to correlate cyber and physical behaviors in an integrated view that allows tasks to be evaluated in real time.
Cyber-Argus Framework
Collect Cyber and Mission SA
Develop Cyber Impact Evaluation
Knowledge Base
Model Mission
Model Infrastructure
The Cyber-ARGUS Framework links mission information to network information to assess cyber impacts.
Model Mission (1/2)
Mission: The task, together with the purpose, that clearly indicates the action to be taken and the reason therefore. In common usage, especially when applied to lower military units, a duty assigned to an individual or unit (DoD, 2010).
Why BPMN/OWL to describe Mission?
• Describe the task;
• Describe the pre and post conditions;
• Describe the resources involved (services);
• Describe restrictions (temporal and functional, using gateways);
• Describe events (temporal, functional, etc.); and
• Describe who performs the task.
Mapping BPMN <-> Mission Concept Model
Mission Model concept    BPMN source
Organization             Pool
System                   Lane
Activity                 Task
Service                  Performer
Condition                Gateway or Event
BPMN and OWL
What can't be easily described in BPMN/OWL?
• Service Level Agreement;
• Goals;
• Measures;
• Other restrictions; and
• Restrictions in runtime.
Model Infrastructure
Uses basic information provided by the Mission Model (name of service, cyber asset, etc.) to enable Cyber-ARGUS to build the network architecture (routing and neighbor table, via SNMP).
Building Knowledge Base
Model the mission (resources, tasks and some conditions)
Model Infrastructure (nodes, services, ports)
Knowledge Base
Ontology Representation -> Graph Representation: convert the ontology to a graph representation
[Figure: Performer Concept, in ontology and graph form]
Collect Cyber and Mission SA Tasks
• Identify what is relevant to SA;
• Classify incoming data and infer new information; and
• Update KB.
Develop Impact Evaluation
• Dependence paths analysis
• Temporal analysis
• Cost analysis
• History Degradation Analysis
[Figure, repeated on the four slides below: task graph with tasks A, B, C, D, E, F and G laid out along a time axis divided into slot-times]
Temporal analysis
• What tasks do I need to monitor? (relevant tasks)
• How much time do I need to finish the task and accomplish the goal?
Dependence paths analysis
• In this state, can I reach the goal?
• If task C fails, do I have an alternate path to reach the goal?
Cost analysis
• Can I do the task within the planned cost?
• If task C is compromised, does the alternative route have an acceptable cost?
History Degradation Analysis
• How fast is my network degrading?
t0=10 un, t1=15 un, t2=25 un, t3=45 un
Δd=23.45 un/t
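The four analyses above, run over a small task graph, as an added example that is not part of the presentation or of the Cyber-ARGUS code. Tasks A to G, their dependencies, durations and costs, the slot-time and cost budgets, and the degradation history are all constructed here; the slide does not say how Δd is computed, so the first-to-last-sample slope used below is an assumption.

```python
"""Added example (not from the paper): the four impact-evaluation checks run
over a small task graph. Tasks A..G, their dependencies, durations and costs,
and the degradation history are constructed and are not the paper's data."""

# Constructed task graph: an edge (u, v) means task v can only start after u.
# Two routes lead from A to the goal G: A-B-C-G (primary) and A-D-E-F-G (alternate).
TASKS = {  # duration and cost in the slide's abstract "un" units
    "A": {"duration": 5, "cost": 10},
    "B": {"duration": 10, "cost": 20},
    "C": {"duration": 5, "cost": 15},
    "D": {"duration": 10, "cost": 25},
    "E": {"duration": 15, "cost": 30},
    "F": {"duration": 5, "cost": 10},
    "G": {"duration": 5, "cost": 5},
}
EDGES = [("A", "B"), ("B", "C"), ("C", "G"),
         ("A", "D"), ("D", "E"), ("E", "F"), ("F", "G")]


def successors(edges, failed=frozenset()):
    """Adjacency list of the graph with failed/compromised tasks removed."""
    adj = {}
    for u, v in edges:
        if u not in failed and v not in failed:
            adj.setdefault(u, []).append(v)
    return adj


def all_paths(edges, start, goal, failed=frozenset()):
    """Dependence-path analysis: every route from start to goal that avoids
    the tasks in `failed`. Iterative DFS; the task graph is acyclic."""
    adj = successors(edges, failed)
    paths, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == goal:
            paths.append(path)
            continue
        for nxt in adj.get(node, []):
            if nxt not in path:  # guard against cycles in malformed input
                stack.append((nxt, path + [nxt]))
    return paths


def path_time(path):
    return sum(TASKS[t]["duration"] for t in path)


def path_cost(path):
    return sum(TASKS[t]["cost"] for t in path)


def relevant_tasks(edges, start, goal):
    """Temporal analysis, first question: the tasks worth monitoring are the
    ones lying on at least one route to the goal."""
    return sorted({t for p in all_paths(edges, start, goal) for t in p})


def can_reach_goal(edges, start, goal, failed=frozenset()):
    """'In this state, can I reach the goal?'"""
    return bool(all_paths(edges, start, goal, failed))


def best_route(edges, start, goal, slot_time, planned_cost, failed=frozenset()):
    """Temporal and cost analysis together: the cheapest surviving route that
    finishes within the slot-time and within the planned cost, else None."""
    feasible = [p for p in all_paths(edges, start, goal, failed)
                if path_time(p) <= slot_time and path_cost(p) <= planned_cost]
    return min(feasible, key=path_cost) if feasible else None


def degradation_rate(history):
    """History degradation analysis (assumed formula): degradation per time
    unit as the slope between the first and last (t, d) samples."""
    (t0, d0), (tn, dn) = history[0], history[-1]
    return (dn - d0) / (tn - t0)


if __name__ == "__main__":
    print("monitor:", relevant_tasks(EDGES, "A", "G"))
    print("C failed, goal reachable:", can_reach_goal(EDGES, "A", "G", {"C"}))
    print("route within slot 30 / cost 60:", best_route(EDGES, "A", "G", 30, 60))
    print("C compromised, slot 45 / cost 100:", best_route(EDGES, "A", "G", 45, 100, {"C"}))
    print("degradation un/t:", degradation_rate([(0, 10), (1, 15), (2, 25), (3, 45)]))
```

With C removed the alternate route still reaches G, which answers the dependence-path question, but it takes 40 time units and costs 80, so whether it is acceptable depends on the slot-time and planned cost handed to best_route, which is exactly the temporal and cost questions on the slides.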
C2 Collaborative Research Testbed
The C2 Collaborative Research Testbed is a set of Commercial Off-the-Shelf (COTS) tools that provides a realistic and complex simulation environment to conduct C2 research experiments.
Campos Basin Scenario
• The scenario models Air Traffic Control operations in the Campos Basin.
• The Campos Basin is a petroleum-rich area located in the Rio de Janeiro state, and is responsible for 80% of Brazil's petroleum production (1 million 265 thousand barrels).
• Oil development operations include heavy helicopter traffic between the continent and oceanic fields during daytime, with an average of 50 minutes per flight.
[Map of the Campos Basin; legend: Airfield, Oil Field]
The goal is to simulate the effect of multiple cyber-attacks on the Campos Basin operation, and to understand the impact these attacks might have on the security and safety of air transportation operations.
Cyber-Argus – Campos Basin Study Case
Mission and Infrastructure Model
Knowledge Base
Cyber-Argus Mission Manager
Mission Manager -> Knowledge Base: What are the performers?
Knowledge Base -> Mission Manager: [node1, node2, ..., nodex]
Mission Manager -> node1: Give me your neighbors and services!
node1 -> Mission Manager: Services: FTP, SMTP, MYSQL; neighbors: node2, node3, node4
Mission Manager -> node2, node3, node4: Give me your neighbors and services! [...]
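The Mission Manager exchange above, together with the Model Infrastructure step (building the network architecture from routing and neighbor tables), as an added example that is neither the paper's nor the Cyber-ARGUS code. The node names, services and neighbor lists are constructed, and query_node() is an assumed stand-in for the SNMP queries the slides mention; the asymmetric-link check is a practitioner's addition, not something the slides describe.

```python
"""Added example (not the paper's code): Mission-Manager-style discovery of
the infrastructure model. Node names, services and neighbour lists are
constructed; query_node() stands in for SNMP neighbour/routing-table queries."""
from collections import deque

# Constructed replies, keyed by node name: what each node would answer to
# "give me your neighbours and services". node6 is referenced but never answers.
REPLIES = {
    "node1": {"services": ["FTP", "SMTP", "MYSQL"], "neighbors": ["node2", "node3", "node4"]},
    "node2": {"services": ["HTTP"],                 "neighbors": ["node1", "node5"]},
    "node3": {"services": ["DNS"],                  "neighbors": ["node1"]},
    "node4": {"services": ["SMTP"],                 "neighbors": ["node1", "node5"]},
    "node5": {"services": ["MYSQL"],                "neighbors": ["node2", "node4", "node6"]},
}


def query_node(name):
    """Assumed stand-in for an SNMP query; an unknown node answers nothing."""
    return REPLIES.get(name, {"services": [], "neighbors": []})


def discover_infrastructure(performers, query=query_node):
    """Walk neighbour tables breadth-first, starting from the performers the
    Knowledge Base listed, and return the graph {node: {services, neighbors}}."""
    graph, queue, seen = {}, deque(performers), set(performers)
    while queue:
        node = queue.popleft()
        reply = query(node)
        graph[node] = {"services": set(reply["services"]),
                       "neighbors": set(reply["neighbors"])}
        for n in reply["neighbors"]:
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return graph


def asymmetric_links(graph):
    """Links seen from one side only: a node claims a neighbour that does not
    list it back. Worth flagging before trusting the model."""
    return sorted((a, b) for a, d in graph.items() for b in d["neighbors"]
                  if b in graph and a not in graph[b]["neighbors"])


def nodes_offering(graph, service):
    """Mission-side lookup: which cyber assets can perform a given service."""
    return sorted(n for n, d in graph.items() if service in d["services"])


def unperformed_services(graph, required):
    """Services the mission model names but no discovered node provides."""
    return [s for s in required if not nodes_offering(graph, s)]


def hops(graph, src, dst):
    """Shortest number of links between two assets (None if disconnected)."""
    dist, queue = {src: 0}, deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            return dist[n]
        for m in graph.get(n, {}).get("neighbors", ()):
            if m not in dist:
                dist[m] = dist[n] + 1
                queue.append(m)
    return None


if __name__ == "__main__":
    g = discover_infrastructure(["node1"])
    print(sorted(g))
    print("MYSQL on:", nodes_offering(g, "MYSQL"))
    print("missing:", unperformed_services(g, ["FTP", "LDAP"]))
    print("one-sided links:", asymmetric_links(g))
```

Discovery starts from the performers the Knowledge Base returns and grows outward, so the resulting graph is the subset of the network reachable from mission assets, which is the part an impact evaluation actually needs.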
Using Rules to update Mission Model
Goal01 -> Aircraft(?x) ^ flightTime(?x,?y) ^ swrlb:lessThanOrEqual(?y,30)
Sla03 -> Asset(?x) ^ hasMemory(?x,?y) ^ memoryFree(?y,?k) ^ swrlb:less(?k,100)
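The two rules above evaluated over a small knowledge base and written back into the mission model, as an added example that is not the paper's code and does not use a SWRL engine. The individuals, their property values and the shape of the mission-model fragment are constructed; so is the reading that a Sla03 match marks the asset as below its SLA threshold, which the slide does not spell out.

```python
"""Added example (not the paper's code): the slide's two SWRL-style rules
evaluated over a constructed knowledge base, with matches written back into a
mission model. Individuals, values and the mission-model shape are assumed."""
import operator

# Constructed individuals: a type plus the properties the two rules use.
KB = {
    "acft01": {"type": "Aircraft", "flightTime": 25},
    "acft02": {"type": "Aircraft", "flightTime": 50},
    "node1":  {"type": "Asset", "hasMemory": "mem1"},
    "node2":  {"type": "Asset", "hasMemory": "mem2"},
    "mem1":   {"type": "Memory", "memoryFree": 64},
    "mem2":   {"type": "Memory", "memoryFree": 512},
}

# The SWRL built-ins the slide's rules use, mapped to Python comparisons.
BUILTINS = {
    "swrlb:lessThanOrEqual": operator.le,
    "swrlb:less": operator.lt,
}

# The slide's rules as (class of ?x, property chain from ?x, built-in, bound):
#   Goal01 -> Aircraft(?x) ^ flightTime(?x,?y) ^ swrlb:lessThanOrEqual(?y,30)
#   Sla03  -> Asset(?x) ^ hasMemory(?x,?y) ^ memoryFree(?y,?k) ^ swrlb:less(?k,100)
RULES = {
    "Goal01": ("Aircraft", ["flightTime"], "swrlb:lessThanOrEqual", 30),
    "Sla03":  ("Asset", ["hasMemory", "memoryFree"], "swrlb:less", 100),
}


def follow(kb, individual, chain):
    """Walk a property chain from an individual; None if any link is missing."""
    value = individual
    for prop in chain:
        if not isinstance(value, str) or value not in kb:
            return None
        value = kb[value].get(prop)
        if value is None:
            return None
    return value


def apply_rules(kb, rules=RULES):
    """Classify step: for each rule, the individuals of the rule's class whose
    property chain ends in a value satisfying the built-in."""
    matches = {name: [] for name in rules}
    for name, (cls, chain, builtin, bound) in rules.items():
        for ind, facts in kb.items():
            if facts.get("type") != cls:
                continue
            val = follow(kb, ind, chain)
            if val is not None and BUILTINS[builtin](val, bound):
                matches[name].append(ind)
    return matches


# Constructed mission-model fragment: task -> performing asset and aircraft.
MISSION = {
    "Task1": {"performer": "node1", "aircraft": "acft01"},
    "Task2": {"performer": "node2", "aircraft": "acft02"},
}


def update_mission_model(mission, matches):
    """Write the inferred facts onto each task: Goal01 met by its aircraft,
    Sla03 (memory below threshold, assumed meaning) hit on its performer."""
    updated = {}
    for task, entry in mission.items():
        updated[task] = dict(
            entry,
            goal01_met=entry.get("aircraft") in matches["Goal01"],
            sla03_below_threshold=entry.get("performer") in matches["Sla03"],
        )
    return updated


if __name__ == "__main__":
    m = apply_rules(KB)
    print(m)
    print(update_mission_model(MISSION, m))
```

The property chain in Sla03 is what makes the second rule different from the first: the comparison is not on the asset itself but on an individual reached through hasMemory, which is why follow() walks the chain instead of reading a single property.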
Cyber-Argus Event Manager
Data sources: Security Tools, Application Logs, Other Log Systems, SNMP Tools, Network Monitoring Tools
Relevant Information
Ontology Representation: Classify, Inference & Search
Graph Representation
Update Knowledge Base
Final Remarks
This paper presented an approach for connecting the cyber and physical domains, with the objective of assessing the impact that actions in the former have on the latter.
This is research in progress in an area where clear answers are usually not attainable, mostly due to the complexity as well as to the level of subjectivity involved in real-time impact assessment.
It is a firm step, since after attempting various approaches we remain convinced that the solution to this problem relies on a combination of techniques where semantic technologies and simulation play a major role.
IV Integrated Center of Air Defense and Air Traffic Control (CINDACTA IV)
Manaus – AM Brazil
Questions?