Research & Development Roadmap
Outline
- A New Communication Framework
- Giving Bro Control over the Network
- Security Monitoring for Industrial Control Systems
- Parallelism on Concurrent Architectures
COMMUNICATION NG
Communication Today
Primitives
- Sending events
- &synchronized
Limitations
- Model doesn't scale; no hierarchies
- Loose semantics: best-effort service
- No integration with persistence
- Implementation lacks robustness
- Two separate protocol implementations
Initial Proposal
Extend event propagation
- Routing
- Subscription groups
- Push/pull models
Remove &synchronized (and the proxies ...)
Add a global, persistent data structure
- Probably just a key/value store
- Explicit API
Initial Proposal (cont’d.)
Implementation
- "Data nodes" in charge of tables; nodes attach
- Receive updates and broadcast them back out
- Limit values to atomic data types
- Use existing libraries
- Implement as a library
Trading "magic" for better semantics and control
GIVING BRO CONTROL OVER THE NETWORK
Objectives
Bro controls what it sees
- Adapt the front-end load-balancing
Bro controls what the network does
- Block, steer, shape
Science DMZs
[Figure: Science DMZ topology (source: ESNet): border router with 100G uplink, 10/100G links, Science DMZ switch exposing a control API]
100 Gb/s Cluster
[Figure: border router (100GE) feeding a 100G load-balancer with a control API, 10GE links into the Bro cluster]
Transparent Script Interface
Packet Acquisition
- drop(entity)
- sample(entity)
- notify(entity, cond)
Packet Control
- drop(entity)
- sample(entity)
- throttle(entity)
- redirect(entity, destination)
Transparent Script Interface (cont’d.)
- "Entity" could be very different things ...
- Plugins implement what the hardware supports
SECURITY MONITORING FOR ICS
Industrial Control Systems
Critical resources, yet lacking in protection
- Often legacy hardware, hard to protect
- Not built with security in mind
Classic IDS not a good fit
- Attacks rare / unknown
- Behavioral approaches don't take context into account
Industrial Control Systems (cont’d.)
Significant potential through incorporating semantics
- Understand protocols Bro-style
- Create visibility
- Develop models of what we should be seeing
Anomaly detection could actually work here
First steps ...
Protocol support in 2.2
- Modbus
- DNP3
Only basic script analysis so far
Research Thrusts (1)
Measurement study: What do we see?
- Actors, workloads, cross-site characterization
- As we do that, extend Bro's logging
Environments
- Municipal water and gas plants
- Campus power plant
- Building automation at a large research lab
Looking for more ...
Research Thrusts (2)
Semantic models for monitoring
- Statistical profiling
- Summary statistics framework
- Power grid state model
- PLC memory maps
PLC Memory Maps
Categorize registers
- Constant, attribute, continuous
Derive predictive models ... and validate them
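One way the "categorize, then derive and validate models" step can look in practice, as an added example that is not from the talk or from Bro itself: each polled PLC holding register is classified as constant, attribute (a small set of discrete values, e.g. a mode word) or continuous (a process variable), and the learned per-register model then flags later readings that break it. The register addresses, sample polls, and the distinct-value and rate thresholds are constructed assumptions.

```python
from collections import defaultdict

ATTRIBUTE_MAX_DISTINCT = 4  # assumption: <= 4 distinct values -> attribute register
RATE_FACTOR = 2             # assumption: flag a step larger than 2x the largest step seen

def categorize(snapshots):
    """snapshots: list of {register: value} dicts from consecutive polls.
    Returns {register: model} describing the behaviour learned per register."""
    seen = defaultdict(list)
    for snap in snapshots:
        for addr, val in snap.items():
            seen[addr].append(val)
    models = {}
    for addr, vals in seen.items():
        distinct = set(vals)
        if len(distinct) == 1:
            models[addr] = {"kind": "constant", "value": vals[0]}
        elif len(distinct) <= ATTRIBUTE_MAX_DISTINCT:
            models[addr] = {"kind": "attribute", "allowed": distinct}
        else:  # continuous: learned range (widened by 10%) plus largest poll-to-poll step
            margin = (max(vals) - min(vals)) * 0.1
            models[addr] = {"kind": "continuous", "lo": min(vals) - margin, "hi": max(vals) + margin,
                            "max_step": max(abs(b - a) for a, b in zip(vals, vals[1:]))}
    return models

def validate(models, prev, current):
    """Check one new poll against the models; returns a list of (register, reason)."""
    alerts = []
    for addr, val in current.items():
        m = models.get(addr)
        if m is None:
            alerts.append((addr, "register not in memory map"))
        elif m["kind"] == "constant" and val != m["value"]:
            alerts.append((addr, f"constant changed {m['value']}->{val}"))
        elif m["kind"] == "attribute" and val not in m["allowed"]:
            alerts.append((addr, f"unexpected attribute value {val}"))
        elif m["kind"] == "continuous":
            if not m["lo"] <= val <= m["hi"]:
                alerts.append((addr, f"value {val} outside learned range"))
            elif prev and addr in prev and abs(val - prev[addr]) > RATE_FACTOR * m["max_step"]:
                alerts.append((addr, f"jump {prev[addr]}->{val} exceeds learned rate"))
    return alerts

# Constructed sample polls of three holding registers: a setpoint (40001),
# a mode word (40002) and a tank-level sensor (40003).
LEVELS = [512, 515, 519, 522, 520, 517, 514, 511]
MODES = [1, 1, 1, 2, 2, 1, 1, 1]
TRAINING = [{40001: 1000, 40002: m, 40003: l} for m, l in zip(MODES, LEVELS)]

if __name__ == "__main__":
    print(validate(categorize(TRAINING), TRAINING[-1], {40001: 900, 40002: 7, 40003: 521}))
```

In a deployment the snapshots would come from the Modbus/DNP3 analyzers' logs rather than an inline list, and the thresholds would be tuned per site from the measurement study.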
PARALLELISM ON CONCURRENT ARCHITECTURES
Concurrency Potential
[Figure: Bro's architecture: Network -> Packets -> Event Engine (protocol decoding) -> Events -> Policy Script Interpreter (analysis logic) -> Logs and Notification]
Concurrent Analysis
[Figure: the same pipeline with the event engine and the script interpreter as separate concurrent stages]
Architecture
[Figure: a packet dispatcher (NIC) feeding event engine threads (packet analysis); events flow to script threads running detection logic in the scripting language, which produce notifications]
New Platform: Abstract Machine
A High-Level Intermediary Language for Traffic Inspection
[Figure: HILTI abstract machine. Feature areas shown: domain-specific data types, high-level standard components, concurrent analysis, robust/secure execution, state management, real-time performance. Properties listed: first-class networking types built in; containers with state management support; platform for building high-level, reusable functionality on; domain-specific concurrency model; well-defined, contained execution environment; timers can drive execution; support for incremental processing; extensive optimization potential; scalability through parallelization; static type system and robust error handling; compilation to native code]
HILTI Toolchain
Research Questions
How to identify state dependencies?
- Static program analysis to drive scheduling
How to leverage hardware capabilities?
- E.g., network processors, hardware lookup modules
HILTI enables more ...
BinPAC++ Demo
Robin Sommer
International Computer Science Institute & Lawrence Berkeley National Laboratory
http://www.icir.org/robin