The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness
A Review of the Published Literature and Discussion of Future Research Plans
Nicklaus A. Giacobe
Cyber Security Situational Awareness
- Intrusion Detection (ID) plays an important role in developing situational awareness
- Cyber Situational Awareness = Network Security Situational Awareness
- Activities performed on behalf of an organization: the "Network Security Office"
- Activities performed by computer/network security analysts
- Difficult, complex work: lots of data from IDS, antivirus systems, firewall logs, server security logs, etc.
- Ever-changing landscape: new threats, new technologies, new software, new vulnerabilities

Outline:
- Introduction
- Current State of ID Technology
- Theory and Background
- Future Research
- Conclusions & Discussion
Introduction
- This introduction
- Part 1: What is the Current State of ID Technology?
- Part 2: What are We Trying to Accomplish?
- Part 3: Future Research Recommendations
- Conclusion/Discussion
Part 1: The Current State of Technology in ID
- History of ID
- Alert Correlation and Data Fusion
- Data Fusion Techniques
- Visualizations
History of Intrusion Detection
Two different locations to monitor:
- Host-Based IDS (Denning)
  - Log files (C2 compliance) on Unix machines (Denning 1987)
  - IDES/NIDES: baseline "normal" user behavior (Javitz et al. 1994)
- Network-Based IDS (Mukherjee/Heberlein)
  - NSM (LAN Monitor): history of previous connections, known bad actor lists, signatures of attack types (Mukherjee et al. 1994)
  - NIDS (multiple network IDS and host) (Snapp et al. 1991) (interesting JDL comparison)
History of Intrusion Detection
Two different methods of analysis:
- Pattern-matching (misuse) detection (Spafford)
  - Match activity to patterns of known undesired behavior (Kumar et al. 1994, 1995)
  - Tripwire: MD hashing of files (Kim et al. 1994)
  - DDoS prevention / SYN floods / active DoS prevention (Schuba et al. 1997)
- Anomaly detection (Stolfo)
  - Looking for abnormalities in network traffic (Lee et al. 1999)
  - Qualitative evaluation of the data stream (statistical methods) (Portnoy et al. 2001): alert on infrequent types of data
  - Statistical payload evaluations for worm detection (Wang et al. 2004, 2006a, 2006b) and mitigation (Locasto et al. 2006)
History of Intrusion Detection
Testing and evaluation of IDSs:
- DARPA IDS data sets from 1998-2000
- The 1999 data set contained:
  - 2 weeks of "training data" with labeled known intrusions
  - 7 weeks of unlabeled data
- Evaluate IDSs under design or in production
- Over-fit problem: IDSs could be developed that find all of the problems in the "training data", but could be very poor at alerting on novel intrusion methods
Alert Correlation and Data Fusion
- Correlate by source, destination or attack method
- Non-trivial: port number vs. service name, IP address vs. hostname, etc. (Cuppens 2001)
- Need adaptors: different systems were not designed for fusion (Debar et al. 2001)
- Promise of better understanding... see next slide
Understanding Through Correlation

| Situation | Combination | Implication |
|---|---|---|
| Situation 1 | Same source, target and alert class | Single attacker against same host |
| Situation 2-1 | Same source and destination | Single attacker on same host, possibly using varying attack methods |
| Situation 2-2 | Same target and same alert class | Distributed attack on a single host |
| Situation 2-3 | Same source and same alert class | Single attacker using the same attack and trying to find any host vulnerable to that attack |
| Situation 3-1 | Same source only | Single attacker using a variety of attack methods on a variety of hosts |
| Situation 3-2 | Same target only | Distributed attacks |
| Situation 3-3 | Same attack class only | Common or novel attack method in use by many attackers |

Adapted from Debar et al. (2001)
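The correlation rules in the table above, as an added example that is not part of the presentation or of Debar et al.'s own system: alerts from heterogeneous sensors are normalised first (the Cuppens 2001 point, with constructed service-name and hostname tables standing in for /etc/services and DNS) and then grouped by which of source, target and alert class they share. All alert data, addresses and class names are constructed.

```python
"""Alert correlation following the Debar et al. (2001) situation table.

Constructed example: alerts from heterogeneous sensors are normalised first
(service name vs. port number, hostname vs. IP address), then grouped by which
of source, target and alert class they share, and each group is mapped to its
situation code and implication."""
from collections import defaultdict

ATTRS = ("source", "target", "class")

# Constructed lookup tables standing in for /etc/services and DNS so the
# example runs offline; a real adaptor would resolve these properly.
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "smtp": 25}
HOSTNAMES = {"web01.example.test": "10.0.0.10", "mail.example.test": "10.0.0.25"}

# Situation codes and implications from the Debar et al. (2001) table.
SITUATIONS = {
    ("source", "target", "class"): ("1", "Single attacker against same host"),
    ("source", "target"): ("2-1", "Single attacker on same host, possibly varying attack methods"),
    ("target", "class"): ("2-2", "Distributed attack on a single host"),
    ("source", "class"): ("2-3", "Single attacker using the same attack against any vulnerable host"),
    ("source",): ("3-1", "Single attacker, variety of attacks on a variety of hosts"),
    ("target",): ("3-2", "Distributed attacks"),
    ("class",): ("3-3", "Common or novel attack method in use by many attackers"),
}


def normalise(alert):
    """Bring sensor-specific encodings onto one vocabulary before correlating."""
    port = alert.get("dst_port")
    if isinstance(port, str):  # e.g. "http" -> 80
        port = SERVICE_PORTS.get(port.lower(), port)
    target = HOSTNAMES.get(alert["target"], alert["target"])  # hostname -> IP
    return {"source": alert["source"], "target": target,
            "class": alert["class"].lower(), "dst_port": port}


def correlate(alerts, min_size=2):
    """One finding per group of alerts that coincide on exactly the attributes
    of a situation; a group that also coincides on a further attribute is
    left to the more specific situation that covers it."""
    norm = [normalise(a) for a in alerts]
    findings = []
    for keys, (code, meaning) in SITUATIONS.items():
        groups = defaultdict(list)
        for a in norm:
            groups[tuple(a[k] for k in keys)].append(a)
        others = [k for k in ATTRS if k not in keys]
        for values, members in groups.items():
            if len(members) < min_size:
                continue
            if any(len({m[o] for m in members}) == 1 for o in others):
                continue
            findings.append({"situation": code, "meaning": meaning,
                             "shared": dict(zip(keys, values)), "count": len(members)})
    return findings


def situation_counts(alerts):
    """Compact view for checking: sorted (situation code, group size) pairs."""
    return sorted((f["situation"], f["count"]) for f in correlate(alerts))


# Constructed sample alerts; the three sensors use different conventions.
SAMPLE_ALERTS = [
    {"source": "198.51.100.7", "target": "web01.example.test", "class": "SQL-Injection", "dst_port": "http"},
    {"source": "198.51.100.7", "target": "10.0.0.10", "class": "sql-injection", "dst_port": 80},
    {"source": "198.51.100.7", "target": "mail.example.test", "class": "sql-injection", "dst_port": 25},
    {"source": "203.0.113.9", "target": "10.0.0.10", "class": "ssh-bruteforce", "dst_port": "ssh"},
    {"source": "203.0.113.10", "target": "10.0.0.10", "class": "ssh-bruteforce", "dst_port": 22},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_ALERTS):
        print(f"Situation {f['situation']}: {f['count']} alerts share {f['shared']} -> {f['meaning']}")
```

On the sample set the same attacker probing two hosts with one technique surfaces as Situation 2-3, while the single target hit by three sources surfaces as Situation 3-2, which is the distinction the table is meant to support.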
Alert Correlation and Data Fusion
JDL Fusion Model (Hall and McMullen 2004), figure showing the levels:
- Source pre-processing
- Level 1: Object refinement
- Level 2: Situation refinement
- Level 3: Threat refinement
Data Fusion Techniques
- Bayesian inference
  - Complete list of all possible states of the system
  - Probabilities of the current state
  - Need for accurate historical data (Holsopple et al. 2006)
- D-S (Dempster-Shafer) theory
  - No need for exact knowledge
  - Sort out independent evidence and combine it using the Dempster rule
  - Very human-like logical combination
  - Can combine evidence from non-similar sources/data types
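The Dempster rule combination described above, as an added illustration that is not from the presentation or the cited papers; the frame of discernment, the three evidence sources and their mass values are constructed. It shows the two points on the slide in code: evidence of different types (a signature hit, a host-log anomaly, a vulnerability scan result) is combined without exact priors, and the total-conflict case where the rule is undefined is handled rather than silently normalised away.

```python
"""Dempster's rule of combination over dissimilar IDS evidence sources.

Constructed example. Frame of discernment: {attack, benign}. Each source puts
mass on subsets of the frame; mass left on the whole frame means "don't know",
which is why D-S needs neither exact priors nor a full enumeration of system
states the way Bayesian inference does."""
from functools import reduce
from itertools import product

FRAME = frozenset({"attack", "benign"})
ATTACK = frozenset({"attack"})
BENIGN = frozenset({"benign"})

# Constructed evidence as mass functions {focal element: mass}, each summing to 1.
NIDS_SIGNATURE = {ATTACK: 0.6, FRAME: 0.4}             # signature hit, some false-positive history
HOST_ANOMALY = {ATTACK: 0.3, BENIGN: 0.2, FRAME: 0.5}  # mild deviation in host logs
VULN_SCAN = {BENIGN: 0.7, FRAME: 0.3}                  # host not known to be vulnerable


def combine(m1, m2):
    """Dempster's rule: intersect every pair of focal elements, multiply their
    masses, collect empty intersections as conflict K, and renormalise by 1-K.
    Returns (fused mass function, K)."""
    fused, conflict = {}, 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        both = a & b
        if both:
            fused[both] = fused.get(both, 0.0) + ma * mb
        else:
            conflict += ma * mb
    if conflict >= 1.0 - 1e-12:
        # Total conflict: the rule is undefined, and normalising anyway would
        # hide that the sources disagree completely.
        raise ValueError("sources are in total conflict; Dempster's rule is undefined")
    return {s: v / (1.0 - conflict) for s, v in fused.items()}, conflict


def fuse(*sources):
    """Fold the rule over any number of independent sources (it is associative)."""
    return reduce(lambda acc, m: combine(acc, m)[0], sources)


def belief(m, hypothesis):
    """Bel(H): total mass on focal elements contained in H (evidence for H)."""
    return sum(v for s, v in m.items() if s <= hypothesis)


def plausibility(m, hypothesis):
    """Pl(H): total mass on focal elements intersecting H (1 - Bel(not H))."""
    return sum(v for s, v in m.items() if s & hypothesis)


if __name__ == "__main__":
    two, k = combine(NIDS_SIGNATURE, HOST_ANOMALY)
    print(f"NIDS + host logs: Bel(attack)={belief(two, ATTACK):.3f} "
          f"Pl(attack)={plausibility(two, ATTACK):.3f} conflict K={k:.2f}")
    three = fuse(NIDS_SIGNATURE, HOST_ANOMALY, VULN_SCAN)
    print(f"+ vuln scan:      Bel(attack)={belief(three, ATTACK):.3f} "
          f"Pl(attack)={plausibility(three, ATTACK):.3f}")
```

The gap between Bel and Pl is the remaining ignorance; adding the scan result that the host is not known to be vulnerable pulls belief in "attack" down from about 0.68 to about 0.39 without any source having to state a prior probability of compromise.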
Data Fusion Techniques
- Data mining algorithms
  - Support Vector Machines (SVMs) (Liu et al. 2007, three papers)
  - Neural networks (Wang et al. 2007)
  - May be helpful in rapidly combining multiple sources of similar data
- Thomas and Balakrishnan (2008)
  - Combined alert data from 3 different IDSs (PHAD, ALAD, Snort) using an MLFF-NN
  - Tested vs. the DARPA 1999 data set
  - Showed improved detection rates on the known data over each individual IDS (68% vs. 28%, 32%, 51%)
Visualizations
- Based on network topology
- Based on geopolitical topology
- Network traffic representations
- Alert and track-based displays
Visualization examples (figure slides):
- Hierarchical network map from Mansmann and Vinnik (2006)
- Representation of threats and actors on a geopolitical map from Pike et al. (2008)
- Representation of host to port to remote port to remote host of network traffic from Fink et al. (2004)
- Panel displaying network connections from a single host from Fischer et al. (2008)
- Representing the Three Ws from Foresti et al. (2007)
Part 2: What are We Trying to Accomplish?
- Definition of Computer Security
- Theory of Situational Awareness
- Cognitive Load Theory
- Cognitive Task Analysis
Definitions...
(Computer) Security is...
- Manunta (1999): Security is the interaction of Asset (A), Protector (P) and Threat (T) in a given Situation (Si)
- CIA Triad (Tipton et al. 2007): Confidentiality, Integrity, Availability
- Bishop (2003): Only authorized actions can be executed by authorized users
Theory of Situational Awareness
- Endsley (1995): state of knowledge
  - Elements
  - Situation
  - Future projection
- An "Awareness Machine" is unlikely; focus instead on "awareness support technologies"
Theory of Situational Awareness: figure of the Endsley (1995) model
Higher Levels of Fusion = Situational Awareness
Figure: Mapping of IDS fusion tasks between the JDL model and the Endsley SA model. From Yang et al. (2009)
Higher Levels of Fusion
- INFERD: Level 2 fusion engine, based on a priori knowledge from system experts; pattern matching of attack methods and known vulnerabilities of the system
- TANDI: Level 3 fusion; projection of future attacks based on knowledge of vulnerabilities of the system
(Yang et al. 2009)
Cognitive Load Theory
- Sweller et al. (1998)
  - Working memory (limited capacity)
  - Long-term memory (unlimited capacity, based on schemas to represent complex, related information)
- Split attention
- Conflicting, repetitive
- Modality effect
Cognitive Task Analysis
- Biros and Eppich (2001): CTA of IDS analysts in the USAF; 5 capabilities required
  - ID non-local addresses
  - ID source addresses
  - Develop a mental image of "normal" behavior
  - Create and maintain SA
  - Knowledge sharing
- Killcrece et al. (2003): CTA of gov't/military security specialists; 3 general categories
  - Reactive work (majority of the work)
  - Proactive work
  - Quality management (training, etc.)
Cognitive Task Analysis
- D'Amico et al. (2007): CTA of network security professionals in the Department of Defense
Part 3: Where Do We Go From Here?
- Model building: to understand the contributions of the algorithm builders
- CTA: to understand the needs of the analyst
- Visualization recommendations: based on the work above
Conclusion
- Current state of ID
  - History of ID
  - Alert correlation and data fusion
  - Data fusion techniques
  - Visualization of underlying and fused data
- Theoretical basis for understanding SA in the cyber security domain
  - Definition of computer security
  - Theory of situational awareness
  - Cognitive load theory
  - Cognitive task analysis
- Recommendations for future work
  - Model building: to understand the contributions of the algorithm builders
  - CTA: to understand the needs of the analyst
  - Visualization recommendations: based on the needs and cognitive capabilities of analysts
Discussion and Questions
Just in case you needed a prompt to ask questions... here it is