A Mission-Centric Framework for Cyber Situational Awareness

Assessing the Risk Associated with Zero-day Vulnerabilities: Automated Methods for Efficient and Effective Analysis of the Zero-day Landscape

S. Jajodia, M. Albanese, George Mason University

ARO-MURI on Cyber-Situation Awareness Review Meeting, Phoenix, AZ, October 28-29, 2013


Where We Stand in the Project

(Figure: project architecture diagram. Blocks: Computer network (Software; Sensors, probes; Hyper Sentry; Cruiser); Enterprise Model, Activity Logs, IDS reports, Vulnerabilities; Data Conditioning, Association & Correlation; Information Aggregation & Fusion (Transaction Graph methods, Damage assessment); Automated Reasoning Tools (R-CAST, Plan-based narratives, Graphical models, Uncertainty analysis); Cognitive Models & Decision Aids (Instance Based Learning Models, Simulation, Measures of SA & Shared SA); Multi-Sensory Human Computer Interaction with System Analysts; Real World and Test-bed computer networks.)

Quad Chart - Year 4

Objectives: Improve Cyber Situation Awareness via
• New efficient techniques for generating partial attack graphs on demand in order to enable effective analysis of zero-day vulnerabilities
• A three-step process to assess the risk associated with zero-day vulnerabilities
• A prototype of the probabilistic framework for unexplained activity analysis

DoD Benefit:
• Ability to answer some important questions automatically and efficiently
• Reduced workload on the analysts
• Reduced gap between raw security data and mental models
• Improved decision support

Scientific/Technical Approach
• Developing an exact algorithm for identifying lower bounds on the value of the k-zero-day safety metric.
• Developing a heuristic algorithm for identifying upper bounds on the value of the k-zero-day safety metric.
• Developing an efficient algorithm for calculating, under certain conditions, the exact value of k.
• Developing all the algorithms above in a way that they do not require the entire attack graph to be computed in advance.

Major Accomplishments
• Developed an efficient approach to assessing the risk of zero-day vulnerabilities (SECRYPT 2013) [Best Paper Award]

Challenges
• Analyzing zero-day vulnerabilities for very large networks

Overview of contribution – Year 1

Technical accomplishments
• A topological approach to Vulnerability Analysis that overcomes the drawbacks of traditional point-wise vulnerability analysis
• Preliminary data structures and graph-based techniques and algorithms for processing alerts/sensory data
• A novel security metric, k-zero day safety, that counts the minimum number of zero day vulnerabilities required for compromising a network asset, and algorithms for applying the metric for hardening a network

Major breakthroughs
• Capability of processing massive amounts of alerts/sensory data in real-time
• Capability of forecasting all possible futures, along with their probabilities and expected damage
• Capability of hardening a network against zero day vulnerabilities

Overview of contribution – Year 2

Technical accomplishments
• Generalized dependency graphs, which capture how network components depend on one another
• Probabilistic temporal attack graphs, which encode probabilistic and temporal knowledge of the attacker's behavior
• Attack scenario graphs, which combine dependency and attack graphs, bridging the gap between known vulnerabilities and the services or missions that could be ultimately affected
• Efficient algorithms for both detection and prediction
• A preliminary model to identify "unexplained" cyber activities, i.e., activities incompatible with any given known activity model, thus potentially improving detection of zero day attacks

Major breakthroughs
• Capability of generating and ranking future attack scenarios in real-time

Overview of contribution – Year 3

Technical accomplishments
• An efficient and cost-effective algorithm to harden a network with respect to given security goals
• A probabilistic framework for localizing attackers in mobile networks, based on the locations of nodes that have detected malicious activity in their neighborhood
• A probabilistic framework for assessing the completeness and quality of available attack models, both at the intrusion detection level and at the alert correlation level (joint work with UMD and ARL)
• A suite of novel techniques – enhancing NSDMiner – to automatically discover dependencies between network services from passively collected network traffic
• Switchwall, an Ethernet-based network fingerprinting technique for detecting unauthorized changes to the L2/L3 network topology

Major breakthroughs
• Capability of automatically and efficiently executing several important analysis tasks, namely hardening, dependency analysis, and attacker localization

Overview of contribution – Year 4

Technical accomplishments
• Effective and efficient methods for generating partial attack graphs on demand in order to enable efficient analysis of zero-day vulnerabilities
• A three-step process to assess the risk associated with zero-day vulnerabilities
• A prototype of the probabilistic framework for unexplained activity analysis

Major breakthroughs
• Capability to reason about zero-day vulnerabilities and efficiently assess the risk associated with such vulnerabilities without generating the entire attack graph

Year 4 Statistics

Publications & presentations
• 2 papers published in peer-reviewed conference proceedings
• Best paper award at SECRYPT 2013
• 2 papers published in a peer-reviewed journal
• 1 book chapter
• 2 invited talks/lectures

Supported personnel
• 2 faculty
• 2 post doctorates
• 1 doctoral student

Proposed Solution: System Architecture

(Figure: system architecture diagram. Components: Monitored Network producing Alerts/Sensory Data; Cauldron; Switchwall; Vulnerability Databases (NVD, OSVDB, CVE); Situation Knowledge Reference Model [Attack Scenario Graphs]; Index & Data Structures; Topological Vulnerability Analysis; Stochastic Attack Models; Generalized Dependency Graphs; Graph Processing and Indexing; Dependency Analysis (NSDMiner); Scenario Analysis & Visualization; Network Hardening; Unexplained Behavior Analysis; Zero-day Analysis; Analyst.)

Zero-Day Analysis

M. Albanese, S. Jajodia, A. Singhal, and L. Wang. "An Efficient Approach to Assessing the Risk of Zero-Day Vulnerabilities". In Proceedings of the 10th International Conference on Security and Cryptography (SECRYPT 2013), Reykjavík, Iceland, July 29-31, 2013. [Best Paper Award]

Background and Motivation (1/2)

• Computer systems are vulnerable to both known and zero-day attacks
   • Known attack patterns can be easily modeled
   • Suitable hardening strategies can be developed
• Handling zero-day vulnerabilities is inherently difficult due to their unpredictable nature
• Attackers can leverage complex interdependencies among both known and unknown vulnerabilities and network configurations to penetrate seemingly well-guarded networks
   • Attack graphs reveal such threats by enumerating potential paths that attackers can take to penetrate networks

Background and Motivation (2/2)

• Previous research has attempted to assess and quantify the risk associated with unknown attack patterns
   • The k-zero-day safety metric was defined
• Existing algorithms for computing the k-zero-day safety metric are not scalable
   • They assume that complete zero-day attack graphs have been generated, which may be unfeasible in practice for large networks

L. Wang, S. Jajodia, A. Singhal, and S. Noel, "k-zero day safety: Measuring the security risk of networks against unknown attacks". In Proceedings of the 15th European Symposium on Research in Computer Security (ESORICS 2010), Springer, 2010

Example of Zero-Day Attack Graph

(Figure: example zero-day attack graph over three hosts: host 0; host 1 running http and ssh; host 2 running ssh.)

Contributions (1/2)

• We propose a set of efficient solutions to address the limitations of current approaches
   • They enable zero-day analysis of practical importance to be applied to networks of realistic sizes
• First, we consider the problem of deciding whether a given network asset is at least k-zero-day safe for a given value of k
   • We drop the assumption that a zero-day vulnerability graph has been pre-computed
   • We combine on-demand attack graph generation with the evaluation of k-zero-day safety

Contributions (2/2)

• Second, we identify an upper bound on the value of k
   • This is done using a heuristic algorithm that integrates attack graph generation and zero-day analysis
• Third, when the upper bound on k is below an admissible threshold, we compute the exact value of k
   • This phase reuses the previously computed partial attack graph
• To the best of our knowledge, this is the first attempt to define a comprehensive and efficient approach to zero-day analysis

Problem Statement (1/3)

Problem 1 (Lower bound): Given a network, a goal condition, and a small integer l, determine whether k ≥ l holds for the goal condition with respect to the network
• Our goal is to identify a lower bound on the value of k
• Analogous to the problem addressed in (Wang et al., 2010), but we do not assume the entire attack graph is available
• The network is defined in terms of initial conditions and known and unknown exploits

Problem Statement (2/3)

Problem 2 (Upper bound): Given a network and a goal condition, find an upper bound u on the value of k with respect to the goal condition
• Our goal is to identify an upper bound on the value of k
• Using a heuristic approach, it is feasible to compute a good upper bound in polynomial time
• If the value of u is below a threshold u*, it may then be feasible to compute the exact value of k

Problem Statement (3/3)

Problem 3 (Exact value): Given a network and a goal condition such that k ≤ u ≤ u* is true for the goal condition with respect to the network, find the exact value of k
• In other words, when the value of k is known to be bounded and the upper bound is small enough, we compute the exact value of k by
   • leveraging the upper bound for pruning
   • reusing the partial attack graph generated during previous steps of the decision process

Overall Decision Process

(Figure: decision flowchart. Start → test k ≥ l. No: Insufficient Security → Harden Network → End. Yes: test k ≤ u ≤ u*. Yes: Find exact k → End. No: Sufficient Security → End.)

Problem 1: Proposed Solution

• We combine an exhaustive forward search of limited depth with partial attack graph generation
   • Only attack paths with up to the given number of zero-day vulnerabilities are generated and evaluated using the metric
   • Connectivity information is used to hypothesize zero-day exploits and guide the generation of the graph
• Algorithm
   • Input: a set of initial conditions, a set of known and zero-day exploits, an integer l, and a goal condition
   • Output: a partial zero-day attack graph, and a truth value indicating whether k ≥ l

Problem 2: Proposed Solution

• In order to avoid the exponential explosion of the search space, we propose a heuristic algorithm that, at each step, maintains only the best partial paths with respect to the metric
• The algorithm builds the attack graph forward, starting from initial conditions
   • Input: a set of initial conditions (or a partial attack graph), a set of known and zero-day exploits, and a goal condition
   • Output: a partial zero-day attack graph, and an upper bound u on the value of k

Problem 3: Proposed Solution

• Our solution consists in performing a forward search, similarly to the previous algorithms
   • The search starts from the partial attack graphs computed in previous steps of the decision process
• Although the value of k is known to be no larger than u, there still may be many paths with more than u distinct zero-day vulnerabilities
   • To limit the search space, compared to a traditional forward search, and to avoid the generation of the entire attack graph, we use the upper bound u computed by the previous algorithm to prune paths not leading to the solution
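As an added example (not the authors' code), the three-step process in Python on a constructed toy network modelled after the slide's host 0/host 1/host 2 picture: a depth-bounded exhaustive search for Problem 1, a width-limited heuristic for Problem 2, and, for Problem 3, the bounded search re-run with budgets up to the upper bound u instead of reusing a stored partial graph. Exploit names, condition strings and the beam width are assumptions.

```python
from collections import deque

# Constructed toy network after the slide's host 0 -> host 1 -> host 2 picture (not the authors' data).
# Exploit = (preconditions, postcondition, zero-day vulnerability id or None for a known exploit).
INITIAL = frozenset({"user(0)", "http(0,1)", "ssh(0,1)", "ssh(1,2)"})
EXPLOITS = [
    (frozenset({"user(0)", "http(0,1)"}), "user(1)", "zd_http"),
    (frozenset({"user(0)", "ssh(0,1)"}), "user(1)", "zd_ssh"),
    (frozenset({"user(1)", "ssh(1,2)"}), "root(2)", "zd_ssh"),  # same vulnerability as above: counted once
]
GOAL = "root(2)"  # the asset whose compromise the metric measures

def successors(state):
    """Apply every exploit whose preconditions hold; state = (conditions, distinct zero-days used)."""
    conds, zds = state
    for pre, post, zd in EXPLOITS:
        if pre <= conds and post not in conds:
            yield (conds | {post}, zds | ({zd} if zd else set()))

def reachable_within(limit):
    """Problem 1: exhaustive forward search that only expands paths using at most `limit` distinct zero-days."""
    seen, queue = set(), deque([(INITIAL, frozenset())])
    while queue:
        state = queue.popleft()
        if GOAL in state[0]:
            return True
        for nxt in successors(state):
            if len(nxt[1]) <= limit and nxt not in seen:  # the graph is generated only up to the bound
                seen.add(nxt)
                queue.append(nxt)
    return False

def is_l_zero_day_safe(l):
    """k >= l holds exactly when no path with fewer than l distinct zero-days reaches the goal."""
    return not reachable_within(l - 1)

def upper_bound(width=1):
    """Problem 2: heuristic forward search keeping only the `width` partial states with fewest zero-days."""
    frontier = [(INITIAL, frozenset())]
    while frontier:
        for state in frontier:
            if GOAL in state[0]:
                return len(state[1])  # an upper bound u on k, not necessarily k itself
        nxt = {s for st in frontier for s in successors(st)}
        frontier = sorted(nxt, key=lambda s: (len(s[1]), sorted(s[1]), sorted(s[0])))[:width]
    return None  # goal not reached along the kept partial paths

def exact_k(u):
    """Problem 3: the bound u prunes the search; the smallest budget that still reaches the goal is k."""
    return next((n for n in range(u + 1) if reachable_within(n)), None)
```

With width 1 the heuristic keeps the http path and reports u = 2, while the pruned exact search finds k = 1 via the repeated ssh zero-day; widening the beam to 2 already closes that gap.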


Experiments

• The objective of our experiments was three-fold
   • We evaluated the performance of the proposed algorithms in terms of processing time
      • The algorithms are efficient enough to be practical
   • We evaluated the percentage of nodes included in the generated partial attack graph compared to the full attack graph
      • This shows the benefits in terms of both time and storage
   • We evaluated the accuracy of estimations made using the heuristic algorithm compared to the exact results obtained using a brute force approach

: Processing Time

(Figure: processing time in seconds (0 to 20,000) against number of nodes (0 to 80,000) for l = 1, l = 2 and l = 3, with a quadratic regression fit, R² = 0.999906920908941.)

: Percentage of Nodes

(Figure: percentage of visited nodes (0 to 1) against number of nodes (0 to 80,000) for l = 1, l = 2 and l = 3.)

: Processing Time

(Figure: processing time in seconds (0 to 200,000) against number of nodes (0 to 80,000) for t = 1, t = 2 and t = 5.)

: Percentage of Nodes

(Figure: percentage of visited nodes (0 to 1) against number of nodes (0 to 80,000) for t = 1, t = 2 and t = 3.)

: Approximation Ratio

(Figure: approximation ratio (0.9 to 1.5) against t (0 to 12) for networks of 7, 21, 121 and 341 nodes.)

Conclusions

• We studied the problem of efficiently estimating the k-zero-day safety of networks
• We presented three polynomial algorithms for establishing lower and upper bounds of k and for calculating the actual value of k, while generating only partial attack graphs on-demand
• Experimental results confirm their efficiency and effectiveness
• Although we focused on k-zero-day safety, our techniques can be easily extended to other analyses on attack graphs
• Future work includes
   • Fine-tuning the approximation algorithm through various ways for ranking partial solutions
   • Evaluating the framework on diverse network scenarios

Future Work


Plan for Year 5

• Year 5 will primarily focus on
   • integration of the results of our efforts with results from other MURI team members
   • extensive evaluation and refinement of techniques proposed in years 1 to 4
• Specific technical objectives include
   • Integrating zero-day analysis (Year 4) with our network hardening approach (Year 3)
      • The objective is to harden a target network w.r.t. both known and unknown vulnerabilities in an effective and efficient way

Questions?
