UNCLASSIFIED / APPROVED FOR PUBLIC RELEASE
The Nation’s Premier Laboratory for Land Forces
Chief, Network Science Division
U.S. Army Research Laboratory
U.S. Army Research Laboratory
Making today’s Army and the next Army obsolete
Vision: The Nation’s Premier Laboratory for Land Forces.
Mission: DISCOVER, INNOVATE, and TRANSITION Science and Technology to ensure dominant strategic land power
Command Relationships
• ARDEC: Armaments Research, Development & Engineering Center
• TARDEC: Tank & Automotive Research, Development & Engineering Center
• NSRDEC: Natick Soldier Research, Development & Engineering Center
• ECBC: Edgewood Chemical Biological Center
• AMRDEC: Aviation & Missile Research, Development & Engineering Center
• ARL: Army Research Laboratory
• AMSAA: Army Materiel Systems Analysis Activity
• CERDEC: Communications-Electronics Research, Development & Engineering Center
U.S. Army Research Laboratory: America’s Laboratory for the Army
Primary sites: Aberdeen Proving Ground; Adelphi Laboratory Center; Orlando; Raleigh-Durham; White Sands Missile Range
Field elements: United Kingdom; Japan; Chile
Workforce: 2,013 civilians, 33 military; direct contact with thousands of private sector S&Es
Partnerships:
• 275 academic partners in 50 states + DC
• 1,121 single investigator grants; 59 MURI; 3 UARCs; 3 COEs
• 77 Phase I SBIR; 23 Phase II SBIR; 11 Phase IIE SBIR
• 50 CRADAs; 32 TSAs
• 28 DEA/IEA; 3 PA/MOU; 17 TTCP; 7 NATO; 3 ESEP
• 6 Collaborative Technology Alliances; International Technology Alliance
U.S. Army Research Laboratory: organization
Director: Dr. Thomas Russell
MILDEP; Deputy Director for Basic Science & Director, Army Research Office (ARO)
Army Research Office: Math & Info Sciences; Physical Sciences; Engineering Sciences
Directorates: Vehicle Technology; Human Research & Engineering; Computational & Information Sciences; Sensors & Electron Devices; Weapons & Materials Research; Survivability/Lethality Analysis
Characteristic Problems in Cyber Science and Engineering
The science and engineering of (cyber)security is the study and optimization of the relations between policy, attacker, and defender.
• Policy P: a set of assertions about what events should and should not happen. To simplify, focus on incidents I: events that should not happen.
• Defender D: a model / description of the defender’s defensive tools and techniques Td, and operational assets, networks and systems Nd.
• Attacker A: a model / description of the attacker’s tools and techniques Ta.
Characteristic Problems and Models of Cyber
Then, we seek models of the relations between I, Td, Nd, Ta:
(I, Td, Nd, Ta) = 0
Note: The above does not mean I expect to see a fundamental equation of this form. It is merely a shorthand for models that relate I, Td, Nd, Ta.
Kott, Alexander. "Towards fundamental science of cyber security." Network Science and Cybersecurity. Springer New York, 2014. 1-13. arXiv:1512.00407
Similar perspective in:
• Schneider, F. B., “Blueprint for a Science of Cybersecurity,” The Next Wave, Vol. 19, No. 2, 2012
• Bau, J., and Mitchell, J. C., “Security Modeling and Analysis,” IEEE Security & Privacy, May-June 2011
Tentative Taxonomy of Common Cyber-related Models
• Emulation (often with simulation) of networks: actual hardware, software, humans, e.g., cyber ranges.
• Training-focused simulations: presenting to human trainees the effects of a cyber attack, without modeling the underlying process.
• M&S of human cognitive processing of cyber events and situations: perception, recognition, situation awareness, decision making.
• M&S of attack progress and malware propagation:
  – Attack-graph-based approaches
  – Epidemiology analogy, e.g., Susceptible, Infected, Recovered (SIR)
• Abstract wargaming: game-theoretic model of cyber conflict, without modeling the underlying processes of cyber attack and defense.
• Business process models: defense, offense and business processes, along with business IT architecture, simulated for observing resulting effects.
• Statistical models of cyber events: cyber processes are represented as, e.g., equations of Poisson processes, and coefficients are learned from a training dataset.
• Two classes of models that support cyber modeling but do not model cyber aspects themselves:
  – physical systems models to support modeling of cyber-physical effects;
  – network simulation models.
Human User Vulnerability to Cyber Attacks: Effect of Psychological and Cognitive Aspects
J.H. Cho, H. Cam, and A. Oltramari, “Effect of Personality Traits on Trust and Risk to Phishing Vulnerability: Modeling and Analysis,” accepted to IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA’2016), 21-25 March 2016, San Diego, USA
Personality Traits vs. Phishing Susceptibility
Research Question: Can we predict an individual’s phishing susceptibility, given his/her personality traits?
Motivation: Empirical experiments have shown that an individual’s personality traits affect phishing vulnerability.
Goal: Develop a mathematical model to predict an individual’s phishing susceptibility in terms of perceived trust and risk and decision performance.
Contributions:
• Investigated the correlations between phishing susceptibility and personality traits
• Developed a mathematical model using Stochastic Petri Nets to predict an individual’s vulnerability and resilience to phishing attacks
• Demonstrated experimental results on the effect of an individual’s personality traits on perceived trust and risk and decision performance to phishing attacks
Cho, Oltramari (CMU), Cam (NSD/ARL) – accepted to CogSIMA16
Big Five Personality Traits
Are there any relationships between personality traits and phishing susceptibility?
• Openness: Fantasy, Aesthetics, Feelings, Actions, Ideas, Values
• Conscientiousness: Competence, Order, Dutifulness, Achievement Striving, Self-Discipline, Deliberation
• Extroversion: Warmth, Gregariousness, Assertiveness, Activity, Excitement Seeking, Positive Emotion
• Agreeableness: Trust, Straightforwardness, Altruism, Compliance, Modesty, Tender-mindedness
• Neuroticism: Anxiety, Hostility, Depression, Self-Consciousness, Impulsiveness, Vulnerability to Stress
Source: http://psytreasure.com/the-big-5-theory-of-personality-the-o-c-e-a-n-of-human-behavior/#
Cho, Oltramari (CMU), Cam (NSD/ARL) – accepted to CogSIMA16
Personality Traits vs. Phishing Susceptibility
Humans’ trust and risk assessments are subjective in nature as they depend on personality traits (Loewenstein et al., 2001; Chauvin et al., 2007; Ulleberg et al., 2003; Tupes et al., 1992).
• Openness: lower perceived risk
• Neuroticism: higher perceived risk
• Agreeableness: lower perceived risk; more trust
Cho, Oltramari (CMU), Cam (NSD/ARL) – accepted to CogSIMA16
Personality Traits vs. Phishing Susceptibility
[Figure: Trust, Risk, and Accuracy for C vs. N under Low O & C]
• N (Neuroticism) increases perceived risk while decreasing perceived trust
• However, high C (Conscientiousness) can overcome the disadvantage of high N
Cho, Oltramari (CMU), Cam (NSD/ARL) – accepted to CogSIMA16
Detection of Malicious Activities: Simulation of Learning and Decisions by a Cyber Analyst
Ben-Asher, N., Oltramari, A., Erbacher, R.F., and Gonzalez, C. (2015). Ontology-based Adaptive Systems of Cyber Defense. The 10th International Conference on Semantic Technology for Intelligence, Defense, and Security (STIDS). Fairfax, VA, USA
Cognitive Modeling and Simulation in Cyber Security
Goal:
– Understand the decision making processes of cyber defenders and attackers and predict their decisions
Benefits:
– Improve training of cyber defenders; develop cognition-driven decision support tools
– Long-term, automate tasks performed by defenders (and attackers?)
Methodology:
– Cognitive models providing a computational framework for capturing core elements of humans’ decision making processes and learning from experience in dynamic environments
Modeling Detection of Adversarial Reconnaissance
Understand and model the critical components for port scanning detection.
The defender model includes:
– An Instance-Based Learning model that captures decision making and learning from experience in dynamic environments
– A Packet-Centric ontology, developed and used to represent the defender’s information
[Figure: Human holistic cycle vs. modeled decision making process]
Simulation Experiment
Two cognitive agents (defenders) with the same cognitive mechanisms that differed only in their situation awareness (i.e., availability of information):
– The Experience Only agent assesses one event at a time
– The Information and Experience agent observes the temporal properties of a sequence of packets by querying the packet-centric ontology
An attacker executes a vertical port scan using nmap in a network with 16 nodes (i.e., unique IP addresses).
The agents’ rewards were based on a payoff matrix:
Scan Detection Results
Correct detection of scanning sequence: the proportion of conversations between two IPs that were correctly classified as scans, answering the question “Does IP X scan IP Y?”
• Hits – Both the Experience Only and the Information and Experience agents detected the malicious IP (192.168.1.8)
• False Alarms – The Experience Only agent flagged an additional 10% of the IPs as malicious
[Figure: detection results for the Experience Only and the Information and Experience agents]
Extracted Decision Rules
What did the agent learn? By looking at the instances in the agent’s memory and their activation, we can deduce the classification rules each model formed.
Experience Only agent:
– Any TCP SYN packet is a scan packet
Information and Experience agent:
– A TCP packet that is part of a sequence of packets in which:
  • The packets come from a source that uses a small number of ports
  • The packets are directed to a large number of destination ports
  • The ratio between SYN packets and other packets is close to 1
  • The common response of the destination to packets coming from this source is an ACK-SYN (SYN-ACK) packet (ratio between ACK-SYN packets and other packets ~ 1)
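The two extracted rules applied to a packet sample, as an added illustration that is not code from the slides or from Ben-Asher et al.: packets are grouped into directed conversations (“does IP X scan IP Y?”), the four features of the Information and Experience rule are computed per conversation, and both rules are scored for hits and false alarms. The scanning address 192.168.1.8 is from the slides; the other addresses, ports, flag strings and the thresholds for “small”, “large” and “close to 1” are assumed.

```python
"""Added example, not code from the slides or from Ben-Asher et al.: apply the
two extracted decision rules to a constructed packet sample and compare hits
and false alarms per directed conversation ("does IP X scan IP Y?")."""
from collections import defaultdict

# Constructed sample. 192.168.1.8 is the scanning host named on the slides;
# the other addresses, ports and TCP flag strings are assumed for illustration.
SCANNER, CLIENT, SERVER = "192.168.1.8", "192.168.1.5", "192.168.1.3"
TRUE_SCANNERS = {(SCANNER, SERVER)}


def build_sample_packets():
    """Return (src_ip, src_port, dst_ip, dst_port, flags) records:
    a vertical scan from one source port across 20 destination ports,
    each answered with SYN-ACK as in the slides' rule, plus three ordinary
    HTTP connections (handshake and data) from a client using fresh ports."""
    pkts = []
    for dport in range(20, 40):
        pkts.append((SCANNER, 40001, SERVER, dport, "S"))
        pkts.append((SERVER, dport, SCANNER, 40001, "SA"))
    for sport in (51000, 51001, 51002):
        pkts += [(CLIENT, sport, SERVER, 80, "S"), (SERVER, 80, CLIENT, sport, "SA"),
                 (CLIENT, sport, SERVER, 80, "A"), (CLIENT, sport, SERVER, 80, "PA"),
                 (SERVER, 80, CLIENT, sport, "PA"), (CLIENT, sport, SERVER, 80, "A")]
    return pkts


def conversation_features(packets):
    """Group packets by directed pair (X, Y) and compute the features the
    Information and Experience agent's rule refers to: number of distinct
    source ports X uses, number of distinct destination ports on Y, the
    fraction of X->Y packets that are SYN, and the fraction of Y->X replies
    that are SYN-ACK."""
    sent_by = defaultdict(list)
    for src, sport, dst, dport, flags in packets:
        sent_by[(src, dst)].append((sport, dport, flags))
    feats = {}
    for (x, y), sent in sent_by.items():
        replies = sent_by.get((y, x), [])
        feats[(x, y)] = {
            "src_ports": len({sp for sp, _, _ in sent}),
            "dst_ports": len({dp for _, dp, _ in sent}),
            "syn_ratio": sum(fl == "S" for _, _, fl in sent) / len(sent),
            "synack_ratio": (sum(fl == "SA" for _, _, fl in replies) / len(replies)
                             if replies else 0.0),
        }
    return feats


def experience_only_rule(f):
    """Slide rule: any TCP SYN packet is a scan packet, so a conversation
    containing any SYN from X is classified as a scan."""
    return f["syn_ratio"] > 0


def info_and_experience_rule(f, max_src_ports=2, min_dst_ports=10, ratio_floor=0.8):
    """Slide rule with assumed thresholds for 'small', 'large' and 'close to 1'."""
    return (f["src_ports"] <= max_src_ports and f["dst_ports"] >= min_dst_ports
            and f["syn_ratio"] >= ratio_floor and f["synack_ratio"] >= ratio_floor)


def classify(packets, rule):
    """Map each directed conversation to the rule's verdict."""
    return {pair: rule(f) for pair, f in conversation_features(packets).items()}


def score(verdicts, true_scanners=TRUE_SCANNERS):
    """Split positive verdicts into hits and false alarms against ground truth."""
    flagged = {pair for pair, is_scan in verdicts.items() if is_scan}
    return flagged & true_scanners, flagged - true_scanners


if __name__ == "__main__":
    packets = build_sample_packets()
    for name, rule in (("Experience Only", experience_only_rule),
                       ("Information and Experience", info_and_experience_rule)):
        hits, false_alarms = score(classify(packets, rule))
        print(f"{name}: hits={sorted(hits)} false alarms={sorted(false_alarms)}")
```

On this sample the Experience Only rule flags the ordinary client as well as the scanner, the same kind of false alarm the slides report, while the sequence-level rule flags only the scanner.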
Situational Awareness in Tactical Ground Battle: Simulation of Cyber Effects for Training
H. Marshall et al., Cyber Operations Battlefield Web Services (COBWebS); Concept for a Tactical Cyber Warfare Effect Training Prototype, Fall SIW 2015, Orlando, FL, 2015. Best Paper Award.
Prototype Design
COBWebS: Cyber Operations Battlefield Web Service
COBWebS definition – cob-web:
1 a: the network spread by a spider
  b: tangles of the silken threads of a spiderweb usually covered with accumulated dirt and dust
2: something that entangles, obscures, or confuses
"Cobweb." Merriam-Webster.com. Merriam-Webster, n.d. Web. 27 May 2014. <http://www.merriam-webster.com/dictionary/cobweb>.
Design Overview
The Computer Network Attack Service provides the capability for “Spyders” to get into the COBWebS and attack inbound and outbound data to and from the mission command devices. The types of attack capabilities are:
• Directed Denial of Service
• Information Delay
• Information Forgery
• Information Interception
[Figure: COBWebS architecture. A Simulation Client and a Mission Command Adapter Web Service exchange Config, Tools, Message and Client services (each with a client-side “c” and a server-side “s” half) over the Simulation Network (DIS, HLA, etc.) and the Tactical Network (JVMF, TADILJ, USMTF, FDL, etc.), connecting to the mission command systems FBCB2, AFATDS, DCGS-A and AMDWS. The Command Web Test Driver Interface shows the Information Interception, Information Forgery, Information Delay and Distributed Denial of Service panels, each taking originator/recipient URN codes, a map location or a duration, and a Launch button. Note: URNs are fictional.]
Legend: Simple Object Access Protocol (SOAP); <SERVICE NAME>c = web service, client side; <SERVICE NAME>s = web service, server side.
Gap criteria checklist:
• Remote mission command of multiple cyber offensive and defensive platforms
• Modeling and execution of offensive and defensive cyber activities providing force multiplier effects
• Virtualization of offensive/threat and defensive networks
• Offensive and defensive cyber tools developed as software services available in secure cloud environments
COBWebS Capabilities
• Provide the ability for trainers to incorporate cyber warfare elements into their exercises to meet training objectives
• Train the trainees to recognize symptoms of cyber attacks
  – Develop contingencies, based on what has been compromised
  – Develop workarounds
  – Alternative Courses of Action (COAs)
• Help develop cyber doctrine based on detecting, responding to, and recovering from a cyber attack
• Provides an Information Assurance (IA) safe environment without corrupting the network infrastructure
  – Typical in cyber range exercises
  – Can be integrated with cyber test ranges
• Software solution only – no special hardware required
Potential Use Case Examples
Change all Opposing Force (OPFOR) observation reports to Blue Force (BLUFOR) position reports:
1. Intercept all entity position reports and observation reports (via II)
2. Deny original position reports from sender (via DoS)
3. Use the location information to generate observation reports (via IF)
4. Deny original observation reports from sender (via DoS)
5. Use the observed location information to generate position reports (via IF)
Postponement of critical information:
1. Intercept to identify target units (via II)
2. Delay observation reports on receiving target (via ID)
Potential Use Case Examples (cont’d)
Man-in-the-middle attack:
1. Discovery, searching, probing for vulnerabilities (via II)
2. Denial of Service on sender (via DoS)
3. Send fake message to specified receiver on original sender’s behalf (via IF)
Use IF to send a Nuclear/Biological/Chemical (NBC) report to move to Mission Oriented Protective Posture (MOPP) level 4:
1. Discovery, searching, probing for vulnerabilities (via II)
2. Send fake NBC report (via IF)
Potential Use Case Examples (cont’d)
Using COBWebS’s II, DoS, ID, and IF capabilities to deceive and disrupt BLUFOR’s SA as reflected on their Mission Command (MC) systems.
[Figure: Ground truth simulated by constructive simulation vs. perceived truth as seen on MC systems as a result of cyber attacks: forged BLUFOR locations; observation reports (ObsRpts) sent by BLUFOR were denied and thus not reflected; BLUFOR killed. Note: units and graphics are fictional.]
Cyber Expertise
• Development of a Distributed Cyber Operations Modeling and Simulation Framework – won the SIWzie Award at the 2012 Fall SIW
• Development of a Cyber Warfare Training Prototype for Current Simulations – won the Outstanding Paper Award at the 2014 Fall SIW
• Cyber Operations Battlefield Web Services (COBWebS); Concept for a Tactical Cyber Warfare Training Prototype – won the Outstanding Paper Award at the 2015 Fall SIW
SIW = Simulation Interoperability Workshop
Tactical Communication Network: Effects of Cyber Maneuvers, Mission and Environment on the Survival of Network
Marvel, L. M., Brown, S., Neamtiu, I., Harang, R., Harman, D., & Henz, B. (2015, October). A framework to evaluate cyber agility. In Military Communications Conference, MILCOM 2015 (pp. 31-36). IEEE.
Goal
Develop a framework to help evaluate the cost and utility of cyber agility maneuvers within networks that have constrained resources such as bandwidth and energy (e.g., MANETs).
– Introduce notional measures of health, security and capability and their interrelationship
– Consider mission goals (e.g., maximizing capability while securing a critical path), operating conditions, cost and maneuver selection to construct evaluation metrics
Framework Preliminaries
[Figure: Node States and Notional Measures for Potential Agility Maneuvers; node states include Patched]
Consider the Mission …
Primary Mission Goal: Secure a critical communication path through a network for some time duration to transfer vital information.
Secondary Mission Goal: Secure the entire network in minimal time while maximizing the capability of network nodes and minimizing energy consumption.
While we are securing this critical path/network, we have the option of selecting agility maneuvers that will maximize the capability of nodes on the critical path while minimizing the energy consumption expended to perform the maneuvers in a resource constrained environment.
Applying the Framework
We consider two operating scenarios:
Scenario 1: In the presence of a known vulnerability for which a patch is present within the network
Scenario 2: In the presence of a detected infection that propagates through the network exploiting a known vulnerability for which a patch exists and is present within the network
Scenario 2: Health
Comparison of all maneuver sequences, satisfying first the primary and then the secondary mission goals.
There are 505 possible maneuver sequence selections in the set; P(infection) = 0.8 for each communication exchange with the infected node.
[Figure: Best Health Heatmap (Scenario 2: Infection)]
Scenario 2: Capability
Comparison of all maneuver sequences, satisfying first the primary and then the secondary mission goals and prioritizing capability.
[Figure: Best Capability Heatmap (Scenario 2: Infection)]
Scenario 2: Security
Comparison of all maneuver sequences, satisfying first the primary and then the secondary mission goals and prioritizing security.
[Figure: Best Security Heatmap (Scenario 2: Infection)]
Conclusions/Future Work
• An evaluation framework that can provide metric comparisons for future agility maneuvers and operating scenarios
• Simulations can help to calculate costs in a dynamic network environment where terrain, communication links, communication volume, energy constraints and routing protocols can be varied
Future:
• Consider multiple vulnerabilities and infections of varying severity
• Vary propagation rates
• Competing mission goals
• Add node mobility scenarios
• Replacement of the notional measures of health, security and capability with quantifiable metrics
Simulated Network and Real Applications: Simulation of Stealthy Software Migration and its Detection
http://www.appcomsci.com/research/tools/cybervan
CyberVAN Concept: Run Real Applications over a Simulated Network
The network is represented in a Discrete Event Simulator (DES) such as ns-3, OPNET, QualNet, or ns-2.
• Applications run on virtual machines (VMs) in their native environments
• Each VM is mapped to a node in the simulated network
• Applications on VMs communicate with each other over the simulated network
[Figure: CyberVAN testbed – each of several virtual machines running applications is mapped to a simulated node in the simulated network]
Why use a simulated network?
Several existing testbeds provide large-scale, real-time, wired network emulation for cyber experimentation, e.g., DETER.
– These testbeds make use of wired networks emulating large-scale cyber environments
– Drawback: no ability to model wireless networking environments with any level of fidelity
In contrast, a simulated network provides:
– Very high fidelity reproduction of network effects like propagation, interference, loss
– Node mobility
– High fidelity simulation of MAC layer and network layer protocols
– Ability to leverage existing simulation models of wireless networks, e.g., JTN models of JTRS waveforms
The use of a simulated network in a cyber testbed enables high fidelity representation of tactical networks – a critical need for the Army.
CyberVAN Key Innovations
Transparent Packet Forwarding
– Send network traffic generated by real applications over a simulated network in a manner transparent to the applications
• Currently, simulators like OPNET and QualNet provide custom solutions for this, requiring use of OPNET/QualNet-specific APIs to enable such a capability; the CyberVAN capability is generic and independent of simulator type
TimeSync: Network Scalability
– Developed capability to synchronize time across the simulated network and applications running outside of the simulation to enable very large scale experiments
• Can run experiments slower or faster than real time
Problem Statement
Motivation:
– Migrating VMs from one physical machine to another is a frequently performed operation in data centers, for many reasons such as moving target defense, load balancing, hardware upgrades, performance optimization, etc.
– Virtually all attacks on live VM migration over a network require that the attacker be able to detect that a VM migration is in progress
Problem addressed: Secure VM migration against traffic analysis attacks
– High-level approach: Develop several camouflaging techniques to make a VM migration flow indistinguishable from normal traffic, by changing its distinct traffic pattern and statistical characteristics
VM migration is typically easily detectable
Traffic analysis can:
– Detect >90% of VM migrations on the network
– Determine migration duration
– Determine migration endpoints
– Calculate migration transmission rate and migrated memory
• Encryption and tunneling do not prevent traffic analysis from detecting VM migrations with high accuracy
Solution: Stealthy Migration System
• Shape network traffic using a dynamic hierarchy token bucket
• Introduce chaffing traffic that balances migration and chaffing traffic
• Dynamically vary the migration rate in a pseudo-random way within normal statistical traffic bounds to camouflage migration traffic
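A toy model of the three ingredients above, added here as an illustration that is not CyberVAN code or the stealthy migration system itself: a token-bucket shaper whose refill rate is varied pseudo-randomly within the envelope of ordinary flows, chaff that tops each tick up to a pseudo-random target in the same envelope, and a peak-rate/steady-rate detector standing in for the traffic-analysis attacker. The envelope bounds, VM memory size, line rate and detector rules are all assumed values.

```python
"""Added example (not CyberVAN or ARL code): a toy model of the three stealthy
migration ingredients on the slide. A token-bucket shaper caps the migration's
per-tick send rate, its refill rate varies pseudo-randomly within the bounds
observed for ordinary flows, and chaff tops each tick up to a pseudo-random
target in the same bounds. A peak-rate/steady-rate check stands in for the
traffic-analysis attacker. All byte counts and bounds are constructed."""
import random
from itertools import repeat

# Constructed normal-flow envelope: ordinary flows on this link send between
# LO and HI bytes per one-second tick (assumed values).
LO, HI = 2_000_000, 6_000_000
VM_MEMORY = 256_000_000     # bytes to copy for the migration (constructed)
LINE_RATE = 64_000_000      # unshaped migration sends at line rate (constructed)


def shape_migration(total_bytes, tick_rates, burst):
    """Token-bucket shaper: each tick refills the bucket from tick_rates (an
    iterator of byte allowances), capped at burst, and sends whatever of the
    remaining migration data the bucket allows. Returns bytes sent per tick."""
    tokens, remaining, sent = 0, total_bytes, []
    while remaining > 0:
        tokens = min(burst, tokens + next(tick_rates))
        out = min(remaining, tokens)
        tokens -= out
        remaining -= out
        sent.append(out)
    return sent


def add_chaff(migration_sent, rng, lo=LO, hi=HI):
    """For each tick draw a target flow size within the normal envelope and pad
    the migration bytes with chaff up to that target. Returns (totals, chaff)."""
    totals, chaff = [], []
    for m in migration_sent:
        target = rng.randint(lo, hi)
        c = max(0, target - m)
        totals.append(m + c)
        chaff.append(c)
    return totals, chaff


def looks_like_migration(flow, hi=HI):
    """Stand-in for the traffic analyst: flag a flow whose peak exceeds the
    normal ceiling, or that holds one exact rate for three or more ticks (the
    line-rate plateau a memory copy produces)."""
    return max(flow) > hi or (len(flow) >= 3 and len(set(flow)) == 1)


def run_comparison(seed=7):
    """Run the unshaped and the stealthy migration through the detector and
    report duration, detectability and the bandwidth cost of the chaff."""
    rng = random.Random(seed)
    # Baseline: migration at line rate, no shaping, no chaff.
    plain = shape_migration(VM_MEMORY, repeat(LINE_RATE), LINE_RATE)
    # Stealthy: pseudo-random refill between LO and 4 MB/tick keeps the shaped
    # migration under HI even before chaff; chaff then fills up to a random target.
    rates = iter(lambda: rng.randint(LO, 4_000_000), None)
    shaped = shape_migration(VM_MEMORY, rates, HI)
    totals, chaff = add_chaff(shaped, rng)
    return {
        "unshaped_ticks": len(plain),
        "unshaped_detected": looks_like_migration(plain),
        "stealthy_ticks": len(totals),
        "stealthy_detected": looks_like_migration(totals),
        "migration_bytes": sum(shaped),
        "chaff_bytes": sum(chaff),
        "all_within_envelope": all(LO <= t <= HI for t in totals),
    }


if __name__ == "__main__":
    for key, value in run_comparison().items():
        print(f"{key}: {value}")
```

The output makes the trade-off explicit: the stealthy migration stays inside the normal envelope and is not flagged, but it takes many more ticks to finish and spends extra bytes on chaff.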
Experimentation Approach
Use a CyberVAN scenario to run high fidelity experiments:
– Run baseline scenario without evasive maneuvers
– Run scenario with evasive maneuver and traffic conditioning
– Experiment with libvirt-based migration and native migration
– Experiment with different network speeds & latencies, different background traffic
– Collect and analyze data at attacker and migration destination
– Determine whether attacker can detect VM migration
Use of TimeSync:
– Needed to simulate large volumes of traffic with very high fidelity, resulting in the DES running slower than real time
RESULTS: Stealth System makes VM migration undetectable
Enterprise-Wide Model: Effect of Cyber Attacks on Enterprise Control
S. Noel, J. Ludwig, P. Jain, D. Johnson, R. Thomas, J. McFarland, B. King, S. Webster and B. Tello, "Analyzing Mission Impacts of Cyber Actions," in Proceedings of the NATO IST-128 Workshop on Cyber Attack Detection, Forensics and Attribution for Assessment of Mission Impact, Istanbul, 2015.
Example 1: Model-Driven Mission Impact Assessment
Analyzing Mission Impacts of Cyber Actions (AMICA)
Mission is the Joint Targeting Process
MITRE, MIT-LL, IDA, CMU SEI
Questions it can answer:
• How long an attack can the mission withstand without impact?
• How long does it take the mission to recover from an attack?
• What is more damaging to the mission: loss of reach-back availability or degradation of Air & Space Operations Center (AOC) system assets?
• How many targets can be impacted by confidentiality/integrity attacks before the mission is impacted?
AMICA Connects Kinetic Mission to Cyber Actions
[Figure: AMICA inputs – Cyber Scenario, Attacker Capabilities, Defender Capabilities, Mission Scenario; outputs – Mission Metrics, Event Logs, Visualization]
Adapted by permission from the paper by S. Noel et al., “Analyzing Mission Impacts of Cyber Actions,” presented at the NATO IST-128 Workshop on Assessment of Mission Impact, Istanbul, Turkey, June 15-17, 2015
Extensible M&S Libraries to Quickly Create the Needed Analysis Environment
Developing parameterized libraries of models: each piece of AMICA is designed to be modular and extensible to support future mission areas, cyber dependencies, attack patterns and defenses, with well defined interfaces.
• Library of Mission Models (Targeting, BMD, etc.)
• Library of Infrastructure Models (covering multiple missions)
• Library of Attacker Models (attack graphs)
• Library of Defender Models (workflows)
Mission Model
Process model capturing workflow, timing, and resources for the DoD kinetic targeting process (from CJCSI 3370.01)
Originally developed for EUCOM as part of Austere Challenge 10 and selected due to pedigree and maturity
– 200+ steps with timing & resources (dependent on target complexity)
– Covers targeting process from basic target development through MAAP/ATO & BDA
Modified for AMICA by breaking into modules and connecting to CyCS nodes
UNCLASSIFIED / APPROVED FOR PUBLIC RELEASE
50
UNCLASSIFIED / APPROVED FOR PUBLIC RELEASE The Nation’s Premier Laboratory for Land Forces
Attacker Model
Modeled as a process simulation that captures the steps the attacker follows
– Assumes attacker has some knowledge of mission and access on secure network
– Responsive to defense actions
– Adjust sophistication through probability of success/detection on attack steps
Conceptually follows ‘Cyber:14’ threat models
– Cyber:14 study (ARCYBER, defense of Dept. of Defense Information Network (DODIN))
– Contains 1000s of nodes (mainly system-steps) of integrated attacker and defender/sensor actions for server-, host-, and email-based attacks
Initial Foothold
- Initial access via spear phishing campaign
- Includes time for research to find targets
Lateral Movement
- Scan network for goal node (e.g. database) reachability
- Infect laterally until target node is reachable
Achieve Goal
- Realize an effect on confidentiality, integrity, or availability on goal node
- Maintain presence and re-infect as necessary
[Flowchart: attacker process model. Steps and timings: Get Spear Phishing Targets, Between(1,3)d; Choose & Infect Target, Between(30,90)m; Perform Network Scan, Between(15,45)m; Compromise Goal Node, Between(30,90)m; Perform Attack, 0m (ConfidentialityAttack, IntegrityAttack or AvailabilityAttack, selected by Attack Type?); Affect Mission, 0m; Wait for desired time to affect Mission, Gate By Time: 2 Hours; Gate By Time: AttackTime Hours; Periodically check for detection, Gate By Time: 30 Minutes. Decision nodes: Targets Available?, Target Infected?, Goal Node Reachable?, Goal Node Compromised?, Attack Successful?, Mission Still affected?, Goal Node Still Compromised?. Interface calls to the infrastructure model: getTargets(), getNextTarget(), launchAttack(), isInfected(), isReachable(), Create Alert, CyCS-createTicket(), CyCS() - check status.]
Defender Model
Process simulation of reactive defender (not proactive) actions
Multi-tiered incident response model
– Defender can impact mission (by alerts, taking down machines)
– Includes defender resource/personnel constraints
Conceptually follows ‘Cyber:14’ defense models
Triage
- Defender response triggered by IT alert
- IT alerts prioritized by expected impact
Reboot, Restore, Rebuild
- Mitigation based on alert type (crash, infection, corruption)
- More aggressive responses may impose greater mission impact
Forensics
- For more serious threats
- Trace attack to source, build signatures
- Submit new alerts for all compromised machines
[Flowchart: defender process model. Steps and timings: Start Defender; Get Next Alert; Alert Type? (WipeAlert, InfectedAlert, ConfidentialityAlert, IntegrityAlert, AvailabilityAlert, ForensicAlert, None / No alert present); Take offline, 5m; Wipe and Restore, Between(1,3)h; Put online, 5m; Restore Functionality, Between(1,3)h; Trace Attack Source, Between(1,3)h; Get Signature, Between(2,6)h; Find other infections, Between(3,9)h; Issue New Alert(s), 0m; Wait to Issue Alert / Issue Alert / Submit Alert; Release Resource. Decision nodes: Malicious Activity Discovered?, Targets Available?. Interface calls to the infrastructure model: getNextAlert(), takeHostOffline(), wipeHost(), restoreHost(), putHostOnline(), malwareDetected(), getInfectionSource(), getAllInfected(), submitAlert(), getWait(), Create Alert, CyCS-createTicket(), CyCS-deleteTicket().]
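A Monte Carlo process simulation of the attacker workflow and the defender's restore path described on the two slides above, added here as an illustration; it is not AMICA code. Step names and Between(a,b) timings come from the flowcharts; treating Between as a uniform draw, the 24-hour mission window, the retry count, and using the slide's per-step success/detection probabilities as independent coin flips are assumptions of this example.

```python
import random

MIN, HOUR, DAY = 1, 60, 1440          # all times in minutes
# Attacker steps and Between(a,b) timings from the attacker flowchart (uniform draw assumed).
ATTACK_STEPS = [("get spear-phishing targets", 1, 3, DAY),
                ("choose and infect target", 30, 90, MIN),
                ("scan for goal node", 15, 45, MIN),
                ("compromise goal node", 30, 90, MIN)]
WAIT_GATE = 2 * HOUR     # "Wait for desired time to affect Mission" gate
CHECK = 30 * MIN         # cadence of the periodic detection check
HORIZON = 24 * HOUR      # assumed mission window; downtime is capped here

def restore_time(rng):
    """Defender restore path: take offline 5m, wipe and restore Between(1,3)h, put online 5m."""
    return 5 * MIN + rng.uniform(1 * HOUR, 3 * HOUR) + 5 * MIN

def run_once(rng, p_success, p_detect, max_retries=3):
    """One run. Returns (time_to_effect or None, mission_downtime_min, detected_before_effect)."""
    t = 0.0
    for _name, lo, hi, unit in ATTACK_STEPS:
        for _ in range(max_retries):              # "re-infect as necessary"
            t += rng.uniform(lo, hi) * unit
            if rng.random() < p_detect:           # sensor fires; reactive defender cleans up
                return None, 0.0, True
            if rng.random() < p_success:
                break
        else:
            return None, 0.0, False               # retries exhausted, no mission effect
    t += WAIT_GATE
    # Mission stays affected until a periodic check catches the compromise and restore completes.
    downtime = 0.0
    while downtime < HORIZON and rng.random() >= p_detect:
        downtime += CHECK
    if downtime < HORIZON:
        downtime += restore_time(rng)
    return t, min(downtime, HORIZON), False

def simulate(runs, p_success, p_detect, seed=0):
    """Monte Carlo estimate of how often and for how long the attacker affects the mission."""
    rng = random.Random(seed)
    effects, early, downtime, t_effect = 0, 0, 0.0, 0.0
    for _ in range(runs):
        t, d, detected_early = run_once(rng, p_success, p_detect)
        early += detected_early
        if t is not None:
            effects, downtime, t_effect = effects + 1, downtime + d, t_effect + t
    return {"p_effect": effects / runs, "p_detected_early": early / runs,
            "mean_time_to_effect_h": t_effect / effects / HOUR if effects else 0.0,
            "mean_downtime_h": downtime / effects / HOUR if effects else 0.0}
```

Sweeping p_detect (e.g. 0.0, 0.05, 0.2) with fixed p_success shows how sensor sophistication trades attacker effect rate against mission downtime, which is the kind of question the slide's "adjust sophistication" knob is meant to answer.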
Enterprise-level Simulation of Cyber-physical Impacts: Automated Learning of Enterprise Model
M. Lange, R. Moeller, G. Lang and F. Kuhr, "Event Prioritization and Correlation based on Pattern Mining Techniques," in 14th International Conference on Machine Learning and Applications, Miami, 2015.
PANOPTESEC
PANOPTESEC project – the Seventh Framework Programme for Research (FP7) of the European Commission, 2013-2016
PANOPTESEC integrates and normalizes heterogeneous events, correlates them with the infrastructure, evaluates their operational impact, and calculates the risk an event poses to the monitored infrastructure
PANOPTESEC consortium set up a testbed – an authentic replication of an Italian water and energy distribution company’s corporate enterprise systems and supervisory control and data acquisition (SCADA) system
The Challenge of Manual Model Construction
Manual modeling of dependencies – capturing the network's intended workflow and links to physical assets – is prohibitively expensive in complex enterprises
We focus on development of an automated approach:
• Use network traffic;
• Automatically learn network dependencies;
• Deduce higher-level information about a network's mission based on network services and applications
An example of a high-level view of an automatically derived mission model. Swim lanes represent sub-networks, network devices are represented by tasks, and a human silhouette marks client network devices.
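A simplified illustration of the automated approach on the two slides above (learning services and dependencies from traffic, then grouping hosts into sub-network swim lanes), added here as an example; it is not the method of Lange et al. or PANOPTESEC code. The flow records are constructed, and the rule "a (host, port) is a service once two distinct clients use it" and the /24 swim-lane grouping are assumptions of this example.

```python
from collections import defaultdict, deque

# Constructed flow records (src_host, dst_host, dst_port); not real traffic.
FLOWS = [
    ("10.0.1.10", "10.0.2.20", 443), ("10.0.1.11", "10.0.2.20", 443),
    ("10.0.1.12", "10.0.2.20", 443), ("10.0.2.20", "10.0.3.30", 5432),
    ("10.0.2.21", "10.0.3.30", 5432), ("10.0.1.10", "10.0.3.31", 445),
    ("10.0.1.11", "10.0.3.31", 445), ("10.0.2.20", "10.0.3.32", 389),
]

def learn_services(flows, min_clients=2):
    """A (host, port) pair counts as a service once min_clients distinct hosts connect to it."""
    clients = defaultdict(set)
    for src, dst, port in flows:
        clients[(dst, port)].add(src)
    return {svc for svc, cs in clients.items() if len(cs) >= min_clients}

def learn_dependencies(flows, min_clients=2):
    """Map each host to the services it uses. Servers appear as clients too, which exposes
    multi-tier chains (web tier -> database) without any manual modelling."""
    services = learn_services(flows, min_clients)
    deps = defaultdict(set)
    for src, dst, port in flows:
        if (dst, port) in services:
            deps[src].add((dst, port))
    return dict(deps)

def mission_footprint(deps, client):
    """Transitive closure of a client's dependencies: every service its workflow relies on."""
    needed, queue = set(), deque([client])
    while queue:
        host = queue.popleft()
        for svc in deps.get(host, ()):
            if svc not in needed:
                needed.add(svc)
                queue.append(svc[0])        # the server may itself depend on further services
    return needed

def swim_lanes(deps):
    """Group hosts by /24 subnet, mirroring the swim lanes of the derived mission model figure."""
    lanes = defaultdict(set)
    for host, svcs in deps.items():
        lanes[host.rsplit(".", 1)[0]].add(host)
        for server, _ in svcs:
            lanes[server.rsplit(".", 1)[0]].add(server)
    return {lane: sorted(hosts) for lane, hosts in lanes.items()}
```

The footprint of a client is exactly the set of assets whose compromise would affect that client's mission, which is what the mission-impact models on the earlier slides need as input.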
Advantage in Large-Scale Cyber Warfare as a Function of Strategy and Network Properties
J.H. Cho and J. Gao, “Cyber War Game in Temporal Networks,” accepted to PLOS ONE, 2016
Cyber War Strategies in Temporal Networks
Cho (ARL), Gao (NEU, NS CTA) – accepted to PLOS ONE Journal
Current State-of-the-Art
• Cyber war strategies often require resource-efficient solutions under highly distributed, resource-constrained networks
• Little prior work investigates heuristic cyber strategies studying the impact of network characteristics on performance
Goal: Identify near-optimal strategies by attackers or defenders to minimize resource consumption and maximize a win probability; the problem is formulated as:
Node i’s resource level is defined as:
where resource consumption by taking an action is:
Optimality Analysis of Cyber Strategies
Cho (ARL), Gao (NEU, NS CTA) – accepted to PLOS ONE Journal
BFA: Brute-Force Attack with solution search in O(N·2^N)
RF-A: Resource First – Attack with solution search in O(N^2)
IF-A: Influence First – Attack with solution search in O(N^3)
Influence is measured based on k-hop reachability as:
Heuristic cyber strategies perform close to optimal solution(s) with significantly less complexity; under a sparse network, the influence-first-attack strategy outperforms its resource-first counterpart.
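An added example of the k-hop reachability influence measure and the two heuristic orderings the slide contrasts, written for a defender deciding where to spend limited hardening effort (the slide states the strategies apply to attackers or defenders alike); this is not the paper's code. The slide does not reproduce the influence formula, so counting the nodes reachable within k hops, a lowest-resource-first reading of "resource first", and the constructed six-node network are assumptions of this example.

```python
from collections import deque

# Constructed undirected network (edge list) and per-node resource levels; not from the paper.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (1, 5)]
RESOURCES = {0: 5, 1: 2, 2: 4, 3: 1, 4: 3, 5: 6}

def adjacency(edges):
    """Build undirected adjacency sets from an edge list."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def k_hop_influence(adj, node, k):
    """Number of other nodes reachable from `node` within k hops (depth-limited BFS)."""
    seen, frontier = {node}, deque([(node, 0)])
    while frontier:
        cur, depth = frontier.popleft()
        if depth == k:
            continue
        for nxt in adj[cur]:
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, depth + 1))
    return len(seen) - 1

def influence_first(adj, k):
    """IF ordering: highest k-hop influence first, ties broken by node id.
    One BFS per node, so the ranking itself costs O(N * (N + E))."""
    return sorted(adj, key=lambda n: (-k_hop_influence(adj, n, k), n))

def resource_first(resources):
    """RF ordering (assumed reading): lowest resource level first, i.e. weakest node first."""
    return sorted(resources, key=lambda n: (resources[n], n))
```

On this sparse chain-like network the two orderings disagree on almost every position, which is the situation in which the slide reports influence-first outperforming resource-first.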
Performance Analysis: Win Probability & Resource Consumption
Cho (ARL), Gao (NEU, NS CTA) – accepted to PLOS ONE Journal
Current State-of-the-Art
• Little existing work considers network temporality and density that may affect optimal cyber war strategies by attackers or defenders
Network temporality affects the performance of cyber strategies differently under different network densities; overall, influence-first is preferred in terms of winning and resource consumption.
Network density reduces win probability in a highly temporal network.
Influence-first attack incurs less resource consumption in a dense network; there exists a critical node degree maximizing resource consumption.
Performance Analysis: System Vulnerability
Cho (ARL), Gao (NEU, NS CTA) – accepted to PLOS ONE Journal
• Less system failure occurs under a sparse network;
• High temporality introduces high system vulnerability or system failure at an earlier time than under low temporality
System vulnerability is highly sensitive to network temporality and density.
Other examples
• Simulation of collateral damage by malware in large populations
• Agent-based simulation of various refresh policies in mobile networks
• Simulation of probability of cyber compromise in face of complex network structure and defensive mechanisms
Tentative Taxonomy of Common Cyber-related Models
• Emulation (often with simulation) of networks: actual hardware, software, humans, e.g., cyber ranges.
• Training-focused simulations: presenting to human trainees the effects of a cyber attack, without modeling the underlying process.
• M&S of human cognitive processing of cyber events and situations: perception, recognition, situation awareness, decision making.
• M&S of attack progress and malware propagation
  • Attack-graph-based approaches
  • Epidemiology analogy, e.g., Susceptible, Infected, Recovered (SIR)
• Abstract wargaming: game-theoretic model of cyber conflict, without modeling the underlying processes of cyber attack and defense.
• Business process models: defense, offense and business processes, along with business IT architecture, simulated for observing resulting effects.
• Statistical models of cyber events: cyber processes are represented as, e.g., equations of Poisson processes, and coefficients are learned from a training dataset.
• Two classes of models used to support cyber modeling, but that do not model cyber aspects:
  • physical systems models to support modeling of cyber-physical effects;
  • and network simulation models.
A few more references
Kott, Alexander. "Towards fundamental science of cyber security." Network Science and Cybersecurity. Springer New York, 2014. 1-13. arXiv:1512.00407
Kott, Alexander, Nikolai Stoianov, Nazife Baykal, Alfred Moller, Reginald Sawilla, Pram Jain, Mona Lange, and Cristian Vidu. "Assessing Mission Impact of Cyberattacks: Report of the NATO IST-128 Workshop." arXiv preprint arXiv:1601.00912 (2016).