The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness
A Review of the Published Literature and Discussion of Future Research Plans
Nicklaus A. Giacobe
Cyber Security Situational Awareness
Intrusion Detection (ID) Plays an Important Role in Developing Situational Awareness
Cyber Situational Awareness = Network Security Situational Awareness
- Activities performed on behalf of an organization – “Network Security Office”
- Activities performed by computer/network security analysts
- Difficult, complex work – lots of data from IDS, antivirus systems, firewall logs, server security logs, etc.
- Ever-changing landscape – new threats, new technologies, new software, new vulnerabilities
Introduction
Current State ofID Technology
Theory and Background
Future Research
Conclusions &Discussion
Cyber Security Situational Awareness
- This Introduction
- Part 1: What is the Current State of ID Technology?
- Part 2: What are We Trying to Accomplish?
- Part 3: Future Research Recommendations
- Conclusion/Discussion
Part 1: The Current State of Technology in ID
- History of ID
- Alert Correlation and Data Fusion
- Data Fusion Techniques
- Visualizations
History of Intrusion Detection
Two Different Locations to Monitor
- Host-Based IDS (Denning)
  - Log files (C2 compliance) on Unix machines (Denning 1987)
  - IDES/NIDES – baseline “normal” user behavior (Javitz et al. 1994)
- Network-Based IDS (Mukherjee/Heberlein)
  - NSM (LAN Monitor) – history of previous connections, known bad actors lists, signatures of attack types (Mukherjee et al. 1994)
  - NIDS (multiple network IDS and host) (Snapp et al. 1991) (interesting JDL comparison)
History of Intrusion Detection
Two Different Methods of Analysis
- Pattern-Matching (Misuse) Detection (Spafford)
  - Match activity to patterns of known undesired behavior (Kumar et al. 1994, 1995)
  - Tripwire – MD hashing of files (Kim et al. 1994)
  - DDoS prevention / SYN floods / active DoS prevention (Schuba et al. 1997)
- Anomaly Detection (Stolfo)
  - Looking for abnormalities in network traffic (Lee et al. 1999)
  - Qualitative evaluation of the data stream (statistical methods) (Portnoy et al. 2001) – alert on infrequent types of data
  - Statistical payload evaluations – for worm detection (Wang et al. 2004, 2006a, 2006b) and mitigation (Locasto et al. 2006)
History of Intrusion Detection
Testing and Evaluation of IDSs
- DARPA IDS data sets from 1998-2000
- 1999 data set contained
  - 2 weeks of “training data” with labeled known intrusions
  - 7 weeks of unlabeled data
- Evaluate IDSs under design or in production
- Over-fit problem: IDSs could be developed that find all of the problems in the “training data”, but could be very poor at alerting on novel intrusion methods
Alert Correlation and Data Fusion
- Correlate by source, destination or attack method
- Non-trivial: port number vs. service name, IP address vs. hostname, etc. (Cuppens 2001)
- Need adaptors – different systems not designed for fusion (Debar et al. 2001)
- Promise of better understanding… see next slide
Understanding Through Correlation
Situation – Combination – Implication
Situation 1 – Same source, target and alert class – Single attacker against same host
Situation 2-1 – Same source and destination – Single attacker on same host, possibly using varying attack methods
Situation 2-2 – Same target and same alert class – Distributed attack on a single host
Situation 2-3 – Same source and same alert class – Single attacker using the same attack and trying to find any host vulnerable to that attack
Situation 3-1 – Same source only – Single attacker using a variety of attack methods on a variety of hosts
Situation 3-2 – Same target only – Distributed attacks
Situation 3-3 – Same attack class only – Common or novel attack method in use by many attackers
Adapted from (Debar et al. 2001)
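The table above is a pairwise rule: which of (source, target, alert class) two alerts share decides the situation. The following is an added example, not code from the slides or from Debar et al.; the alert records and addresses are constructed, and the helper that lists targets hit from several sources is an assumption about how an analyst would use situations 2-2 and 3-2 for triage.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample alerts (already normalised to one schema, the "adaptor"
# step the slides mention); not data from the slides or the cited papers.
ALERTS = [
    {"id": 1, "src": "10.0.0.5",  "dst": "192.168.1.10", "cls": "ssh-brute"},
    {"id": 2, "src": "10.0.0.5",  "dst": "192.168.1.10", "cls": "ssh-brute"},
    {"id": 3, "src": "10.0.0.5",  "dst": "192.168.1.10", "cls": "web-sqli"},
    {"id": 4, "src": "10.0.0.9",  "dst": "192.168.1.10", "cls": "ssh-brute"},
    {"id": 5, "src": "10.0.0.5",  "dst": "192.168.1.44", "cls": "ssh-brute"},
    {"id": 6, "src": "10.0.0.5",  "dst": "192.168.1.77", "cls": "web-sqli"},
    {"id": 7, "src": "10.0.0.9",  "dst": "192.168.1.44", "cls": "dns-tunnel"},
    {"id": 8, "src": "10.0.0.22", "dst": "192.168.1.10", "cls": "web-sqli"},
]

# Debar et al.'s situations, keyed by (same source?, same target?, same class?).
SITUATIONS = {
    (True,  True,  True):  ("1",   "single attacker, same host, same attack"),
    (True,  True,  False): ("2-1", "single attacker on same host, varying methods"),
    (False, True,  True):  ("2-2", "distributed attack on a single host"),
    (True,  False, True):  ("2-3", "single attacker sweeping hosts with one attack"),
    (True,  False, False): ("3-1", "single attacker, many methods, many hosts"),
    (False, True,  False): ("3-2", "distributed attacks on one target"),
    (False, False, True):  ("3-3", "common or novel attack class, many attackers"),
}

def situation(a, b):
    """Situation number for one alert pair, or None when nothing is shared."""
    key = (a["src"] == b["src"], a["dst"] == b["dst"], a["cls"] == b["cls"])
    return SITUATIONS.get(key, (None, None))[0]

def correlate(alerts):
    """Classify every alert pair: {situation: [(id_a, id_b), ...]}."""
    pairs = defaultdict(list)
    for a, b in combinations(alerts, 2):
        s = situation(a, b)
        if s is not None:
            pairs[s].append((a["id"], b["id"]))
    return dict(pairs)

def distributed_targets(alerts):
    """Hosts alerted on from more than one source (situations 2-2 / 3-2)."""
    by_target = defaultdict(set)
    for a in alerts:
        by_target[a["dst"]].add(a["src"])
    return sorted(t for t, srcs in by_target.items() if len(srcs) > 1)
```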
JDL Fusion Model (Hall and McMullen 2004)
Alert Correlation and Data Fusion
[Figure: JDL fusion levels – Source Pre-Processing; Level 1 Object Refinement; Level 2 Situation Refinement; Level 3 Threat Refinement]
Part 1: The Current State of Technology in ID
- History of ID
- Alert Correlation and Data Fusion
- Data Fusion Techniques
- Visualization of Underlying and Fused Data
Data Fusion Techniques
- Bayesian Inference
  - Complete list of all possible states of the system
  - Probabilities of current state
  - Need for accurate historical data (Holsopple et al. 2006)
- D-S Theory
  - No need for exact knowledge
  - Sort out independent evidence and combine it using the Dempster Rule
  - Very human-like logical combination
  - Can combine evidence of non-similar sources/data types
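To show what the Dempster Rule does with evidence from unlike sources, here is an added example that is not from the slides or the cited papers. It assumes a two-hypothesis frame {attack, normal} and constructed mass assignments for a signature IDS and an anomaly detector; mass left on the whole frame is the "don't know" that Bayesian inference would force into a prior.

```python
from functools import reduce
from itertools import product

# Frame of discernment: mutually exclusive hypotheses about one host or flow.
THETA = frozenset({"attack", "normal"})
ATTACK = frozenset({"attack"})
NORMAL = frozenset({"normal"})

# Constructed basic probability assignments from two unlike sources (assumed
# values, not measurements). Mass on THETA is explicit ignorance.
M_SIGNATURE = {ATTACK: 0.6, THETA: 0.4}             # a signature IDS hit
M_ANOMALY = {ATTACK: 0.5, NORMAL: 0.2, THETA: 0.3}  # an anomaly score

def combine(m1, m2):
    """Dempster's rule: m(A) = sum over B∩C=A of m1(B)*m2(C), divided by 1-K.
    K is the mass landing on contradictory (empty-intersection) pairs."""
    joint, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        a = b & c
        if a:
            joint[a] = joint.get(a, 0.0) + mb * mc
        else:
            conflict += mb * mc
    if conflict >= 1.0:
        raise ValueError("sources totally conflict; cannot combine")
    return {a: v / (1.0 - conflict) for a, v in joint.items()}, conflict

def fuse(*masses):
    """Combine any number of independent sources (the rule is associative)."""
    return reduce(lambda acc, m: combine(acc, m)[0], masses)

def belief(m, h):
    """Bel(H): mass committed to H or its subsets (lower bound on support)."""
    return sum(v for a, v in m.items() if a <= h)

def plausibility(m, h):
    """Pl(H): mass not contradicting H (upper bound); Pl-Bel is ignorance."""
    return sum(v for a, v in m.items() if a & h)
```

With the constructed masses the combined belief in "attack" is about 0.77 and its plausibility about 0.91, with 0.12 of the product mass discarded as conflict; an analyst reads the gap between the two numbers as how much the sources still leave open.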
Data Fusion Techniques
- Data Mining Algorithms
  - Support Vector Machines (SVMs) (Liu et al. 2007 x3)
  - Neural Networks (Wang et al. 2007)
  - May be helpful in rapidly combining multiple sources of similar data
- Thomas and Balakrishnan (2008)
  - Combined alert data from 3 different IDSs (PHAD, ALAD, Snort) using MLFF-NN
  - Tested vs. DARPA 1999 data set
  - Showed improved detection rates on the known data over each individual IDS (68% vs. 28%, 32%, 51%)
Visualizations
- Based on Network Topology
- Based on Geopolitical Topology
- Network Traffic Representations
- Alert and Track-Based Displays
Hierarchical Network Map from Mansmann and Vinnik (2006)
Representation of Threats and Actors on a Geopolitical Map from (Pike et al. 2008)
Representation of host to port to remote port to remote host of network traffic from (Fink et al. 2004)
Panel Displaying Network Connections from a Single Host from (Fischer et al. 2008)
Representing the Three Ws from (Foresti et al. 2007)
Part 2: What are We Trying to Accomplish?
- Definition of Computer Security
- Theory of Situational Awareness
- Cognitive Load Theory
- Cognitive Task Analysis
Definitions…
(Computer) Security is…
- Manunta (1999): Security is the interaction of Asset (A), Protector (P) and Threat (T) in a given Situation (Si)
- CIA Triad (Tipton et al. 2007): Confidentiality, Integrity, Availability
- Bishop (2003): Only authorized actions can be executed by authorized users
Theory of Situational Awareness
- Endsley (1995): State of Knowledge
  - Elements
  - Situation
  - Future Projection
- “Awareness Machine” unlikely
- Focus instead on “awareness support technologies”
Endsley (1995)
Theory of Situational Awareness
Mapping of IDS Fusion tasks between JDL Model and Endsley SA Model. From Yang et al. (2009)
Higher Levels of Fusion = Situational Awareness
Higher Levels of Fusion
- INFERD: Level 2 Fusion Engine – based on a priori knowledge from system experts – pattern matching attack methods and known vulnerabilities of the system
- TANDI: Level 3 Fusion – projection of future attacks based on knowledge of vulnerabilities of the system
(Yang et al. 2009)
Cognitive Load Theory
- Sweller et al. (1998)
  - Working Memory (limited capacity)
  - Long Term Memory (unlimited capacity, based on schemas to represent complex, related information)
- Split Attention
- Conflicting, Repetitive
- Modality Effect
Cognitive Task Analysis
- Biros and Eppich (2001) – CTA of IDS analysts in the USAF – 5 capabilities required
  - ID non-local addresses
  - ID source addresses
  - Develop mental image of “normal” behavior
  - Create and maintain SA
  - Knowledge sharing
- Killcrece et al. (2003) – CTA of gov’t/military security specialists – 3 general categories
  - Reactive Work (majority of the work)
  - Proactive Work
  - Quality Management (training, etc.)
D’Amico et al. (2007) – CTA of Network Security Professionals in the Department of Defense
Cognitive Task Analysis
Part 3: Where Do We Go From Here?
- Model Building – to understand the contributions of the algorithm builders
- CTA – to understand the needs of the analyst
- Visualization Recommendations – based on the work above
Conclusion
- Current State of ID
  - History of ID
  - Alert Correlation and Data Fusion
  - Data fusion techniques
  - Visualization of underlying and fused data
- Theoretical Basis for Understanding SA in the Cyber Security Domain
  - Definition of Computer Security
  - Theory of Situational Awareness
  - Cognitive Load Theory
  - Cognitive Task Analysis
- Recommendations for Future Work
  - Model Building – to understand the contributions of the algorithm builders
  - CTA – to understand the needs of the analyst
  - Visualization Recommendations – based on needs and cognitive capabilities of analysts
Discussion and Questions
Just in case you needed a prompt to ask questions … here it is