
- Number of slides: 30

Cortex Program Status Brief
Christopher Geib
July 12th 2005

Self Regeneration is not enough
• Systems must be designed that are capable of response and regeneration after deliberate attack and catastrophic failures.
• However, response and regeneration must be sensitive to…
  - the mission that is being executed,
    * What tools and services are critical for the current mission goals?
    * What tools and services are not critical for the current mission goals?
  - and the lessons learned from the previous failure.
    * What features of the protocol were exploited in the attack?
    * Have features of the domain changed?
      • Are there new kinds of connections that should be blocked?
      • Are some kinds of attacks more common than we thought?
Mission Aware Planning and Learning
HONEYWELL - CONFIDENTIAL SiteVisitOverview.ppt

Program Technical Objectives
• Prove the viability of automatically synthesizing a meta-level controller for model-based system response and regeneration.
• Such regeneration control systems must have two critical capabilities:
  - planning that is sensitive to the system mission,
    * How much of the system's resources should be committed or held in reserve?
    * Planning conditional responses to known threats.
    * Trading off commitments for mission critical objectives.
  - and learning to prevent similar failures in the future.
    * Patch the services that were exploited
    * Modify the mission model to capture changes to the world.
Meta Level Planning and Learning

Existing Practice
• Automated system rebooting will bring elements of the system back on line after an attack, but these are limited:
  - Simple scripts that are not sensitive to the mission model.
  - Can’t make trade offs between competing needs.
  - Single system reboot.
• Learning of exploits and diagnosing root causes of the failure is handled offline by system experts.
  - Conclusions are not captured at the mission model level.
  - Often performed somewhere else.
  - Slow and requires significant expertise.
Done By Hand If At All

Talk Outline
• What is the mission?
  - Mission model
  - Conops for Cortex within this Model
• What is our technical approach?
  - Current system design and use cases
  - Thrust areas
    * Learning
    * Planning
• What progress have we made?
• How are we performing against our metrics?
• Conclusions

What Is The Mission?

Mission Model Motivation
• Critical Problem Features
  - Real world applicability and importance.
  - Military relevance clear.
  - Challenging complexity exceeds simple solutions.
  - Multiple mission phases with differing objectives requiring differing responses to attack.
  - Easy to find cyber attack methods within the literature.
• Daily mission planning cycle
  - Based on DARPA Cyber Panel Grand Challenge Problem
  - Defense of an operations critical MySQL database for mission planning.
    * Direct access
    * Apache/php mediated access

Daily Mission Cycle
[Figure: daily mission cycle diagram. Steps: 1: High Level Planning by Commander; 2: Detailed Planning by Naval Operations; 3: Scheduling & Task Orders by Naval Operations; 4: Task Orders Sent to Ships; 5: Scheduled Maintenance; Ongoing: Battle Damage Assessment from other ships. Time windows shown: 17:00-19:45, 20:00-22:10, 15:00-16:00, 08:00-11:20, 12:00-12:05.]

Mission Domain System Architecture
[Figure: architecture diagram. Labels: Database and Web Server Host; radio link; FW; https (Blueridge LAN); Static Content (.html); Apache Web Server; http; PHP interpreter; Dynamic Content (.php); (Planning LAN); SQL; MySQL Planning dB; MySQL_BRP_Plan.]

Cortex Role in this Domain
• Protect the MySQL database:
  - Guarantee availability
  - Guarantee data integrity
• Making use of:
  - Redundant “taste tester” architecture
  - CIRCA planning for response and resource use
  - Learning based on active experimentation
• Cortex control capabilities:
  - Control query replication.
  - Manage tasters (which is lead-taster, building new ones)
  - Control access to DB (block known exploits)
  - Invoke learning module

What Is Our Technical Approach?

New Technology
• What is truly new?
  - Automated synthesis of meta-level controllers based on decision theoretic tradeoffs among mission requirements for response and regeneration.
  - Active experimentation based learning to prevent zero-day exploits and extend our mission model.
• How much will it improve?
  - New capability in some cases
    * Mission-based cost benefit trade offs and dynamic reallocation of resources after system failure.
  - In others automating a process currently done by hand.
    * Automated learning/generalization of exploits can’t increase the runtime.

CIRCA Planning: Generalized Semi-Markov Decision Processes
• Most existing decision-theoretic planning systems are based on the Markov Decision Processes and have difficulty handling multiple, asynchronous events.
• GSMDP provides the most natural framework for this purpose.
• CIRCA (Cooperative Intelligent Real-Time Control Architecture) is the first GSMDP planner.
  * Uses the decision-theoretic principle of maximizing expected utility (e.g. to trade off performance against safety).
  * Uses rich stochastic models of world, transitions, actions, and time to construct best defense plans.
  * Does not hand-build, but automatically synthesizes plans and can thus adapt to defend against combinations/mutations of existing exploits based on the mission model.

Exploratory Experiments With New Heuristics
Optimal plan found in only 1% time.

Active Learning Approach
• We know an attack succeeded, but we don’t know why.
  - Need an educated guess as to culprits, then validate
• We want to explore the possibilities.
  - Model normal mission traffic according to several axes of variability
    * Score each attack according to these axes
    * Experiment for most suspicious values
[Figure: Learner data flow. Labels: Attack Query; Learner; Historical (Normal) Queries; Build Model of Normal Traffic; Model of Normal; Use model to identify suspicious elements; Experiment; Blocking Rules.]

Axes of Variability (Definition)
• The different ways an attack (e.g. to MySQL) might be formulated.
  - Provided a priori by a domain expert
• Query content
  - Word order (e.g. some permutations cause MySQL to crash)
  - Binary machine instructions
  - Unusual payload (e.g. unix commands, registry keys, database administrative commands)
• Query length (single/multiple terms)
• Resource consumption patterns
• Probing (e.g. password guessing)
• Session-wide (multiple queries)

Axes of Variability (detectors)
• We currently detect:
  - Text Queries:
    * String length: overall query length
    * SQL parser: term length (table, col, row), number of terms (table, row, col)
    * Word order: if there are no other suspicious elements in the attack
  - Packet Content (Using hex values of the packet):
    * Command type
    * Joint probability: each command has different expected byte patterns
• Plausible to design new or better detectors:
  - String content (e.g. look for hex)
  - Unusual payload (parser, keyword filter, content-filtering)
  - Session-wide (frequent patterns analysis)
  - Word order (patterns analysis)
  - More Joint probability distributions (e.g. strings may generally be long, but passwords are short)

Modeling Mission Traffic
• Model normal traffic
  - Domain expert creates measures for each axis of variability (or combinations thereof)
  - Currently stored as histograms of the computed values, e.g. [Figure: histogram]
• Compare attack to the model
  - Compute a “suspicion score”: how unusual is this attack for this axis of variability
  - Score = (value – μ) / σ
    e.g. add “32” to above histogram; score is 12.6
• Experiment (Active Learning)
  - Sort the suspicion scores.
  - Experiment in the “most” suspicious axis first.
    * Test hypothesis of culprit
    * Discover the boundary conditions

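The scoring and experiment loop from this slide, as an added Python example that is not code from the Cortex program: it computes Score = (value – μ) / σ per axis, then replays variants of the attack against a taster to test the culprit hypothesis and find the boundary value. The axis names, the traffic values, the simulated taster and its threshold are constructed assumptions.

```python
import statistics

# Constructed history of normal traffic: measured values per axis of
# variability (axis names and numbers are illustrative assumptions).
NORMAL = {
    "query_length":    [42, 38, 51, 47, 40, 44, 39, 49, 45, 43],
    "num_terms":       [3, 4, 3, 5, 4, 3, 4, 4, 3, 5],
    "password_length": [8, 10, 9, 12, 8, 11, 9, 10, 8, 10],
}

def suspicion_scores(attack, normal=NORMAL):
    """Score = (value - mu) / sigma per axis, most suspicious axis first."""
    scored = []
    for axis, history in normal.items():
        mu = statistics.mean(history)
        sigma = statistics.pstdev(history) or 1.0  # guard constant axes
        scored.append((axis, (attack[axis] - mu) / sigma))
    # Assumption: rank by magnitude so unusually small values also surface.
    return sorted(scored, key=lambda s: abs(s[1]), reverse=True)

def find_boundary(axis, attack, taster_survives, normal=NORMAL):
    """Smallest value on `axis` that still kills a taster, or None.
    Assumes a larger-than-normal attack value and a single threshold."""
    lo, hi = max(normal[axis]), attack[axis]
    # Culprit test: a normal value on this axis must leave the taster alive.
    if hi <= lo or not taster_survives({**attack, axis: lo}):
        return None
    while hi - lo > 1:  # bisect between known-safe lo and known-fatal hi
        mid = (lo + hi) // 2
        if taster_survives({**attack, axis: mid}):
            lo = mid
        else:
            hi = mid
    return hi

def learn_blocking_rule(attack, taster_survives):
    """Experiment on axes in suspicion order until one yields a boundary."""
    for axis, _ in suspicion_scores(attack):
        boundary = find_boundary(axis, attack, taster_survives)
        if boundary is not None:
            return {"axis": axis, "block_if_at_least": boundary}
    return None

# Simulated taster; the threshold 17 is invented for this demo.
def simulated_taster(query):
    return query["password_length"] < 17

if __name__ == "__main__":
    attack = {"query_length": 46, "num_terms": 4, "password_length": 32}
    print(suspicion_scores(attack), learn_blocking_rule(attack, simulated_taster))
```

The culprit test matters when the most suspicious axis is not the cause: an attack that is also unusually long ranks query_length first, but replaying it with a normal length still kills the taster, so the loop moves on to the next axis.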

Cortex Demo Architecture and Use Cases
[Figure: demo architecture, normal query use case. Labels: Normal Query; AMP; CSM; Once per phase; Proxy (Dexter); Block known bad queries; Taste test; Log results; RTS; Replicate; Switch Tasters; Rebuild Tasters; Send to Learning; Master DB; Replicator; Replicate queries; Switch Tasters; Create tasters; Tasters; Delete tasters; Heartbeat; Status; Learner; Read Training Data; Experiment; Generate Rules. Caption: New Ability Since January Demo.]

Cortex Demo Architecture and Use Cases
[Figure: demo architecture, attack use cases. Labels: Attack is blocked; Attack gets through; Query; Proxy (Dexter); Block known bad queries; Taste test; Log results; AMP; CSM; RTS; Replicate; Switch Tasters; Rebuild Tasters; Send to Learning; Master DB; Replicator; Replicate queries; Switch Tasters; Create tasters; Tasters; Delete tasters; Heartbeat; Status; Learner; Read Training Data; Experiment; Generate Rules.]

Risks and Mitigations
• Search space for the controller is large.
  - Mitigation: Our work is focused on heuristics that are solving these problems without covering the whole space.
  - Mitigation: Plans are built offline before system commission.
  - Mitigation: Possible to build plans that provide safe reduced functionality states to move to while regenerating.
• Identification of a covering set of axes of variability and experimentation methods.
  - Mitigation: Fixed protocols have limited degrees of freedom making it easier to enumerate.
  - Mitigation: Axis only has to be identified once.
• “Binary poisons”
  - Mitigation: Don’t eat the second half of the poison.
  - Mitigation: Use program diversity tools to push some code level violations that would be binary poisons into our space.

What Progress Have We Made?

Current Demo
• Complete system protecting MySQL with normal background traffic for our mission model.
• All three end-to-end use cases.
  - Integration of CIRCA planning for single mission phase.
  - Learning via active experimentation.
• Two different attacks in Mission Model Phase 1
  - Both kill MySQL 3.23.49 server but are very different.
    * Password buffer-overflow (BID 8590)
      • Exploits the lack of bounds-checking on the password field for a user.
    * Binary attack against COM_TABLE_DUMP command (BID 6368)
      • Exploits a casting vulnerability of signed integer values.
      • Sends a negative value as one of the string length parameters to the command, and corrupts internal MySQL memory.

Major Accomplishments Since Last Meeting
• Infrastructure
  - Mission model defined.
  - 2 Specific attacks identified and implemented.
  - Background traffic generators built.
  - Improved & new GUIs developed.
  - Extending to Apache/PHP server (in progress).
  - Identifying Apache exploits (in progress).
• Learning
  - Design and Implementation of learning architecture and active experimentation approach.
    * Identification of axes of variability.
    * Traffic modeling.
  - Successful testing against 2 very different attacks.
• Planning
  - Successful exploratory experiments on new planning heuristics.

How Are We Performing Against Our Metrics?

Program Level Metrics
• Correctly diagnosing root cause 10% of attacks.
  - System correctly diagnoses all of the attacks covered by an identified axis of variability.
  - Question becomes one of coverage of the axes of variability relative to the set of attacks.
• Correctly responding to 5% of diagnosed attacks
  - CORTEX plans controllers that respond to all (100%) of the possible attacks enumerated within the mission model.
  - Learning blocking rules for all (100%) of the diagnosed attacks.

Project Metrics
• Time to synthesize optimal controller (measured)
  - Experiments have cut the time to find the optimal plan for this problem by >90%. Continuing experiments in other problems to identify efficacy of the method.
• Accuracy of the rules learned (measured)
  - Anecdotal analysis suggests no false positives; performing measurements against traffic model.
• Overhead added to normal processing (measured)
  - Anecdotal evidence suggests this is not too bad, but awaiting final system configuration to measure.
• Improved throughput from increased mission specific system availability. (measured)

Expected Major Achievements
• Prove the viability of automatically synthesizing a meta-level controller for model-based system response and regeneration.
  - Limited impact on current users
  - Overall improved system throughput from increased system mission sensitive availability.
  - Demonstrate system scalability in two mission phases
• Demonstrate system planning for at least two different mission phases with significantly different requirements and responses.
• Demonstrate the viability of learning zero-day exploits within well understood protocols for at least two different protocols.
Significant Research Results

CORTEX – Mission-Aware Closed-Loop Cyber Assessment and Response
[Figure: system diagram. Labels: Security Tradeoff Planner; Controller Synthesis Module; Active Security Controller; Executive; Attacks, intrusions; Networks, Computers; Computing services; Scyllarus Intrusion Assessment.]
NEW IDEAS
• System Reference Model drives intrusion assessment, diagnosis, and response.
• Automatically search for response policies that optimize tradeoff of security against mission ops.
• “Taste-tester” server redundancy supports robustness and learning from new attacks.
IMPACT
• High confidence intrusion assessment and diagnosis.
• Pre-planned automatic responses to contain and recover from faults and attacks.
• Automatic tradeoffs of security vs. service level & accessibility.
• Learns to recognize and defeat novel attacks.
SCHEDULE
Demos:
• Thin slice demo: Jan 05
• Learning Demo: May 05
• PI Meeting Demo: Jul 05
• Mission Aware Learning and Response Demo: Dec 05

End
Come See the Demo