Page 1:

Cybaware: A Cyber Awareness Framework for Attack Analysis, Prediction, and Visualization

University of California, Santa Barbara
University of California, Berkeley
Georgia Institute of Technology

ARO/MURI Annual Review, August 23, 2010

Richard A. Kemmerer

Page 2:

The Problem

• Cyber networks are ubiquitous and the Internet has become a mission-critical asset

• There is a need to monitor and protect cyber assets to support mission execution

• The impact of current (security) events on a mission can be understood only if cyber situation awareness is achieved
– Situation Awareness: the perception of the elements of the environment, the comprehension of their meaning, and the projection of their status in order to enable decision superiority [Salerno05]

Page 3:

Objective of the Research

We will develop novel situation awareness theories and techniques to obtain an accurate view of the available cyber-assets and to automatically determine the assets required to carry out each mission task.

Based on this information, we will automatically assess the damage of attacks, possible next moves, and the impact on the missions.

We will also model the behavior of adversaries to predict the threat of future attacks to the success of a mission.

Finally, we will present the status of the current missions and the impact of possible countermeasures to a security officer, using a semantically-rich environment.

Each of these technologies will be integrated into a coherent cyber-situation awareness framework, called Cybaware.

Page 4:

Cybaware Approach (diagram)

Challenges:

– Assets: knowledge about assets is incomplete
– Configuration: relationships between assets and mission are unknown
– Impact: effects of an attack on the mission are unknown
– Threat: type and goals of the adversary are unknown
– Visualization: meaningful view of the mission’s state is missing

Solutions (Situation Awareness Framework):

– Assets: novel tools and techniques to automatically obtain an up-to-date view of the cyber-assets
– Configuration: novel analysis approaches to automatically extract dependencies between the mission and the assets
– Impact: comprehensive correlation framework to automatically determine the impact of attacks on the mission
– Threat: game-theoretic techniques to characterize the attacker and predict future actions
– Visualization: create a semantically-rich view of the cyber-mission status, on a variety of display platforms

Integration: each of the five components is driven by an Extract & Abstract step applied to the Mission.

Page 5:

Five Key Concepts

1. Up-to-date views of the available cyber-assets
2. A comprehensive analysis of the dependencies between cyber-missions and cyber-assets
3. An accurate understanding of the impact of cyber-attacks
4. Actionable cyber-attack forecasts
5. A semantically-rich, easy-to-grasp view of the cyber-mission status

Page 6:

Thrust I: Obtaining an up-to-date view of the available cyber-assets

• Develop tools and techniques for automated analysis of the network event data about resources, services, hosts, and network connections
– Modeling assets
– Passive monitoring
– Active probing
– Host-based monitoring

Page 7:

Thrust I: Obtaining an up-to-date view of the available cyber-assets

• Obtained internal syslog and NetFlow data for LBNL
– Almost 5 years from the email, DNS, and LDAP servers
– 5 years of centralized syslogs
– 15 months of NetFlow data from internal routers
– 2 months of DHCP logs

• Obtained data from ICSI
– 6 months of connection log summaries
– 6 months of HTTP URLs and request headers

• Set up a logging facility at UCSB to obtain and anonymize the CS Department NetFlow capture

Page 8:

Thrust I: Obtaining an up-to-date view of the available cyber-assets

• Developed preliminary tools to analyze flow records to:
– Explore the evolution of the role of different systems over time
– Develop signatures reflecting the activity of individual hosts
– Identify sets of servers, including back-up (failover) servers, based on commonality of connections

“Network Asset Discovery and Tracking” – Vern Paxson
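A minimal version of the "commonality of connections" idea on this slide, written as an added example rather than the project's own tooling: constructed NetFlow-style records (client, server, destination port) are grouped into per-service client populations, endpoints contacted by enough distinct clients are treated as servers, and servers on the same port whose client sets overlap strongly are reported as candidate primary/backup pairs. The record layout, addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed flow summaries (client, server, dst port); not real LBNL/UCSB data.
CLIENTS = ["10.0.1.%d" % i for i in range(1, 7)]
FLOWS = [(c, "10.0.0.10", 53) for c in CLIENTS]        # primary DNS, seen by all clients
FLOWS += [(c, "10.0.0.11", 53) for c in CLIENTS[:4]]   # backup DNS, seen by a subset
FLOWS += [(c, "10.0.0.20", 25) for c in CLIENTS[:3]]   # mail relay
FLOWS += [("10.0.1.1", "10.0.0.99", 22)]               # one-off peer, not a server

def client_sets(flows, min_clients=3):
    """Map (server_ip, port) -> set of distinct client IPs that contacted it.
    Endpoints with fewer than min_clients clients are dropped: the heuristic
    is that a server is something many hosts connect to."""
    seen = defaultdict(set)
    for src, dst, port in flows:
        seen[(dst, port)].add(src)
    return {svc: cl for svc, cl in seen.items() if len(cl) >= min_clients}

def jaccard(a, b):
    """Overlap of two client populations, 0 (disjoint) to 1 (identical)."""
    return len(a & b) / len(a | b)

def failover_candidates(servers, threshold=0.5):
    """Servers on the same port whose client populations overlap at or above
    threshold: a likely primary/backup or load-balanced group."""
    pairs = []
    for s1, s2 in combinations(sorted(servers), 2):
        if s1[1] != s2[1]:
            continue  # a different service, even if the same clients use both
        sim = jaccard(servers[s1], servers[s2])
        if sim >= threshold:
            pairs.append((s1[0], s2[0], s1[1], round(sim, 2)))
    return pairs

if __name__ == "__main__":
    servers = client_sets(FLOWS)
    for svc, clients in sorted(servers.items()):
        print(svc, "distinct clients:", len(clients))
    print("failover candidates:", failover_candidates(servers))
```

On the constructed data the two port-53 servers share four of six clients (Jaccard 0.67) and are reported as a pair, while the mail relay and the single SSH peer are not.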

Page 9:

Thrust I: Obtaining an up-to-date view of the available cyber-assets

• Developed models that leverage network-level properties and content-level properties to develop “fingerprints” for specific programs/network services
– Captured the behavior of specific bot (malware) programs by monitoring their traffic in a controlled environment
– Created detection models that could later identify malware-generated traffic in real-world networks

“Network-based Modeling of Assets and Malicious Actors” – Christopher Kruegel

Page 10:

Thrust II: Obtaining dependencies between missions and assets

• Develop analysis approaches to automatically extract relationships (either manifest or hidden) between cyber-mission tasks and the resources required
– Modeling missions
– Mapping assets to tasks and missions
– Indirect dependencies
– Inferring types of dependencies

Page 11:

Thrust II: Obtaining dependencies between missions and assets

• Developed mission/resource models that
– Take into account multiple missions
– Support cyber-triaging of missions in the event that resources become compromised or unavailable

“Mission Models for Cyber-Awareness” – Giovanni Vigna

Page 12:

Thrust III: Obtaining an accurate view of the impact of cyber-attacks

• Develop techniques to automatically correlate the information about ongoing attacks with the affected cyber-assets that are needed to successfully complete a mission
– Alert correlation
– Speculative analysis
– Cyber-triaging

Page 13:

Thrust III: Obtaining an accurate view of the impact of cyber-attacks

• Developed preliminary approaches to determine the impact of attacks on missions and how these can be scientifically studied using security competitions

• Developed approaches for the detection of “bad neighborhoods” on the Internet
– Can detect rogue actors on the network that persistently act maliciously
– Can use this knowledge to reason about network connections between the internal network and the outside Internet

Page 14:

Thrust IV: Obtaining actionable cyber-attack forecasts

• Develop game-theoretic techniques for modeling adversary behavior and predicting the effects of future attacks that can be launched to prevent a cyber-mission from completing successfully
– Computation of effective strategies
– Uncertainty and adversarial intent
– Detection in adversarial environments

Page 15:

Thrust IV: Obtaining actionable cyber-attack forecasts

• Constructed simple adversarial models for the cyber awareness domain, focusing on competitive deterministic models

• Developed solution of large zero-sum matrix games using randomized methods (security policies against an adversary)
– Solving subgames that are much smaller than the original game
– Probabilistic bounds on the size of the subgames are independent of the size of the original game

“Randomized Methods for Solving Large-scale Games Arising in Cyber-Awareness” – João P. Hespanha & Shaunak Bopardikar
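The randomized subgame approach on this slide, as an added example that is not the project's code: a large constructed zero-sum game is sampled down to a small subgame, the subgame is solved with fictitious play as a stand-in solver (the page does not say which solver the project uses), and the lifted defender strategy is checked against every column of the full game to measure how often its guaranteed level is violated. Matrix size, sample sizes and seeds are assumptions.

```python
import random

def make_random_game(size, seed):
    """Constructed payoff matrix (rows = defender, maximises; columns =
    attacker, minimises); not data from the project."""
    rng = random.Random(seed)
    return [[rng.uniform(-1.0, 1.0) for _ in range(size)] for _ in range(size)]

def security_level(A, p):
    """Worst-case payoff the row strategy p guarantees over all columns of A."""
    return min(sum(p[i] * A[i][j] for i in range(len(A))) for j in range(len(A[0])))

def solve_zero_sum(A, iters=4000):
    """Approximate row security policy by fictitious play (stand-in solver;
    a linear program would give the exact value)."""
    m, n = len(A), len(A[0])
    row_counts, col_counts = [0] * m, [0] * n
    for _ in range(iters):
        # each side best-responds to the other's empirical play so far
        i = max(range(m), key=lambda r: sum(A[r][c] * col_counts[c] for c in range(n)))
        j = min(range(n), key=lambda c: sum(A[r][c] * row_counts[r] for r in range(m)))
        row_counts[i] += 1
        col_counts[j] += 1
    p = [k / iters for k in row_counts]
    return p, security_level(A, p)

def sampled_policy(A, n_rows, n_cols, seed=0, iters=4000):
    """Solve one random n_rows x n_cols subgame and lift its row strategy to
    the full game (unsampled rows get probability 0). The work depends on
    n_rows and n_cols only, not on the size of A."""
    rng = random.Random(seed)
    R = rng.sample(range(len(A)), n_rows)
    C = rng.sample(range(len(A[0])), n_cols)
    sub = [[A[i][j] for j in C] for i in R]
    p_sub, v_sub = solve_zero_sum(sub, iters)
    p = [0.0] * len(A)
    for k, i in enumerate(R):
        p[i] = p_sub[k]
    return p, v_sub

def violation_fraction(A, p, v_sub, tol=1e-9):
    """Share of full-game columns on which the attacker can push the payoff
    below the subgame value v_sub: the quantity the probabilistic bounds control."""
    n = len(A[0])
    bad = sum(1 for j in range(n) if sum(p[i] * A[i][j] for i in range(len(A))) < v_sub - tol)
    return bad / n

if __name__ == "__main__":
    big = make_random_game(300, seed=7)
    p, v_sub = sampled_policy(big, 15, 15, seed=7)
    print("subgame value %.3f, full-game level %.3f, violated on %.1f%% of columns"
          % (v_sub, security_level(big, p), 100 * violation_fraction(big, p, v_sub)))
```

The full-game level can never exceed the subgame value, since the sampled columns are among those minimised over; the violation fraction is what shrinks as the sampled subgame grows, independently of the 300 x 300 size.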

Page 16:

Thrust IV: Obtaining actionable cyber-attack forecasts

• Studied two-player games (system administrator vs. attacker)
– Administrator has information about the state of the system
– Attacker has probabilistic beliefs about the state of the system
– Uses a non-revealing strategy
– Derive computable conditions under which a non-revealing strategy is optimal

“Cyber-Awareness and Games of Incomplete Information” – Jeff Shamma

Page 17:

Thrust IV: Obtaining actionable cyber-attack forecasts

• Developed a history-based detection of attacks that
– Uses previous traces of attacks against a particular network
– Provides some indication of what the next step for an attacker could be

Page 18:

Thrust V: Obtaining a semantically-rich, easy-to-grasp view of the cyber-mission

• Develop techniques and tools for displaying the relevant components of the current cyber-missions in an immersive environment that leverages novel cognitive science techniques to improve large-scale attack comprehension and response under duress
– Display and interaction platforms
– Information needs and user modeling
– Interactive what-if scenarios

Page 19:

Thrust V: Obtaining a semantically-rich, easy-to-grasp view of the cyber-mission

• User and task analysis for realistic usage scenarios (LBNL and UCSB/CS data)

• Developed scalable network visualization technology for representing graph-based information with tens or hundreds of thousands of nodes and edges on web-based platforms

• Designed and implemented initial interfaces for an immersive situational awareness room

• Evaluation of candidate platforms for user interfaces

“Interactive Visualizations for Cyber-Mission Awareness” – Tobias Hollerer

Page 20:

Analyzing the Underground Economy

• Took over the Torpig botnet for ten days
– ~180K unique hosts connected every 20 minutes
– 8.7 GB Apache logs and 69 GB pcap data
– 8,310 unique accounts from 410 financial institutions and 1,660 credit cards
– Worked with the FBI and National Cyber-Forensics and Training Alliance (NCFTA) to repatriate the data

• Investigating click fraud and fake AV campaigns

“Analyzing the Underground Economy” – Dick Kemmerer

Page 21:

Technology Transfer

• One-day Security Symposium at UCSB, "Solving Tomorrow's Security Problems"
– Participants from Cisco, Yardi, Novacoast, Microsoft, Greenhills Software, Rightscale, Boeing, Citrix, Facebook, Special Technologies Lab, Appfolio, Aerospace Corporation

• Invited Participant, ISAT Black Cloud Workshop, Berkeley, CA (DARPA sponsored)

• Various keynotes, invited talks, and government briefings

Page 22:

The Team

• University of California, Santa Barbara
– Richard A. Kemmerer, PI, Computer Science
– Joao P. Hespanha, Electrical and Computer Engineering
– Tobias Hollerer, Computer Science and Media Arts and Technology
– Christopher Kruegel, Computer Science
– Giovanni Vigna, Computer Science

• University of California, Berkeley
– Vern Paxson, Electrical Engineering and Computer Science

• Georgia Institute of Technology
– Jeff S. Shamma, School of Electrical and Computer Engineering

Page 23:

Papers Published

• “WiGis: A Framework for Scalable Web-based Interactive Graph Visualizations,” GraphDrawing 2009, September 2009

• “Your Botnet is My Botnet: Analysis of a Botnet Takeover,” ACM CCS, November 2009

• “On Calibrating Enterprise Switch Measurements,” ACM IMC, November 2009

• “FIRE: FInding Rogue nEtworks,” ACSAC09, December 2009

• “Learning Approaches to the Witsenhausen Counterexample from a View of Potential Games,” 48th IEEE Conference on Decision and Control, December 2009

• “Botnet Judo: Fighting Spam with Itself,” NDSS, February 2010

• “A Reaction-Diffusion Model for Epidemic Routing in Sparsely Connected MANETs,” IEEE INFOCOM, March 2010

Page 24:

More Papers Published

• “Randomized Sampling for Large Zero-Sum Games,” Conference on Decision and Control, April 2010

• “On the Potential of Proactive Domain Blacklisting,” USENIX LEET, April 2010

• “Insights from the Inside: A View of Botnet Management from Infiltration,” USENIX LEET, April 2010

• “Outside the Closed World: On Using Machine Learning For Network Intrusion Detection,” IEEE Symposium on Security and Privacy, May 2010

• “SmallWorlds: Visualizing Social Recommendations,” The International Journal of the Eurographics Association, Computer Graphics Forum, June 2010

• “Behaviorism: a Framework for Dynamic Data Visualization,” IEEE Transactions on Visualization and Computer Graphics, November-December 2010 (to appear)