A Monitoring Fusion and Response Framework to Provide Cyber Resiliency - July 2017

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s): William H. Sanders

Researchers: Brett Feddersen, Atul Bohara, Carmen Cheh, Ahmed Fawaz, Mohamad Noureddine, Uttam Thakore, and Benjamin E. Ujcich

HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.

• Resilient Architectures - Experience suggests that even heavily defended systems can be breached by attackers given enough time, resources and talent. We propose the concept of a response and recovery engine (RRE) so that a system could "tolerate" an intrusion and provide a base level of service. RRE incorporates modules to monitor current state of a system, detect intrusions, and respond to achieve resilience-specific goals. Our work focuses on a few example attacks. These attacks include lateral movement within a network as part of an Advanced Persistent Threat (APT) and application-level distributed denial of service attacks (DDoS).
• Policy-Governed Secure Collaboration - We analyzed the issues surrounding the software-defined networking (SDN) architecture from an accountability standpoint, considering various principals involved (e.g., controller software, network applications, administrators, end users, organizations), mechanisms for assurance about past network state (e.g., data provenance, replicated data stores, roots of trust), thoughts on judging and assessing standards for accountability (e.g., legal, contractual, regulatory), and mechanisms for decentralized enforcement (e.g., blockchain-based smart contracts). We motivated the need for accountability though a network application use case, and we argued that an assured understanding of the past for attribution can help lead to taking better responses for resiliency.

PUBLICATIONS
Papers published in this quarter as a result of this research. Include title, author(s), venue published/presented, and a short description or abstract. Identify which hard problem(s) the publication addressed. Papers that have not yet been published should be reported in region 2 below.

C. Cheh, B. Chen, W. G. Temple, and W. H. Sanders, "Data-Driven Model-Based Detection of Malicious Insiders via Physical Access Logs", 14th International Conference on Quantitative Evaluation of Systems (QEST 2017), Berlin, Germany, September 5-7, 2017, to appear.

Abstract: The risk posed by insider threats has usually been approached by analyzing the behavior of users solely in the cyber domain. In this paper, we show the viability of using physical movement logs, collected via a building access control system, together with an understanding of the layout of the building housing the system's assets, to detect malicious insider behavior that manifests itself in the physical domain. In particular, we propose a systematic framework that uses contextual knowledge about the system and its users, learned from historical data gathered from a building access control system, to select suitable models for representing movement behavior. We then explore the online usage of the learned models, together with knowledge about the layout of the building being monitored, to detect malicious insider behavior. Finally, we show the effectiveness of the developed framework using real-life data traces of user movement in railway transit stations.

Atul Bohara, Mohammad A. Noureddine, Ahmed Fawaz, and William H. Sanders, "An Unsupervised Multi-Detector Approach for Identifying Malicious Lateral Movement", 36th IEEE International Symposium on Reliable Distributed Systems (SRDS 2017), Hong Kong, September 26-29, 2017, to appear.

Abstract: Lateral movement-based attacks increasingly lead to compromises in large private and government networks, often resulting in information exfiltration or service disruption. Such attacks are often slow and stealthy and usually evade existing security products. To enable effective detection of such attacks, we present a new approach based on graph-based modeling of the security state of the target system and correlation of diverse indicators of anomalous host behavior. We believe that irrespective of specific attack vectors used, attackers typically establish a command and control (C&C) channel to operate, and move in the target system to escalate their privileges and reach sensitive areas. Accordingly, we identify important features of C&C and lateral movement activities and extract them from internal and external communication traffic. Driven by the analysis of the features, we propose the use of multiple anomaly detection techniques to identify compromised hosts. These methods include Principal Component Analysis, k-means clustering, and Median Absolute Deviation-based outlier detection. We evaluate the accuracy of identifying compromised hosts by using injected attack traffic in a real enterprise network dataset, for various attack communication models. Our results show that the proposed approach can detect infected hosts with high accuracy and low false positive rate.

Policy-Governed Secure Collaboration

B. E. Ujcich, A. Miller, A. Bates, and W. H. Sanders, "Towards an Accountable Software-Defined Networking Architecture." 3rd IEEE Conference on Network Softwarization (NetSoft 2017), Bologna, Italy, July 3-7, 2017, to appear.

Abstract: Software-defined networking (SDN) overcomes many limitations of traditional networking architectures because of its programmable and flexible nature. Security applications, for instance, can dynamically reprogram a network to respond to ongoing threats in real time. However, the same flexibility also creates risk, since it can be used against the network. Current SDN architectures potentially allow adversaries to disrupt one or more SDN system components and to hide their actions in doing so. That makes assurance and reasoning about past network events more difficult, if not impossible. In this paper, we argue that an SDN architecture must incorporate various notions of accountability for achieving system wide cyber resiliency goals. We analyze accountability based on a conceptual framework, and we identify how that analysis fits in with the SDN architecture's entities and processes. We further consider a case study in which accountability is necessary for SDN network applications, and we discuss the limits of current approaches.

ACCOMPLISHMENT HIGHLIGHTS

Our RRE work incorporates modules to monitor current state of a system, detect intrusions, and respond to achieve resilience-specific goals. In the area of intrusion detection, we proposed data-driven model-based frameworks to detect abnormal movement in a system. We have used lateral movement within an enterprise network and physical movement within railway transit stations as examples. For the physical movement case, we have developed a framework that uses the building topology and historical user movement data in order to build models that describe normal user movement behavior. During system operation, physical accesses are compared to the models and those that deviate from the model are labeled as malicious. In that work, we use real-world physical data to show that our approach can detect malicious movement in an online manner.

For lateral movement within an enterprise network, we have developed an approach to correlate lateral movement behavior with command and control indicators to identify infected hosts. The approach uses an ensemble of anomaly detectors to have an accurate detection even when attacker deviates from assumed threat model. As an example, we modelled lateral movement within the network using a virus spread model. RRE takes as input information about which host are part of the lateral movement. RRE responds by first allowing the attack to proceed to learn more about it, and then by designing an optimal response (changing connectivity and healing events) to stop the spread. In this work, we prove that the response results in a stable disease-free equilibrium.

We tackled the problem of ensuring cloud application resiliency against application distributed denial of service attacks (DDoS). We proposed an engine that uses OpenStack's cloud telemetry infrastructure to monitor the cloud applications and uses change point detection to differentiate periods of high load from DDoS attacks. Once an attack has been detected, the engine bootstraps a resiliency response module that use proof of work client puzzles to rate limit attackers in a stateless fashion. Finally, we suggest that the monitoring information can be used to perform horizontal scaling of the cloud application when under attack.