Visible to the public Monitoring, Fusion, and Response for Cyber Resilience - July 2020Conflict Detection Enabled

Submitted by mikeprosise on Tue, 07/14/2020 - 5:19pm

PI: William Sanders

Researchers: Mohammad Noureddine, Uttam Thakore, and Ben Ujcich

HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.

  • HARD PROBLEM(S) ADDRESSED
    Resilient Architectures - Experience suggests that even heavily defended systems can be breached by attackers given enough time, resources and talent. We propose the concept of a response and recovery engine (RRE) so that a system could "tolerate" an intrusion and provide a base level of service. RRE incorporates modules to monitor current state of a system, detect intrusions, and respond to achieve resilience-specific goals. Our work focuses on a few example attacks. These attacks include lateral movement within a network as part of an Advanced Persistent Threat (APT), tampering with monitoring data to hide attacker activity, and application-level distributed denial of service attacks (DDoS).
  • Policy-Governed Secure Collaboration - We analyzed the issues surrounding the software-defined networking (SDN) architecture from an accountability standpoint, considering various principals involved (e.g., controller software, network applications, administrators, end users, organizations), mechanisms for assurance about past network state (e.g., data provenance, replicated data stores, roots of trust), thoughts on judging and assessing standards for accountability (e.g., legal, contractual, regulatory), and mechanisms for decentralized enforcement (e.g., blockchain-based smart contracts). We motivated the need for accountability though a network application use case, and we argued that an assured understanding of the past for attribution can help lead to taking better responses for resiliency.

PUBLICATIONS
Papers written as a result of your research from the current quarter only.

None to report.

KEY HIGHLIGHTS
Each effort should submit one or two specific highlights. Each item should include a paragraph or two along with a citation if available. Write as if for the general reader of IEEE S&P.
The purpose of the highlights is to give our immediate sponsors a body of evidence that the funding they are providing (in the framework of the SoS lablet model) is delivering results that "more than justify" the investment they are making.

Our RRE work incorporates modules to monitor current state of a system, detect intrusions, and respond to achieve resilience-specific goals. Intrusion detection in large-scale distributed systems, which is a necessary precondition for intrusion tolerance and resilience, is highly susceptible to malicious manipulation of system data used for detection (e.g., using rootkits and log tampering), which we term "monitor compromise". Existing literature attempts to counteract the problem using reputation systems, which weight the trustworthiness of monitor data based on past trustworthiness of the data, but such systems are themselves subject to "betrayal attacks" and "sleeper attacks". We instead propose the use of data-driven methods for detecting potential monitor compromise. We leverage the insight that systems usually contain multiple monitors that provide redundant information about system activity, so we can use discrepancies between observations of system activity across different monitors (sometimes referred to as differential observability in literature) to identify potential monitor compromise.

For monitor compromise detection, we have developed a data-driven method to detect missing monitor information, an indicator of potential monitor compromise, using evidential reasoning and data mining. To construct the model for our approach, we have devised a method to mine meaningful correlations between system activity (i.e., events) and the discrete data points produced by monitors (i.e., alerts) and between alerts of different types from heterogeneous historical system data. We have trained our models for evidential reasoning and association rule mining on real data from an enterprise system, and applied our detection ensemble method to the real data with meaningful results. We implemented our monitor compromise detection approach such that it runs in real-time on online monitor data and ran experiments on enterprise network and host data from the National Center for Supercomputing Applications (NCSA) with different injected compromise scenarios.

To support coordinated analysis of heterogeneous monitor data (which spans numerical metrics to unstructured, textual log data) that is present in large-scale distributed systems, such as enterprise and cloud systems, we have developed a framework to semi-automatically process monitor data from multiple levels of said systems into a manageable set of meaningful time series features for further intrusion or incident analysis. Based on an analysis of how incident response teams in industry utilize monitor data, we have come up with a taxonomy of monitor data fields and devised an approach in which we can take monitor data for which fields have been annotated using our taxonomy, automatically unstack and aggregate them into meaningful time series features, and group together redundant features across all monitors in the system. We have evaluated our approach on experimental PaaS cloud data from an industry partner containing eight different monitor types.

To improve the resilience of intrusion and incident detection against monitor compromise in a manner that does not require changing the detection mechanisms already in place, we have developed a model-based approach to quantify the resilience of a system's monitoring and incident detection infrastructure against monitor compromise and to maximize resilience under monitoring cost constraints. Our approach uses constraint programming to quantify the effect of monitor compromise on incident detection capabilities, and formulates the problem of maximizing resilience against monitor compromise as a cost-constrained optimization problem searching over the space of monitor deployments. We have implemented our approach using state-of-the-art tools for constraint programming and constrained, nonlinear optimization. We have evaluated our approach using randomly-generated models of varying sizes and structures, and compared its performance against our previous work published in DSN 2016 titled "A Quantitative Methodology for Security Monitor Deployment.". We demonstrate how our analysis can help system administrators make more effective monitoring decisions in line with their incident detection objectives and priorities.

COMMUNITY ENGAGEMENTS

No community engagements this quarter.

EDUCATIONAL ADVANCES:

None to report.

Groups: