Presentation Transcript

Summer VFRP Experience

Tool Development for a Cyber SA System

Martin Q. Zhao

October 1, 2010

VFRP when and where
  • Applied for SFFP (summer faculty fellowship program) jointly sponsored by ASEE (American Society of Engineering Education) and AFRL
    • Application submitted: December, 2009
    • Accepted (through VFRP): March, 2010
    • Thanks to Drs. Allen, Cozart and Digh for their help
    • Worked at AFRL’s Rome Research Site for 10 weeks (May 24 – July 30)
  • Griffiss Business and Technology Park http://www.griffissbusinesspark.com/
AFRL/RI an overview
  • US Air Force Research Laboratory Information Directorate in Rome, NY.
  • AFRL/RI is the component responsible for command, control, communication and computers and intelligence (C4I) research and development.
  • Core Technology Competencies (CTCs):
    • Information Exploitation
    • Information Fusion & Understanding
    • Information Management
    • Advanced Computing Architectures
    • Cyber Operations
    • Connectivity
    • Command and Control
Information Fusion
  • Data fusion is a formal framework in which the means and tools for combining data originating from different sources are expressed.
  • Data fusion aims at obtaining information of greater quality; the exact definition of 'greater quality' depends upon the application.
  • In the context of military applications, it emphasizes collecting and processing raw data from various sensory sources and tracking and identifying activities of interest, so as to enable situation awareness (SA) for the decision maker to take appropriate actions.
Unified SA Model by Salerno et al. ['05]
  • Dr. Endsley's model ['95]:
    • Perception
    • Comprehension
    • Projection

Dr. Salerno also co-chaired a Social Computing conference three times.

  • JDL (joint director of labs) model ['91, revised '98]:
    • Level 0: Source Preprocessing/subobject refinement
    • Level 1: Object refinement
    • Level 2: Situation refinement
    • Level 3: Impact Assessment
    • Level 4: Process Refinement


Cyber SA Virtual Terrain

The virtual terrain is a graphical representation of a computer network containing information relevant for a security analysis of a computer network, including:

  • Hosts & Subnets
  • Routers, sensors & firewalls
  • Physical & wireless links
  • Services & exposures
  • Users and accounts
  • Mission & criticality scores
Sample Virtual Terrain cs.mercer.edu

Network diagram nodes and their addresses (the links between nodes are not recoverable from the transcript):

  • Internet: xxx.xxx.xxx.xxx
  • Cobra: 168.15.1.2
  • Raptor: 168.15.1.4
  • Intruder: 168.15.1.6
  • Lab 100: 168.15.2.1 - .21
  • Main Switch: 168.15.1.1
  • Eagle: 168.15.1.3
  • Apache: 168.15.1.5
  • Zeus: 168.15.1.7
  • Lab 204: 168.15.4.1 - .21
  • Faculty - 1: 168.15.5.1 - .8
  • Lab 200: 168.15.6.1 - .17
  • 2nd Flr. Switch: 168.15.3.2
  • Lab 306: 168.15.8.1 - .21
  • Lab 304: 168.15.10.1 - .15
  • Faculty - 2: 168.15.9.1 - .4
  • 3rd Flr. Switch: 168.15.7.2


Sample Mission Tree cs.mercer.edu

Tree diagram (mission, sub-missions, applications, assets):

  • mission
    • Sub-mission_1
      • App_1_1
        • Asset
      • App_1_m
        • Asset
    • Sub-mission_n


Cyber SA Tracking Attack Events

IDS alerts (source → destination):

  (1) ICMP Ping NMAP (62.34.46.54 → 45.34.12.1)
  (2) SCAN nmap fingerprint attempt (38.244.61.9 → 45.34.12.2)
  (3) x86 mountd overflow (62.34.46.54 → 45.34.12.1)
  (4) gobbles SSH overflow (62.34.46.54 → 45.34.12.1)
  (5) SCAN cybercop os SFU12 probe (38.244.61.9 → 45.34.12.2)
  (6) WEB-MISC windmail.exe access (38.244.61.9 → 45.34.12.2)
  (7) ICMP Ping NMap (45.34.12.1 → 45.34.13.1)
  (8) EXPLOIT RADIUS MSID overflow attempt (45.34.12.2 → 45.34.12.2)
  (9) chown command attempt (62.34.46.54 → 45.34.12.1)
  (10) MS-SQL:PROCEDURE-DUMP (45.34.12.2 → 45.34.12.2)
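The slide lists raw IDS alerts; tracking attack events means turning that stream into per-source tracks so that a later alert whose source was an earlier target (alerts 7, 8 and 10 above) stands out as a possible pivot. The Python below is an added illustration, not code from the presentation or the SITA system: it parses the ten alerts above (written with "->" for the arrow), groups them by source in order of first appearance, and marks pivots. The stage labels come from a keyword heuristic assumed for this example, not from Snort's own classifications.

```python
import re

# Constructed sample input: the ten alerts from the slide, with "->" standing
# in for the arrow glyph that did not survive extraction.
RAW_ALERTS = """\
(1) ICMP Ping NMAP (62.34.46.54 -> 45.34.12.1)
(2) SCAN nmap fingerprint attempt (38.244.61.9 -> 45.34.12.2)
(3) x86 mountd overflow (62.34.46.54 -> 45.34.12.1)
(4) gobbles SSH overflow (62.34.46.54 -> 45.34.12.1)
(5) SCAN cybercop os SFU12 probe (38.244.61.9 -> 45.34.12.2)
(6) WEB-MISC windmail.exe access (38.244.61.9 -> 45.34.12.2)
(7) ICMP Ping NMap (45.34.12.1 -> 45.34.13.1)
(8) EXPLOIT RADIUS MSID overflow attempt (45.34.12.2 -> 45.34.12.2)
(9) chown command attempt (62.34.46.54 -> 45.34.12.1)
(10) MS-SQL:PROCEDURE-DUMP (45.34.12.2 -> 45.34.12.2)
"""

# "(seq) signature text (src -> dst)"
ALERT_RE = re.compile(r"\((\d+)\)\s+(.*?)\s+\(([\d.]+) -> ([\d.]+)\)")

STAGE_ORDER = {"recon": 0, "exploit": 1, "activity": 2}


def parse_alerts(text):
    """Return a list of (seq, signature, src, dst) tuples; unparsable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            seq, sig, src, dst = m.groups()
            alerts.append((int(seq), sig, src, dst))
    return alerts


def stage_of(signature):
    """Keyword heuristic (assumed for this example) mapping a signature to a coarse stage."""
    s = signature.lower()
    if "overflow" in s or s.startswith("exploit"):
        return "exploit"
    if "scan" in s or "ping" in s or "probe" in s:
        return "recon"
    return "activity"


def build_tracks(alerts):
    """Group alerts into per-source tracks, in order of first appearance.

    A track records the distinct targets, the (seq, stage) pairs, and whether the
    source had already been a destination of an earlier alert (a pivot candidate).
    """
    seen_targets = set()
    tracks = {}
    for seq, sig, src, dst in alerts:
        track = tracks.setdefault(src, {
            "src": src, "targets": [], "stages": [], "pivot": src in seen_targets,
        })
        if dst not in track["targets"]:
            track["targets"].append(dst)
        track["stages"].append((seq, stage_of(sig)))
        seen_targets.add(dst)
    return list(tracks.values())


def highest_stage(track):
    """The furthest stage reached on a track, by the order recon < exploit < activity."""
    return max((stage for _, stage in track["stages"]), key=STAGE_ORDER.get)


if __name__ == "__main__":
    for t in build_tracks(parse_alerts(RAW_ALERTS)):
        flag = " PIVOT" if t["pivot"] else ""
        print(f"{t['src']:>12} -> {','.join(t['targets'])}: "
              f"alerts {[s for s, _ in t['stages']]}, reached {highest_stage(t)}{flag}")
```

Run as a script, the two external sources (62.34.46.54 and 38.244.61.9) each produce a recon-to-activity track against one internal host, and both internal hosts 45.34.12.1 and 45.34.12.2 are flagged as pivots because they appear as sources only after having been targets.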

Summer Research An Overview
  • Title of the proposal: Knowledge Representation & Reasoning for Impact/ Threat Assessment in Cyber Situation Awareness Systems
  • Objective: Enhancing the SITA system
    • Find ways to model domain knowledge
    • Develop a tool for VT creation/modification
  • Collaborators:
    • Dr. John Salerno
    • Mike Manno
    • Jimmy Swistak
    • Warren Geiler
Problems to Solve
  • Tools need to be developed to feed SITA with data
  • Amount of data is huge
    • A computer network can have hundreds of machines, thousands of software applications and user accounts
    • Known vulnerabilities are in the thousands, and the number is ever growing.
  • XML files are used: they can contain redundant data
    • Harm efficiency
    • Hard to change anything: due to well-known anomalies
      • Insertion
      • Deletion
      • Update
Relational Data Model-VT

Entity groups in the VT schema diagram: S/W, H/W, Link & Policy, Exposure


Mission Map Editor-Requirements
  • Requirements modeling w/ a use-case diagram
  • User (type): SA Operator
  • System Functions:
    • Access data in file/DB
    • Display a mission tree
    • Modify a mission tree
    • Save changes to file/DB
    • Create a mission tree
Mission Map Editor-Tree creation

Steps shown on the screenshot:

  1. File | New
  2. Top mission
  3. Add more
  4. Set criticality
  5. Assign assets
  6. File | Save

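The sample mission tree and the six creation steps together describe one data structure: a mission decomposed into sub-missions and applications, each node carrying a criticality, with assets assigned to the application nodes. The Python below is an added example, not the Mission Map Editor's own code, showing what that structure is for: once hosts from the virtual terrain are attached, a compromised host can be traced upward to the missions it affects (the JDL Level 3 impact assessment the earlier slide names). The tree contents, criticality values, asset assignments and the product-of-criticalities scoring rule are all assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass
class MissionNode:
    """One node of a mission tree: mission, sub-mission or application."""
    name: str
    criticality: float                      # 0..1, set in step 4 of the slide
    children: list = field(default_factory=list)
    assets: list = field(default_factory=list)   # hostnames, step 5 (application nodes only)

    def add(self, child):
        self.children.append(child)
        return child


def build_sample_tree():
    """Constructed tree for cs.mercer.edu. Node names follow the slide's pattern and
    the hostnames come from the sample virtual terrain, but every criticality value
    and asset assignment here is made up for the example."""
    root = MissionNode("mission (cs.mercer.edu)", 1.0)                   # step 2: top mission
    teach = root.add(MissionNode("Sub-mission_1 (teaching labs)", 0.8))   # step 3: add more
    teach.add(MissionNode("App_1_1 (lab web portal)", 0.9, assets=["Apache"]))
    teach.add(MissionNode("App_1_2 (course file share)", 0.5, assets=["Zeus", "Apache"]))
    research = root.add(MissionNode("Sub-mission_n (faculty research)", 0.6))
    research.add(MissionNode("App_n_1 (research database)", 0.7, assets=["Cobra"]))
    return root


def impacted_paths(node, asset, path=()):
    """Yield (path, score) for every application node that depends on `asset`.

    Assumed scoring rule: the product of criticalities from the root down to the
    application, so a low-criticality branch dampens the impact of its assets.
    """
    path = path + (node,)
    if asset in node.assets:
        score = 1.0
        for n in path:
            score *= n.criticality
        yield " / ".join(n.name for n in path), round(score, 3)
    for child in node.children:
        yield from impacted_paths(child, asset, path)


def mission_impact(root, compromised):
    """Worst-case mission impact per compromised host (0.0 if no mission uses it)."""
    return {host: max((score for _, score in impacted_paths(root, host)), default=0.0)
            for host in compromised}


def render(node, depth=0):
    """Indented text view of the tree, like the editor's tree panel."""
    line = "  " * depth + f"{node.name} [crit={node.criticality}]"
    if node.assets:
        line += " assets=" + ",".join(node.assets)
    return "\n".join([line] + [render(c, depth + 1) for c in node.children])


if __name__ == "__main__":
    tree = build_sample_tree()
    print(render(tree))
    for host, score in mission_impact(tree, ["Apache", "Cobra", "Raptor"]).items():
        print(f"{host}: worst-case mission impact {score}")
```

With these values, losing Apache scores 0.72 through the lab web portal (it also appears under the file share at 0.4, but the worst path is reported), Cobra scores 0.42 through the research database, and Raptor scores 0.0 because no application in the tree has it assigned.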

Mission Map Editor-Architecture

Components in the architecture diagram: XML, Mission Map Model, VT Model, DB


Vulnerability Lookup-Overview
  • What is a vulnerability?
  • What is an exposure?
  • How is it stored in NVD?
  • What is CVE?
  • What is CPE?
  • How are they related to SITA?

The National Vulnerability Database (NVD) contains Common Vulnerabilities and Exposures (CVE) entries and Common Platform Enumeration (CPE) items.

CVE entry (excerpt):

    <entry id="CVE-2010-0278">
      … …
      <cpe-lang:logical-test negate="false" operator="OR">
        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_7"/>
        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_vista"/>
      … …
    </entry>

CPE item (excerpt):

    <cpe-item name="cpe:/o:microsoft:windows_7">
      <title xml:lang="en-US">Microsoft Windows 7</title>
      … …
    </cpe-item>


Vulnerability Lookup-Prototype

Screenshot regions: 0 Load files; A CVSS Rating; B Apps affected; C Exposure


Vulnerability Lookup-Ideal ways

  • cpe:/o:microsoft:windows_7

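The lookup slides show the two pieces an exposure table needs: a CVE entry whose cpe-lang:logical-test names the affected platforms, and a CPE dictionary that gives each name a title. Joined with a host-to-software relation of the kind the relational VT model holds (the "S/W" and "Exposure" entities from the earlier slide), that answers "which hosts are exposed to which CVEs?" by CPE name, the ideal way the last slide points at. The Python below is an added example, not the VulnerabilityTracker prototype or any SITA code. The feed and dictionary excerpts are constructed to mirror the slide's fragments (the namespace URIs are those of the NVD 2.0 feed and the CPE 2.0 dictionary; CVE-XXXX-0001, the example products, the CVSS scores and the host inventory are placeholders), and the evaluator handles nested AND/OR tests and negation, which goes beyond the single OR test the slide shows.

```python
import xml.etree.ElementTree as ET

# Namespace URIs bound to the prefixes used in the slide's fragments.
NS = {
    "feed": "http://scap.nist.gov/schema/feed/vulnerability/2.0",
    "vuln": "http://scap.nist.gov/schema/vulnerability/0.4",
    "cvss": "http://scap.nist.gov/schema/cvss-v2/0.2",
    "cpe-lang": "http://cpe.mitre.org/language/2.0",
    "cpe-dict": "http://cpe.mitre.org/dictionary/2.0",
}


def q(prefix, local):
    """Clark-notation tag name; avoids path parsing of hyphenated element names."""
    return "{%s}%s" % (NS[prefix], local)


# Constructed CVE feed: the first entry mirrors the slide's CVE-2010-0278 fragment; the
# second (placeholder id, nested AND/OR test) exists only to exercise the evaluator.
# CVSS scores are placeholders, not NVD's values.
CVE_FEED = """<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
     xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4"
     xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2"
     xmlns:cpe-lang="http://cpe.mitre.org/language/2.0">
  <entry id="CVE-2010-0278">
    <vuln:vulnerable-configuration>
      <cpe-lang:logical-test negate="false" operator="OR">
        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_7"/>
        <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_vista"/>
      </cpe-lang:logical-test>
    </vuln:vulnerable-configuration>
    <vuln:cvss><cvss:base_metrics><cvss:score>5.0</cvss:score></cvss:base_metrics></vuln:cvss>
  </entry>
  <entry id="CVE-XXXX-0001">
    <vuln:vulnerable-configuration>
      <cpe-lang:logical-test negate="false" operator="AND">
        <cpe-lang:fact-ref name="cpe:/a:example:webapp:1.0"/>
        <cpe-lang:logical-test negate="false" operator="OR">
          <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_7"/>
          <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_vista"/>
        </cpe-lang:logical-test>
      </cpe-lang:logical-test>
    </vuln:vulnerable-configuration>
    <vuln:cvss><cvss:base_metrics><cvss:score>9.3</cvss:score></cvss:base_metrics></vuln:cvss>
  </entry>
</nvd>
"""

# Constructed CPE dictionary excerpt, following the slide's cpe-item fragment.
CPE_DICT = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <cpe-item name="cpe:/o:microsoft:windows_7"><title xml:lang="en-US">Microsoft Windows 7</title></cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_vista"><title xml:lang="en-US">Microsoft Windows Vista</title></cpe-item>
  <cpe-item name="cpe:/a:example:webapp:1.0"><title xml:lang="en-US">Example WebApp 1.0</title></cpe-item>
</cpe-list>
"""

# Constructed host -> installed software relation (hostnames from the sample VT,
# software assignments made up): the S/W table of a relational VT model.
HOST_SOFTWARE = {
    "Eagle": {"cpe:/o:microsoft:windows_7", "cpe:/a:example:webapp:1.0"},
    "Raptor": {"cpe:/o:microsoft:windows_vista"},
    "Apache": {"cpe:/o:example:os:1.0"},
}


def load_cpe_titles(xml_text):
    """Map CPE name -> human-readable title from a CPE dictionary."""
    titles = {}
    for item in ET.fromstring(xml_text).iter(q("cpe-dict", "cpe-item")):
        title = item.find(q("cpe-dict", "title"))
        titles[item.get("name")] = title.text if title is not None else item.get("name")
    return titles


def evaluate(test, installed):
    """Evaluate a cpe-lang:logical-test (AND/OR, negate, nesting) against a set of CPE names."""
    results = []
    for child in test:
        if child.tag == q("cpe-lang", "fact-ref"):
            results.append(child.get("name") in installed)
        elif child.tag == q("cpe-lang", "logical-test"):
            results.append(evaluate(child, installed))
    value = all(results) if test.get("operator", "OR").upper() == "AND" else any(results)
    return (not value) if test.get("negate", "false").lower() == "true" else value


def vulnerable_entries(feed_xml, installed):
    """Return [(cve_id, cvss_score)] for entries whose configuration matches `installed`."""
    hits = []
    for entry in ET.fromstring(feed_xml).iter(q("feed", "entry")):
        tests = [t for conf in entry.iter(q("vuln", "vulnerable-configuration")) for t in conf]
        if any(evaluate(t, installed) for t in tests):
            score_el = next(entry.iter(q("cvss", "score")), None)
            hits.append((entry.get("id"), float(score_el.text) if score_el is not None else None))
    return hits


def exposures(feed_xml, host_software):
    """Per-host exposure list: the VT Exposure relation derived from S/W joined with CVE."""
    return {host: vulnerable_entries(feed_xml, cpes) for host, cpes in host_software.items()}


if __name__ == "__main__":
    titles = load_cpe_titles(CPE_DICT)
    for host, hits in exposures(CVE_FEED, HOST_SOFTWARE).items():
        sw = ", ".join(titles.get(c, c) for c in sorted(HOST_SOFTWARE[host]))
        print(f"{host} [{sw}]: {hits or 'no known exposures'}")
```

Eagle matches both entries (Windows 7 satisfies the first OR test, and Windows 7 plus the web application satisfy the second AND test), Raptor matches only CVE-2010-0278 through Windows Vista, and Apache matches nothing because its placeholder OS appears in no fact-ref. Keying the join on CPE names rather than free-text product names is what keeps the lookup exact as the feeds are refreshed.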

Future R&D
  • MissionMapEditor: Thorough testing and refactoring
  • VulnerabilityTracker:
    • Research the processes of checking/updating CVE and CPE data feeds
    • Design a layered system architecture
    • Design and implement GUI that organizes products by category (such as OS, apps, HW), vendor, product family, version, etc
  • IDS (e.g. Snort) alerts specifics and mapping with CVE, as well as with SITA
  • VT model generation using automatic scanning data
  • Cyber situation visualization
Fall Extension Updates – Vul’Tracker

The data feed file download and DB loading/update functions have been tested with

  • CVE data feed files for
    • 2010 (two versions, one from July [15 MB] and another from December revision [39 MB]) and
    • 2009 [34 MB]; and
  • CPE file from July 2010 [6.8 MB].
  • Table 1 – Vendor Counts by Platform Types
  • Table 2 – Count of Vulnerable Software by Year