
Summer VFRP Experience



Presentation Transcript


  1. Summer VFRP Experience
     Tool Development for a Cyber SA System
     Martin Q. Zhao, October 1, 2010

  2. VFRP when and where
     • Applied for SFFP (summer faculty fellowship program), jointly sponsored by ASEE (American Society of Engineering Education) and AFRL
     • Application submitted: December 2009
     • Accepted (through VFRP): March 2010
     • Thanks to Drs. Allen, Cozart and Digh for their help
     • Worked at AFRL’s Rome Research Site for 10 weeks (May 24 – July 30)
     • Griffiss Business and Technology Park: http://www.griffissbusinesspark.com/

  3. AFRL/RI: an overview
     • US Air Force Research Laboratory, Information Directorate, in Rome, NY
     • AFRL/RI is the component responsible for command, control, communications, computers and intelligence (C4I) research and development
     • Core Technology Competencies (CTCs):
       - Information Exploitation
       - Information Fusion & Understanding
       - Information Management
       - Advanced Computing Architectures
       - Cyber Operations
       - Connectivity
       - Command and Control

  4. Information Fusion
     • Data fusion is a formal framework that expresses the means and tools for combining data originating from different sources.
     • Data fusion aims at obtaining information of greater quality; the exact definition of 'greater quality' depends on the application.
     • In military applications, it emphasizes collecting and processing raw data from various sensor sources and tracking and identifying activities of interest, so as to provide situation awareness (SA) that lets the decision maker take appropriate actions.

  5. Unified SA Model by Salerno et al. ['05]
     • Dr. Endsley’s model ['95]:
       - Perception
       - Comprehension
       - Projection
     • JDL (joint director of labs) model ['91, revised '98]:
       - Level 0: Source preprocessing / sub-object refinement
       - Level 1: Object refinement
       - Level 2: Situation refinement
       - Level 3: Impact assessment
       - Level 4: Process refinement
     (Dr. Salerno also co-chaired a Social Computing conference three times.)

  6. Cyber SA: Virtual Terrain
     The virtual terrain is a graphical representation of a computer network containing the information relevant for a security analysis of that network, including:
     • Hosts & subnets
     • Routers, sensors & firewalls
     • Physical & wireless links
     • Services & exposures
     • Users and accounts
     • Mission & criticality scores

  7. Sample Virtual Terrain
     [Network diagram of cs.mercer.edu; the nodes and addresses labelled in the figure are:]
     • Internet: xxx.xxx.xxx.xxx
     • Main Switch: 168.15.1.1
     • Cobra: 168.15.1.2
     • Eagle: 168.15.1.3
     • Raptor: 168.15.1.4
     • Apache: 168.15.1.5
     • Intruder: 168.15.1.6
     • Zeus: 168.15.1.7
     • Lab 100: 168.15.2.1 – .21
     • 2nd Flr. Switch: 168.15.3.2
     • Lab 204: 168.15.4.1 – .21
     • Faculty-1: 168.15.5.1 – .8
     • Lab 200: 168.15.6.1 – .17
     • 3rd Flr. Switch: 168.15.7.2
     • Lab 306: 168.15.8.1 – .21
     • Faculty-2: 168.15.9.1 – .4
     • Lab 304: 168.15.10.1 – .15

  8. Sample Mission Tree
     [Tree diagram] cs.mercer.edu mission → Sub-mission_1 … Sub-mission_n → App_1_1 … App_1_m → Asset … Asset

  9. Cyber SA: Tracking Attack Events
     IDS alerts (source → destination):
     (1) ICMP Ping NMAP (62.34.46.54 → 45.34.12.1)
     (2) SCAN nmap fingerprint attempt (38.244.61.9 → 45.34.12.2)
     (3) x86 mountd overflow (62.34.46.54 → 45.34.12.1)
     (4) gobbles SSH overflow (62.34.46.54 → 45.34.12.1)
     (5) SCAN cybercop os SFU12 probe (38.244.61.9 → 45.34.12.2)
     (6) WEB-MISC windmail.exe access (38.244.61.9 → 45.34.12.2)
     (7) ICMP Ping NMap (45.34.12.1 → 45.34.13.1)
     (8) EXPLOIT RADIUS MSID overflow attempt (45.34.12.2 → 45.34.12.2)
     (9) chown command attempt (62.34.46.54 → 45.34.12.1)
     (10) MS-SQL:PROCEDURE-DUMP (45.34.12.2 → 45.34.12.2)

  10. Cyber SA: Attack Method Categories

  11. Cyber SA: Attack Guidance Template

  12. SITA: Situation Identification & Threat Assessment

  13. Summer Research: An Overview
     • Title of the proposal: Knowledge Representation & Reasoning for Impact/Threat Assessment in Cyber Situation Awareness Systems
     • Objective: enhancing the SITA system
       - Find ways to model domain knowledge
       - Develop a tool for VT creation/modification
     • Collaborators:
       - Dr. John Salerno
       - Mike Manno
       - Jimmy Swistak
       - Warren Geiler

  14. Problems to Solve
     • Tools need to be developed to feed SITA with data
     • The amount of data is huge
       - A computer network can have hundreds of machines and thousands of software applications and user accounts
       - Known vulnerabilities number in the thousands, and the count is ever growing
     • XML files are used, and they can contain redundant data
       - This harms efficiency
       - It is hard to change anything, due to the well-known anomalies:
         · Insertion
         · Deletion
         · Update

  15. Conceptual Data Model

  16. Relational Data Model – VT (S/W, H/W, Link & Policy, Exposure)

  17. Relational Data Model – Mission

  18. Relational Data Model – Exposure

  19. Mission Map Editor – Requirements
     • Requirements modeling with a use-case diagram
     • (Type of) user: SA Operator
     • System functions:
       - Access data in file/DB
       - Display a mission tree
       - Modify a mission tree
       - Save changes to file/DB
       - Create a mission tree

  20. Mission Map Editor – Tree creation
     [Annotated screenshot; the numbered steps are:]
     1. File | New
     2. Top mission
     3. Add more
     4. Set criticality
     5. Assign assets
     6. File | Save

  21. Mission Map Editor – Architecture
     [Architecture diagram with the components: XML, Mission Map Model, VT Model, DB]

  22. Mission Map Editor – Dynamics

  23. Vulnerability Lookup – Overview
     Questions to answer:
     • What is a vulnerability?
     • What is an exposure?
     • How is it stored in the NVD?
     • What is CVE?
     • What is CPE?
     • How are they related to SITA?
     The National Vulnerability Database (NVD) contains:
     • Common Vulnerabilities and Exposures (CVE) entries, e.g.
         <entry id="CVE-2010-0278">
           … …
           <cpe-lang:logical-test negate="false" operator="OR">
             <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_7"/>
             <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_vista"/>
           … …
         </entry>
     • Common Platform Enumeration (CPE) items, e.g.
         <cpe-item name="cpe:/o:microsoft:windows_7">
           <title xml:lang="en-US">Microsoft Windows 7</title>
           … …
         </cpe-item>

  24. Vulnerability Lookup – Prototype
     [Screenshot of the prototype with labelled regions: 0 (Load files), A (CVSS Rating), B (Apps affected), C (Exposure)]

  25. Vulnerability Lookup – Ideal ways
     [Diagram of a lookup keyed on a CPE name, e.g. cpe:/o:microsoft:windows_7]
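As an added illustration of the CVE/CPE lookup that slides 23 and 25 describe (example code written for this transcript, not code from the SITA system or the Vulnerability Tracker prototype): it parses the NVD 2.0 CVE feed and CPE dictionary shapes shown above, evaluates each entry's cpe-lang logical-test (including nested AND/OR and negate) against a set of installed CPE names, and resolves CPE names to their dictionary titles. The feed and dictionary contents are constructed samples; CVE-9999-0001 and cpe:/a:example:webapp:1.0 are placeholders, and only CVE-2010-0278 and the two Windows CPE names come from the slides.

```python
import xml.etree.ElementTree as ET

NS = {"feed": "http://scap.nist.gov/schema/feed/vulnerability/2.0",   # NVD 2.0 feed
      "cpe-lang": "http://cpe.mitre.org/language/2.0",                # CPE language
      "dict": "http://cpe.mitre.org/dictionary/2.0"}                  # CPE dictionary
LT, FR = "{%s}logical-test" % NS["cpe-lang"], "{%s}fact-ref" % NS["cpe-lang"]

# Constructed sample feed in the shape shown on slide 23 (not real NVD data);
# CVE-9999-0001 is a placeholder id that exercises a nested AND/negated test.
CVE_FEED = """<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
     xmlns:cpe-lang="http://cpe.mitre.org/language/2.0">
<entry id="CVE-2010-0278"><cpe-lang:logical-test negate="false" operator="OR">
  <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_7"/>
  <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_vista"/>
</cpe-lang:logical-test></entry>
<entry id="CVE-9999-0001"><cpe-lang:logical-test negate="false" operator="AND">
  <cpe-lang:fact-ref name="cpe:/a:example:webapp:1.0"/>
  <cpe-lang:logical-test negate="true" operator="OR">
    <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_7"/></cpe-lang:logical-test>
</cpe-lang:logical-test></entry></nvd>"""

# Constructed CPE dictionary excerpt: CPE name -> human-readable product title.
CPE_DICT = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
<cpe-item name="cpe:/o:microsoft:windows_7"><title xml:lang="en-US">Microsoft Windows 7</title></cpe-item>
<cpe-item name="cpe:/o:microsoft:windows_vista"><title xml:lang="en-US">Microsoft Windows Vista</title></cpe-item>
<cpe-item name="cpe:/a:example:webapp:1.0"><title xml:lang="en-US">Example WebApp 1.0</title></cpe-item>
</cpe-list>"""

def evaluate(elem, installed):
    """Evaluate a CPE language element against the installed CPE names: a fact-ref is a
    membership test, a logical-test combines its children with AND/OR (optionally negated),
    and any other container (e.g. the entry itself) is treated as OR over the tests inside."""
    if elem.tag == FR:
        return elem.get("name") in installed
    results = [evaluate(c, installed) for c in elem if c.tag in (FR, LT) or len(c)]
    value = all(results) if elem.get("operator") == "AND" else any(results)
    return (not value) if elem.get("negate") == "true" else value

def load_cpe_titles(cpe_xml):
    """Parse a CPE dictionary into {cpe name: title} for display in the lookup tool."""
    return {i.get("name"): i.findtext("dict:title", namespaces=NS)
            for i in ET.fromstring(cpe_xml).iterfind("dict:cpe-item", NS)}

def affected_cves(cve_xml, installed):
    """Return ids of CVE entries whose platform configuration matches the installed set."""
    return [e.get("id") for e in ET.fromstring(cve_xml).iterfind("feed:entry", NS)
            if any(evaluate(t, installed) for t in (c for c in e if c.tag == LT or len(c)))]
```

Feeding the installed CPE names of one virtual-terrain host into affected_cves gives the "apps affected" list the prototype displays, and load_cpe_titles supplies the product names for it.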

  26. Future R&D
     • MissionMapEditor: thorough testing and refactoring
     • VulnerabilityTracker:
       - Research the processes for checking/updating the CVE and CPE data feeds
       - Design a layered system architecture
       - Design and implement a GUI that organizes products by category (such as OS, apps, HW), vendor, product family, version, etc.
     • IDS (e.g. Snort) alert specifics and their mapping to CVE, as well as to SITA
     • VT model generation from automatic scanning data
     • Cyber situation visualization

  27. Q&A

  28. Fall Extension Updates – Vul’Tracker

  29. Fall Extension Updates – Vul’Tracker

  30. Fall Extension Updates – Vul’Tracker
     The data feed file download and DB loading/update functions have been tested with:
     • CVE data feed files for
       - 2010 (two versions: one from July [15 MB] and another from the December revision [39 MB]) and
       - 2009 [34 MB]; and
     • the CPE file from July 2010 [6.8 MB].
     • Table 1 – Vendor Counts by Platform Types
     • Table 2 – Count of Vulnerable Software by Year
