Research & Development Roadmap

Presentation Transcript
Outline
  • A New Communication Framework
  • Giving Bro Control over the Network
  • Security Monitoring for Industrial Control Systems
  • Parallelism on Concurrent Architectures

Communication Today
  • Primitives
    • Sending events
    • &synchronized
  • Limitations
    • Model doesn’t scale; no hierarchies
    • Loose semantics: best effort service
    • No integration with persistence
    • Implementation lacks robustness
    • Two separate protocol implementations

Initial Proposal
  • Extend event propagation
    • Routing
    • Subscription groups
    • Push/pull models
  • Remove &synchronized (and the proxies...)
  • Add global, persistent data structure
    • Probably just key/value store
    • Explicit API

Initial Proposal (cont’d.)
  • Implementation
    • “Data nodes” in charge of tables; nodes attach
    • Receive updates and broadcast them back out
    • Limit values to atomic data types
    • Use existing libraries
    • Implement as a library
  • Trading “magic” for better semantics and control

Objectives
  • Bro controls what it sees
    • Adapt the front-end load-balancing
  • Bro controls what the network does
    • Block, steer, shape

Science DMZs
  (figure: Science DMZ topology with 100G and 10/100G links; source: ESNet)

100 Gb/s Cluster
  (diagram: Border Router, 100GE link, Science DMZ Switch, 100G Load-balancer, 10GE links into the Bro Cluster, with labelled API and Control paths between Bro and the switch/load-balancer)

Transparent Script Interface
  • Packet Acquisition
    • drop(entity)
    • sample(entity)
    • notify(entity, cond)
  • Packet Control
    • drop(entity)
    • sample(entity)
    • throttle(entity)
    • redirect(entity, destination)

Transparent Script Interface (cont’d.)
  • “Entity” could be very different things ...
  • Plugins implement what hardware supports

Industrial Control Systems
  • Critical resources, yet lacking in protection
    • Often legacy hardware hard to protect
    • Not built with security in mind
  • Classic IDS not a good fit
    • Attacks rare / unknown
    • Behavioral approaches don’t take context into account

Industrial Control Systems (cont’d.)
  • Significant potential through incorporating semantics
    • Understand protocols Bro-style
    • Create visibility
    • Develop models of what we should be seeing
  • Anomaly detection could actually work here

First steps ...
  • Protocol support in 2.2
    • Modbus
    • DNP3
  • Only basic script analysis so far

Research Thrusts (1)
  • Measurement study: What do we see?
    • Actors, workloads, cross-site characterization
    • As we do that, extend Bro’s logging
  • Environments
    • Municipal water and gas plants
    • Campus power-plant
    • Building automation at a large research lab
    • Looking for more ...

Research Thrusts (2)
  • Semantic models for monitoring
  • Statistical profiling
    • Summary statistics framework
  • Power Grid State Model
  • PLC Memory Maps

PLC Memory Maps
  • Categorize registers
    • Constant, attribute, continuous
  • Derive predictive models
    • ... and validate them
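One way to realise the register categorization and model validation sketched on this slide, as an added example that is not from the presentation or from Bro; the three categories follow the slide, while the thresholds, the register numbers and the sample values are constructed assumptions:

```python
"""Categorize PLC registers from observed value histories and derive simple
predictive models per register, then validate new observations against them.
Thresholds and sample data are constructed assumptions, not from the slides."""

ATTRIBUTE_MAX_DISTINCT = 4   # assumption: few discrete states => "attribute"
CONTINUOUS_MARGIN = 0.1      # assumption: tolerate 10% drift beyond the seen range

def categorize(values):
    """Return 'constant', 'attribute' or 'continuous' for one register's history."""
    distinct = len(set(values))
    if distinct == 1:
        return "constant"
    if distinct <= ATTRIBUTE_MAX_DISTINCT:
        return "attribute"
    return "continuous"

def derive_model(values):
    """Build a predictive model from a training window of one register's values."""
    cat = categorize(values)
    if cat == "constant":
        return {"category": cat, "value": values[0]}
    if cat == "attribute":
        return {"category": cat, "allowed": set(values)}
    lo, hi = min(values), max(values)
    margin = (hi - lo) * CONTINUOUS_MARGIN
    return {"category": cat, "min": lo - margin, "max": hi + margin}

def validate(model, value):
    """True if a newly observed value is consistent with the learned model."""
    cat = model["category"]
    if cat == "constant":
        return value == model["value"]
    if cat == "attribute":
        return value in model["allowed"]
    return model["min"] <= value <= model["max"]

# Constructed sample: holding-register histories as a Modbus analyser might log them
TRAINING = {
    40001: [1200] * 20,                                  # config id, never changes
    40002: [0, 0, 1, 1, 1, 0, 0, 1, 1, 0],               # pump on/off state
    40003: [51.2, 51.9, 52.4, 53.0, 52.1, 51.5, 50.8, 51.0, 52.2, 52.9],  # tank level
}

def build_models(training):
    """Map register number -> derived model."""
    return {reg: derive_model(vals) for reg, vals in training.items()}

def check_observations(models, observations):
    """Return the (register, value) pairs that deviate from their learned model."""
    return [(reg, v) for reg, v in observations
            if reg in models and not validate(models[reg], v)]
```

Registers that deviate from their model are candidates for the anomaly detection the previous slide argues is feasible in this setting.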

Concurrent Analysis
  (diagram of Bro's current pipeline: Network → Packets → Event Engine (Protocol Decoding) → Events → Policy Script Interpreter (Analysis Logic) → Logs and Notification)

Architecture
  (diagram of the proposed concurrent architecture: Network → Packet Dispatcher (NIC) → Event Engine Threads doing Packet Analysis → Events → Dispatcher → Script Threads running Detection Logic in the Scripting Language → Notification)

New Platform: Abstract Machine
  • A High-Level Intermediary Language for Traffic Inspection
    • Domain-specific Data Types
    • State Management
    • Concurrent Analysis
    • Real-time Performance
    • Robust/Secure Execution
    • High-level Standard Components
  • First-class networking types built-in
  • Containers with state management support
  • Domain-specific concurrency model
  • Scalability through parallelization
  • Well-defined, contained execution environment
  • Platform for building high-level, reusable functionality on
  • Timers can drive execution
  • Support for incremental processing
  • Compilation to native code
  • Static type-system, and robust error handling
  • Extensive optimization potential

Research Questions
  • How to identify state dependencies?
    • Static program analysis to drive scheduling
  • How to leverage hardware capabilities?
    • E.g., network processors, hardware lookup modules

HILTI enables more ...

BinPAC++ Demo

Robin Sommer
  • International Computer Science Institute, & Lawrence Berkeley National Laboratory
  • robin@icsi.berkeley.edu
  • http://www.icir.org/robin
