An Open Security Defense Architecture For Open Collaborative Cyber Infrastructures
Multi-step Attacks
[Figure: a multi-step attack path from the Internet, through Firewall 1, to the corporation's web pages and on to an internal workstation]

Solution
[Figure: solution architecture with the following components: Information collection (host configuration, information about users / user information, OVAL/Nessus Repository, NVD, CVSS), an Automated analyzer (MulVAL), a Reasoning System that reports the baseline security status, and a Security expert who consumes it]
Ou, Govindavajhala, and Appel. Usenix Security 2005
[Figure: the MulVAL analyzer takes MulVAL Scanner output and Interaction Rules as input and produces Answers]

Oops! execCode(attacker, webServer, apache).

Interaction rule:
  execCode(Attacker, Host, PrivilegeLevel) :-
      vulExists(Host, Program, remote, privilegeEscalation),
      serviceRunning(Host, Program, Protocol, Port, PrivilegeLevel),
      networkAccess(Attacker, Host, Protocol, Port).

Facts used in the derivation:
  networkAccess(attacker, webServer, tcp, 80).               Derived (attacker on the internet; webServer in the dmz behind Firewall 1)
  serviceRunning(webServer, httpd, tcp, 80, apache).         From MulVAL Scanner
  vulExists(webServer, httpd, remote, privilegeEscalation).  From MulVAL Scanner & OVAL, NVD

GPN 2009 May 29, Kansas City, Missouri
[Figure: MulVAL pipeline. Network configuration and machine configuration are translated into a Datalog representation; the resulting proofs of assertions are rendered by the Graph Builder]
What the system administrator saw:
  - Abnormally high traffic
  - TrendMicro server communicating with known BotNet controllers
  - Seemingly malicious code modules
  - Found open IRC sockets with other TrendMicro servers
Evidence: netflow dump, memory dump
Conclusion: These TrendMicro Servers are certainly compromised!
[Figure: Reasoning Engine. Observations (IDS alerts, netflow dump, syslog, server log) are mapped to their semantics in an Internal model; the internal model in turn targets subsequent observations]
Observation Correspondence
Mapping observations to internal conditions: from what you can see to what you want to know.
  obs(anomalyHighTraffic)       --p-->  int(attackerNetActivity)
  [observation not recovered]   --l-->  int(compromised(H))
  [observation not recovered]   --l-->  int(exchangeCtlMessage(H1,H2))
(Modes: p = possible, l = likely, c = certain.)
Internal Model
Logical relation among internal conditions. Each row reads Condition1 --m1--> Condition2 and Condition2 --m2--> Condition1.

  Condition1                                    m1  m2  Condition2
  int(compromised(H1))                          p   c   int(probeOtherMachine(H1,H2))
  int(compromised(H1))                          p   c   int(sendExploit(H1,H2))
  int(sendExploit(H1,H2))                       l   p   int(compromised(H2))
  int(compromised(H1)), int(compromised(H2))    p   c   int(exchangeCtlMessage(H1,H2))
Proof Strengthening
[Figure: two independent proofs that "f is likely true", resting on different observations (O1, O2, O3), are combined by proof strengthening into "f is certainly true"]
[Figure: pipeline. Snort alerts go through pre-processing into summarized tuples; the Reasoning Engine applies the Observation Correspondence and the Internal Model to them]
obsMap(obsRuleId_3615, obs(snort(1:1140, FromHost, ToHost, _Time)),
       int(probeOtherMachine(FromHost, ToHost)), ).
obsMap(obsRuleId_3614, obs(snort(1:1140, FromHost, ToHost, _Time)),
       int(compromised(ToHost)), p).
l ?
Coverage
Snort rules by the internal predicate they map to:
  Predicates handled by the internal model: 59%
  Suspicious: 41%
Snort has about 9000 rules. This is just a baseline and needs to be fine-tuned.
It would make more sense for the rule writer to define the observation correspondence relation when writing a rule.
Some Results

| ?- show_trace(int(compromised(H), c)).
int(compromised(192.168.10.90),c)                               192.168.10.90 was certainly compromised!
  strengthenedPf
    int(compromised(192.168.10.90),l)
      intRule_1
        int(probeOtherMachine(192.168.10.90,192.168.70.49),l)   A probe was sent from 192.168.10.90
          obsRulePre_1
            obs(snort(122:1,192.168.10.90,192.168.70.49,_h272))
    int(compromised(192.168.10.90),l)
      intRule_3
        int(sendExploit(128.111.49.46,192.168.10.90),c)         An exploit was sent to 192.168.10.90
          obsRuleId_3749
            obs(snort(1:1807,128.111.49.46,192.168.10.90,_h336))
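The observation correspondence, internal model and proof strengthening steps above, worked through as an added Python example (not code from the slides or from MulVAL): a small forward-chaining engine run over the two Snort alerts that appear in the trace. The observation modes (l for 122:1, c for 1:1807) and the mode l of intRule_3 are read off the slides; the mode c for intRule_1 and the strengthening rule (two likely proofs resting on disjoint observations give a certain one) are assumptions.

```python
from itertools import combinations

# Certainty modes used on the slides: p (possible) < l (likely) < c (certain).
RANK = {"p": 0, "l": 1, "c": 2}

def weaker(m1, m2):
    """A derived fact is only as strong as the weakest mode on its derivation path."""
    return m1 if RANK[m1] <= RANK[m2] else m2

# Observation correspondence: Snort sid -> (internal predicate, mode), as used by the
# obsRulePre_1 and obsRuleId_3749 steps of the trace on the results slide.
OBS_MAP = {"122:1": ("probeOtherMachine", "l"), "1:1807": ("sendExploit", "c")}

# Internal model: (rule name, premise predicate, which argument is the compromised host, rule mode).
# intRule_1: probeOtherMachine(H1,H2) -> compromised(H1); intRule_3: sendExploit(H1,H2) -> compromised(H2).
# Mode l for intRule_3 is read off the internal-model slide; mode c for intRule_1 is an assumption.
INT_RULES = [("intRule_1", "probeOtherMachine", 0, "c"), ("intRule_3", "sendExploit", 1, "l")]

def reason(alerts):
    """alerts: list of (sid, src, dst). Returns {fact: (mode, proof)}, keeping the strongest proof per fact."""
    proofs = []  # (fact tuple, mode, frozenset of observation indices it rests on, proof text)
    # Step 1: observation correspondence.
    for i, (sid, src, dst) in enumerate(alerts):
        if sid in OBS_MAP:
            pred, mode = OBS_MAP[sid]
            proofs.append(((pred, src, dst), mode, frozenset({i}), f"obs(snort({sid},{src},{dst}))"))
    # Step 2: internal model, one forward-chaining pass; derived mode = weaker(premise mode, rule mode).
    for fact, mode, obs, why in list(proofs):
        for name, premise, arg, rmode in INT_RULES:
            if fact[0] == premise:
                proofs.append((("compromised", fact[1 + arg]), weaker(mode, rmode), obs, f"{name} <- {why}"))
    # Step 3: proof strengthening: two 'likely' proofs resting on disjoint observations give a 'certain' one.
    for (f1, m1, o1, w1), (f2, m2, o2, w2) in combinations(list(proofs), 2):
        if f1 == f2 and m1 == m2 == "l" and not (o1 & o2):
            proofs.append((f1, "c", o1 | o2, f"strengthenedPf [{w1}] [{w2}]"))
    best = {}
    for fact, mode, _, why in proofs:
        if fact not in best or RANK[mode] > RANK[best[fact][0]]:
            best[fact] = (mode, why)
    return best

# Constructed input: the two alerts that appear in the results trace (sid, source, destination).
ALERTS = [("122:1", "192.168.10.90", "192.168.70.49"),
          ("1:1807", "128.111.49.46", "192.168.10.90")]

if __name__ == "__main__":
    for fact, (mode, why) in reason(ALERTS).items():
        print(fact, mode, why)  # compromised(192.168.10.90) comes out with mode c
```

Removing either alert from ALERTS leaves compromised(192.168.10.90) at mode l only, which is exactly what the strengthening step adds.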
Summary
- Open knowledge sharing and automated knowledge reuse is key in effective cyber defense
- Advantages of logic-based techniques:
  - Publishing and incorporation of knowledge/information through well-understood logical semantics
  - Efficient and sound analysis by leveraging the reasoning power of well-developed logic-deduction systems
Who We Are
Argus: Cyber Security Research Group at Kansas State University
http://people.cis.ksu.edu/~xou/argus/
Contact me: Simon Ou xou@ksu.edu
Thank You!
Questions?