Proposal defense presentation

PROACTIVE SCHEMES FOR MISSION ASSURANCE IN CRITICAL SYSTEMS Ruchika Mehresh Ph.D. Dissertation Proposal Defense Department of Computer Science and Engineering University at Buffalo, The State University of New York December 20, 2011 Advisor : Dr. Shambhu Upadhyaya Committee Members : Dr. H. Raghav Rao Dr. Murat Demirbas

PRESENTATION OUTLINE Introduction Motivation Problem Formulation Background Solution Remaining Work Dissertation Outline Conclusion Threat Model Solution Evaluation Deception as a tool Component 1 “ Who watches the watcher” Component 2 “ Hiding detection” Component 3 “ Deception-based recovery”

Mission Critical Systems
essential services whose failure disrupts business operations
not restricted to military domain
day-by-day increasing complexity
leads to residual bugs and security vulnerabilities
worsened by increasing intelligence of attackers
example: electricity, communication channel for e-business
Mission assurance
diverse measures required to make the missions resilient
System engineering
Risk management
Etc.
INTRODUCTION

Basic needs for mission assurance:
Mission survivability
subset of mission assurance
ability of a system to fulfill its mission in a timely manner
focus is on an event’s impact on the mission, not its cause
phases: prevention, detection, recovery, adaptation
INTRODUCTION Focus
Against benign faults: Fault tolerance
Against malign attacks: Security
Prevention
+
Detection
+
Recovery

INTRODUCTION Prevention Detection Recovery

Attacker’s profile
smart
adaptive (not unpredictable)
resourceful (well sponsored)
stealthy
aggressive behavior easier to spot
stealth causes more damage
political, cooperate-espionage, hacktivism, cyber-extortionism
‘ Single-shot’ vs. ‘multi-stage stealth attacks’
multi-stage: initial low-risk, sniffing phases to obtain information, installing backdoors, etc.
Attacker executes well-planned multi-stage stealth attacks with a contingency plan
INTRODUCTION

Need: Another layer of defense beyond conventional recovery
Aim: Develop and evaluate a secure proactive recovery scheme to ensure mission survivability against smart and determined attackers.
MOTIVATION

Attacker’s behavior is generally categorized as
Rational: Attackers that care about both cost and incentive
Irrational: Attackers that care only about incentive
When risk is a cost
As in cyber warfare, industrial espionage
Rational attackers execute stealth attacks
Irrational attackers are aggressive and do not show stealth behavior
MOTIVATION

PRESENTATION OUTLINE Introduction Motivation Problem Formulation Background Solution Remaining Work Dissertation Outline Conclusion Deception as a tool Component 1 Component 2 Component 3 Threat Model Solution Evaluation

Design a realistic attack model that represents today’s era of cyber warfare and competitive open market
Provide mission assurance
By further strengthening the recovery phase of a mission critical system
Satisfy timeliness property ( low overhead )
MOTIVATION

PROBLEM FORMULATION 1. System type : Mission critical 2. Last wall of defense : secure recovery phase for mission survivability 3. Mission Survivability : Satisfy timeliness property 4. Indefinite missions : time-independent security strength 5. Focus : on event’s impact, not cause 6. Attack model : basis for solution design 7. Tamper-proof : ‘Who watches the watcher ?’ 8. Effective Evaluation 9. Integrity over availability

PROBLEM FORMULATION
Mode 1: A short running mission with a definite timeline
Example: Countdown timer for space shuttle launch
Final phase is the most crucial
Hold off the attacker from causing major damage till the mission completes
Mode 2: A long running mission with an unbounded timeline
Example: Electricity to run life-support system
Full system recovery is essential if an attack is suspected
Need to buy defender more time to figure out exact vulnerabilities exploited so the next recovery cycle can be more effective

BACKGROUND National Counter Intelligence executive mentioned malicious sleeper code left behind by other nation-states Multi-stage delivery of malware
Stuxnet
Configuration- specific actions
limited spread
Self-erasing
Spread in industry
“ Stuxnet is the new face of 21st-century warfare: invisible, anonymous, and devastating ”
Botnet ‘command and control’

Intrusion tolerance
Ensures that system provides service even in the presence of faults
Necessary for mission survivability
Types of intrusion tolerant systems
Detection triggered: Relies on IDS to trigger recovery (reactive)
Algorithm driven: employs algorithms like voting, threshold cryptography, fragment redundancy scattering, etc.
Recovery based: Periodic restoration
Hybrid: Proactive and reactive
BACKGROUND

BACKGROUND
McAfee survey report, 2011. includes 200 IT executives from critical infrastructure enterprises in 14 countries
Ongoing cyber-reconnaissance of US critical infrastructure by nation-states
Some electric companies report thousands of probes every month
Focus on resilience against denial-of-service-like cyber-attacks rather than a high-end attack intended to sabotage equipment, like stealthy infiltration, Stuxnet (leading threat)

Knapp and Boulton
Baskerville’s asymmetric war theory justifies need for innovation in defense.
BACKGROUND

SOLUTION DESIGN Component 1: Surreptitious intrusion detection by keeping the IDS tamper-proof Component 2: Making the integrity signature invisible and accessible to the attacker Component 3: Deception-based proactive recovery scheme, and multi-phase evaluation framework

Component 1:
Threat model to compromise IDS
Graph-based topological solution in multi-core environment
Component 2:
Threat model to attack recovery
Low cost hardware-based solution (timeliness property)
Component 3:
Threat model for smart attacker
Deception-based proactive recovery scheme
Other
Evaluation Framework
Two modes: Centralized, decentralized
CONTRIBUTIONS

“ All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near. Hold out baits to entice the enemy. Feign disorder, and crush him. If he is secure at all points, be prepared for him. If he is in superior strength, evade him. If your opponent is prone to anger, seek to irritate him. Pretend to be weak, that he may grow arrogant. If he is taking his ease, give him no rest. If his forces are united, separate them. Attack him where he is unprepared, appear where you are not expected.”: Sun Tzu in ‘The Art of War’
DECEPTION FOR DEFENSE

DECEPTION FOR DEFENSE
Two ways to defeat a strong adversary:
be stronger
manipulate adversary into reduced effectiveness
Deception consists of:
determining the observables
induce desired observations & control the focus of attention
use concealment
Cyber deception (Cydec)
vast literature and taxonomies
deception techniques like fingerprint scrubbing, obfuscation, etc.
Internal discussions held by Air Force Cyber Command staff in 2008
current networks present a sitting target
need for change
Deception
hackers, hacktivists, etc.
honey pots

Smart burglar –disable ADT first before burglarizing a home!
Malware exists that subvert protection devices
user space components like, intrusion detection systems, antivirus
retrovirus
disables/infects antivirus
example: argument switch attacks
easier in multithread, multi-core setup
THREAT MODEL

Problem: “Who watches the watcher?”
Solutions proposed
use of virtual machine: High cost (mission survivability)
topological frameworks: Details later
We propose
a topological framework in multi-core environment
THREAT MODEL

Design and Implementation of IDS
user space
traditional deployment
kernel space
better protection, but increases the trusted computing base
Secure monitoring of user space IDS
running them on isolated virtual machines
self protection by redundancy and reconfiguration
We propose a hybrid of user-level and kernel level protection
EXISTING SOLUTIONS

EXISTING SOLUTIONS
Chameleon project at UIUC
Can be easily compromised
AAFID project at Purdue
Provides only a marginal increase in security

PROPOSED SOLUTION
Circulant digraph
Very difficult to subvert
Provides an infinite hierarchy of monitoring using finite number of monitors

WHY MULTI-CORE
Multi-core technology has become mainstream and it presents new security and design challenges
Existing solutions need to be reevaluated
Concurrency can be exploited to provide efficacy

SIMPLE ARCHITECTURE Intrusion detector or a crucial user space service Lightweight process monitor Direction of Monitoring Process i runs on core i , and 1≤i≤K, where K is the total number of cores on the processor Numbers from 1-K indicate the K cores of the host’s processor 2 3 4 5 6 1 K K-1

THREAT MODEL
Denial of Service attacks in multi-core
Memory hogging
Addressed by conditional check
Window of vulnerability
Scheduling interrupts continuous monitoring
Addressed by multiple degree of incidence
Exploiting system vulnerabilities
Crash attacks

FRAMEWORK TOPOLOGIES
Topology 1: Simple Ring
Topology 2: Circulant Digraph
A circulant digraph C K (a 1 , . . . , a n ) with K vertices v 0 , . . . v K−1 and jumps a 1 , . . . , a n , 0 < a i < ⌊K/2⌋, is a directed graph such that there is a directed edge each from all the vertices v j ±a i mod K, for 1 < i < n to the vertex v j , 0 < j <K – 1. It is also homogeneous i.e., every vertex has the same degree (number of incident edges), which is 2n, except when a i =K/2 for some i, when the degree is 2n−1 Figure: Circulant digraph with 8 process monitors running on 8 cores. One process monitor per core. This circulant digraph has a degree of incidence 3 and jumps {1,2} 3 5 4 6 7 8 2 1

FRAMEWORK TOPOLOGIES
Topology 3: Adaptive Cycle
Multiple degree of incidence raises multiple alerts for reporting the same instance of suspicious activity
Need to reduce the extra overhead (we just need one)
Figure: Adaptive topology when cores 2 and K are heavily loaded 1 K-1 … . … . 4 3 K 2

k-queue currently supports only exit(), fork() and exec() family of system calls
Currently, our experiments are limited to crash attacks
All processes can be crashed using the kill() system call
An attacker is given all information about vulnerabilities
Are TOCTOU style attacks possible?
Experiments performed under heavy system load
ATTACK SCENARIOES

EVALUATION
Multi-core simulator: AMD SimNow
Kernel level filters for tamper-resistant process monitoring
kqueue (event delivery/notification subsystem) – freeBSD
kqueue currently supports only exit(), fork() and exec()
Eight simulated cores
one process-monitor per core
Possibility of TOCTOU attacks under heavy system load.

EVALUATION – TIME OVERHEAD Figure: Time Overhead (Initial setup time for the kqueue subsystem to get loaded) for circulant digraph topology with 8 process monitors
Figure: Memory overhead (memory consumed by an instance of the framework as a % of the system memory capacity) in an 8-node circulant digraph topology

EVALUATION – TAMPER RESISTANCE Figure: Alerts generated for killing process monitors in sequential order without delay, under light system load Figure: Alerts generated for killing process monitors in sequential order without delay, under heavy system load

CONCLUSION
Monitoring framework to secure IDS in a multi-core environment
low time overhead
low memory overhead
strong tamper-resistance properties

Threats to recovery phase
attacks on byzantine protocols
attacks on proactive recovery protocols
attacks on proactive-reactive recovery protocols
attacks on proactive-reactive recovery with spatial diversity
the quiet invader
the physical access threat
Reactive recovery
can not detect all intrusions
false positives
predictive vs. reactive
THREAT MODEL

Profile: Smart, Adaptive, Resourceful, Stealthy
Irrational attacker
payoff = incentive
Rational attacker
payoff = incentive – cost
= incentive – (finance +risk)
smart attacker wants to keep incentive high, risk low
Be stealthy for low risk
Plan enough for high incentive
if attacker suspects detection, risk -> ∞, how can attacker maximize the payoff?
by making, incentive -> ∞
THREAT MODEL

THREAT MODEL

Assumed a centralized, replicated system for demonstration
Information hidden using low level built-in hardware that is not accessible to the adversary.
Defender’s response to detection
prepare while deceiving
secure recovery
COMPONENTS 2 AND 3 “ Hiding detection?” AND “Deception-based recovery”

Coordinator Replica 1 Replica 2 Replica 3 Replica n Workload Workload Workload Workload Workload Replica 3 R R R R Periodic checkpoint Hardware Signature Periodic checkpoint Hardware Signature Need at least a duplex system H C H C H C H C Periodic checkpoint Hardware Signature Periodic checkpoint Hardware Signature Periodic checkpoint Hardware Signature

HARDWARE SIGNATURE GENERATION

PERFORMANCE ANALYSIS
Cases
Case 1: S ystems with no checkpointing
Case 2: Systems with checkpointing, no failures/attacks
Case 3: Systems with checkpointing, failures/attacks
Workload
Java SciMark 2.0 benchmark workloads: FFT, SOR, Sparse, LU
Multi-step simulation based evaluation approach

Complex system with several hardware and software layers
Which is best?
Theoretical models like, CTMC
Prototype implementation
Functional simulation
We propose
Using a mix of methods in multiple steps
Benefits
Low cost
Low effort
Higher accuracy
Realistic results
MULTI-STEP EVALUATION

Divide-and-Conquer, system modularization
Start at the highest level and approach downwards
composability
sufficiency
Lowest level
black-box defined with parameters derived from implementation
Tools used
prototype development – JAVA
simulation – ARENA
hardware simulation - CADENCE
MULTI-STEP EVALUATION

MULTI-STEP APPROACH

RESULTS

CONCLUSION
Low cost solution to secure proactive recovery
Utilized redundant hardware
Small overhead in absence of failures
effective preventive measure

Framework implementation - threat specific
REVISITING SOLUTION DESIGN Intrusion Detection System Symptoms to Script mapping (Smart box) Smart Script Repository

REMAINING WORK
Extending the framework to decentralized environment
Choosing the topology
Designing a secure, distributed voting algorithm
Designing decentralized reputation based mechanism
Possible use of Nexus
Developing scheme for tamper-resistance and mission survivability

DISSERTATION OUTLINE Chapters Topic s Chapter 1 Introduction Chapter 2 Background Chapter 3 Problem Formulation Chapter 4 Surreptitious intrusion detection by keeping the IDS tamper-proof (For both centralized and decentralized environment) Chapter 5 Making the integrity signature invisible and accessible to the attacker (For both centralized and decentralized environment) Chapter 6 Deception-based secure proactive scheme (For both centralized and decentralized environment) Chapter 7 Evaluation Chapter 8 Conclusion

Developed a realistic attack model
Proposed a deception-based proactive recovery scheme to ensure mission survivability against smart and adaptive attackers
demonstrated using a centralized, replicated system
Proposed and evaluated scheme to make the proposed solution tamper-proof
Performance results so far:
low overhead
security strength is time-independent
CONCLUSION

Workshop publications
R. Mehresh, S. J. Upadhyaya and K. Kwiat, “A Multi-step Simulation Approach toward Secure Fault Tolerant System Evaluation,” in Third International Workshop on Dependable Network Computing and Mobile Systems (DNCMS), Co-located at 29th IEEE Symposium on Reliable Distributed Systems , 2010, pp. 363-367.
Conference publications
R. Mehresh, S. J. Upadhyaya and K. Kwiat, “Secure Proactive Recovery – A Hardware Based Mission Assurance Scheme,” in Sixth International Conference on Information Warfare and Security , 2011, pp. 171-179.
R. Mehresh, J. J. Rao, S. J. Upadhyaya, S. Natarajan and K. Kwiat, “Tamper-resistant Monitoring for Securing Multi-core Environments,” in Sixth International Conference on Security and Management (SAM) , vol. 2, 2011, pp. 372-378.
Journal publications
R. Mehresh, S. J. Upadhyaya and K. Kwiat, “Secure Proactive Recovery – A Hardware Based Mission Assurance Scheme,” in Journal of Network Forensics , vol 3(2), 2011, pp. 32-48.
REFERENCES

Proposal defense presentation

by Ruchika Mehresh

Accessibility

Categories

Upload Details

Usage Rights

3 Embeds 97

Statistics

Proposal defense presentation Presentation Transcript

http://www.rmehresh.com	63
http://www.ruchikamehresh.com	20
http://preview.utkarshprateek.vpweb.com	14