Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Bilar csiirw11


Published on

Published in: Technology, News & Politics
  • Be the first to comment

  • Be the first to like this

Bilar csiirw11

  1. 1. Monitoring Smart Grid Operations and Maintaining MissionAssurance through Adaptive Computer Network Defenses [Extended Abstract] Daniel Bilar James J. Solderitsch Elvis K. Hovor Siege Technologies LLC Accenture PLC Johns Hopkins University 33 S. Commercial Street 11951 Freedom Drive Information Security Institute Manchester NH 03101, USA Reston VA 20190, USA 3400 North Charles Street daniel.bilar james.j.solderitsch Baltimore MD 21218, USA ehovor1@jhu.eduABSTRACT guide allocation of best “bang for the buck” (ROI) defenseWe present adaptive computer network defenses with a focus mechanisms against various threat classes in a constrainedon Smart Grid operations. We model Smart Grid network simulation environment. We specifically address quantifica-domains in the MESA-ExtendSim simulator and continu- tion of metrics and experimental validation since they rep-ously measure mission assurance indicators (security proper- resent methodological lacunae in the literature. A meta-ties) to gauge the network’s mission state. When thresholds survey of ninety security papers between 1981 and 2008are reached, a binary integer optimization problem is solved showed that quantified security was a weak hypothesis be-to identify appropriate host and network defenses (security cause of lack of validation and comparison against empiricalcontrols) given parameters (attacker classes) and constraints data [11].(cost and mission assurance bounds). The solution is used toactuate defense mechanisms in the simulation. We present 2. RELATED WORKmission assurance indicators in an UI before and after de- A taxonomy given by [9] takes “mission assurance” to befense actuation to gauge defensive effectiveness. synonymous with Mission Essential Functionality (MEF). The conceptual framework’s goal, similar to ours, is detec-Categories and Subject Descriptors tion of MEF degradation with runtime support for missionC.2.3 [Communication Networks]: Network Operations— assurance in terms of Quality Of Service and Informationnetwork management, network monitoring; D.2.8 [Software Assurance criteria. Our project goes further in that we de-Engineering]: Metrics—process metrics, performance mea- fine metrics, measure them, and implement a quantitative,sures; G.1.6 [Numerical Analysis]: Optimization—con- optimization-based mission assurance framework.strained optimization, integer programming The optimization approach underlying our framework is based on QRAN [2]. QRAN, a quantitative risk analysis and management framework for computer networks, is fo-General Terms cused on the risk induced by vulnerabilities present in non-simulation, optimization, security metrics malicious software. It allowed risk managers to get a com- prehensive snapshot of the constitutive software on the net-Keywords work, assess its risk with the assistance of a vulnerability database via multi-factor risk metrics, and manage that riskOptimization, Security Properties, Adaptive Defenses, Mis- by rank ordering reduction measures subject to cost, func-sion Assurance, Smart Grid tionality and risk tolerance constraints. The LANL FRNSE (Framework for Responding to Net-1. INTRODUCTION work Security Events) project looks for evidence of threats to In 2008, IT decision makers at over 80 companies were the enterprise network and responds with automated steps.polled on their use of security metrics. Almost 80% re- One of its goals is substituting scripts for low level securitysponded that demonstrating IT security effectiveness through analysts. While FRNSE focuses on detecting and respond-metrics to other functional managers helps IT to justify ac- ing to all threats to the enterprise without considering thetion and budgets [1]. In our work, we use security metrics to cost of the response, our work focuses mainly on defensive adaptations that maximize Mission Assurance within the available resource budget. Rather than just responding to events, we try to anticipate attacker next-moves so as to getPermission to make digital or hard copies of all or part of this work for ahead of them (proactive vs. reactive). However, FRNSEpersonal or classroom use is granted without fee provided that copies arenot made or distributed for profit or commercial advantage and that copies could be one of the defensive tools in our arsenal to makebear this notice and the full citation on the first page. To copy otherwise, to first pass suggestions that are then folded in with our otherrepublish, to post on servers or to redistribute to lists, requires prior specific models and algorithms [3].permission and/or a fee.CSIIRW ’11, October 12-14, Oak Ridge, Tennessee, USACopyright 2011 ACM 978-1-4503-0945-5 ...$5.00.
  2. 2. 3. CONCEPTS Table 1: Optimization parameters A key concept of our approach is shaped by the mission (or parameter descriptionpurpose) of a network. Our reference Smart Grid (Fig. 1a) n # defense responses to optimize overcontains multiple networks (clouds), connecting disparate e # attack classes of interestdomains via gateway actors (bold rectangles). These net- m # mission assurance metrics of interestworked domains support different missions. Within these c # cost factors to be considerednetwork domains, we continuously measure mission assur-ance indicators (security properties) on actors as we opti-mize for defenses (security controls) given parameters (at-tacker classes) and constraints (cost and mission assurancebounds).3.1 Mission Assurance Properties We defend, or assure, security properties. In our frame-work, assuring these properties is akin to assuring the mis-sion. These properties include (but are not limited to) avail-ability (ability to use information/resources), integrity (pre-vention of unauthorized changes), confidentiality (conceal-ment of information), authenticity (identification and as-surance of origin), freshness (non-replay of stale data andcommands) and non-repudiation (proof of responsibility). Mission assurance (MA) decreases as attacker efforts in-creases. ‘Efforts’ is meant to denote a general placeholder Figure 2: Household power consumption. High vari-and includes (but needn’t be limited to) person-hours in- ation (load factor = 0.06). Figure drawn from datavested, technical resources marshaled and drive. in [8] Effort intensity serves to separate increasingly hardier at-tack classes. We distinguish between the following five at-tack classes: Opportunistic: quasi-random attacks (likelyautomated); Hobbyist: low skill human with no strong in- 3.3 Optimization Formulationcentives; Organized crime: medium skill humans with fi- Table 1 gives an overview of the parameters. Let n benancial incentives; Nation state: highly skilled humans with the number of defense responses, let e be number of attacknational security incentives; malicious insider: abuse of priv- classes, let m be the number of MA curves (e.g. m=3 forileged insider position with financial, ideological or personal Confidentiality, Integrity, Availability) and let c be the num-motives. ber of cost factors associated with defenses (e.g. acquisition, training, cost of ownership). Table 2 gives an overview of3.2 MESA Simulation Network the parameters used by the objective function (1) and the We used the Modeling Environment for SOA Analysis constraints (2), (3) of the optimization problem.(MESA) (designed by MITRE on top of the ExtendSim Let D be an m-by-n-by-e matrix whose elements denoteframework) to model and simulate parts of the Smart Grid the mission assurance effectiveness of defenses against(Fig. 1b). Our first-iteration prototype focuses just attacker classes.on assuring confidentiality, integrity and availabil- Let A(s) be an m-by-n subspace of D denoting the mis-ity properties in the Service Provider and Customer sion assurance effectiveness of defenses against sub-domains. set of attackers. A linear function f : D → A(s) serves to The Availability metric is generated in MESA by in- narrow down the attacker domain of interest. Examples in-creasing service time for polling requests, thereby mimicking clude an average over all attackers, largest attack effort, ordegradation of service and modeling DoS. A node outside the a partial subset (e.g. only hobbyist and organized crime).domain of interest periodically polls a node in the domain Let A(s,i) be the subspace of A(s) denoting the attackerof interest to measure the MA metric. domain of interest selected by function f . Let αi be the The Integrity metric is generated by increasing both relative weight of the mission assurance metrics wethe probability and magnitude of probabilistic error terms −→ − want to maximize over. Let MArhs denote the minimumadded to data. While negative terms model service theft by assurance bounds we need to safeguard for the mission.customers, positive and negative perturbations of control Let C be a c-by-n matrix whose entries denote the costdata serves to model integrity attacks against the utility −→ − associated with defense responses. Let Costrhs denotenetwork’s control systems [5]. A node periodically samples the total upper cost limits of the chosen defense responses.the readings to measure the metric against threshold values. The feasible solution(s) are returned in the n-by-1 indicator The Confidentiality metric is modeled in MESA by vector x which denotes the set of defense responses (suchsimulating an information leak (i.e client billing data, power as watermarking, blackholing, encryption) that should beconsumption signatures of clients) by increasing the proba- actuated. The objective function solves for x which maxi-bility of copying ‘files’ from a node that can only by reached mizes (weighed by relative factor αi ) chosen mission assur-from an internal network to a node that is reachable from ance metrics.outside. An external actor periodically pulls data from thatreachable node and upon success or when watermarked data αi A(s,i) x XX max (1)passes by a gateway router/firewall, information has ‘leaked’. x s i
  3. 3. (a) NIST Smart Grid: A domain is a grouping of actors (b) Simplified MESA-ExtendSim model of Smart Grid. Only somethat has similar objectives and rely on similar systems. actors and domains are shown. Figure 1: Conceptual (NIST) and MESA-ExtendSim Smart Grid models Table 4: Defense Responses defense responses description watermark hashtag data Table 2: Optimization Variables blackhole change network routes parameter description honeynet add subnets D mission assurance effective- encrypt add network encryption ness of defenses against at- SESRAA[6] active denial tacker classes signature enable whitelisting A(s) mission assurance effective- randomize change environment ness of defenses against sub- timestamp timestamp packets set of attackers data poison mutate data A(s,i) specific mission assurance failover add hosts effectiveness of defenses against subset of attacker classes C costs of defenses subject to MArhs minimum total mission as- −→ − surance to maintain A(s) x ≥ MArhs (2) Costrhs maximum total costs allow- −→ − Cx ≤ Costrhs (3) able αi relative weight of specific such that mission assurance x defense indicator vector x ∈ {0, 1}n X αi = 1 i We set up a binary integer program (BIP) in MS Excel and solve with a Solver plugin The BIP problem class is generally NP-hard. However, since MArhs and Costrhs are plausibly integer valued, the problem can be moved to an efficiently solvable subclass by transforming Table 3: Cost items C and A(s) into totally unimodular matrices [7]. cost items description configuration deploying defenses acquisition delivering defenses 4. IMPLEMENTATION maintenance updating defenses Our simulation model uses a native feature of MESA’s opportunity ‘road-not-taken’ ExtendSim to call out to an Excel macro, either manually utilization negative impact before the simulation runs, or automatically as part of the transition runtime adoption costs execution. Through this API, MESA sets the initial defense solution indicator vector to 0, executes macros in the Excel sheet to invoke the solver, and reads back the values back into MESA. The optimization response is translated into defense actuations.
  4. 4. (a) MA measured before defenses (b) MA measured after defensesFigure 3: Mission Assurance over time for Availability (upper left), Confidentiality (upper right) and Integrity(lower left) Simulation traces before and after defense actuation are [3] J. Doak and A. Lovato. Framework for responding togiven in Figs. 3a and 3b. The availability plot shows mea- network security events (FRNSE). Technical report,sured service processing time. In Fig. 3a we see a decrease Los Alamos National Laboratory, time 3. The confidentiality plot shows suspected data [4] B. Fuller, J. Sikora, and J. Lyons. Review ofleakage overtime (in KBs). The Integrity plot shows sen- residential electrical energy use data. Technical report,sor readings for a named sensor (blue line) and a count of NAHB Research Center, July 2001.the number of sensors with abnormal readings (red line). [5] O. Kosut, L. Jia, R. Thomas, and L. Tong. LimitingAfter actuation of three simultaneous defenses (signature, false data attacks on power system state estimation.blackholing and watermarking), the dashboard on the right In Information Sciences and Systems (CISS), pagessubfigure indicates increased assurance level measurements 1–6. IEEE, 2010.across the confidentiality, integrity and availability security [6] Q. Liao, D. Cieslak, A. Striegel, and N. Chawla. Usingproperties. selective, short-term memory to improve resilience against ddos exhaustion attacks. Security and5. DISCUSSION Communication Networks, 1(4):287–299, 2008. After actuating a single defense for each kind of attack, [7] J. F. Maurras, K. Truemper, and M. Akg¨ l. uthe measurements under each attack scenario return to nor- Polynomial algorithms for a class of linear programs.mal MA levels. In future work, we hope to show the effects Mathematical Programming, 21:121–136, 1981.of applying multiple defenses simultaneously, as well as mea- [8] M. Newborough and P. Augood. Demand-sidesure the rates of change of Mission Assurance levels in more management opportunities for the UK domestic sector.complex circumstances. In Generation, Transmission and Distribution, IEE In our prototype, we based defense actuation on devia- Proceedings, volume 146, pages 283–293. IET, 1999.tion from a baseline (effect-based anomaly detection). Our [9] P. Partha, K. Rohloff, M. Atighetchi, and R. Schantz.thresholds are set by tapping empirical high resolution (one Managed mission assurance - concept, methodologyto five minute intervals) data compiled from residential elec- and runtime support. In Proceedings of SOCIALCOM,tricity time use series [12]. Empirical studies show that pages 1159–1164. IEEE, 2010.consumption patterns fluctuate greatly within daily activ- [10] S. Taherian, M. Pias, G. Coulouris, and J. Crowcroft.ity periods, with load factors (maximum power compared to Profiling energy use in households and office spaces. Inmean value) of up to 0.06 (see Fig. 2) [4, 10]. This com- Proceedings EECN, pages 21–30. ACM, 2010.plicates setting thresholds within acceptable type I and II [11] V. Verendel. Quantified security is a weak hypothesis:errors. We will negotiate this problem in the next itera- a critical survey of results and assumptions. Intion by identifying anomalies through n-tuple (rather than Proceedings of NSPW, pages 37–50. ACM, 2009.just one) thresholds and by accurately modeling household [12] J. Widen, M. Lundh, I. Vassileva, E. Dahlquist,consumption through multi-state non-homogeneous Markov K. Elleg˚ and E. Wackelgard. Constructing load ard,chain activity models [13]. profiles for household electricity and hot water from time-use data-modelling approach and validation.6. REFERENCES Energy and Buildings, 41(7):753–768, 2009. [1] R. Ayoub. Analysis of business driven metrics: Measuring for security value. White Paper, 2008. [13] J. Widen and E. Wackelgard. A high-resolution [2] D. Bilar. Quantitative Risk Analysis Of Computer stochastic model of domestic activity patterns and Networks. PhD thesis, Thayer School of Engineering electricity demand. Applied Energy, 87(6):1880–1892, (Dartmouth College), June 2003. 2010.