One of the major trends in research on Self-Protecting Systems is to use a model of the protected system to predict its evolution. However, devising such a model often requires specialized knowledge of mathematical frameworks, which hinders the adoption of this technique outside of academia. Furthermore, some of the proposed approaches suffer from the curse of dimensionality, as their complexity is exponential in the size of the protected system. In this paper, we introduce a model-integrated approach for the design of Self-Protecting Systems, which automatically generates and solves Markov Decision Processes (MDPs) to obtain optimal defense strategies for systems under attack. MDPs are created in such a way that the size of the state space depends not on the size of the system but on the scope of the attack, which allows the approach to be applied to systems of arbitrary size.
ICSE 2019: A Model-Integrated Approach to Designing Self-Protecting Systems
1. www.cci.msstate.edu
A Model-Integrated Approach to
Designing Self-Protecting Systems
Stefano Iannucci, Member, IEEE, Sherif Abdelwahed, Senior Member, IEEE,
Andrea Montemaggio, Melissa Hannis, Leslie Leonard, Jason S. King, John A. Hamilton, Jr., Senior Member, IEEE
Presented by:
Andrea Montemaggio
Research Engineer II, CCI
a.montemaggio@msstate.edu
Funding for this work was partially provided by
the U.S. Army Engineer Research and Development Center (ERDC)
under contract W912HZ-17-C-0019
2.
Automation
New Demand in Cyber Security
Past and Present
• Independent heterogeneous security
components
• Manual correlation of security events
• Manual planning and execution of the defense
strategy
• Sometimes, static attack/response mapping
The Future: Autonomic Security Management
• Automatic learning of system and attacker’s
behavior
• Prediction of the system evolution and of the
attacker strategy
• Proactive and automatic defense with security
components orchestration or choreography
3.
MAPE loop for Cyber Security domain
Autonomic Security Management
[Diagram: the MAPE loop. Sensors on the distributed system produce different event streams (NIDS events, log events, HIDS events) that feed the Monitor phase (Information Gathering). The Analyze phase (Event Manager) consumes the unified event stream; the Plan phase (Defense Strategy Planner) produces a response policy; the Execute phase (Policy Executor) carries out the response policy execution on the system through effectors.]
4.
System model design workflow with GME [1]
Model-Integrated Approach
[Workflow: Components and Topology → Attributes → Actions → Security Policy]
[1] Generic Modeling Environment, http://www.isis.vanderbilt.edu/Projects/gme.
5.
System model to Markov Decision Process (MDP)
Model-Integrated Approach
[Diagram: the system model (XML exported from GME) goes through an interpretation and transformation stage (XSLT, JAXB) that yields an MDP; MDP planning with BURLAP [2] produces the plan.]
[2] Brown-UBMC Reinforcement Learning and Planning Java library, http://burlap.cs.brown.edu.
6.
“The curse of dimensionality” (Bellman, 1957)
Challenges
Model Reduction
Theorem. All the attributes that do not directly or indirectly affect the security policy can be eliminated.
• Optimal solutions are preserved.
• Off-line application: does not depend on the system state.
• Complexity is bounded by the security policy, not the whole model.
Richard E. Bellman: “Hey, you’ve got a problem here. The state space grows exponentially with the number of attributes in your model!”
Knowledge-Based Heuristics
Knowledge coming from sensors (the system state) is leveraged to determine the set of attributes to keep.
• More aggressive state-space reduction, at the cost of producing sub-optimal solutions.
• On-line application: depends on the system state.
7.
Building a reduced model to counter the attack’s effects
Attack Scope Heuristic
The smaller the attack scope, the more effective the reduction (fewer variables are retained).
A case showing that the planned solution may be sub-optimal.
8.
Thank you for your time.
How to reach me
Andrea Montemaggio
a.montemaggio@msstate.edu
Mississippi State University
2 Research Blvd
Starkville, MS 39759
USA
• Autonomic Computing for Cyber Security
• Model-Integrated approach
• Model Interpretation: building a Markov Decision Process
• MDP-based planning: complexity issues and mitigation strategies
• Attack scope heuristic: experimental data
Editor's Notes
There’s a new demand in Cyber Security: automation.
Every day, system administrators face new cyber attacks and most of the tasks along the cyber threat management process are still performed manually or require human intervention, especially in the Intrusion Response phase.
While a lot of research has been done on the Intrusion Detection phase, very little exists on the Intrusion Response phase, and most of the available tools address the problem by providing a static mapping between a certain attack signature and a specific response. However, the increasing complexity of the enterprise systems to be protected, as well as the huge growth of cyber threats, makes this process overwhelming for any security professional.
Our research instead approaches the problem from a different angle, applying the concepts of the Autonomic Computing initiative to the Cyber Security domain.
The reference framework on top of which we built the Autonomic Security Management system is the MAPE loop for Autonomic Computing.
In the context of Cyber Security, we have the enterprise system we want to protect, which is instrumented with several sensors capable of gathering different kinds of information at runtime. For instance, think of these sensors as the monitoring systems and the Intrusion Detection Systems you already have in place.
All the information coming from the sensors is collected in the Monitor phase of the MAPE loop. Afterwards, the different information streams are aggregated into a unified view: the system state.
Then, the Analyzer component continuously evaluates the system state stream against the security policy that has been defined for the system, to tell whether the system is safe or not.
When the security policy is not satisfied, a system state is considered unsafe, and a change request is issued. The Planner component catches the change request and plans a defense strategy, which is a sequence of actions to protect the system.
Finally, this sequence of actions is passed to the Executor component, that interprets it and oversees its execution on the system.
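One iteration of the loop just described can be sketched in a few lines of Python. This is a hypothetical toy, not the authors' implementation: all names (`service_up`, `restart_service`, the placeholder planner) are illustrative.

```python
def monitor(event_streams):
    """Aggregate sensor event streams into a unified system state."""
    state = {}
    for stream in event_streams:
        state.update(stream)          # later streams refine the view
    return state

def analyze(state, security_policy):
    """Evaluate the security policy (a predicate over attributes)."""
    return security_policy(state)     # True -> safe, False -> unsafe

def plan(state):
    """Placeholder planner: return a sequence of defense actions."""
    return ["restart_service"] if not state.get("service_up", True) else []

def execute(actions, state):
    """Apply each action's effect to the (simulated) system state."""
    for action in actions:
        if action == "restart_service":
            state["service_up"] = True
    return state

# One pass of the loop on a toy unsafe state.
policy = lambda s: s.get("service_up", True)
state = monitor([{"service_up": False}, {"load": 0.4}])
if not analyze(state, policy):
    state = execute(plan(state), state)
# The state now satisfies the policy again.
```

In the real system, of course, the planner is MDP-based rather than a static mapping, and execution acts on the system through effectors rather than on a dictionary.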
All the phases make use of some knowledge about the system to protect: this knowledge is encoded into a system model.
The system model is designed with the Generic Modeling Environment tool from Vanderbilt University, according to the following workflow.
Firstly, the components of the system and their topology are defined.
Secondly, for each component the attributes must be defined, in terms of variable name and type.
Afterwards, all the actions that can be performed on the various components are specified: an action is defined by its name, a Boolean expression over the system attributes that defines the pre-conditions that must hold in a certain state for the action to be executable in that state, and a probability distribution of post-conditions that model the impact of the action on the system state.
Finally, the security policy for the system is defined through a Boolean expression over the system attributes. The evaluation of this expression against a certain system state determines if the system is safe or not.
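The model elements just described — attributes, an action with a pre-condition and a probability distribution of post-conditions, and a security policy over the attributes — can be illustrated with a small Python sketch. All names here are invented for illustration; the actual models are built graphically in GME.

```python
import random

# Hypothetical attributes of a single component.
attributes = {"firewall_on": False, "intruder_present": True}

# An action: name, a Boolean pre-condition over the attributes, and a
# probability distribution of post-conditions (effects on the state).
action = {
    "name": "enable_firewall",
    "pre": lambda s: not s["firewall_on"],   # executable only if currently off
    "post": [                                 # (probability, effect) pairs
        (0.9, {"firewall_on": True}),
        (0.1, {}),                            # the action may fail
    ],
}

# Security policy: a Boolean expression over the system attributes.
security_policy = lambda s: s["firewall_on"] or not s["intruder_present"]

def apply_action(state, action, rng=random.random):
    """Sample one post-condition according to its probability."""
    assert action["pre"](state), "precondition violated"
    draw, acc = rng(), 0.0
    for p, effect in action["post"]:
        acc += p
        if draw <= acc:
            return {**state, **effect}
    return dict(state)

new_state = apply_action(attributes, action, rng=lambda: 0.5)  # forces the success branch
# security_policy(new_state) -> True: the resulting state is safe.
```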
Our approach to planning is based on Reinforcement Learning: given a system model, we must build and solve a Markov Decision Process to deliver a defense plan that brings the system from the unsafe state that triggered the planning to a safe one.
The process of building an MDP from a GME model starts from the XML representation produced by GME and goes through an interpretation and transformation stage that produces an MDP instance suitable to be solved with the open-source Java library BURLAP.
Once the problem is solved, the plan is ready to be picked up by the Executor and run on the system.
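To give a feel for what solving such an MDP yields, here is a toy value-iteration solver on a three-state example. This is a sketch only: the system delegates planning to BURLAP, and the states, actions, and reward scheme below are invented.

```python
def value_iteration(states, actions, transition, is_safe, gamma=0.95, eps=1e-6):
    """Compute state values; reward 1 is earned on reaching a safe state."""
    V = {s: 0.0 for s in states}
    while True:
        delta = 0.0
        for s in states:
            if is_safe(s):
                continue  # safe states are terminal
            best = max(
                sum(p * ((1.0 if is_safe(s2) else 0.0) + gamma * V[s2])
                    for p, s2 in transition(s, a))
                for a in actions(s)
            )
            delta = max(delta, abs(best - V[s]))
            V[s] = best
        if delta < eps:
            return V

def greedy_plan(start, V, actions, transition, is_safe, max_len=10):
    """Follow the greedy policy, assuming the most likely outcome occurs."""
    s, plan = start, []
    while not is_safe(s) and len(plan) < max_len:
        a = max(actions(s), key=lambda a: sum(
            p * ((1.0 if is_safe(s2) else 0.0) + V[s2])
            for p, s2 in transition(s, a)))
        plan.append(a)
        s = max(transition(s, a))[1]  # most likely next state
    return plan

# Toy attack-recovery chain: compromised -> isolated -> safe.
states = ["compromised", "isolated", "safe"]
is_safe = lambda s: s == "safe"
actions = lambda s: {"compromised": ["isolate"], "isolated": ["restore"]}[s]
transition = lambda s, a: {
    ("compromised", "isolate"): [(1.0, "isolated")],
    ("isolated", "restore"):    [(0.9, "safe"), (0.1, "isolated")],
}[(s, a)]

V = value_iteration(states, actions, transition, is_safe)
plan = greedy_plan("compromised", V, actions, transition, is_safe)
# plan == ["isolate", "restore"]
```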
As Richard Bellman kindly reminds us, this approach suffers from the “curse of dimensionality”: the state space grows exponentially with the number of attributes used to model the system.
This is true, so we developed several techniques to mitigate the impact of this problem and keep the MDP-based approach feasible for the domain of interest.
The first one is an off-line model reduction technique that eliminates all the attributes that do not affect the security policy, while preserving the ability to find optimal solutions.
The same attribute elimination technique can be applied in an on-line fashion, thus leveraging some knowledge gathered at run time.
As an example, given a certain attack, instead of solving the MDP for all the attributes, we can build a reduced MDP model by keeping only the attributes included in the attack scope.
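The attribute-elimination idea behind both the off-line reduction and the attack-scope heuristic can be sketched as a reachability computation over attribute dependencies: keep only the attributes reachable from the seed set (the policy's attributes off-line, the attack scope on-line). Names are illustrative; this is not the paper's algorithm verbatim.

```python
def reachable_attributes(seed, dependencies):
    """Transitive closure: dependencies[a] = set of attributes that a
    directly depends on (e.g. via action pre-/post-conditions)."""
    keep, frontier = set(seed), list(seed)
    while frontier:
        attr = frontier.pop()
        for dep in dependencies.get(attr, ()):
            if dep not in keep:
                keep.add(dep)
                frontier.append(dep)
    return keep

# The policy mentions only "web_server_up", which depends on "firewall_on";
# "cpu_load" affects neither and is eliminated from the reduced model.
deps = {"web_server_up": {"firewall_on"}, "cpu_load": set()}
kept = reachable_attributes({"web_server_up"}, deps)
# kept == {"web_server_up", "firewall_on"}
```

Since the MDP state space is the cross product of the retained attribute domains, dropping even one attribute shrinks it multiplicatively, which is why a small attack scope makes the reduction so effective.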
Here we have some experimental results for this heuristic: the solid line refers to the full MDP model, while the dashed line refers to the reduced model built for the given attack scope.
On the left we can see the effectiveness of the reduction of the explored state space, while on the right side we depict a case of sub-optimality of the solution.