www.cci.msstate.edu
A Model-Integrated Approach to Designing Self-Protecting Systems
Stefano Iannucci, Member, IEEE, Sherif Abdelwahed, Senior Member, IEEE, Andrea Montemaggio, Melissa Hannis, Leslie Leonard, Jason S. King, John A. Hamilton, Jr., Senior Member, IEEE
Presented by:
Andrea Montemaggio
Research Engineer II, CCI
a.montemaggio@msstate.edu
Funding for this work was partially provided by
the U.S. Army Engineer Research and Development Center (ERDC)
under contract W912HZ-17-C-0019
Automation
New Demand in Cyber Security
Past and Present
• Independent heterogeneous security components
• Manual correlation of security events
• Manual planning and execution of the defense strategy
• Sometimes, static attack/response mapping
The Future: Autonomic Security Management
• Automatic learning of system and attacker’s behavior
• Prediction of the system evolution and of the attacker strategy
• Proactive and automatic defense with security components orchestration or choreography
MAPE loop for Cyber Security domain
Autonomic Security Management
[Diagram: the MAPE loop wrapped around the distributed system. Monitor (Information Gathering) collects the NIDS, LOG and HIDS events coming from the sensors as different event streams into one event stream; Analyze (Event Manager) evaluates it; Plan (Defense Strategy Planner) produces a response policy; Execute (Policy Executor) carries out the response policy on the distributed system through the effectors.]
System model design workflow with GME [1]
Model-Integrated Approach
Components and Topology → Attributes → Actions → Security Policy
[1] Generic Modeling Environment, http://www.isis.vanderbilt.edu/Projects/gme.
System model to Markov Decision Process (MDP)
Model-Integrated Approach
System Model (XML) → Interpretation and Transformation (XSLT, JAXB) → MDP (BURLAP [2]) → MDP Planning → Plan
[2] Brown-UBMC Reinforcement Learning and Planning Java library, http://burlap.cs.brown.edu.
“The curse of dimensionality” (Bellman, 1957)
Challenges
Model Reduction
Theorem. All the attributes that do not directly or indirectly affect the security policy can be eliminated.
• Optimal solutions are preserved.
• Off-line application: does not depend on the system state.
• Complexity is bound to the security policy, not the whole model.
Richard E. Bellman: “Hey, you’ve got a problem here. The state space grows exponentially with the number of attributes in your model!”
Knowledge-Based Heuristics
Knowledge coming from sensors (system state) is leveraged to determine the set of attributes to keep.
• More aggressive state space reduction, at the cost of producing sub-optimal solutions.
• On-line application: depends on the system state.
Building a reduced model to counter the attack’s effects
Attack Scope Heuristic
The smaller the attack scope, the more effective the reduction is (fewer variables are retained).
A case showing that the planned solution may be sub-optimal.
Thank you for your time.
How to reach me
Andrea Montemaggio
a.montemaggio@msstate.edu
Mississippi State University
2 Research Blvd
Starkville, MS 39759
USA
Autonomic Computing for Cyber Security
Model-Integrated approach
Model Interpretation: building a Markov Decision Process
MDP-based planning: complexity issues and mitigation strategies
Attack scope heuristic: experimental data
ICSE 2019: A Model-Integrated Approach to Designing Self-Protecting Systems


Editor's Notes

  1. There’s a new demand in Cyber Security: automation. Every day, system administrators face new cyber attacks, and most of the tasks along the cyber threat management process are still performed manually or require human intervention, especially in the Intrusion Response phase. While a lot of research has been done on the Intrusion Detection phase, very little exists on the Intrusion Response phase, and most of the available tools address the problem by providing a static mapping between a certain attack signature and a specific response. However, the increasing complexity of the enterprise systems to be protected, as well as the huge growth of cyber threats, makes this process overwhelming for any security professional. Instead, our research attacks the problem from a different angle, applying the concepts of the Autonomic Computing initiative to the Cyber Security domain.
  2. The reference framework on top of which we built the Autonomic Security Management system is the MAPE loop for Autonomic Computing. In the context of Cyber Security, we have the enterprise system we want to protect, which is instrumented with several sensors capable of gathering different kinds of information at runtime. For instance, think of these sensors as the monitoring systems and the Intrusion Detection Systems you already have in place. All the information coming from the sensors is collected in the Monitor phase of the MAPE loop. Afterwards, the different information streams are aggregated into a unified view: the system state. Then, the Analyzer component constantly evaluates the system state stream against the security policy that has been defined for the system, to tell whether the system is safe or not. When the security policy is not satisfied, a system state is considered unsafe, and a change request is issued. The Planner component catches the change request and plans a defense strategy, which is a sequence of actions to protect the system. Finally, this sequence of actions is passed to the Executor component, which interprets it and oversees its execution on the system. All the phases make use of some knowledge about the system to protect: this knowledge is encoded into a system model.
  3. The system model is designed with the Generic Modeling Environment tool from Vanderbilt University, according to the following workflow. Firstly, the components of the system and their topology are defined. Secondly, for each component the attributes must be defined, in terms of variable name and type. Afterwards, all the actions that can be performed on the various components are specified: an action is defined by its name, a Boolean expression over the system attributes that defines the pre-conditions that must hold in a certain state for the action to be executable in that state, and a probability distribution over post-conditions that models the impact of the action on the system state. Finally, the security policy for the system is defined through a Boolean expression over the system attributes. The evaluation of this expression against a certain system state determines whether the system is safe or not.
  4. Our approach to planning is based on Reinforcement Learning, so, for a given system model, we must build and solve a Markov Decision Process to deliver a defense plan that brings the system from the unsafe state that triggered the planning to a safe one. The process of building an MDP from a GME model starts from the XML representation produced by GME and goes through an interpretation and transformation stage that produces an MDP instance that can be solved with the open-source Java library BURLAP. Once the problem is solved, the plan is ready to be picked up by the Executor and run on the system.
  5. As Richard Bellman kindly reminds us, this approach suffers from the “curse of dimensionality”: the state space grows exponentially with the number of attributes used to model the system. This is true, so we developed several techniques to mitigate the impact of this problem and keep the MDP-based approach feasible for the domain of interest. The first one is an off-line model reduction technique that eliminates all the attributes that do not affect the security policy, preserving the possibility of finding optimal solutions. The same attribute elimination technique can be applied in an on-line fashion, leveraging knowledge gathered at run time. As an example, given a certain attack, instead of solving the MDP for all the attributes, we can build a reduced MDP model by keeping only the attributes included in the attack scope.
  6. Here we have some experimental results for this heuristic: the solid line corresponds to the full MDP model, while the dashed line corresponds to the reduced model built for the given attack scope. On the left we can see the effectiveness of the reduction of the explored state space, while on the right we show a case of sub-optimality of the solution.
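The attribute elimination of slide 6 and the attack-scope heuristic of slide 7 (notes 5 and 6), as an added example that is not the authors' code or their GME/BURLAP pipeline, run on a constructed web-server/database model. Actions are made deterministic and cost-weighted here (an assumption) so the planner is a uniform-cost search instead of an MDP solve; `relevant_attributes`, `reduce_model`, `plan` and `compare` are hypothetical helper names.

```python
"""Attribute elimination and attack-scope reduction for a self-protecting-system
model (added example). Assumption: actions are deterministic and cost-weighted,
so the planner is a uniform-cost search over Boolean states, not a full MDP solve."""
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    name: str
    pre: dict   # attribute -> value required for the action to be executable
    post: dict  # attribute -> value after the action (deterministic here)
    cost: int


def relevant_attributes(policy_reads, actions):
    """Off-line reduction: keep an attribute if the policy reads it or if an action
    that writes a kept attribute reads it (transitive closure). Nothing outside
    this set can influence the policy, so optimal plans survive the cut."""
    keep = set(policy_reads)
    changed = True
    while changed:
        changed = False
        for a in actions:
            if set(a.post) & keep and not set(a.pre) <= keep:
                keep |= set(a.pre)
                changed = True
    return keep


def reduce_model(actions, keep, sensed):
    """Project actions onto `keep`; attributes outside it are frozen at their sensed
    value, so pre-conditions on them are decided now and actions that write
    nothing kept are dropped (this is where the heuristic can lose optimality)."""
    reduced = []
    for a in actions:
        if not set(a.post) & keep:
            continue
        if any(sensed[k] != v for k, v in a.pre.items() if k not in keep):
            continue  # pre-condition contradicted by a frozen attribute
        pre = {k: v for k, v in a.pre.items() if k in keep}
        post = {k: v for k, v in a.post.items() if k in keep}
        reduced.append(Action(a.name, pre, post, a.cost))
    return reduced


def plan(actions, state, safe):
    """Cheapest action sequence from `state` to a state where safe() holds:
    (cost, [action names]), or (None, []) if no safe state is reachable."""
    frontier = [(0, tuple(sorted(state.items())), [])]
    seen = set()
    while frontier:
        cost, key, path = heapq.heappop(frontier)
        if key in seen:
            continue
        seen.add(key)
        s = dict(key)
        if safe(s):
            return cost, path
        for a in actions:
            if all(s.get(k) == v for k, v in a.pre.items()):
                nxt = tuple(sorted({**s, **a.post}.items()))
                heapq.heappush(frontier, (cost + a.cost, nxt, path + [a.name]))
    return None, []


# Constructed model: a web front end and a database behind a firewall.
ACTIONS = [
    Action("block_attacker_at_fw", {}, {"fw_blocked": True}, 1),
    Action("reimage_web", {"fw_blocked": True}, {"web_compromised": False}, 2),
    Action("rebuild_web_offline", {}, {"web_compromised": False, "fw_blocked": False}, 10),
    Action("rotate_db_creds", {}, {"db_creds_rotated": True}, 1),
    Action("restore_db", {"db_creds_rotated": True}, {"db_compromised": False}, 3),
    Action("rotate_logs", {}, {"log_rotated": True}, 1),  # never affects the policy
]
POLICY_READS = {"web_compromised", "db_compromised"}
# Constructed sensed state: only the web server is compromised, firewall open.
SENSED = {"web_compromised": True, "db_compromised": False, "fw_blocked": False,
          "db_creds_rotated": False, "log_rotated": False}


def policy(s):
    """Security policy: a Boolean expression over the system attributes."""
    return not s["web_compromised"] and not s["db_compromised"]


def compare(scope):
    """Plan on the full model, the off-line reduced model and the attack-scope model
    for SENSED; returns the three (cost, plan) pairs in that order."""
    def safe(s):  # attributes outside a reduced model keep their sensed values
        return policy({**SENSED, **s})
    keep = relevant_attributes(POLICY_READS, ACTIONS)
    results = [plan(ACTIONS, SENSED, safe)]
    for kept in (keep, keep & scope):
        sub_state = {k: v for k, v in SENSED.items() if k in kept}
        results.append(plan(reduce_model(ACTIONS, kept, SENSED), sub_state, safe))
    return tuple(results)
```

With the scope limited to the compromised web server alone, the frozen firewall attribute rules out the cheap block-then-reimage path and the heuristic settles on the cost-10 rebuild, which is the sub-optimality the experimental slide points to; widening the scope to include the firewall attribute recovers the optimal plan.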