UNCLASSIFIED
Effectiveness of Proactive Reset for
Mitigating Impact of Stealthy Attacks
on Networks of Autonomous Systems
Brian Thompson, James Morris-King, and Hasan Cam
CNS Workshop on Cyber-Physical Systems Security (CPS-Sec) 2016
Motivation
• Networks of autonomous systems such as robotic factory workers,
security robots, and unmanned aerial vehicles (UAVs, aka drones) are
increasingly being used in military, commercial, and recreational
settings to perform tasks with limited or no human intervention
• Their autonomy and interconnectedness increase their susceptibility to
cyber attack, as well as the magnitude of damage an attack could cause
• Self-propagating malware can exploit vulnerabilities in hardware,
software, or communication protocols to spread through and gain
control over such networks
– 2012: a remotely-controlled drone called Virus-Copter wirelessly infects
other drones with malware that hijacks their control systems and uses them
to spread the malware to additional drones
– 2013: a drone called SkyJack autonomously identifies and hacks into
nearby drones wirelessly
– 2015: a backdoor called Maldrone is developed that replaces a drone’s
controller program and communicates directly with device drivers and
sensors to control navigation and other systems
Motivation
• As a defensive maneuver, autonomous systems infected with malware
can undergo a reset operation that restores them to a malware-free state
– Implementation depends on the context and type of device
• However, stealthy malware can remain undetected by leaving the observable
behavior of infected devices unchanged while it spreads using zero-day exploits
• Such malware may not be discovered until a successful attack has
already been executed, at which point it may be too late
• Many existing cybersecurity solutions are reactive, such as signature-based
anti-virus software, intrusion detection systems, or the patching of
discovered vulnerabilities, and do not prescribe any defensive action if
nothing has been detected
• On the other hand, too many detections (true or false positives) could
themselves cause adverse effects (e.g. taking so many systems offline that the
result resembles a DoS attack)
Related Work
• Kephart & White (1991) apply compartmental (SIR-type) models from
epidemiology to study malware spread
– Uniformity assumptions only permit population-level decisions
• Khouzani et al. (2012) and Eshghi et al. (2016) propose patching or
cleaning strategies to limit the spread of propagating malware
– These rely on patching known vulnerabilities or knowing which
nodes are infected, so they are not applicable to stealthy attacks
• Some work on collaborative trust in networks
– This also relies on observable differences in the behavior of clean
and infected nodes
• A variety of MTD approaches have been proposed
– Typically for a single system rather than a coordinated effort over
networked devices, not sensitive to needs of network as a whole
• We propose a proactive network-wide automated approach to combat
the spread of stealthy malware in networks of autonomous systems
Model
• Network of autonomous systems cooperating on a common task
• When operational, pairs of systems periodically communicate with one
another, providing a channel for data transfer between them
• Attacker wants to establish and maintain a presence on systems in the
network, which could then be used at an opportune time for malicious
purposes e.g. preventing task completion or causing physical damage
• Attacker injects self-propagating malware, which spreads stealthily
when an infected system comes within range of or communicates with a
clean system
• Defender decides when and which autonomous systems should
perform the reset operation, subject to the operational requirements
• While a system is resetting, it does not engage in communication with
other systems in the network; when resetting is complete, it re-enters
the network clean of all malware
• Stealthy malware means that the Defender may not be able to
distinguish between clean and infected systems
Model
• Each autonomous system can be clean, infected, or resetting
• Malware starts on an initial set of systems and spreads when an infected
system comes within range of or communicates with a clean system
• Systems are inoperable while resetting, but after the reset is complete,
they resume functioning clean of the malware
Problem & Approach
Problem Statement:
• Given the reset time 𝑟 and an operational threshold 𝜃 (the fraction of
systems that must remain operational at any time), design a reset policy
that minimizes the number of infected nodes when under attack by an
adversary using stealthy propagating malware
Approach:
• We propose proactive reset, in which systems periodically get reset
even when no malware has been detected
• Reset policies leveraging knowledge of communication or other activity
can help determine which systems are at highest risk of being infected
and prioritize them for resetting
General Implementation
• Each autonomous system has a secure module that is responsible for
the resetting process
• The module runs a four-stage loop (shown as a flowchart on the original slide):
– Monitor activity or environment: for signs of unexpected behavior or
potential sources of exposure
– Compute risk score: may be computed individually or collaboratively
– Decide whether to reset: may depend on available resources and
situational awareness
– Perform reset (if desired): e.g. reprogramming parts of the system from
an authenticated clean copy
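The last stage, reprogramming from an authenticated clean copy, is where a reset module can itself be subverted if it trusts whatever image it is handed. The following is an added illustration (not the deck's implementation) of the checks such a module would run before reprogramming. It assumes the clean image ships with a small manifest (version and SHA-256 of the image) authenticated with an HMAC key held by the reset module, and it adds a minimum-version check so that malware cannot talk the module into restoring an older, vulnerable build. A real device would more likely verify a signature against a key anchored in a hardware root of trust; the check sequence is the same.

```python
"""Reset-module guard: reprogram only from an authenticated clean copy.

Added example, not the deck's code. The HMAC-keyed manifest and the
constructed image/key bytes below are this example's assumptions.
"""
import hashlib
import hmac
import json


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so producer and verifier MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(image: bytes, version: int, key: bytes) -> dict:
    """Producer side: describe a clean image and authenticate the description."""
    body = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


def verify_clean_image(image: bytes, manifest: dict, key: bytes,
                       min_version: int) -> bool:
    """Reset-module side: accept the copy only if every check passes."""
    body = {"version": manifest.get("version"), "sha256": manifest.get("sha256")}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # 1. Manifest authenticity: constant-time compare against the stored MAC.
    if not hmac.compare_digest(expected, str(manifest.get("mac", ""))):
        return False
    # 2. Rollback protection: never restore a build older than the floor.
    if not isinstance(body["version"], int) or body["version"] < min_version:
        return False
    # 3. Image binding: the bytes about to be flashed are the ones described.
    return hmac.compare_digest(hashlib.sha256(image).hexdigest(),
                               str(body["sha256"]))


def perform_reset(image: bytes, manifest: dict, key: bytes, min_version: int):
    """Return the image to flash on success, None if the copy is rejected."""
    if not verify_clean_image(image, manifest, key, min_version):
        return None
    return bytes(image)   # stand-in for reprogramming the controller


if __name__ == "__main__":
    KEY = b"constructed-example-key"                 # constructed sample key
    IMG = b"controller firmware build 7 (constructed sample)"
    manifest = make_manifest(IMG, 7, KEY)
    print("clean copy accepted:", perform_reset(IMG, manifest, KEY, 7) is not None)
    print("tampered copy accepted:", perform_reset(IMG + b"\x00", manifest, KEY, 7) is not None)
```

The version floor is what makes the reset a defensive maneuver rather than a downgrade channel: a module that only checked the hash of "some" signed image could be fed the previous release, which the adversary may already know how to exploit.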
Reset Policies
• We consider three classes of proactive reset policies, each defined by
how the risk score for each autonomous system is computed:
– Random Reset policy: All systems have the same risk score, so
that systems are reset at random until the operational threshold has
been reached
– Communication-based policy: The risk score is proportional to
the number of other systems it has communicated or interacted
with since its last reset
– Risk-flow policy: When one autonomous system interacts with
another, its risk score increases in proportion to the risk score of the
other system (transmitted securely by the systems’ reset modules)
Experimental Setup
• To evaluate the effectiveness of our proposed reset policies, we
develop and implement a discrete-time agent-based simulation in Java
based on our network model
• We perform experiments on a network of 100 nodes and let each
simulation run for 10,000 time steps, corresponding to 1,000 minutes
(16 hours, 40 minutes)
• To simulate communication, we consider the worst case scenario in
which each autonomous system is equally likely to communicate with
any other, which leads to the greatest degree of unpredictability and
uncertainty regarding the spread of the malware
• We set the reset time 𝑟 to be 1 minute and the operational threshold 𝜃
to vary between 50% and 100%, and each system communicates with
a random system in the network on average once every 1 minute
– In practice, these network parameters should be known or estimated based
on past observations or domain knowledge, and may be system- and
context-dependent
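As an added example (not the authors' Java simulator), the following Python implements the model and the three policies from the Reset Policies slide under the experimental setup above: 100 nodes, 10 time steps per minute, reset time r = 1 minute, one random contact per node per minute, and a threshold θ that caps concurrent resets at floor(n(1 − θ)). The No Resetting and Perfect Detector baselines from the Results slides are included as policies. Values the slides do not specify are this example's assumptions: a freshly reset node starts with risk-flow score 1.0, each contact adds 0.1 times the peer's score to a node's own, ties are broken by node index, and within a step the order is return-from-reset, select resets, then communicate.

```python
"""Discrete-time agent-based simulation of proactive reset policies.

Added example, not the authors' Java simulator. Nodes are clean, infected or
resetting; stealthy malware spreads on every contact between an infected and
a clean node; a reset keeps a node offline for reset_minutes; at most
floor(n * (1 - theta)) nodes may be resetting at once. BASE_RISK, FLOW_FACTOR
and index-order tie-breaking are this example's assumptions.
"""
import math
import random

CLEAN, INFECTED, RESETTING = 0, 1, 2
STEPS_PER_MINUTE = 10      # 10,000 steps == 1,000 minutes, as in the deck
BASE_RISK = 1.0            # risk-flow score of a freshly reset node (assumed)
FLOW_FACTOR = 0.1          # share of a peer's score picked up per contact (assumed)
POLICIES = ("none", "perfect", "random", "communication", "risk_flow")


def simulate(policy, n=100, steps=10000, theta=0.5, reset_minutes=1.0,
             comm_per_minute=1.0, initial_infected=None, seed=0):
    """Run one policy; return a summary dict with the infected-count history."""
    if policy not in POLICIES or steps < 1:
        raise ValueError("bad policy or step count")
    rng = random.Random(seed)
    reset_steps = int(round(reset_minutes * STEPS_PER_MINUTE))
    p_comm = comm_per_minute / STEPS_PER_MINUTE      # per node, per step
    max_resetting = int(math.floor(n * (1.0 - theta)))
    if initial_infected is None:
        initial_infected = n                         # worst case: 100% infected

    state = [INFECTED] * initial_infected + [CLEAN] * (n - initial_infected)
    rng.shuffle(state)
    back_at = [None] * n                   # step at which a reset completes
    partners = [set() for _ in range(n)]   # distinct contacts since last reset
    risk = [BASE_RISK] * n                 # risk-flow score
    history, peak_resetting = [], 0

    def score(i):                          # higher score = reset first
        if policy == "random":
            return rng.random()
        if policy == "communication":
            return len(partners[i])
        return risk[i]                     # risk_flow

    for t in range(steps):
        # 1. Nodes whose reset has completed re-enter the network clean.
        for i in range(n):
            if state[i] == RESETTING and back_at[i] == t:
                state[i], back_at[i], risk[i] = CLEAN, None, BASE_RISK
                partners[i].clear()
        # 2. The defender fills the free reset slots according to the policy.
        budget = max_resetting - state.count(RESETTING)
        if policy == "none":
            chosen = []
        elif policy == "perfect":          # baseline: knows who is infected
            chosen = [i for i in range(n) if state[i] == INFECTED][:budget]
        else:                              # stealthy: rank by risk score only
            operational = [i for i in range(n) if state[i] != RESETTING]
            operational.sort(key=score, reverse=True)
            chosen = operational[:budget]
        for i in chosen:
            state[i], back_at[i] = RESETTING, t + reset_steps
        peak_resetting = max(peak_resetting, state.count(RESETTING))
        # 3. Each operational node contacts one random peer with prob p_comm.
        for a in range(n):
            if state[a] == RESETTING or rng.random() >= p_comm:
                continue
            b = rng.randrange(n - 1)
            if b >= a:
                b += 1                     # uniform over the other n-1 nodes
            if state[b] == RESETTING:
                continue                   # offline nodes do not communicate
            partners[a].add(b)
            partners[b].add(a)
            ra, rb = risk[a], risk[b]      # risk flows both ways on contact
            risk[a] += FLOW_FACTOR * rb
            risk[b] += FLOW_FACTOR * ra
            if state[a] != state[b]:       # one clean, one infected: spread
                state[a] = state[b] = INFECTED
        history.append(state.count(INFECTED))

    purge = next((t for t, c in enumerate(history) if c == 0), None)
    return {"policy": policy, "final_infected": history[-1],
            "peak_resetting": peak_resetting, "steps_to_purge": purge,
            "history": history}


if __name__ == "__main__":
    for p in POLICIES:
        r = simulate(p, steps=2000)
        print(f"{p:14s} final infected={r['final_infected']:3d} "
              f"purged at step={r['steps_to_purge']}")
```

Run it directly to print a summary per policy; simulate() also returns the full per-step infected-count history, so the curves from the Results slides can be reproduced for other values of θ, r and the contact rate. The two baselines are deterministic from 100% infection: No Resetting stays at 100, and Perfect Detector with θ = 50% has no infected operational node left after one reset time, since the first half of the fleet comes back clean exactly when the second half is taken offline.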
Results
• We compare the effectiveness of the proposed proactive reset policies
(Random Reset, Communication-based, Risk-flow) to two baselines:
– No Resetting: never resets any systems
– Perfect Detector: only resets infected systems
Discussion
• Our experiments represent a worst-case scenario, where:
– Malware starts with 100% infection and spreads instantaneously
every time that an infected node communicates with a clean node
– Any node can communicate with any other node
– Defender cannot distinguish between clean and infected nodes
• Our approach is equally effective against known and unknown threats,
independent of detection capabilities
– In fact, a proactive approach may be preferable to using feedback
from detectors (e.g. IDS alerts) because favoring defense against
detectable malware may reduce security against undetected malware
• Ability to purge malware from a network is dependent on resource
constraints and other network parameters
– Defender may invest additional resources to improve security, e.g. by
increasing redundancy so more systems can reset simultaneously or
reducing the time required to perform a reset
Conclusions
• We introduced a proactive network-wide automated approach to combat
the spread of stealthy malware in networks of autonomous systems
• Even a naive proactive policy provides significant benefits over detection-based mechanisms in the face of a stealthy cyber attack
• Despite not knowing which nodes are infected, the Risk-flow policy
achieves nearly identical performance to that of a perfect detector by
leveraging systems’ communication histories
• When the number of available nodes sufficiently exceeds the operational
requirement, the Risk-flow policy completely purges malware from the
network, even starting from 100% infection
• Directions for future work:
– Considering arbitrary (fixed or dynamic) network structures instead of
assuming all-pairs reachability
– Incorporating a mobility model
– Explicitly modeling a network of heterogeneous systems/devices with
different risks, functionalities, and requirements
Questions?
Brian Thompson
[email protected]