UNCLASSIFIED

Effectiveness of Proactive Reset for Mitigating Impact of Stealthy Attacks on Networks of Autonomous Systems
Brian Thompson (1), James Morris-King (1,2), and Hasan Cam (1)
CNS Workshop on Cyber-Physical Systems Security (CPS-Sec) 2016

Motivation
• Networks of autonomous systems such as robotic factory workers, security robots, and unmanned aerial vehicles (UAVs, aka drones) are increasingly being used in military, commercial, and recreational settings to perform tasks with limited or no human intervention
• Their autonomy and interconnectedness increases their susceptibility to cyber attack as well as the magnitude of damage an attack could cause
• Self-propagating malware can exploit vulnerabilities in hardware, software, or communication protocols to spread through and gain control over such networks
  – 2012: a remotely-controlled drone called Virus-Copter wirelessly infects other drones with malware that hijacks their control systems and uses them to spread the malware to additional drones
  – 2013: a drone called SkyJack autonomously identifies and hacks into nearby drones wirelessly
  – 2015: a backdoor called Maldrone is developed that replaces a drone’s controller program and communicates directly with device drivers and sensors to control navigation and other systems

Motivation (continued)
• As a defensive maneuver, autonomous systems infected with malware can undergo a reset operation that restores them to a malware-free state
  – Implementation depends on the context and type of device
• However, stealthy malware can remain undetected by avoiding changing the behavior of infected devices while spreading using zero-day exploits
• Such malware may not be discovered until a successful attack has already been executed, at which point it may be too late
• Many existing cybersecurity solutions are reactive, such as signature-based anti-virus software, intrusion detection systems, or the patching of discovered vulnerabilities, and do not prescribe any defensive action if nothing has been detected
• On the other hand, too many detections (true or false positives) could cause adversarial effects (e.g. a DoS attack)

Related Work
• Kephart & White (1991) apply compartmental (SIR-type) models from epidemiology to study malware spread
  – Uniformity assumptions only permit population-level decisions
• Khouzani et al. (2012) and Eshghi et al. (2016) propose patching or cleaning strategies to limit the spread of propagating malware
  – These rely on patching known vulnerabilities or knowing which nodes are infected, so they aren’t applicable to stealthy attacks
• Some work on collaborative trust in networks
  – This also relies on observable differences in the behavior of clean and infected nodes
• A variety of MTD approaches have been proposed
  – Typically for a single system rather than a coordinated effort over networked devices, and not sensitive to the needs of the network as a whole
• We propose a proactive network-wide automated approach to combat the spread of stealthy malware in networks of autonomous systems

Model
• Network of autonomous systems cooperating on a common task
• When operational, pairs of systems periodically communicate with one another, providing a channel for data transfer between them
• Attacker wants to establish and maintain a presence on systems in the network, which could then be used at an opportune time for malicious purposes, e.g. preventing task completion or causing physical damage
• Attacker injects self-propagating malware, which spreads stealthily when an infected system comes within range of or communicates with a clean system
• Defender decides when and which autonomous systems should perform the reset operation, subject to the operational requirements
• While a system is resetting, it does not engage in communication with other systems in the network; when resetting is complete, it re-enters the network clean of all malware
• Stealthy malware means that the Defender may not be able to distinguish between clean and infected systems

Model: system states
• Each autonomous system can be clean, infected, or resetting
• Malware starts on an initial set of systems and spreads when an infected system comes within range of or communicates with a clean system
• Systems are inoperable while resetting, but after the reset is complete, they resume functioning clean of the malware

Problem & Approach
Problem Statement:
• Given the reset time 𝑟 and an operational threshold 𝜃, design a reset policy to minimize the number of infected nodes when under attack by an adversary using stealthy propagating malware
Approach:
• We propose proactive reset, in which systems periodically get reset even when no malware has been detected
• Reset policies leveraging knowledge of communication or other activity can help determine which systems are at highest risk of being infected and prioritize them for resetting

General Implementation
• Each autonomous system has a secure module that is responsible for the resetting process, e.g. reprogramming parts of the system from an authenticated clean copy
• Per-system loop (reconstructed from the slide’s flow diagram labels):
  – Monitor Activity or Environment: for signs of unexpected behavior or potential sources of exposure
  – Compute Risk Score: may be computed individually or collaboratively
  – Decide Whether to Reset: may depend on available resources and situational awareness
  – Perform Reset (If Desired)

Reset Policies
• We consider three classes of proactive reset policies, each defined by how the risk score for each autonomous system is computed:
  – Random Reset policy: All systems have the same risk score, so that systems are reset at random until the operational threshold has been reached
  – Communication-based policy: The risk score is proportional to the number of other systems it has communicated or interacted with since its last reset
  – Risk-flow policy: When one autonomous system interacts with another, its risk score increases in proportion to the risk score of the other system (transmitted securely by the systems’ reset modules)

Experimental Setup
• To evaluate the effectiveness of our proposed reset policies, we develop and implement a discrete-time agent-based simulation in Java based on our network model
• We perform experiments on a network of 100 nodes and let each simulation run for 10,000 time steps, corresponding to 1,000 minutes (16 hours, 40 minutes)
• To simulate communication, we consider the worst case scenario in which each autonomous system is equally likely to communicate with any other, which leads to the greatest degree of unpredictability and uncertainty regarding the spread of the malware
• We set the reset time 𝑟 to be 1 minute and the operational threshold 𝜃 to vary between 50% and 100%, and each system communicates with a random system in the network on average once every 1 minute
  – In practice, these network parameters should be known or estimated based on past observations or domain knowledge, and may be system- and context-dependent

Results
• We compare the effectiveness of the proposed proactive reset policies (Random Reset, Communication-based, Risk-flow) to two baselines:
  – No Resetting: never resets any systems
  – Perfect Detector: only resets infected systems

Discussion
• Our experiments represent a worst-case scenario, where:
  – Malware starts with 100% infection and spreads instantaneously every time that an infected node communicates with a clean node
  – Any node can communicate with any other node
  – Defender cannot distinguish between clean and infected nodes
• Our approach is equally effective against known and unknown threats, independent of detection capabilities
  – In fact, a proactive approach may be preferable to using feedback from detectors (e.g. IDS alerts) because favoring defense against detectable malware may reduce security against undetected malware
• Ability to purge malware from a network is dependent on resource constraints and other network parameters
  – Defender may invest additional resources to improve security, e.g. by increasing redundancy so more systems can reset simultaneously or reducing the time required to perform a reset

Conclusions
• We introduced a proactive network-wide automated approach to combat the spread of stealthy malware in networks of autonomous systems
• Even a naive proactive policy provides significant benefits over detection-based mechanisms in the face of a stealthy cyber attack
• Despite not knowing which nodes are infected, the Risk-flow policy achieves nearly identical performance to that of a perfect detector by leveraging systems’ communication histories
• When the number of available nodes sufficiently exceeds the operational requirement, the Risk-flow policy completely purges malware from the network, even starting from 100% infection
• Directions for future work:
  – Considering arbitrary (fixed or dynamic) network structures instead of assuming all-pairs reachability
  – Incorporating a mobility model
  – Explicitly modeling a network of heterogeneous systems/devices with different risks, functionalities, and requirements

Questions?
Brian Thompson [email protected]
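The following is an added worked example, not the authors' Java simulator: a small discrete-time agent-based simulation of the model and the three proactive reset policies (Random, Communication-based, Risk-flow) next to the two baselines (No Resetting, Perfect Detector), under the worst-case setup of the talk (100% initial infection, instantaneous spread on contact, any node may contact any other, defender cannot tell clean from infected). Assumptions not stated in the slides: one time step is 0.1 minute (so the 1-minute reset time is 10 steps and one contact per node per minute is a 0.1 per-step contact probability); the defender may keep at most n - ceil(θ·n) systems resetting at once; a never-reset system starts with risk-flow score 1.0 and the score update on contact is risk_i += (1 - risk_i)·risk_j, which is proportional to the partner's score and stays in [0, 1] (the exact update rule is not given in the talk); the policy names and the `simulate` function are this example's own.

```python
"""Discrete-time agent-based simulation of proactive reset policies.

Added example (not the authors' simulator). Assumptions are marked in comments.
"""
import math
import random

CLEAN, INFECTED, RESETTING = "clean", "infected", "resetting"


class Node:
    """One autonomous system: malware state, reset timer and risk bookkeeping."""

    def __init__(self) -> None:
        self.state = INFECTED   # worst case from the talk: 100% initial infection
        self.reset_left = 0     # time steps left in the current reset
        self.contacts = 0       # interactions since last reset (Communication-based)
        self.risk = 1.0         # Risk-flow score in [0, 1]; 1.0 = never reset (assumption)


def risk_score(policy: str, node: Node) -> float:
    """Defender's estimate of how likely `node` is infected under each policy."""
    if policy == "random":
        return 1.0                  # all equal: the random tie-break does the selection
    if policy == "comm":
        return float(node.contacts)
    if policy == "riskflow":
        return node.risk
    raise ValueError(policy)


def simulate(policy: str, n: int = 100, steps: int = 10_000, reset_time: int = 10,
             theta: float = 0.8, comm_prob: float = 0.1, seed: int = 1) -> dict:
    """Run one simulation and return the final and tail-averaged infected fraction.

    Policies: 'none' (No Resetting), 'perfect' (Perfect Detector), 'random',
    'comm' (Communication-based), 'riskflow'. A step is 0.1 minute (assumption),
    so reset_time=10 is r = 1 minute and comm_prob=0.1 is one contact per minute.
    """
    rng = random.Random(seed)
    nodes = [Node() for _ in range(n)]
    capacity = n - math.ceil(theta * n)   # systems allowed to be resetting at once (assumption)
    history = []

    for _ in range(steps):
        # 1. Finish resets: a node returns clean with its bookkeeping cleared.
        for nd in nodes:
            if nd.state == RESETTING:
                nd.reset_left -= 1
                if nd.reset_left == 0:
                    nd.state, nd.contacts, nd.risk = CLEAN, 0, 0.0

        # 2. Defender fills free reset slots with the highest-risk operational nodes.
        if policy != "none":
            resetting = sum(nd.state == RESETTING for nd in nodes)
            if policy == "perfect":
                cands = [nd for nd in nodes if nd.state == INFECTED]    # oracle knowledge
                key = lambda nd: 1.0
            else:
                cands = [nd for nd in nodes if nd.state != RESETTING]   # cannot tell them apart
                key = lambda nd: risk_score(policy, nd)
            rng.shuffle(cands)                   # random tie-break among equal scores
            cands.sort(key=key, reverse=True)
            for nd in cands[:max(0, capacity - resetting)]:
                nd.state, nd.reset_left = RESETTING, reset_time

        # 3. Communication among operational nodes; infection spreads instantly.
        active = [nd for nd in nodes if nd.state != RESETTING]
        for a in active:
            if len(active) > 1 and rng.random() < comm_prob:
                b = rng.choice(active)
                while b is a:
                    b = rng.choice(active)
                if INFECTED in (a.state, b.state):
                    a.state = b.state = INFECTED
                a.contacts += 1
                b.contacts += 1
                ra, rb = a.risk, b.risk
                a.risk = ra + (1.0 - ra) * rb    # proportional to partner's score, bounded (assumption)
                b.risk = rb + (1.0 - rb) * ra

        history.append(sum(nd.state == INFECTED for nd in nodes) / n)

    tail = history[-max(1, steps // 10):]
    return {"final": history[-1], "mean_last_10pct": sum(tail) / len(tail)}


if __name__ == "__main__":
    # Shorter runs than the talk's 10,000 steps so the comparison finishes quickly.
    for theta in (0.5, 0.8):
        for pol in ("none", "perfect", "random", "comm", "riskflow"):
            r = simulate(pol, steps=2000, theta=theta)
            print(f"theta={theta:.1f} {pol:9s} final={r['final']:.2f} "
                  f"mean_last_10pct={r['mean_last_10pct']:.2f}")
```

Two properties worth checking by hand against the talk's model: with θ = 100% the capacity is zero, so every policy degenerates to No Resetting and the network stays fully infected; with θ = 50% the Perfect Detector purges the network in exactly two reset rounds, because the half it resets first returns clean and the other half is reset before the two halves ever communicate. The Risk-flow policy is the one to watch as θ drops: the cleared score of a freshly reset node only grows again through contact with high-score (never-reset) nodes, which is what lets it prioritize like a detector without observing infection.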