UNCLASSIFIED

Controlling Risk of Data Exfiltration in Cyber Networks Due to Stealthy Propagating Malware
Brian Thompson, James Morris-King, and Hasan Cam
MILCOM 2016

Motivation
• In 2015, Kaspersky Lab discovered malware (Duqu 2.0) that had been hiding in its network for months, spying on new technologies being developed at the lab
• Also in 2015, Bitdefender customers' data was leaked after an attack that hijacked several servers in Amazon's Elastic Compute Cloud
• These and other recent cyber attacks demonstrate that even the best contemporary security systems cannot prevent well-resourced adversaries from infiltrating the computer networks of governments, companies, and organizations
• Once inside a network, self-propagating malware can spread throughout the network, causing damage, disrupting services, or exfiltrating sensitive information
• Stealthy malware can remain undetected by using zero-day exploits to spread and by hiding malicious behavior in normal activity

Defender Model
• An intrusion detection system (IDS) monitors activity on a computer or network and raises an alert when suspected malicious activity occurs, prompting human analysts to investigate and take defensive action as deemed necessary
• Alternatively, an intrusion prevention system (IPS) takes automated action to block or purge a potential intrusion when an alert goes off
• We consider a defensive maneuver in which devices are taken offline while an automated recovery or reset operation is performed, after which they come back online clean of any malware
  – The device could then be reinfected
  – The implementation depends on the context and type of device
• Due to service availability needs, monetary constraints, or other operational requirements, there is often a limit to the number of devices that can be resetting at any one time

Network Model
• Each node in the network communicates with other nodes, and also uploads some information externally, e.g. to respond to user queries, report sensor readings, or send an email
• The Attacker unleashes self-propagating malware, which spreads from infected nodes to clean nodes when they communicate
• Infected nodes additionally exfiltrate sensitive data at a rate pre-determined by the Attacker
• Each node has a detector that generates an alert when the total outgoing data rate is higher than expected, which triggers the recovery or reset operation
• The Defender controls the detection sensitivity, which together with the outgoing data rate determines the alert rate and therefore the reset rate
• Aside from their observed outgoing data rate (uploads + exfiltration), the detector cannot distinguish between clean and infected nodes

Problem Statement
The Game:
• The Attacker chooses the exfiltration rate, which is hard-coded into the malware (and is therefore the same for all infected nodes)
• The Defender chooses the detection sensitivity, with the constraint that the number of resetting nodes does not violate the operational requirement
• The higher the exfiltration rate, the faster data is exfiltrated from each infected node, but the easier the infected nodes are to detect, resulting in fewer infected nodes
Objective:
• Attacker: maximize the total rate of data exfiltration from all infected nodes
• Defender: minimize the total rate of data exfiltration from all infected nodes
Our goal:
• Establish bounds on the total rate of data exfiltration by an optimal attacker, expressed in terms of network parameters

Related Work
• Kephart & White (1991) apply compartmental (SIR-type) models from epidemiology to study malware spread
• Okhravi and Nicol (2008) evaluate the tradeoff between the time spent on pre-deployment testing and the timely deployment of patches for software vulnerabilities
• Khouzani et al. (2012) explore how to allocate resources to prevent malware spread in mobile wireless networks
• Eshghi et al. (2016) propose patching strategies for countering propagating malware in both a replicative context (patches can be transmitted by other patched devices) and a non-replicative context (patches are only disseminated by designated sources)
• These approaches rely on patching known vulnerabilities or on knowing which nodes are infected, so they are not applicable to stealthy attacks
• Proactive defense mechanisms have also been proposed, but typically for a single system rather than as a coordinated effort over networked devices, so they are not sensitive to the needs of the network as a whole

Our Approach
• We take a mean-field approach, using a compartmental Markov model to describe the fraction of nodes in each possible state (Clean, Infected, or Resetting) and the transition rates between them, which are captured by a set of differential equations:

$$\frac{d\pi_C(t)}{dt} = \alpha\,\pi_R(t) - \big(\beta(t) + \rho_C\big)\,\pi_C(t)$$
$$\frac{d\pi_I(t)}{dt} = \beta(t)\,\pi_C(t) - \rho_I\,\pi_I(t)$$
$$\frac{d\pi_R(t)}{dt} = \rho_C\,\pi_C(t) + \rho_I\,\pi_I(t) - \alpha\,\pi_R(t)$$

Model parameter — Description
  $\alpha$      activation rate for each node (rate at which resetting nodes come back online)
  $\beta(t)$    infection rate for each clean node at time $t$
  $\rho_C$      reset rate for each clean node
  $\rho_I$      reset rate for each infected node
  $\pi_C(t)$    fraction of nodes that are Clean at time $t$
  $\pi_I(t)$    fraction of nodes that are Infected at time $t$
  $\pi_R(t)$    fraction of nodes that are Resetting at time $t$

Theoretical Analysis
• We express the transition rates in terms of several network parameters:

$$\alpha = \frac{1}{r}, \qquad \beta(t) = \lambda \cdot \frac{\pi_I(t)}{\pi_C(t) + \pi_I(t)}, \qquad \rho_C = \sigma \cdot \upsilon, \qquad \rho_I = \sigma \cdot (\upsilon + \xi)$$

Parameter — Description
  $r$           time to perform the reset operation
  $\lambda$     communication rate for each node
  $\sigma$      detection sensitivity
  $\upsilon$    normal upload rate for each node
  $\xi$         exfiltration rate for each infected node
  $\theta$      operational threshold for the network (fraction of nodes that must be online)

• Solving $\frac{d\pi_C(t)}{dt} = \frac{d\pi_I(t)}{dt} = \frac{d\pi_R(t)}{dt} = 0$ together with $\pi_C(t) + \pi_I(t) + \pi_R(t) = 1$ yields the equilibrium distribution $(\pi_C, \pi_I, \pi_R)$ over node states:

$$\pi_C = \frac{\sigma(\upsilon+\xi)}{\lambda + r\sigma(\upsilon+\xi)(\lambda - \sigma\xi)}, \qquad \pi_I = \frac{\lambda - \sigma(\upsilon+\xi)}{\lambda + r\sigma(\upsilon+\xi)(\lambda - \sigma\xi)}, \qquad \pi_R = 1 - \frac{\lambda}{\lambda + r\sigma(\upsilon+\xi)(\lambda - \sigma\xi)}$$

Theoretical Analysis (continued)
• The optimal detection sensitivity for the Defender is the maximum value of $\sigma$ that respects the operational threshold, i.e. the solution to

$$\pi_R(\sigma) = 1 - \frac{\lambda}{\lambda + r\sigma(\upsilon+\xi)(\lambda - \sigma\xi)} = 1 - \theta$$

which is

$$\sigma = \frac{\lambda}{2\xi} \cdot \left(1 - \sqrt{1 - \frac{4\xi(1-\theta)}{r\lambda\theta(\upsilon+\xi)}}\right)$$

• The Attacker wants to maximize the total data exfiltration rate: $\max_\xi f(\xi)$ where $f(\xi) = \xi \cdot \pi_I(\xi)$, which occurs when

$$\xi^* = \upsilon \cdot \frac{1 - \sqrt{\frac{1-\theta}{r\lambda\theta}}}{2\sqrt{\frac{1-\theta}{r\lambda\theta}} - 1}$$

yielding a total data exfiltration rate of

$$f(\xi^*) = \upsilon \cdot \theta \cdot \frac{\frac{1-\theta}{r\lambda\theta} - \left(2\sqrt{\frac{1-\theta}{r\lambda\theta}} - 1\right)}{2\sqrt{\frac{1-\theta}{r\lambda\theta}} - 1}$$

Results
• Examining the boundary cases, we find that:
  – If $\frac{1-\theta}{r\lambda\theta} \geq \frac{4}{9}$, the Defender will purge the malware from the network, regardless of the data exfiltration rate
  – If $\frac{1-\theta}{r\lambda\theta} \leq \frac{1}{4}$, the Defender cannot keep up with the spread of the malware, so the Attacker can exfiltrate data at an arbitrarily high rate without being purged from the network
  – For $\frac{1}{4} \leq \frac{1-\theta}{r\lambda\theta} \leq \frac{4}{9}$, the optimal total rate of data exfiltration that the Attacker can achieve is

$$f(\xi^*) = \upsilon \cdot \theta \cdot \frac{\frac{1-\theta}{r\lambda\theta} - \left(2\sqrt{\frac{1-\theta}{r\lambda\theta}} - 1\right)}{2\sqrt{\frac{1-\theta}{r\lambda\theta}} - 1}$$

• Note that these results depend only on $r$ (reset time), $\lambda$ (communication rate), $\upsilon$ (normal upload rate), and $\theta$ (operational threshold)

Conclusions
• Our model represents a worst-case scenario, where:
  – Malware spreads instantaneously every time an infected node communicates with a clean node
  – Any node can communicate with any other node
  – Detectors cannot distinguish between clean and infected nodes
• Without modifying normal network behavior (node communication and upload rate) or knowing anything about the Attacker's strategy, the Defender can control the maximum total rate of data exfiltration by:
  – reducing the time required to perform the reset or recovery operation
  – reducing the operational threshold, e.g. by acquiring additional nodes
• Our results allow cybersecurity decision-makers to
  – assess the maximal risk to their network
  – estimate the benefit of investing additional resources in improving the robustness of their network

Questions?
Brian Thompson [email protected]
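The model, the Defender's sensitivity choice and the Attacker's optimum above can be evaluated numerically for a given network. The following is an added example (not the authors' code): it reproduces the closed forms from the slides, then checks the Attacker's closed-form optimum against a brute-force scan of $f(\xi)$ in which the Defender always answers with the threshold-respecting sensitivity. The purge branch of `attacker_optimum` is taken where the closed-form $\xi^*$ stops being positive; the scenario numbers in `__main__` are constructed.

```python
import math

def equilibrium(r, lam, sigma, ups, xi):
    """Steady-state (pi_C, pi_I, pi_R) of the Clean/Infected/Resetting model
    for a fixed sensitivity sigma (valid while sigma*(ups+xi) < lam)."""
    denom = lam + r * sigma * (ups + xi) * (lam - sigma * xi)
    return (sigma * (ups + xi) / denom,
            (lam - sigma * (ups + xi)) / denom,
            1.0 - lam / denom)

def defender_sigma(r, lam, ups, xi, theta):
    """Largest sensitivity that keeps pi_R <= 1 - theta (the smaller root of the
    quadratic on the slides). None means the threshold never binds, so the
    Defender can raise sigma until the malware is purged."""
    disc = 1.0 - 4.0 * xi * (1.0 - theta) / (r * lam * theta * (ups + xi))
    if disc < 0.0:
        return None
    return lam / (2.0 * xi) * (1.0 - math.sqrt(disc))

def exfil_rate(r, lam, ups, xi, theta):
    """Total exfiltration rate f(xi) = xi * pi_I once the Defender has responded."""
    sigma = defender_sigma(r, lam, ups, xi, theta)
    if sigma is None or sigma * (ups + xi) >= lam:
        return 0.0  # purged: no infected nodes in equilibrium
    return xi * equilibrium(r, lam, sigma, ups, xi)[1]

def attacker_optimum(r, lam, ups, theta):
    """Closed-form (xi*, f(xi*)) in terms of k = (1-theta)/(r*lam*theta)."""
    u = math.sqrt((1.0 - theta) / (r * lam * theta))
    if 2.0 * u <= 1.0:
        return math.inf, math.inf   # Defender cannot keep up with the spread
    if u >= 1.0:
        return 0.0, 0.0             # no positive xi* exists: malware is purged
    xi_star = ups * (1.0 - u) / (2.0 * u - 1.0)
    return xi_star, ups * theta * (1.0 - u) ** 2 / (2.0 * u - 1.0)

def grid_search(r, lam, ups, theta, xi_max=5.0, steps=5000):
    """Brute-force check of the closed form: scan xi and keep the best f(xi)."""
    best_xi, best_f = 0.0, 0.0
    for i in range(1, steps + 1):
        xi = xi_max * i / steps
        f = exfil_rate(r, lam, ups, xi, theta)
        if f > best_f:
            best_xi, best_f = xi, f
    return best_xi, best_f

if __name__ == "__main__":
    # constructed scenario: reset takes 1 time unit, lam=2.5, ups=1, half the nodes must stay online
    print(attacker_optimum(1.0, 2.5, 1.0, 0.5), grid_search(1.0, 2.5, 1.0, 0.5))
```

Lowering `r` or `theta` in the scenario moves $k = (1-\theta)/(r\lambda\theta)$ up and shrinks `f(xi*)`, which is the lever the Conclusions slide describes.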