A Biologically Inspired Approach to Network Vulnerability Identification
Evolving CNO Strategies for CND
Todd Hughes, Aron Rubin, Andrew Cortese, Harris Zebrowitz
Senior Member, Engineering Staff
Advanced Technology Laboratories
Presentation Outline
1. Cyber Attack Workstation
2. Problem Description
3. Rule Discovery Engine
4. Virtual Network Simulator
5. Approach
6. Experiment
7. Results
8. Conclusion and Future Work
10/30/03
2
Cyber Attack Workstation
Reconnaissance and Attack Tool Automation
• Automates the process of monitoring and attacking network
• Provides library of intelligence gathering, penetration, and denial of service tools for use through single interface
• Allows user with little experience in hacking to test attack mechanisms
[Screenshot labels: Reconnaissance; Tool Options; Account for Risk; Exploit Options; Defense through Understanding of the Offense]
Cyber Attack Workstation
Is it possible to learn robust cyber reconnaissance campaigns?
Problem Description
• Learn robust cyber reconnaissance campaigns
– Use genetic algorithm and network simulation to evolve reconnaissance campaigns
– Facilitate automated covert reconnaissance of unknown network
• Benefit
– Automate discovery of vulnerabilities of known network
• Leveraged technology
– Virtual Network Simulator
– Rule Discovery Engine
Virtual Network Simulator
• Developed by ATL and Atlantic Consulting Services for US Army CECOM
– Information assurance specialist training
– Operational planning and vulnerability assessment
– Exercise support and situation awareness
• Capabilities
– Provides real-time, interactive, visual simulation to exhibit attack effects and user reconfigurations
– Simulates up to 50,000 node networks
– Faster than and equal to real-time
– Easy to configure and operate
– Simulates actual security management systems
– Logs, reports, and allows after action review
VNS Overall Architecture
[Diagram labels: Instructor (selects and initiates attacks); Student (configures scenario); SQL Database (attack, software, OS, etc. descriptions); VNS Attack Launcher; Configures and monitors network; Responds to attacks; VNS Network Simulator; Runtime Infrastructure (RTI)]
• Rapidly configures and simulates tactical network scenarios
• Capable of modeling operationally specific layouts and displays
VNS Models
• Hosts
• Routers
• Bridges
• Relays
• Services
• Ports
• Firewalls
• IDS
• Attacks
• Wired
• Wireless
• Traffic
Rule Discovery Engine
• Uses genetic algorithms to evolve rules that define a control strategy
– Given a pool of sensory inputs and elementary behavior units, generates and catalogs behavior rules for complex situations
– Rules are then arbitrated and used depending on the conditions of a simulated environment
– Rules evolve over a series of generations, guided by a fitness function
• Based on ECJ (Java-based Evolutionary Computation and Genetic Programming Research System) from George Mason University
RDE-VNS Framework
[Diagram labels: Behavior Pool; VNS Attack Launcher; RDE; VNS Network Simulator; Evolved Recon Strategies; Runtime Infrastructure (RTI)]
• RDE interfaced with VNS
– Filled "instructor" role
• RDE selected behavior rules, calculated fitness for rules, evolved subsequent rules
Approach
• For genetic algorithm, we developed a novel representation and sequential macro replacement scheme
• Each individual rule contained a series of actions
– Port scan
– Traceroute
– Fingerprint
– Time delay
• As campaign progressed, macros dynamically replaced with network data as it was discovered
[Diagram labels: GA; Actions; VNS; Initial IP Data; Network Discovered; Detection Rate]
Representation Technique
• Each individual represented a series of action types, including time delays
– Use 4-bit opcodes (16 possible values) to represent each action
– An individual is then simply a bit string made up of a series of opcodes
• Each action contained macros that were dynamically replaced with data specific to the current individual
– i.e., network data already discovered
Fitness
• Assumptions
– Less time for an individual is better
– Lower detection rate is better
– More network information is better
• Higher score given for port than node information
Fitness = Network Discovered / (Time of Run + Detection)
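The opcode representation, run-time macro replacement and fitness scoring described on the Approach, Representation Technique and Fitness slides, together with the RDE's generational loop, as an added example that is not part of the presentation and is not the RDE or VNS code. It assumes a constructed four-host toy network standing in for VNS, an assumed mapping of four of the sixteen opcode values to the four action types (the rest decode to a no-op), a target macro that is filled with the least-visited host discovered so far, a port-versus-node weighting of 2:1, and a rate-based detector whose `sensitivity` plays the role of the experiment's IDS sensitivity levels; the GA itself (tournament selection, crossover on opcode boundaries, bit-flip mutation, elitism) is a minimal stand-in for ECJ. Run against a model of your own detection configuration, the output of interest is which action orderings the detector scores poorly.

```python
"""Toy RDE/VNS loop (added example, not the presentation's code)."""
import random
from dataclasses import dataclass

# 4-bit opcodes give 16 values, as on the slide. Which value means which action
# is an assumption here; unassigned values decode to NOP.
OPCODE_BITS = 4
OPCODES = {0x1: "PORT_SCAN", 0x2: "TRACEROUTE", 0x3: "FINGERPRINT", 0x4: "DELAY"}

# Constructed toy network in place of VNS: host -> (traceroute neighbours, open ports, OS)
TOY_NETWORK = {
    "10.0.0.1": (["10.0.0.2", "10.0.0.3"], {22, 80}, "linux"),
    "10.0.0.2": (["10.0.0.1"], {443}, "bsd"),
    "10.0.0.3": (["10.0.0.1", "10.0.0.4"], {25, 53}, "linux"),
    "10.0.0.4": (["10.0.0.3"], {3389}, "windows"),
}


def decode(bits):
    """Split an individual's bit string into 4-bit opcodes and name each action."""
    if len(bits) % OPCODE_BITS:
        raise ValueError("individual must be a whole number of opcodes")
    return [OPCODES.get(int(bits[i:i + OPCODE_BITS], 2), "NOP")
            for i in range(0, len(bits), OPCODE_BITS)]


@dataclass
class Outcome:
    discovered: int    # 2 points per port, 1 per host or OS learned (assumed weighting)
    time: float        # simulated run time
    detection: float   # accumulated detector score


def simulate(actions, seed_ip, sensitivity):
    """Run an action sequence against TOY_NETWORK. Each action's target macro is
    filled at run time with the least-visited host discovered so far, mirroring
    the slide's 'macros replaced with network data as it was discovered'."""
    visits = {seed_ip: 0}          # discovered hosts -> times targeted (the macro pool)
    ports, oses = set(), set()
    time = detection = 0.0
    burst = 0                      # actions since the last DELAY (rate-based detector model)
    for action in actions:
        if action == "NOP":
            continue
        if action == "DELAY":
            time += 5
            burst = 0
            continue
        target = min(visits, key=lambda h: visits[h])   # macro replacement
        visits[target] += 1
        neighbours, open_ports, os_name = TOY_NETWORK[target]
        if action == "TRACEROUTE":
            time += 2
            for n in neighbours:
                visits.setdefault(n, 0)
        elif action == "PORT_SCAN":
            time += 3
            ports.update((target, p) for p in open_ports)
        elif action == "FINGERPRINT":
            time += 1
            oses.add((target, os_name))
        burst += 1
        detection += sensitivity * burst   # bursts of probes are what the detector keys on
    discovered = 2 * len(ports) + (len(visits) - 1) + len(oses)
    return Outcome(discovered, time, detection)


def fitness(outcome):
    """Fitness = Network Discovered / (Time of Run + Detection), as on the slide."""
    denom = outcome.time + outcome.detection
    return outcome.discovered / denom if denom else 0.0


def evolve(generations=30, pop_size=20, genes=8, sensitivity=1.0, seed=7):
    """Minimal GA in place of ECJ: tournament selection, one-point crossover on an
    opcode boundary, bit-flip mutation, and elitism. Returns (best bits, fitness)."""
    rng = random.Random(seed)
    length = genes * OPCODE_BITS
    score = lambda ind: fitness(simulate(decode(ind), "10.0.0.1", sensitivity))
    pop = ["".join(rng.choice("01") for _ in range(length)) for _ in range(pop_size)]
    best = max(pop, key=score)
    for _ in range(generations):
        def pick():
            a, b = rng.sample(pop, 2)
            return a if score(a) >= score(b) else b
        children = []
        while len(children) < pop_size:
            a, b = pick(), pick()
            cut = rng.randrange(OPCODE_BITS, length, OPCODE_BITS)
            child = list(a[:cut] + b[cut:])
            for i in range(length):
                if rng.random() < 1.0 / length:
                    child[i] = "1" if child[i] == "0" else "0"
            children.append("".join(child))
        pop = children
        pop[0] = best                  # elitism: the best individual always survives
        best = max(pop, key=score)
    return best, score(best)


if __name__ == "__main__":
    best_bits, best_fitness = evolve()
    print(decode(best_bits), round(best_fitness, 3))
```

`evolve()` returns the fittest bit string and its score; `decode()` shows the action order it settled on. Because the detector term grows with the number of probes since the last DELAY, raising `sensitivity` shifts the optimum toward sequences that space probes out with delays, which is the trade-off the experiment's three IDS sensitivity levels are meant to expose.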
Experiment
• 180 trials
• Two variables
– Three simulated networks
– Three intrusion detection sensitivity levels
• Trained GA on each network individually
– Trained on one, tested on other two
Results
• TBD
Conclusion and Future Work
• Conclusion
– Successfully demonstrated an architecture which can automatically generate an effective reconnaissance campaign
• Future Work
– Experiment with penetration attack campaigns exploiting vulnerabilities on victim network
– Experiment with alternative fitness function