MURI_CyberCog_Meeting_20Sep_UPDx

ocelotgiant, Artificial Intelligence and Robotics

7 Nov 2013

CYBERCOG

Test Bed Overview

The Experiment Setup

Figure: experiment setup. Two screens per analyst; a common projector screen; an experimenter observing the interactions and taking notes.

Resources for each cyber analyst

Each participant takes the role of a cyber analyst.

Each participant has two computer screens.

The first screen displays the events, alerts, attack patterns and messages from the other analysts in the experiment.

The second screen displays the map of the network segment that the analyst is responsible for, together with the alerts and events of importance identified by the team.

The common projector screen displays the entire network map and a timer indicating the time left to complete the task.

Information available to each cyber analyst

Overview of tasks performed during an exercise

Sample Network Map

Attack Scenario

Example attack scenario [1]

Example Scenario


Workstations of several employees at company XYZ become non-responsive. Work in the company is severely affected. It is estimated that if the situation continues for more than 2 hours, the company could incur a net loss of over a million dollars.

Ground Truth available to each Cyber Analyst

Cyber Analyst 1

Web server: reachability(internet, webServer, tcp, 80)

Web server: networkServiceInfo(webServer, httpd, tcp, 80, apache)

Web server: vulExists(webServer, 'CAN-2002-0392', httpd, remoteExploit, privEscalation)

Cyber Analyst 2

File server: reachability(webServer, fileServer, rpc, 100005)

File server: vulExists(fileServer, vulID, mountd, remoteExploit, privEscalation)

File server: networkServiceInfo(fileServer, mountd, rpc, 100005, root)

File server: canAccessFile(fileServer, root, write, '/export')

File server: nfsExportInfo(fileServer, '/export', write, webServer)

File server: reachability(webServer, fileServer, nfsProtocol, nfsPort)

Cyber Analyst 3

Workstation: nfsMounted(workstation, '/usr/local/share', fileServer, '/export', read)
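The three fact sets above are MulVAL-style predicates deliberately split so that no single analyst holds the whole attack path. The Python below is an added example written for this page, not code from the CyberCog test bed or from reference [1]: it chains the facts with six simplified interaction rules and reports what each analyst could conclude alone versus what the team can conclude together. The rules themselves, the starting fact attackerLocated(internet), the intermediate predicates netAccess and attackerControlledFile, and the "user" privilege on the workstation are assumptions of the example, not facts from the slides; R5 and R6 in particular compress NFS mount semantics and Trojan execution into one step each.

```python
# Added example (not CyberCog project code): MulVAL-style forward chaining over
# the ground-truth facts, with simplified rules marked where they assume.

# Facts exactly as distributed on the slides, one set per analyst.
ANALYST_FACTS = {
    1: {
        ("reachability", "internet", "webServer", "tcp", "80"),
        ("networkServiceInfo", "webServer", "httpd", "tcp", "80", "apache"),
        ("vulExists", "webServer", "CAN-2002-0392", "httpd",
         "remoteExploit", "privEscalation"),
    },
    2: {
        ("reachability", "webServer", "fileServer", "rpc", "100005"),
        ("vulExists", "fileServer", "vulID", "mountd",
         "remoteExploit", "privEscalation"),
        ("networkServiceInfo", "fileServer", "mountd", "rpc", "100005", "root"),
        ("canAccessFile", "fileServer", "root", "write", "/export"),
        ("nfsExportInfo", "fileServer", "/export", "write", "webServer"),
        ("reachability", "webServer", "fileServer", "nfsProtocol", "nfsPort"),
    },
    3: {
        ("nfsMounted", "workstation", "/usr/local/share",
         "fileServer", "/export", "read"),
    },
}


def sel(facts, name):
    """Argument tuples of every fact whose predicate is `name`."""
    return [f[1:] for f in facts if f[0] == name]


def step(facts):
    """Apply each rule once; return {new_fact: rule_label} for unknown facts."""
    new = {}
    # R1: the attacker's zone, or any host they already run code on, gives
    # network access to every (protocol, port) reachable from it.
    sources = {z for (z,) in sel(facts, "attackerLocated")}
    sources |= {h for (h, _) in sel(facts, "execCode")}
    for src, dst, proto, port in sel(facts, "reachability"):
        if src in sources:
            new.setdefault(("netAccess", dst, proto, port), "R1 reachability")
    # R2: a remotely exploitable, privilege-escalating vulnerability in a
    # reachable service yields code execution as the service's principal.
    for host, _vid, sw, rng, cons in sel(facts, "vulExists"):
        if (rng, cons) != ("remoteExploit", "privEscalation"):
            continue
        for h, s, proto, port, perm in sel(facts, "networkServiceInfo"):
            if (h, s) == (host, sw) and ("netAccess", host, proto, port) in facts:
                new.setdefault(("execCode", host, perm), "R2 remote exploit of " + sw)
    # R3: code running as a principal inherits that principal's file access.
    for host, perm in sel(facts, "execCode"):
        for h, p, access, path in sel(facts, "canAccessFile"):
            if (h, p) == (host, perm):
                new.setdefault(("accessFile", host, access, path), "R3 local file ACL")
    # R4: an export granted to a compromised client, over a reachable NFS path.
    owned = {h for (h, _) in sel(facts, "execCode")}
    for server, path, access, client in sel(facts, "nfsExportInfo"):
        if client in owned and ("netAccess", server, "nfsProtocol", "nfsPort") in facts:
            new.setdefault(("accessFile", server, access, path), "R4 NFS export")
    # R5 (assumption): whatever the attacker writes on the exported path shows
    # up under the client's mount point, regardless of the mount mode.
    for client, cpath, server, spath, _mode in sel(facts, "nfsMounted"):
        if ("accessFile", server, "write", spath) in facts:
            new.setdefault(("attackerControlledFile", client, cpath), "R5 NFS mount")
    # R6 (assumption): a user running a planted binary from that directory gives
    # the attacker code execution as that user (the slides' Trojan events).
    for host, path in sel(facts, "attackerControlledFile"):
        new.setdefault(("execCode", host, "user"), "R6 Trojan run from " + path)
    return {f: r for f, r in new.items() if f not in facts}


def derive(facts, attacker_zone="internet"):
    """Iterate to a fixed point; return (all facts, ordered derivation trace)."""
    known = set(facts) | {("attackerLocated", attacker_zone)}  # assumed start
    trace = []
    while True:
        new = step(known)
        if not new:
            return known, trace
        trace.extend(sorted(new.items()))
        known.update(new)


def compromised_hosts(facts):
    return sorted({h for (h, _) in sel(facts, "execCode")})


if __name__ == "__main__":
    everything = set().union(*ANALYST_FACTS.values())
    for label, subset in (("analyst 1 alone", ANALYST_FACTS[1]),
                          ("analysts 1 and 2", ANALYST_FACTS[1] | ANALYST_FACTS[2]),
                          ("all three analysts", everything)):
        facts, trace = derive(subset)
        print(label, "->", compromised_hosts(facts))
        for fact, rule in trace:
            print("   ", rule.ljust(26), fact)
```

Run stand-alone, the block prints the derivation trace for each view. Analyst 1's facts alone stop at code execution on webServer; analyst 2's facts alone derive nothing, because nothing in them places the attacker anywhere; only the union of all three reaches the workstation, which is exactly the situation-awareness gap the team exercise is built to surface.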

Event distribution - Cyber Analyst 1

Event 1: TCP probe on port 80 on web server fails.

Event 2: Successful data transfer through port 80 on web server.

Event 3: TCP probe on port 80 on web server fails.

Event 4: Successful data transfer through port 80 on web server.

Event 5: Successful data transfer through port 80 on web server.

Event 6: Successful data transfer through port 80 on web server.

Event 7: Successful data transfer through port 80 on web server.

Event 8: TCP probe on port 80 on web server succeeds.

Event 9: Successful remote login to FTP server.

Event 10: Unauthorized access to FTP server blocked.

Event distribution - Cyber Analyst 2

Event 1: TCP probe to the RPC port of fileServer fails.

Event 2: Successful data transfer to the RPC port of fileServer.

Event 3: TCP probe to the RPC port of fileServer succeeds.

Event 4: Successful data transfer to the RPC port of fileServer.

Event 5: Successful data transfer to the RPC port of fileServer.

Event 6: Binary file "config.temp" in directory "/export" is changed by "shanter".

Event 7: Binary file "config.temp" in directory "/export" is changed by "jhun".

Event 8: Binary file "config.temp" in directory "/export" is changed by "unknown" (malicious file override).

Event 9: Binary file "source.temp" in directory "/export" is changed by "nfinch".

Event 10: File "world.xml" updated by admin.

Event distribution - Cyber Analyst 3

Event 1: Bad file "config.temp" is downloaded by "rjay".

Event 2: File "config.temp" is executed on "rjay" user computer.

Event 3: Executable file "free.exe" downloaded by "jkay".

Event 4: File "free.exe" is executed by "jkay".

Event 5: Bad file "config.temp" is downloaded by "praj".

Event 6: File "config.temp" is executed on "praj" user computer.

Event 7: Executable file "free.exe" downloaded by "skay".

Event 8: File "free.exe" is executed by "skay".

Event 9: Bad file "config.temp" is downloaded by "skay".

Event 10: Trojan horse detected on "skay" user computer.

Alert distribution - Cyber Analyst 1

AE1 against Event 1: The probing packet matches a signature compromising webServer.

AE2 against Event 3: The probing packet matches a signature compromising webServer.

AE3 against Event 8: The probing packet matches a signature compromising webServer.

AE4 (false positive, matching no event): webServer runs a malicious NFS shell.


Alert distribution - Cyber Analyst 2

FN1 (false negative) against Event 3: the sensor did not raise any alert about the probe to the file server.

AE1 against Event 6: file "change.temp" in directory "/export" is changed.

AE2 against Event 7: file "change.temp" in directory "/export" is changed.

AE3 against Event 8: file "change.temp" in directory "/export" is changed.

AE4 against Event 8: file "change.temp" is a Trojan horse.

AE5 against Event 9: file "source.temp" in directory "/export" is changed.

AE6 against Event 10: file "change.temp" in directory "/export" is changed.


Alert distribution - Cyber Analyst 3

AE1 against Event 2: Trojan horse is being executed on "rjay" user computer.

AE2 against Event 6: Trojan horse is being executed on "praj" user computer.

AE3 against Event 10: Trojan horse is being executed on "skay" user computer.
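Across the three event and alert lists, the attack only becomes visible when an analyst pivots on an artifact that another analyst's stream also carries: the file config.temp and the /export share. The Python below is an added example for this page, not code from the CyberCog test bed. It encodes the events and alerts above as constructed records (subjects and principals condensed from the slide wording; analyst-2 and analyst-3 alert labels numbered sequentially), reports per-analyst alert coverage, and links a share modification by an unattributed principal to the workstations that later fetched and ran the same file. The event-kind vocabulary and the "unknown principal followed by execution" linking rule are the example's own choices, not something the slides specify.

```python
# Added example: alert coverage and cross-analyst artifact correlation over the
# CyberCog event and alert lists. Not CyberCog test-bed code; records are
# condensed from the slides and the linking rule is this example's own.

# (analyst, event_no, kind, subject, principal); constructed from the slides.
EVENTS = [
    (1, 1, "probe_fail", "webServer:80", None),
    (1, 2, "transfer", "webServer:80", None),
    (1, 3, "probe_fail", "webServer:80", None),
    (1, 4, "transfer", "webServer:80", None),
    (1, 5, "transfer", "webServer:80", None),
    (1, 6, "transfer", "webServer:80", None),
    (1, 7, "transfer", "webServer:80", None),
    (1, 8, "probe_ok", "webServer:80", None),
    (1, 9, "login_ok", "ftpServer", None),
    (1, 10, "access_blocked", "ftpServer", None),
    (2, 1, "probe_fail", "fileServer:rpc", None),
    (2, 2, "transfer", "fileServer:rpc", None),
    (2, 3, "probe_ok", "fileServer:rpc", None),
    (2, 4, "transfer", "fileServer:rpc", None),
    (2, 5, "transfer", "fileServer:rpc", None),
    (2, 6, "file_changed", "/export/config.temp", "shanter"),
    (2, 7, "file_changed", "/export/config.temp", "jhun"),
    (2, 8, "file_changed", "/export/config.temp", "unknown"),
    (2, 9, "file_changed", "/export/source.temp", "nfinch"),
    (2, 10, "file_changed", "/export/world.xml", "admin"),
    (3, 1, "download", "config.temp", "rjay"),
    (3, 2, "execute", "config.temp", "rjay"),
    (3, 3, "download", "free.exe", "jkay"),
    (3, 4, "execute", "free.exe", "jkay"),
    (3, 5, "download", "config.temp", "praj"),
    (3, 6, "execute", "config.temp", "praj"),
    (3, 7, "download", "free.exe", "skay"),
    (3, 8, "execute", "free.exe", "skay"),
    (3, 9, "download", "config.temp", "skay"),
    (3, 10, "trojan_detected", "skay", None),
]

# (analyst, label, event_no); None = alert tied to no event (AE4 is the slides'
# stated false positive). An "FN" label records a sensor miss, not an alert.
ALERTS = [
    (1, "AE1", 1), (1, "AE2", 3), (1, "AE3", 8), (1, "AE4", None),
    (2, "FN1", 3), (2, "AE1", 6), (2, "AE2", 7), (2, "AE3", 8),
    (2, "AE4", 8), (2, "AE5", 9), (2, "AE6", 10),
    (3, "AE1", 2), (3, "AE2", 6), (3, "AE3", 10),
]


def alert_coverage(events, alerts):
    """Per analyst: events no alert covers, alerts with no event, known misses."""
    report = {}
    for analyst in sorted({e[0] for e in events}):
        mine = [(lbl, n) for a, lbl, n in alerts if a == analyst]
        covered = {n for lbl, n in mine if n is not None and not lbl.startswith("FN")}
        report[analyst] = {
            "silent_events": sorted({e[1] for e in events if e[0] == analyst} - covered),
            "unanchored_alerts": [lbl for lbl, n in mine if n is None],
            "known_false_negatives": [n for lbl, n in mine if lbl.startswith("FN")],
        }
    return report


def file_chains(events):
    """Follow each file modified on the share into later download/execute events."""
    chains = {}
    for _a, _n, kind, subject, who in events:
        if kind == "file_changed":
            name = subject.rsplit("/", 1)[-1]
            chain = chains.setdefault(
                name, {"modified_by": [], "downloaded_by": [], "executed_by": []})
            chain["modified_by"].append(who)
    for _a, _n, kind, subject, who in events:
        if kind == "download" and subject in chains:
            chains[subject]["downloaded_by"].append(who)
        elif kind == "execute" and subject in chains:
            chains[subject]["executed_by"].append(who)
    return chains


def suspicious_chains(chains):
    """Share files written by an unattributed principal and then run on a
    workstation. This linking rule is the example's own; free.exe never
    touches the share, so it is not flagged even though users also run it."""
    return sorted(name for name, c in chains.items()
                  if "unknown" in c["modified_by"] and c["executed_by"])


if __name__ == "__main__":
    for analyst, cov in alert_coverage(EVENTS, ALERTS).items():
        print("analyst", analyst, cov)
    chains = file_chains(EVENTS)
    for name in suspicious_chains(chains):
        print("cross-analyst Trojan path:", name, chains[name])
```

The coverage report makes the sensor gaps explicit: analyst 1's alerts cover only the three probes and never the data transfers that follow them, analyst 2 carries the recorded miss on the successful RPC probe, and analyst 3's alerts fire on execution, not on the downloads that precede it. The chain for config.temp is the one the team has to assemble from three screens.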





Feedback System


Feedback to the users of what they have accomplished so far.


The severity level (high, medium or low) of attacks identified and
mitigated in the current exercise.



Dynamic factors to measure SA

Increasing information (events and alerts) and data overload.

Introducing new attacks.

Changing environment factors in real time.

Delaying an important alert.

Changing the possible assumptions.

Increasing and decreasing the time to respond to an attack.

Providing multiple solutions for defending against an attack (choosing the most cost-effective solution).

Road blocks introduced while defending against an attack, e.g. a tool crash.

Flashing new attack information onto an individual user's screen.




Measuring and logging

Team interaction is logged in real time.

Team performance is measured through the number of attacks identified and mitigated.

The dynamic nature of the environment is used to measure SA.

Enhancements Planned

Visual representation of events and alerts, e.g. an attack graph.


Reference

[1] Peng Xie, Jason H. Li, Xinming Ou, Peng Liu, Renato Levy, "Using Bayesian Networks for Cyber Security Analysis".