here. - TakeDownCon

unknownlippsAI and Robotics

Oct 16, 2013 (3 years and 8 months ago)

63 views

Research Advancements Towards
Protecting Critical Assets

Dr. Richard “Rick” Raines

Cyber Portfolio Manager

Oak Ridge National Laboratory


15 July 2013

The Cyber Defense?

The Economist May 9, 2009

The Threat Landscape


National intellectual property is being stolen at alarming
rates


National assets are vulnerable to attack and exploitation


Personal Identifiable Information at risk


Competing and difficult national priorities for resources

The Landscape is continually changing

Transportation

Water

Electric Power

Oil
& Gas

Communications

Financial

Emergency

Understanding the Challenges


Dynamic environment with a constant churn


A domain of operations

”within” and “through”


Anytime, anywhere access to data and information


Policy and Statutory lanes emerging


Agile adversaries


Cyber and Cyber Physical


Overt and covert attacks/exploits


Data continues to grow


Sensor feeds yield terabytes of raw data


Analyst burdens continue to grow

We Continue to Play Catch Up

Who Are the Threat Actors ?


Unintended
threat actors
--

Can be just about anyone??


Target rich environment

people, processes, machines


Personal gain threat actors
--

individual and organized crime


Insiders?


Ideological threat actors


Hacktivists
, extremists and terrorists


Nation
-
state threat actors


Intelligence gathering, military actions


The Sophistication of the Actors Continue to Increase

#
OpUSA

(7 May 13)

#
OpNorthKorea

(25 Jun 13)

Who “Really” Are the Threat
Actors?


Over 90% of threat actors are external to an organization


55% of the actors associated with organized crime


Predominantly in U.S. and Eastern Europe


~20% of actors associated with nation
-
state operations


Over 90% attributable to China


Internal actors: large percentage of events tied to
unintentional misconfigurations

But, sophistication not always needed….

Source: www
.
verizonenterprise
.
com/DBIR/2013

The Targets


37% of incidents affected financial organizations


Organized crime

virtual and physical methods


Since 9/2012, 46 U.S. institutions in over 200 separate intrusions
(FBI)


24% targeted individuals in retail environments


40% of data thefts attributed to employees in the direct

payment chain


Waiters, cashiers, bank tellers

”skimmers” and like
-
devices


Organizations will always be targets for who

they are and what they do

Actors will continue to look for the “low hanging fruit”

Source: www
.
verizonenterprise
.
com/DBIR/2013

Understanding Your Mission


What does cyber Situational Awareness really mean?


User
-
defined


Real
-
time awareness of mission health


Highly relevant information to the decision
-
maker


What are the “crown jewels” in your mission space?


The critical components that you can’t operate without


Understanding the interdependencies


What are the capabilities needed for success?


Revolutionary advances rather than evolutionary

progress


The right talent and enough to ensure success


Partnerships are critical

Mission Assurance = Operational Success

Long Term Grand Challenges

System of systems approach to ensure continuity of operations (COOP)

Identify

mission
-

critical

capabilities

Assess

c
omplex

attack

planning

problem

Design

defense

in depth

Detect/

block

attacks

Discover/

mitigate

attacks

Enable

graceful

degradation

of resilient

(self
-
healing)

systems

Operate Through An Outage/Attack

Cyber R&D Challenges

Mission
-
critical systems available and functional to operate through

Near
-
real
-
time

situational

awareness

of the

battlespace

Automated/

user
-
defined

view

Network

mapping

Predictive/

self
-
healing

systems

Anticipate

failure

or attack

and react

automatically

Predictive Awareness

Cyber R&D Challenges

Cyber R&D Challenges

Visibility of data and computations without access to specific problem

Approach:

Wholly owned/

cloud service/

public

internet

Complex

attack

planning

problem

Variety

of security

structures

Masking

deception

Continuous

maneuver

G
raceful

degradation

of resilient

(self
-
healing)

systems

Security in the Cloud

High user confidence in data and software

Resilient

data

(at rest and

in motion)

Protocols:

Secure,

resilient,

active

Trustworthy

computing

High
-
user
-

confidence

check sum

Hardware
-

backed

trust

G
raceful

degradation

of mission
-

critical data to

“last known

good”

Self
-
Protective Data/Software

Cyber R&D Challenges

Bring your own
device (disaster?)

Biometric

security

features

Classified/

UNCLAS


encryption

Power and

performance

issues

addressed


Hardware


root of

trust

Self

healing

Data

Validated


Leakage/

Transfer

contained

Security of Mobile Devices

Cyber R&D Challenges

Evidence
-

based action

Computational

cyber

security

Science
-

based

security

Protection and
control

Nonclassical

light sources

Quantum

simulation

Application
-

oriented

research

Analytics

Information

visualization

Data

management


Observation
-
based

generative models


Control of false
positives/negatives


Modeling

of adversaries


Mathematical rigor


Computationally

intensive methods


At scale, near real time


Statistics
vs

metrics


Repeatability

and reproducibility


Trend observation

and identification


Photon pair and
continuous variable
entanglement


Comprehensive

source design

and simulation


High
-
performance

computing resources


Putting quantum and
computing together


From first principles

to real solutions


Quantum for computing,
communication,

sensing, and security


Probabilistic modeling


Social network analysis


Relational learning


Heterogeneous data analysis


Geospatial and temporal
display methods


Multiple, coordinated
visualizations


User
-
centered design

and user testing


Online, near
-
real
-
time

methods


Graph modeling/retrieval


Distributed storage

and analysis methods

ORNL Cyber Research Strengths

Evidence
-

based action

Computational

cyber

security

Real
-
time

Monitoring

Detection,

control
and
wide
-
area
visualization

Standards

development

Resilient

control
systems

Advanced
components

Analytics

Information

visualization

Data

management


Observation
-
based

generative models


Control of false
positives/negatives


Modeling

of adversaries


Vulnerability assessments


Mathematical rigor


Computationally

intensive methods


At scale, near real time


Time synchronized data


Fault disturbances
recorders, PMUs


Voltage, frequency,
phase 3, current


Industry guidelines


Interoperability


Physics based
protection schemes


Cyber physical
interface


Fault current limiters


Saturable

reactors


Power electronics


Probabilistic modeling


Social network analysis


Relational learning


Heterogeneous data analysis


Geospatial and temporal
display methods


Multiple, coordinated
visualizations


User
-
centered design

and user testing


Online, near
-
real
-
time

methods


Graph modeling/retrieval


Distributed storage

and analysis methods

ORNL Control Systems Security

Research Strengths

Wide
-
Area Power Grid Situational Awareness

Impact Models and Data Analysis

Distribution Outages Analysis


Monitoring Capability


Situational awareness of subset of
transmission lines (above 65 KV)


Situational awareness of distribution
outages (status of approximately 100
Million power customers)


Social
-
media feeds ingest


Real
-
time weather overlays



Modeling and Analysis


Predictive and post
-
event impact
modeling and contingency simulation


Automatic forecasts of power recovery


Energy interdependency modeling


Mobile application


Cyber dependency

VERDE: Visualizing Energy Resources
Dynamically on Earth









Validation. Software
can be analyzed for

intended functionality
.

Readiness. Software
can be analyzed for

malicious content.

Instruction semantics
can be mathematically
combined to compute
the functional effect of
programs.

Function and security analysis of compiled binaries through behavior computation

HOW
IT WORKS:



Hyperion Protocol technology computes the
behavior of compiled binaries.


Structure theorem shows how to transform
code into standard control structures with no
arbitrary branching.


Correctness theorem shows how to express
behavior of control structures as non
-
procedural specifications.


Computed behavior can be compared to
semantic signatures of vulnerabilities and
malicious operations.

Current technology
provides no practical
means to validate the full
behavior of software.



Software
may contain
unknown vulnerabilities
and sleeper code that
compromise operations.

Program instructions
implement functional
semantics that can be
precisely defined.

Determination
of
vulnerabilities and
malicious
content
can be carried out at
machine speeds.

System for computing
behavior of binaries to
identify vulnerabilities
sleeper codes
and
malware.

QUANTITATIVE IMPACT

GOAL

STATUS QUO

NEW INSIGHTS



Mathematical Foundations developed at IBM


SEI/CMU developed Function Extraction (FX)


ORNL developing 2
nd

Gen FX on HPC

Hyperion Protocol

Oak Ridge Cyber Analytics: Detecting
Zero Day Attacks

Approach:


Generalize computer communication behaviors
using machine
learning
models.


Classify incoming network data in real
-
time.


Complement signature
-
based
sensor arrays to
focus on attack variants.

Advantages:


No signatures


trains on examples of attacks


Detects attacks missed by the most advanced
OTS intrusion detectors.


Detect zero day attacks that are variants of
existing attack vectors.

DoD

Warfighter
Challenge evaluation of ORNL’s ORCA:


Supervised Learner (Tweaked
AdaBoost
):


Detected

94% of attacks
using machine learning methods


False positive
rate is only 1.8%


Semi
-
supervised Learner (Linear
Laplacian

RLS):


Detected

60%
of attacks
using machine learning methods


No false positives


Detecting both
previously seen and never before seen
attacks.

Moving Ahead


Increased national focus on cyber security


Cyber law enforcement capabilities growing


“who”


Digital forensics are improving
--

“how”


Information Sharing and Analysis Centers (ISACs)


“what”


Maturing education and training for the professionals


Better education for “the masses”


Rapidly evolving R&D breakthroughs

The Human is still the weakest element in the cyber domain

Questions?


rainesra@ornl.gov