The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Transcript of The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Page 1: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

A Review of the Published Literature and Discussion of Future Research Plans

Nicklaus A. Giacobe

Page 2: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Intrusion Detection (ID) Plays an Important Role in Developing Situational Awareness

Cyber Situational Awareness = Network Security Situational Awareness

Activities Performed on Behalf of an Organization – “Network Security Office”

Activities Performed by Computer/Network Security Analysts

Difficult, Complex Work – Lots of Data from IDS, Antivirus Systems, Firewall Logs, Server Security Logs, etc.

Ever-Changing Landscape – New Threats, New Technologies, New Software, New Vulnerabilities

Cyber Security Situational Awareness

Introduction

Current State of ID Technology

Theory and Background

Future Research

Conclusions & Discussion

Page 3: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

This Introduction

Part 1: What is the Current State of ID Technology?

Part 2: What are We Trying to Accomplish?

Part 3: Future Research Recommendations

Conclusion/Discussion

Page 4: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

History of ID

Alert Correlation and Data Fusion

Data Fusion Techniques

Visualizations

Part 1: The Current State of Technology in ID

Page 6: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Two Different Locations to Monitor

Host-Based IDS (Denning)

Log Files (C2 compliance) on Unix Machines (Denning 1987)

IDES/NIDES – Baseline “normal” user behavior (Javitz et al. 1994)

Network-Based IDS (Mukherjee/Heberlein)

NSM (LAN Monitor) – history of previous connections, known bad actors lists, signatures of attack types (Mukherjee et al. 1994)

NIDS (Multiple Network IDS and Host) (Snapp et al. 1991) (interesting JDL comparison)

History of Intrusion Detection

Page 7: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Two Different Methods of Analysis

Pattern-Matching (Misuse) Detection (Spafford)

Match activity to patterns of known undesired behavior (Kumar et al. 1994, 1995)

Tripwire – MD Hashing of files (Kim et al. 1994)

DDoS prevention / SYN Floods / Active DoS prevention (Schuba et al. 1997)

Anomaly Detection (Stolfo)

Looking for abnormalities in network traffic (Lee et al. 1999)

Qualitative evaluation of the data stream (statistical methods) (Portnoy et al. 2001) – alert on infrequent types of data

Statistical Payload Evaluations – for Worm Detection (Wang et al. 2004, 2006a, 2006b) and mitigation (Locasto et al. 2006)

History of Intrusion Detection

Page 8: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Testing and Evaluation of IDSs

DARPA IDS Data Sets from 1998-2000

1999 Data Set Contained 2 Weeks of “training data” with labeled known intrusions and 7 Weeks of unlabeled data

Evaluate IDSs under design or in production

Over-fit problem: IDSs could be developed that find all of the problems in the “training data”, but could be very poor at alerting on novel intrusion methods

History of Intrusion Detection

Page 10: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Correlate by Source, Destination or Attack Method

Non-Trivial port-number vs. service name, IP address vs. hostname, etc. (Cuppens 2001)

Need Adaptors – Different systems not designed for fusion (Debar et al. 2001)

Promise of better understanding… see next slide

Alert Correlation and Data Fusion

Page 11: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Understanding Through Correlation

Situation | Combination | Implication
Situation 1 | Same source, target and alert class | Single attacker against same host
Situation 2-1 | Same source and destination | Single attacker on same host, possibly using varying attack methods
Situation 2-2 | Same target and same alert class | Distributed attack on a single host
Situation 2-3 | Same source and same alert class | Single attacker using the same attack and trying to find any host vulnerable to that attack
Situation 3-1 | Same source only | Single attacker using a variety of attack methods on a variety of hosts
Situation 3-2 | Same target only | Distributed attacks
Situation 3-3 | Same attack class only | Common or novel attack method in use by many attackers

Adapted from (Debar et al. 2001)
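As an added example (not code from the deck or from Debar et al.), the table above turned into a correlator: alerts are first normalized (hostname to IP address, the kind of non-trivial equivalence the previous slide attributes to Cuppens 2001) and every pair of alerts is then labelled with the situation its shared fields imply. The alert list, the hostname table and the shortened implication strings are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample alerts (not from the deck): (source, target, alert_class).
# "web01" is a hostname for 192.168.1.10; a correlator must resolve such
# IP-vs-hostname equivalences before comparing fields.
ALERTS = [
    ("10.0.0.5", "192.168.1.10", "ssh_bruteforce"),
    ("10.0.0.5", "web01",        "ssh_bruteforce"),
    ("10.0.0.5", "192.168.1.10", "web_scan"),
    ("10.0.0.7", "192.168.1.10", "ssh_bruteforce"),
    ("10.0.0.5", "192.168.1.11", "ssh_bruteforce"),
    ("10.0.0.9", "192.168.1.12", "ssh_bruteforce"),
]
HOSTNAMES = {"web01": "192.168.1.10"}  # constructed DNS/asset lookup table

# Debar et al. (2001) situations, keyed by the fields two alerts have in common
SITUATIONS = {
    ("source", "target", "class"): ("1",   "Single attacker against same host"),
    ("source", "target"):          ("2-1", "Single attacker on same host, varying attack methods"),
    ("target", "class"):           ("2-2", "Distributed attack on a single host"),
    ("source", "class"):           ("2-3", "Single attacker trying one attack against any vulnerable host"),
    ("source",):                   ("3-1", "Single attacker, many attack methods, many hosts"),
    ("target",):                   ("3-2", "Distributed attacks"),
    ("class",):                    ("3-3", "Common or novel attack method in use by many attackers"),
}

def normalize(alert):
    """Resolve hostnames to addresses so 'web01' and its IP correlate as one target."""
    src, dst, cls = alert
    return (HOSTNAMES.get(src, src), HOSTNAMES.get(dst, dst), cls)

def shared_fields(a, b):
    """Names of the fields on which two (already normalized) alerts agree."""
    names = ("source", "target", "class")
    return tuple(n for n, x, y in zip(names, a, b) if x == y)

def classify_pair(a, b):
    """Debar situation (id, implication) for a pair of alerts, or None if unrelated."""
    return SITUATIONS.get(shared_fields(normalize(a), normalize(b)))

def correlate(alerts):
    """Pairwise correlation: count how many alert pairs fall into each situation."""
    counts = Counter()
    for a, b in combinations(alerts, 2):
        sit = classify_pair(a, b)
        if sit is not None:
            counts[sit[0]] += 1
    return counts

if __name__ == "__main__":
    for sit_id, n in sorted(correlate(ALERTS).items()):
        print(f"Situation {sit_id}: {n} pair(s)")
```

The pairwise pass is quadratic in the number of alerts; a production correlator would bucket alerts by source, target and class instead, but the situation mapping stays the same.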

Page 12: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

JDL Fusion Model (Hall and McMullen 2004)

Alert Correlation and Data Fusion

Page 13: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

JDL Fusion Model (Hall and McMullen 2004)

Alert Correlation and Data Fusion

Figure: JDL model levels – Source Pre-Processing; Level 1 Object Refinement; Level 2 Situation Refinement; Level 3 Threat Refinement

Page 14: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

History of ID

Alert Correlation and Data Fusion

Data Fusion Techniques

Visualization of Underlying and Fused Data

Part 1: The Current State of Technology in ID

Page 15: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Bayesian Inference

Complete list of all possible states of the system

Probabilities of current state

Need for accurate historical data (Holsopple et al. 2006)

D-S Theory

No need for exact knowledge

Sort out independent evidence and combine it using the Dempster Rule

Very human-like logical combination

Can combine evidence of non-similar sources/data types

Data Fusion Techniques
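The Dempster Rule named on this slide, as an added example that is not part of the deck: two independent sources of dissimilar type (an IDS alert and an antivirus log entry, both constructed here) each give a mass function over whether a host is compromised, and combining them yields belief and plausibility bounds without the complete state model that Bayesian inference needs. The mass values are assumptions chosen for illustration.

```python
from itertools import product

# Frame of discernment: a host is either compromised ("C") or clean ("N").
THETA = frozenset({"C", "N"})

# Constructed mass functions for two independent sources (not from the deck).
# Mass on THETA itself means "no opinion": D-S lets a source leave belief
# uncommitted instead of forcing exact probabilities for every state.
IDS_ALERT = {frozenset({"C"}): 0.6, THETA: 0.4}                        # signature hit
AV_LOG = {frozenset({"C"}): 0.5, frozenset({"N"}): 0.1, THETA: 0.4}   # antivirus scan

def dempster_combine(m1, m2):
    """Dempster's rule: multiply masses of intersecting focal elements, drop the
    conflicting (empty-intersection) mass and renormalize. Returns (m12, conflict)."""
    combined = {}
    conflict = 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        common = a & b
        if common:
            combined[common] = combined.get(common, 0.0) + ma * mb
        else:
            conflict += ma * mb
    if conflict >= 1.0:
        raise ValueError("totally conflicting sources: Dempster's rule is undefined")
    return {s: v / (1.0 - conflict) for s, v in combined.items()}, conflict

def belief(m, hyp):
    """Bel(hyp): mass committed to hyp or any subset of it (lower bound)."""
    return sum(v for s, v in m.items() if s <= hyp)

def plausibility(m, hyp):
    """Pl(hyp): mass that does not rule hyp out (upper bound); Pl = 1 - Bel(complement)."""
    return sum(v for s, v in m.items() if s & hyp)

def fuse_host_evidence(sources):
    """Fold any number of independent sources into one mass function."""
    m = sources[0]
    for other in sources[1:]:
        m, _ = dempster_combine(m, other)
    return m

if __name__ == "__main__":
    m, k = dempster_combine(IDS_ALERT, AV_LOG)
    comp = frozenset({"C"})
    print(f"conflict={k:.3f} Bel(C)={belief(m, comp):.3f} Pl(C)={plausibility(m, comp):.3f}")
```

The gap between Bel(C) and Pl(C) is the remaining ignorance; a high conflict value is itself a signal worth surfacing to the analyst, since it means the sources disagree rather than merely lack data.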

Page 16: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Data Mining Algorithms

Support Vector Machines (SVMs) (Liu et al. 2007 x3)

Neural Networks (Wang et al. 2007)

May be helpful in rapidly combining multiple sources of similar data

Thomas and Balakrishnan (2008)

Combined alert data from 3 different IDSs (PHAD, ALAD, Snort) using MLFF-NN

Tested vs. DARPA 1999 data set

Showed improved detection rates of the known data over each individual IDS (68% vs. 28%, 32%, 51%)

Data Fusion Techniques

Page 18: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Based on Network Topology

Based on Geopolitical Topology

Network Traffic Representations

Alert and Track-Based Displays

Visualizations

Page 19: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Hierarchical Network Map from Mansmann and Vinnik (2006)

Page 20: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Representation of Threats and Actors on a Geopolitical Map from (Pike et al. 2008)

Page 21: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Representation of host to port to remote port to remote host of network traffic from (Fink et al. 2004)

Page 22: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Panel Displaying Network Connections from a Single Host from (Fischer et al. 2008)

Page 23: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Representing the Three Ws from (Foresti et al. 2007)

Page 25: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Definition of Computer Security

Theory of Situational Awareness

Cognitive Load Theory

Cognitive Task Analysis

Part 2: What are We Trying to Accomplish?

Page 27: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

(Computer) Security is…

Manunta (1999): Security is interaction of Asset (A), Protector (P) and Threat (T) in a given Situation (Si)

CIA Triad (Tipton et al. 2007): Confidentiality, Integrity, Availability

Bishop (2003): Only authorized actions can be executed by authorized users

Definitions…

Page 29: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Endsley (1995)

State of Knowledge: Elements, Situation, Future Projection

“Awareness Machine” unlikely

Focus instead on “awareness support technologies”

Theory of Situational Awareness

Page 30: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Endsley (1995)

Theory of Situational Awareness

Page 31: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Mapping of IDS Fusion tasks between JDL Model and Endsley SA Model. From Yang et al. (2009)

Higher Levels of Fusion = Situational Awareness

Page 32: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

INFERD

Level 2 Fusion Engine – Based on a priori knowledge from system experts – pattern matching attack methods and known vulnerabilities of the system

TANDI

Level 3 Fusion – Projection of future attacks based on knowledge of vulnerabilities of the system

(Yang et al. 2009)

Higher Levels of Fusion

Page 34: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Sweller et al. (1998)

Working Memory (limited capacity)

Long Term Memory (unlimited capacity, based on schemas to represent complex, related information)

Split Attention

Conflicting, Repetitive

Modality Effect

Cognitive Load Theory

Page 36: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Biros and Eppich (2001) – CTA of IDS Analysts in the USAF – 5 capabilities required

ID non-local addresses

ID source addresses

Develop mental image of “normal” behavior

Create and maintain SA

Knowledge sharing

Killcrece et al. (2003) – CTA of gov’t/military security specialists – 3 general categories

Reactive Work (majority of the work)

Proactive Work

Quality Management (training, etc.)

Cognitive Task Analysis

Page 37: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

D’Amico et al. (2007) – CTA of Network Security Professionals in the Department of Defense

Cognitive Task Analysis

Page 38: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Model Building – To understand the contributions of the algorithm builders

CTA – To understand the needs of the analyst

Visualization Recommendations – Based on the work above

Part 3: Where Do We Go From Here?

Page 39: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Current State of ID

History of ID

Alert Correlation and Data Fusion

Data fusion techniques

Visualization of underlying and fused data

Theoretical Basis for Understanding SA in the Cyber Security Domain

Definition of Computer Security

Theory of Situational Awareness

Cognitive Load Theory

Cognitive Task Analysis

Recommendations for Future Work

Model Building – To understand the contributions of the algorithm builders

CTA – To understand the needs of the analyst

Visualization Recommendations – Based on Needs and Cognitive Capabilities of Analysts

Conclusion

Page 40: The Roles of Intrusion Detection and Data Fusion in Cyber Security Situational Awareness

Discussion and Questions

Just in case you needed a prompt to ask questions … here it is