Gaining Big Picture Awareness through an Interconnected Cross-Layer Situation Knowledge Reference Model

In both military operations and the commercial world, cyber situation awareness (SA) is a key element of mission assurance. Because of the need for mission damage and impact assessment and for asset identification (and prioritization), cyber SA goes beyond intrusion detection and attack graph analysis. In this paper, we propose a cross-layer situation knowledge reference model (SKRM) to address the unique cyber SA needs of real-world missions. SKRM provides new insight into how to break the "stovepipes" created by isolated situation knowledge collectors and gain comprehensive, big-picture awareness. Through a concrete case study, we show that SKRM is the key enabler for two SA capabilities beyond intrusion detection and attack graph analysis. The potential and the current limitations of SKRM and SKRM-enabled analysis are also discussed.
