Theory and Models for Cyber Situation Awareness

In this chapter, we provide an overview of Cyber Situational Awareness, an emerging research area in the broad field of cyber security, and discuss, at least at a high level, how to gain Cyber Situation Awareness. Our discussion focuses on answering the following questions: What is Cyber Situation Awareness? Why is research needed? What are the current research objectives and inspiring scientific principles? Why should one take a multidisciplinary approach? How could one take an end-to-end holistic approach? What are the future research directions?

1 What Is Cyber Situation Awareness

Cyber operations, in the context of mission assurance and especially within large enterprises, give rise to the questions that are at the core of Cyber Situation Awareness (Cyber SA). Without loss of generality, situational awareness can be viewed as a three-phase process: situation perception, situation comprehension, and situation projection. Perception gains awareness of the status, attributes, and dynamics of the relevant elements within the enterprise networks. Comprehension of the situation encompasses how analysts combine, correlate, and interpret that information. Projection of the situation into the near future encompasses the ability to make predictions based on the knowledge acquired through perception and comprehension.

Figure 1 shows a simplified illustration of cyber operations in a large enterprise. Essentially, cyber operations are centered on answering four key questions whenever an adversary launches a cyber-attack:

• What has happened to the networked enterprise information systems (“enterprise networks” for short)?
• What is the impact?
• Why did it happen?
• What should we do?

© Springer International Publishing AG 2017. P. Liu et al. (Eds.): Cyber Situation Awareness, LNCS 10030, pp. 3–25, 2017. DOI: 10.1007/978-3-319-61152-5_1
In our view, the first three questions form the “core” of Cyber SA, and Cyber SA serves as a key enabler for answering the last question, “What should we do?”. In other words, Cyber SA is geared towards gaining awareness of what has happened (what the adversary has done), the impact of the cyber-attacks, and how the current situation came about. Here, the impact includes at least two aspects: damage assessment and mission impact analysis. Regarding why the current situation is what it is, the security analysts should identify the exploited vulnerabilities; in many cases, these include both known and unknown vulnerabilities associated with the enterprise networks.

From the perspective of “data to decisions,” Cyber SA can be viewed as a particular data triaging system. As illustrated in Fig. 2, the output of any sensor shown in Fig. 1 can be viewed as a data source. Because there is a large variety of sensors, there are many kinds of data sources. Here, we roughly classify the data sources as follows:

• Class A: in-band data
  – A1: static data. In this class, the data are seldom updated. For example, network topology, naming data, routing tables, vulnerability scan data (e.g., NESSUS reports), attack graphs, and certain host configurations belong to this class.
  – A2: dynamic data. In this class, the data are either data streams or dynamically updated data. Each data item is explicitly or implicitly associated with a timestamp. The timestamps clearly show the stateful nature of Cyber SA.
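As an added illustration (not code from the chapter) of the three-phase process and the A1/A2 data classes described above, the following Python sketch treats Cyber SA as a data triaging pipeline: static topology, scan and mission data (class A1) are correlated with timestamped alerts (class A2) across the perception, comprehension and projection phases. All host names, vulnerability ids, mission names and alert lines are constructed samples.

```python
from datetime import datetime

# Class A1 static data (constructed sample, not from the chapter): service dependency
# edges, Nessus-style scan results with hypothetical vuln ids, and mission-to-asset mapping.
TOPOLOGY = {"web01": ["app01"], "app01": ["db01"], "db01": []}
VULN_SCAN = {"web01": {"vuln-web-1"}, "db01": {"vuln-db-1"}}
MISSION_ASSETS = {"order-processing": {"web01", "app01", "db01"}, "reporting": {"db01"}}

# Class A2 dynamic data: timestamped IDS alerts (constructed sample lines), one per
# line as "<ISO timestamp> <host> <alert type> <vuln id or ->".
ALERTS = [
    "2017-01-05T10:02:30 app01 port_scan -",
    "2017-01-05T10:00:00 web01 exploit_attempt vuln-web-1",
    "2017-01-05T10:03:10 db01 exploit_attempt vuln-unknown-9",
]

def perceive(alert_lines):
    """Perception: parse raw sensor output into structured events ordered by timestamp."""
    events = []
    for line in alert_lines:
        ts, host, kind, vuln = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "vuln": vuln})
    return sorted(events, key=lambda e: e["ts"])

def comprehend(events):
    """Comprehension: correlate dynamic events with static scan data. An exploit attempt against
    a scan-confirmed vulnerability counts as a likely compromise; unexplained attempts are flagged."""
    compromised, unexplained = {}, []
    for ev in (e for e in events if e["kind"] == "exploit_attempt"):
        if ev["vuln"] in VULN_SCAN.get(ev["host"], set()):
            compromised[ev["host"]] = ev["ts"]
        else:
            unexplained.append(ev["host"])  # may indicate an unknown vulnerability
    return compromised, unexplained

def project(compromised):
    """Projection: follow dependency edges from compromised hosts to estimate which hosts
    and missions are at risk next (damage assessment and mission impact analysis)."""
    at_risk, frontier = set(compromised), list(compromised)
    while frontier:
        for nxt in TOPOLOGY.get(frontier.pop(), []):
            if nxt not in at_risk:
                at_risk.add(nxt)
                frontier.append(nxt)
    return at_risk, {m for m, assets in MISSION_ASSETS.items() if assets & at_risk}

def triage(alert_lines=ALERTS):
    # Run the three phases end to end and return the resulting situation picture.
    compromised, unexplained = comprehend(perceive(alert_lines))
    hosts, missions = project(compromised)
    return {"compromised": compromised, "unexplained": unexplained, "hosts_at_risk": hosts, "missions_at_risk": missions}
```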
