Tool Development for a Cyber SA System
Martin Q. Zhao
October 1, 2010

VFRP: when and where
- Applied for SFFP (Summer Faculty Fellowship Program), jointly sponsored by ASEE (American Society for Engineering Education) and AFRL
- Application submitted: December 2009
- Accepted (through VFRP): March 2010
- Thanks to Drs. Allen, Cozart and Digh for their help
- Worked at AFRL's Rome Research Site for 10 weeks (May 24 – July 30)
- Griffiss Business and Technology Park: http://www.griffissbusinesspark.com/

AFRL/RI: an overview
- US Air Force Research Laboratory Information Directorate in Rome, NY. AFRL/RI is the component responsible for command, control, communications, computers and intelligence (C4I) research and development.
- Core Technology Competencies (CTCs):
  -Information Exploitation
  -Information Fusion & Understanding
  -Information Management
  -Advanced Computing Architectures
  -Cyber Operations
  -Connectivity
  -Command and Control

Information Fusion
- Data fusion is a formal framework in which are expressed the means and tools for the alliance of data originating from different sources. Data fusion aims at obtaining information of greater quality; the exact definition of 'greater quality' will depend upon the application.
- In the context of military applications, it emphasizes collecting and processing raw data from various sensory sources and tracking and identifying activities of interest, so as to enable situation awareness (SA) for the decision maker to take appropriate actions.

Unified SA Model by Salerno et al. ['05]
- Dr. Endsley's model ['95]:
  -Perception
  -Comprehension
  -Projection
- Dr. Salerno also co-chaired a Social Computing conference three times
- JDL (Joint Directors of Laboratories) model ['91, revised '98]:
  Level 0: Source Preprocessing / Sub-object Refinement
  Level 1: Object Refinement
  Level 2: Situation Refinement
  Level 3: Impact Assessment
  Level 4: Process Refinement

Cyber SA: Virtual Terrain
The virtual terrain is a graphical representation of a computer network containing the information relevant for a security analysis of that network, including:
-Hosts & Subnets
-Routers, sensors & firewalls
-Physical & wireless links
-Services & exposures
-Users and accounts
-Mission & criticality scores

Sample Virtual Terrain
[Figure: network diagram of cs.mercer.edu behind its Internet link: a main switch, 2nd- and 3rd-floor switches, labs 100, 200, 204, 304 and 306, two faculty subnets, and the hosts Cobra, Raptor, Intruder, Eagle, Apache and Zeus, all on 168.15.x.x addresses]

Sample Mission Tree
[Figure: mission tree for cs.mercer.edu: mission -> Submission_1 … Submission_n -> App_1_1 … App_1_m -> Asset]

Cyber SA: Tracking Attack Events
IDS alerts:
(1) ICMP Ping NMAP (62.34.46.54 45.34.12.1)
(2) SCAN nmap fingerprint attempt (38.244.61.9 45.34.12.2)
(3) x86 mountd overflow (62.34.46.54 45.34.12.1)
(4) gobbles SSH overflow (62.34.46.54 45.34.12.1)
(5) SCAN cybercop os SFU12 probe (38.244.61.9 45.34.12.2)
(6) WEB-MISC windmail.exe access (38.244.61.9 45.34.12.2)
(7) ICMP Ping NMap (45.34.12.1 45.34.13.1)
(8) EXPLOIT RADIUS MSID overflow attempt (45.34.12.2 45.34.12.2)
(9) chown command attempt (62.34.46.54 45.34.12.1)
(10) MS-SQL:PROCEDURE-DUMP (45.34.12.2 45.34.12.2)

Cyber SA: Attack Method Categories

Cyber SA: Attack Guidance Template

SITA: Situation Identification & Threat Assessment

Summer Research: An Overview
- Title of the proposal: Knowledge Representation & Reasoning for Impact/Threat Assessment in Cyber Situation Awareness Systems
- Objective:
  -Enhancing the SITA system
  -Find ways to model domain knowledge
  -Develop a tool for VT creation/modification
- Collaborators: Dr. John Salerno, Mike Manno, Jimmy Swistak, Warren Geiler

Problems to Solve
•Tools need to be developed to feed SITA with data
•Amount of data is huge
  -A computer network can have hundreds of machines, thousands of software applications and user accounts
  -Known vulnerabilities are in the thousands, and the number is ever growing.
•XML files are used: they can contain redundant data
  -Harms efficiency
  -Hard to change anything, due to the well-known anomalies:
    oInsertion
    oDeletion
    oUpdate

Conceptual Data Model

Relational Data Model: VT
- S/W
- H/W
- Link & Policy
- Exposure

Relational Data Model: Mission

Relational Data Model: Exposure

Mission Map Editor: Requirements
• (Type of) User: SA Operator
• System Functions:
  -Access data in file/DB
  -Display a mission tree
  -Modify a mission tree
  -Save changes to file/DB
  -Create a mission tree
• Requirements modeling with a use-case diagram

Mission Map Editor: Tree creation
[Figure: screenshot of the tree-creation workflow with numbered steps: 1 File | New; 2 and 3 (presumably) Top mission and Add more; 4 Set criticality; 5 Assign assets; 6 File | Save]

Mission Map Editor: Architecture
[Figure: architecture diagram with the Mission Map Model and the VT Model, backed by XML files and a DB]

Mission Map Editor: Dynamics

Vulnerability Lookup: Overview
• What is a vulnerability?
• What is an exposure?
• How is it stored in NVD?
• What is CVE?
• What is CPE?
• How are they related to SITA?
- National Vulnerability Database (NVD) contains: CVE Vulnerabilities: 43054; CPE Names: 22181

Common Vulnerabilities and Exposures (CVE)
  <entry id="CVE-2010-0278">
    ……
    <cpe-lang:logical-test negate="false" operator="OR">
      <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_7"/>
      <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_vista"/>
    ……
  </entry>

Common Platform Enumeration (CPE)
  <cpe-item name="cpe:/o:microsoft:windows_7">
    <title xml:lang="en-US">Microsoft Windows 7</title>
    ……
  </cpe-item>

Vulnerability Lookup: Prototype
[Figure: prototype screenshot with labelled regions: 0 Load files; A CVSS Rating; B Apps affected; C Exposure]

Vulnerability Lookup: Ideal ways
[Figure: drill-down browser: Type (a: Application, h: Hardware, o: O/S) -> Vendor (Alcatel, Apple, IBM, Microsoft, ……) -> Product Line (MS-DOS, Windows, ……) -> Product (Windows 98, Windows 2000, Windows XP, Windows Vista, Windows 7, ……) -> CVE Entry; for cpe:/o:microsoft:windows_7 the listed entries are CVE-2010-0278, CVE-2010-0018, CVE-2010-0249, CVE-2010-0232, ……]

Future R&D
•MissionMapEditor: Thorough testing and refactoring
•VulnerabilityTracker:
  -Research the processes of checking/updating CVE and CPE data feeds
  -Design a layered system architecture
  -Design and implement a GUI that organizes products by category (such as OS, apps, HW), vendor, product family, version, etc.
•IDS (e.g. Snort) alert specifics and their mapping to CVE, as well as to SITA
•VT model generation using automatic scanning data
•Cyber situation visualization

Q&A

Fall Extension Updates – Vul'Tracker
The data feed file download and DB loading/update functions have been tested with
•CVE data feed files for
  -2010 (two versions, one from July [15 MB] and another from the December revision [39 MB]) and
  -2009 [34 MB]; and
•CPE file from July 2010 [6.8 MB].

Table 1 – Vendor Counts by Platform Types
Type            Vendor Count   S/W Count
a: Application       403         15,581
h: Hardware           75          1,944
o: OS                 38          4,621
Total                            22,146
Total Distinct Vendor Count: 432

Table 2 – Count of Vulnerable Software by Year
Year(s)                             2009      2010    2009~10
Count of Vulnerabilities           4,606     1,993      6,599
Count of Vul. Software             4,082     3,054      5,511
Count of CPE-CVE Mapping Entries  35,833    24,999     60,832
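The CVE and CPE slides show how NVD ties a vulnerability entry to the platforms it affects through cpe-lang:fact-ref names, and the "Ideal ways" slide sketches a type -> vendor -> product drill-down over that data. The following is an added example, not code from the presentation or from the Vul'Tracker project: it parses small constructed fragments shaped like the NVD 2.0 CVE feed and the CPE dictionary (the namespace URIs are the real NVD/MITRE ones; the fragments themselves are constructed, using only the CVE ids and CPE names shown on the slides), builds the CPE-to-CVE index, and answers the drill-down query.

```python
# Added example (not from the slides): CPE -> CVE index over NVD-style feeds.
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"vuln": "http://scap.nist.gov/schema/feed/vulnerability/2.0",
      "cpe-lang": "http://cpe.mitre.org/language/2.0",
      "cpe-dict": "http://cpe.mitre.org/dictionary/2.0"}

# Constructed samples shaped like the fragments quoted on the slides (not real feed data).
CVE_FEED = """<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
  xmlns:cpe-lang="http://cpe.mitre.org/language/2.0">
 <entry id="CVE-2010-0278"><vulnerable-configuration id="http://nvd.nist.gov/">
  <cpe-lang:logical-test negate="false" operator="OR">
   <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_7"/>
   <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_vista"/>
  </cpe-lang:logical-test></vulnerable-configuration></entry>
 <entry id="CVE-2010-0018"><vulnerable-configuration id="http://nvd.nist.gov/">
  <cpe-lang:logical-test negate="false" operator="OR">
   <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_7"/>
  </cpe-lang:logical-test></vulnerable-configuration></entry>
</nvd>"""
CPE_DICT = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
 <cpe-item name="cpe:/o:microsoft:windows_7"><title xml:lang="en-US">Microsoft Windows 7</title></cpe-item>
 <cpe-item name="cpe:/o:microsoft:windows_vista"><title xml:lang="en-US">Microsoft Windows Vista</title></cpe-item>
</cpe-list>"""

def parse_cpe(name):
    """Split 'cpe:/o:microsoft:windows_7' into (part, vendor, product, version); part is a/h/o."""
    fields = name[len("cpe:/"):].split(":") + [""] * 4
    return tuple(fields[:4])

def index_cve_feed(xml_text):
    """Map every CPE name referenced in a vulnerable-configuration to the set of CVE ids."""
    index = defaultdict(set)
    for entry in ET.fromstring(xml_text).findall("vuln:entry", NS):
        for ref in entry.iter("{%s}fact-ref" % NS["cpe-lang"]):
            index[ref.get("name")].add(entry.get("id"))
    return index

def load_cpe_titles(xml_text):
    """Map CPE name -> human-readable title from a CPE dictionary file."""
    root = ET.fromstring(xml_text)
    return {item.get("name"): item.find("cpe-dict:title", NS).text
            for item in root.findall("cpe-dict:cpe-item", NS)}

def lookup(index, part=None, vendor=None, product=None):
    """Drill down by platform type, vendor and product, as the 'Ideal ways' slide sketches."""
    want = (part, vendor, product)
    return {cpe: sorted(cves) for cpe, cves in index.items()
            if all(w in (None, got) for w, got in zip(want, parse_cpe(cpe)))}
```

Calling lookup(index_cve_feed(CVE_FEED), part="o", vendor="microsoft") returns the Windows 7 and Vista CPE names with their CVE lists; load_cpe_titles supplies the display names for the GUI tree.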