UNCLASSIFIED / APPROVED FOR PUBLIC RELEASE
From Muddle to Model: Modeling and Simulation of Cyber Phenomena
Alexander Kott, US Army Research Laboratory, February 2016
The Nation’s Premier Laboratory for Land Forces
Characteristic Problems in Cyber Science and Engineering
The science and engineering of (cyber)security is a study and optimization of relations between policy, attacker, and defender.
Policy P: a set of assertions about what events should and should not happen. To simplify, focus on incidents I: events that should not happen.
Defender D: a model / description of the defender’s defensive tools and techniques Td, and operational assets, networks and systems Nd.
Attacker A: a model / description of the attacker’s tools and techniques Ta.
Characteristic Problems and Models of Cyber
Then, we seek models of relations between I, Td, Nd, Ta:
(I, Td, Nd, Ta) = 0
Note: The above does not mean I expect to see a fundamental equation of this form. It is merely a shorthand for models that relate I, Td, Nd, Ta.
Similar perspective in:
• Schneider, F. B., “Blueprint for a Science of Cybersecurity,” The Next Wave, Vol. 19, No. 2, 2012
• Bau, J., and Mitchell, J. C., “Security Modeling and Analysis,” IEEE Security & Privacy, May/June 2011
Intrusion Detection
Nd, Ta, I → Td: synthesis & characterization of tools & techniques for incident detection & prevention
Including:
• Synthesis of IDS & IPS
• Techniques of intrusion analysis & defense
Cyber Maneuver
• If Td = {STd, BTd(t)}, where BTd(t) is the defender’s behavior & actions,
• Then Nd, Ta, I → BTd(t) is the problem of synthesis & control of the defender’s course of action
• Including:
  – Network operations
  – Damage control
  – Cyber maneuver
  – Moving target defense
Vulnerability & Risk Assessment
• I, Td, Ta → Nd: synthesis, design & assessment of networks
• Including:
  – Design of “trusted” architectures & systems
  – Continuous monitoring, risk scoring, certification, etc.
Attack Prediction
• Td, Nd, Ta → I: anticipation of incidents (their nature, timing, etc.)
• Including:
  – Assessment of risks
  – Compromise probability
  – Propagation & extent of damage
Threat Analysis
• I, Td, Nd → Ta: anticipation or reverse engineering of the attacker’s tools & techniques
• Including:
  – Threat analysis
  – Malware analysis
  – Reverse engineering
  – Fuzzing, etc.
Cyber Wargaming
• Td(t), Nd → Ta(t): adversarial analysis, wargaming, anticipation of threat actions
• Including:
  – Course of action development
  – Effect estimation
  – Threat analysis
Summary of the Cyber Problems/Models Landscape
• Td, Ta, I → Nd – synthesis & assessments of networks
  – Td, Ta, I → SNd(t) – synthesis & characterization of the network’s structure
  – Td, Ta, I → BNd(t) – synthesis or anticipation of network behavior
• Td, Nd, Ta → I – anticipation of incidents
• Nd, Ta, I → Td – synthesis of detection & prevention tools & techniques
  – Nd, Ta, I → BTd(t) – synthesis & control of the defender’s course of action
  – Nd, Ta, I → STd(t) – synthesis of defensive tools, algorithms
• Td, Nd, I → Ta – anticipation of the attacker’s tools & techniques
  – Td, Nd, I → BTa(t) – adversarial analysis, wargaming, anticipation of threat actions
Human User Vulnerability to Cyber Attacks: Effect of Psychological and Cognitive Aspects
J.H. Cho, H. Cam, and A. Oltramari, “Effect of Personality Traits on Trust and Risk to Phishing Vulnerability: Modeling and Analysis,” accepted to IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA’2016), 21-25 March 2016, San Diego, USA
Personality Traits vs. Phishing Susceptibility
Motivation: Empirical experiments have shown that an individual’s personality traits affect phishing vulnerability.
Research Question: Can we predict an individual’s phishing susceptibility, given his/her personality traits?
Goal: Develop a mathematical model to predict an individual’s phishing susceptibility in terms of perceived trust and risk and decision performance.
Contributions:
• Investigated the correlations between phishing susceptibility and personality traits
• Developed a mathematical model using Stochastic Petri Nets to predict an individual’s vulnerability and resilience to phishing attacks
• Demonstrated experimental results on the effect of an individual’s personality traits on perceived trust and risk and decision performance under phishing attacks
Cho, Oltramari (CMU), Cam (NSD/ARL) – accepted to CogSIMA16
Big Five Personality Traits
Are there any relationships between personality traits and phishing susceptibility?
• Openness: Fantasy, Aesthetics, Feelings, Actions, Ideas, Values
• Conscientiousness: Competence, Order, Dutifulness, Achievement Striving, Self-Discipline, Deliberation
• Extroversion: Warmth, Gregariousness, Assertiveness, Activity, Excitement Seeking, Positive Emotion
• Agreeableness: Trust, Straightforwardness, Altruism, Compliance, Modesty, Tender-mindedness
• Neuroticism: Anxiety, Hostility, Depression, Self-Consciousness, Impulsiveness, Vulnerability to Stress
Source: http://psytreasure.com/the-big-5-theory-of-personality-the-o-c-e-a-n-of-human-behavior/#
Personality Traits vs. Phishing Susceptibility
Humans’ trust and risk assessments are subjective in nature as they depend on personality traits (Loewenstein et al., 2001; Chauvin et al., 2007; Ulleberg et al., 2003; Tupes et al., 1992)
• Openness: lower perceived risk
• Neuroticism: higher perceived risk
• Agreeableness: lower perceived risk; more trust
Personality Traits vs. Phishing Susceptibility
(Figure: Trust, Risk, and Accuracy for C vs. N under Low O & C)
• N increases perceived risk while decreasing perceived trust
• However, high C can overcome the disadvantage of high N
Detection of Malicious Activities: Simulation of Learning and Decisions by a Cyber Analyst
Ben-Asher, N., Oltramari, A, Erbacher, R.F., and Gonzalez, C. (2015). Ontology-based Adaptive Systems of Cyber Defense. The 10th International Conference on Semantic Technology for Intelligence, Defense, and Security (STIDS). Fairfax, VA, USA
Cognitive Modeling and Simulation in Cyber Security
Goal:
– Understand the decision making processes of cyber defenders and attackers and predict their decisions
Benefits:
– Improve training of cyber defenders, develop cognitive-driven decision support tools
– Long-term, automate tasks performed by defenders (and attackers?)
Methodology:
– Cognitive models providing a computational framework for capturing core elements of humans’ decision making processes and learning from experience in dynamic environments
Modeling Detection of Adversarial Reconnaissance
Understand and model the critical components for port scanning detection. The defender model includes:
– An Instance-Based Learning model that captures decision making and learning from experience in dynamic environments
– A Packet-Centric ontology, developed and used to represent the defender’s information representation
(Figure: the human holistic cycle alongside the modeled decision making process)
Simulation Experiment
2 cognitive agents (defenders) with the same cognitive mechanisms that differed only in their situation awareness (i.e., availability of information):
– The Experience Only agent assesses one event at a time
– The Information and Experience agent observes the temporal properties of a sequence of packets by querying the packet-centric ontology
An attacker executes a vertical port scan using nmap in a network with 16 nodes (i.e., unique IP addresses). The agents’ rewards were based on a payoff matrix.
Scan Detection Results
Correct detection of scanning sequence: the proportion of conversations between two IPs that were correctly classified as scans, answering the question “Does IP X scan IP Y?”
(Figure: detection results for the Information and Experience agent and the Experience Only agent)
• Hits – Both the Experience Only and the Information and Experience agents detected the malicious IP (192.168.1.8)
• False Alarms – The Experience Only agent flagged an additional 10% of the IPs as malicious
UNCLASSIFIED / APPROVED FOR PUBLIC RELEASE
Extracted Decision Rules
What did the agent learn? By looking at the instances in the agent’s memory and their activation, we can deduce the classification rules each model formed.
Experience Only agent:
– Any TCP SYN packet is a scan packet
Information and Experience agent:
– A TCP packet that is part of a sequence of packets in which:
  • The packets come from a source that uses a small number of ports
  • The packets are directed to a large number of destination ports
  • The ratio between SYN packets and other packets is close to 1
  • The common response of the destination to packets coming from this source is an ACK-SYN packet (ratio between ACK-SYN packets and other packets ~ 1)
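To make the two learned rule sets concrete, here is an added example (my code, not the authors' agent model or anything from the STIDS paper): it applies both rules to a constructed set of packet records and reproduces the hit/false-alarm difference on a toy conversation set. The Packet record, the rule functions and the numeric thresholds are assumptions; the slide gives rules, not thresholds.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP packet, reduced to the fields the learned rules look at (constructed records)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN+ACK (the slide's "ACK-SYN"), "A" = ACK, "PA" = PSH+ACK


def conversation_features(packets, src, dst):
    """Features of the src -> dst conversation that the Information and Experience rule tests."""
    sent = [p for p in packets if p.src == src and p.dst == dst]
    replies = [p for p in packets if p.src == dst and p.dst == src]
    if not sent:
        return None
    return {
        "n_src_ports": len({p.sport for p in sent}),
        "n_dst_ports": len({p.dport for p in sent}),
        "syn_ratio": sum(p.flags == "S" for p in sent) / len(sent),
        "synack_ratio": sum(p.flags == "SA" for p in replies) / len(replies) if replies else 0.0,
    }


def experience_only_rule(packets, src, dst):
    """Experience Only agent: any TCP SYN packet from src to dst makes the conversation a scan."""
    return any(p.src == src and p.dst == dst and p.flags == "S" for p in packets)


def info_and_experience_rule(packets, src, dst, max_src_ports=2, min_dst_ports=8, tol=0.2):
    """Information and Experience agent: the four sequence-level conditions from the slide.
    The thresholds (max_src_ports, min_dst_ports, tol) are assumptions; the slide gives none."""
    f = conversation_features(packets, src, dst)
    if f is None:
        return False
    return (f["n_src_ports"] <= max_src_ports          # source uses a small number of ports
            and f["n_dst_ports"] >= min_dst_ports      # directed to a large number of destination ports
            and abs(f["syn_ratio"] - 1.0) <= tol       # SYN : other packets ~ 1
            and abs(f["synack_ratio"] - 1.0) <= tol)   # destination mostly answers with SYN+ACK


def classify_conversations(packets):
    """Answer 'Does IP X scan IP Y?' for every directed pair under both rules.
    Returns {(src, dst): (experience_only_verdict, info_and_experience_verdict)}."""
    pairs = {(p.src, p.dst) for p in packets}
    return {(s, d): (experience_only_rule(packets, s, d), info_and_experience_rule(packets, s, d))
            for (s, d) in sorted(pairs)}


def constructed_traffic():
    """Constructed sample: a vertical scan from 192.168.1.8 (the slide's malicious IP) and a benign
    HTTPS client, both talking to the same host. The other addresses and all ports are made up."""
    scanner, target, client = "192.168.1.8", "192.168.1.20", "192.168.1.5"
    pkts = []
    # Vertical scan: one source port, one SYN per destination port, each answered with SYN+ACK
    for port in range(1, 21):
        pkts.append(Packet(scanner, 40001, target, port, "S"))
        pkts.append(Packet(target, port, scanner, 40001, "SA"))
    # Benign client: three HTTPS sessions from different ephemeral ports, handshake then data
    for sport in (51000, 51001, 51002):
        pkts.append(Packet(client, sport, target, 443, "S"))
        pkts.append(Packet(target, 443, client, sport, "SA"))
        pkts.append(Packet(client, sport, target, 443, "A"))
        for _ in range(4):
            pkts.append(Packet(client, sport, target, 443, "PA"))
            pkts.append(Packet(target, 443, client, sport, "PA"))
    return pkts


if __name__ == "__main__":
    for pair, (exp_only, info_exp) in classify_conversations(constructed_traffic()).items():
        print(f"{pair[0]} -> {pair[1]}: Experience Only={exp_only}, Information and Experience={info_exp}")
```

The benign client's handshake SYNs trip the Experience Only rule (the false alarm the slide reports), while the sequence-level rule flags only the scanner.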
Situational Awareness in Tactical Ground Battle: Simulation of Cyber Effects for Training
H. Marshall et al., Cyber Operations Battlefield Web Services (COBWebS); Concept for a Tactical Cyber Warfare Effect Training Prototype, Fall SIW 2015, Orlando, FL, 2015 Best Paper Award
Prototype Design
COBWebS: Cyber Operations Battlefield Web Service
Definition of cob-web: 1 a: the network spread by a spider; b: tangles of the silken threads of a spiderweb usually covered with accumulated dirt and dust; 2: something that entangles, obscures, or confuses
"Cobweb." Merriam-Webster.com. Merriam-Webster, n.d. Web. 27 May 2014.
Design Overview
(Figure: design overview diagram. Mission command systems FBCB2, AFATDS, DCGS-A and AMDWS connect over the tactical network (JVMF, TADILJ, USMTF, FDL, etc.) to the Mission Command Adapter web service; COBWebS and the Computer Network Attack (CNA) web services exchange SOAP messages with simulation clients over the simulation network (DIS, HLA, etc.). Legend: c = web service client side, s = web service server side. Note: URNs are fictional.)
Gap criteria checklist:
• Remote mission command of multiple cyber offensive and defensive platforms
• Modeling and execution of offensive and defensive cyber activities providing force multiplier effects
• Virtualization of offensive/threat and defensive networks
• Offensive and defensive cyber tools developed as software services available in secure cloud environments
The Computer Network Attack Service provides the capability for “Spyders” to get into the COBWebS and attack inbound and outbound data to and from the mission command devices. The types of attack capabilities are:
• Directed Denial of Service
• Information Delay
• Information Forgery
• Information Interception
COBWebS Capabilities
• Provide the ability for trainers to incorporate cyber warfare elements into their exercises to meet training objectives
  – Train the trainees to recognize symptoms of cyber attacks
  – Develop contingencies, based on what has been compromised
  – Develop workarounds
  – Alternative Courses of Action (COAs)
  – Help develop cyber doctrine based on detecting, responding, and recovering from a cyber attack
• Provides an Information Assurance (IA) safe environment without corrupting the network infrastructure
  – Typical in cyber range exercises
  – Can be integrated with cyber test ranges
• Software solution only – no special hardware required
Potential Use Case Examples
Change all Opposing Force (OPFOR) observation reports to Blue Force (BLUFOR) position reports:
1. Intercept all entity position reports and observation reports (via II)
2. Deny original position reports from sender (via DoS)
3. Use the location information to generate observation reports (via IF)
4. Deny original observation reports from sender (via DoS)
5. Use the observed location information to generate position reports (via IF)
Postponement of critical information:
1. Intercept to identify target units (via II)
2. Delay observation reports on receiving target (via ID)
Potential Use Case Examples (cont’d)
Man-in-the-middle attack:
1. Discovery, searching, probing for vulnerabilities (via II)
2. Denial of Service on sender (via DoS)
3. Send fake message to specified receiver on original sender’s behalf (via IF)
Use IF to send a Nuclear/Biological/Chemical (NBC) report to move to Mission Oriented Protective Posture (MOPP) level 4:
1. Discovery, searching, probing for vulnerabilities (via II)
2. Send fake NBC report (via IF)
Potential Use Case Examples (cont’d)
Using COBWebS’s II, DoS, ID, and IF capabilities to deceive and disrupt BLUFOR’s SA as reflected on their Mission Command (MC) systems.
(Figure: left, “Ground Truth simulated by Constructive Simulation”; right, “Perceived Truth as seen on MC systems as a result of cyber attacks”, with callouts “BLUFOR killed”, “Observation Reports (ObsRpts) sent by BLUFOR were denied thus not reflected” and “Forged BLUFOR locations”. Note: units and graphics are fictional.)
Cyber Expertise
• Development of a Distributed Cyber Operations Modeling and Simulation Framework
• Development of a Cyber Warfare Training Prototype for Current Simulations – won SIWzie Award at 2012 Fall SIW!
• Cyber Operations Battlefield Web Services (COBWebS); Concept for a Tactical Cyber Warfare Training Prototype – won Outstanding Paper Award at 2014 & 2015 Fall SIW!
SIW = Simulation Interoperability Workshop
Tactical Communication Network: Effects of Cyber Maneuvers, Mission and Environment on the Survival of Network
Marvel, L. M., Brown, S., Neamtiu, I., Harang, R., Harman, D., & Henz, B. (2015, October). A framework to evaluate cyber agility. In Military Communications Conference, MILCOM 2015-2015 IEEE (pp. 31-36). IEEE.
Goal
Develop a framework to help evaluate the cost and utility of cyber agility maneuvers within networks that have constrained resources such as bandwidth and energy (e.g., MANETs).
– Introduce notional measures of health, security and capability and their interrelationship
– Consider mission goals (e.g., maximizing capability while securing a critical path), operating conditions, cost and maneuver selection to construct evaluation metrics
Framework Preliminaries
(Table: Node States and Notional Measures for Potential Agility Maneuvers, including the node state “Patched”)
Consider the Mission …
Primary Mission Goal: Secure a critical communication path through a network for some time duration to transfer vital information.
Secondary Mission Goal: Secure the entire network in minimal time while maximizing the capability of network nodes and minimizing energy consumption.
While we are securing this critical path/network, we have the option of selecting agility maneuvers that will maximize the capability of nodes on the critical path while minimizing the energy consumption expended to perform the maneuvers in a resource constrained environment.
Applying the Framework: we consider two operating scenarios.
Scenario 1: In the presence of a known vulnerability for which a patch is present within the network
Scenario 2: In the presence of a detected infection that propagates through the network exploiting a known vulnerability for which a patch exists and is present within the network
Scenario 2: Health
There are 505 possible maneuver sequence selections in the set; P(infection) = 0.8 for each communication exchange with the infected node.
(Figure: Best Health Heatmap (Scenario 2: Infection). Comparison of all maneuver sequences: satisfying first primary then secondary mission goals)
Scenario 2: Capability
(Figure: Best Capability Heatmap (Scenario 2: Infection). Comparison of all maneuver sequences: satisfying first primary then secondary mission goals and prioritizing capability)
Scenario 2: Security
(Figure: Best Security Heatmap (Scenario 2: Infection). Comparison of all maneuver sequences: satisfying first primary then secondary mission goals and prioritizing security)
Conclusions/Future Work
• Evaluation framework that can provide metric comparisons for future agility maneuvers and operating scenarios
• Simulations can help to calculate costs in a dynamic network environment where terrain, communication links, communication volume, energy constraints and routing protocols can be varied
Future:
– Consider multiple vulnerabilities and infections of varying severity
– Vary propagation rates
– Competing mission goals
– Add node mobility scenarios
– Replacement of the notional measures of health, security and capability with quantifiable metrics
Simulated Network and Real Applications: Simulation of Stealthy Software Migration and its Detection
http://www.appcomsci.com/research/tools/cybervan
CyberVAN Concept: Run Real Applications over a Simulated Network
• The network is represented in a Discrete Event Simulator (DES) such as ns3, OPNET, QualNet, or ns-2
• Applications run on virtual machines (VMs) in their native environments
• Each VM is mapped to a node in the simulated network
• Applications on VMs communicate with each other over the simulated network
(Figure: CyberVAN testbed – virtual machines running applications, each mapped to a simulated node of the simulated network)
Why use a simulated network?
Several existing testbeds provide large-scale, real-time, wired network emulation for cyber experimentation, e.g., DETER
– These testbeds make use of wired networks emulating large-scale cyber environments
– Drawback: No ability to model wireless networking environments with any level of fidelity
In contrast, a simulated network provides:
– Very high fidelity reproduction of network effects like propagation, interference, loss
– Node mobility
– High fidelity simulation of MAC layer and network layer protocols
– Ability to leverage existing simulation models of wireless networks, e.g., JTN models of JTRS waveforms
The use of a simulated network in a cyber testbed enables high fidelity representation of tactical networks – a critical need for the Army
CyberVAN Key Innovations
• Transparent Packet Forwarding – Send network traffic generated by real applications over a simulated network in a manner transparent to the applications
  – Currently, simulators like OPNET and QualNet provide custom solutions for this, requiring use of OPNET/QualNet-specific APIs to enable such a capability; the CyberVAN capability is generic and independent of simulator type
• TimeSync: Network Scalability – Developed capability to synchronize time across the simulated network and applications running outside of the simulation to enable very large scale experiments
  – Can run experiments slower or faster than real time
Problem Statement
Motivation:
– Migrating VMs from one physical machine to another is a frequently performed operation in data centers, for many reasons such as moving target defense, load balancing, hardware upgrades, performance optimization, etc.
– Virtually all attacks on live VM migration over a network require that the attacker be able to detect that a VM migration is in progress
Problem addressed: Secure VM migration against traffic analysis attacks
– High-level approach: Develop several camouflaging techniques to make a VM migration flow indistinguishable from normal traffic, by changing its distinct traffic pattern and statistical characteristics
VM migration is typically easily detectable
Traffic analysis can:
– Detect >90% of VM migrations on the network
– Determine migration duration
– Determine migration endpoints
– Calculate migration transmission rate and migrated memory
• Encryption and tunneling do not prevent traffic analysis from detecting VM migrations with high accuracy
Solution: Stealthy Migration System
• Shape network traffic using a dynamic hierarchy token bucket
• Introduce chaffing traffic that balances migration and chaffing traffic
• Dynamically vary the migration rate in a pseudo-random way within normal statistical traffic bounds to camouflage migration traffic
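An added toy simulation of the three ideas on this slide (example code, not CyberVAN's or the stealthy migration system's): a per-slot rate budget stands in for the hierarchy token bucket, chaff balances each slot so the wire rate equals the budget, and the migration's share of the budget is varied pseudo-randomly inside the baseline's mean +/- stdev. The baseline series, the z-score detector used as a stand-in for traffic analysis, and all rates are assumptions.

```python
import random
import statistics


def baseline_profile(n_slots, mean_kbps, stdev_kbps, seed):
    """Constructed 'normal' per-second link rates (kbit/s); stands in for measured background traffic."""
    rng = random.Random(seed)
    return [max(0.0, rng.gauss(mean_kbps, stdev_kbps)) for _ in range(n_slots)]


def naive_migration_rates(total_kbit, link_kbps, n_slots):
    """Unshaped migration: push memory pages at link speed, then go silent. One-second slots, so the
    per-slot volume equals the rate. This burst-then-silence shape is what traffic analysis keys on."""
    rates, remaining = [], float(total_kbit)
    for _ in range(n_slots):
        sent = min(remaining, link_kbps)
        rates.append(sent)
        remaining -= sent
    return rates


def shaped_migration(total_kbit, baseline, seed, share_bounds=(0.3, 0.7)):
    """Camouflaged migration. Per slot: draw a target link rate pseudo-randomly inside the baseline's
    mean +/- stdev, give the migration a pseudo-random share of it and fill the rest with chaff, so the
    rate seen on the wire (migration + chaff) stays inside normal bounds. The per-slot budget is an
    assumed stand-in for the slide's hierarchy token bucket. Returns (observed, migration, chaff)."""
    rng = random.Random(seed)
    mu, sd = statistics.mean(baseline), statistics.stdev(baseline)
    observed, migration, chaff = [], [], []
    remaining = float(total_kbit)
    while remaining > 0:
        target = rng.uniform(mu - sd, mu + sd)   # this slot's wire rate, inside normal bounds
        share = rng.uniform(*share_bounds)        # fraction of the slot carrying real migration data
        sent = min(remaining, target * share)
        observed.append(target)
        migration.append(sent)
        chaff.append(target - sent)               # chaff balances the slot up to the target rate
        remaining -= sent
    return observed, migration, chaff


def looks_like_migration(series, baseline, z=3.0):
    """Stand-in traffic-analysis detector: flags a series with any slot more than z stdevs above the
    baseline mean. A real detector is richer; this one is enough to show the contrast."""
    mu, sd = statistics.mean(baseline), statistics.stdev(baseline)
    return any(rate > mu + z * sd for rate in series)


def demo(total_kbit=50_000.0, link_kbps=10_000.0):
    """Compare an unshaped and a shaped migration of the same volume against the same baseline."""
    base = baseline_profile(300, mean_kbps=2_000.0, stdev_kbps=300.0, seed=1)
    naive = naive_migration_rates(total_kbit, link_kbps, n_slots=20)
    observed, migration, _ = shaped_migration(total_kbit, base, seed=2)
    return {
        "naive_detected": looks_like_migration(naive, base),
        "shaped_detected": looks_like_migration(observed, base),
        "naive_slots": sum(1 for r in naive if r > 0),   # seconds the unshaped transfer was active
        "shaped_slots": len(migration),                  # seconds the shaped transfer took
    }


if __name__ == "__main__":
    print(demo())
```

The shaped transfer takes many more slots than the unshaped one; that longer migration time is the price of staying inside the baseline's bounds.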
Experimentation Approach
Use CyberVAN scenario to run high fidelity experiments:
– Run baseline scenario without evasive maneuvers
– Run scenario with evasive maneuver and traffic conditioning
– Experiment with libvirt-based migration and native migration
– Experiment with different network speeds & latencies, different background traffic
– Collect and analyze data at attacker and migration destination
– Determine whether attacker can detect VM migration
Use of TimeSync:
– Needed to simulate large volumes of traffic with very high fidelity, resulting in DES running slower than real time
RESULTS: Stealth System makes VM migration undetectable
Enterprise-Wide Model: Effect of Cyber Attacks on Enterprise Control
S. Noel, J. Ludwig, P. Jain, D. Johnson, R. Thomas, J. McFarland, B. King, S. Webster and B. Tello, "Analyzing Mission Impacts of Cyber Actions," in Proceedings of the NATO IST-128 Workshop on Cyber Attack Detection, Forensics and Attribution for Assessment of Mission Impact, Istanbul, 2015.
Example 1: Model-Driven Mission Impact Assessment
Analyzing Mission Impacts of Cyber Actions (AMICA)
• Mission is the Joint Targeting Process
• MITRE, MIT-LL, IDA, CMU SEI
Questions it can answer:
• How long of an attack can the mission withstand without impact?
• How long does it take the mission to recover from an attack?
• What is more damaging to the mission: loss of reach-back availability or degradation of Air & Space Operations Center (AOC) system assets?
• How many targets can be impacted by confidentiality/integrity attacks before impacting the mission?
AMICA Connects Kinetic Mission to Cyber Actions
(Figure: AMICA block diagram. Inputs: Mission Scenario, Cyber Scenario, Attacker Cap’s, Defender Cap’s. Outputs: Mission Metrics, Visualization, Events Logs.)
Adapted by permission from the paper by S. Noel et al., “Analyzing Mission Impacts of Cyber Actions,” presented at the NATO IST-128 Workshop on Assessment of Mission Impact, Istanbul, Turkey, June 15-17 2015
Extensible M&S Libraries to Quickly Create the Needed Analysis Environment
(Figure: Library of Mission Models (covering multiple missions: Targeting, BMD, etc.), Library of Infrastructure Models, Library of Defender Models (workflows), Library of Attacker Models (attack graphs))
• Developing parameterized libraries of models
• Each piece of AMICA is designed to be modular and extensible to support future mission areas, cyber dependencies, attack patterns, defenses
• Well defined interfaces
Mission Model
Process model capturing workflow, timing, and resources for the DoD kinetic targeting process (from CJCSI 3370.01)
Originally developed for EUCOM as part of Austere Challenge 10 & selected due to pedigree and maturity
– 200+ steps with timing & resources (dependent on target complexity)
– Covers targeting process from basic targeting development through MAAP/ATO & BDA
Modified for AMICA by breaking into modules and connecting to CyCS nodes
Attacker Model
Modeled as a process simulation that captures the steps the attacker follows
– Assumes attacker has some knowledge of mission and access on secure network
– Responsive to defense actions
– Adjust sophistication through probability of success/detection on attack steps
Conceptually follows ‘Cyber:14’ threat models
– Cyber:14 study (ARCYBER, defense of Dept. of Defense Information Network (DODIN))
– Contains 1000s of nodes (mainly system-steps) of integrated attacker and defender/sensor actions for server-, host-, and email-based attacks
(Figure: attacker process flowchart with phases Initial Foothold, Lateral Movement and Achieve Goal. Steps include Get Spear Phishing Targets (Between(1,3)d), Choose & Infect Target, Perform Network Scan, Compromise Goal Node, Wait for desired time to affect Mission, Perform Attack (ConfidentialityAttack, IntegrityAttack or AvailabilityAttack, 0m), Affect Mission and Periodically check for detection; decision nodes are Targets Available?, Target Infected?, Goal Node Reachable?, Goal Node Compromised?, Goal Node Still Compromised?, Attack Successful? and Mission Still affected?; other step durations are Between(15,45)m and Between(30,90)m, with time gates of AttackTime hours, 2 hours and 30 minutes; interface calls are getTargets(), getNextTarget(), launchAttack(), isInfected(), isReachable(), CyCS-createTicket() and CyCS() status checks.)
Initial Foothold
- Initial access via spear phishing campaign
- Includes time for research to find targets
Lateral Movement
- Scan network for goal node (e.g. database) reachability
- Infect laterally until target node is reachable
Achieve Goal
- Realize an effect on confidentiality, integrity, or availability on goal node
- Maintain presence and re-infect as necessary
UNCLASSIFIED / APPROVED FOR PUBLIC RELEASE
Defender Model
Process simulation of reactive (not proactive) defender actions; multi-tiered incident response model
– Defender can impact the mission (by alerts, taking down machines)
– Includes defender resource/personnel constraints
Conceptually follows the ‘Cyber:14’ defense models
[Flowchart: defender process simulation. Nodes: Start Defender; Get Next Alert (getNextAlert()); No alert present → Wait to Issue Alert (getWait()), Issue Alert; Alert Type? (AvailabilityAlert, InfectedAlert, IntegrityAlert, ConfidentialityAlert, ForensicAlert, WipeAlert, None); Restore Functionality (restoreHost()); Take offline (takeHostOffline()); Wipe and Restore (wipeHost()); Put online (putHostOnline()); Malicious Activity Discovered? (malwareDetected()); Trace Attack Source (getInfectionSource()); Get Signature; Find other infections (getAllInfected()); Targets Available?; Issue New Alert(s) (submitAlert()); Release Resource; Create Alert / Submit Alert; ticket interface CyCS-createTicket() / CyCS-deleteTicket(). Step durations: 0m, 5m, Between(1,3)h, Between(2,6)h, Between(3,9)h.]

Triage
- Defender response triggered by IT alert
- IT alerts prioritized by expected impact

Reboot, Restore, Rebuild
- Mitigation based on alert type (crash, infection, corruption)
- More aggressive responses may impose greater mission impact

Forensics
- For more serious threats
- Trace attack to source, build signatures
- Submit new alerts for all compromised machines
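The attacker and defender process models above are described only as flowcharts. The following is an added toy discrete-event simulation of that loop, written for this page and not AMICA code: the step names and Between(lo,hi) durations (in minutes) follow the two flowcharts; the hop count to the goal node, the per-step success and detection probabilities, and the defender's response window are constructed knobs standing in for the slide's "sophistication" settings and Between(1,3)h wipe/restore. It shows how the defender's detection rate and response time translate into a probability that the mission is affected within a horizon.

```python
"""Toy discrete-event model of the attacker/defender process loop.

Added example, not AMICA code.  Durations are Between(lo, hi) uniform draws
in minutes; probabilities and hop count are constructed assumptions.
"""
import random
from dataclasses import dataclass
from typing import List, Optional

MIN, HOUR = 1, 60
DAY = 24 * HOUR


@dataclass
class AttackerParams:
    hops_to_goal: int = 3        # lateral infections before the goal node is reachable (assumed)
    p_phish: float = 0.6         # probability a spear-phishing attempt yields a foothold
    p_infect: float = 0.7        # per-hop lateral infection success
    p_compromise: float = 0.8    # success of compromising the goal node
    p_detect: float = 0.2        # chance the defender's sensors flag each attacker step


@dataclass
class DefenderParams:
    response_lo: float = 1 * HOUR  # triage + wipe/restore, Between(1,3)h on the slide
    response_hi: float = 3 * HOUR


@dataclass
class Outcome:
    impact_time: Optional[float]   # minutes until the mission is affected; None if never
    alerts: int                    # alerts the defender raised
    resets: int                    # times a completed wipe/restore voided attacker progress


def simulate(att: AttackerParams, dfn: DefenderParams,
             horizon: float = 30 * DAY, seed: int = 0) -> Outcome:
    rng = random.Random(seed)
    between = rng.uniform          # Between(lo,hi): uniform draw, like the slide's notation
    t = 0.0
    alerts = resets = hops = 0
    foothold = False
    pending: List[float] = []      # completion times of in-flight defender responses

    while t < horizon:
        # --- attacker takes one step of the process model ---
        if not foothold:                          # Initial Foothold
            t += between(1 * DAY, 3 * DAY)        # Get Spear Phishing Targets
            t += between(15 * MIN, 45 * MIN)      # Choose & Infect Target
            ok = rng.random() < att.p_phish
        elif hops < att.hops_to_goal:             # Lateral Movement
            t += between(30 * MIN, 90 * MIN)      # Perform Network Scan / Infect Target
            ok = rng.random() < att.p_infect
        else:                                     # Achieve Goal
            t += between(30 * MIN, 90 * MIN)      # Compromise Goal Node
            ok = rng.random() < att.p_compromise

        # --- defender: a wipe/restore that finished during this step voids progress ---
        if any(done <= t for done in pending):
            pending.clear()
            resets += 1
            foothold, hops = False, 0
            continue

        # --- detection: each attacker step may raise an alert and start a response ---
        if rng.random() < att.p_detect:
            alerts += 1
            pending.append(t + between(dfn.response_lo, dfn.response_hi))

        if not ok:
            continue
        if not foothold:
            foothold = True
        elif hops < att.hops_to_goal:
            hops += 1
        else:
            return Outcome(t, alerts, resets)     # Perform Attack: mission affected (0m)

    return Outcome(None, alerts, resets)


def win_probability(att: AttackerParams, dfn: DefenderParams,
                    runs: int = 200, horizon: float = 30 * DAY) -> float:
    """Fraction of Monte Carlo runs in which the attacker affects the mission."""
    wins = sum(simulate(att, dfn, horizon, seed=i).impact_time is not None
               for i in range(runs))
    return wins / runs


if __name__ == "__main__":
    for p_detect in (0.0, 0.2, 0.5):
        att = AttackerParams(p_detect=p_detect)
        print(f"p_detect={p_detect:.1f}  P(mission affected within 30 d) = "
              f"{win_probability(att, DefenderParams()):.2f}")
```

The model only checks for a completed response at the end of each attacker step, so a wipe that finishes mid-step takes effect at the step boundary; that is the same granularity the flowcharts use.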
Enterprise-level Simulation of Cyber-physical impacts: Automated Learning of Enterprise Model
M. Lange, R. Moeller, G. Lang and F. Kuhr, "Event Prioritization and Correlation based on Pattern Mining Techniques," in 14th International Conference on Machine Learning and Applications, Miami, 2015.
PANOPTESEC
PANOPTESEC project – the Seventh Framework Programme for Research (FP7) of the European Commission, 2013–2016.
PANOPTESEC integrates and normalizes heterogeneous events, correlates them with the infrastructure, evaluates their operational impact, and calculates the risk an event poses to the monitored infrastructure.
The PANOPTESEC consortium set up a testbed: an authentic replication of an Italian water and energy distribution company’s corporate enterprise systems and supervisory control and data acquisition (SCADA) system.
The Challenge of Manual Model Construction
Manual modeling of dependencies – capturing the network's intended workflow and links to physical assets – is prohibitively expensive in complex enterprises. We focus on development of an automated approach:
• Use network traffic;
• Automatically learn network dependencies;
• Deduce higher-level information about a network's mission based on network services and applications
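As an added illustration of the automated approach (written for this page, not the authors' tool), the block below learns a coarse dependency model from flow records: repeated client-to-server connections become workflow edges, destination ports are mapped to services, devices that only initiate connections are marked as clients, and devices are grouped by sub-network into the "swim lanes" of the mission model. The flow records are constructed, and the port-to-service table is an assumption standing in for a site's service catalogue. The `dependents` query then answers the mission-impact question a defender asks of such a model: which devices' workflows break if a given server is lost.

```python
"""Learning a coarse mission/dependency model from network flow records.

Added example, not the authors' implementation.  FLOWS and SERVICE_BY_PORT
are constructed; the /24 grouping mirrors the slide's sub-network swim lanes.
"""
from collections import Counter, defaultdict
from ipaddress import ip_network
from typing import Dict, Set, Tuple

# Assumed mapping from destination port to the service it implies.
SERVICE_BY_PORT = {80: "http", 443: "https", 389: "ldap", 5432: "postgresql"}

# Constructed flows: (src_ip, dst_ip, dst_port), one record per observed connection.
FLOWS = (
    [("10.0.1.11", "10.0.2.10", 443)] * 3 +    # workstation -> web app
    [("10.0.1.12", "10.0.2.10", 443)] * 3 +
    [("10.0.1.11", "10.0.3.20", 389)] * 2 +    # workstations -> directory
    [("10.0.1.12", "10.0.3.20", 389)] * 2 +
    [("10.0.2.10", "10.0.3.10", 5432)] * 4 +   # web app -> database
    [("10.0.2.10", "10.0.3.20", 389)] * 2 +    # web app -> directory
    [("10.0.1.12", "10.0.9.9", 8080)]          # one-off connection: below threshold, dropped
)

Edge = Tuple[str, str, int]


def learn_dependencies(flows, min_flows: int = 2) -> Dict:
    """Keep (client, server, port) pairs seen at least min_flows times; a
    single flow is treated as noise rather than a workflow dependency."""
    counts = Counter(flows)
    edges: Dict[Edge, int] = {e: n for e, n in counts.items() if n >= min_flows}
    servers: Dict[str, Set[str]] = defaultdict(set)
    for (_, dst, port) in edges:
        servers[dst].add(SERVICE_BY_PORT.get(port, f"tcp/{port}"))
    # Devices that only initiate connections are the 'client' devices of the slide.
    clients = {src for (src, _, _) in edges if src not in servers}
    return {"edges": edges, "servers": dict(servers), "clients": clients}


def subnet(ip: str, prefix: int = 24) -> str:
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def swim_lanes(model) -> Dict[str, list]:
    """Group devices by sub-network, the lanes of the slide's mission model."""
    lanes = defaultdict(list)
    for ip in set(model["servers"]) | model["clients"]:
        lanes[subnet(ip)].append(ip)
    return {lane: sorted(ips) for lane, ips in lanes.items()}


def dependents(model, node: str) -> Set[str]:
    """Devices whose workflow transitively relies on `node` (reverse reachability
    over the learned edges): the set a defender would expect to be affected if
    `node` is taken offline or compromised."""
    upstream = defaultdict(set)
    for (src, dst, _) in model["edges"]:
        upstream[dst].add(src)
    seen, stack = set(), [node]
    while stack:
        for src in upstream[stack.pop()]:
            if src not in seen:
                seen.add(src)
                stack.append(src)
    return seen


if __name__ == "__main__":
    m = learn_dependencies(FLOWS)
    for lane, devices in sorted(swim_lanes(m).items()):
        print(lane, devices)
    print("affected if database fails:", sorted(dependents(m, "10.0.3.10")))
```

The `min_flows` threshold is the one knob worth tuning on real traffic: too low and every scan or misconfigured client becomes a "dependency", too high and rarely used but mission-critical links (a monthly reporting job, for instance) disappear from the model.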
An example of a high-level view of an automatically derived mission model. Swim lanes represent sub-networks, network devices are represented by tasks, and a human silhouette marks client network devices.
Advantage in Large-Scale Cyber Warfare as a Function of Strategy and Network Properties
J.H. Cho and J. Gao, “Cyber War Game in Temporal Networks,” accepted to PLOS ONE, 2016
Cyber War Strategies in Temporal Networks
Current State-of-the-Art
• Cyber war strategies often require resource-efficient solutions under highly distributed, resource-constrained networks
• Little prior work investigates heuristic cyber strategies studying the impact of network characteristics on performance
Goal:
Identify near-optimal strategies by attackers or defenders to minimize resource consumption and maximize a win probability; the problem is formulated as:
Node i’s resource level is defined as:
where resource consumption by taking an action is:
Cho (ARL), Gao (NEU, NS CTA) – accepted to PLOS ONE Journal
Optimality Analysis of Cyber Strategies
• BFA: Brute-Force Attack with solution search in O(N 2^N)
• RF-A: Resource First – Attack with solution search in O(N^2)
• IF-A: Influence First – Attack with solution search in O(N^3)
Influence is measured based on k-hop reachability as:
Heuristic cyber strategies perform close to the optimal solution(s) with significantly less complexity; under a sparse network, the influence-first attack strategy outperforms its resource-first counterpart.
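The three strategies can be compared on a small constructed network; the block below is an added example written for this page, not the authors' implementation, and it makes assumptions the slide leaves open: a node's influence is taken as the number of other nodes within k hops of it (one concrete reading of "k-hop reachability"), a strategy picks a set of nodes within a resource budget, and its payoff is the number of nodes the picked set reaches within k hops. Network temporality is not modelled. The graph, per-node costs and budget are constructed so that the sparse-network case is visible: brute force finds the optimum, influence-first comes closer to it than resource-first, and only brute force has to enumerate 2^N subsets. The same selection problem is the defender's when deciding which nodes to harden or monitor first.

```python
"""Resource-first vs influence-first vs brute-force node selection.

Added example, not the authors' code.  Influence = number of other nodes within
k hops (assumed reading of k-hop reachability); payoff = nodes covered within
k hops by the chosen set; ADJ, COST, BUDGET and K are constructed.
"""
from typing import Dict, List, Set

# Constructed undirected network: a hub (0) with leaves, a chain off the hub, and
# an isolated pair (6,7).  Sparse, like the case where the slide says IF-A wins.
ADJ: Dict[int, List[int]] = {
    0: [1, 2, 3], 1: [0], 2: [0], 3: [0, 4], 4: [3, 5], 5: [4], 6: [7], 7: [6],
}
# Resource needed to act on each node (constructed): the hub is the most expensive.
COST = {0: 4, 1: 2, 2: 2, 3: 2, 4: 2, 5: 1, 6: 1, 7: 1}
BUDGET, K = 4, 2


def k_hop_reach(adj, start: int, k: int) -> Set[int]:
    """Nodes within k hops of start, start included (breadth-first, k levels)."""
    seen, frontier = {start}, [start]
    for _ in range(k):
        nxt = []
        for u in frontier:
            for v in adj[u]:
                if v not in seen:
                    seen.add(v)
                    nxt.append(v)
        frontier = nxt
    return seen


def influence(adj, node: int, k: int) -> int:
    return len(k_hop_reach(adj, node, k)) - 1


def coverage(adj, chosen, k: int) -> int:
    """Payoff of a chosen set: distinct nodes it reaches within k hops."""
    covered: Set[int] = set()
    for n in chosen:
        covered |= k_hop_reach(adj, n, k)
    return len(covered)


def _greedy(adj, cost, budget, key) -> List[int]:
    """Walk nodes in the given priority order, taking each that still fits the budget."""
    chosen, remaining = [], budget
    for n in sorted(adj, key=key):
        if cost[n] <= remaining:
            chosen.append(n)
            remaining -= cost[n]
    return chosen


def resource_first(adj, cost, budget, k) -> List[int]:
    """RF: cheapest nodes first; one sort, no graph traversal."""
    return _greedy(adj, cost, budget, key=lambda n: (cost[n], n))


def influence_first(adj, cost, budget, k) -> List[int]:
    """IF: highest k-hop influence first; one BFS per node before the sort."""
    infl = {n: influence(adj, n, k) for n in adj}
    return _greedy(adj, cost, budget, key=lambda n: (-infl[n], n))


def brute_force(adj, cost, budget, k) -> List[int]:
    """BF: evaluate every affordable subset (2^N of them); exact but exponential."""
    nodes = sorted(adj)
    best, best_cov = [], -1
    for mask in range(1 << len(nodes)):
        subset = [nodes[i] for i in range(len(nodes)) if mask >> i & 1]
        if sum(cost[n] for n in subset) > budget:
            continue
        cov = coverage(adj, subset, k)
        if cov > best_cov:
            best, best_cov = subset, cov
    return best


if __name__ == "__main__":
    for name, strategy in (("RF", resource_first), ("IF", influence_first), ("BF", brute_force)):
        picked = strategy(ADJ, COST, BUDGET, K)
        print(f"{name}: picked {picked}, covers {coverage(ADJ, picked, K)} of {len(ADJ)} nodes")
```

On this graph resource-first spends its budget on the cheap but poorly connected nodes 5, 6 and 7 and covers 5 of 8 nodes, influence-first takes node 3 (the chain node adjacent to the hub) and node 1 and covers 6, and brute force finds a set covering all 8; the gap between the heuristics and the optimum is the "close to optimal" trade-off the slide describes.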
Performance Analysis: Win Probability & Resource Consumption
Current State-of-the-Art
• Little existing work considers network temporality and density that may affect optimal cyber war strategies by attackers or defenders
Network density reduces win probability in a highly temporal network.
Network temporality affects the performance of cyber strategies differently under different network densities; overall, influence-first is preferred in terms of winning and resource consumption. Influence-first attack incurs less resource consumption in a dense network; there exists a critical node degree maximizing resource consumption.
Performance Analysis: System Vulnerability
System vulnerability is highly sensitive to network temporality and density.
• Less system failure occurs under a sparse network;
• High temporality introduces high system vulnerability or system failure at an earlier time than under low temporality
REFERENCES
• Schneider, F. B., “Blueprint for a Science of Cybersecurity,” The Next Wave, Vol. 19, No. 2, 2012.
• Bau, J., and Mitchell, J. C., “Security Modeling and Analysis,” IEEE Security & Privacy, May–June 2011.
• Cho, J. H., Cam, H., and Oltramari, A., “Effect of Personality Traits on Trust and Risk to Phishing Vulnerability: Modeling and Analysis,” accepted to IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA 2016), 21–25 March 2016, San Diego, USA.
• Ben-Asher, N., Oltramari, A., Erbacher, R. F., and Gonzalez, C. (2015). “Ontology-based Adaptive Systems of Cyber Defense.” The 10th International Conference on Semantic Technology for Intelligence, Defense, and Security (STIDS), Fairfax, VA, USA.
• Marshall, H., et al., “Cyber Operations Battlefield Web Services (COBWebS): Concept for a Tactical Cyber Warfare Effect Training Prototype,” Fall SIW 2015, Orlando, FL, 2015.
• Marvel, L. M., Brown, S., Neamtiu, I., Harang, R., Harman, D., and Henz, B. (2015, October). “A Framework to Evaluate Cyber Agility.” In Military Communications Conference (MILCOM 2015), IEEE, pp. 31–36.
• Chadha, R., et al., “CyberVAN: A Cyber Security Virtual Assured Network Testbed,” Military Communications Conference (MILCOM 2016), IEEE, 2016.
• Noel, S., Ludwig, J., Jain, P., Johnson, D., Thomas, R., McFarland, J., King, B., Webster, S., and Tello, B., “Analyzing Mission Impacts of Cyber Actions,” in Proceedings of the NATO IST-128 Workshop on Cyber Attack Detection, Forensics and Attribution for Assessment of Mission Impact, Istanbul, 2015.
• Lange, M., Moeller, R., Lang, G., and Kuhr, F., “Event Prioritization and Correlation based on Pattern Mining Techniques,” in 14th International Conference on Machine Learning and Applications, Miami, 2015.
• Cho, J. H., and Gao, J., “Cyber War Game in Temporal Networks,” accepted to PLOS ONE, 2016.
• Ganin, A. A., Massaro, E., Gutfraind, A., Steen, N., Keisler, J. M., Kott, A., ... and Linkov, I. (2016). “Operational Resilience: Concepts, Design and Analysis.” Scientific Reports, 6.
• Kott, A., Alberts, D. S., and Wang, C., “Will Cybersecurity Dictate the Outcome of Future Wars?,” Computer 48(12) (2015): 98–101.
• Kott, A., “Towards Fundamental Science of Cyber Security,” in Network Science and Cybersecurity, Springer New York, 2014, pp. 1–13. arXiv:1512.00407.
• Kott, A., Stoianov, N., Baykal, N., Moller, A., Sawilla, R., Jain, P., Lange, M., and Vidu, C., “Assessing Mission Impact of Cyberattacks: Report of the NATO IST-128 Workshop,” arXiv preprint arXiv:1601.00912 (2016).
• Gil, S., Kott, A., and Barabási, A.-L., “A Genetic Epidemiology Approach to Cyber-Security,” Scientific Reports 4 (2014).
• Kott, A., and Citrenbaum, G., eds., Estimating Impact: A Handbook of Computational Methods and Models for Anticipating Economic, Social, Political and Security Effects in International Interventions. Springer Science & Business Media, 2010.