Detecting & Preventing Misuse of Privilege (PMOP): PowerPoint presentation transcript

Slides: 36
Provided by: robert942

Transcript and Presenter's Notes
1
Detecting & Preventing Misuse of Privilege (PMOP)
  • PI Meeting 7/13/05
  • Bob Balzer (Teknowledge)
  • Howie Shrobe (MIT)
  • Updates since Kickoff
  • Updates since January

2
[Figure: PMOP architecture. Labels: Operator Action; GUI; Cocoon around the Legacy App with Mediation points (M); Behavior Monitor; Operational System Model; Predicted State; Harm Assessment (Normal, Benign Operator Action, Harmful Operator Action); Intent Assessment (Operator Error, Malicious Insider); Behavior Authorizer.]
3
[Figure: the PMOP architecture diagram from slide 2, annotated with the MIT and Teknowledge portions.]
4
Distinguishing AWDRAT & PMOP
  • AWDRAT
    • Detecting misbehaving software
    • Hijacks, overprivileged scripts, trap doors, faults
  • PMOP
    • Detecting misbehaving operators
    • Malicious intent, operator error

5
Progress Since 1/05 PI Meeting
  • End-to-End working system
  • Instrumentation of Operator Actions
  • Expanded Scope
    • Originally, application harm by application operator
    • Now, system harm by application operator
    • System harm = harm to OS objects (files, registry, etc.)
    • Integration of OS level Wrappers into PMOP architecture
    • Next, system harm by OS operator

6
Operator Action Monitoring Demo
7
What are we trying to do?
  • Block Harmful Operations
  • Differentiate
    • Operator Error
    • Malicious Intent

[Figure: PMOP architecture diagram, as on slide 2.]
8
Technical Challenges
  • Modeling system to predict effect
  • Modeling Operator to differentiate
    • Operator Error
    • Malicious Intent
  • Applying security to the application layer
    • Creating application specific rule framework for defining harm
    • Harm expressed orthogonally from OS objects
    • Finding points in application to apply it
    • NOT complete coverage of application semantics
    • → to be handled in Phase II for a specific high value system

9
JBI DemVal Dataflow (via Publish/Subscribe)
The Good The Bad The Ugly
[Figure: JBI DemVal publish/subscribe dataflow. Nodes: External, AODB, Proposed MI, AS, MAF, CAF, Approved MI, LOC, JW, SPI, JEES, EDC, TAP, ATO, Chem Hazard, CHW, CHI, Targeting, TNL, WLC, Weather Hazard, CHA, WH, Combat Ops.]
10
Applying Security to Application Layer
  • CAF DemVal component
    • Builds Air Transport Plans
    • Publishes completely built Air Transport Plans
    • Edits partially built Air Transport Plans
    • Saves & Restores partially built Air Transport Plans
  • Creating application specific rule framework for defining harm
    • Harm expressed orthogonally from OS objects
    • For CAF DemVal component
      • Harm = publishing a semantically malformed Air Transport Plan
      • What semantic knowledge and data is required to determine malformedness
  • Finding points in application to apply it
    • For CAF DemVal component
      • Commit & Publish Air Transport Plan

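The slide names the pieces (a rule framework that defines harm, an operational system model that predicts the effect of an action, and the Commit & Publish call as the mediation point) without showing how they fit together. The following is an added example, written for this page and not code from the PMOP project or the CAF DemVal component, that wires them up in Python. The Air Transport Plan fields, the system model, the rule names and the sample plans are all assumptions; the real plan format and the SME-authored rules are not shown in the presentation.

```python
"""Added example, not code from the PMOP slides: a Boolean harm-rule framework
applied at the CAF DemVal component's Commit & Publish mediation point.

Assumptions (nothing below is described on the page): the Air Transport Plan
fields, the operational system model, the rule set and the sample plans.
"""
import copy
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


@dataclass
class AirTransportPlan:
    plan_id: str
    origin: str
    destination: str
    depart: int        # minutes since midnight (assumed representation)
    arrive: int
    aircraft: str      # tail number
    cargo_kg: int
    complete: bool = True   # False = partially built (saved/restored, not publishable)


@dataclass
class SystemModel:
    """Operational system model: the state an operator action is applied to."""
    airfields: Set[str]
    capacity_kg: Dict[str, int]                    # tail number -> max cargo
    published: Dict[str, AirTransportPlan] = field(default_factory=dict)

    def predict(self, plan: AirTransportPlan) -> "SystemModel":
        """Predicted state after publishing `plan`, computed on a copy so the
        live model is untouched until the authorizer allows the action."""
        nxt = copy.deepcopy(self)
        nxt.published[plan.plan_id] = plan
        return nxt


# A harm rule inspects (plan, state before, predicted state after) and
# returns True when publishing would be harmful.
HarmRule = Callable[[AirTransportPlan, SystemModel, SystemModel], bool]


def incomplete_plan(plan, before, after):
    return not plan.complete


def unknown_airfield(plan, before, after):
    return plan.origin not in after.airfields or plan.destination not in after.airfields


def arrives_before_departs(plan, before, after):
    return plan.arrive <= plan.depart


def overloads_aircraft(plan, before, after):
    cap = after.capacity_kg.get(plan.aircraft)
    return cap is None or plan.cargo_kg > cap


def duplicate_plan_id(plan, before, after):
    return plan.plan_id in before.published


def double_booked(plan, before, after):
    """Needs the predicted state: the conflict only exists once the new plan
    sits beside the plans already published."""
    for other in after.published.values():
        if other.plan_id == plan.plan_id or other.aircraft != plan.aircraft:
            continue
        if plan.depart < other.arrive and other.depart < plan.arrive:
            return True
    return False


HARM_RULES: Dict[str, HarmRule] = {
    "incomplete_plan": incomplete_plan,
    "unknown_airfield": unknown_airfield,
    "arrives_before_departs": arrives_before_departs,
    "overloads_aircraft": overloads_aircraft,
    "duplicate_plan_id": duplicate_plan_id,
    "double_booked": double_booked,
}


def mediate_publish(model, plan, rules=HARM_RULES):
    """Behavior authorizer wrapped around the publish call.
    Returns ("allow", []) and commits the plan, or ("block", [rule names])
    and leaves the model unchanged. Coverage is exactly the coverage of `rules`."""
    predicted = model.predict(plan)
    violations = [name for name, rule in rules.items() if rule(plan, model, predicted)]
    if violations:
        return "block", violations
    model.published[plan.plan_id] = plan
    return "allow", []


def build_demo_model():
    """Constructed sample state (not real data)."""
    model = SystemModel(
        airfields={"KDOV", "KWRI", "ETAR"},
        capacity_kg={"C17-001": 77000, "C130-004": 19000},
    )
    model.published["P1"] = AirTransportPlan("P1", "KDOV", "ETAR", 600, 1020, "C17-001", 60000)
    return model


if __name__ == "__main__":
    m = build_demo_model()
    ok = AirTransportPlan("P2", "KWRI", "KDOV", 700, 800, "C130-004", 5000)
    bad = AirTransportPlan("P3", "KDOV", "KWRI", 900, 1000, "C17-001", 80000)
    print(mediate_publish(m, ok))
    print(mediate_publish(m, bad))
```

Two design points match the slides. The rules see the predicted state, not the live one, so a rule such as `double_booked` can reason about the world after the action while the model is only updated when the action is allowed. And the authorizer is exactly as good as its rule table: a malformed plan that violates none of the listed rules is published, which is the "coverage equals rule coverage" caveat the later slides make.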
11
Limitations of Approach
  • Harm defined as a Boolean
    • No comparison metric
    • No comparison of alternatives (either predefined or generated)
    • Lesser of two or more evils not detected as beneficial
    • Suboptimal actions not detected as harmful
  • Benefit is not defined
    • Doing nothing or delaying action not detected as harmful
  • Possible Phase II Improvements
    • Define Harm and Benefit as quantified dimensions
    • Provide operator performance model (generate alternatives)
    • Minimal acceptable performance model enables
      • Detecting suboptimal choice & Malicious Intent in such choices
      • Detecting delay/do-nothing as harmful & Malicious Intent in such choices

12
Insider Threat
  • Space of Insider Attacks
    • Attacks through Application Software
    • Attacks through OS GUI (Insider as OS user)
    • Attacks through Insider's software
    • Physical attacks

13
Insider Threat
  • Space of Insider Attacks
    • Attacks through Application Software
      • General Framework
        • Detect Harm (before it happens) & Block It
        • Harm defined by application specific rules
      • For JBI it was publishing a malformed object
        → Built a framework for applying malformed-object rules to a published object
        → Built a few exemplar malformed-object rules
        → Limited by lack of domain knowledge engineering funds
      • For the SaveAs GUI it was harm to JBI or System resources
        → Used SafeFamily wrapper rule language
      • > Coverage equals Rule Coverage

14
Insider Threat
  • Space of Insider Attacks
    • Attacks through Application Software
    • Attacks through OS GUI (Insider as OS user)
      • General Framework
        • Detect Harm (before it happens) & Block It
        • Harm defined by application specific rules
      • For the OS GUI (Explorer process) it is harm to JBI or System resources
        → Used SafeFamily wrapper rule language
      • > Coverage equals Rule Coverage

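Slides 13 and 14 both route OS-level harm (the CAF SaveAs GUI and the Explorer process touching JBI or system resources) through SafeFamily wrapper rules, and both end on "Coverage equals Rule Coverage". The following is an added example, written for this page and not SafeFamily code or any other code from the project, of such a file-operation mediator in Python. SafeFamily's real rule language is not shown on the page, so the rule representation, the process names, the protected paths and the intercepted calls are all hypothetical stand-ins.

```python
"""Added example, not code from the slides: an OS-level wrapper that mediates
file-system calls from wrapped processes (the CAF SaveAs GUI and the Explorer
process) and protects JBI and system resources by rule.

Assumptions: SafeFamily's real rule language is not shown on the page, so the
rule representation, process names and protected paths are hypothetical.
"""
import ntpath
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FsEvent:
    process: str   # image name of the wrapped process issuing the call
    op: str        # "read" | "write" | "delete" | "rename"
    path: str      # path argument exactly as the caller supplied it


@dataclass(frozen=True)
class WrapperRule:
    name: str
    processes: Tuple[str, ...]   # ("*",) = any wrapped process
    ops: Tuple[str, ...]
    path_glob: str               # Windows-style glob, matched after normalization
    verdict: str                 # "deny" | "allow"


def normalize(path: str) -> str:
    """Collapse '..' segments and case so that a traversal such as
    work\\..\\..\\..\\JBI\\plans cannot slip past a rule written for C:\\JBI\\plans."""
    return ntpath.normpath(path).lower()


RULES: Tuple[WrapperRule, ...] = (
    # JBI resources: no wrapped process may modify published plans.
    WrapperRule("jbi_plans_readonly", ("*",), ("write", "delete", "rename"),
                r"C:\JBI\plans\*", "deny"),
    # The CAF SaveAs GUI may write only inside the operator's work area.
    WrapperRule("saveas_work_area", ("caf.exe",), ("write",),
                r"C:\Users\operator\work\*", "allow"),
    WrapperRule("saveas_no_other_writes", ("caf.exe",), ("write", "delete", "rename"),
                "*", "deny"),
    # Insider acting as OS user through Explorer: keep hands off the OS itself.
    WrapperRule("explorer_system_protect", ("explorer.exe",), ("write", "delete", "rename"),
                r"C:\Windows\*", "deny"),
)


def authorize(event: FsEvent, rules=RULES) -> Tuple[str, Optional[str]]:
    """First matching rule wins. An event no rule covers falls through to
    'allow' with rule=None: that fall-through is the 'coverage equals rule
    coverage' limitation, returned explicitly so an audit can find the gaps."""
    path = normalize(event.path)
    proc = event.process.lower()
    for rule in rules:
        if rule.processes != ("*",) and proc not in rule.processes:
            continue
        if event.op not in rule.ops:
            continue
        if not fnmatchcase(path, normalize(rule.path_glob)):
            continue
        return rule.verdict, rule.name
    return "allow", None


def audit(events: List[FsEvent]) -> List[Tuple[str, Optional[str]]]:
    return [authorize(e) for e in events]


# Constructed sample of intercepted calls (not captured from a real system).
SAMPLE_EVENTS = [
    FsEvent("caf.exe", "write", r"C:\Users\operator\work\tap-partial.xml"),
    FsEvent("caf.exe", "write", r"C:\JBI\plans\approved\ato.xml"),
    FsEvent("caf.exe", "write", r"C:\Users\operator\work\..\..\..\JBI\plans\ato.xml"),
    FsEvent("explorer.exe", "delete", r"C:\Windows\System32\drivers\etc\hosts"),
    FsEvent("explorer.exe", "delete", r"C:\ProgramData\JBI\server\config.ini"),
]

if __name__ == "__main__":
    for ev, (verdict, rule) in zip(SAMPLE_EVENTS, audit(SAMPLE_EVENTS)):
        print(f"{verdict:5} {rule or '<no rule: coverage gap>':28} "
              f"{ev.process} {ev.op} {ev.path}")
```

The third sample event is the check a practitioner should insist on: the SaveAs dialog's path is normalized before it is matched, so a `..` traversal out of the work area is caught by the JBI rule rather than by luck. The last event shows the other half of the slide's caveat: a JBI server file outside the rule table is deleted without objection, because coverage is whatever the rules say it is.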
15
Insider Threat
  • Space of Insider Attacks
    • Attacks through Application Software
    • Attacks through OS GUI (Insider as OS user)
    • Attacks through Insider's software
      • Problem for our approach because a generic rule set must be used
      • Planned for Option
    • Physical attacks
      • Out of bounds

16
Insider Threat Coverage

  (percent of the insider attack space; Thwartable = Space × Coverable)
  Attack channel                 Space   Coverable   Thwartable
  Application Software             50       80           40
  OS GUI (Insider as OS user)      25       80           20
  Insider's software               25        0            0
  Physical attacks              out of bounds
  Total thwartable                                       60
  ?10

  • Space of Insider Attacks
    • Attacks through Application Software
      • Coverage equals Rule Coverage
    • Attacks through OS GUI (Insider as OS user)
      • Coverage equals Rule Coverage
    • Attacks through Insider's software
      • Planned for Option
    • Physical attacks
      • Out of bounds

17
Metrics Issues
  • How can we show the rule framework is generic without covering all of the application semantics?
    • Use red team experiment
    • Red team rules of engagement
      • Jointly define the application semantics to be defended
      • Require 100% coverage of that semantics

18
Red Team Experiment
  • Force experiment to determine ability to thwart insider attack
  • Three (proposed) Flags
    • Harm application using only the application GUI (SaveAs GUI excluded), using the jointly defined subset of application semantics
    • Harm application using only the SaveAs GUI
    • Harm application using the OS GUI (Explorer process) (running other programs excluded)

19
How will you show success?
  • Block Harmful Operations
  • Differentiate
    • Operator Error
    • Malicious Intent
  • Red-Team Experiment

[Figure: PMOP architecture diagram, as on slide 2.]
20
What are implications of success?
  • Systems can be protected
    • from insider attacks
    • from operator error
    • from zero-day attacks

[Figure: PMOP architecture diagram, as on slide 2.]
21
What is technical approach?
  • Observe effect of operator action in system model
  • Match harmful actions against
    • Errorful Operator Plans
    • Attack Plans

[Figure: PMOP architecture diagram, as on slide 2.]
22
What is new?
  • Observe effect of operator action in system model
  • Match harmful actions against
    • Errorful Operator Plans
    • Attack Plans

[Figure: PMOP architecture diagram, as on slide 2.]
23
What is hard?
  • Modeling System to predict effect
  • Modeling Operator to differentiate
    • Operator Error
    • Malicious Intent

[Figure: PMOP architecture diagram, as on slide 2.]
24
What We're Missing
  • Realistic Rules (Domain Knowledgeable)
    • Would be created by SMEs in real deployment
  • Comprehensive Rule Set
    • Would be created by SMEs in real deployment
  • Instrumentation of the GUI actions
    • Just Mission Building/Editing methods currently instrumented
    • GUI actions will be instrumented by 4/1/05

25
Technology for SRS Integration
  • Behavior Monitor/Authorizer
    • What code is doing
    • What human operator is doing
  • Operational Models
    • Software Components
  • Harm Detectors
    • Rule driven
    • Application-Level
    • OS-Level
  • Intent Determination

26
Backup (old slides)
27
Determining Malicious Intent
  • Can the operator action be performed legally?
  • Does the operator action cause harm?
  • Is there an alternative that doesn't cause harm?
  • Is this the minimal harm alternative?
  • Does the operator action satisfy a requirement/goal?
  • Is there a better way to accomplish the goal?
  • Should the operator have found this better way?

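The seven questions above are the decision procedure that slide 11's Phase II improvements (harm and benefit as quantified dimensions, an operator performance model that generates alternatives, a minimal acceptable performance model) would make answerable. The following is an added example, written for this page and not code from the PMOP project, that runs those questions over a toy airlift task in Python and serves both slides. The task, the scoring formulas, the "effort" measure (how many aircraft the operator must combine to reach an option) and the verdict policy are all assumptions; the page gives no formulas or thresholds.

```python
"""Added example, not code from the slides: harm and benefit as quantified
dimensions with an operator performance model that generates alternatives
(slide 11's Phase II direction), used to answer the malicious-intent
questions of slide 27.

Assumptions: the airlift task, the scoring formulas, the effort measure and
the verdict policy are all made up for illustration.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Aircraft:
    tail: str
    capacity_kg: int
    ready_at: int      # minutes since midnight the aircraft can depart
    flight_min: int


@dataclass(frozen=True)
class Goal:
    need_kg: int
    deadline: int      # minutes since midnight by which the cargo must arrive


@dataclass(frozen=True)
class Option:
    tails: Tuple[str, ...]   # () is the "do nothing / delay" option
    benefit: float           # fraction of the goal satisfied, 0..1
    harm: float              # unmoved fraction plus lateness, capped at 1
    effort: int              # performance model: aircraft combined to reach it


def score(goal: Goal, fleet: Dict[str, Aircraft], tails: Tuple[str, ...]) -> Option:
    moved = min(goal.need_kg, sum(fleet[t].capacity_kg for t in tails))
    latest = max((fleet[t].ready_at + fleet[t].flight_min for t in tails), default=0)
    benefit = moved / goal.need_kg
    late = max(0, latest - goal.deadline) / goal.deadline
    harm = min(1.0, (1.0 - benefit) + late)
    return Option(tuple(tails), benefit, harm, len(tails))


def alternatives(goal: Goal, fleet: Dict[str, Aircraft]) -> List[Option]:
    """Operator performance model: every assignment of aircraft to the task,
    including doing nothing, scored on the same two dimensions."""
    return [score(goal, fleet, combo)
            for k in range(len(fleet) + 1)
            for combo in combinations(sorted(fleet), k)]


def better(a: Option, b: Option, eps: float = 1e-9) -> bool:
    """a beats b: strictly less harm, or equal harm with more benefit."""
    return a.harm < b.harm - eps or (abs(a.harm - b.harm) <= eps and a.benefit > b.benefit + eps)


def assess_intent(goal, fleet, chosen_tails, max_effort, legal=True):
    """Walk the slide-27 questions and return (chosen option, answers, verdict).
    `max_effort` is the minimal acceptable performance: the operator is
    expected to find any better option reachable with that many aircraft."""
    chosen = score(goal, fleet, tuple(chosen_tails))
    alts = alternatives(goal, fleet)
    better_opts = [o for o in alts if better(o, chosen)]
    answers = {
        "legal": legal,
        "causes_harm": chosen.harm > 0,
        "harmless_alternative_exists": any(o.harm == 0 for o in alts),
        "is_minimal_harm": not any(o.harm < chosen.harm - 1e-9 for o in alts),
        "satisfies_goal": chosen.benefit >= 1.0,
        "better_way_exists": bool(better_opts),
        "should_have_found_it": any(o.effort <= max_effort for o in better_opts),
    }
    if not answers["legal"]:
        verdict = "blocked: not authorized"
    elif not answers["better_way_exists"]:
        verdict = "benign"                       # includes lesser-of-evils choices
    elif answers["should_have_found_it"]:
        verdict = "malicious-intent indicator"  # suboptimal and easily avoidable
    else:
        verdict = "operator error"              # suboptimal, but hard to find
    return chosen, answers, verdict


# Constructed sample task (not real data): 40 t must arrive by 20:00.
GOAL = Goal(need_kg=40000, deadline=1200)
FLEET = {
    "C130-001": Aircraft("C130-001", 19000, 600, 180),   # arrives 780
    "C130-002": Aircraft("C130-002", 19000, 700, 180),   # arrives 880
    "C130-003": Aircraft("C130-003", 19000, 500, 200),   # arrives 700
    "C17-001": Aircraft("C17-001", 77000, 1000, 240),    # arrives 1240, 40 min late
}

if __name__ == "__main__":
    for choice in [("C130-001", "C130-002", "C130-003"), ("C17-001",), ()]:
        chosen, answers, verdict = assess_intent(GOAL, FLEET, choice, max_effort=2)
        print(f"{choice!s:40} harm={chosen.harm:.3f} -> {verdict}")
```

Three of the cases map directly onto the limitations listed on slide 11. Doing nothing is scored as harm 1.0 rather than being invisible, because no publish ever reaches a Boolean rule. The lone C-17 (40 minutes late) is a lesser-of-evils choice among anything reachable with two aircraft, so it is graded as operator error rather than as malicious, since the harmless three-C-130 option lies beyond the minimal acceptable performance model. And two C-130s, which leave 2 t behind when one C-17 would have done better at effort 1, are flagged as a suboptimal choice the operator should have found.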
28
JBI DemVal Dataflow(via Publish/Subscribe)
[Figure: JBI DemVal publish/subscribe dataflow diagram, as on slide 9.]
30
[Figure: the PMOP architecture diagram from slide 2 instantiated on JBI DemVal, which takes the place of the Legacy App inside the Cocoon.]
31
What We've Got
  • End-To-End Demonstration (demo shortly)
    • Working Prototypes of MOP components
    • Working models & rules of target application
    • Working integration of MOP components
  • Architecture Visualizer (demo shown in AWDRAT)
    • Event-Sequence diagrams
    • Architecture dataflow

32
Accommodations
  • Java code base
    • Ported wrapper infrastructure
  • Planning Application (harm is in future)
    • Defined Harm as publishing a harmful plan
  • Available JBI components to wrap
    • Detailed on next slide

33
Event Diagram Demo
34
First SRS Tech Transition
  • Architecture Visualizer used in HURT (IXO)
    • Animated Event Sequence Diagram
    • Animated Dataflow Architecture

35
MOP Execution Architecture
[Figure: MOP execution architecture diagram; the only label that survived extraction is "JBI Server".]
36
Detecting Harmful Actions Demo
37
Howie Slides Here
38
Detecting Malicious Intent Demo