a stochastic model for intrusions
play

A Stochastic Model for Intrusions Robert P. Goldman - PowerPoint PPT Presentation

Mar 07, 2024 •108 likes •433 views

A Stochastic Model for Intrusions Robert P. Goldman rpgoldman@sift.info Interface 2003 1 Topic Topic area: Computer and Network Intrusion Detection Subject: A technique for stochastic modeling of goal-directed computer network intruders

  1. A Stochastic Model for Intrusions Robert P. Goldman rpgoldman@sift.info Interface 2003 1

  2. Topic Topic area: Computer and Network Intrusion Detection Subject: A technique for stochastic modeling of goal-directed computer network intruders Benefits: Provides for repeatable tests in computer intrusion detection and supports cyber wargaming Approach: Use techniques from Artificial Intelligence to provide simulated attackers that act (somewhat) rationally to achieve their goals Interface 2003 27 September 2003 2

  3. Definition of Intrusion Detection What is intrusion detection? The state of the art? � Current sensors have very high false positive rates (base rate problems, systematic errors); � Many current sensors have difficulties with novel attacks; � No agreement among sensors about the phenomena to be detected. Intrusion detectors (IDSes) are sensors whose sensitivity is very difficult to assess � Difficult to test them in realistic environments; � Difficult to identify features that affect their sensitivity; � Varying frames of reference and fields of vision; � Lack of access to sensors’ internals; � Lack of labeled data. Intrusion detector fusion: Fuse reports from multiple IDSes to overcome blind spots, incorporate context, etc. Interface 2003 27 September 2003 3

  4. Problem We need to be able to carry out repeatable tests with computer intrusions � To evaluate intrusion detection and response research � To train and prepare for intrusions Unfortunately, with the current state of the art, this is too difficult � Requires set-up and destruction of specially-tailored networks Particularly true for research involving coordinated attacks, and exploitation of intrusions � With human attackers, difficult to carry out repeated trials. Interface 2003 27 September 2003 4

  5. Simulations We need simulated attacks on simulated networks. We need simulated attackers � So that we can repeat and replay attacks for experimentation; � So that we can vary attacks in controlled ways; � But our simulated attackers must react to their environments: closed-loop attack controllers. Simulations don’t replace real-world experiments, but they are an invaluable supplement. This work aims to simulate extended, goal- directed attacks , and was originally intended to support intrusion report fusion. Interface 2003 27 September 2003 5

  6. Example Use Attacker Sensor Models Event Stream Simulator IDS Reports IDS Fusion System Enhanced version of function supplied by DARPA CyberPanel Grand Challenge Problem. Interface 2003 27 September 2003 6

  7. Outline Simulation Architecture � Overall structure and what exists in prototype. Event Modeling � What are the building blocks of an intrusion? How do we model them? Attacker Modeling / Attacker Plans � How do we model the process of an attack, composed from the building blocks we’ve developed? � Must incorporate feedback from the environment. Interface 2003 27 September 2003 7

  8. Current Architecture Attacker Plans refers to Simulation Event Model Engine/ feedback Interpreter affects Network Model Interface 2003 27 September 2003 8

  9. Proposed Future Additions Attacker Population Model – What sort of attackers? What are their objectives? � “Ankle-biters,” criminals, terrorists, spies, etc. � Important to assess response and focus on most important threats. Sensor Models Background Traffic Model – What is the authorized traffic on the network? � Important to assess countermeasures. � Important to predict false positive IDS reports. Defender Plans and Defender Actions Interface 2003 27 September 2003 9

  10. Intrusion Event Modeling Model exploits with preconditions and postconditions [Cuppens & Ortalo;Templeton & Levitt; Lindquist et al]. What are semantics of preconditions and postconditions? � E.g., most preconditions are preconditions for successful execution not execution per se. [logs show many unsuccessful attempts at intrusion] To experiment and simulate, we must be able to predict the effects of an action (exploit or other) on a particular network, whether successful or not. Interface 2003 27 September 2003 10

  11. The Frame Problem The (little-F) Frame Problem – When an action is executed, what does not change? � What is independent of my action? The Ramification Problem – What changes are indirectly caused by the action? � E.g., I paint an object; all of its parts are also painted… Qualification Problem – What are all the conditions necessary to make an action feasible? � Relatively easy to name some necessary conditions, but getting all the sufficient conditions is more difficult… Ramification and Qualification problems closely related to database integrity constraints Interface 2003 27 September 2003 11

  12. The Situation Calculus Action representation formalism [McCarthy & Hayes; Reiter; Levesque; etc.] Dialect of First Order Logic Provides solutions to the Frame problem Action representations are decomposed into: � Action Precondition axioms � Successor State axioms With appropriate closure assumptions, the above provide a solution to the frame problem These representations are also relatively natural for modeling An efficient, special-purpose prover can project the effects of a sequence of actions in a given situation Interface 2003 27 September 2003 12

  13. Action Precondition Axioms Poss(login(user, host), s) ≡ atconsole(user,host,s) “A user can login to a host in a situation, if that user is at the console of that host.” Note that possibility of an action is a much weaker notion than the conventional precondition used in other attack modeling languages. Consider the preconditions for attempting a buffer overflow, for example. Interface 2003 27 September 2003 13

  14. Successor State Axioms Poss(a, s) → { loggedin(user, host, do(a,s)) ≡ [a = login(user,host) or (loggedin(user,host,s) and a ≠ logout(user, host)) ] } “A user will be logged in to host after doing an action, if the action is logging in, or the user was logged in and the action is not logging out.” Interface 2003 27 September 2003 14

  15. Practical Matters Precondition and Successor State axioms can be derived from more natural, modular specifications. simple_action(add_oracle_account(Session, Host, UID, Password), [knows_pass(Host, UID, oracle)=true, known_service(Host, oracle)=true, valid_uid(UID, Host, oracle)=true, password(Host, oracle, UID, Password)=true], runs(Host, oracle), root_session(Session,Host)). Interface 2003 27 September 2003 15

  16. Goal-Directed Attack Modeling Now we can project the effects of individual actions but we want extended, goal-directed attacks Two parts to solution: 1. Golog provides methods for embedding situation calculus actions into procedures 2. Goal-directed procedure invocation added to Golog permits us to model rational, goal- directed agents Interface 2003 27 September 2003 16

  17. Golog Need to package actions into procedures Golog extends situation calculus semantics to procedures with � Sequences � Nondeterminism � Conditionals � Variable binding � Concurrency � Loops � Constructs taken from conventional programming language temporal logics Can project effects of executing procedures with augmented situation calculus prover Interface 2003 27 September 2003 17

  18. Sample Procedures proc login(host) if console_access(host) then ( π u)?known_uid(u,host); ( π s)? login(host, u, s) end Variable binding proc ip_spoof(host) ( π t)?trusted(host, t); DoS(t)  spoof_to(host, t) end Parallel composition Interface 2003 27 September 2003 18

  19. Helpful, but Not Sufficient Modeling: � Not enough to model an agent whose objective is to deface a web server and who will use all the methods at his/her disposal to achieve that goal. Engineering: � Not convenient to add new means to, for example, achieve the goal of acquiring root privilege. � We want to be able to add new events and tactics freely and have them used within existing tactics. Dynamically generated attack trees. Interface 2003 27 September 2003 19

  20. Goal-directed Procedure Invocation Need to model agents (attackers) that choose methods appropriate to their goals Goals may employ subgoals Goals are persistent Subgoals should come and go with parent goals Subgoaling gives modularity advantages We have provided constructs for goal-directed procedure invocation within the semantics of Golog (and a Golog prover) We have developed attacker tactics that employ goals and subgoaling Interface 2003 27 September 2003 20

  21. Sample Procedure with Goals KA user_to_root(h) ( π s)? logged_into(h, s); achieve_goal(root_priv(s)) to achieve root_privileged_on(h) when logged_into(h) “To get root privilege on a host, if you are logged into that host, escalate the privilege of that login session.” Note that the attacker may now try multiple means to achieve root privilege on a session, if the first one fails. Or the attacker may back up and try an alternative KA at this level. Method choice and response to failures are stochastic. Interface 2003 27 September 2003 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Stochastic six vertex model Ivan Corwin (Columbia University) Stochastic six vertex 1 Page 1

Stochastic six vertex model Ivan Corwin (Columbia University) Stochastic six vertex 1 Page 1

Stochastic six vertex model Ivan Corwin (Columbia University) Stochastic six vertex 1 Page 1 Goals of first hour Physical goal: Uncover nonequilibrium Kardar-Parisi-Zhang (KPZ) universality class behavior in the equilibrium six vertex model

672 views • 40 slides
Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks

Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks

Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks Suggests need to learn/adapt to new attacks or changes in behavior Detect intrusions in timely fashion May need to be be real-time,

638 views • 29 slides
Limiting Spectral Distribution of Stochastic Block Model Yizhe Zhu University of Washington

Limiting Spectral Distribution of Stochastic Block Model Yizhe Zhu University of Washington

Limiting Spectral Distribution of Stochastic Block Model Yizhe Zhu University of Washington December 30, 2016 SJTU Joint Work with Ioana Dumitriu Overview Semicircle Law 1 Erd os R enyi random graph 2 Stochastic Block Model 3

615 views • 42 slides
System Intrusions Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois

System Intrusions Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois

CS 563 - Advanced Computer Security: System Intrusions Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI) Administrative Learning Objectives : Survey broad topics in the system intrusions area

730 views • 34 slides
A stochastic model for biological neuronal nets Antonio Galves Eva L ocherbach First Workshop

A stochastic model for biological neuronal nets Antonio Galves Eva L ocherbach First Workshop

The model Correlation of neighboring inter-spike intervals Hydrodynamical limit in a mean field model A stochastic model for biological neuronal nets Antonio Galves Eva L ocherbach First Workshop of FAPESPs center for Neuromathematics,

1.54k views • 84 slides
Lower bounds for the Stock Price density in a Local-Stochastic Volatility Model V. Bally and S.

Lower bounds for the Stock Price density in a Local-Stochastic Volatility Model V. Bally and S.

Lower bounds for the Stock Price density in a Local-Stochastic Volatility Model V. Bally and S. De Marco Vlad Bally Universit de Marne-la-Valle and quipe Math October 2010 Local - Stochastic Volatility models We consider the model

523 views • 14 slides
What If We Only Have Stochastic . . . What if the Stochastic . . . Approximate Stochastic

What If We Only Have Stochastic . . . What if the Stochastic . . . Approximate Stochastic

In Finance, We Need . . . How to Make . . . From a Theoretical . . . How to Make . . . What If We Only Have Stochastic . . . What if the Stochastic . . . Approximate Stochastic Additional Reasonable . . . Dominance? The Assumption 0 < .

550 views • 15 slides
A Fast Mean-Reverting Correction to Hestons Stochastic Volatility Model Jean-Pierre Fouque 1

A Fast Mean-Reverting Correction to Hestons Stochastic Volatility Model Jean-Pierre Fouque 1

Heston Model Multiscale Model Numerical Work A Fast Mean-Reverting Correction to Hestons Stochastic Volatility Model Jean-Pierre Fouque 1 Matthew J Lorig 2 1 Department of Statistics & Applied Probability University of California - Santa

762 views • 35 slides
Stochastic Model Predictive Control for Outline Gust Alleviation during Aircraft Carrier

Stochastic Model Predictive Control for Outline Gust Alleviation during Aircraft Carrier

tugraz Stochastic Model Predictive Control for Outline Gust Alleviation during Aircraft Carrier Motivation Stochastic Landing MPC formulation Aircraft and gust modeling Numerical Gaurav Misra and Xiaoli Bai Results Conclusions

341 views • 20 slides
FX Derivatives: Stochastic-Local-Volatility Model Uwe Wystup Fr ed eric Bossens, Andreas

FX Derivatives: Stochastic-Local-Volatility Model Uwe Wystup Fr ed eric Bossens, Andreas

Review Vanna Volga Stochastic-Local-Volatility Mixture Local Volatility Model Summary FX Derivatives: Stochastic-Local-Volatility Model Uwe Wystup Fr ed eric Bossens, Andreas Weber MathFinance AG uwe.wystup@mathfinance.com July 2020

1.11k views • 68 slides
Part 3 Markov Chain Modeling Markov Chain Model Stochastic model Amounts to sequence of

Part 3 Markov Chain Modeling Markov Chain Model Stochastic model Amounts to sequence of

Part 3 Markov Chain Modeling Markov Chain Model Stochastic model Amounts to sequence of random variables Transitions between states State space 2 Markov Chain Model Stochastic model Amounts to sequence of random variables

500 views • 35 slides
A hierarchical model for micro-level E.A. Valdez stochastic loss reserving joint work with K.

A hierarchical model for micro-level E.A. Valdez stochastic loss reserving joint work with K.

A hierarchical model for micro-level stochastic loss reserving A hierarchical model for micro-level E.A. Valdez stochastic loss reserving joint work with K. Antonio 1 and E.W. Frees 2 Motivation Data 44th Actuarial Research Conference

679 views • 28 slides
What Landowners Need to Know about Intrusions on Surface Use 1 Big Picture Phase 1: Company

What Landowners Need to Know about Intrusions on Surface Use 1 Big Picture Phase 1: Company

What Landowners Need to Know about Intrusions on Surface Use 1 Big Picture Phase 1: Company or agency study Engineering, environmental, etc. Phase 2: Routing Phase 3: Land acquisition (condemnation) Phase 4: Construction 2

765 views • 39 slides
A continuous time stochastic model for biological neural nets Leonardo Nagami Coregliano IME

A continuous time stochastic model for biological neural nets Leonardo Nagami Coregliano IME

A continuous time stochastic model for biological neural nets Leonardo Nagami Coregliano IME Universidade de So Paulo This work was partially supported by CAPES and FAPESP grant no. 2013/23720-9 Our main goals To model mathematically

474 views • 13 slides
Entropy Estimation on the Basis Stochastic Model of a Stochastic Model Werner Schindler Bundesamt

Entropy Estimation on the Basis Stochastic Model of a Stochastic Model Werner Schindler Bundesamt

Entropy Estimation on the Basis of a Entropy Estimation on the Basis Stochastic Model of a Stochastic Model Werner Schindler Bundesamt f ur Sicherheit in der Werner Schindler Informations- technik Bundesamt f ur Sicherheit in der

402 views • 21 slides
Stochastic Processes Will Perkins March 7, 2013 Stochastic Processes Q: What is a Stochastic

Stochastic Processes Will Perkins March 7, 2013 Stochastic Processes Q: What is a Stochastic

Stochastic Processes Will Perkins March 7, 2013 Stochastic Processes Q: What is a Stochastic Process? A: A collection of random variables defined on the same probability space and indexed by a time parameter. { Z t } t T where each Z

1.52k views • 17 slides
Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A

Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A

Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A security breach/attack is defined as an event in which a corporations network is compromised or an individuals name plus Social Security Name (SSN),

890 views • 12 slides
Protect Yourself While Conducting Business Virtually In The Time Of COVID-19 What you can do to

Protect Yourself While Conducting Business Virtually In The Time Of COVID-19 What you can do to

Protect Yourself While Conducting Business Virtually In The Time Of COVID-19 What you can do to protect your business and experience uninterrupted productivity during a new work-from-home reality . Agenda da Who is vulnerable Whats

266 views • 13 slides
Secure Passwords Through Enhanced Hashing Benjamin Strahs, Chuan Yue, and Haining Wang The

Secure Passwords Through Enhanced Hashing Benjamin Strahs, Chuan Yue, and Haining Wang The

Secure Passwords Through Enhanced Hashing Benjamin Strahs, Chuan Yue, and Haining Wang The College of William and Mary Passwords The most common online authentication method Something you know instead of something you have (hardware

559 views • 29 slides
Internet Overview Linking the world one computer at a time Unit Objectives: What is the

Internet Overview Linking the world one computer at a time Unit Objectives: What is the

Internet Overview Linking the world one computer at a time Unit Objectives: What is the Internet How to connect. Define things facilitated on the Internet Describe how to connect to the Internet from your home, and the use

742 views • 17 slides
Communication security over the Internet The big picture Me Internet Resource Internet

Communication security over the Internet The big picture Me Internet Resource Internet

Communication security over the Internet The big picture Me Internet Resource Internet Server Client Attack vectors MAN DNS LAN Client Internet Back Bone Router Networking WWW overview MITM (Man In The Middle) 3 2 4 5 LAN

244 views • 23 slides
Navigating the New Section 2704 Discount Valuation and Transfer Regulations: What Estate Planners

Navigating the New Section 2704 Discount Valuation and Transfer Regulations: What Estate Planners

Presenting a live 90-minute webinar with interactive Q&A Navigating the New Section 2704 Discount Valuation and Transfer Regulations: What Estate Planners Must Do Now TUESDAY, OCTOBER 11, 2016 1pm Eastern | 12pm Central | 11am

1.02k views • 91 slides
Requirements, IRC 2704 Discounting Regulations Ensuring Current and Future Estate Plans and Trusts

Requirements, IRC 2704 Discounting Regulations Ensuring Current and Future Estate Plans and Trusts

Presenting a live 90-minute webinar with interactive Q&A Massive Estate Planning Changes for 2016 and Beyond: Meeting New IRS Basis Consistency Requirements, IRC 2704 Discounting Regulations Ensuring Current and Future Estate Plans and

717 views • 69 slides
SUSE Manager 174 174 SUSE Manager HEALTH MONITORING Best-in-class open source infrastructure

SUSE Manager 174 174 SUSE Manager HEALTH MONITORING Best-in-class open source infrastructure

SUSE Manager 174 174 SUSE Manager HEALTH MONITORING Best-in-class open source infrastructure management solution designed to help your enterprise DevOps and IT Operations teams to: Asset Management Optimize operations while reducing

260 views • 22 slides

More recommend