Overview of UA Ongoing Cybersecurity Projects The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your computer, and then open the file again. If the red x still appears, you Salim Hariri, UA-Site-Director NSF Cloud and Autonomic Computing Center hariri@email.arizona.edu nsfcac.arizona.edu (520) 621-4378 First Franco-American Workshop October 17-18, 2013, Lyon France
On Going UA CAC Projects Supported by: NSF, AFOSR, ARL, AFRL, Intel, IBM, Microsoft, Raytheon, Imaginestics, ISCA Corp, AVIRTEK and Rubio Pharma • Intrusion Resilient Cloud Services • AuDIT: Automated Detection of Insider Threat • 4.2 Million NSF Award for Cybersecurity Scholarship for Service Project at The University of Arizona • 1.2 Million NSF Award – Hacker Web: Securing Cyber Space: Understanding the Cyber Attackers and Attacks via Social Media Analytics • Ask CyPert about Cybersecurity Education and Training Programs • Autonomic Software Protection System (ASPS), and Critical Infrastructure Protection (ACIP) System • Smart Buildings and Environments • Anomaly based Detection of Attacks on Wireless Ad Hoc Networks • Autonomic Management of Data Center and Cloud Resources • Autonomic Programming Paradigm First Franco-American Workshop October 17-18, 2013, Lyon France
Cyber Security Challenges • Cyberspace complexity and dynamism make it infeasible for humans to effectively secure and protect • Current techniques are manual driven, mainly signature base, reactive, and not robust or resilient • Autonomic Cyber Security (ACS) is a promising paradigm to address current and future cybersecurity challenges First Franco-American Workshop October 17-18, 2013, Lyon France 3
Autonomic Cyber Security (ACS) . Need Biological Like Cyber Nervous System (CNS) that we refer to as ACS. ACS can secure and protect software systems, hardware - without requiring resources and our conscious effort information services when we run, it without conscious increases our heart involvement of users or system administrators and breathing rate First Franco-American Workshop www.ece.arizon October 17-18, 2013, Lyon France aledu/~hpdc
ACS Development Methodology Close Ports Change Policies Monitoring Isolate router Automated Feature Semi Selection Automated Actions Cyberinfr astructure Risk and Aggregate Impact and Correlate Analysis Anomaly Behavior Analysis First Franco-American Workshop October 17-18, 2013, Lyon France
ACS Capabilities Developing an innovative technology to build Autonomic � Cyber Security (ACS) with capabilities similar to the human nervous system , – Software systems, computers, and networks that can self- manage and proactively protect themselves in real-time with little or no involvement of users or system administrators . – These systems just focus on functions they provide while the ACS performs what is necessary to self-protect their operations and services. First Franco-American Workshop October 17-18, 2013, Lyon France
ACS Key Components Automated and Integrated Management (AIM) � Methodology Appflow: A data structure that captures the current � state of the system Anomaly Behavior Analysis (ABA) Methodology – low � false alarms, and successfully implemented to TCP, UPD, IP, MAC, DNS, HTTP, WiFi, Modbus, etc. Self-Management: It is a software engine to provide � automated and adaptive management services for hardware/software resources Software Behavior Encryption (SBE) � – Based on Moving Target Defense (MTD) technique First Franco-American Workshop October 17-18, 2013, Lyon France
CAC Cybersecurity Test-beds Wireless Test-bed Private Cloud Smart Grid ! Smart Building GPU Cluster Hos GPU t Multiprocessor 1 Multiprocessor N Shared Memory Mac Shared Memory hine Regist Regist Regist Regist ers ers ers ers … … Process Processo Processo Process or 1 r 8 r 1 or 8 Host Constant Memory Main Texture Memory Mem Global Memory ory First Franco-American Workshop October 17-18, 2013, Lyon France
Application Flow (Appflow) A data structure used for holding the monitored features associated with all resources used by an application at runtime Similar to the biological measurements (heart rate, body temperature, blood pressure, cholesterol, etc. First Franco-American Workshop October 17-18, 2013, Lyon France
AppFlow Behavior at Runtime transient AppFlow behaviour = f ( SysCall ) steady-state behaviour t safe operating zone d z anomalous operating zone d z ss decision t d z d z t ss ss t AppFlow = f ( Cpu, Mem, IO, Net ) Time First Franco-American Workshop October 17-18, 2013, Lyon France
Anomaly Behavior Analysis (ABA) ABA performs fine-grained � behavior analysis of applications, software Application Layer Application Layer Payload Payload Behavior Analysis Behavior Analysis systems, and protocols to DB DB determine whether they are Transport Layer Transport Layer operating normally or not Behavior Analysis Behavior Analysis Decision Fusion The only assumption it � Network Layer Network Layer makes that we know how Behavior Analysis Behavior Analysis Flow Flow the analyzed component DB DB behaves when it is operating Link Layer Link Layer Behavior Analysis Behavior Analysis normally This allows us to detect any � - Analysis Multi-Level Behavior NetFlow & AppFlow unknown attacks (zero Online Monitoring : attack detection) First Franco-American Workshop October 17-18, 2013, Lyon France
Application Behavior Analysis: AppFlow based Methodology Features Application Application Application Aggregation Execution Features Monitoring and Environment Selection Correlation Application Flow Repository First Franco-American Workshop October 17-18, 2013, Lyon France
Application Behavior Analysis Run Time Environment Training Current Application Next State State Knowledge Flow prediction Detection Repository Decision Application Behavior Analysis and Resources Allocation Engine First Franco-American Workshop October 17-18, 2013, Lyon France
TCP Behavior Analysis Training 2 ¡ 2/18 ¡ 2 ¡ 2/18 ¡ 16 ¡ 18/16 ¡ 1 ¡ 1/16 ¡ 1 ¡ 1 ¡ 16 ¡ 1/16 ¡ ( ¡ Normal ¡/ ¡ Abnormal) ¡ 16 ¡ 16 ¡ N-‑gram ¡ Database ¡ 1/16 ¡ First Franco-American Workshop October 17-18, 2013, Lyon France
Statistical Distribution of System Calls (Normal vs Abnormal) Fault Injection Time Point SysCall Abnormal Transaction Normal Transaction First Franco-American Workshop 11/12/13 15 October 17-18, 2013, Lyon France
Automated and Integrated Management (AIM) Engine First Franco-American Workshop October 17-18, 2013, Lyon France
ANOMALY BEHAVIOR ANALYSIS (ABA) OF DNS PROTOCOL First Franco-American Workshop October 17-18, 2013, Lyon France
Anomaly Behavior Analysis (ABA) Methodology Application Layer Application Layer Payload Payload Behavior Analysis Behavior Analysis DB DB Transport Layer Transport Layer Behavior Analysis Behavior Analysis Decision Fusion Network Layer Network Layer Behavior Analysis Behavior Analysis Flow Flow DB DB Link Layer Link Layer Behavior Analysis Behavior Analysis - Analysis Multi-Level Behavior NetFlow & AppFlow Online Monitoring : First Franco-American Workshop October 17-18, 2013, Lyon France
DNS Behavior Analysis Unit First Franco-American Workshop October 17-18, 2013, Lyon France
DNS Attacks Cache Poisoning � DNS Hijacking � DNS Amplification � DDoS � Origination Modification � Zone Transfer � First Franco-American Workshop October 17-18, 2013, Lyon France
DNS Behavior Analysis Unit First Franco-American Workshop 11/12/13 21 October 17-18, 2013, Lyon France
DNS BAU Results The anomaly score distribution for different type of attack traffic First Franco-American Workshop October 17-18, 2013, Lyon France
DNS Results ROC (Receiver Operating Characteristics) for different n-gram sizes. First Franco-American Workshop October 17-18, 2013, Lyon France
ABA for WiFi (802.11) Protocol ! First Franco-American Workshop October 17-18, 2013, Lyon France
Recommend
More recommend
