Joshua W. Haines
Massachusetts Institute of Technology
Publication
Featured research published by Joshua W. Haines.
ieee symposium on security and privacy | 2002
Oleg Sheyner; Joshua W. Haines; Somesh Jha; Richard P. Lippmann; Jeannette M. Wing
An integral part of modeling the global view of network security is constructing attack graphs. Manual attack graph construction is tedious, error-prone, and impractical for attack graphs larger than a hundred nodes. In this paper we present an automated technique for generating and analyzing attack graphs. We base our technique on symbolic model checking algorithms, letting us construct attack graphs automatically and efficiently. We also describe two analyses to help decide which attacks would be most cost-effective to guard against. We implemented our technique in a tool suite and tested it on a small network example, which includes models of a firewall and an intrusion detection system.
recent advances in intrusion detection | 2000
Richard P. Lippmann; Joshua W. Haines; David J. Fried; Jonathan Korba; Kumar Das
An important goal of the ongoing DARPA intrusion detection evaluations is to promote development of intrusion detection systems that can detect stealthy attacks which might be launched by well-funded hostile nations or terrorist organizations. This goal can only be reached if such stealthy attacks are included in the DARPA evaluations. This report describes new and known approaches and strategies that were used to make attacks stealthy for the 1999 DARPA Intrusion Detection Evaluation. It explains why some attacks used in the initial 1998 evaluation were easy to detect, presents general guidelines that were followed for the 1999 evaluation, includes many examples of stealthy scripts, and includes Perl and shell scripts that can be used to implement stealthy procedures.
darpa information survivability conference and exposition | 2000
Richard P. Lippmann; David J. Fried; Isaac Graf; Joshua W. Haines; Kristopher R. Kendall; David McClung; Dan Weber; Seth E. Webster; Dan Wyschogrod; Robert K. Cunningham; Marc A. Zissman
An intrusion detection evaluation test bed was developed which generated normal traffic similar to that on a government site containing hundreds of users on thousands of hosts. More than 300 instances of 38 different automated attacks were launched against victim UNIX hosts in seven weeks of training data and two weeks of test data. Six research groups participated in a blind evaluation and results were analyzed for probe, denial-of-service (DoS), remote-to-local (R2L), and user-to-root (U2R) attacks. The best systems detected old attacks included in the training data, at moderate detection rates ranging from 63% to 93% at a false alarm rate of 10 false alarms per day. Detection rates were much worse for new and novel R2L and DoS attacks included only in the test data. The best systems failed to detect roughly half of these new attacks, which included damaging access to root-level privileges by remote users. These results suggest that further research should focus on developing techniques to find new attacks instead of extending existing rule-based approaches.
recent advances in intrusion detection | 2000
Richard P. Lippmann; Joshua W. Haines; David J. Fried; Jonathan Korba; Kumar Das
Eight sites participated in the second DARPA off-line intrusion detection evaluation in 1999. Three weeks of training and two weeks of test data were generated on a test bed that emulates a small government site. More than 200 instances of 58 attack types were launched against victim UNIX and Windows NT hosts. False alarm rates were low (less than 10 per day). Best detection was provided by network-based systems for old probe and old denial-of-service (DoS) attacks and by host-based systems for Solaris user-to-root (U2R) attacks. Best overall performance would have been provided by a combined system that used both host- and network-based intrusion detection. Detection accuracy was poor for previously unseen new, stealthy, and Windows NT attacks. Ten of the 58 attack types were completely missed by all systems. Systems missed attacks because protocols and TCP services were not analyzed at all or to the depth required, because signatures for old attacks did not generalize to new attacks, and because auditing was not available on all hosts.
ieee symposium on security and privacy | 2003
Joshua W. Haines; D. Kewley Ryder; L. Tinnel; S. Taylor
The authors describe the first experimental validation of correlation systems with the goal of assessing the overall progress in the field. Their experiment set out to measure the collective ability of correlators to recognize cyber attacks and designate their targets.
ieee aerospace conference | 2002
Lee M. Rossey; Robert K. Cunningham; David J. Fried; Jesse C. Rabek; Richard P. Lippmann; Joshua W. Haines; Marc A. Zissman
The Lincoln adaptable real-time information assurance testbed, LARIAT, is an extension of the testbed created for DARPA 1998 and 1999 intrusion detection (ID) evaluations. LARIAT supports real-time, automated and quantitative evaluations of ID systems and other information assurance (IA) technologies. Components of LARIAT generate realistic background user traffic and real network attacks, verify attack success or failure, score ID system performance, and provide a graphical user interface for control and monitoring. Emphasis was placed on making LARIAT easy to adapt, configure and run without requiring a detailed understanding of the underlying complexity. LARIAT is currently being exercised at four sites and is undergoing continued development and refinement.
darpa information survivability conference and exposition | 2001
S.M. Lewandowski; D.J. Van Hook; G.C. O'Leary; Joshua W. Haines; Lee M. Rossey
This paper describes the architecture of a system being developed to defend information systems using coordinated autonomic responses. The system will also be used to test the hypothesis that an effective defense against fast, distributed information attacks requires rapid, coordinated, network-wide responses. The core components of the architecture are a run-time infrastructure (RTI), a communication language, a system model, and defensive components. The RTI incorporates a number of innovative design concepts and provides fast, reliable, exploitation-resistant communication and coordination services to the components defending the network, even when challenged by a distributed attack. The architecture can be tailored to provide scalable information assurance defenses for large, geographically distributed, heterogeneous networks with multiple domains, each of which uses different technologies and requires different policies. The architecture can form the basis of a field-deployable system. An initial version is being developed for evaluation in a testbed that will be used to test the autonomic coordination and response hypothesis.
International Journal of Critical Infrastructure Protection | 2012
Hamed Okhravi; Adam Comella; Eric Robinson; Joshua W. Haines
Despite the significant effort that often goes into securing critical infrastructure assets, many systems remain vulnerable to advanced, targeted cyber attacks. This paper describes the design and implementation of the Trusted Dynamic Logical Heterogeneity System (TALENT), a framework for live-migrating critical infrastructure applications across heterogeneous platforms. TALENT permits a running critical application to change its hardware platform and operating system, thus providing cyber survivability through platform diversity. TALENT uses containers (operating-system-level virtualization) and a portable checkpoint compiler to create a virtual execution environment and to migrate a running application across different platforms while preserving the state of the application (execution state, open files and network connections). TALENT is designed to support general applications written in the C programming language. By changing the platform on-the-fly, TALENT creates a cyber moving target and significantly raises the bar for a successful attack against a critical application. Experiments demonstrate that a complete migration can be completed within about one second.
international conference on critical infrastructure protection | 2011
Hamed Okhravi; Adam Comella; Eric Robinson; Stephen Yannalfo; Peter Michaleas; Joshua W. Haines
Despite the significant amount of effort that often goes into securing critical infrastructure assets, many systems remain vulnerable to advanced, targeted cyber attacks. This paper describes the design and implementation of the Trusted Dynamic Logical Heterogeneity System (TALENT), a framework for live-migrating critical infrastructure applications across heterogeneous platforms. TALENT permits a running critical application to change its hardware platform and operating system, thus providing cyber survivability through platform diversity. TALENT uses containers (operating-system-level virtualization) and a portable checkpoint compiler to create a virtual execution environment and to migrate a running application across different platforms while preserving the state of the application (execution state, open files and network connections). TALENT is designed to support general applications written in the C programming language. By changing the platform on-the-fly, TALENT creates a cyber moving target and significantly raises the bar for a successful attack against a critical application. Experiments demonstrate that a complete migration can be completed within about one second.
international symposium on architecting critical systems | 2010
Michael N. Gagnon; John Truelove; Apu Kapadia; Joshua W. Haines; Orton Huang
The United States Department of Defense (DoD) is engaged in a mission to unify its software systems towards a “net-centric” vision—where commanders gain advantage by rapidly producing, consuming, and sharing information using service oriented architectures (SOAs). In this paper, we study the cyber survivability of mission-critical net-centric systems, focusing on Ballistic-Missile-Defense (BMD) systems. We propose a net-centric architecture for augmenting the survivability of critical DoD net-centric systems. Our architecture draws inspiration from several theories of warfare, focusing on the goal of giving cyber commanders “decision superiority.” Our architecture prescribes a net-centric decision-support system that implements the Cyber OODA loop (the cycle of observing, orienting, deciding, and acting within the cyber domain). We present an illustration-of-concept prototype implementation, and describe its role in a ballistic-missile exercise. We relate our experiences from this exercise and suggest future directions towards achieving net-centric cyber survivability.