LINK EPA Requirements, audit & Safety

Transcription

1 2008 Visualization and Controls Peer Review NSTB Program Washington, DC October 21-22, 2008 Anomaly Detection and Distributed Active Response for Proce Control Systems Oak Ridge National Laboratory

2 Summary Slide: Silent Storm Outcomes: Actively monitor network; Use advanced statistical methods; Perform anomaly detection Correlate and Share information; Actively respond to threats; and Self-heal NSTB Goal: Deploying next-generation control systems that include capabilities for intrusion detection, prevention, and event correlation Approach: Extend present intrusion protection capability Use advanced statistical methods Leverage existing distributed network sensing framework Collect network traffic at the protocol level Perform anomaly detection analysis and actively respond Progre/accomplishments: Developed program and security plans; Documented architecture and API; Developed: detection sensor, secure communications, active response algorithms, and self-healing subsystem; Performed spiral testing; and Initiated the deployment of a test system. Silent Storm Distributed Architecture Schedule: Prototype demonstration by 1-Dec Funding: $250K Image Performers: ORNL Louis Wilder PI, Dr. Chris Griffin CoPI, Bob Schlicher SW SME, Dr. James Nutaro M&S, Joe Gracia PM Partners: Siemens, TVA, & EnerNex

3 Technology Transfer/Collaboration Cooperative Research and Development Agreement (CRADA) Nondisclosure Agreement Licensing Agreement Nondisclosure Agreement Collaboration Siemens Energy & Automation Tenneee Valley Authority (TVA) EnerNex of Tenneee

4 Next Steps Follow-up Work Enhance methods of attack detection Establish normal traffic patterns Collaborate with Siemens develop traffic profiles Develop heuristic identification and attack correlation Apply existing pattern recognition and data fusion techniques on attack scenarios Collaborate with Siemens and TVA Deliverables: Demonstrate and Report capability Perform anomaly detection and active response

5 Simple Silent Storm Deployment Alerts and Detection Correlation Sunspot (SS) Configurable Plug-in Architecture Secure Communications Multi-Node Deployment Secure Communications Allows Alert Analysis for Detection Correlation Host and Network based detection Configurable based-on plug-in Architecture In-Line Appliance: Sun SPOT platform- SOC w/180 mhz ARM proceor

6 Architectural Overview Each SS node, extensible framework miion controller built-in plug-in cyber adapter custom payload Ubiquitous Network Transient Autonomous Miion Entity (UNTAME) Framework Heuristic Identification and Tracking of Insider Threat (HIT-IT)

7 Response Screen 3D Graphics Situational Awarene Active Response

8 Response Screen Alert: Unknown Attack Detected Auto-response: Router x-1 is blocking the traffic stream Device is isolated from network 3D Graphics Situational Awarene Active Response Undo this Auto-response Indicate as False Positive Take Additional Actions Accept

9 Normality Learning A multi-layer statistical model identify models locally stationary behaviors masked jumps between behavior. Construct Models from data stream multi-spatial-temporal resolution Results optimal multi-layer model of normal behavior. Extensions to this approach multi-layer transfer function models use upper-layer Symbolic Transfer Functions and lower level non-linear Box- Jenkins (r,s,k) models. η X=f x Y=f y Z=f z α X=f x Y=f y Z=f z Local fit X=f x Y=f y Z=f z X=g x Y=g y Z=g z

10 Anomaly Detection (2) Derived models will be used to predict future behaviors and will provide confidence intervals on those behaviors. Similar to dynamic control chart Expected behavior will not lie outside predicting confidence regions Abnormal behaviors will lie outside of predicted regions and will cause alerts. This approach can be extended to multi-level transfer functions.

11 Anomaly Detection Proce Off-Line Learning Traffic/Symbolization Model Building Normality Learning

12 On-Line Learning Traffic/Symbolization Model Building Anomaly Detection Anomaly Detection Proce(2)

13 Research Differentiators Current models of network traffic (e.g., NetFlo) are not robust enough Our approach analyzes data at multiple levels of resolution and is robust to non-stationarity High false-positive rate Learned normal behaviors to avoid false positives Too much data and too many low-level alerts for human operators Distributed analysis helps eliminate operator s burden Current Manual Responses are not fast enough Distributed proceing improves speed Lag-time between new exploits and response Active response via plug-in framework

14 Key Capability at Conclusion Key step toward eiroadmap challenge Control system networks that will automatically provide contingency and remedial actions in response to attempted intrusions A distributed, intelligent, self-healing intrusion detection and prevention system capable of active response Unique statistical learning approach for anomaly detection Unique, distributed approach Attack detection and claification that considers temporal dynamics and non-stationary sum-of-behaviors approach. Active, near-real-time response and defense Operator Situational Awarene and Event Correlation

15 Oak Ridge National Laboratory: Meeting the challenges of the 21st century Official Use Only Louis Wilder Project Investigator Cyberspace Sciences & Information Intelligence Research (CSIIR) Phone: (865)

16 Anomaly Detection Statistical Architecture Preproceor Vector R n Symbol A Build Model of Normal Vector R n Symbol A Compare to Prediction from Model Yes, predicted or inbound No, more analysis

17 Current State of Intrusion Detection/Protection Systems (IDPS) IDPSs monitors network or system activities for malicious behavior and reacts in near real-time to prevent the unwanted behavior.. Host-based Heuristic analysis Network-based Rule-based (signatures) IDPS Limitations Cannot discover novel attacks Poor detection performance Cannot survive while under attack No correlation of Sophisticated attacks

18 Other Intrusion Detection System FEATURE EMERALD Prelude IDS D-WARD COSSACK CATS Host OR Network-Based Host Both Net Net Net Knowledge-based (KB) OR Anomaly Detection (AD) Both KD AD AD Both Autonomous OR Interdependent OR Cooperative Interdep. Interdep. Autonon. Coop. Coop.

19 ORNL Can Make Key Contributions FEATURE EMERALD Prelude IDS D-WARD COSSACK CATS ORNL Host/Network-based Host Both Net Net Net Both Knowledge-based (KB) Anomaly Detection (AD) Both KD AD AD Both Both Autonomous Interdependent Cooperative Interdep. Interdep. Autonon. Coop. Coop. Autonon. Coop. Novel improvements: Addre insider threat via host-based analysis Lower false positive via learned normal behavior Active, near-real-time response via distributed approach

20 Silent Storm Distributed System Silent Storm is a computational intelligence framework capable of self-healing, communication that can be extended by plug-ins and controlled by miion scripts. Its core architecture is designed to enable it to organically add capabilities through the use of code plug-ins. The miion-oriented nature of the framework allows it to be remotely controlled via communications bursts, rather than continuously streaming instructions. Establish Anomaly Detection SS => Silent Storm WS => Web Services CS => Collection Services C => Communications relay Proce Rules Silent Storm µdaemon Establish Secure Comm Operator Console Do Network Survey ws Proce Rules determines the selection, order, and timing for the surveys, executions, scans, and reports c cs Silent Storm Nodes Proce Rules Silent Storm µdaemon Proce rules with no operations

21 Anomaly Detection Proce On-Line Learning Traffic/Symbolization Model Building/Detection