A Biologically Inspired Approach to Network Vulnerability Identification

Transcription

1 A Biologically Inspired Approach to Network Vulnerability Identification Evolving CNO Strategies for CND Todd Hughes, Aron Rubin, Andrew Cortese,, Harris Zebrowitz Senior Member, Engineering Staff Advanced Technology Laboratories

2 Presentation Outline 1. Cyber Attack Workstation 2. Problem Description 3. Rule Discovery Engine 4. Virtual Network Simulator 5. Approach 6. Experiment 7. Results 8. Conclusion and Future Work 10/30/03 2

3 Cyber Attack Workstation Reconnaissance Reconnaissance and Attack Tool Automation Automates the process of monitoring and attacking network Provides library of intelligence gathering, penetration, and denial of service tools for use through single interface Allows user with little experience in hacking to test attack mechanisms Tool Options Account for for Risk Exploit Options Defense through Understanding of the Offense 10/30/03 3

4 Cyber Attack Workstation Is it possible to learn robust cyber reconnaissance campaigns? 10/30/03 4

5 Problem Description Learn robust cyber reconnaissance campaigns Use genetic algorithm and network simulation to evolve reconnaissance campaigns Facilitate automated covert reconnaissance of unknown network Benefit Automate discovery of vulnerabilities of known network Leveraged technology Virtual Network Simulator Rule Discovery Engine 10/30/03 5

6 Virtual Network Simulator Developed by ATL and Atlantic Consulting Services for US Army CECOM Information assurance specialist training Operational planning and vulnerability assessment Exercise support and situation awareness Capabilities Provides real-time, interactive, visual simulation to exhibit attack effects and user reconfigurations Simulates up to 50,000 node networks Faster than and equal to real-time Easy to configure and operate Simulates actual security management systems Logs, reports, and allows after action review 10/30/03 6

7 VNS Overall Architecture SQL Database Attack, software, OS, etc. descriptions Selects and initiates attacks Instructor VNS Attack Launcher Configures scenario Student Configures and monitors network Responds to attacks VNS Network Simulator Runtime Infrastructure (RTI) Rapidly configures and simulates tactical network scenarios Capable of modeling operationally specific layouts and displays 10/30/03 7

8 VNS Models Hosts Routers Bridges Relays Services Ports Firewalls IDS Attacks Wired Wireless Traffic 10/30/03 8

9 Rule Discovery Engine Uses genetic algorithms to evolve rules that define a control strategy Given a pool of sensory inputs and elementary behavior units, generates and catalogs behavior rules for complex situations Rules are then arbitrated and used depending on the conditions of a simulated environment Rules evolve over a series of generations, guided by a fitness function Based on ECJ (Java-based Evolutionary Computation and Genetic Programming Research System) from George Mason University 10/30/03 9

10 RDE-VNS Framework Behavior Pool VNS Attack Launcher RDE VNS Network Simulator Evolved Recon Strategies RDE interfaced with VNS Filled instructor role Runtime Infrastructure (RTI) RDE selected behavior rules, calculated fitness for rules, evolved subsequent rules 10/30/03 10

11 Approach For genetic algorithm, we developed a novel representation and sequential macro replacement scheme Each individual rule contained a series of actions Port scan Traceroute Fingerprint Time delay Network Discovered Initial IP GA Data Actions Detection Rate VNS As campaign progressed, macros dynamically replaced with network data as it was discovered 10/30/03 11

12 Representation Technique Each individual represented a series of action types, including time delays Use 4-bit opcodes (16 possible values) to represent each action An individual is then simply a bit string made up of a series of opcodes Each action contained macros that were dynamically replaced with data specific to the current individual i.e., network data already discovered 10/30/03 12

13 Fitness Assumptions Less time for an individual is better Lower detection rate is better More network information is better Higher score given for port than node information Fitness = Network Discovered Time of Run + Detection 10/30/03 13

14 Experiment 180 trials Two variables Three simulated networks Three intrusion detection sensitivity levels Trained GA on each network individually Trained on one, tested on other two 10/30/03 14

15 Results TBD 10/30/03 15

16 Conclusion and Future Work Conclusion Successfully demonstrated an architecture which can automatically generate an effective reconnaissance campaign Future Work Experiment with penetration attack campaigns exploiting vulnerabilities on victim network Experiment with alternative fitness function 10/30/03 16

17