Adap%ve Cybersecurity Technologies: Impact

Transcription

1 Adap%ve Cybersecurity Technologies: Impact Ulf Lindqvist, Ph.D. Program Director, Infrastructure Security Research Computer Science Laboratory SRI Interna%onal Presented at the Belfast 2013 Summit, March 15, 2013 The work by SRI International was funded by U.S. Department of Homeland Security s Science and Technology Directorate. The views and conclusions contained herein are those of the author and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the U.S. Department of Homeland Security or the U.S. government.

2 About SRI Interna%onal SRI is a world- leading R&D organiza%on An independent, nonprofit corpora%on CommiQed to discovery and to the applica%on of science and technology for knowledge, commerce, prosperity, and peace Founded by Stanford University in 1946 Independent in 1970; changed name from Stanford Research Ins%tute to SRI Interna%onal in 1977 More than 2,100 staff members More than 20 loca%ons worldwide Silicon Valley - Headquarters Washington, D.C. Princeton, New Jersey Harrisonburg, Virginia St. Petersburg, Florida State College, Pennsylvania Arecibo, Puerto Rico Tokyo, Japan

3 Adap%ve Cybersecurity Technologies Also known as Moving target Moving defense Dynamic defense No standard defini%ons yet General idea: Increase uncertainty, complexity, and cost for the aqacker Image credit: NIST Baxley/JILA

4 Sta%c Systems and Defenses Allow AQackers to Prac%ce Image credit: GoogleEarth/GeoEye and Bing

5 Current Status of Adap%ve Cybersecurity R&D Priori%zed Requirements Post- R&D Assessments Experiments Outreach Pre- R&D Research agendas Solicita%ons R&D Cybersecurity R&D execution model from: D. Maughan, D. Balenson, U. Lindqvist, Z. Tudor, Crossing the Valley of Death : Transitioning Cybersecurity Research into Practice, in IEEE Security & Privacy Magazine, March/April 2013, to appear

6 Current Status of Adap%ve Cybersecurity R&D Priori%zed Requirements Post- R&D Assessments Experiments Outreach Pre- R&D Research agendas Solicita%ons R&D Cybersecurity R&D execution model from: D. Maughan, D. Balenson, U. Lindqvist, Z. Tudor, Crossing the Valley of Death : Transitioning Cybersecurity Research into Practice, in IEEE Security & Privacy Magazine, March/April 2013, to appear

7 Overview of Current R&D in Adap%ve Cybersecurity Moving Target Na%onal Symposium on Moving Target Research DHS S&T Moving Target Defense Program Dynamic Defense Workshop Socware- defined networking enabling adap%ve techniques Common approaches noted Randomiza%on Decep%on Detec%on Deflec%on/Quaran%ne

8 Moving Target Research Symposium, June 11, 2012 cps- vo.org/group/mtrs

9 DHS S&T: Moving Target Defense Program target- defense/

10 DHS S&T: Moving Target Defense Program contd. Projects awarded under DHS S&T BAA11-02, TTA 12 Moving Target Defense for Secure Hardware Design (Princeton University) Develop hardware solu%on that applies moving target defense to processor cache mapping, preven%ng informa%on leakage from cache side- channel aqacks Appliance for Ac%ve Reposi%oning in Cyberspace (Northrop Grumman Informa%on Systems) Develop network edge hardware device that will change IP addresses across mul%ple separate enclaves at a sub- second frequency over a 10Gb/s network connec%on, to prevent adversary mapping of the aqack surface SBIR Phase I projects funded by DHS S&T 1) Framework managing con%nuous deployment of randomized socware 2) IP hopping system u%lizing IPv6 3) System that removes sta%c aqributes and con%nuously refreshes 4) Binary randomiza%on tool, comprehensively randomizing binary programs 5) Self- cleaning intrusion tolerance integra%ng IDS, IPS, forensics and SIEM

11 Dynamic Defense Workshop at Sandia, Sept. 5-6, 2012 Discussion topics Taxonomies and structures Challenges and opportuni%es Experimenta%on and evalua%on

12 Socware- Defined Networking Enabling Adap%ve Techniques App App App App App App Windows Windows Windows (OS) (OS) (OS) Linux Linux Linux Mac Mac Mac OS OS OS NOX Controller Controller 1 1 (Network OS) Controller Controller Network 22 OS Virtualiza%on layer x86 (Computer) Virtualiza%on or Slicing OpenFlow Computer Industry Network Industry Source: R. Sherwood, S. Das, Y. Yiakoumis, AT&T Tech Talks October

13 FRESCO: Modular Composable Security Services for Socware- Defined Networks (NDSS 2013) FRESCO: an OpenFlow security applica%on framework for rapid design and modular composi%on of OpenFlow- enabled detec%on and mi%ga%on modules

14 Detec%on and Quaran%ne 1: BotHunter and FRESCO

15 Detec%on and Quaran%ne 2: Machine Biometrics and Cocooning Project: Machine- Oriented Biometrics and Cocooning for Dynamic Network Defense (J. J. Haas, J. Hamlet, J.Doak, Sandia Na%onal Laboratories) Cocoon an affected host when an anomaly or event is detected Use socware- defined networking to redirect a subset of suspicious network traffic from real to emulated services with sani%zed data to deceive the aqacker Source:

16 Advanced Adap%ve Detec%on Signature- based detec%on/ preven%on will always be behind the curve SRI has developed A suite of detec%on mechanisms that are based on higher- level models Specialized detec%on mechanisms for protocols used in cri%cal infrastructures Advanced model- based detec%on technologies that reduce false posi%ves and the need for pris%ne training data

17 Summary There are ongoing ac%ve pre- R&D and R&D efforts in Adap%ve Cybersecurity Discussions around metrics and evalua%on have started Frameworks and tools are currently being developed Expect real impact within 2-3 years, when the first tools will have been transi%oned to commercializa%on and deployment

18 Thank You Headquarters: Silicon Valley Ulf Lindqvist SRI Interna8onal 333 Ravenswood Avenue Menlo Park, CA Washington, D.C. SRI Interna8onal 1100 Wilson Blvd., Suite 2800 Arlington, VA Princeton, New Jersey SRI Interna8onal Sarnoff 201 Washington Road Princeton, NJ AddiHonal U.S. and internahonal locahons