Fall Extension Project Initial Brief Meeting August 28, 2010 Martin Q. Zhao

Fall Extension Project

Transcript
Page 1: Fall Extension Project

Fall Extension Project
Initial Brief Meeting

August 28, 2010
Martin Q. Zhao

Page 2: Fall Extension Project

Summer Research – An Overview

Title: Knowledge Representation & Reasoning for Impact/Threat Assessment in Cyber Situation Awareness Systems

Objective: Enhancing the SITA system
- Find ways to model domain knowledge
- Develop a tool for VT creation/modification

Collaborators: Dr. John Salerno, Mike Manno, Jimmy Swistak, Warren Geiler

Page 3: Fall Extension Project

Cyber SA Model

JDL model:
- Level 0: Source Preprocessing/subobject refinement
- Level 1: Object refinement
- Level 2: Situation refinement
- Level 3: Impact Assessment
- Level 4: Process Refinement

Endsley’s model:
- Perception
- Comprehension
- Projection

Page 4: Fall Extension Project

Virtual Terrain

The virtual terrain is a graphical representation of a computer network containing information relevant for a security analysis of a computer network, including:

- Mission
- Hosts & Subnets
- Services & exposures
- Routers, sensors & firewalls
- Physical & wireless links
- Users

Page 5: Fall Extension Project

TIA Procedures Using VT

Attack detection using IDS

Tracking relevant attack events

Assessing impacts on missions

Projecting promising futures & assessing threats

Page 6: Fall Extension Project

Core SITA Subsystems

Page 7: Fall Extension Project

Problems to Solve

• Amount of data is huge
  - A computer network can have hundreds of machines, thousands of software applications and user accounts
  - Known vulnerabilities are in the thousands, and the number is ever growing.

• XML files are used: they can contain redundant data
  - Harm efficiency
  - Cause well-known anomalies
    o Insertion
    o Deletion
    o Update

• Tools need to be developed to feed SITA with data

Page 8: Fall Extension Project

Conceptual Data Model

Page 9: Fall Extension Project

Relational Data Model-VT

Diagram of table groups: H/W; S/W; Exposure; Link & Policy

Page 10: Fall Extension Project

Relational Data Model-Mission

Page 11: Fall Extension Project

Relational Data Model-Exposure

Page 12: Fall Extension Project

Mission Map Editor-Requirements

• (Type of) User: SA Operator

• System Functions:
  - Access data in file/DB
  - Display a mission tree
  - Modify a mission tree
  - Save changes to file/DB
  - Create a mission tree

Requirements modeling w/ a use-case diagram

Page 13: Fall Extension Project

Mission Map Editor-Tree creation

Numbered steps from the screenshot sequence:
1. File | New
2. Top mission
3. Add more
4. Set criticality
5. Assign assets
6. File | Save

Page 14: Fall Extension Project

Mission Map Editor-Architecture

Diagram components: DB; VT Model; Mission Map Model; XML

Page 15: Fall Extension Project

Mission Map Editor-Dynamics

Page 16: Fall Extension Project

Vulnerability Lookup-Overview

• What is a vulnerability?
• What is an exposure?
• How is it stored in NVD?
• What is CVE?
• What is CPE?
• How are they related to SITA?

National Vulnerability Database (NVD) contains:
- CVE Vulnerabilities: 43054
- CPE Names: 22181

Common Platform Enumeration (CPE)

  <cpe-item name="cpe:/o:microsoft:windows_7">
    <title xml:lang="en-US">Microsoft Windows 7</title>
    … …
  </cpe-item>

Common Vulnerabilities and Exposures (CVE)

  <entry id="CVE-2010-0278">
    … …
    <cpe-lang:logical-test negate="false" operator="OR">
      <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_7"/>
      <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_vista"/>
      … …
    </cpe-lang:logical-test>
  </entry>

Page 17: Fall Extension Project

Vulnerability Lookup-Prototype

Screenshot callouts: 0 Load files; A CVSS Rating; B Apps affected; C Exposure

Page 18: Fall Extension Project

Vulnerability Lookup-Ideal ways

Browse hierarchy from the diagram (path shown: cpe:/o:microsoft:windows_7):

Type
- Application : a
- Hardware : h
- O/S : o

Vendor
- Alcatel
- Apple
- … …
- IBM
- … …
- Microsoft
- … …

Prod. Line
- MS-DOS
- Windows

Product
- Windows 98
- Windows 2000
- Windows XP
- Windows Vista
- Windows 7

CVE Entry
- CVE-2010-0278
- CVE-2010-0018
- CVE-2010-0249
- CVE-2010-0232
- … …

Page 19: Fall Extension Project

Future R&D

• MissionMapEditor: Thorough testing and refactoring

• VulnerabilityTracker:
  - Research the processes of checking/updating CVE and CPE data feeds
  - Design a layered system architecture
  - Design and implement GUI that organizes products by category (such as OS, apps, HW), vendor, product family, version, etc.

• IDS (e.g. Snort) alerts specifics and mapping with CVE, as well as with SITA

• VT model generation using automatic scanning data

• Cyber situation visualization