A Quantitative Framework for Cyber Moving Target Defenses

Size: px

Start display at page:

Download "A Quantitative Framework for Cyber Moving Target Defenses"

Darcy Campbell
5 years ago
Views:

1 A Quantitative Framework for Cyber Moving Target Defenses Warren Connell 29 Aug 17 Massimiliano Albanese, co-director Daniel Menascé, co-director Sushil Jajodia Rajesh Ganesan 7/6/2017 1

2 Outline Introduction Background Problem Statement Thesis Contributions MTD Quantification Framework Performance Modeling of Moving Target Defenses Conclusion and Future Work 7/6/2017 2

Moving Target Defenses Current state of cyber defense: attackers have natural advantage Near-unlimited time for reconnaissance / preparation Access to 0-day vulnerabilities Attacker only needs to

3 Moving Target Defenses Current state of cyber defense: attackers have natural advantage Near-unlimited time for reconnaissance / preparation Access to 0-day vulnerabilities Attacker only needs to find a single vulnerable entry point Moving Target Defenses (MTDs): change properties of a system Introduces asymmetric uncertainty that favors defender over attacker Attackers do not have adequate time to find vulnerabilities / create exploits 7/6/2017 Jajodia, Sushil, AnupK. Ghosh, VipinSwarup, Cliff Wang, and X. Sean Wang, eds.moving target defense: creating 3 asymmetric uncertainty for cyber threats. Vol. 54. Springer Science & Business Media, 2011.

4 Background 2013 Survey: 39 MTDs organized across 5 categories Taxonomy Dynamic Platforms Dynamic Runtime Environments Dynamic Software Dynamic Data Dynamic Networks Okhravi, Hamed, M. A. Rabe, T. J. Mayberry, W. G. Leonard, T. R. Hobson, D. Bigelow, and W. W. Streilein.Survey of cyber moving target techniques. No. MIT/LL-TR MASSACHUSETTS INST OF TECH LEXINGTON LINCOLN LAB, 2013.

A., and George Cybenko. "Quantification of moving target cyber defenses.

5 2015 Expert Survey: Several recommended methods for measurement Qualitative estimations of effectiveness / cost Background 7/6/ Farris, Katheryn A., and George Cybenko. "Quantification of moving target cyber defenses."spie Defense+ Security. International Society for Optics and Photonics, 2015.

6 MTD Analysis / Tradeoff Example Reconfigure a percentage of network addresses per cycle Analysis using probabilistic models Static case: Pr >0 =1 Pr =0 =1 Dynamic case: Pr >0 =1 Pr =0 =1 (1 ) Tradeoffs between attacker success and connection loss Shuffle rate 7/6/2017 Carroll, Thomas E., Michael Crouse, ErrinW. Fulp, and Kenneth S. Berenhaut. "Analysis of network address shuffling as a moving target 6 defense." 2014 IEEE International Conference on Communications (ICC). IEEE, Probability

7 Problem Statement Existing MTDs are very diverse Often specialized against specific attack vectors No uniform / accepted way to quantify MTDs Objective: Develop a unified framework to comparatively measure Moving Target Defenses Quantification measures should be uniform across MTDs Must measure effectiveness against known and unknown attack paths Must uniformly measure cost 7/6/2017 7

8 Thesis It is possible to quantify the performance of MTDs by analytically predicting their effectiveness and cost in response time, and to use this quantification to determine the optimal configuration for any combination of varying MTDs. 7/6/2017 8

9 Contributions MTD Quantification Framework: Captures the relationships between available MTDsand the knowledgesuch MTDs may affect using probabilistic measures Captures the relationships between services, their software weaknesses, and the knowledge required to exploit such weaknesses Probabilistically determines the effectiveness of any given technique or set of techniques, regardless of how they operate Analytic Model: Use of Continuous Time Markov Chainsto predict MTD security and performance Method to determine optimal reconfiguration rate to maximize utility 7/6/2017 9

10 Outline Introduction MTD Quantification Framework Attack Model Model Overview Basic Example Detailed Example / Solution Method Performance Modeling of Moving Target Defenses Conclusion and Future Work 7/6/

11 Attack Model Static defenses give attackers virtually unlimited time to plan / execute attacks Attacks can be thwarted / delayed by introducing uncertainty Attackers can exploit any known or unknown vulnerabilities in target system Most MTDs only protect against a narrow subset of possible attacks Multiple MTDs will be required for complete coverage 7/6/

MTD Quantification Model Can measure a wide variety of MTDs Uses single measure of effectiveness based on knowledge disruption Uses probabilistic calculations Inspired by attack graphs Computes

12 MTD Quantification Model Can measure a wide variety of MTDs Uses single measure of effectiveness based on knowledge disruption Uses probabilistic calculations Inspired by attack graphs Computes utility Based on additional provided security & cost Inspired by autonomic systems MTD 1 Service Rotation P 1 = 0.25 P 2 = 0.75 (1,service) SQL Injection MTD 2 IP Rotation (1,IP) Buffer Overflow MTD 3 ASLR (1,memory) P 3 = 0.5 P SQL = P buf = U = Service 1 (SQL DB) 7/6/

13 Model Overview 4-layer model Layer 1: defines the servicesto be protected It is time and MTD invariant Assumption: services are independent Service 1 (SQL DB) Service 2 (Web Server) 7/6/

14 Model Overview Layer 2: defines classes of weaknesses / vulnerabilities for each service Avoids modeling specific vulnerabilities / exploits Instead, uses Common Weakness Enumeration (CWE) E.g., 2011 CWE/SANS Top 25 Most Dangerous Software Errors ( Also time and MTD invariant SQL Injection Buffer Overflow Buffer Overflow Cross-site scripting Service 1 (SQL DB) Service 2 (Web Server) 7/6/

15 Model Overview Layer 3: defines required knowledge to exploit each vulnerability (1,service) (1,IP) (1,memory) SQL Injection Buffer Overflow Buffer Overflow Cross-site scripting Service 1 (SQL DB) Service 2 (Web Server) 7/6/

16 Model Overview Layer 4: models the relationship between available MTDs and knowledge blocks Assumption: When no MTDs are deployed, the probability of an attacker acquiring knowledge = 1 P(attack success) = 1 MTDs will reduce this probability MTD 1 Service Rotation (1,service) SQL Injection MTD 2 IP Rotation (1,IP) Buffer Overflow MTD 3 Dynamic ASLR (1,memory) Buffer Overflow Cross-site scripting Assume MTDs are independent Service 1 (SQL DB) Service 2 (Web Server) 7/6/

17 Model Overview MTDs affect weights of edges leading to knowledge blocks The weight P i of an edge from MTD i to a knowledge block can be computed as the attacker s success rate P i = 0 perfect protection P i = 1 no effect MTD 1 Service Rotation MTD 2 IP Rotation MTD 3 Dynamic ASLR P 1 P 2 P 3 (1,service) (1,IP) (1,memory) SQL Injection Buffer Overflow Buffer Overflow Cross-site scripting Service 1 (SQL DB) Service 2 (Web Server) 7/6/

18 MTD 1 : Service rotation 4 different versions of DB service P 1 = 0.25 MTD 2 : IP rotation Perfect shuffling: ~0.63 P 2 = 0.75 Joint probability P SQL = 0.75 * 0.25 = Basic Example P 1 = 0.25 MTD 1 Service Rotation (1,service) P SQL = SQL Injection P 2 = 0.75 MTD 2 IP Rotation (1,IP) Buffer Overflow MTD 3 Dynamic ASLR (1,memory) Buffer Overflow Cross-site scripting Accuracy of the model is dependent upon the accuracy of P i for each MTD Service 1 (SQL DB) Service 2 (Web Server) 7/6/

19 Basic Example MTD 2 : IP rotation Perfect shuffling: ~0.63 P 2 = 0.75 MTD 3 : Dynamic ASLR Reduces probability by a factor of 2 compared to static ASLR P 3 = 0.5 Joint probability P buf = 0.75 * 0.5 = MTD 1 Service Rotation P 1 = 0.25 P 2 = 0.75 (1,service) P SQL = SQL Injection MTD 2 IP Rotation (1,IP) Buffer Overflow MTD 3 Dynamic ASLR P 3 = 0.5 (1,memory) P buf = Buffer Overflow Cross-site scripting Service 1 (SQL DB) Service 2 (Web Server) 7/6/

20 Basic Example Define utility as P(0 attacks succeed) = 1 (P SQL + P buf P SQL buf ) P SQL buf = P 1 P 2 P 3 Emphasizes some protection against all weaknesses MTD 1 Service Rotation P 1 = 0.25 P 2 = 0.75 (1,service) MTD 2 IP Rotation (1,IP) MTD 3 Dynamic ASLR P 3 = 0.5 (1,memory) SQL Injection Buffer Overflow Buffer Overflow Cross-site scripting P SQL = P buf = U = Service 1 (SQL DB) Service 2 (Web Server) 7/6/

21 Detailed Example MTD8 ASLR P 8 MTD9 TALENT P 91 P 92 MTD2 Intrusion- Tolerant Sys MTD5 OS Rotation MTD7 Multivariant Systems P 21 P 22 P 23 P 5 P 71 P 72 MTD1 Service Rotation MTD4 IP Rotation (MOTAG) MTD6 Mutable Networks MTD10 Reverse Stack Execution P 1 P 4 MTD3 SQLRand P 61 P 62 P 10 MTD11 Distraction Cluster P 31 P 32 P 11 (1,application) (1,keyword) (1,DBschema) (1,IP) (1,OS) (1, syscall_mapping) (1, Mem_Address) (1,stack_dir) (1,instr_set) (1,path) SQL OS Buffer W 1 Injection W 2 Injection W 3 Overflow W 4 Eavesdropping Service 1 (SQL DB) 7/6/

22 Detailed Example MTD8 ASLR P 8 MTD9 TALENT P 91 P 92 MTD2 Intrusion- Tolerant Sys MTD5 OS Rotation MTD7 Multivariant Systems P 21 P 22 P 23 P 5 P 71 P 72 MTD1 Service Rotation MTD4 IP Rotation (MOTAG) MTD6 Mutable Networks MTD10 Reverse Stack Execution P 1 P 4 MTD3 SQLRand P 61 P 62 P 10 MTD11 Distraction Cluster P 31 P 32 P 11 (1,application) (1,keyword) (1,DBschema) (1,IP) (1,OS) (1, syscall_mapping) (1, Mem_Address) (1,stack_dir) (1,instr_set) (1,path) SQL OS Buffer W 1 Injection W 2 Injection W 3 Overflow W 4 Eavesdropping Maximize,,, s.t. ( ) 0,1 Service 1 (SQL DB) 7/6/

23 Example Solution Method Maximize,,, s.t. ( ) 0,1 MTDs expressed as binary variables If MTD present: MTD effect applied to knowledge MTD cost applied to budget Solve using optimization method of your choice e.g., Generalized Reduced Gradient, heuristic methods MTD Px attack success rate C (cost) Active? P(effective) C(effective) MTD1 P MTD2 P P P MTD3 P P MTD4 P MTD5 P MTD6 P P MTD7 P P MTD8 P MTD9 P P MTD10 P MTD11 P Knowledge: Total Cost 0 (1,application) Total Budget 120 (1,keyword) (1,DBschema) Cost: (1,IP) High 25 (1,OS) Medium 15 (1, syscall_mapping) Low 5 (1, Mem_Address) (1,stack_dir) Effectiveness: (1,instr_set) High 0.3 (1,path) Medium 0.5 Low 0.9 Chance of attack success: SQL Injection OS Injection Buffer Overflow Easvesdropping Chance of attacker success: Utility

24 Example Solution Selected 6 out of 11 MTDs At least 1 MTD per weakness Cost within budget constraints MTD Px attack success rate C (cost) Active? P(effective) C(effective) MTD1 P MTD2 P P P MTD3 P P MTD4 P MTD5 P MTD6 P P MTD7 P P MTD8 P MTD9 P P MTD10 P MTD11 P Knowledge: Total Cost 110 (1,application) Total Budget 120 (1,keyword) (1,DBschema) Cost: (1,IP) High 25 (1,OS) Medium 15 (1, syscall_mapping) Low 5 (1, Mem_Address) (1,stack_dir) Effectiveness: (1,instr_set) High 0.3 (1,path) Medium 0.5 Low 0.9 Chance of attack success: SQL Injection OS Injection Buffer Overflow Easvesdropping Chance of attacker success: Utility /6/

25 Example Solution MTD8 ASLR P 8 MTD9 TALENT P 91 P 92 MTD2 Intrusion- Tolerant Sys MTD5 OS Rotation MTD7 Multivariant Systems P 21 P 22 P 23 P 5 P 71 P 72 MTD1 Service Rotation MTD4 IP Rotation (MOTAG) MTD6 Mutable Networks MTD10 Reverse Stack Execution P 1 P 4 MTD3 SQLRand P 61 P 62 P 10 MTD11 Distraction Cluster P 31 P 32 P 11 (1,application) (1,keyword) (1,DBschema) (1,IP) (1,OS) (1, syscall_mapping) (1, Mem_Address) (1,stack_dir) (1,instr_set) (1,path) SQL OS Buffer W 1 Injection W 2 Injection W 3 Overflow W 4 Eavesdropping Service 1 (SQL DB) 7/6/

26 Example Solution MTD8 ASLR P 8 MTD9 TALENT P 91 P 92 MTD2 Intrusion- Tolerant Sys MTD5 OS Rotation MTD7 Multivariant Systems P 21 P 22 P 23 P 5 P 71 P 72 MTD1 Service Rotation MTD4 IP Rotation (MOTAG) MTD6 Mutable Networks MTD10 Reverse Stack Execution P 1 P 4 MTD3 SQLRand P 61 P 62 P 10 MTD11 Distraction Cluster P 31 P 32 P 11 (1,application) (1,keyword) (1,DBschema) (1,IP) (1,OS) (1, syscall_mapping) (1, Mem_Address) (1,stack_dir) (1,instr_set) (1,path) SQL OS Buffer W 1 Injection W 2 Injection W 3 Overflow W 4 Eavesdropping How to calculate values of P i? How to better compute cost? Service 1 (SQL DB) 7/6/

27 Outline Introduction MTD Quantification Framework Performance Modeling of Moving Target Defenses Model Overview Reconfiguration / Performance Models Simulation / Experiments Conclusion and Future Work 7/6/

28 Model Overview α c resources available Reconfiguration requests Arrival rate α Reconfiguration time S Arrive independently for each resource Incoming service requests Arrival rate λ Service time T Queued if no resource available Reconfiguring reduces availability, increases response time λ being reconfigured in use by a service request available for use c 7/6/

29 Analytic Reconfiguration and Performance Models Reconfiguration Model Determines reconfiguration probability distribution and availability Performance Model Determines response time based on reconfiguration probability distribution 7/6/

30 Reconfiguration Model (Markov Chain) At any given time, k resources are reconfiguring αc α(c-1) α(c-k+1) α(c-k) 2 α α k... c-2 c-1 c 1/S 2/S k/s (k+1)/s (c-1)/s c/s General birth-death equations for Markov Chains ( =1 7/6/

31 Managing Server Overload on Response Time Determine maximum # of resources c*that can be reconfiguring at one time Server utilization = Select c* s.t. < 1 at all times 2 Possible policies: Drop: If c* resources are reconfiguring, drop the request Wait: If c* resources are reconfiguring, wait until k < c* Response Time (sec) α(rec/sec) Simulation Analytic /6/

32 Drop and Wait Policies Modified Markov Chains for Drop and Wait Polices: Drop Policy: Wait Policy: 7/6/

33 Determining Attacker Success Rate No MTD: attacker has unlimited time to plan and execute attack Represent attacker s success rate as function of resource age Assumes attacker has increasing probability of success over time Reconfigurations disrupt that probability E.g.: linear probes, malware infections that spread exponentially Ps Time (sec) Linear Ps Exponential Ps 7/6/

34 Average Resource Age Based on probability distribution, we can compute: % dropped reconfiguration requests Average reconfiguration delay Average age is (1/α) + delay Age (sec) α(rec/sec) Drop Wait 7/6/

35 Analytic Reconfiguration and Performance Models Reconfiguration Model Determines reconfiguration probability distribution and availability Performance Model Determines response time based on reconfiguration probability distribution 7/6/

36 Performance Model (Markov Chain) λ: arrival rate of service requests μδ k : average departure rate of service requests μ: departure rate of service requests (1/T) δ k : # of resources available (weighted sum of probabilities from distribution) = π j : probability there are j resources available λ λ λ λ λ c... k k+1... µδ 1 µδ 2 µδ c µδ c µδ c 7/6/

37 Performance Model (Calculations) Use generalized Birth-Death equations to calculate average # of requests in system: = = Response Time (sec) α(rec/sec) Drop Wait Response time R = N s / λ(little s Law) 7/6/

38 Experimental Setup SimPy library for Python Discrete event generator to run simulations or control system in real time XenServer open-source VM platform Multiple concurrent processes: a) c independent processes to generate reconfiguration requests (arrival rate α) b) 1 process to generate independent service requests (arrival rate λ) c) Monitor process # of requests in system # of queued requests Average VM age VM Management console 7/6/ c) a) b)... VM 1 VM 2 VM c

39 Implementation Resource locking / queuing: a) incoming requests (both service and reconfiguration) b) service request queue c) resource lock on VM pool Synchronizes multiple processes E.g.: reconfiguration request to busy VM Flag it for reconfiguration Reconfigure before returning to idle pool a) b) c) Idle pool Shuffle pool VM Pools Use pool Goal: Make reconfiguration as transparent as possible without affecting response times VM Movement Requests 7/6/

40 Analytic vs. Simulation Results Drop Policy α(rec/sec) Analytic Simulation 7/6/ Availability Age (sec) Availability: Average VM Age: Response Time: Response Time (sec) α(rec/sec) α(rec/sec) Analytic Simulation Analytic Simulation

41 Experimental vs. Simulation Results Further validation of simulation results by implementing MTD in XenServer to reconfigure VMs Availability Response Time α Simulation Experimental Error Simulation Experimental Error ± ± % ± ± % ± ± % ± ± % ± ± % ± ± % ± ± % ± ± % ± ± % ± ± % ± ± % ± ± % ± ± % ± ± % ± ± % ± ± % 7/6/

42 Computing Utility Choose sigmoid parameters and weight factors for user goals β R = 0.55 sec, β S = 0.2, σ= 10, W R = 0.5, W S = US(Ps) Ug α(rec/sec) α(rec/sec) α(rec/sec) 7/6/ UR(tr) US

43 Utility Values for Various Weight Combinations Utility α(rec/sec) wr = 0.5, ws = 0.5 wr = 0.75, ws = 0.25 wr = 0.25, ws = /6/

44 Outline Introduction MTD Quantification Framework Performance Modeling of Moving Target Defenses Model Overview Reconfiguration / Response time Models Simulation / Experiments Conclusion and Future Work Conclusions Future Work Publications 7/6/

45 Conclusions Introduced framework for quantifying MTDs Single probability-based utility measure Can accommodate any existing or future MTD Captures relationship between MTDs, knowledge, weaknesses, and services Introduced analytic model to assess performance Optimized reconfiguration rate that maximizes effectiveness and minimizes response time 7/6/

46 Future Work Experiments with multiple MTDs Further validate model / capture interactions between MTDs Experimental proof-of-concept already built Application to multiple cyber attack phases Reconnaissance important, but need defense-in-depth Application to multiple services w/ dependencies E.g. attacker needs to compromise service A before service B Autonomic Controllers Change reconfiguration rate to adapt to changing conditions 7/6/

47 Publications Published: Connell, Warren, Albanese, Massimiliano, and Sridhar Venkatesan. "A Framework for Moving Target Defense Quantification."IFIP International Information Security and Privacy Conference.Springer International Publishing, Under review: Connell, Warren, Menasce, Daniel, and Albanese, Massimiliano. Performance Modeling of Moving Target Defenses with Reconfiguration Limits. IEEE Transactions on Information Forensics and Security. Connell, Warren, Menasce, Daniel, and Albanese, Massimiliano. Performance Modeling of Moving Target Defenses. FourthACM Workshop on Moving Target Defense(MTD), October /6/

48 Questions? MTD 1 Service Rotation P 1 = 0.25 P 2 = 0.75 MTD 2 IP Rotation MTD 3 Dynamic ASLR P 3 = 0.5 (1,service) (1,IP) (1,memory) K 1 = 0.25 K 2 = 0.75 K 3 = 0.5 P SQL = SQL Injection Buffer Overflow P buf = U = Service 1 (SQL DB) 7/6/

A Framework for Moving Target Defense Quantification

A Framework for Moving Target Defense Quantification Warren Connell, Massimiliano Albanese (B), and Sridhar Venkatesan George Mason University, Fairfax, VA 22030, USA {wconnel2,malbanes,svenkate}@gmu.edu