Defence Research and Development Canada
Online cyber surveillance of information systems
Overview of current and next DRDC projects
Mario Couture, Defence R&D Canada (DRDC Valcartier)
August 30th, 2011
Content
1. Definitions and domain of work
2. Cyber domain: important facts
3. Cyber surveillance of ISs: overview
4. The on-going DRDC project
5. The next DRDC project
6. Concluding remarks (I) and (II)
IS: Information system
Definitions and domain of work
Information system (IS): a computerised system allowing the processing and sharing of data and information. With this definition, a cell phone can be considered an IS.
Surveillance of ISs: the use of specialised software systems (AV, HIDS, software tracers, etc.) for the online observation and analysis of IS states and behaviours, in order to detect and report appropriately any undesired software anomalies, with low false positives.
Domains of work:
- DRDC Valcartier: online host surveillance
- DRDC Ottawa: online network surveillance
- Complementary work
AV: Anti-virus; HIDS: Host intrusion detection system; US: User space; KS: Kernel space
Cyber domain: important facts
Some important facts [Charpentier & Lefebvre, 2010]:
- Critical national infrastructures involve the use of increasingly complex ISs
- Fielded ISs will always contain unresolved design flaws and bugs (vulnerabilities)
- Nowadays malicious hackers are very well organised and have easy access to advanced hacking technologies (which are often cheap)
- The ability of current surveillance systems (AV, HIDS, ...) to detect undesired software states and behaviours within hosts is dramatically limited: ~30% [Bell, 2010]
- Advanced Persistent Threats (APT) remain undetected; they represent a serious threat
- The development of the next generation of surveillance systems is not an easy problem to solve; sustained iterative and incremental collaborative R&D efforts are needed
AV: Anti-virus; HIDS: Host intrusion detection system; IS: Information system
Cyber surveillance of ISs: overview
In the case of cyber warfare: cyber warfare involves two well organised entities, DND and bad hackers.
OODA Loop as applied to online host surveillance:
- Observe: observation deep within the IS
- Orient: fast/advanced detection analysis, reporting
- Decide: automatic/manual decision making
- Act: automatic/manual reactions and pro-actions
Some important technological needs:
- Better advanced techniques and models:
  - for adaptive observation of hosts
  - for adaptive detection analysis
  - to lower the number of false positives
- Better reporting of:
  - IS health states
  - detected undesired anomalies
- Suggest the best courses of action (proactive, reactive)
- The smallest overall delta-t for the whole blue OODA Loop
Bad hackers' activities (opposed to DND activities):
- They are well organised
- Easy access to advanced hacking technology
- (...)
IS: Information system; OODA: Observe, Orient, Decide, Act; DND: Department of National Defence
The on-going project: Poly-Tracing (Observe)
Main R&D threads (Poly-Tracing project), for example:
- Automatic/manual deep monitoring of ISs
- Data synchronisation
- Data abstraction
- Automated fault identification
Diagram labels (feedback-directed monitoring loop around the IS):
- LTTng tracer (US, KS)
- Data (traces) synchronisation
- Data (traces) abstraction
- Trace directed modelling
- Observed states, behaviours, faults (UML diagrams)
- Fault identification
- Health monitoring and corrective measures
- IS health states & control
- Impacts prediction (of monitoring)
- Redundancy and diversity for security purposes
Documentation, software & demos: http://dmct.dorsal.polymtl.ca
IS: Information system; US: User space; KS: Kernel space
Next DRDC project (Orient)
Title: Online surveillance of critical information systems through advanced host-based anomaly detection (currently under definition)
The main goals:
1. Significantly improve the efficiency, accuracy and timeliness of online host-based anomaly detection
2. Ensure interoperability with network-level surveillance systems
3. Save the relevant data for offline analysis (forensic analysis, continual improvement of systems)
Next DRDC project (Orient)
Strategies:
- Make use of (and merge) the available online system data: alerts, software events/states from AV, HIDS, software tracers, profilers, etc.
- Store this enhanced data into a harmonized centralized data store and make it available
- Concurrently run many complementary leading-edge detection techniques (user and kernel spaces)
- Use a specialized Linux kernel knowledge base to support detection analysis
- Make the surveillance infrastructure feedback-directed (more adaptable online):
  - ability to select and control the focus and resolution of the observations
  - ability to reconfigure detection modules
- Interoperability with network-level surveillance systems (for national-level cyber operations)
- The ability to save data online for further offline analysis (forensics, software improvement)
KS: kernel space; US: user space
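As an added illustration (not code from the DRDC or Poly-Tracing projects), the following Python sketch shows the shape of the feedback-directed loop described in these strategies and in the OODA slide earlier: heterogeneous AV/HIDS/tracer records are harmonized into one store, two complementary detection modules run over it, and their combined score adjusts the tracer's observation resolution for the next pass. The source names, event fields, baseline syscall set, thresholds and sample telemetry are all constructed assumptions.

```python
# Added example (not part of the DRDC slides): minimal feedback-directed host
# surveillance loop. Sources, fields, baseline and thresholds are assumptions.
BASELINE = {"read", "write", "open", "close"}          # learned normal syscall set

# Constructed sample telemetry from three heterogeneous sources on one host.
RAW_EVENTS = [
    {"src": "tracer", "host": "h1", "name": "read"},
    {"src": "tracer", "host": "h1", "name": "write"},
    {"src": "tracer", "host": "h1", "name": "ptrace"},
    {"src": "tracer", "host": "h1", "name": "mprotect"},
    {"src": "hids", "host": "h1", "path": "/etc/passwd"},
    {"src": "av", "host": "h1", "signature": "Generic.Trojan"},
]

def harmonize(raw):
    """Map each source's native record onto one schema for the central store."""
    if raw["src"] == "tracer":   # LTTng-style kernel/user-space trace event
        return {"source": "tracer", "host": raw["host"], "kind": "syscall", "detail": raw["name"]}
    if raw["src"] == "hids":     # file-integrity alert
        return {"source": "hids", "host": raw["host"], "kind": "file_mod", "detail": raw["path"]}
    if raw["src"] == "av":       # signature match
        return {"source": "av", "host": raw["host"], "kind": "alert", "detail": raw["signature"]}
    raise ValueError(f"unknown source {raw['src']!r}")

def syscall_profile_detector(events, baseline):
    """Score = fraction of observed syscalls outside the learned baseline."""
    calls = [e["detail"] for e in events if e["kind"] == "syscall"]
    return sum(c not in baseline for c in calls) / len(calls) if calls else 0.0

def cross_source_detector(events):
    """Score 1.0 when two independent sources corroborate (AV alert + file change)."""
    kinds = {e["kind"] for e in events}
    return 1.0 if {"alert", "file_mod"} <= kinds else 0.0

RESOLUTION = ["coarse", "syscalls", "syscalls+args"]   # tracer observation levels

def feedback_step(raw_events, baseline, level):
    """One OODA pass: Observe (harmonize/store), Orient (detect), Decide/Act (retune tracer)."""
    events = [harmonize(r) for r in raw_events]          # Observe
    score = max(syscall_profile_detector(events, baseline),
                cross_source_detector(events))            # Orient: combine modules
    if score >= 0.5:                                      # Decide/Act
        level = min(level + 1, len(RESOLUTION) - 1)       # look deeper on this host
    elif score == 0.0:
        level = max(level - 1, 0)                         # back off to cut overhead
    return score, level, RESOLUTION[level]

if __name__ == "__main__":
    print(feedback_step(RAW_EVENTS, BASELINE, 0))          # (1.0, 1, 'syscalls')
```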
The next DRDC project (Orient)
Feedback-directed surveillance infrastructure (diagram)
AV: Anti-virus; HIDS: Host intrusion detection system; KS: kernel space; US: user space
The next DRDC project (Orient)
- Threads 1 & 2 (Polytechnique Montreal): Prof. M. Dagenais (PI) + 2 PhD students + 1 RA (*)
- Thread 3 (Concordia University): Prof. A. Hamou-Lhadj + 2 PhD students + 1 PostDoc (**)
- Thread 4 (Toronto University): Prof. A. Goel + 1 PhD student
(*) Research associate (RA): development, integration (Threads 1, 2, 3, and 4)
(**) PostDoc: development, integration (Threads 3 and 4); feedback-directed aspects of the surveillance infrastructure
KS: kernel space; US: user space; PI: Principal investigator
The next DRDC project: approaches
- Adapt and make use of technologies that are already mature and available
- Develop new technologies to fill technological gaps
- Scalability is very important
- Interoperability is very important
- Use an iterative/incremental approach (for R&D efforts and POC)
- Sustained active collaboration among involved participants
R&D: Research and development; POC: Proof of concept
Concluding remarks (I): Observe
Poly-Tracing project (the on-going DRDC project):
- Type: 4-year DND-NSERC project (2.6 M$), currently at the end of year 3
- Partners: Ericsson Canada, NSERC, DRDC Valcartier, 4 Canadian universities (5 PhDs, more than 15 grad. students)
- Open source
- Documentation, software & demos: http://dmct.dorsal.polymtl.ca
DND: Department of National Defence; NSERC: Natural Sciences and Engineering Research Council of Canada
Concluding remarks (II): Orient
Next project: to be submitted to DRDC/DND in October 2011
- Type: DND-NSERC project (strong interest from military clients)
- Partners: Ericsson Canada, NSERC, DRDC Valcartier, 3 Canadian universities (4 PhDs supervising 5 PhD students)
- Size: similar to the Poly-Tracing project
- Open source has proved to be a very good approach
Ultimate goals:
- Improve host-based online anomaly detection (of malicious origin or not)
- Help operators on duty build and maintain a full HSA of their ISs during operations
- Provide more relevant data for offline forensic investigations
- Interoperate with network-level cyber surveillance operations (national level)
DND: Department of National Defence; NSERC: Natural Sciences and Engineering Research Council of Canada; HSA: Host-based situational awareness; IS: Information system
Contact: Mario Couture, Defence scientist, DRDC Valcartier
Mario.Couture@DRDC-RDDC.GC.CA
(418) 844-4000 4285