Defence Research and Development Canada. Online cyber surveillance of information systems. Overview of current and next DRDC projects


Defence Research and Development Canada
Online cyber surveillance of information systems
Overview of current and next DRDC projects
Mario Couture, Defence R&D Canada (DRDC Valcartier)
August 30th, 2011

Content
1. Definitions and domain of work
2. Cyber domain: important facts
3. Cyber surveillance of ISs: overview
4. The on-going DRDC project
5. The next DRDC project
6. Concluding remarks (I) and (II)
IS: Information system

Definitions and domain of work
- Information system (IS): a computerised system allowing the processing and sharing of data and information. With this definition, a cell phone can be considered as an IS.
- Surveillance of ISs: the use of specialised software systems (AV, HIDS, software tracers, etc.) for the online observation and analysis of IS states and behaviours. Detect and report appropriately any undesired software anomalies, with low false positives.
- Domains of work:
  - DRDC Valcartier: online host surveillance
  - DRDC Ottawa: online network surveillance
  - Complementary work
AV: Anti-virus; HIDS: Host intrusion detection system; US: User space; KS: Kernel space

Cyber domain: important facts
Some important facts [Charpentier & Lefebvre, 2010]:
- Critical national infrastructures involve the use of increasingly complex ISs.
- Fielded ISs will always contain unresolved design flaws and bugs (vulnerabilities).
- Nowadays malicious hackers are very well organised and have easy access to advanced hacking technologies (which are often cheap).
- The ability of current surveillance systems (AV, HIDS, ...) to detect undesired software states and behaviours within hosts is dramatically limited: ~30% [Bell, 2010]. Advanced Persistent Threats (APT) remain undetected; they represent a serious threat.
- The development of the next generation of surveillance systems is not an easy problem to solve. Sustained, iterative and incremental collaborative R&D efforts are needed.
AV: Anti-virus; HIDS: Host intrusion detection system; IS: Information system

Cyber surveillance of ISs: overview
In the case of cyber warfare: cyber warfare involves two well organised entities, DND and bad hackers.
OODA Loop as applied to online host surveillance (DND activities):
- Observe: observation deep within the IS
- Orient: fast/advanced detection analysis, reporting
- Decide: automatic/manual decision making
- Act: automatic/manual reactions and pro-actions
Some important technological needs:
- Better advanced techniques and models:
  - for adaptive observation of hosts
  - for adaptive detection analysis
  - to lower the number of false positives
- Better reporting of:
  - IS health states
  - detected undesired anomalies
- Suggest the best courses of action (proactive, reactive)
- The smallest overall delta-t for the whole blue OODA Loop
Bad hackers' activities:
- They are well organised
- Easy access to advanced hacking technology
- (...)
IS: Information system; OODA: Observe, Orient, Decide, Act; DND: Department of National Defence

The on-going project: Poly-Tracing (Observe)
Main R&D threads (Poly-Tracing project), for example:
- Automatic/manual deep monitoring of ISs
- Data synchronisation
- Data abstraction
- Automated fault identification
[Figure: Poly-Tracing architecture. Elements shown: IS; LTTng tracer (US, KS); data (traces) synchronisation; data (traces) abstraction; trace-directed modelling; fault identification; feedback-directed health monitoring and corrective measures; impacts prediction (of monitoring); redundancy and diversity for security purposes; observed states, behaviours, faults (UML diagrams); IS health states & control.]
Documentation, software & demos: http://dmct.dorsal.polymtl.ca
IS: Information system; US: User space; KS: Kernel space

Next DRDC project (Orient)
Title: Online surveillance of critical information systems through advanced host-based anomaly detection (currently under definition)
The main goals:
1. Improve significantly the efficiency, accuracy and timeliness of online host-based anomaly detection
2. Ensure interoperability with network-level surveillance systems
3. Save the relevant data for offline analysis (forensic analysis, continual improvement of systems)

Next DRDC project (Orient)
Strategies:
- Make use of (and merge) the available online system data: alerts, software events/states from AV, HIDS, software tracers, profilers, etc. Store this enhanced data into a harmonized centralized data store and make it available.
- Concurrently run many complementary leading-edge detection techniques (user and kernel spaces).
- Use a specialized Linux kernel knowledge base to support detection analysis.
- Make the surveillance infrastructure feedback-directed (more adaptable online):
  - Ability to select and control the focus and resolution of the observations
  - Ability to reconfigure detection modules
- Interoperability with network-level surveillance systems (for national-level cyber operations).
- The ability to save data online for further offline analysis (forensics, software improvement).
KS: kernel space; US: user space
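As an added illustration (not code from the DRDC project or its partners), this Python sketch shows the strategy above on constructed data: records from AV, HIDS and a tracer are harmonized into one central store, two complementary detectors run over it, and their merged score feeds back to select the tracer resolution per host. All event sources, field names, detector scores and the watch-listed syscalls are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample: alerts/events from three hypothetical host sources.
RAW_EVENTS = [
    {"src": "av", "host": "h1", "ts": 100, "verdict": "clean", "path": "/usr/bin/ssh"},
    {"src": "hids", "host": "h1", "ts": 101, "rule": "file_modified", "file": "/etc/shadow"},
    {"src": "tracer", "host": "h1", "ts": 102, "syscall": "execve", "pid": 4242, "space": "US"},
    {"src": "tracer", "host": "h1", "ts": 103, "syscall": "ptrace", "pid": 4242, "space": "KS"},
    {"src": "hids", "host": "h1", "ts": 104, "rule": "new_kernel_module", "module": "x.ko"},
    {"src": "tracer", "host": "h2", "ts": 105, "syscall": "read", "pid": 7, "space": "US"},
    {"src": "av", "host": "h2", "ts": 106, "verdict": "clean", "path": "/bin/ls"},
]

def harmonize(raw):
    """Map each source's own record layout onto one schema for the central store."""
    store = []
    for e in raw:
        if e["src"] == "av":
            kind, detail = "av." + e["verdict"], e["path"]
        elif e["src"] == "hids":
            kind, detail = "hids." + e["rule"], e.get("file") or e.get("module", "")
        else:  # tracer (user or kernel space)
            kind, detail = "trace." + e["syscall"], f'pid={e["pid"]} {e["space"]}'
        store.append({"host": e["host"], "ts": e["ts"], "src": e["src"],
                      "kind": kind, "detail": detail})
    return store

def detect_hids_burst(store, threshold=2):
    """Detector 1: hosts raising at least `threshold` HIDS alerts in the window."""
    hits = Counter(r["host"] for r in store if r["src"] == "hids")
    return {h: 1.0 for h, n in hits.items() if n >= threshold}

SENSITIVE = {"ptrace", "init_module", "finit_module"}  # assumed watch-list (knowledge base)

def detect_sensitive_syscalls(store):
    """Detector 2: hosts whose traces contain watch-listed syscalls."""
    scores = defaultdict(float)
    for r in store:
        if r["src"] == "tracer" and r["kind"].split(".", 1)[1] in SENSITIVE:
            scores[r["host"]] += 0.5
    return dict(scores)

def feedback_plan(store, detectors, alert_at=1.0):
    """Merge detector scores; hosts scoring >= alert_at get 'fine' tracer resolution."""
    score = defaultdict(float)
    for detect in detectors:
        for host, s in detect(store).items():
            score[host] += s
    hosts = sorted({r["host"] for r in store})
    plan = {h: ("fine" if score.get(h, 0.0) >= alert_at else "coarse") for h in hosts}
    return plan, dict(score)
```

The returned plan is what a feedback-directed infrastructure would push back to the observation layer: only the host that scored above the threshold pays the cost of high-resolution tracing.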

The next DRDC project (Orient)
[Figure: Feedback-directed surveillance infrastructure.]
AV: Anti-virus; HIDS: Host intrusion detection system; KS: kernel space; US: user space

The next DRDC project (Orient)
- Threads 1 & 2 (Polytechnique Montreal): Prof. M. Dagenais (PI) + 2 PhD students, 1 RA (*)
- Thread 3 (Concordia University): Prof. A. Hamou-Lhadj + 2 PhD students, 1 PostDoc (**)
- Thread 4 (University of Toronto): Prof. A. Goel + 1 PhD student
(*) Research associate (RA): development, integration (Threads 1, 2, 3 and 4)
(**) PostDoc: development, integration (Threads 3 and 4); feedback-directed aspects of the surveillance infrastructure
KS: kernel space; US: user space; PI: Principal investigator

The next DRDC project: approaches
- Adapt and make use of technologies that are already mature and available
- Develop new technologies to fill technological gaps
- Scalability is very important
- Interoperability is very important
- Use an iterative/incremental approach (for R&D efforts and POC)
- Sustained active collaboration among involved participants
R&D: Research and development; POC: Proof of concept

Concluding remarks (I): Observe
Poly-Tracing project (the on-going DRDC project):
- Type: 4-year DND-NSERC project (2.6 M$), currently at the end of year 3
- Partners: Ericsson Canada, NSERC, DRDC Valcartier
- 4 Canadian universities: 5 PhDs, more than 15 grad. students
- Open source
- Documentation, software & demos: http://dmct.dorsal.polymtl.ca
DND: Department of National Defence; NSERC: Natural Sciences and Engineering Research Council of Canada

Concluding remarks (II): Orient
Next project: to be submitted to DRDC/DND in October 2011
- Type: DND-NSERC project (strong interest: mil. clients)
- Partners: Ericsson Canada, NSERC, DRDC Valcartier
- 3 Canadian universities: 4 PhDs supervising 5 PhD students
- Size: similar to the Poly-Tracing project
- Open source has proved to be a very good approach
Ultimate goals:
- Improve host-based online anomaly detection (malicious origin or not)
- Help operators on duty build and maintain a full HSA of their ISs during operations
- Provide more relevant data for offline forensic investigations
- Interoperate with network-level cyber surveillance operations (national level)
DND: Department of National Defence; NSERC: Natural Sciences and Engineering Research Council of Canada; HSA: Host-based situational awareness; IS: Information system

Contact: Mario Couture, Defence scientist, DRDC Valcartier
Mario.Couture@DRDC-RDDC.GC.CA
(418) 844-4000, 4285