STRATUS: Reasoning Elements and Information Flow Architecture
By Adventium

STRATUS' Strategic loop determines the most likely targets of multi-step attacks before they are fully realized. STRATUS' Tactical loop tries to respond quickly to evidence of corruption of existing systems and to create backups for the nearest neighbors that are threatened.

Strategic Threat Anticipation (at mission declaration)

Inputs: Mission Models, Current Missions, Known Attack Plan Elements, and a Model Library (Host & Cluster Connectivity, Software Models, Component Vulnerability Models).

Rapid Attack Plan Path Analysis (RAPPA)
•  Computes a diverse set of possible attacker goals and plans against the mission for the PAPR attack recognizer, and converts this into an attack plan library for plan recognition.
•  Uses a combination of planning techniques to identify attack vectors on mission components and intermediate products.
•  Identifies possible threats to components/channels of the current mission and plans ways attacks might occur to effect those threats (used by SQRL).
•  Identifies diagnostic actions that predict possible targets.
Output: Expected Attack Plans (to PAPR).

Resource Allocation and Prepositioning (SQRL)
•  Creates a set of candidate configurations for the mission software components, assigning them to hosts and prescribing communication pathways.
•  Plans reconfigurations of components to new hosts/channels to thwart access to likely targets.
Output: Alternative Resource Allocation Plans (to MOTHER).

Probabilistic Attack Plan Recognizer (PAPR)
•  Based on Geib's ELEXIR plan recognition system.
•  Uses detected intrusion events and the attack plan library to anticipate attacker targets and pathways that are threatened.
Output: Expected Future Threat Events (AMBORO).

Tactical Event Detection and Response (during execution)

Inputs: Sensor Reports, Resource Monitoring, Corruption, Anomaly and Failure Observations, Application Communications Policies.

1. MIFD (Model-based Intrusion Detection) identifies likely intrusion events from sensor information. It uses the issue detection report fusion technology developed in SCYLLARUS to identify events with significant evidence and supporting explanations. Output: Probable Intrusion Events.
2. DAD (Distributed Attack Diagnosis) diagnoses the level of distrust in components. It uses reports of intrusion events to diagnose the sources of an attack and build a trust model that specifies the relative likelihood that mission elements have been compromised or are threatened. Output: Trust Models.
3. PAPR uses the ELEXIR plan recognizer to assess the probability of different attack plans occurring given the evidence.
   •  Goal is to identify likely mission threats from recognized, partially executed plans.
4. MOTHER (Mission-Oriented Threat Hypothesis Evaluation and Response) selects the reconfiguration that will most improve mission survivability. It uses the trust model to continuously decide which configurations of components make the mission most survivable given available resources, directs CSE to make the changes, and monitors for completion. Output: Configuration Control Messages.

Communications Security Enforcement (CSE) Infrastructure

CSE manages all mission software components and their communications pathways using an object-oriented publish and subscribe protocol (CSE Network Control Elements: Start/Stop Components, Change Communications Patterns). CSE and STRATUS share information over the STRATUS Internal Communications Network using objects defined in a common ontology, with OWL as the interlingua. CSE developed by: Balzer & colleagues.
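As an added illustration of the four-step tactical loop (MIFD, DAD, PAPR, MOTHER), not STRATUS code: the host links, attack plan library, placement and every scoring rule below are constructed assumptions standing in for the ELEXIR and SCYLLARUS machinery the poster names.

```python
from collections import defaultdict
# Constructed sample mission (assumption): host links, RAPPA-style attack plan
# library, and the current component-to-host placement.
LINKS = {"web": ["app"], "app": ["db", "backup"], "db": [], "backup": [], "spare": []}
ATTACK_PLANS = {  # plan name -> ordered hosts an attacker must reach
    "steal-data": ["web", "app", "db"],
    "destroy-backup": ["web", "app", "backup"],
}
MISSION = {"frontend": "web", "logic": "app", "store": "db"}  # component -> host
def mifd(sensor_reports, min_sensors=2):
    """Step 1 (MIFD): fuse (sensor, host) reports; a host counts when >=2 sensors agree."""
    votes = defaultdict(set)
    for sensor, host in sensor_reports:
        votes[host].add(sensor)
    return {h for h, s in votes.items() if len(s) >= min_sensors}

def dad(intrusions, spread=0.5):
    """Step 2 (DAD): distrust per host; intruded hosts 1.0, their neighbours a reduced level."""
    distrust = {h: 0.0 for h in LINKS}
    for h in intrusions:
        distrust[h] = 1.0
        for n in LINKS[h]:
            distrust[n] = max(distrust[n], spread)
    return distrust

def papr(intrusions):
    """Step 3 (PAPR): share of each plan's steps already seen, plus its next target host."""
    out = {}
    for name, steps in ATTACK_PLANS.items():
        done = 0
        while done < len(steps) and steps[done] in intrusions:
            done += 1
        out[name] = (done / len(steps), steps[done] if done < len(steps) else None)
    return out

def mother(distrust, plans, limit=0.5):
    """Step 4 (MOTHER): move components off risky hosts to the safest free host."""
    risk = dict(distrust)  # risk = distrust, raised where a plan's next step lands
    for score, nxt in plans.values():
        if nxt:
            risk[nxt] = max(risk[nxt], score)
    used, moves = set(MISSION.values()), []
    for comp, host in MISSION.items():
        free = [h for h in LINKS if h not in used and risk[h] < risk[host]]
        if risk[host] >= limit and free:
            new = min(free, key=lambda h: (risk[h], h))
            used.add(new)
            moves.append(f"move {comp}: {host} -> {new}")  # configuration control message
    return moves
```

Chaining mifd -> dad -> papr -> mother over one batch of reports yields the control messages for that cycle; a real loop would re-run it as new sensor reports and completion notices arrive.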