Research Advancements Towards Protecting Critical Assets
Dr. Richard "Rick" Raines, Cyber Portfolio Manager, Oak Ridge National Laboratory
15 July 2013

The Cyber Defense? (The Economist, May 9, 2009)

The Threat Landscape
• National intellectual property is being stolen at alarming rates
• National assets are vulnerable to attack and exploitation
• Personally Identifiable Information is at risk
• Competing and difficult national priorities for resources
Critical infrastructure sectors: Electric Power, Oil & Gas, Water, Emergency, Transportation, Communications, Financial
The landscape is continually changing

Understanding the Challenges
• Dynamic environment with constant churn
 – A domain of operations, "within" and "through"
 – Anytime, anywhere access to data and information
 – Policy and statutory lanes emerging
• Agile adversaries
 – Cyber and cyber-physical
 – Overt and covert attacks/exploits
• Data continues to grow
 – Sensor feeds yield terabytes of raw data
 – Analyst burdens continue to grow
We continue to play catch-up

Who Are the Threat Actors?
• Unintended threat actors: can be just about anyone
 – Target-rich environment: people, processes, machines
• Personal-gain threat actors: individuals and organized crime
 – Insiders?
• Ideological threat actors: hacktivists, extremists and terrorists
 – #OpUSA (7 May 13), #OpNorthKorea (25 Jun 13)
• Nation-state threat actors: intelligence gathering, military actions
The sophistication of the actors continues to increase

Who "Really" Are the Threat Actors?
• Over 90% of threat actors are external to the organization
• 55% of actors are associated with organized crime
 – Predominantly in the U.S. and Eastern Europe
• ~20% of actors are associated with nation-state operations
 – Over 90% of these attributable to China
• Internal actors: a large percentage of events are tied to unintentional misconfigurations
Source: www.verizonenterprise.com/DBIR/2013
But sophistication is not always needed...
The Targets
• 37% of incidents affected financial organizations
 – Organized crime, using virtual and physical methods
 – Since 9/2012, 46 U.S. institutions hit in over 200 separate intrusions (FBI)
• 24% targeted individuals in retail environments
 – 40% of data thefts attributed to employees in the direct payment chain
 – Waiters, cashiers, bank tellers: "skimmers" and similar devices
• Organizations will always be targets for who they are and what they do
Source: www.verizonenterprise.com/DBIR/2013
Actors will continue to look for the "low-hanging fruit"

Understanding Your Mission
• What does cyber situational awareness really mean?
 – User-defined
 – Real-time awareness of mission health
 – Highly relevant information to the decision-maker
• What are the "crown jewels" in your mission space?
 – The critical components you can't operate without
 – Understanding the interdependencies
• What capabilities are needed for success?
 – Revolutionary advances rather than evolutionary progress
 – The right talent, and enough of it, to ensure success
 – Partnerships are critical
Mission Assurance = Operational Success

Long-Term Grand Challenges

Cyber R&D Challenges: Operate Through an Outage/Attack
• Identify mission-critical capabilities
• Assess the complex attack-planning problem
• Design defense in depth
• Detect/block attacks
• Discover/mitigate attacks
• Enable graceful degradation of resilient (self-healing) systems
• System-of-systems approach to ensure continuity of operations (COOP)

Cyber R&D Challenges: Predictive Awareness
• Near-real-time situational awareness of the battlespace
• Automated/user-defined view
• Network mapping
• Predictive/self-healing systems
• Anticipate failure or attack and react automatically
• Mission-critical systems available and functional to operate through

Cyber R&D Challenges: Security in the Cloud
• Approach: wholly owned / cloud service / public internet
• Complex attack-planning problem
• Variety of security structures
• Masking, deception
• Continuous maneuver
• Graceful degradation of resilient (self-healing) systems
• Visibility of data and computations without access to the specific problem

Cyber R&D Challenges: Self-Protective Data/Software
• Resilient data (at rest and in motion)
• Protocols: secure, resilient, active
• Trustworthy computing
• High-user-confidence checksum
• Hardware-backed trust
• High user confidence in data and software
• Graceful degradation of mission-critical data to "last known good"

Cyber R&D Challenges: Security of Mobile Devices
• Classified/UNCLAS encryption
• Power and performance issues addressed
• Hardware root of trust
• Self-healing
• Data validated
• Leakage/transfer contained
• Biometric security features
• Bring your own device (disaster?)

ORNL Cyber Research Strengths
Research areas: computational cyber security, evidence-based action, science-based security, protection and control, nonclassical light sources, quantum simulation, analytics, data management, information visualization, application-oriented research
• Computational cyber security
 – Observation-based generative models
 – Control of false positives/negatives
 – Modeling of adversaries
 – Mathematical rigor
 – Computationally intensive methods
 – At scale, near real time
• Science-based security and evidence-based action
 – Statistics vs. metrics
 – Repeatability and reproducibility
 – Trend observation and identification
• Nonclassical light sources and quantum simulation
 – Photon-pair and continuous-variable entanglement
 – Comprehensive source design and simulation
 – High-performance computing resources
 – Putting quantum and computing together
 – Quantum for computing, communication, sensing, and security
• Application-oriented research: from first principles to real solutions
• Analytics
 – Probabilistic modeling
 – Social network analysis
 – Relational learning
 – Heterogeneous data analysis
 – Online, near-real-time methods
 – Graph modeling/retrieval
• Data management: distributed storage and analysis methods
• Information visualization
 – Geospatial and temporal display methods
 – Multiple, coordinated visualizations
 – User-centered design and user testing

ORNL Control Systems Security Research Strengths
Research areas: computational cyber security, real-time monitoring, evidence-based action, standards development, resilient control systems, detection, control and wide-area visualization, data management, information visualization, advanced components, analytics
• Computational cyber security
 – Observation-based generative models
 – Control of false positives/negatives
 – Modeling of adversaries
 – Vulnerability assessments
 – Mathematical rigor
 – Computationally intensive methods
 – At scale, near real time
• Real-time monitoring
 – Time-synchronized data
 – Fault disturbance recorders, PMUs
 – Voltage, frequency, phase, current
• Standards development
 – Industry guidelines
 – Interoperability
• Resilient control systems
 – Physics-based protection schemes
 – Cyber-physical interface
• Advanced components
 – Fault current limiters
 – Saturable reactors
 – Power electronics
• Analytics
 – Probabilistic modeling
 – Social network analysis
 – Relational learning
 – Heterogeneous data analysis
 – Online, near-real-time methods
 – Graph modeling/retrieval
• Data management: distributed storage and analysis methods
• Information visualization
 – Geospatial and temporal display methods
 – Multiple, coordinated visualizations
 – User-centered design and user testing

VERDE: Visualizing Energy Resources Dynamically on Earth
• Monitoring capability
 – Situational awareness of a subset of transmission lines (above 65 kV)
 – Situational awareness of distribution outages (status of approximately 100 million power customers)
 – Social-media feed ingest
 – Real-time weather overlays
• Modeling and analysis
 – Predictive and post-event impact modeling and contingency simulation
 – Automatic forecasts of power recovery
 – Energy interdependency modeling
 – Mobile application
 – Cyber dependency
Screenshots: Wide-Area Power Grid Situational Awareness; Impact Models and Data Analysis; Distribution Outages Analysis

Hyperion Protocol: function and security analysis of compiled binaries through behavior computation
STATUS QUO
• Current technology provides no practical means to validate the full behavior of software.
• Software may contain unknown vulnerabilities and sleeper code that compromise operations.
NEW INSIGHTS
• Program instructions implement functional semantics that can be precisely defined.
• Instruction semantics can be mathematically combined to compute the functional effect of programs.
HOW IT WORKS
• Hyperion Protocol technology computes the behavior of compiled binaries.
• The structure theorem shows how to transform code into standard control structures with no arbitrary branching.
• The correctness theorem shows how to express the behavior of control structures as nonprocedural specifications.
• Computed behavior can be compared to semantic signatures of vulnerabilities and malicious operations.
QUANTITATIVE IMPACT
• Determination of vulnerabilities and malicious content can be carried out at machine speeds.
• Validation: software can be analyzed for intended functionality.
• Readiness: software can be analyzed for malicious content.
GOAL
• A system for computing the behavior of binaries to identify vulnerabilities, sleeper code and malware.
STATUS
• Mathematical foundations developed at IBM
• SEI/CMU developed Function Extraction (FX)
• ORNL developing 2nd-generation FX on HPC

Oak Ridge Cyber Analytics (ORCA): Detecting Zero-Day Attacks
DoD Warfighter Challenge evaluation of ORNL's ORCA:
• Supervised learner (tweaked AdaBoost)
 – Detected 94% of attacks using machine learning methods
 – False positive rate of only 1.8%
• Semi-supervised learner (Linear Laplacian RLS)
 – Detected 60% of attacks using machine learning methods
 – No false positives
Detecting both previously seen and never-before-seen attacks.
Approach:
• Generalize computer communication behaviors using machine learning models.
• Classify incoming network data in real time.
• Complement signature-based sensor arrays to focus on attack variants.
Advantages:
• No signatures: trains on examples of attacks
• Detects attacks missed by the most advanced off-the-shelf (OTS) intrusion detectors.
• Detects zero-day attacks that are variants of existing attack vectors.
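The Hyperion slide's "new insights" in miniature: each instruction has a precisely defined effect on machine state, those effects compose along a path, and the result can be written as a nonprocedural specification (a case table of "path condition, final register values") and matched against a semantic signature. This is an added example, not Hyperion or Function Extraction code: a toy register machine with a few x86-style mnemonics, symbolic composition along every loop-free path, and one assumed signature ("some path returns a register as a constant unrelated to any input", the shape of a hard-coded sleeper result). The listing, register names, the `<reg>0` convention for initial values, and the signature are all assumptions made for the illustration; backward jumps are rejected because the FX loop-abstraction step is not reproduced here.

```python
"""Toy behaviour computation for a small assembly listing (added example;
not Hyperion/FX code).  Each instruction's effect on a symbolic machine
state is composed along every loop-free path, giving a case table
"path condition -> final register expressions" that can be matched
against a semantic signature."""
import re

REGS = ("eax", "ebx", "ecx", "edx")                        # assumed register file
ARITH = {"add": "+", "sub": "-", "imul": "*"}
COND = {"je": ("==", "!="), "jne": ("!=", "=="), "jl": ("<", ">=")}  # (taken, fall-through)

# Hypothetical routine (constructed): inputs in eax and ebx.  When ebx is
# exactly 42 it returns a fixed constant, a planted "sleeper" path.
LISTING = """
    cmp ebx, 42
    jne normal
    mov eax, 57005      ; 0xDEAD
    ret
normal:
    add eax, ebx
    imul eax, 2
    ret
"""


def parse(listing):
    """Return ([(mnemonic, [operands]), ...], {label: instruction index})."""
    instrs, labels = [], {}
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()                # drop comments
        if not line:
            continue
        if line.endswith(":"):
            labels[line[:-1]] = len(instrs)
            continue
        mnem, _, rest = line.partition(" ")
        instrs.append((mnem, [o.strip() for o in rest.split(",")] if rest else []))
    return instrs, labels


def operand(state, tok):
    """Symbolic value of an operand: a register's current expression or an immediate."""
    return state[tok] if tok in state else str(int(tok, 0))


def jump_target(labels, label, pc):
    target = labels[label]
    if target <= pc:
        raise NotImplementedError("backward jump: FX loop abstraction is not reproduced here")
    return target


def compute_behavior(listing):
    """Compose instruction semantics along every path from entry to ret.

    Returns the nonprocedural specification as a list of (conditions,
    final_state): conditions are the branch outcomes selecting the path,
    final_state maps each register to its final value written in terms of
    the initial values eax0, ebx0, ...
    """
    instrs, labels = parse(listing)
    worklist = [(0, {r: f"{r}0" for r in REGS}, [], None)]  # pc, state, conds, last cmp
    cases = []
    while worklist:
        pc, st, conds, flags = worklist.pop()
        st = dict(st)
        while True:
            mnem, ops = instrs[pc]
            nxt = pc + 1
            if mnem == "ret":
                cases.append((conds, st))
                break
            if mnem == "mov":
                st[ops[0]] = operand(st, ops[1])
            elif mnem in ARITH:
                st[ops[0]] = f"({st[ops[0]]} {ARITH[mnem]} {operand(st, ops[1])})"
            elif mnem == "cmp":
                flags = (operand(st, ops[0]), operand(st, ops[1]))
            elif mnem == "jmp":
                nxt = jump_target(labels, ops[0], pc)
            elif mnem in COND:
                taken, fall = COND[mnem]
                target = jump_target(labels, ops[0], pc)
                # fork: the taken side goes on the worklist, this path falls through
                worklist.append((target, dict(st), conds + [f"{flags[0]} {taken} {flags[1]}"], flags))
                conds = conds + [f"{flags[0]} {fall} {flags[1]}"]
            else:
                raise ValueError(f"unsupported mnemonic: {mnem}")
            pc = nxt
    return cases


def input_independent_cases(cases, reg):
    """Assumed semantic signature: some path returns `reg` as a value that
    mentions no initial register, i.e. a constant unrelated to the inputs."""
    return [conds for conds, st in cases if not re.search(r"\b[a-z]+0\b", st[reg])]


if __name__ == "__main__":
    spec = compute_behavior(LISTING)
    for conds, st in spec:
        print(" and ".join(conds) or "always", "->", {r: st[r] for r in ("eax", "ebx")})
    print("input-independent eax on paths:", input_independent_cases(spec, "eax"))
```

Running it prints two cases, `ebx0 == 42 -> eax = 57005` and `ebx0 != 42 -> eax = ((eax0 + ebx0) * 2)`, and the signature check singles out the first. That is the whole point of the slide's "compare computed behavior to semantic signatures": the question is asked of the routine's net function, not of byte patterns, so renaming registers or reordering the arithmetic on the sleeper path would not hide it. What the toy leaves out is exactly what makes the real problem hard: loops (which FX handles through loop abstraction), memory, calls, and simplification of the symbolic expressions so that equivalent computations compare equal.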
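An added example of the supervised approach the ORCA slide describes, not ORNL's code: textbook AdaBoost (Freund and Schapire) over decision stumps, trained on constructed per-flow feature records and scored with the same two numbers the slide reports, detection rate and false-positive rate. The page does not say what ORNL's "tweak" to AdaBoost was, so none is attempted. The feature set, every training flow and the four held-out flows are constructed for the illustration; the two held-out attacks are deliberately outside the range of any training attack so the run shows what "variants of existing attack vectors" means for a learned model.

```python
"""AdaBoost over decision stumps on per-flow features (added example; not
ORCA's code).  Labels: +1 attack, -1 benign.  Every record is constructed."""
import math

FEATURES = ("bytes", "pkts", "dst_ports", "syn_ratio")     # assumed feature set

# Constructed training flows: [bytes, packets, distinct destination ports,
# fraction of packets that were bare SYNs], label.
TRAIN = [
    ([50000, 120, 1, 0.05], -1), ([120000, 300, 2, 0.03], -1),
    ([8000, 40, 1, 0.10], -1),   ([3000, 25, 3, 0.15], -1),
    ([250000, 800, 2, 0.02], -1), ([15000, 90, 1, 0.08], -1),
    ([600, 12, 4, 0.30], -1),    ([90000, 200, 1, 0.04], -1),
    ([20000, 150, 30, 0.20], -1),  # authorised vulnerability scanner: many ports, few bare SYNs
    ([45000, 150, 2, 0.06], -1),
    ([700, 20, 2, 0.70], -1),      # client retrying a dead server: SYN-heavy, one port
    ([30000, 110, 1, 0.05], -1),
    ([300, 60, 40, 0.95], 1),  ([150, 30, 25, 0.90], 1),
    ([500, 100, 60, 0.98], 1), ([2500, 80, 30, 0.85], 1),
    ([200, 45, 22, 0.92], 1),  ([900, 70, 35, 0.80], 1),
    ([120, 25, 12, 0.35], 1),      # slow connect() scan: few ports, handshakes complete
    ([400, 50, 45, 0.97], 1),
]

# Constructed flows never seen in training: two attack variants, two benign.
HELD_OUT = {
    "fast wide sweep": [60, 500, 900, 0.99],
    "sweep padded with banner grabs": [5000, 400, 200, 0.88],
    "large download": [80000, 260, 2, 0.05],
    "single DNS lookup": [400, 8, 1, 0.25],
}


def stump_predict(stump, x):
    """A stump is (feature index, threshold, polarity): vote polarity if x[f] > thr."""
    f, thr, polarity = stump
    return polarity if x[f] > thr else -polarity


def best_stump(rows, w):
    """Exhaustive search over features, midpoints between adjacent distinct
    values and both polarities; the first stump with minimal weighted error wins."""
    best = None
    for f in range(len(FEATURES)):
        vals = sorted({x[f] for x, _ in rows})
        for lo, hi in zip(vals, vals[1:]):
            for polarity in (1, -1):
                stump = (f, (lo + hi) / 2, polarity)
                err = sum(wi for (x, y), wi in zip(rows, w) if stump_predict(stump, x) != y)
                if best is None or err < best[0]:
                    best = (err, stump)
    return best


def train_adaboost(rows, rounds=5):
    """Freund-Schapire AdaBoost: reweight toward the examples the current
    ensemble gets wrong, so later stumps specialise on the hard cases."""
    w = [1.0 / len(rows)] * len(rows)
    model = []
    for _ in range(rounds):
        err, stump = best_stump(rows, w)
        err = min(max(err, 1e-12), 1 - 1e-12)              # keep the log finite
        alpha = 0.5 * math.log((1 - err) / err)
        model.append((alpha, stump))
        w = [wi * math.exp(-alpha * y * stump_predict(stump, x)) for (x, y), wi in zip(rows, w)]
        total = sum(w)
        w = [wi / total for wi in w]
    return model


def score(model, x):
    return sum(alpha * stump_predict(stump, x) for alpha, stump in model)


def classify(model, x):
    return 1 if score(model, x) > 0 else -1


def evaluate(model, rows):
    """(detection rate, false-positive rate) over labelled rows."""
    attacks = [x for x, y in rows if y == 1]
    benign = [x for x, y in rows if y == -1]
    tp = sum(classify(model, x) == 1 for x in attacks)
    fp = sum(classify(model, x) == 1 for x in benign)
    return (tp / len(attacks) if attacks else 0.0, fp / len(benign) if benign else 0.0)


if __name__ == "__main__":
    model = train_adaboost(TRAIN)
    for alpha, (f, thr, pol) in model:
        print(f"weight {alpha:.2f}: attack if {FEATURES[f]} {'>' if pol == 1 else '<='} {thr:g}")
    print("training detection rate, false-positive rate:", evaluate(model, TRAIN))
    for name, x in HELD_OUT.items():
        print(f"{name}: {'ATTACK' if classify(model, x) == 1 else 'benign'} (score {score(model, x):+.2f})")
```

The first stump splits on distinct destination ports, which by itself would flag the authorised scanner; the later rounds add SYN-ratio and byte-count stumps that outvote it, and the padded sweep is still caught because three of the four weighted votes say "attack" even though its byte count looks benign. That is the slide's "no signatures, trains on examples" in the smallest form: the model carries thresholds over behaviour, so a variant that pushes the same features further is detected without anyone having seen it. The 1.0 / 0.0 figures this toy reaches on its own training set say nothing about the 94% / 1.8% from the DoD evaluation; a real deployment measures on held-out traffic, and the semi-supervised learner on the slide exists precisely because labelled attack examples are scarce.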
Moving Ahead
• Increased national focus on cyber security
• Cyber law enforcement capabilities growing ("who")
• Digital forensics improving ("how")
• Information Sharing and Analysis Centers (ISACs) ("what")
• Maturing education and training for the professionals
• Better education for "the masses"
• Rapidly evolving R&D breakthroughs
The human is still the weakest element in the cyber domain

Questions? rainesra@ornl.gov