Adaptive Cybersecurity Technologies: Impact
Ulf Lindqvist, Ph.D.
Program Director, Infrastructure Security Research, Computer Science Laboratory
SRI International
Presented at the Belfast 2013 Summit, March 15, 2013
The work by SRI International was funded by U.S. Department of Homeland Security’s Science and Technology Directorate. The views and conclusions contained herein are those of the author and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the U.S. Department of Homeland Security or the U.S. government.
About SRI International
SRI is a world-leading R&D organization
• An independent, nonprofit corporation
– Committed to discovery and to the application of science and technology for knowledge, commerce, prosperity, and peace
– Founded by Stanford University in 1946
– Independent in 1970; changed name from Stanford Research Institute to SRI International in 1977
• More than 2,100 staff members
• More than 20 locations worldwide
[Map: locations including Silicon Valley (headquarters); Princeton, New Jersey; Harrisonburg, Virginia; State College, Pennsylvania; Washington, D.C.; and Tokyo, Japan]
Adaptive Cybersecurity Technologies
• Also known as
– Moving target
– Moving defense
– Dynamic defense
• No standard definitions yet
• General idea:
– Increase uncertainty, complexity, and cost for the attacker
Static Systems and Defenses Allow Attackers to Practice
Current Status of Adaptive Cybersecurity R&D
[Figure: cybersecurity R&D execution model with the phases Pre-R&D (research agendas, solicitations), prioritized requirements, R&D, and Post-R&D (assessments, experiments, outreach)]
Cybersecurity R&D execution model from: D. Maughan, D. Balenson, U. Lindqvist, Z. Tudor, Crossing the “Valley of Death”: Transitioning Cybersecurity Research into Practice, IEEE Security & Privacy Magazine, March/April 2013, to appear
Overview of Current R&D in Adaptive Cybersecurity
• Moving Target
– National Symposium on Moving Target Research
– DHS S&T Moving Target Defense Program
• Dynamic Defense Workshop
• Software-defined networking enabling adaptive techniques
• Common approaches noted
– Randomization
– Deception
– Detection
– Deflection/Quarantine
Moving Target Research Symposium, June 11, 2012
DHS S&T: Moving Target Defense Program
DHS S&T: Moving Target Defense Program contd.
• Projects awarded under DHS S&T BAA11-02, TTA 12
– Moving Target Defense for Secure Hardware Design (Princeton University)
• Develop hardware solution that applies moving target defense to processor cache mapping, preventing information leakage from cache side-channel attacks
– Appliance for Active Repositioning in Cyberspace (Northrop Grumman Information Systems)
• Develop network edge hardware device that will change IP addresses across multiple separate enclaves at a sub-second frequency over a 10Gb/s network connection, to prevent adversary mapping of the attack surface
• SBIR Phase I projects funded by DHS S&T
1) Framework managing continuous deployment of randomized software
2) IP hopping system utilizing IPv6
3) System that removes static attributes and continuously refreshes
4) Binary randomization tool, comprehensively randomizing binary programs
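As an added illustration (not code from any of the projects listed above), the following Python sketch shows the core mechanism behind an IP hopping scheme such as the address-repositioning appliance and the IPv6 hopping SBIR project: each endpoint derives the host's current address from a shared key and the current time slot, so legitimate peers stay in sync while an address recorded by a scanner goes stale at the next hop. The enclave prefix, the per-host key, and the 500 ms hop interval are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress

# Constructed assumptions for the example: a documentation-only IPv6 enclave prefix,
# a placeholder per-host key, and a hop interval of 500 ms (sub-second, as in the text).
ENCLAVE = ipaddress.ip_network("2001:db8::/64")
HOST_KEY = b"placeholder-shared-key-for-host-A"
HOP_MS = 500


def hop_slot(time_ms: int) -> int:
    """Index of the hop interval that a timestamp (in milliseconds) falls into."""
    return time_ms // HOP_MS


def address_for_slot(key: bytes, slot: int, network=ENCLAVE) -> ipaddress.IPv6Address:
    """Derive the address used during one slot as HMAC-SHA256(key, slot) mod prefix size.

    Both endpoints run this same derivation, so the hop schedule is never sent on
    the wire and an observer without the key cannot predict the next address.
    """
    tag = hmac.new(key, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    offset = int.from_bytes(tag[:8], "big") % network.num_addresses
    return network[offset]


def current_address(key: bytes, time_ms: int) -> ipaddress.IPv6Address:
    """Address a legitimate peer uses to reach the host at the given time."""
    return address_for_slot(key, hop_slot(time_ms))


def is_reachable(key: bytes, observed: str, time_ms: int) -> bool:
    """Would a packet sent to a previously observed address still reach the host now?

    This is the defender's view of the attack surface: a map of the enclave built
    at one moment is only valid until the next hop.
    """
    return ipaddress.ip_address(observed) == current_address(key, time_ms)


if __name__ == "__main__":
    mapped = str(current_address(HOST_KEY, 0))  # address a scanner recorded at t = 0 ms
    print("scanner mapped host at", mapped)
    for t in (100, 499, 500, 1200):
        print(f"t={t:5d} ms  recorded address still valid: {is_reachable(HOST_KEY, mapped, t)}")
```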
Dynamic Defense Workshop at Sandia, Sept. 5-6, 2012
• Discussion topics
– Taxonomies and structures
– Challenges and opportunities
Software-Defined Networking Enabling Adaptive Techniques
Source: R. Sherwood, S. Das, Y. Yiakoumis, AT&T Tech Talks October 2010 www.openflow.org/wk/images/1/17/OpenFlow_in_SPnetworks.ppt
[Figure: analogy between computer virtualization (x86 hardware, a virtualization layer, and multiple guest OSes such as Windows, Linux and Mac OS running apps) and network virtualization or “slicing” (OpenFlow switches, a slicing layer, and multiple controllers such as NOX acting as a network OS running network apps)]
FRESCO: Modular Composable Security Services for Software-Defined Networks (NDSS 2013)
• FRESCO: an OpenFlow security application framework for rapid design and modular composition of OpenFlow-enabled detection and mitigation modules
Detection and Quarantine 1: BotHunter and FRESCO
Detection and Quarantine 2: Machine Biometrics and Cocooning
• Project: Machine-Oriented Biometrics and Cocooning for Dynamic Network Defense (J. J. Haas, J. Hamlet, J. Doak, Sandia National Laboratories)
• Cocoon an affected host when an anomaly or event is detected
• Use software-defined networking to redirect a subset of suspicious network traffic from real to emulated services with sanitized data to deceive the attacker
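To make the cocooning step concrete, here is an added Python model (not the Sandia project's code) of an SDN controller's flow table: when an anomaly is reported for a host, the controller installs higher-priority rules that redirect that host's traffic on the ports it can emulate to decoy services serving sanitized data and drops the rest, while every other host keeps flowing to the real services. The service addresses and port numbers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed example topology: real services and the emulated decoys
# (serving sanitized data) that stand in for them inside the cocoon.
REAL_SERVICES = {80: "10.0.0.10", 445: "10.0.0.11"}
DECOY_SERVICES = {80: "10.0.9.10", 445: "10.0.9.11"}


@dataclass
class FlowRule:
    priority: int                 # highest matching priority wins, as in OpenFlow
    src: Optional[str]            # None = wildcard on source host
    dst_port: Optional[int]       # None = wildcard on destination port
    action: str                   # "forward", "redirect" or "drop"
    target: Optional[str] = None  # destination used by "redirect"

    def matches(self, src: str, dst_port: int) -> bool:
        return self.src in (None, src) and self.dst_port in (None, dst_port)


class CocoonController:
    """Minimal controller: a flow table plus the cocoon/release policy."""

    def __init__(self) -> None:
        # Table-miss rule: by default everything goes to the real service.
        self.rules = [FlowRule(0, None, None, "forward")]
        self.cocooned: set = set()

    def on_anomaly(self, host: str) -> None:
        """Cocoon a host: decoy the ports we can emulate, drop everything else it sends."""
        if host in self.cocooned:
            return
        self.cocooned.add(host)
        for port, decoy in DECOY_SERVICES.items():
            self.rules.append(FlowRule(20, host, port, "redirect", decoy))
        self.rules.append(FlowRule(10, host, None, "drop"))

    def release(self, host: str) -> None:
        """Undo the cocoon once the host has been remediated."""
        self.rules = [r for r in self.rules if r.src != host]
        self.cocooned.discard(host)

    def lookup(self, src: str, dst_port: int) -> Tuple[str, Optional[str]]:
        """Resolve a flow the way the switch would: highest-priority matching rule."""
        rule = max((r for r in self.rules if r.matches(src, dst_port)),
                   key=lambda r: r.priority)
        if rule.action == "forward":
            return ("forward", REAL_SERVICES.get(dst_port))
        return (rule.action, rule.target)
```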
Advanced Adaptive Detection
• Signature-based detection/prevention will always be behind the curve
• SRI has developed
– A suite of detection mechanisms that are based on higher-level models
– Specialized detection mechanisms for protocols used in critical infrastructures
– Advanced model-based detection technologies that reduce false positives and the need for pristine training data
Summary
• There are ongoing active pre-R&D and R&D efforts in Adaptive Cybersecurity
• Discussions around metrics and evaluation have started
• Frameworks and tools are currently being developed
• Expect real impact within 2-3 years, when the first tools will have been transitioned to commercialization and deployment
Headquarters: Silicon Valley
SRI International, 333 Ravenswood Avenue, Menlo Park, CA 94025-3493, 650.859.2000
Washington, D.C.
SRI International, 1100 Wilson Blvd., Suite 2800, Arlington, VA 22209-3915, 703.524.2053
Princeton, New Jersey
SRI International Sarnoff, 201 Washington Road, Princeton, NJ 08540, 609.734.2553
Additional U.S. and international locations: www.sri.com