Vigilance and High Confidence Control Theory for Information Assurance - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Vigilance and High Confidence Control Theory for
Information Assurance
  • Anup Ghosh, Hassan Saidi, Patrick Lincoln, Vern
    Paxson, Jim Horning, Jeff Voas, Alex Snoeren,
    Michalis Faloutsos, James Denny, Srikanth
    Krishnamurthy, Prasanta Bose

2
Vigilance Idea
  • Distributed eyes constantly monitoring the system
    for deviation
  • If you do have a model, then you might be able to
    leverage dynamic programming to control it.
  • To build a model, reinforcement learning could
    build that model.
  • Need really good observables for learning

3
Ontology
  • Observables (what can a vigilant monitoring
    system see?)
  • Controllables
  • Metrics (models parameterized in terms of these)
  • Root cause (what got us here, e.g. a fault)
  • Trustworthiness of system
  • Scale of system (pinpoint vs distributed vs
    internet)
  • Models are the key

4
Models and Abstraction
  • Objective functions
  • Look for deviation: which signatures recognize
    which behaviors
  • Consider a routing protocol
  • What are those signatures?
  • Kalman filtering to estimate deviation
  • Example: power drainage
  • Model predictive control
  • Model checking with statistical approaches
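The "Kalman filtering to estimate deviation" and "power drainage" bullets above, as an added example that is not part of the slides: a one-dimensional Kalman filter tracks a node's remaining energy against an assumed nominal drain model and flags steps whose normalized innovation exceeds a threshold. The drain rate, noise variances, noise pattern and trace are all constructed for illustration.

```python
"""Kalman-filter deviation detector over a constructed power-drain trace.

Model assumption (constructed): remaining energy drops by NOMINAL_DRAIN per
step. The filter predicts that, compares it with each reading, and flags a
step when the normalized innovation squared exceeds THRESHOLD (about 3 sigma).
"""

NOMINAL_DRAIN = 1.0   # assumed energy units consumed per step (the model)
PROCESS_VAR = 0.05    # model uncertainty Q (constructed)
MEASURE_VAR = 0.5     # sensor noise variance R (constructed)
THRESHOLD = 9.0       # flag when nu^2 / S exceeds this (~3 sigma)

# Constructed, deterministic sensor noise pattern (cycled), so runs are repeatable.
NOISE = [0.2, -0.3, 0.1, -0.1, 0.4, -0.2, 0.0, 0.3, -0.4, 0.1]


def constructed_trace(steps=60, onset=40, extra_drain=4.0):
    """Constructed sample readings: nominal drain, then extra drain from `onset` on."""
    level, readings = 100.0, []
    for t in range(steps):
        level -= NOMINAL_DRAIN + (extra_drain if t >= onset else 0.0)
        readings.append(level + NOISE[t % len(NOISE)])
    return readings


def detect_deviations(readings, x0=100.0, p0=1.0):
    """Run a 1-D Kalman filter; return the step indices that deviate from the model."""
    x, p, flagged = x0, p0, []
    for t, z in enumerate(readings):
        # Predict: the model says energy falls by the nominal drain.
        x_pred = x - NOMINAL_DRAIN
        p_pred = p + PROCESS_VAR
        # Innovation (reading minus prediction) and its variance.
        nu = z - x_pred
        s = p_pred + MEASURE_VAR
        if nu * nu / s > THRESHOLD:
            flagged.append(t)          # reading is inconsistent with the model
        # Update the estimate with the reading (the filter keeps tracking).
        k = p_pred / s
        x = x_pred + k * nu
        p = (1.0 - k) * p_pred
    return flagged


if __name__ == "__main__":
    print("deviating steps:", detect_deviations(constructed_trace()))
```

With the constructed trace the detector is quiet for the first 40 steps and flags every step once the extra drain begins; with `extra_drain=0.0` it flags nothing.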

5
What Are We Trying To Do
  • If models have certain strong stability criteria
  • Then systems of components meeting those criteria
    exhibit good global behavior
  • If we deploy 12 laptops at DefCon
  • RoboCup / BattleBots, where you give a robot to the
    other team
  • Try to move toward a model where an attacker is
    not fundamental to our success
  • Abstract what an adversary does?

6
What are the observables (for trustworthy systems)
  • In classic control, you have an objective
    function determined by observables
  • To control some property for reliability need to
    know what is observable and what actuators are
    available

7
Network Observation
  • Once you have a network, recovery activity is
    reflected in other nodes
  • Want to show that this is damped, rather than
    amplified as an effect propagates across a network

8
Two Points
  • What are the observables
  • What are the models
  • Current state of the art modeling?
  • Distributed systems bring their own issues
  • One machine sees an attack over a service
  • Another machine sees related behavior over a
    different attack channel
  • At the network-level view, a network-level
    understanding of what is going on
  • Network themes.

9
Terabytes of Observations
  • The problem is what is your model of trustworthy
    behavior
  • Reinforce your model
  • Sheds doubt on model
  • Challenge real specs for specification-based IDS
  • Need to develop techniques to derive and update
    models from observed behavior
  • Reinforcement learning?
  • Automated technique gives candidates, which
    humans filter
  • Automatically detect similarities of candidates
    with previously approved ones

10
Learning hot stuff
  • Reinforcement learning plus dynamic programming
  • Used to be just probabilistic correlation: learn
    the weight function
  • Now give a value function, search for optimal
    weights for that value function

11
Large System Behaviors
  • Collective behaviors may be easier to identify
  • Might enable getting around difficult
    fine-grained discrete behavior detection
  • Adaptive routing in ad-hoc networks
  • Signature is delays

12
Layer-specific behaviors
  • Byzantine behaviors of malicious nodes can be
    detected at higher than networking layer
  • Networking layer may be on-spec to protocols, but
    higher levels bad things are happening

13
Response Can Depend on System
  • Bad network node might be needed for forwarding
  • But can rekey end-to-end (or whole rest of
    network) to protect content or service

14
What Are Models at Different Levels
  • Need to fuse information from different levels
  • But not lose the benefits of hierarchy
  • Must filter or abstract

15
Grand Challenges
  • Deriving models
  • What are the metrics
  • Fusing information from different levels
  • Make adding vigilance easy

16
Grand Challenge Problem
  • Take 1 given complex system, under successful
    attack, system fails mission
  • Take 2 with vigilance enabled, same threats,
    system succeeds mission
  • Done where vigilance is added not as a one-off
    hard-wired add-on, but done with limited
    knowledge of target system

17
END
18
Other Notes
19
Consensus-Based Reasoning
  • Harness the heterogeneity of a system
  • But minefield and ISP have different behaviors

20
When do we use which model?
  • Metrics and observables are not the same thing
  • Observables can be task or application specific
  • Putting observables together into metrics
  • One level's observables are another level's metrics

21
Control
  • State relative to the environment
  • Only if a control system understands the
    environment can it reliably take action
  • But this cannot be allowed to induce delay
  • Challenge: how much information from the outside
    world must be reflected to the controllers?

22
Hierarchical Control
  • Output of a sublayer becomes an objective for the
    next layer
  • Local control: what is the impact of control at a
    local node on global behavior?
  • Emergent behavior of local decisions could lead
    to instability
  • Stability

23
Adversary Model
  • Take action at different levels
  • Goal is to accomplish the mission
  • Enable strategies at the lower level: fine-grained
    detection and response
  • Also enable higher-level strategies: collective
    responses