Toward the Creation of Synthetic User Environment: An Active Network Defence Enabler [1]
  • Ph.D. Comprehensive Examination Part II
  • Depth Research and Proposal Presentation
  • by
  • Major Sylvain P. Leblanc
  • 1 February 2008
  • Dry Run for CSL Members

Outline [2]
  • What is the engineering problem to be solved?
    • Scenario, Attacker Characteristics, Hypothesis
  • In what sense are previous solutions to this
    problem unsatisfactory?
    • Background Research & Deficiencies
  • What is my solution?
    • Research Approach & Activities
  • What evidence is there that my solution is an
    improvement over previous solutions?
    • Validation, Conclusion & Contribution

Illustrative Scenario (1)
  • The traditional response to an intrusion is to
    mitigate damage by removing the attacker's access
  • The requirement for Active Network Defence has been
    accepted by the research community (Leblanc &
    Knight [6], Leblanc [7]):
    • Holding contact with the attacker
    • Understanding the attacker
    • Preparing a response to the attack

Illustrative Scenario (2)
  • A high-fidelity environment is required to
    convince the attacker to continue interacting
    with the compromised system.
  • It must include user actions, which means either:
    • leaving the user on the compromised system, with
      or without their knowledge (a bad thing), or
    • diverting precious resources to have someone
      "act" as the user, or
    • automating the user activity

Illustrative Scenario (3)
Observation & Control
  • The Network Intrusion Surveillance Tool (NIST, not
    to be confused with the U.S. standards institute)
    is to provide:
    • tools to allow the covert observation of the
      attacker's activity,
    • tools to control what the attacker can do with
      the compromised system, and
    • a Synthetic User Environment (SUE) which helps
      create a realistic environment with which the
      attacker wants to interact, without suspicion of
      being observed
  • The SUE is scoped to mouse and keyboard Human
    Interface Device (HID) events only

Attacker Characteristics
  • Basic Abilities
    • Clock
    • Process List
    • Kernel Events
    • Statistical Analysis
    • Own Processes
    • Derived User Work Schedule
  • Restrictions on Attackers
    • Cannot stream the interfaces off the system
    • No physical observation of the user
    • All processing must happen onboard the
      compromised system

Characterisation Process
  • The attacker's desire to remain undetected will
    impose restrictions on their ability to
    characterize the compromised system [3]

Characterization of User Activity by Attackers
Figure: mouse events and keyboard events are used to
derive user activity, which is then characterised
against the attacker's model of user behaviour
  • The thesis of the research is that the modelled
    user activity generated by SUE will be classified
    as human activity by the attacker. Specifically,
    the research will investigate the automatic
    generation of user activity, at the level of the
    mouse and keyboard human interface devices, in a
    way that is consistent with models of user
    behaviour.

Background Research (1) - Honeypots
  • Parallels can be drawn with honeypots (Spitzner [4]):
    • tools to learn about attackers' tools and
      techniques
  • Classification expresses the relationship between
    risk and potential information gained (Spitzner
    [4], Brenton [5])
  • Vitality detection (attackers testing whether a
    system shows signs of real use before engaging it)
    provides strong motivation for the SUE

Deficiencies of Current Research (1) - Honeypots
  • Focus on tools and techniques, and not on attacker
    motivation and goals: inadequate for
    intelligence collection
  • Classification does not address the proposed
    deployment environment
    • NIST is to be used on compromised production
      systems

Background Research (2) - Modelling Mouse
  • Ahmed & Traore (University of Victoria) [8]
    • Introduce mouse dynamics as a behavioural
      biometric
    • Detector based on type of mouse action, duration
      of the action, distance travelled and direction
      of movement
  • Pusara & Brodley (Purdue) [10]
    • Use screen coordinates to derive mouse movement
    • Profiles are built using 111 features, derived
      from statistics of the movement data
    • Mouse samples are classified using a decision tree
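As an added illustration of the features named above (not code from the presentation or from Ahmed & Traore), the following Python derives type of action, duration, distance travelled and direction from a raw mouse event log, which is exactly what a detector running onboard the compromised host could do. The segmentation rule (a click or an idle gap closes an action), the eight 45-degree direction sectors and the sample event log are assumptions made for the example; the real detector's classifier is not reproduced.

```python
"""Mouse-dynamics features of the kind an attacker's detector could compute
on the compromised host (feature set after Ahmed & Traore [8]).
Added example, not code from the presentation or the cited authors.
Assumptions: a raw event is (t_ms, x, y, button) with button None for a
move and "L"/"R" for a click; an action is a run of moves closed by a click
(point-and-click, PC) or by an idle gap longer than ACTION_GAP_MS (plain
mouse-move, MM); direction is one of eight 45-degree sectors, numbered
1..8 anticlockwise from the positive x axis."""
import math
from collections import Counter

ACTION_GAP_MS = 500   # assumed idle gap that closes a movement action
SECTORS = 8           # eight direction classes of 45 degrees each

# Constructed sample log: three point-and-click actions heading right,
# down and left respectively (screen y grows downward).
SAMPLE_EVENTS = [
    (0, 100, 100, None), (20, 110, 104, None), (40, 122, 109, None),
    (60, 135, 113, None), (80, 150, 118, None), (95, 152, 119, "L"),
    (900, 152, 119, None), (920, 148, 140, None), (940, 146, 165, None),
    (960, 145, 190, None), (975, 145, 191, "L"),
    (2000, 145, 191, None), (2020, 120, 185, None), (2040, 90, 180, None),
    (2060, 60, 176, None), (2080, 30, 172, None), (2100, 5, 170, None),
    (2110, 4, 170, "R"),
]


def segment_actions(events, gap_ms=ACTION_GAP_MS):
    """Split the stream into (kind, points) actions."""
    actions, current = [], []
    for ev in events:
        if current and ev[0] - current[-1][0] > gap_ms:
            actions.append(("MM", current))     # closed by silence
            current = []
        current.append(ev)
        if ev[3] is not None:
            actions.append(("PC", current))     # closed by a click
            current = []
    if len(current) > 1:                        # trailing movement, no click
        actions.append(("MM", current))
    return actions


def action_features(kind, pts):
    """Type, duration, distance travelled and direction sector of one action."""
    duration = pts[-1][0] - pts[0][0]
    distance = sum(math.hypot(b[1] - a[1], b[2] - a[2])
                   for a, b in zip(pts, pts[1:]))
    dx, dy = pts[-1][1] - pts[0][1], pts[-1][2] - pts[0][2]
    angle = math.degrees(math.atan2(-dy, dx)) % 360   # flip y: screen y grows downward
    sector = int(angle // (360 / SECTORS)) + 1
    speed = distance / duration if duration else 0.0
    return {"type": kind, "duration_ms": duration,
            "distance_px": round(distance, 1),
            "direction": sector, "speed_px_per_ms": round(speed, 3)}


def mouse_profile(events):
    """Per-action features plus the histograms a detector would compare
    against a stored signature."""
    feats = [action_features(k, p) for k, p in segment_actions(events)]
    return {"actions": feats,
            "type_hist": dict(Counter(f["type"] for f in feats)),
            "direction_hist": dict(Counter(f["direction"] for f in feats))}


if __name__ == "__main__":
    for feature in mouse_profile(SAMPLE_EVENTS)["actions"]:
        print(feature)
```

A SUE that moves the pointer in straight lines at constant speed would produce degenerate duration and direction histograms; the comparison the attacker makes is between these histograms and a signature learned from a real user.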

Background Research (3) - Modelling Typing
  • Ahmed & Traore (University of Victoria) [8]
    • Use dwell time and flight time of digraphs
  • Gunetti & Picardi (University of Torino) [11]
    • Model free text, representing samples as
      (n-graph, n-graph duration) pairs
    • Use absolute and relative measures of distance
      between typing samples/profiles
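The keyboard side of the attacker's characterisation, as an added example that is neither the presentation's nor the cited authors' code: press-to-press digraph latencies (the n-graph duration representation for n = 2), dwell and flight times are extracted from raw key events, and two samples are compared with distances modelled on the relative (R) and absolute (A) measures described by Gunetti & Picardi [11]. The constructed samples show the point the thesis turns on: a synthetic stream that follows the reference user's per-digraph timing is indistinguishable by these measures, while a naive constant-interval stream is maximally disordered. The text, the timings and the similarity threshold t = 1.25 are assumptions.

```python
"""Keystroke features an attacker can compute from logged key events and a
sample-to-sample distance modelled on the R (relative) and A (absolute)
measures of Gunetti & Picardi [11].  Added example, not code from the
presentation or the cited papers.  Assumptions: an event is
(t_ms, key, is_press); the digraph duration is press-to-press latency;
dwell and flight (after Ahmed & Traore [8]) assume non-overlapping
keystrokes; the threshold t = 1.25 and the samples are constructed."""


def make_events(text, press_gaps, dwell=80):
    """Constructed key log: press_gaps[i] is the latency (ms) from press i to
    press i+1; every key is held for `dwell` ms."""
    events, t = [], 0
    for i, key in enumerate(text):
        events += [(t, key, True), (t + dwell, key, False)]
        if i < len(press_gaps):
            t += press_gaps[i]
    return events


def dwell_and_flight(events):
    """Per-key dwell (hold) times and flight times (release -> next press)."""
    dwell, flight, open_press, last_release = {}, [], {}, None
    for t, key, down in sorted(events):
        if down:
            open_press[key] = t
            if last_release is not None:
                flight.append(t - last_release)
        else:
            dwell.setdefault(key, []).append(t - open_press.pop(key))
            last_release = t
    return dwell, flight


def digraph_means(events):
    """Mean press-to-press latency per digraph: the (n-graph, duration)
    representation of a free-text sample for n = 2."""
    presses = [(t, k) for t, k, down in sorted(events) if down]
    sums = {}
    for (t1, k1), (t2, k2) in zip(presses, presses[1:]):
        total, count = sums.get(k1 + k2, (0, 0))
        sums[k1 + k2] = (total + (t2 - t1), count + 1)
    return {dg: total / count for dg, (total, count) in sums.items()}


def r_distance(a, b):
    """Relative measure: order the shared digraphs by duration in each sample
    and measure how far b's ordering is from a's, normalised by the maximum
    disorder (n^2/2 for even n, (n^2-1)/2 for odd n)."""
    shared = sorted(set(a) & set(b))
    n = len(shared)
    if n < 2:
        return 1.0
    order_a = sorted(shared, key=lambda d: a[d])
    pos_b = {d: i for i, d in enumerate(sorted(shared, key=lambda d: b[d]))}
    disorder = sum(abs(i - pos_b[d]) for i, d in enumerate(order_a))
    max_disorder = n * n // 2 if n % 2 == 0 else (n * n - 1) // 2
    return disorder / max_disorder


def a_distance(a, b, t=1.25):
    """Absolute measure: fraction of shared digraphs whose durations differ
    by more than a factor t."""
    shared = set(a) & set(b)
    if not shared:
        return 1.0
    similar = sum(1 for d in shared if max(a[d], b[d]) / min(a[d], b[d]) <= t)
    return 1 - similar / len(shared)


def distance(sample, reference):
    """Combined distance used to accept or reject a sample against a profile."""
    a, b = digraph_means(sample), digraph_means(reference)
    return r_distance(a, b) + a_distance(a, b)


# Constructed samples, all of the text "thethe".
HUMAN_REFERENCE = make_events("thethe", [120, 200, 260, 130, 190])
HUMAN_AGAIN = make_events("thethe", [130, 210, 240, 110, 180])    # same person, later
SUE_MODELLED = make_events("thethe", [125, 195, 260, 125, 195])   # follows the model
SUE_NAIVE = make_events("thethe", [180] * 5)                      # constant interval

if __name__ == "__main__":
    for name, sample in [("human again", HUMAN_AGAIN), ("SUE modelled", SUE_MODELLED),
                         ("SUE naive", SUE_NAIVE)]:
        print(f"{name:12s} distance to reference = {distance(sample, HUMAN_REFERENCE):.3f}")
```

The naive stream scores the maximum relative distance because every digraph takes the same time, so the ordering carries none of the user's structure; the modelled stream scores zero on both measures. Real profiles are built from many samples and longer n-graphs, but the acceptance logic is the same.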

Deficiencies of Current Research (2) - User
Behaviour Modelling
  • Current user behaviour modelling efforts are
    aimed at authentication
    • Only model a subset of the interesting
      characteristics
    • Do not model accuracy (the errors users make)
    • Do not characterize user behaviour across
      profiles

Scope of Proposed Research
  • Definition and building of models of user
    activity in order to develop a SUE.
  • The SUE will simulate believable user activity,
    at the mouse and keyboard interface level, to
    encourage the computer network attacker to
    continue to interact with the compromised system
    without suspicion.

Research Activities (1)
  • Define the Document Production Meta-Model
    • The target document will likely be represented as
      a tree
    • The Document Production Model (DPM) will contain
      the productions that turn a null (empty) tree into
      the tree representing the target document

HID Event Generation Process
Figure: the HID Event Generation Process, parameterised
by the User Personality Model

Research Activities (2 & 3)
  • Model Syntactic Elements Extraction
    • Uses the Target Document
    • Uses the Syntactic Element Lexicon
    • DPM to contain productions that create a linear
      target document
  • Model Editing Actions Selection
    • Uses the previous DPM
    • Uses the Editing Action Lexicon
    • Basis of the Editing Personality Model
    • DPM augmented to include editing action choices

Research Activities (4 - 6)
  • Model HID Event Stream Generation
    • Uses the Keyboard and Mouse HID Event Lexicon
    • Basis of the Typing and Mouse Accuracy Models
    • DPM augmented to include specific HID events
  • Model Error Introduction
    • DPM augmented to include errors based on the
      Typing and Mouse Accuracy Models
  • Model Event Timing
    • DPM augmented to include timing of HID events
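Taking the pipeline of activities (2) to (6) end to end for the keyboard alone, as an added example that is not the SUE-app or any code from the presentation: the linear target document is turned into editing actions, the accuracy model decides where a finger slips onto a neighbouring key and inserts the Backspace correction as a further editing action, and the timing model assigns press/release timestamps, with a longer pause before a correction. The replay function is the attacker's key-logger view: applying the Backspaces to the logged presses must reproduce the target document. The per-digraph latencies, jitter, error probability, neighbour table and pause constants are assumptions; the mouse side of the accuracy model is not modelled.

```python
"""Keyboard HID event generation for a target document, following the slide
pipeline: linear target document -> editing actions (with error
introduction from the accuracy model) -> timed press/release events.
Added example, not the SUE-app or code from the presentation.  The
per-digraph latencies, the jitter, the error probability, the neighbour
table and the pause before a correction are all assumed constants; the
mouse side of the accuracy model is not modelled here."""
import random

# Assumed typing (timing) model, milliseconds.
TIMING_MODEL = {
    "digraphs": {"th": 125, "he": 195, "er": 150, " t": 210, "e ": 230},
    "default": 180,      # press-to-press latency for digraphs not in the table
    "sd": 25,            # Gaussian jitter on the latency
    "min_latency": 30,   # clamp so sampled latencies stay physically plausible
    "dwell": 85,         # key hold time
    "correction": 350,   # longer pause before the Backspace that fixes a slip
}

# Assumed accuracy model: per-character slip probability and the QWERTY
# neighbours a finger lands on instead (constructed subset).
ACCURACY_MODEL = {
    "p_err": 0.15,
    "neighbours": {"e": "wr", "t": "ry", "h": "gj", "o": "ip", "a": "qs", "r": "et"},
}

BACKSPACE = "\b"


def plan_editing_actions(target, model, rng):
    """Editing actions as a flat key sequence: a correct keystroke, or a slip
    onto a neighbouring key followed by Backspace and the intended key."""
    keys = []
    for ch in target:
        neighbours = model["neighbours"].get(ch)
        if neighbours and rng.random() < model["p_err"]:
            keys += [rng.choice(neighbours), BACKSPACE]
        keys.append(ch)
    return keys


def timed_events(keys, model, rng):
    """Attach (t_ms, key, is_press) timestamps to the key sequence."""
    events, t, prev = [], 0, None
    for key in keys:
        if prev is not None:
            if key == BACKSPACE:
                mean = model["correction"]
            else:
                mean = model["digraphs"].get(prev + key, model["default"])
            t += max(model["min_latency"], int(rng.gauss(mean, model["sd"])))
        events += [(t, key, True), (t + model["dwell"], key, False)]
        prev = key
    return events


def generate(target, seed=7):
    """Full pipeline with a fixed seed so the stream is reproducible."""
    rng = random.Random(seed)
    keys = plan_editing_actions(target, ACCURACY_MODEL, rng)
    return timed_events(keys, TIMING_MODEL, rng)


def replay(events):
    """The attacker's key-logger view: presses with Backspace applied."""
    typed = []
    for _, key, down in events:
        if not down:
            continue
        if key == BACKSPACE:
            if typed:
                typed.pop()
        else:
            typed.append(key)
    return "".join(typed)


def count_corrections(events):
    """Number of Backspace presses the error model introduced."""
    return sum(1 for _, key, down in events if down and key == BACKSPACE)


if __name__ == "__main__":
    stream = generate("the other")
    print(f"{len(stream) // 2} keystrokes, {count_corrections(stream)} corrections")
    print(repr(replay(stream)))
```

Whatever the seed, the replayed text equals the target, every press is later than the previous one, and the number of presses is the document length plus two per correction; those are the invariants a SUE must keep while the timing and error models vary the stream.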

  • Two experiments conducted in support of the User
    Personality Model
  • User Preference Experiment
    • Examines editing actions:
      • Types of editing actions
      • HID methods used, including their timing
        (duration and latency)
  • User Accuracy Experiment
    • Examines typing and mouse movement errors:
      • Accuracy: what mistakes are made
      • Timing (duration and latency)

  • The HID Event Generation Process is sufficient to
    argue the thesis. Success depends on what the
    attacker finds believable.
  • The attacker will use models of human behaviour;
    the validation approach is therefore to:
    • Define models of human behaviour through the
      extant literature and experimentation
    • Build an application (SUE-app) to generate user
      activity based on these models of user behaviour
    • Validate the synthetic user activity against
      detectors from the extant literature and the
      validation data set from the experiments

  • There is value in observing attackers, but such
    intelligence collection requires maintaining
    contact with the attacker
  • Attackers go to great lengths to characterize
    compromised systems; behavioural biometrics can
    be used in that characterization
  • Current typing and mouse behaviour models are
    incomplete

  • More complete models of HID behaviour
    • across profiles
    • characterization of HID errors
  • Systematic approach to automatic generation of
    HID events, in the context of a target document
  • Proof-of-concept SUE for use in a NIST

References (1)
  • [1] S. P. Leblanc, "Toward the Creation of a
    Synthetic Environment: An Active Network Defence
    Enabler," Depth Research Doctoral Research
    Proposal, Royal Military College of Canada,
    February 2008.
  • [2] G. Phillips, "So What is an Engineering
    Master's Thesis, Anyway?", http//
  • [3] R. W. Smith and G. S. Knight, "Predictable
    design of network-based covert communications," in
    Proceedings of the 2008 IEEE Symposium on
    Security and Privacy (SP 2008), Oakland, CA, USA:
    IEEE, 18-21 May 2008, accepted for publication.
  • [4] L. Spitzner, Honeypots: Tracking Hackers.
    Addison-Wesley Professional, Sep. 2002.
  • [5] C. Brenton, "Honeynets," Proceedings of SPIE,
    vol. 4232, p. 115, 2003.

References (2)
  • [6] S. P. Leblanc and G. S. Knight, "Engaging the
    adversary as a viable response to network
    intrusion," in Workshop on Cyber Infrastructure -
    Emergency Preparedness Aspects (2005), University
    of Ottawa, Apr. 2005, pp. 85-94.
  • [7] S. P. Leblanc, "Enabling active response
    through attacker observation," Privacy, Security
    and Trust (PST'06), October 2006, invited
    Workshop Speaker and Panellist.
  • [8] A. A. E. Ahmed and I. Traore, "A new biometric
    technology based on mouse dynamics," IEEE
    Transactions on Dependable and Secure Computing,
    vol. 4, pp. 165-179, 2007.
  • [9] A. A. E. Ahmed and I. Traore, "Detecting
    computer intrusions using behavioural
    biometrics," in Third Annual Conference on
    Privacy, Security and Trust (PST'05), St.
    Andrews, NB, Oct. 2005, pp. 91-98. Online.
    Available: http//

References (3)
  • [10] M. Pusara and C. E. Brodley, "User
    re-authentication via mouse movements," in
    Proceedings of the 2004 ACM Workshop on
    Visualization and Data Mining for Computer
    Security, Washington, DC, USA: ACM, 2004, pp. 1-8.
  • [11] D. Gunetti and C. Picardi, "Keystroke analysis
    of free text," ACM Transactions on Information and
    System Security, vol. 8, pp. 312-347, 2005.

Honeypot Classification Schemes
  • Spitzner [4]
  • Brenton [5]
    • Deception Services
    • Weakened Systems
    • Hardened Systems
    • User Mode Servers

Most applicable to proposed research
Modelling Mouse Dynamics: Features (Ahmed &
Traore [8])
Figure: features involved in the mouse activity signature

Modelling Mouse Dynamics: Detector (Ahmed &
Traore [9])
Figure: detector architecture

Modelling Mouse Dynamics: Mouse Event Categories
(Pusara & Brodley [10])
Figure: mouse event categories

Modelling Mouse Dynamics: Decision Tree
(Pusara & Brodley [10])
Figure: decision tree classifier for User 13, splitting
on the number of NC moves and the number of mouse
events, with leaves "User Recognised" and "User Not
Recognised"

Modelling Typing Behaviour: Task Hierarchy
(Gunetti & Picardi [11])
Figure: where U, V are users of the system and O is an

Critical Research Activities

Critical User Models
Why is this difficult?
  • Design of experiments
    • Finding the right characteristics to model
    • Achieving powerful experimental results
  • Little-studied area of research
    • Relationships between HID events are unclear
  • New attack vector
    • Attackers have not indicated HID events as a
      means to characterize the compromised system