Toward the Creation of Synthetic User Environment: An Active Network Defence Enabler [1]

1
Toward the Creation of Synthetic User Environment: An Active Network Defence Enabler [1]
  • Ph.D. Comprehensive Examination Part II
  • Depth Research and Proposal Presentation
  • by
  • Major Sylvain P. Leblanc
  • 1 February 2008
  • Dry Run for CSL Members

2
Outline [2]
  • What is the engineering problem to be solved?
  • Scenario, Attacker Characteristics, Hypothesis
  • In what sense are previous solutions to this
    problem unsatisfactory?
  • Background Research Deficiencies
  • What is my solution?
  • Research Approach & Activities
  • What evidence is there that my solution is an
    improvement over previous solutions?
  • Validation, Conclusion & Contribution

3
Illustrative Scenario (1)
  • Traditional response to intrusion is to mitigate
    damage by removing access
  • Requirement for Active Network Defence has been
    accepted by the research community (Leblanc &
    Knight [6], Leblanc [7])
  • Holding contact with the attacker
  • Understanding the attacker
  • Prepare a response to the attack

4
Illustrative Scenario (2)
  • A high fidelity environment is required to
    convince the attacker to continue interacting
    with the compromised system.
  • Must include user actions, which means
  • leave the user on the compromised system, with or
    without their knowledge (bad thing), or
  • diverting precious resources to "act" as the
    user, or
  • automating the user activity

5
Illustrative Scenario (3)
(Figure: NIST, comprising Observation & Control tools and a SUE)
  • The Network Intrusion Surveillance Tool (NIST) to
    include
  • tools to allow the covert observation of the
    attacker's activity, and
  • tools to control what the attacker can do with
    the compromised system
  • a Synthetic User Environment (SUE) which helps
    create a realistic environment with which the
    attacker wants to interact without suspicion of
    being observed
  • Mouse and Keyboard Human Interface Device (HID)
    events only

6
Attacker Characteristics
  • Basic Abilities
  • Clock
  • Process List
  • Kernel Events
  • Statistics Analysis
  • Own Processes
  • Derived User Work Schedule
  • Restrictions on Attackers
  • Cannot Stream Interfaces
  • No Physical Observation
  • Processing Onboard the Compromised System

Characterisation Process
  • The attacker's desire to remain undetected will
    impose restrictions on their ability to
    characterize the compromised system [3]

7
Characterization of User Activity by Attackers
(Figure: Mouse Events; Keyboard Events; Attacker's Model of User Behaviour; Derive User Activity; Characterise User Activity)
8
Hypothesis
  • The thesis of the research is that the modelled
    user activity generated by SUE will be classified
    as human activity by the attacker. Specifically,
    the research will investigate the automatic
    generation of user activity, at the level of the
    mouse and keyboard human interfaces devices, in a
    way that is consistent with models of user
    behaviour.

9
Background Research (1) - Honeypots
  • Parallels can be drawn with Honeypots (Spitzner
    [4])
  • Tools to learn about attackers' tools and
    techniques
  • Classification expresses relationship between
    risk and potential information gained (Spitzner
    [4], Brenton [5])
  • Vitality Detection provides strong motivation

10
Deficiencies of Current Research (1) - Honeypots
  • Focus on tools and techniques, and not attacker
    motivation and goals: inadequate for
    intelligence collection
  • Classification does not address the proposed
    deployment environment
  • NIST is to be used on compromised production
    systems

11
Background Research (2) - Modelling Mouse
Dynamics
  • Ahmed & Traore (University of Victoria) [8]
  • introduce the concept of behavioural biometrics
  • Detector based on type of mouse action, duration
    of the action, distance travelled and direction
    of movement
  • Pusara & Brodley (Purdue) [10]
  • Use screen coordinates to derive mouse movement
    data
  • Profiles are built using 111 features, derived
    from statistics of the movement data
  • Typing samples are classified using decision tree
    classifiers

12
Background Research (3) - Modelling Typing
Behaviour
  • Ahmed & Traore (University of Victoria) [8]
  • Uses dwell time and flight time of digraphs and
    tri-graphs
  • Gunetti & Picardi (University of Torino) [11]
  • Models free text, representing samples as pairs
    (n-graph, n-graph duration)
  • Uses absolute and relative measures of distance
    between typing samples/profiles

13
Deficiencies of Current Research (2) - User
Behaviour Modelling
  • Current User Behaviour Modelling efforts are
    aimed at authentication
  • Only model subset of interesting characteristics
  • Does not model accuracy
  • Does not characterize user behaviour across
    profiles

14
Scope of Proposed Research
  • Definition and building of models of user
    activity in order to develop a SUE.
  • The SUE will simulate believable user activity,
    at the mouse and keyboard interface level, to
    encourage the computer network attacker to
    continue to interact with the compromised system
    without suspicion.

15
Research Activities (1)
  • Define the Document Production Meta-Model
  • The target document will likely be represented as
    a tree
  • The Document Production Model (DPM) will contain
    the productions that will turn a null tree into
    a tree representing the target document

16
HID Event Generation Process
17
User Personality Model
18
HID Event Generation Process
19
Research Activities (2 & 3)
  • Model Syntactic Elements Extraction
  • Uses the Target Document
  • Uses the Syntactic Element Lexicon
  • DPM to contain productions to create a linear
    target document
  • Model Editing Actions Selection
  • Uses previous DPM
  • Uses the Editing Action Lexicon
  • Basis of Editing Personality Model
  • DPM augmented to include editing action choices

20
Research Activities (5 - 6)
  • Model HID Event Stream Generation
  • Uses Keyboard and Mouse HID Event Lexicon
  • Basis of Typing and Mouse Accuracy Models
  • DPM augmented to include specific HID events
  • Model Error Introduction
  • DPM augmented to include errors based on Typing
    and Mouse Accuracy Models
  • Model Event Timing
  • DPM augmented to include timing of HID events

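The DPM steps listed on slides 19 and 20 (editing-action selection, HID event stream generation, error introduction and event timing), sketched in Python for keyboard input only. This is an added illustration, not the presentation's own code or the proposed SUE-app: the TypingModel constants, the "mistype a letter, then Backspace" correction rule and the function names are constructed assumptions, and the last function shows the per-digraph flight-time feature that the dwell/flight-time detectors cited on slide 12 would measure when validating the generated stream.

```python
import random
from dataclasses import dataclass

@dataclass
class TypingModel:
    """Constructed typing personality in milliseconds; not values from the slides."""
    dwell_mean: float = 95.0    # how long a key is held down
    dwell_sd: float = 15.0
    flight_mean: float = 140.0  # release of one key to press of the next
    flight_sd: float = 40.0
    error_rate: float = 0.03    # chance a letter is mistyped, then corrected
    seed: int = 7

def editing_actions(target: str, model: TypingModel) -> list:
    """Editing-action step: linear target text -> keystrokes; a mistyped letter is followed by Backspace."""
    rng = random.Random(model.seed)
    actions = []
    for ch in target:
        if ch.isalpha() and rng.random() < model.error_rate:
            wrong = rng.choice([c for c in "abcdefghijklmnopqrstuvwxyz" if c != ch.lower()])
            actions += [("type", wrong), ("type", "Backspace")]
        actions.append(("type", ch))
    return actions

def render(actions: list) -> str:
    """Apply the actions as an editor would; the result must equal the target document."""
    text = ""
    for _, key in actions:
        text = text[:-1] if key == "Backspace" else text + key
    return text

def hid_events(actions: list, model: TypingModel) -> list:
    """Timing step: each action becomes a press/release pair; dwell and flight drawn from the model, floored positive."""
    rng = random.Random(model.seed + 1)
    t, events = 0.0, []
    for _, key in actions:
        dwell = max(20.0, rng.gauss(model.dwell_mean, model.dwell_sd))
        events.append(("press", key, round(t, 1)))
        events.append(("release", key, round(t + dwell, 1)))
        t += dwell + max(10.0, rng.gauss(model.flight_mean, model.flight_sd))
    return events

def digraph_flight_times(events: list) -> dict:
    """Detector-side view: mean flight time per digraph, the feature a dwell/flight biometric compares to a profile."""
    presses = [(k, t) for e, k, t in events if e == "press"]
    releases = [t for e, _, t in events if e == "release"]
    feats = {}
    for i in range(len(presses) - 1):
        flight = presses[i + 1][1] - releases[i]
        feats.setdefault(presses[i][0] + presses[i + 1][0], []).append(flight)
    return {dg: round(sum(v) / len(v), 1) for dg, v in feats.items()}
```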
21
Experimentation
  • Two experiments conducted in support of User
    Personality Model
  • User Preference Experiment
  • Examine Editing Action
  • Types of editing actions
  • HID methods used, including their timing
    (duration and latency)
  • User Accuracy Experiment
  • Examine Typing and Mouse movement errors
  • Accuracy: what mistakes are made
  • Timing (duration and latency)

22
Validation
  • The HID Event Generation Process is sufficient to
    argue the Thesis. Success depends on what the
    attacker finds believable.
  • The attacker will use models of human behaviour;
    the validation approach is therefore:
  • Define models of human behaviour through extant
    literature and experimentation
  • Build an application (SUE-app) to generate user
    activity based on these models of user behaviour
  • Validate synthetic user activity against
    detectors from extant literature and validation
    data set from experiments

23
Schedule
24
Conclusions
  • There is value in observing attackers, but such
    intelligence collection requires maintenance of
    contact
  • Attackers go to great lengths to characterize
    compromised systems; behavioural biometrics can
    be used in that characterization
  • Current typing and mouse behaviour models are
    insufficient

25
Contributions
  • More complete models of HID behaviour
  • across profiles
  • characterization of HID Errors
  • Systematic approach to automatic generation of
    HID events, in the context of a target document
  • Proof of concept SUE for use in a NIST

26
Questions
?
27
References (1)
  • [1] Leblanc S.P., "Toward the Creation of a
    Synthetic Environment: An Active Network Defence
    Enabler," Depth Research & Doctoral Research
    Proposal, Royal Military College of Canada,
    February 2008.
  • [2] Phillips G., "So What is an engineering
    Masters thesis, anyway?",
    http://phillips.rmc.ca/notes/thesis.html
  • [3] R. W. Smith and G. S. Knight, "Predictable
    design of network-based covert communications," in
    Proceedings of the 2008 IEEE Symposium on
    Security and Privacy (SP 2008). Oakland, CA, USA:
    IEEE, 18-21 May 2008, accepted for publication.
  • [4] L. Spitzner, Honeypots: Tracking Hackers.
    Addison-Wesley Professional, Sep. 2002.
  • [5] C. Brenton, "Honeynets," Proceedings of SPIE,
    vol. 4232, p. 115, 2003.

28
References (2)
  • [6] S. P. Leblanc and G. S. Knight, "Engaging the
    adversary as a viable response to network
    intrusion," in Workshop on Cyber Infrastructure -
    Emergency Preparedness Aspects (2005), University
    of Ottawa, Apr. 2005, pp. 85-94.
  • [7] S. P. Leblanc, "Enabling active response
    through attacker observation," Privacy, Security
    and Trust (PST'06), October 2006, invited
    Workshop Speaker and Panellist.
  • [8] A. A. E. Ahmed and I. Traore, "A new biometric
    technology based on mouse dynamics," IEEE
    Transactions on Dependable and Secure Computing,
    vol. 4, pp. 165-179, 2007.
  • [9] A. A. E. Ahmed and I. Traore, "Detecting
    computer intrusions using behavioural
    biometrics," in Third Annual Conference on
    Privacy, Security and Trust (PST'05), St.
    Andrews, NS, Oct. 2005, pp. 91-98. Online.
    Available: http://www.lib.unb.ca/Texts/PST/2005/

29
References (3)
  • [10] M. Pusara and C. E. Brodley, "User
    re-authentication via mouse movements," in
    Proceedings of the 2004 ACM Workshop on
    Visualization and Data Mining for Computer
    Security. Washington DC, USA: ACM, 2004, pp. 1-8.
  • [11] Gunetti and C. Picardi, "Keystroke analysis
    of free text," ACM Trans. Inf. Syst. Secur., vol.
    8, pp. 312-347, 2005.

30
Honeypot Classification Schemes
  • Spitzner [4]
  • Brenton [5]
  • Deception Services
  • Weakened Systems
  • Hardened Systems
  • User Mode Servers

Most applicable to proposed research
31
Modelling Mouse Dynamics: Features - Ahmed &
Traore [8]
Features involved in Mouse Activity Signature
32
Modelling Mouse Dynamics: Detector - Ahmed &
Traore [9]
Detector Architecture
33
Modelling Mouse Dynamics: Mouse Event Categories
- Pusara & Brodley [10]
Mouse Event Categories
34
Modelling Mouse Dynamics: Decision Tree -
Pusara & Brodley [10]
(Figure: Decision Tree Classifier for User 13. One node tests Number of NC moves (> 21 vs. otherwise), a second tests Number of Mouse Events (> 60 vs. otherwise); the leaves are User Not Recognised (twice) and User Recognised (once).)
35
Modelling Typing Behaviour: Task Hierarchy -
Gunetti & Picardi [11]
Where U, V are users of the system and O is an
outsider
36
Critical Research Activities
37
Critical User Models
38
Why is this difficult?
  • Design of experiments
  • Finding the right characteristics to model
  • Achieving powerful experimental results
  • Little studied area of research
  • Relationships between HID events are unclear
  • New attack vector
  • Attackers have not indicated HID events as a
    means to characterize the compromised system