Transcript of "Visualizing Time Patterns and Mission Impact of Cyber Security Breaches", Contract # DAAH01-01-C-R044

Page 1: Visualizing Time Patterns and Mission Impact of Cyber Security Breaches Contract # DAAH01-01-C-R044 20 February 2001 through 20 March 2003 Anita D’Amico.

Visualizing Time Patterns and Mission Impact of Cyber Security Breaches
Contract # DAAH01-01-C-R044
20 February 2001 through 20 March 2003

Anita D’Amico
Stephen Salas
A Division of Applied Visions, Inc.

Page 2: Background

Page 3: DARPA Visualization Project, Contract # DAAH01-01-C-R044

• Phase 2 Small Business Innovative Research (SBIR) contract
• Cathy McCollum of DARPA ATO (formerly ISO) is program manager
• Effort is part of Cyber Panel (formerly Cyber C2)
• Contract commenced February 20, 2001 and will run for 20 months

Page 4: Key Objectives of Phase II SBIR

1. Field a prototype system that will visually represent time patterns in IA “events”
   • Enhance discovery of time trends in events
   • Show progression of an attack
   • Show activity patterns of attackers
2. Field a prototype system that will visually represent the mission impact of IA events
   • Effect of security breaches on mission-critical tasks
   • Effect on mission-critical tasks of taking a cyber asset off line

Page 5: IA Analysts Want to Know …

About temporal patterns in probes and attacks
• Do certain types of security events* occur more frequently at specific times of day, week, month or year?
• Are certain adversaries more active at specific times of day, week, month or year?
• Do certain events occur in a specific sequence?
• Do certain host devices get attacked in a specific sequence?

About the progress of a security breach over time
• What has changed since the last time I monitored the status?
• When did the attack really start?
• How rapidly is the attack progressing?
• How long does it take a new vulnerability to be exploited?

*A security event can be a vulnerability, an incident that precedes an attack (e.g. a probe), or an attack.

Page 6: IA Analysts Want to Relate Historical Info to Current Information About Security Events

[Diagram] Sensors (IDS, Scanner, Firewall) feed a Collection of Sensor Data, which feeds a Data Repository (an Integrated RDBMS of Security Events holding Intrusions, Vulnerabilities, Access events and Historical Data), which in turn feeds Pattern Detection (Management Consoles, Visualization Aids, Data Mining). The layers are annotated by maturity: “10 year old technology” and “< 5 year old technology”.

Page 7: IA Analysts Want to Know …

• If a particular cyber asset* is breached, what mission-critical task won’t get done?
• For a particular mission-critical task to be completed successfully, which cyber assets must be secured?
• If I defensively shut down a cyber asset in order to protect it or the network from breaches, what mission-critical tasks will be impaired?

*A cyber asset can be a hardware device, software applications running on that device, data files or databases, or connectivity.

Page 8: Analysts Grapple with Assessing the Mission Impact of Cyber Security Events

• IA analysts in military and commercial settings want to know the mission impact or business impact of cyber security events
• Currently, security officers make educated guesses about the mission impact of security breaches and of removing certain cyber services to ensure security
• Almost no one currently documents the importance of a specific cyber asset to the organization’s mission-critical tasks. Exceptions: Y2K analyses; disaster recovery departments

Page 9: Future Systems Should Be Able To Access and Visualize Mission Dependency Data

[Diagram] The same pipeline as Page 6 (Sensors: IDS, Scanner, Firewall → Collection of Sensor Data → Data Repository: Integrated RDBMS of Security Events with Intrusions, Vulnerabilities, Access events and Historical Data → Pattern Detection: Management Consoles, Visualization Aids, Data Mining), extended with two new elements: Mission Dependency Tables and COA Simulation & Modeling.

Page 10: Progress on Temporal Displays

Page 11: Requirements for Temporal Scenes

1. User-selectable time gradations (e.g. seconds, minutes, hours, days, months)
2. User-selectable time range (e.g. from May 1 through June 15)
3. User ability to annotate time grid (e.g. “June 13 – Checkpoint firewall vulnerability becomes public.”)
4. Relate security events and their characteristics to time
5. Relate attack sources and their characteristics to time
6. Relate targeted assets and their characteristics to time
7. Simultaneously relate events, attack sources and target characteristics to time

Page 12: Requirements for Temporal Scenes (continued)

8. Depict frequencies of specific classes of events (e.g. number of probes on each day for the period May 1 - May 7)
9. View sequence of events irrespective of absolute time (e.g. at Hanscom site #125, these events occurred in sequence from May 1-7)
10. Depict duration of events (length of a DoS attack on February 6-12; length of a telnet session or FTP session)
11. Simultaneously compare patterns of events over multiple user-specified time ranges (e.g. compare number of probes during April 1-7, May 1-7, June 1-7)
12. Show time lapse between exposure (i.e. insertion of a vulnerability) and a related exploit
13. Show differences between two user-selected times (e.g. show differences in vulnerabilities on a specific network on April 1 and June 1)

Page 13: Additional Requirements for Temporal Scenes

14. Show the time patterns of the general level of security-related activity, irrespective of type of attack
15. Show observed time trends against a “normal” profile of time trends
16. Show security events over time in comparison to typical measures of network traffic (e.g. FTPs)
17. Show time vs. events vs. a third variable (e.g. location) (e.g. put location on the wall and event classes on the floor)
18. Show geographical movement of an attack from one location to another vs. time
19. User should be able to input a sequence of events and then ask the system to match to that sequence
20. System should suggest scenes of interest to the analyst, based on previously identified combinations of data in the database or sequences of events
21. User should be able to apply filters to what is presented on the temporal wall (e.g. show me only events on mission-critical devices)
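Requirements 8 through 13 on Page 12 are all queries over the same integrated store of timestamped events. The Python module below is an added illustration, not code from the SecureScope project or from the authors: it constructs a handful of event records for the first week of May 2001 (host names follow the “Hanscom site #125” example on Page 12; the addresses, event classes, the `ref` field that ties a vulnerability to its later exploit or remediation, and the optional `end` time are assumptions of the example) and implements per-bucket frequencies, per-host sequences, durations, multi-range comparison, exposure-to-exploit lapse, and the difference in open vulnerabilities between two points in time.

```python
"""Temporal analytics behind the event wall (Page 12, requirements 8-13)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    time: datetime
    cls: str                         # event class: probe, vulnerability, exploit, dos, remediated
    target: str                      # host hit (target axis of the wall)
    source: str = ""                 # attacker address or reporting sensor (rear plane)
    ref: str = ""                    # ties a vulnerability to exploits/remediation of it (assumed field)
    end: Optional[datetime] = None   # set only for events that have a duration


def frequencies(events: List[Event], cls: str, start: datetime, end: datetime,
                step: timedelta = timedelta(days=1)) -> Dict[datetime, int]:
    """Req. 8: number of events of one class in each time bucket of the range."""
    n = -((start - end) // step)                     # ceiling division keeps a partial last bucket
    buckets = {start + step * i: 0 for i in range(n)}
    for e in events:
        if e.cls == cls and start <= e.time < end:
            buckets[start + step * ((e.time - start) // step)] += 1
    return buckets


def sequence(events: List[Event], target: str) -> List[str]:
    """Req. 9: order in which events hit one host, irrespective of absolute time."""
    return [e.cls for e in sorted(events, key=lambda e: e.time) if e.target == target]


def durations(events: List[Event], cls: str) -> List[Tuple[str, timedelta]]:
    """Req. 10: how long each event of a class lasted (a DoS attack, a session)."""
    return [(e.target, e.end - e.time) for e in events if e.cls == cls and e.end]


def compare_ranges(events: List[Event], cls: str,
                   ranges: List[Tuple[datetime, datetime]]) -> List[int]:
    """Req. 11: the same event class counted over several user-chosen ranges."""
    return [sum(1 for e in events if e.cls == cls and a <= e.time < b) for a, b in ranges]


def exposure_to_exploit(events: List[Event]) -> Dict[Tuple[str, str], timedelta]:
    """Req. 12: lapse between a vulnerability first being seen on a host and the
    first exploit recorded against that host with the same ref."""
    seen: Dict[Tuple[str, str], datetime] = {}
    lapse: Dict[Tuple[str, str], timedelta] = {}
    for e in sorted(events, key=lambda e: e.time):
        key = (e.target, e.ref)
        if e.cls == "vulnerability":
            seen.setdefault(key, e.time)
        elif e.cls == "exploit" and key in seen:
            lapse.setdefault(key, e.time - seen[key])
    return lapse


def open_vulnerabilities(events: List[Event], when: datetime) -> Set[Tuple[str, str]]:
    """Vulnerabilities present at `when`: reported on or before it and not remediated since."""
    state: Set[Tuple[str, str]] = set()
    for e in sorted(events, key=lambda e: e.time):
        if e.time > when:
            break
        if e.cls == "vulnerability":
            state.add((e.target, e.ref))
        elif e.cls == "remediated":
            state.discard((e.target, e.ref))
    return state


def vulnerability_diff(events: List[Event], t1: datetime, t2: datetime) -> Dict[str, Set[Tuple[str, str]]]:
    """Req. 13: what appeared and what went away between two user-selected times."""
    a, b = open_vulnerabilities(events, t1), open_vulnerabilities(events, t2)
    return {"new": b - a, "gone": a - b}


T = datetime.fromisoformat

# Constructed sample records for the first week of May 2001; host names follow the
# "Hanscom site #125" example on Page 12, everything else is invented.
EVENTS = [
    Event(T("2001-05-01T02:10"), "probe", "hanscom-125", "10.1.1.7"),
    Event(T("2001-05-01T02:12"), "probe", "hanscom-126", "10.1.1.7"),
    Event(T("2001-05-02T09:00"), "vulnerability", "hanscom-125", "scanner", ref="vuln-A"),
    Event(T("2001-05-02T09:00"), "vulnerability", "hanscom-126", "scanner", ref="vuln-B"),
    Event(T("2001-05-03T23:40"), "probe", "hanscom-125", "10.1.1.7"),
    Event(T("2001-05-04T23:45"), "probe", "hanscom-125", "10.1.1.7"),
    Event(T("2001-05-05T01:15"), "exploit", "hanscom-125", "10.1.1.7", ref="vuln-A"),
    Event(T("2001-05-06T01:20"), "dos", "hanscom-126", "10.1.1.9", end=T("2001-05-06T03:50")),
    Event(T("2001-05-06T10:00"), "remediated", "hanscom-126", "admin", ref="vuln-B"),
    Event(T("2001-05-07T09:00"), "vulnerability", "hanscom-125", "scanner", ref="vuln-C"),
]

if __name__ == "__main__":
    week = (T("2001-05-01"), T("2001-05-08"))
    print("probes per day:", {d.strftime("%b %d"): n for d, n in frequencies(EVENTS, "probe", *week).items()})
    print("sequence on hanscom-125:", sequence(EVENTS, "hanscom-125"))
    print("DoS durations:", durations(EVENTS, "dos"))
    print("probes May 1-3 vs May 4-7:",
          compare_ranges(EVENTS, "probe", [(week[0], T("2001-05-04")), (T("2001-05-04"), week[1])]))
    print("exposure to exploit:", exposure_to_exploit(EVENTS))
    print("vulnerability diff May 3 -> May 8:", vulnerability_diff(EVENTS, T("2001-05-03"), week[1]))
```

Each function returns plain dictionaries and lists keyed the way the wall would draw them (a bucket per column, a host per row), so the same code serves requirement 21’s filtering by simply passing a pre-filtered event list. The `ref` link is the one piece of data a real deployment has to supply: without a field that ties a scanner finding to the later IDS alert that exploited it, requirement 12 cannot be computed from the repository at all.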

Page 14: Temporal Event Wall Can Display Event Frequencies, Sequences & Durations

[Figure] Frequencies of each event over time: event class (vulnerabilities & attacks) on one axis, time (days in May) on the other. The user can click on a frequency bar to see which hosts were the targets of the events. Provisional patent filed by Applied Visions, Inc.

Page 15: Event Wall Scene Links Events, Targets & Attackers in Time

[Figure] Classes of vulnerabilities & attacks (can be listed hierarchically); the specific time of each event is associated to the targeted host; time can be shown as a specific point in time or as a relative sequence. Provisional patent filed by Applied Visions, Inc.

Page 16: Rear Plane Can Show Attacker Characteristics or Sensor Sources

[Figure] The rear plane shows attack sources and the times that they strike, or the sensors reporting the events. Provisional patent filed by Applied Visions, Inc.

Page 17: Top View Allows Simultaneous Viewing of Activities Related to Time

[Figure] Axes: time (in hours) and target hosts; lines show the times that target hosts were hit; attacker information on the far side (could also be reporting sensors). Provisional patent filed by Applied Visions, Inc.

Page 18: Comparison of Several User-Selected Time Ranges

[Figure] Time (in hours) plotted against day of week (Sun, Mon, Tues, Wed, Thur, Fri, Sat). Provisional patent filed by Applied Visions, Inc.

Page 19: Status of Work on Temporal Displays

• Software will be completed October 2001
• Test installation of temporal displays at the Army’s Land Information Warfare Agency (LIWA) at Fort Belvoir in December 2001

Page 20: Progress on Mission Impact Displays

Page 21: Approach to Mission Impact Displays

Starting points
• We have a good list of requirements
• We have two concepts for visualization: the mission association scene and the mission dependency ring
• Requirements have to be modified to align with mission model work to date
• Visualization concepts will have to be modified after requirements are refined

Page 22: Requirements for Mission Impact Scene

1. Illustrate all dependencies between cyber assets and mission-critical tasks
2. For a specific mission, highlight the cyber assets that must be secured (i.e. top-down view)
3. For a specific cyber asset, highlight the mission-critical tasks that depend on it (i.e. bottom-up view)
4. Show strength of dependencies (low, medium, high) between cyber assets and mission-critical tasks
5. Show “and/or” dependencies between cyber assets and mission-critical tasks, i.e. substitutability (e.g. to perform ATO generation I need the Joint mapping application, the imagery database, and either access to e-mail or access to a printer and a secure fax machine)
6. Depict the sequence in which specific cyber assets are needed for a mission-critical task

Page 23: More Requirements for Mission Scene

7. Show the latest time at which a critical asset can be used
8. Show broad status of a mission-critical task (red, yellow, green)

Page 24: Mission Association Scene Relates Mission to Security Events or Devices That Have Experienced Events

[Figure] Line thickness indicates strength of dependency.

Page 25: Mission Dependency Rings Show Dependencies Between Cyber Resources and Missions

[Figure] Concentric rings, in order: Network Devices; Simple Cyber Resources (hosted on devices); Compound Cyber Resources; Mission Critical Tasks/Functions; Missions. Provisional patent filed by Applied Visions, Inc.

Page 26: Mission Dependency Rings Scene Can Relate Critical Mission Function to Specific Device Characteristics

[Figure] A specific device is selected by the user, based on its characteristics (e.g. location, OS, organization). The scene then shows the resource hosted by the device, the compound cyber resources to which that device contributes (e.g. e-mail), the mission-critical tasks dependent on that device, and the missions associated with the selected device. Provisional patent filed by Applied Visions, Inc.

Page 27: Requirements for Populating Current Mission Impact Scenes

Type of information that needs to be stored in a database
• Network devices and their characteristics (type of platform; location; OS; organization to which they are assigned)
• Resources (e.g. services, data, communications) hosted by devices (resource x device dependency)
• Critical tasks and missions dependent on those resources (mission task x resource dependency)
• Strength of each dependency (none, low, medium, high)
• Specific time and sequence requirements for each resource needed for a mission-critical task
• Substitutability of cyber assets

How the data gets in
• User should be able to enter mission data manually
• Capture network data from a network manager (e.g. CA Unicenter stores “business process” information)
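The data items listed on Page 27 (devices with characteristics, resource x device, task x resource, strength, substitutability) together with the and/or semantics of Page 22 requirement 5, the red/yellow/green status of Page 23 requirement 8, and the bottom-up and top-down views of Pages 22 and 26 can be exercised against a small in-memory model. The Python below is an added example, not SecureScope code or a schema the project adopted: the ATO-generation dependency is the one stated on Page 22, while the device names and characteristics, the second task “Target nomination”, the composition of “e-mail” from a mail service and DNS, and every strength value are invented for illustration. The evaluation rule is an assumption too: a task is as degraded as its worst unmet AND-branch and as healthy as its best OR-alternative, and an unmet dependency can hurt a task at most as much as its declared strength.

```python
"""Mission dependency model with and/or substitutability, strengths and queries."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

STRENGTH = {"none": 0, "low": 1, "medium": 2, "high": 3}   # scale from Page 27


@dataclass
class Need:
    """Node of an and/or dependency tree (Page 22, requirement 5)."""
    op: str                                   # "res", "and" or "or"
    resource: Optional[str] = None            # leaf only: resource name
    strength: str = "high"                    # leaf only: none/low/medium/high
    children: List["Need"] = field(default_factory=list)


def res(name: str, strength: str = "high") -> Need: return Need("res", resource=name, strength=strength)
def AND(*kids: Need) -> Need: return Need("and", children=list(kids))
def OR(*kids: Need) -> Need: return Need("or", children=list(kids))


@dataclass
class MissionModel:
    devices: Dict[str, Dict[str, str]]   # device -> characteristics (Page 27)
    hosts: Dict[str, Set[str]]           # simple resource -> devices hosting it (resource x device)
    compound: Dict[str, Need]            # compound resource -> tree over simple resources (Page 25)
    tasks: Dict[str, Need]               # mission-critical task -> tree over resources (task x resource)
    missions: Dict[str, List[str]]       # mission -> its tasks

    def degradation(self, node: Need, down: Set[str]) -> int:
        """0 = satisfied, else strength of the worst unmet dependency: AND is as bad
        as its worst child, OR as good as its best alternative (substitutability)."""
        if node.op == "res":
            if node.resource in self.compound:
                inner = self.degradation(self.compound[node.resource], down)
            else:                        # a simple resource is up if any hosting device is up
                inner = 0 if self.hosts.get(node.resource, set()) - down else STRENGTH["high"]
            return min(inner, STRENGTH[node.strength])   # a dependency hurts at most its strength
        vals = [self.degradation(c, down) for c in node.children]
        return max(vals, default=0) if node.op == "and" else min(vals, default=0)

    def task_status(self, task: str, down: Set[str]) -> str:
        """Broad red/yellow/green status (Page 23, requirement 8)."""
        d = self.degradation(self.tasks[task], down)
        return "green" if d == 0 else "red" if d == STRENGTH["high"] else "yellow"

    def outage_impact(self, down: Set[str]) -> Dict[str, str]:
        """Page 7: which tasks are impaired if these devices are breached or shut down."""
        return {t: self.task_status(t, down) for t in self.tasks}

    def _simple(self, node: Need) -> Set[str]:
        """All simple resources under a tree, expanding compound resources."""
        if node.op == "res":
            if node.resource in self.compound:
                return self._simple(self.compound[node.resource])
            return {node.resource}
        return set().union(*(self._simple(c) for c in node.children))

    def bottom_up(self, device: str) -> Dict[str, Set[str]]:
        """Rings around one device (Page 26): hosted resources, compound resources,
        dependent tasks, associated missions."""
        hosted = {r for r, devs in self.hosts.items() if device in devs}
        compounds = {c for c, tree in self.compound.items() if self._simple(tree) & hosted}
        tasks = {t for t, tree in self.tasks.items() if self._simple(tree) & hosted}
        missions = {m for m, ts in self.missions.items() if set(ts) & tasks}
        return {"resources": hosted, "compound": compounds, "tasks": tasks, "missions": missions}

    def top_down(self, mission: str) -> Set[str]:
        """Devices to secure for a mission (Page 22, requirement 2). Every branch of an
        OR is included: an adversary who knows the model will target the substitutes too."""
        needed = set().union(*(self._simple(self.tasks[t]) for t in self.missions[mission]))
        return set().union(*(self.hosts.get(r, set()) for r in needed))


# Constructed data: the ATO-generation dependency is the one stated on Page 22;
# device names, characteristics, the second task and all strengths are invented.
MODEL = MissionModel(
    devices={
        "jmap-srv1":  {"platform": "server",  "location": "Bldg 12", "os": "Solaris",  "org": "Ops"},
        "img-db1":    {"platform": "server",  "location": "Bldg 12", "os": "Solaris",  "org": "Intel"},
        "mail1":      {"platform": "server",  "location": "Bldg 3",  "os": "NT 4.0",   "org": "Comms"},
        "dns1":       {"platform": "server",  "location": "Bldg 3",  "os": "Linux",    "org": "Comms"},
        "print-ops":  {"platform": "printer", "location": "Bldg 12", "os": "embedded", "org": "Ops"},
        "fax-secure": {"platform": "fax",     "location": "Bldg 12", "os": "embedded", "org": "Ops"},
    },
    hosts={"joint-mapping-app": {"jmap-srv1"}, "imagery-db": {"img-db1"},
           "mail-service": {"mail1"}, "dns": {"dns1"},
           "printer": {"print-ops"}, "secure-fax": {"fax-secure"}},
    compound={"e-mail": AND(res("mail-service"), res("dns", "medium"))},
    tasks={
        "ATO generation": AND(res("joint-mapping-app"), res("imagery-db"),
                              OR(res("e-mail"), AND(res("printer"), res("secure-fax")))),
        "Target nomination": AND(res("imagery-db"), res("e-mail", "low")),
    },
    missions={"Air tasking": ["ATO generation", "Target nomination"]},
)

if __name__ == "__main__":
    for down in (set(), {"mail1"}, {"mail1", "fax-secure"}, {"dns1"}, {"img-db1"}):
        print(f"down={sorted(down) or 'nothing'}: {MODEL.outage_impact(down)}")
    print("bottom-up from dns1:", MODEL.bottom_up("dns1"))
    print("secure for Air tasking:", sorted(MODEL.top_down("Air tasking")))
```

Taking the mail server down alone leaves ATO generation green because the printer-plus-fax alternative still holds; taking the secure fax down as well turns it red, which is exactly the “what will be impaired if I defensively shut this down” question from Page 7. The same trees answer the top-down question conservatively: every substitute is listed as an asset to secure, because a defender who protects only one branch of an OR has left the other branch as the cheaper target.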

Page 28: Status of Work on Mission Impact Displays

• Additional requirements are being gathered; to be completed in December 2001
• Display concepts will be modified to conform to new requirements and human factors principles
• Software development will commence in February 2002
• Test sites are being sought for installation in October 2002

Page 29: Technologies Underlying Temporal and Mission Impact Visual Scenes

Page 30: SecureScope Console and Server Have Been Modified So That Temporal & Mission Impact Scenes Can Interface Easily to Customer RDBMS

[Diagram] Three tiers:
• Console: Windows 32-bit client, C++, Cortona 3-D viewer. User interface; responsible for building and rendering of 3D visualizations.
• Server: Java. Central repository for security event data; receives scene data requests from the console and fetches the necessary data from the database; handles the complexity of data storage.
• Customer’s relational database: Oracle 7.3, 8i, Access, etc.
The console talks to the server over Java RMI; the server reaches the database over JDBC.

Page 31: Technology Needed to Run Temporal and Mission Impact Scenes At Customer Site

Secure Decisions provides
• Proprietary SecureScope visualization software that includes association, temporal and mission impact scenes
• Parallel Graphics’ Cortona 3-D Viewer licensed software
• Sun Microsystems and Microsoft XML parsers
• JDBC driver for the customer’s relational database
• Sun Microsystems Java Runtime Environment (JRE)

Customer provides
• Pentium III hardware platform with 256 MB RAM and 100 MB free hard disk space
• Windows 2000 (or NT 4.0 for older version)
• Microsoft Internet Explorer
• Commercial RDBMS
• Database schema

Page 32: Additional Program Information

Page 33: Project Schedule

Schedule for VisRep2. Timeline axis: January 2001 through March 2003 (FY01, FY02, FY03), shown by quarter (Q2 2001 through Q2 2003); the Gantt bars are not reproduced here.

Task                                          Deliverables
1. Implement temporal displays                Month 9 - Standalone demo
2. Integrate temporal displays at test site   Mo 11 - Integrated demo
3. Adopt a mission impact database schema     Mo 11 - Draft schema interface
4. Modify mission impact displays             Mo 13 - Static display designs
5. Implement mission impact displays          Mo 18 - Standalone demo
6. Integrate mission displays at test site    Mo 20 - Integrated demo
7. Document results                           Mo 6, 12 - Interim Reports; Mo 21 - Final
8. Prepare commercialization report           Mo 22 - Commercialization report
9. Manage project                             Mos 4, 9, 13, 20 - Program Reviews

Page 34: Recent Publications & Conferences

• D’Amico, A. “Cyber Defense Situational Awareness.” Computer Security in a Collaborative Research Environment, Brookhaven National Laboratory Symposium, Brookhaven, NY, June 27, 2000.
• D’Amico, A. “Cyber Defense Situational Awareness.” InfoWarCon, Washington, DC, September 13, 2000.
• D’Amico, A. and Larkin, M. “Methods of Visualizing Temporal Patterns in and Mission Impact of Computer Security Breaches.” Accepted for DISCEX conference, June 2001.

Page 35: Key Staff

• Anita D’Amico, P.I.: Manages program; provides overall direction; gathers user requirements; guides changes to display designs
• Stephen Salas, Project Engineer: Directs software implementation and installation of prototype system; develops software
• John O’Hara, Sub-Contractor: Provides access to human factors requirements for 3-D displays from other industries
• David Spector, Sub-Contractor: Provides commercial information security expertise as input into user requirements

Page 36: Visualization of Temporal Patterns in and Mission Impact of Cyber Security Breaches (summary chart)

New Ideas
• Implement visualization aids to the discovery and analysis of time patterns in cyber security breaches
• Implement visualization aids to understanding the impact of cyber security breaches on mission-critical tasks
• Develop methods for easily interfacing visualization aids to most database schemas containing temporal & mission impact data

[Figure] Frequencies of each event over time: event class (vulnerabilities & attacks) against days in May; the user can click on a frequency bar to see which hosts were the targets of the events. Provisional patent filed by Applied Visions, Inc.

Impact
• Speeds IA analysts’ access to information about the progression, sequence and time urgency of an impending cyber attack
• Improves speed of comprehending the impact of cyber threats to critical missions
• Improves maintenance of critical mission operations in the presence of cyber threats

Schedule (FY01 through FY03, with quarterly reports and program reviews)
1. Implement temporal displays
2. Integrate temporal displays at test site
3. Cooperate with mission model programs
4. Modify mission impact displays
5. Implement mission impact displays
6. Integrate mission displays at test site
7. Document results
8. Prepare commercialization report
9. Manage project

A Division of Applied Visions, Inc. www.SecureDecisions.com
