Partially Observable Games for Secure Autonomy

Technology development efforts in autonomy and cyber-defense have been evolving independently of each other, over the past decade. In this paper, we report our ongoing effort to integrate these two presently distinct areas into a single framework. To this end, we propose the two-player partially observable stochastic game formalism to capture both high-level autonomous mission planning under uncertainty and adversarial decision making subject to imperfect information. We show that synthesizing sub-optimal strategies for such games is possible under finite-memory assumptions for both the autonomous decision maker and the cyber-adversary. We then describe an experimental testbed to evaluate the efficacy of the proposed framework

Partially Observable Games for Secure Autonomy

Technology development efforts in autonomy and cyber-defense have been evolving independently of each other, over the past decade. In this paper, we report our ongoing effort to integrate these two presently distinct areas into a single framework. To this end, we propose the two-player partially observable stochastic game formalism to capture both high-level autonomous mission planning under uncertainty and adversarial decision making subject to imperfect information. We show that synthesizing sub-optimal strategies for such games is possible under finite-memory assumptions for both the autonomous decision maker and the cyber-adversary. We then describe an experimental testbed to evaluate the efficacy of the proposed framework

Partially Observable Games for Secure Autonomy

Technology development efforts in autonomy and cyber-defense have been evolving independently of each other, over the past decade. In this paper, we report our ongoing effort to integrate these two presently distinct areas into a single framework. To this end, we propose the two-player partially observable stochastic game formalism to capture both high-level autonomous mission planning under uncertainty and adversarial decision making subject to imperfect information. We show that synthesizing sub-optimal strategies for such games is possible under finite-memory assumptions for both the autonomous decision maker and the cyber-adversary. We then describe an experimental testbed to evaluate the efficacy of the proposed framework

The Application Of Neural Networks to UNIX Computer Security

Computer security can be divided into two distinct areas, preventive security and the detection of security violations. Of the two, a greater degree of research and emphasis has been applied to prevention, while detection has been relatively overlooked. This is a costly oversight as preventive measures are never infallible. To date the detection of intruder violation on computer systems is a field heavily dominated by expert systems. However, the major drawbacks attributed to these systems including their heavy demand on system resources and their poor handling of the dynamic nature of user behaviour [10, 11], have made their use infeasible. In practice, the effectiveness of intruder detection is heavily reliant upon the skills of the presiding system administrators and their knowledge of the behaviour of their users. The present study approaches the problem from a pattern recognition point of view, where a neural network is used to capture user behaviour patterns. It proposes that neural networks are not only capable of outperforming its heavier expert systems counterparts but in many ways better suits the demands and dynamic nature of the problem. In exploiting the strengths of neural networks in recognition, classification and generalisation this research illustrates the effectiveness of the neural network contribution to the application of intruder detection. 1

Defining the operational limits of sequence-based anomaly detectors

© 2002 Dr. Kymie Mei Chen TanA desirable, if not essential, component in the intrusion detection arsenal is the anomaly detector. Anomaly detection may be the only technique with the potential to address two serious security problems: the masquerader and novel attacks. Although the advantages of applying anomaly detection to intrusion detection have been well documented, less well researched are evaluation methods that can be used to determine the operational effectiveness of an anomaly detector. The problems that have plagued the application of anomaly detection to intrusion detection have made the use of anomaly detectors as intrusion detectors almost entirely impractical in real-world, working environments. Examples of such problems are high false alarm rates and the inability to clearly articulate exactly what constitutes detection coverage for an anomaly detector. To have confidence in the detection results requires precise knowledge of the detector's characteristics. These characteristics include identifying the conditions under which the detector fails, as well as those under which it works well. This thesis addresses the issue of evaluating anomaly detectors commonly used in detecting intrusions into computer systems. A comprehensive framework for anomalies, and a fault-injection methodology for introducing those anomalies into categorical data, has been developed. Using these, the operating space for different anomaly detectors is mapped, facilitating identification of the conditions that would cause an anomaly detector to exhibit detection strength, blindness or weakness. It is demonstrated that the ability to detect simple and unequivocally anomalous events, ones that should be detectable under any circumstance, differs significantly amongst anomaly detectors. The results of this thesis refute the hypothesis that all anomaly detectors are equally capable of detecting anomalies that arise as manifestations of attacks or intrusions

A defense-centric taxonomy based on attack manifestations

Many classifications of attacks have been tendered, often in taxonomic form. A common basis of these taxonomies is that they have been framed from the perspective of an attacker – they organize attacks with respect to the attacker’s goals, such as privilege elevation from user to root (from the well known Lincoln taxonomy). Taxonomies based on attacker goals are attack-centric; those based on defender goals are defense-centric. Defenders need a way of determining whether or not their detectors will detect a given attack. It is suggested that a defense-centric taxonomy would suit this role more effectively than an attack-centric taxonomy. This paper presents a new, defense-centric attack taxonomy, based on the way that attacks manifest as anomalies in monitored sensor data. Unique manifestations, drawn from 25 attacks, were used to organize the taxonomy, which was validated through exposure to an intrusion-detection system, confirming attack detectability. The taxonomy’s predictive utility was compared against that of a well-known extant attack-centric taxonomy. The defense-centric taxonomy is shown to be a more effective predictor of a detector’s ability to detect specific attacks, hence informing a defender that a given detector is competent against an entire class of attacks

Cyber Threat Assessment of Uplink and Commanding System for Mission Operation

Most of today's Mission Operations Systems (MOS) rely on Ground Data System (GDS) segment to mitigate cyber security risks. Unfortunately, IT security design is done separately from the design of GDS' mission operational capabilities. This incoherent practice leaves many security vulnerabilities in the system without any notice. This paper describes a new way to system engineering MOS, to include cyber threat risk assessments throughout the MOS development cycle, without this, it is impossible to design a dependable and reliable MOS to meet today's rapid changing cyber threat environment

Security Bulletins

Practical software security measurements and metrics are critical to the improvement of software security. We propose a metric to determine whether one software system is more secure than another similar system with respect to their attack surface. We use a system’s attack surface measurement as an indicator of the system’s security; the larger the attack surface, the more insecure the system. We measure a system’s attack surface in terms of three kinds of resources used in attacks on the system: methods, channels, and data. We demonstrate the use of our attack surface metric by measuring the attack surfaces of two open source IMAP servers and two FTP daemons. We validated the attack surface metric by conducting an expert user survey and by performing statistical analysis of Microsoft Security Bulletins. Our metric can be used as a tool by software developers in the software development process and by software consumers in their decision making process.