Runtime Optimal Semantic Gap-Filling System Security Monitoring via Offline Automated Executable Profile Generation and Dynamic Sensor Development

Abstract

Cyber attacks are typically anonymous, and their impacts may be immediate or dormant and subtle, eluding recognition for years and causing damage that ranges from inconvenient downtime of personal systems to the life-threatening destruction of critical infrastructures. Developing an effective and comprehensive cyber security strategy to counter these threats is paramount. Trustworthy operation of next-generation critical naval cyber infrastructures requires not only intrusion-preventive security hardening solutions, e.g., stack canaries, to keep attackers from intruding into critical computer systems, but also online, optimal system security monitoring that provides semantic security status reports about low-level malicious activities within those systems. The objective of this research is to develop the fundamental theoretical foundations and real-world, working practical tools that provide adaptive, semantic gap-filling, cost-optimal, and real-time system security monitoring capabilities in complex and critical computing assets. The proposed automated, self-aware and scalable cyber security solution will enable critical systems to survive sophisticated and large-scale attack scenarios with minimal manual intervention and will provide Navy personnel with meaningful and concise reports about security incidents in real time. In this project, we plan to address the involved fundamental challenges through the following proposed novel research program: i) Optimal real-time system security-observability maintenance. We will design novel mathematical system security analysis techniques (e.g., using the linear temporal logic formalism) to categorize the detection capabilities of the different security sensors that could be installed dynamically during online system security monitoring. Additionally, we will profile behavioral models of benign application executables (for whitelisting) using advanced binary and taint analysis techniques. We will design, develop and deploy intelligent optimal algorithms, using control theory, that utilize the system's current security state information to monitor intra-process address spaces and executions as well as inter-process system-wide activities using a cost-minimal sufficient subset of sensors; ii) Software compilation enhancement for online security monitoring. We will develop innovative techniques to enhance the compilation process of software source code such that the generated machine code and the corresponding address space memory include the information that online security monitoring tools can make maximum use of, with minimum runtime overhead. The type of incorporated information will be determined through offline analysis of the application's intermediate representation; iii) Semantic context reverse engineering and formal inter-incident causality analysis. We will design new algorithms and working tools to reverse engineer low-level system incidents into high-level semantic concepts. We will use dynamic execution trace analysis of the corresponding executables to map high-level source code concepts, e.g., inter-class relations, and human-perceivable program outputs, e.g., messages on screen displays, to the underlying machine-level incidents and data structures. Additionally, we will work on formal logic-based horizontal inter-process incident correlation and causality analysis to infer the logic behind ongoing multi-process, system-wide intrusions; and iv) Low-level actuation and countermeasure deployment. Based on the innovative security monitoring tools developed in this project, we will take fundamental preliminary steps towards automated system-wide intrusion tolerance. We will investigate a comprehensive categorization of possible underlying actuators (the dual of the problem SySense solves for sensing) that could be deployed to react against ongoing intrusions.
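The abstract's first thrust frames sensor selection as picking a cost-minimal sufficient subset of sensors given the system's current security state. The following is an added illustration of that idea, not code from this project: it models each sensor by its runtime overhead and the incident classes it can observe, derives the set of incident classes that must remain observable from a (constructed) security state, and selects sensors with a greedy weighted set-cover heuristic. The sensor catalogue, cost units, incident class names and `required_for_state` policy are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Sensor:
    """A deployable security sensor (constructed model, not from the project)."""
    name: str
    cost: int                  # runtime overhead in arbitrary units
    observes: FrozenSet[str]   # incident classes the sensor can report on


# Constructed sensor catalogue; names, costs and coverage are illustrative.
SENSORS: List[Sensor] = [
    Sensor("syscall_tracer", 30, frozenset({"file_write", "net_connect", "exec"})),
    Sensor("stack_canary_probe", 10, frozenset({"stack_smash"})),
    Sensor("heap_guard", 20, frozenset({"heap_overflow", "uaf"})),
    Sensor("net_tap", 25, frozenset({"net_connect", "dns_query"})),
    Sensor("memory_scanner", 60, frozenset({"stack_smash", "heap_overflow", "uaf", "code_inject"})),
    Sensor("exec_monitor", 16, frozenset({"exec", "code_inject"})),
]


def required_for_state(state: Dict[str, bool]) -> Set[str]:
    """Map the current security state to the incident classes that must stay observable.

    The policy is a hypothetical one: a baseline of process and network visibility,
    widened when untrusted input has been seen or a process looks suspicious.
    """
    required = {"exec", "net_connect"}
    if state.get("untrusted_input_seen"):
        required |= {"stack_smash", "heap_overflow"}
    if state.get("suspicious_process"):
        required |= {"code_inject", "file_write", "uaf"}
    return required


def select_sensors(sensors: List[Sensor], required: Set[str]) -> List[Sensor]:
    """Greedy weighted set cover: repeatedly pick the sensor with the best
    (newly covered classes / cost) ratio until every required class is observed.

    Raises ValueError if some required class is observable by no sensor, which
    is the "observability gap" a monitor must report rather than silently ignore.
    """
    uncovered = set(required)
    available = list(sensors)
    chosen: List[Sensor] = []
    while uncovered:
        best = None
        best_ratio = 0.0
        for s in available:
            gain = len(s.observes & uncovered)
            if gain == 0:
                continue
            ratio = gain / s.cost
            if best is None or ratio > best_ratio:   # first sensor wins ties
                best, best_ratio = s, ratio
        if best is None:
            raise ValueError(f"no sensor can observe: {sorted(uncovered)}")
        chosen.append(best)
        available.remove(best)
        uncovered -= best.observes
    return chosen


def total_cost(chosen: List[Sensor]) -> int:
    return sum(s.cost for s in chosen)


def plan(state: Dict[str, bool]) -> List[str]:
    """Convenience wrapper: sensor names to deploy for a given security state."""
    return [s.name for s in select_sensors(SENSORS, required_for_state(state))]


if __name__ == "__main__":
    for st in ({}, {"untrusted_input_seen": True},
               {"untrusted_input_seen": True, "suspicious_process": True}):
        picked = select_sensors(SENSORS, required_for_state(st))
        print(st, "->", [s.name for s in picked], "cost", total_cost(picked))
```

The greedy rule only guarantees a logarithmic approximation of the true minimum, which is why the abstract speaks of designing optimal algorithms rather than reusing a heuristic; the point of the example is the shape of the problem, where the required observables shift with the security state and the monitor re-plans its sensor set and reports any class it cannot cover.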

Document Details

Document Type
DoD Grant Award
Publication Date
Aug 12, 2016
Source ID
N000141512741

Entities

People

  • Saman Zonouz

Organizations

  • Office of Naval Research
  • Rutgers University
  • United States Navy

Tags

Fields of Study

  • Computer science
  • Engineering

Readers

  • Computational Linguistics
  • Cybersecurity
  • Distributed Systems and Data Platform Development

Technology Areas

  • AI & ML
  • Cyber
  • Space