Views
5 years ago

April 10, 2011 Salzburg, Austria - WOMBAT project

April 10, 2011 Salzburg, Austria - WOMBAT project

Blueprints of a

Blueprints of a Lightweight Automated Experimentation System: A Building Block Towards Experimental Cyber Security ABSTRACT Many research projects studying security threats require realistic network scenarios while dealing with millions of cyber threats (e.g., exploit programs and malware). For instance, studying the execution of malware may require to take into account different network configurations in which malware can propagate, as well as dealing with thousands (or millions) of different malware samples. The same challenge occurs if one wants to evaluate IDSs, study exploit programs or conduct vulnerability assessment using realistic network scenarios. Moreover, cyber threats are highly dynamic. Every day, new vulnerabilities are identified and documented in software commonly used by computers connected to the Internet, and new malware instances and exploit programs are also identified. Consequently, it is not viable to develop (deploy) an environment every time cyber threats or security products (e.g., IDSs and anti-virus) have to be studied from a different perspective. New research methodologies and tools are needed to systematically conduct cyber security research. Automation is required to deal with the increasingly large number of cyber threats. In this paper, we draw the foundations of an experimental approach to cyber security by providing the blueprints of a lightweight Automated Experimentation System (AES). The AES automatically executes experiments based on a specification file. We describe its usage in different network security research projects, from IDS evaluation to static and dynamic malware analysis. The results we derived from these different research projects show that our experimental approach to cyber security, enabled by the AES, enhances the scope (and scale) of research in this field. Consequently, the AES improves our understanding of cyber threats and our assessment of the current state of security products. Frédéric Massicotte and Mathieu Couture Communications Research Centre Canada Ottawa, Canada {Frederic.Massicotte,Mathieu.Couture}@crc.gc.ca 1 17 Categories and Subject Descriptors C.2 [Computer-Communication Networks]: Network Architecture and Design; H.1 [Models and Principles]: Miscellaneous; I.6 [Simulation and Modeling]: Miscellaneous 1. INTRODUCTION Many security products such as intrusion detection systems (IDSs), firewalls and anti-virus systems protect computer networks against attacks and intrusions. Several studies report problems with these systems and propose solutions to address those problems. In the problem investigation and solution assessment phases of cyber security research projects, researchers have to deal with thousands (or millions) of cyber threats (e.g., exploit programs and malware) that affect the thousands of different computer devices, operating systems and applications available today. Moreover, because cyber threats are highly dynamic in nature, the proposed solutions have to be constantly re-assessed. For instance, several vulnerabilities are identified in software commonly used by computer systems connected on the Internet (e.g., NVD 1 SecurityFocus 2 , CVE 3 ) on a daily basis. Software programs that exploit these vulnerabilities are developed. Malware programs are among the most prevalent security threats on the Internet. For instance, McAfee has identified, over a period of 22 years (from 1986 to March 2008), 10 million unique malware samples. 4 From March 2008 to March 2009, the number of malware samples they identified doubled (i.e., it reached 20 millions). Only in the first half of this year, they have catalogued 10 million new pieces of malware for a total of around 43 million unique malware samples (including variants). 5 Given what the Internet has become, with its diversity of computing devices, operating systems and software applications, and the dynamic nature of cyber threats, we argue that cyber security needs to be studied in a systematic manner. In particular, we need a new experimental science hav- 1 nvd.nist.gov 2 www.securityfocus.com 3 cve.mitre.org 4 www.avertlabs.com/research/ blog/index.php/2009/03/10/ avert-passes-milestone-20-million-malware-samples/ 5 www.mcafee.com/us/local_content/reports/q22010_ threats_report_en.pdf

ing cyber security as its subject of interest. This new science would enrich the already established theoretical and practical approaches to cyber security. New research methodologies, metrics and tools are required to build (define) the foundations of experimental cyber security. In this paper, to address this shortage of experimentation tools and to define the foundations of an experimental science approach to cyber security, we present the blueprint for an Automated Experimentation System (AES) that can be used to conduct cyber security experiments. The AES is the control component of our Cyber Observatory, in which cyber threats are the subjects of experiments to derive, among other things, cyber threat analysis and assessment of security products. The AES differentiates itself from other experimentation tools such as DETER [8] and vGround [12] on two aspects. First, it was designed to conduct multiple lightweight experiments (i.e., only using small networks composed of a few nodes) as quickly as possible, to be able to experiment with large numbers of cyber threats. DETER and vGround, on the other hand, are designed to conduct smaller numbers of larger experiments (i.e., using large networks with many nodes). Second, DETER and vGround only automate the construction of the environment where the experiment takes place. In addition to this, the AES automates the experimentation process, making the experimentation process fast, repeatable, and self-documenting. The contributions are two-fold. (1) We propose a new approach, enabled by our Automatic Experimentation System, to conduct cyber security experimentation (e.g., generate IDS test cases, analyze malware and vulnerabilities). (2) We present different studies performed using the AES to illustrate how it can be used to assess proposed solutions to cyber security problems. The remainder of this paper is structured as follows. Section 2 lays out the requirements for an experimentation tool in cyber security. Section 3 presents the AES and the Cyber Observatory. Section 4 describes research projects conducted using the Cyber Observatory. Limitations are presented in Section 5. Conclusions are drawn in Section 6. 2. EXPERIMENTAL CYBER SECURITY Some authors have recognized the need for Experimental Computer Science (ECS) and proposed a definition ([2, 7, 10, 19]). However, what is ECS exactly has yet to be agreed [9]. Nonetheless, each proposed ECS definition is largely inspired from the scientific method used in the natural sciences (e.g., physics, chemistry, and biology). The ECS process entails (step 1) forming a hypothesis, (step 2) constructing a model and making a prediction, (step 3) designing and conducting experiments to collect data and (step 4) analyzing the results of the experiments to support or negate the hypothesis. 6 There are also a few requirements that need to be fulfilled when conducting experimental research. An essential requirement is repeatability (req. 1). This requires proper documentation of the experiments, so that others can re- 6 http://www.jiahenglu.net/course/researchmethod/ slides/lec9.pdf 2 18 produce experiments and obtained results independently to confirm or refute the claims derived from these results. In the case of cyber security, the experimentation subjects are, among other things, malware samples, exploit programs, software having known vulnerabilities, etc. Thus, to conduct experiments in cyber security, a controlled environment is required: (req. 2) for recording the experimentation execution (e.g., network traffic and logs); (req. 3) for controlling the propagation of the experiment subject (e.g., exploit and malware). This controlled environment has (req. 4) to use real and heterogeneous system configurations (e.g., exploiting and attacking real vulnerabilities); (req. 5) to enable recovery to initial state (e.g., recover after a malware infection for executing every experiments in the same initial conditions); and (req. 6) to automate the experimentation process to account for the large number of experimentation scenarios due to the dynamic nature of cyber threats. The AES was designed to automate step 3 of the ECS process and fulfill req. 1 to 6. 3. CYBER OBSERVATORY In this section, we present the Cyber Observatory, which we have been using for five years to obtain meaningful results despite the dynamic nature of cyber threats. The Cyber Observatory is composed of four entities: a software library called the AES Engine (Section 3.1), a collection of more than 200 virtual machine images called the Virtual Laboratory (VLab) (Section 3.2), an array of networked computers located in our labs called the AES Farm (Section 3.3) and a monitoring system called the AES Dashboard (Section 3.4). To create environments for study of computer programs, virtual machines are often used. They are an excellent automation enabler. For the VLab, we selected VMware, 7 among others (e.g. QEMU 8 , VirtualBox 9 and Xen 10 ), as we already had a positive experience with it [6]. The AES Engine was designed to automate step 3 of the ECS process and to fulfill req. 1 and 6. The VLab fulfills req. 2 to 5 (Section 2). The AES Engine uses as input an experiment description file (Section 3.1.1) that specifies (and documents) each experiment, step by step, as well as its results (Section 3.1.3), allowing the same experiment to be conducted many times and to be reproduced (req. 1). Virtualization provides an environment that allows the capture of information produced by the virtual machines during the experiment. Consequently, the captured information (traffic traces and various logs) can then be used to study cyber threats (req. 2). With virtualization 11 the propagation of the studied cyber threats is confined, thus preventing infection of the AES Farm (req. 3). Virtualization also facilitates the creation of template virtual machines having dif- 7 www.vmware.com 8 wiki.qemu.org 9 www.virtualbox.org 10 www.xen.org 11 We are aware that some malware samples are able to detect virtual machines. However, we believe that as virtualization is becoming more commonly used, malware samples would have to execute on those virtual systems to be efficient. If not, using virtualization for your systems could become a way to prevent malware infection.

D06 (D3.1) Infrastructure Design - WOMBAT project
6-9 December 2012, Salzburg, Austria Social Programme
D I P L O M A R B E I T - Salzburg Research
D I P L O M A R B E I T - Salzburg Research
D I P L O M A R B E I T - Salzburg Research
Communication Plan for EGU 2011 April 3-8, 2011, Vienna, Austria
ECCMID meeting Vienna, Austria 10-13 April 2010 - European ...
8th Liquid Matter Conference September 6-10, 2011 Wien, Austria ...
8th Liquid Matter Conference September 6-10, 2011 Wien, Austria ...
April 10, 2011 - University of Cambridge
Top 10 Project Management Trends for 2011 from ESI International