
ARO-MURI on Cyber-Situation Awareness Review Meeting Phoenix AZ, 2013

Cyber Situation Awareness from a Cyber Security Perspective

Sushil Jajodia, Massimiliano Albanese (George Mason University); Peng Liu (Pennsylvania State University); Doug Reeves, Peng Ning, Christopher Healey (North Carolina State University); V. S. Subrahmanian (University of Maryland)


Presentation Transcript


  1. Cyber Situation Awareness from a Cyber Security Perspective
     Sushil Jajodia, Massimiliano Albanese (George Mason University)
     Peng Liu (Pennsylvania State University)
     Doug Reeves, Peng Ning, Christopher Healey (North Carolina State University)
     V. S. Subrahmanian (University of Maryland)
     ARO-MURI on Cyber-Situation Awareness Review Meeting, Phoenix AZ, 2013

  2. Sample Scenario: Enterprise Network
     [Figure: enterprise network diagram. Nodes: Internet, Web Server (A), Local DB Server (B), Mobile App Server (C), Local DB Server (D), Catalog Server (E), Order Processing Server (F), DB Server (G).]
     • Current situation. Is there any ongoing attack? If yes, where is the attacker?
     • Impact. How is the attack impacting the enterprise or mission? Can we assess the damage?
     • Evolution. How is the situation evolving? Can we track all the steps of an attack?
     • Behavior. How are the attackers expected to behave? What are their strategies?
     • Forensics. How did the attacker create the current situation? What was he trying to achieve?
     • Information. What information sources can we rely upon? Can we assess their quality?
     • Prediction. Can we predict plausible futures of the current situation?
     • Scalability. How can we ensure that solutions scale well for large networks?

  3. Desired CSA Capabilities
     Aspects of cyber situational awareness that need to be addressed in order to answer all the previous questions:
     • Be aware of current situation
       • Identification of past and ongoing attacks
     • Be aware of the impact of the attack
       • Damage assessment
     • Be aware of how situations evolve
       • Real-time tracking of attacks
     • Be aware of adversary behavior
       • Integration of knowledge of the attacker's behavior into the attack model
     • Be aware of why and how the current situation is caused
       • Forensics
     • Be aware of quality of information
       • Information sources, data integration, quality measures
     • Assess plausible futures of the current situations
       • Predict possible future and recommend corrective actions

  4. System Architecture
     [Figure: system architecture diagram. Recoverable component labels: Monitored Network; Alerts/Sensory Data; Vulnerability Databases (CVE, NVD, OSVD); NSDMiner; Cauldron; Switchwall; Topological Vulnerability Analysis; Dependency Analysis; Generalized Dependency Graphs; Stochastic Attack Models; Situation Knowledge Reference Model; Graph Processing and Indexing; Index & Data Structures; Unexplained Activities Model; Adversarial modeling; Network Hardening; Heavy Iron; Scenario Analysis & Visualization; Analyst. Example hosts and missions shown: Mobile App Server (C), Local DB Server (D), Order Processing Server (F), DB Server (G); Online Shopping, Mobile Order Tracking.]
     Annotation on the diagram: No information about the impact on missions of different courses of actions.

  5. System Architecture – Cyber Security Perspective (Y4)
