ABERDEEN PROVING GROUND, Md. -- Army researchers along with their academic partners are pioneering a novel cyber security framework that will thwart future attacks on military systems by changing network dynamics thus enhancing network modernization efforts.
Dr. Terrence Moore and Dr. Frederica Nelson from the U.S. Army Combat Capabilities Development Command’s Army Research Laboratory, along with researchers from University of Queensland, Gwangju Institute of Science and Technology and Virginia Tech, developed a novel attack graph model to inform a moving target defense scheme, thereby better managing network vulnerabilities.
The team published their research in a paper, Attack Graph-based Moving Target Defense in Software-Defined Networks, in IEEE Xplore, a peer-reviewed journal.
This fundamental research addresses the Army Modernization Priorities for Network/C3I, as it contributes toward the vision of a network strategy that dynamically changes the network to manage performance and security.
“We have developed a new attack graph model, a three-tiered attack graph or “TAG,” to better manage vulnerabilities at the network, remote and local/root levels,” Moore said. “Attack graphs are used to model the paths, or network routes, component exploitation options, etc., an attacker might take to achieve their objective of compromising a particular network resource such as a database.”
The model, which is research funded by the CCDC International Technology Center-Pacific, leverages software defined network, or SDN, technology to implement a moving target defense, or MTD, framework that can provide a solution to determine how often each host’s network configuration can be shuffled to provide adaptive, proactive and affordable security services.
“The TAG helps generate the attack paths that identify the critical components in the system,” Moore said. “This identifies their probability of being exploited depending on their role in the network, i.e., the importance of the service they provide, and their influence on other system component roles, i.e., how they facilitate the delivery of services in the network. We then use that knowledge gained to inform the MTD scheme in such a way that allows an administrator to control the overhead, which is the cost to implement and degradation of system performance, in managing the security.”
MTD seeks to thwart cyberattackers’ traditional planning and timing advantages by frequently changing the attack surface (network or system configurations) invalidating attacker’s intelligence and wasting their resources.
MTD is a proactive approach that is a radical departure from traditional security approaches. The typical approach is reactive waiting until a new attack method has occurred to identify their patterns and update operating systems and software with security patches to prevent future attacks using the same or similar method.
“The typical attack graph construction can ignore the forest for the trees,” Moore said. “By separating the network, remote and local/root levels, our TAG approach simplifies this calculation conceptually and we further simplify the problem by considering a subset of the most vulnerable attack paths to critical resources.”
Easing the burden of these computations is important since networks are not getting smaller or less complex, he said.
“Our TAG model enhances the traditional model by separating the vulnerabilities into remote and local vulnerabilities, which enables simpler handling of user versus root privilege to determine compromise probabilities for different attack paths,” Moore said. “In addition, we introduce the concept of asset criticality, both roles and influence, to determine where to change the attack surface informed by the TAG generated paths.”
The researchers stated that in order to provide highly cost-effective security services, the proposed approach focuses on shuffling network configurations (reassigning virtual IPs, randomizing packet header information and changing the application environment) of highly critical, vulnerable hosts that are identified by the TAG paths as potentially exploit-worthy or valuable targets by attackers.
"The MTD shuffling scheme selects a single host (computer or server) to change their configuration in every time interval,” Moore said. “This host is selected at random based on the value of their asset criticality. The more important the host is, the more often it will be selected. That offers more protection to hosts with higher value.”
In addition, he said, the researchers allow the administrator to dynamically control the shuffling time interval to manage the security-performance tradeoff. This is necessary since each time a host configuration is shuffled there is a chance of service interruption.
This collaborative effort has produced MTD protocols, evaluation methodologies of the security and performance trade-offs of general MTD schemes, application approaches to scalability and applicability to new domains such as in-vehicle network systems. It also adapts attack graph information to inform an MTD scheme.
MTD research has potentially broad applicability, Moore said.
“Work in this area has been designed or tested for enterprise networks, Internet of Things-type networks, cyber-physical systems, SDNs, cloud services and vehicular networks,” Moore said. “Continuing to demonstrate the applicability and utility of MTD to more network types, particularly tactical network environments, is of significant interest to the Army and the greater cyber security community.”
There is also potential for connections with the laboratory’s Internet of Battlefield Things Collaborative Research Alliance program.
As for the future of this research, the team is currently developing several machine learning approaches to incorporate into MTD, specifically in the context of in-vehicle networks.
It may be possible to incorporate these approaches into this attack-graph-informed approach or vice-versa, Moore said.
Factors that the research team will consider moving forward include the requirement of large amounts of data for training, and complexity and convergence time. From the MTD perspective, Moore said, these contribute to the defense cost.
“Studying this cost, as well as the effect on network performance/reliability due to the degradation from MTD actions, is just as important as studying the benefits from the security side,” Moore said.
Securing Army systems in the current multi-domain environment is of critical importance to this team, Moore said, as they continue to collaborate to further mature this research until it is in the ever-evolving toolkit of American Soldiers.