Systems and attacks are becoming more sophisticated; classical security methods are failing to protect and secure those systems. We believe that systems should be built to be resilient to attacks. Cyber Resiliency is the protection strategy that will secure modern systems that control our critical infrastructure. Instead of perfectly protecting the system, a resilient system survives a cyber incident by detecting and containing attacks while maintaining service.
In this talk, we describe our proposed resiliency architecture, which uses a model of the system to deploy monitors, estimates the state of the system from monitor data, and selects responses to maintain service during attacks. We then design the essential components of that architecture for a range of systems, including operating systems, hosts, and enterprise networks. The components we build are monitor design, monitor view generation, fusion, and response. Several practical and theoretical challenges, however, hinder a cyber-resilient architecture. In particular, the architecture must handle a plethora of monitors with differing semantics and time scales. Moreover, the system depends on the integrity of the monitoring data when estimating the state of the system; that integrity is critical to making "correct" decisions that are not influenced by the attacker. Finally, the response mechanisms must be proven effective at maintaining the resilience of the system, and proving such properties is particularly challenging because of the complexity of the systems. Our work addresses these challenges facing the cyber resiliency architecture.
First, we designed a host-level monitor, Kobra, that combines the various views of application behavior into a signal and then learns a baseline of acceptable behavior, which we use for anomaly detection. Since our cyber resiliency architecture depends on the integrity of the monitoring data, we designed PowerAlert, an out-of-box integrity checker. PowerAlert uses CPU power measurements, taken with an external probe, to verify that the machine executed the integrity check as expected. To prevent an attacker from evading PowerAlert, we use random initiation times and randomly generated integrity-checking programs. Finally, we use Kobra's host-level views to correlate events across a network: we propose a fusion framework that lets us fuse monitoring events from different sources, and then, using the framework, we construct lateral movement chains across the network. We form each chain from network causation events, which are inferred from Kobra's process communications view.
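As an added illustration (not Kobra's code or the authors' implementation), the sketch below shows how network causation events could be inferred from per-host process communication views and then chained into lateral movement paths. The hosts, pids and timestamps are constructed, and the pairing rule (a connect on one host matched to an accept on the peer host within a short time window) is an assumption.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass(frozen=True)
class ProcEvent:
    """One record from a host's process-communication view (hypothetical schema)."""
    host: str
    pid: int
    ts: float
    kind: str   # "connect" (outbound) or "accept" (inbound)
    peer: str   # remote host name

# Constructed sample telemetry; hosts, pids and times are made up for the example.
EVENTS = [
    ProcEvent("ws1", 4101, 10.0, "connect", "srv1"),
    ProcEvent("srv1", 220, 10.1, "accept", "ws1"),
    ProcEvent("srv1", 220, 25.0, "connect", "db1"),
    ProcEvent("db1", 77, 25.2, "accept", "srv1"),
    ProcEvent("ws2", 300, 30.0, "connect", "srv1"),  # unrelated, single-hop session
    ProcEvent("srv1", 221, 30.1, "accept", "ws2"),
]

def infer_causations(events, window=1.0):
    """Pair each connect with a matching accept on the peer host within `window` seconds.
    Returns edges ((src_host, src_pid), (dst_host, dst_pid), ts)."""
    accepts = [e for e in events if e.kind == "accept"]
    edges = []
    for c in (e for e in events if e.kind == "connect"):
        for a in accepts:
            if a.host == c.peer and a.peer == c.host and 0 <= a.ts - c.ts <= window:
                edges.append(((c.host, c.pid), (a.host, a.pid), c.ts))
    return edges

def lateral_chains(edges, min_len=2):
    """Follow causation edges forward in time from processes that were never a target."""
    out = defaultdict(list)
    for src, dst, ts in edges:
        out[src].append((dst, ts))
    targets = {dst for _, dst, _ in edges}

    def walk(node, after):
        nxt = [(d, ts) for d, ts in out.get(node, []) if ts >= after]
        if not nxt:
            return [[node]]
        chains = []
        for d, ts in sorted(nxt, key=lambda x: x[1]):
            chains += [[node] + rest for rest in walk(d, ts)]
        return chains

    roots = [n for n in sorted(out) if n not in targets]
    return [ch for r in roots for ch in walk(r, 0.0) if len(ch) >= min_len]
```

Running `lateral_chains(infer_causations(EVENTS))` on the sample yields one three-hop chain (ws1 to srv1 to db1) and one single-hop session; the window parameter is where real deployments would need to account for clock skew between hosts.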