Skip to main content
SpringerLink
Log in

Enterprise-Level Cyber Situation Awareness

  • Chapter
  • First Online:
Theory and Models for Cyber Situation Awareness

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 10030))

Abstract

This chapter begins with a literature review of situation awareness (SA) concepts, and a study on how to apply SA to the cyber field for enterprise-level network security diagnosis. With the finding that an isolation problem exists between the individual perspectives of different technologies, this chapter introduces a cyber SA model named SKRM, which is proposed to integrate the isolated perspectives into a framework. Based on one of the SKRM layers, called Operating System Layer, this chapter presents a runtime system named Patrol, that reveals zero-day attack paths in the enterprise-level networks. To overcome the limitation of Patrol and achieve better accuracy and efficiency, this chapter further illustrates the usage of Bayesian Networks at the low level of Operating System to reveal zero-day attack paths in a probabilistic way.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
eBook
USD 16.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 16.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Dominguez, C.: Can SA be defined. Situation awareness: Papers and annotated bibliography, pp. 5–15 (1994)

    Google Scholar 

  2. Fracker, M.L.: A theory of situation assessment: implications for measuring situation awareness. In: Proceedings of the Human Factors and Ergonomics Society Annual Meeting, vol. 32. No. 2. SAGE Publications (1988)

    Google Scholar 

  3. Endsley, M.R.: Toward a theory of situation awareness in dynamic systems. Hum. Factors J. Hum. Factors Ergon. Soc. 37(1), 32–64 (1995)

    Article  Google Scholar 

  4. Salerno, J.J., Hinman, M.L., Boulware, D.M.: A situation awareness model applied to multiple domains. In: Defense and Security, pp. 65–74. International Society for Optics and Photonics (2005)

    Google Scholar 

  5. McGuinness, B., Foy, L.: A subjective measure of SA: the Crew Awareness Rating Scale (CARS). In: Proceedings of the First Human Performance, Situation Awareness, and Automation Conference, Savannah, Georgia (2000)

    Google Scholar 

  6. Alberts, D.S., Garstka, J.J., Hayes, R.E., Signori, D.A.: Understanding information age warfare. Assistant secretary of defense. (C3I/Command Control Research Program) Washington DC (2001)

    Google Scholar 

  7. Endsley, M.R.: Theoretical underpinnings of situation awareness: a critical review. In: Situation Awareness Analysis and Measurement, pp. 3–32 (2000)

    Google Scholar 

  8. Boyd, J.R.: The essence of winning and losing. Unpublished lecture notes (1996)

    Google Scholar 

  9. Witten, I.H., Frank, E.: Data Mining: Practical Machine Learning Tools and Techniques. Morgan Kaufmann, San Francisco (2005)

    MATH  Google Scholar 

  10. Tadda, G.P., Salerno, J.S.: Overview of cyber situation awareness. Cyber Situational Awareness 46(1), 15–35 (2010)

    Article  Google Scholar 

  11. Barford, P., Dacier, M., Dietterich, T.G., Fredrikson, M., Giffin, J., Jajodia, S., Jha, S., et al.: Cyber SA: situational awareness for cyber defense. In: Jajodia, S., et al. (eds.) Cyber Situational Awareness, pp. 3–13. Springer, US (2010)

    Chapter  Google Scholar 

  12. Xiaoyan, J.D., Liu, P.: SKRM: Where security techniques talk to each other. In: 2013 IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA), pp. 163–166. IEEE (2013)

    Google Scholar 

  13. Wireshark. Wireshark Foundation. http://www.wireshark.org

  14. Ntop. http://www.ntop.org

  15. Tcpdump/Libpcap. http://www.tcpdump.org/

  16. The Bro Project. https://www.bro.org/

  17. Snort. Sourcefire, Inc. http://www.snort.org

  18. Nessus. Tenable Network Security. http://www.tenable.com

  19. Oval. MITRE. http://oval.mitre.org

  20. GFI LanGuard. GFI software. http://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard

  21. QualysGuard. Qualys, Inc. http://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard

  22. McAfee Foundstone. http://www.mcafee.com/us/services/mcafee-foundstone-practice.aspx

  23. Lumeta IPsonar. http://www.lumeta.com/

  24. SteelCentral NetCollector (formerly OPNET NetMapper). Riverbed Technology. http://www.riverbed.com/products/performance-management-control/network-performance-management/network-data-management.html

  25. NMAP. https://nmap.org/

  26. JANASSURE. Intelligent Automation, Inc. http://www.i-a-i.com/?core/cyber-security.html

  27. King, S.T., Chen, P.M.: Backtracking intrusions. In: ACM SIGOPS Operating Systems Review (2003)

    Google Scholar 

  28. Xiong, X., Jia, X., Liu, P.: Shelf: preserving business continuity and availability in an intrusion recovery system. In: Computer Security Applications Conference (ACSAC) (2009)

    Google Scholar 

  29. Dai, J., Sun, X., Liu, P.: Patrol: revealing zero-day attack paths through network-wide system object dependencies. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 536–555. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40203-6_30

    Chapter  Google Scholar 

  30. Malwarebytes Anti-Exploit. https://www.malwarebytes.org/antiexploit/index.html

  31. AVG AntiVirus. http://free.avg.com/us-en/homepage

  32. McAfee AntiVirus. http://www.mcafee.com/us/

  33. OSSEC. Trend Micro Security. http://www.ossec.net/

  34. Tripwire. Tripwire, Inc. http://www.tripwire.com

  35. Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for unix processes. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 120–128 (1996)

    Google Scholar 

  36. Lee, W., Stolfo, S.J., Chan, P.K.: Learning patterns from unix process execution traces for intrusion detection. In: AI Approaches to Fraud Detection and Risk Management (1997)

    Google Scholar 

  37. Kosoresow, A.P., Hofmeyer, S.A.: Intrusion detection via system call traces. IEEE Softw. 14, 35–42 (1997)

    Article  Google Scholar 

  38. Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. J. Comput. Secur. 6, 151–180 (1998)

    Article  Google Scholar 

  39. Wagner, D., Dean, D.: Intrusion detection via static analysis. In: Proceedings of 2001 IEEE Symposium on Security and Privacy (S&P), pp. 156–168 (2001)

    Google Scholar 

  40. Kruegel, C., Mutz, D., Valeur, F., Vigna, G.: On the detection of anomalous system call arguments. In: Computer Security ESORICS (2003)

    Google Scholar 

  41. Tandon, G., Chan, P.: Learning rules from system call arguments and sequences for anomaly detection. In: ICDM DMSEC (2003)

    Google Scholar 

  42. Bhatkar, S., Chaturvedi, A., Sekar, R.: Dataflow anomaly detection. In: Proceedings of 2006 IEEE Symposium on Security and Privacy (S&P) (2006)

    Google Scholar 

  43. Debar, H., Wespi, A.: Aggregation and correlation of intrusion-detection alerts. In: Recent Advances in Intrusion Detection (RAID) (2001)

    Google Scholar 

  44. Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Recent Advances in Intrusion Detection (RAID) (2001)

    Google Scholar 

  45. Bahl, P., et al.: Towards highly reliable enterprise network services via inference of multi-level dependencies. In: ACM SIGCOMM Computer Communication Review (2007)

    Google Scholar 

  46. Kandula, S., et al.: What’s going on?: learning communication rules in edge networks. In: ACM SIGCOMM Computer Communication Review (2008)

    Google Scholar 

  47. Chen, X., et al.: Automating network application dependency discovery: experiences, limitations, and new solutions. In: Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation (2008)

    Google Scholar 

  48. ArcSight. HP Enterprise Security. http://www.hpenterprisesecurity.com/

  49. NIRVANA. Intelligent Automation, Inc. http://www.i-a-i.com/?core/cyber-security.html

  50. Barham, P., Donnelly, A., Isaacs, R., Mortier, R.: Using Magpie for request extraction and workload modelling. In: Proceedings of the 6th Conference on Symposium on Opearting Systems Design and Implementation, vol. 6 (2004)

    Google Scholar 

  51. Chen, Y.-Y.M., Accardi, A., Kiciman, E., Lloyd, J., Patterson, D., Fox, A., Brewer, E.: Path-based failure and evolution management. In: Proceeding of the International Symposium on Networked System Design and Implementation (NSDI) (2004)

    Google Scholar 

  52. Fonseca, R., Porter, G., Katz, R.H., Shenker, S., Stoica, I.: X-trace: a pervasive network tracing framework. In: USENIX Association Proceedings of the 4th USENIX Conference on Networked Systems Design and Implementation (2007)

    Google Scholar 

  53. Barham, P., Black, R., Goldszmidt, M., Isaacs, R., MacCormick, J., Mortier, R., Simma, A.: Constellation: automated discovery of service and host dependencies in networked systems. In: TechReport MSR-TR-2008-67 (2008)

    Google Scholar 

  54. King, S.T., Mao, Z.M., Lucchetti, D.G., Chen, P.M.: Enriching intrusion alerts through multi-host causality. In: NDSS (2005)

    Google Scholar 

  55. Zhai, Y., Ning, P., Xu, J.: Integrating IDS alert correlation and OS-Level dependency tracking. In: IEEE Intelligence and Security Informatics (2006)

    Google Scholar 

  56. Popa, L., Chun, B.-G., Stoica, I., Chandrashekar, J., Taft, N.: Macroscope: end-point approach to networked application dependency discovery. In: ACM Proceedings of the 5th International Conference on Emerging Networking Experiments and Technologies (2009)

    Google Scholar 

  57. Keller, A., Blumenthal, U., Kar, G.: Classification and computation of dependencies for distributed management. In: Proceedings of Fifth IEEE Symposium on Computers and Communications (2000)

    Google Scholar 

  58. Bahl, P.V., Barham, P., Black, R., Chandra, R., Goldszmidt, M., Isaacs, R., Kandula, S., Li, L., MacCormick, J., Maltz, D., Mortier, R., Wawrzoniak, M., Zhang, M.: Discovering dependencies for network management. In: 5th ACM Workshop on Hot Topics in Networking (HotNets) (2006)

    Google Scholar 

  59. Dechouniotis, D., Dimitropoulos, X., Kind, A., Denazis, S.: Dependency detection using a fuzzy engine. In: Clemm, A., Granville, L.Z., Stadler, R. (eds.) DSOM 2007. LNCS, vol. 4785, pp. 110–121. Springer, Heidelberg (2007). doi:10.1007/978-3-540-75694-1_10

    Chapter  Google Scholar 

  60. Natarajan, A., Ning, P., Liu, Y., Jajodia, S., Hutchinson, S.E.: NSDMiner: automated discovery of Network Service Dependencies. In: Proceeding of IEEE International Conference on Computer Communications (2012)

    Google Scholar 

  61. Peddycord III, B., Ning, P., Jajodia, S.: On the accurate identification of network service dependencies in distributed systems. In: USENIX Association Proceedings of the 26th International Conference on Large Installation System Administration: Strategies, Tools, and Techniques (2012)

    Google Scholar 

  62. Sheyner, O.M.: Scenario graphs and attack graphs. Ph.D. diss, US Air Force Research Laboratory (2004)

    Google Scholar 

  63. Sheyner, O., Wing, J.: Tools for generating and analyzing attack graphs. In: Formal Methods for Components and Objects (2004)

    Google Scholar 

  64. Jha, S., Sheyner, O., Wing, J.: Two formal analyses of attack graphs. In: Computer Security Foundations Workshop (2002)

    Google Scholar 

  65. Swiler, L.P., Phillips, C., Ellis, D., Chakerian, S.: Computer-attack graph generation tool. In: DARPA Information Survivability Conference & Exposition II (2001)

    Google Scholar 

  66. Noel, S., Jajodia, S.: Managing attack graph complexity through visual hierarchical aggregation. In: Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security (2004)

    Google Scholar 

  67. Jajodia, S., Noel, S.: Topological vulnerability analysis. In: Cyber Situational Awareness, pp. 139–154 (2010)

    Google Scholar 

  68. Noel, S., Elder, M., Jajodia, S., Kalapa, P., O’Hare, S., Prole, K.: Advances in Topological Vulnerability Analysis, pp. 124–129 (2009)

    Google Scholar 

  69. Jajodia, S., Noel, S., Kalapa, P., Albanese, M., Williams, J.: Cauldron: mission-centric cyber situational awareness with defense in depth. In: Military Communications Conference (MILCOM) (2011)

    Google Scholar 

  70. Noel, S., Jajodia, S., O’Berry, B., Jacobs, M.: Efficient minimum-cost network hardening via exploit dependency graphs. In: Proceedings of Annual Computer Security Applications Conference (ACSAC) (2003)

    Google Scholar 

  71. Wang, L., Jajodia, S., Singhal, A., Cheng, P., Noel, S.: k-Zero day safety: a network security metric for measuring the risk of unknown vulnerabilities. IEEE Trans. Dependable Secure Comput. 11(1), 30–44 (2014)

    Article  Google Scholar 

  72. Albanese, M., Jajodia, S., Singhal, A., Wang, L.: An efficient approach to assessing the risk of zero-day vulnerabilities. In: SECRYPT (2013)

    Google Scholar 

  73. Dai, J., Sun, X., Liu, P.: Gaining big picture awareness through an interconnected cross-layer situation knowledge reference model. In: Proceedings of ASE/IEEE International Conference on Cyber Security (2012)

    Google Scholar 

  74. Yu, M., et al.: Self-healing workflow systems under attacks. In: Proceedings of 24th International Conference on Distributed Computing Systems (2004)

    Google Scholar 

  75. Agrawal, R., et al.: Mining process models from workflow logs. In: Advances in Database Technology-EDBT (1998)

    Google Scholar 

  76. De Medeiros, A., et al.: Workflow mining: current status and future directions. In: On The Move to Meaningful Internet Systems 2003: CoopIS, DOA, and ODBASE (2003)

    Google Scholar 

  77. Van Der Aalst, W.M.P., et al.: Workflow mining: a survey of issues and approaches. Data Knowl. Eng. 47(2), 237–267 (2003)

    Article  Google Scholar 

  78. Gaaloul, W., et al.: Mining workflow patterns through event-data analysis. In: Applications and the Internet Workshops (2005)

    Google Scholar 

  79. Axelsson, S.: Intrusion detection systems: a survey and taxonomy. Technical report (2000)

    Google Scholar 

  80. Paxson, V.: Bro: a system for detecting network intruders in real-time. Comput. Netw. 31(23), 2435–2463 (1999)

    Article  Google Scholar 

  81. Jiang, X., et al.: Stealthy malware detection and monitoring through VMM-based “out-of-the-box" semantic view reconstruction. ACM Trans. Inform. Syst. Secur. (TISSEC) (2010)

    Google Scholar 

  82. Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: Proceedings of the 12th Annual Network and Distributed System Security Symposium (2005)

    Google Scholar 

  83. Zhang, S., et al.: Cross-layer comprehensive intrusion harm analysis for production workload server systems. In: Proceedings of the 26th Annual Computer Security Applications Conferences (2010)

    Google Scholar 

  84. Czerwinski, S.E., et al.: An architecture for a secure service discovery service. In: Proceedings of the 5th Annual ACM/IEEE International Conference on Mobile Computing and Networking (1999)

    Google Scholar 

  85. Dai. J.: Gaining Big Picture Awareness in Enterprise Cyber Security Defense. Ph.D. Dissertation, College of IST, Penn State University, July 2014

    Google Scholar 

  86. Bilge, L., Dumitras, T.: An empirical study of zero-day attacks in the real world. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 833–844. ACM (2012)

    Google Scholar 

  87. Sekar, R., Gupta, A., Frullo, J., Shanbhag, T.: Specification-based anomaly detection: a new approach for detecting network intrusions. In: Proceedings of the 2002 ACM Conference on Computer and Communications Security (2002)

    Google Scholar 

  88. Ko, C., Ruschitzka, M., Levitt, K.: Execution monitoring of security-critical programs in distributed systems: a specification-based approach. In: Proceedings of 1997 IEEE Symposium on Security and Privacy (S&P) (1997)

    Google Scholar 

  89. Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: 2002 Symposium on Security and Privacy (S&P) (2002)

    Google Scholar 

  90. Jajodia, S., Noel, S., O’Berry, B.: Topological analysis of network attack vulnerability. In: Managing Cyber Threats: Issues, Approaches and Challanges, pp. 247–266 (2003)

    Google Scholar 

  91. Ou, X., Govindavajhala, S., Appel, A.W.: MulVAL: a logic-based network security analyzer. In: USENIX Security Symposium (2005)

    Google Scholar 

  92. Ou, X., Boyer, W.F., McQueen, M.A.: A scalable approach to attack graph generation. In: Proceedings of the 2006 ACM Conference on Computer and Communications Security (2006)

    Google Scholar 

  93. Sawilla, R., Ou, X.: Identifying critical attack assets in dependency attack graphs. In: Computer Security ESORICS (2006)

    Google Scholar 

  94. Goel, A., Po, K., Farhadi, K., Li, Z., de Lara, E.: The taser intrusion recovery system. In: ACM SIGOPS Operating Systems Review, vol. 39, no. 5, pp. 163–176. ACM (2005)

    Google Scholar 

  95. Knuth, D.E.: The Art Of Computer Programming (1997)

    Google Scholar 

  96. CWE. MITRE. http://cwe.mitre.org

  97. CAPEC. MITRE. http://capec.mitre.org

  98. Graphviz. http://www.graphviz.org

  99. NVD. MITRE. http://nvd.nist.gov

  100. McVoy, L.W., Staelin, C.: lmbench: portable tools for performance analysis. In: USENIX Annual Technical Conference, pp. 279–294 (1996)

    Google Scholar 

  101. Phillips, C., Swiler, L.P.: A graph-based system for network-vulnerability analysis. In: Proceedings of the 1998 Workshop on New Security Paradigms (1998)

    Google Scholar 

  102. Ramakrishnan, C.R., Sekar, R.: Model-based analysis of configuration vulnerabilities. J. Comput. Secur. 10(1/2), 189–209 (2002)

    Article  Google Scholar 

  103. Ammann, P., Wijesekera, D., Kaushik, S.: Scalable, graph-based network vulnerability analysis. In: Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS) (2002)

    Google Scholar 

  104. Ingols, K., Lippmann, R., Piwowarski, K.: Practical attack graph generation for network defense. In: Proceedings of 22nd Annual Computer Security Applications Conference (ACSAC) (2006)

    Google Scholar 

  105. Kruegel, C., Mutz, D., Robertson, W., Valeur, F.: Bayesian event classification for intrusion detection. In: 19nd Annual Computer Security Applications Conference (ACSAC) (2003)

    Google Scholar 

  106. Xie, P., Li, J., Ou, X., Liu, P., Levy, R.: Using Bayesian networks for cyber security analysis. In: Dependable Systems and Networks (DSN), IEEE/IFIP (2010)

    Google Scholar 

  107. Sun, X., Dai, J., Singhal, A., Liu, P.: Inferring the stealthy bridges between enterprise network islands in cloud using cross-layer Bayesian networks. In: 10th International Conference on Security and Privacy in Communication Networks (SecureComm) (2014)

    Google Scholar 

Download references

Acknowledgements

This work was supported by ARO W911NF-09-1-0525 (MURI), ARO W911NF-15-1-0576, NSF CNS-1422594, and NIETP CAE Cybersecurity Grant (BAA-003-15).

Author information

Authors and Affiliations

  1. California State University, Sacramento, CA, 95819, USA

    Xiaoyan Sun & Jun Dai

  2. National Institute of Science and Technology, Gaithersburg, MD, 20899, USA

    Anoop Singhal

  3. Penn State University, University Park, PA, 16802, USA

    Peng Liu

Authors
  1. Xiaoyan Sun
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jun Dai
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Anoop Singhal
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Peng Liu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Peng Liu .

Editor information

Editors and Affiliations

  1. Pennsylvania State University, University Park, Pennsylvania, USA

    Peng Liu

  2. George Mason University, Fairfax, Virginia, USA

    Sushil Jajodia

  3. Army Research Office, Research Triangle Park, North Carolina, USA

    Cliff Wang

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this chapter

Cite this chapter

Sun, X., Dai, J., Singhal, A., Liu, P. (2017). Enterprise-Level Cyber Situation Awareness. In: Liu, P., Jajodia, S., Wang, C. (eds) Theory and Models for Cyber Situation Awareness. Lecture Notes in Computer Science(), vol 10030. Springer, Cham. https://doi.org/10.1007/978-3-319-61152-5_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-61152-5_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-61151-8

  • Online ISBN: 978-3-319-61152-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation