Evolutionary Strategies for Secure Moving Target Configuration Discovery

Résumé du livre

Defense against many cyber security threats can be implemented with existing software on the machine, without requiring patches for current programs or the installation of specialized security software. There are certain operating system or program parameters which, if set properly, can close security vulnerabilities. Learning a way to securely configure computers to prevent attacks potentially allows organizations to defend their machines with a relatively low cost. Regular machine reconfiguration could also be used to implement another concept in computer security: the moving target defense. In this strategy, the resource being defended is regularly modified in the hopes of spoiling the attacker's reconnaissance efforts. Reconnaissance is an important part of a cyber-attack. If a modification happens between reconnaissance and the attack, it is likely that the exploits based on the attacker's outdated information will no longer be effective. It is also possible to protect many similar objects at once. In this case, the security changes across all objects should be diverse. This way, even if an attacker can successfully compromise one machine, the same strategy will only be effective against a small portion of the others. Both these ideas, learning secure parameters and moving target defense, can be implemented through the use of a genetic algorithm. A genetic algorithm naively mimics the process of evolution. For this problem, a network of computers is modeled as a genetic population of organisms. In place of DNA, a computer's genetic code is described by the settings of all of its parameters. The model then simulates the breeding of these computers using the operators of selection, in which computers decide on mating partners based on their measured fitness; crossover, in which the parents pass some of each of their genes to the child; and mutation, which in which random changes are applied to the child's genes. Once all the child configurations have been created, they can be implemented on the managed computers. Attackers are imagined as predators for this population, regularly stalking the machines configured by the current generation and attacking the vulnerable computers within it. These attacks reduce the fitness of the targeted computers, reducing their probability of being chosen during selection. Thus, over many generations of breeding, the population will become more resistant to attacks, as the genes of computers which were not vulnerable to attack spread throughout the population. In this thesis, a genetic algorithm achieving both the goals stated above was developed. The genetic algorithm has been shown to evolve more secure computer configurations which when used with an automated reconfiguration system immunize the machines to attacks. This population of configurations is diverse and changes with every generation, creating a moving target defense as a consequence of its operation, using no additional resources. The system was demonstrated to work using only 40 generations, a much smaller number of generations than is normal for use with genetic algorithms but is reasonable given the time constraints of this problem. Evolutionary strategies other than genetic algorithms have also been considered. Beam search is a greedy algorithm, accepting only the highest scoring configurations of the current generation into the next. In this thesis, a beam search based system prototype was developed. It was also more successful than the genetic algorithm in increasing average configuration fitness, while still maintaining a high amount of diversity. This thesis also introduces the novel approach of using the artificial intelligence strategies support vector machines and classification and regression trees to supervise the evolutionary strategy. In the naive implementation, this was done by recording the changes in computers' observed security and correlating this information to changes between parents and children over many generations. This allowed for the classification of some settings as insecure. These insecure settings were forcibly removed from the population and the genetic algorithm modified so that they could not be reintroduced. In this thesis, an implementation of this artificial intelligence based idea was added to both the genetic algorithm and beam search based systems. In both cases, it resulted in significant increases in the amount of total fitness gain, with very little impact on diversity. A more complex implementation of this idea addressed the fact that, in the real world, only a small number of possible exploits will be used in any generation. This problem would normally prevent accurate fitness evaluation, as, in each generation, chromosomes are only graded based on the subset of attacks used against them. This separate classification scheme compared chromosomes within a single generation, searching for commonalities which would explain which traits the exploit required to succeed. A more complex classification scheme can achieve results in only a single generation. Instead of measuring at score changes over many generations, it compares attacked and uncompromised computers in the same generation. Commonalities within these groups will allow for the classification of traits responsible for opening the exploited vulnerability. Once such traits were identified, they were used to create a profile describing what sort of chromosome is vulnerable to that exploit. Chromosomes matching that profile were no longer allowed into the population. This approach has the added benefit of aiding in the understanding of why the system created certain kinds of configurations and not others, providing clues to help understand the exploit used against the managed computers. A prototype system making use of these strategies was developed. Experimentation has shown that, for small numbers of attacks per generation, it was often successful in creating a new generation of chromosomes which is immune to the attacks from the previous generation. These results demonstrated that this technique has merit for improving computer security and providing greater understanding of the cyber security landscape.