Misconfigurations in cyber elements such as applications, devices, hosts, firewalls, and networks could cause grave damages by exposing private data, allowing breaches, and facilitating attacks. LGS Innovations and Vanderbilt University propose SOCCER, a Secure Optimal Configurator with Cross-Component Examination and Reasoning, to remedy misconfigurations and improve defensive cyber operations. SOCCER uses artificial intelligence (AI)-aligned machine reasoning to automatically generate human-traceable configurations that satisfy security policies and minimize attack surfaces while achieving system functional and performance requirements.
SOCCER’s approach comprises the following steps: 1) build and maintain real-time situational understanding (SU) and operational contexts of the target system using machine learning; 2) use domain specific modeling languages (DSML) to model the target system or network based on our SU. Specify and incorporate the target’s attack surfaces, configuration space (sets of all possible configurations, e.g., the personal data access settings on a server), functional requirements, as well as security policies and metrics as logical overlays into the model; 3) automatically solve the model mathematically to explore and prune the potentially large configuration space using constraints (i.e. configurations that do not pass constraints are discarded or constraints are relaxed) to arrive at a manageable number of feasible target system configurations; 4) evaluate the post-pruning feasible configurations using Pareto Efficiency to select optimal candidates that simultaneously minimize attack surfaces, satisfy system functional requirements, and achieve security metrics defined by policies; 5) use back annotation to mark up the analyzed models so as to explain to the human operators why the configurations were chosen, thereby providing confidence and trust in our automatic solutions; 6) generate and implement on the target system the secure configurations by auto-selecting the optimal configuration candidates.
For Step 1, we propose to scan and survey the target system periodically to build and track awareness including network topologies and the constituent devices and hosts. We apply natural language processing (NLP) to continually extract knowledge on attack surfaces from external vulnerability knowledge-bases such as Cyber Vulnerability Enumeration (CVE) and Common Weakness Enumeration (CWE) and apply it to our target system. Additionally, we propose to use machine learning (both support vector and deep learning techniques) to identify and prioritize for protection, the high value target system nodes, using labeled samples, network conditions, usage patterns, and topological changes. For Step 2, we propose to use Vanderbilt’s DARPA-proven Generic Modeling Environment (GME) tool to model and analyze the target as a composed system, as well as represent human operator behaviors as business process models (BPM). For Step 3, we propose to apply automatic constraint-guided design space exploration techniques to provide computationally efficient inference without enumerating all possible configurations. For Step 4, we propose to treat configuration selection as a multi-objective optimization problem in which we use Satisfiability Modulo Theories (SMT) solvers to reason over the post-pruning space and identify Pareto-optimal solutions that are optimized against attack surfaces, security metrics, and functional requirements.
We envision SOCCER providing a long-needed critical capability that uses modeling and machine-based reasoning to securely configure cyber systems and enable their autonomous defense.