1 INTRUSION TOLERANT SYSTEMS KICK-OFF MEETING Overview of Information Assurance & Survivability Programs 3 August 1999 Jaynarayan H. Lala ITS Project Manager Information Systems Office 5 Jul 99


1

INTRUSION TOLERANT SYSTEMS KICK-OFF MEETING

Overview of Information Assurance & Survivability Programs

3 August 1999

Jaynarayan H. Lala, ITS Project Manager

Information Systems Office, 5 Jul 99

2

Challenging questions: Commander's attack triage questions

Am I under attack?

What is the nature of the attack? Class, mechanism, from where?

What is mission impact? Urgency, damage assessment & control, initial response

When did attack start? Follow-on damage assessment, what have I done wrong?

Who is attacking? What are they trying to do, what is their next step?

What can I do about it? Course of action analysis, collateral damage risk, reversibility of action

Can I survive the attack? Long term solution

Currently, we are Blind and Powerless at all echelons.

3

Information Assurance Science & Engineering

(Program map diagram; labels recovered from the figure:)

Defensive Mechanisms
Strategic cyber defense - a map history
Information Assurance Base Program - Composable Trust
Trustworthy Systems
Science & Engineering Tools
NSA Crypto
Cyber Command & Control
Cyber Situation Awareness
Cyber Defense Strategy
Cyber Sensors & Exploitation
Information Survivability
Survivable Dynamic Coalitions
Intrusion Tolerant Systems & Networks
Strategic Intrusion Assessment
Autonomic Information Assurance

4

Information Assurance & Survivability Overview

(Program roadmap chart; recoverable labels only: timeline 1999 2000 2001 2002 2003 2004 2005; swim lanes Science, Command & Control, Action Fabric)

5

Autonomic Information Assurance (AIA)

• Control systems for directing adaptive defense
• Modeling is imperative

(Control-loop diagram; block labels recovered from the figure: Attack, System, State Estimation, State Projection, Multidimensional Policy, Policy Specification, Policy Projection, Correction Function, Algorithms, Actuators)

6

Cyber Command and Control (CC2)

(Diagram layers recovered from the figure: Networks and Hosts; Applications and Information; Decisions; Kinetic actions)

Information is the foundation on which we fight, yet...
We are BLIND to the information situation
We are POWERLESS to defend it

• Develop effective IA visualization frameworks
• Model information flow and mission dependencies
• Assess damage to own information and functions
• Fuse external situation and system state information
• Identify information gaps and task cyber sensors
• Infer and project adversary intent
• Develop mission-based utility models
• Construct IA tactics and strategies from mechanisms
• Isolate new attack mechanisms and create countermeasures
• Determine possible plans and game out against adversary moves
• Model IA behavior with adaptive and autonomous elements
• Execute courses of action conditioned on monitoring of outcomes

7

Cyber command and control rationale

Traditional C2 domains (intuitive) | Cyber C2 domain (not intuitive)

• Kinetic munitions effects are well understood | Nonlinear effects (e.g., area/sphere of influence, persistence, "yield")

• Interdependencies generally understood | Complexities of information use complicate interdependency issues

• 3D mission space | Multi-dimensional mission space

• Most attacks exist at perceptible speeds | Attacks may aggregate too slowly to be perceived, while others occur in milliseconds

• Most attacks have physical manifestations | Often no physical manifestations until it is too late

• Overrun & compromise easily detectable | Compromise may not be detected at all

8

Strategic Intrusion Assessment (SIA)

Detector Coordination
• Build on CIDF to allow sharing of events and analysis
• Exploit global information at local detector
• Filter false alarms, focus local detection

Correlation & Inference
• Algorithms to correlate and analyze sensor information
• Automated planning techniques to track attack
• Hypothesize adversary goals and predict actions

Attack Forensics
• Evidence Collection

Damage Determination
• Exploit automated learning techniques for damage assessment

Goal: Discern and assess coordinated attacks from analysis of observed/reported activities, enabling response at appropriate level - autonomic or human command & control - through a reporting hierarchy:

International/Allied Reporting Centers
National Reporting Centers
DoD Reporting Centers
Regional Reporting Centers (CERTs)
Organizational Security Centers
Local Intrusion Detectors
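The SIA slide describes correlating reports from local detectors at a higher reporting centre to discern coordinated activity, then feeding that global picture back so a local detector can filter lone alarms and focus on what matters. The following is an added example of that loop, not code from the original briefing or any DARPA program: the alert records, site names and RFC 5737 source addresses are constructed, and the "densest sliding window" rule for deciding that a source is coordinated across sites is an assumption chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample reports from local intrusion detectors at several
# hypothetical organisations. Source addresses are RFC 5737 documentation
# ranges; nothing here is real telemetry.
SAMPLE_ALERTS = [
    {"site": "org-A", "time": "1999-08-03T09:00:00", "src": "192.0.2.10", "sig": "port-scan"},
    {"site": "org-A", "time": "1999-08-03T09:05:00", "src": "192.0.2.10", "sig": "port-scan"},
    {"site": "org-B", "time": "1999-08-03T09:12:00", "src": "192.0.2.10", "sig": "port-scan"},
    {"site": "org-C", "time": "1999-08-03T09:20:00", "src": "192.0.2.10", "sig": "login-failure"},
    {"site": "org-A", "time": "1999-08-03T09:30:00", "src": "203.0.113.5", "sig": "port-scan"},
    {"site": "org-B", "time": "1999-08-03T11:00:00", "src": "198.51.100.7", "sig": "port-scan"},
    {"site": "org-D", "time": "1999-08-03T14:00:00", "src": "192.0.2.10", "sig": "port-scan"},
]


def _parse(alert):
    """Return a copy of the alert with its timestamp as a datetime."""
    parsed = dict(alert)
    parsed["time"] = datetime.fromisoformat(alert["time"])
    return parsed


def correlate(alerts, min_sites=2, window=timedelta(hours=1)):
    """Group alerts by source address and report every source that was seen at
    min_sites or more distinct organisations within one sliding window.

    Returns {source: sorted list of sites in the densest window}.
    """
    by_src = defaultdict(list)
    for alert in map(_parse, alerts):
        by_src[alert["src"]].append(alert)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda a: a["time"])
        best_sites = set()
        # Slide a window that starts at each event in turn and collect the
        # distinct sites reporting that source inside it.
        for i, first in enumerate(events):
            sites = set()
            for event in events[i:]:
                if event["time"] - first["time"] > window:
                    break
                sites.add(event["site"])
            if len(sites) > len(best_sites):
                best_sites = sites
        if len(best_sites) >= min_sites:
            findings[src] = sorted(best_sites)
    return findings


def local_priority(alert, findings):
    """Feed the global picture back to a local detector: an alert whose source
    is part of a multi-site pattern is escalated; a lone single-site alert is
    handled locally and may well be a false alarm."""
    return "escalate" if alert["src"] in findings else "local-only"


if __name__ == "__main__":
    coordinated = correlate(SAMPLE_ALERTS)
    print(coordinated)
    for alert in SAMPLE_ALERTS:
        print(alert["site"], alert["src"], local_priority(alert, coordinated))
```

With the constructed data, 192.0.2.10 is reported by three organisations within one hour and is flagged as coordinated, while the two sources seen at a single site are left for local handling. Widening the window to six hours pulls the later org-D report into the same pattern, which is the trade-off the slide's "attacks may aggregate too slowly to be perceived" point is about: a short window misses slow campaigns, a long one merges unrelated activity.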

9

IA Science & Engineering Tools (IASET)

We don't understand the science of IA in systems.

Math & models
  Problem area definition:
  • new ways to calculate and model IA relationships
  • model where no closed solution
  • logic, reasoning, IA bounds
  • need decision points, transformations, visualizations
  Approach:
  • primarily utilize metrics & cyberscience discoveries
  • develop cyber-real space transforms for AIA & CC2
  • e.g., develop stochastic model for worm behavior on network

Cyberscience
  Problem area definition:
  • IA equivalents to physics, geometry, biology, etc.
  • consider convergence of existing sciences to develop new
  • information theory, risk analysis, attack graphs, causality
  Approach:
  • survey existing related IA research
  • identify candidate dark spaces in IA; apply existing science
  • e.g., trust modeling could use majority encryption techniques

IA metrics
  Problem area definition:
  • for design, assessment, operations, test
  • no process for creating IA metrics, methods for using them
  • no unified understanding, no consistent measures for design
  Approach:
  • create IA metric ontology
  • create methodology for generating and using IA metrics
  • generate benchmarks for qualitative metric comparison
  • hold experiments to validate

10

IA Science & Engineering Tools (IASET)

We don't know how to design and assess IA in systems.

Common environment
  Problem area definition:
  • to model system and implicit IA knowledge of designers
  • maintain and distribute wisdom gained - don't repeat mistakes
  • change fundamental approach to IA design and assessment
  Approach:
  • publish IA design/assess high-level ontology & methodology
  • identify then select mechanics for software integration platform
  • demonstrate environment with real programs, DARPA & others

Methods
  Problem area definition:
  • create science-based, reliable ways to approach IA design and assessment
  • develop, demonstrate, utilize IA measures, risk, red teaming, IA specification and testing
  Approach:
  • survey existing tools, adopt complete methods, adapt others
  • combine in self-consistent library of methods for IA
  • experiment to validate; modify to improve; transition to users

Tools
  Problem area definition:
  • identify and develop "IA CAD" software (databases, models, taxonomies, etc.)
  • capture and apply wisdom
  • make CAD for trust, complexity issues, composition rules
  Approach:
  • identify existing tools, make science-based
  • create common ontology for interaction between tools
  • e.g., risk assessment cost trade off to help make decisions

11

INTRUSION TOLERANT SYSTEMS

Premise
• Attacks will happen; some will be successful
• Attacks may be coordinated across multiple sites

Hypothesis
• Attacks can be detected, contained, and tolerated, enabling continued correct progress of mission critical applications

12

INTRUSION TOLERANT SYSTEMS

Programmatic/Technical Approach
• Identify processing system and network vulnerabilities
• Develop innovative technologies to solve well-defined portion of vulnerabilities
• Apply systems engineering discipline rigorously
• Borrow heavily from practices and principles used successfully to engineer fault tolerant computers for mission- and life-critical applications
• Support DARPA's Strategic Cyber Defense vision
• Transition to commercial practice

13

INTRUSION TOLERANT SYSTEMS

Definition: An intrusion tolerant system is one that can continue to function correctly and provide the intended services to the user in a timely manner even in the face of an attack.

Goal: To conceive, design, develop, implement, demonstrate, and validate tools and techniques that would allow fielding of intrusion tolerant systems.
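The definition above, together with the approach slide's intent to borrow from fault tolerant computer engineering, is easiest to see in the classic redundancy-and-voting pattern: run the service on several independent replicas, return the majority answer, and take a replica whose answer diverges out of service. The code below is an added illustration written for this page, not a design from the ITS program or the briefing; the service function, the replica names and the "compromised replica" that corrupts its output for even inputs are all constructed.

```python
from collections import Counter


def honest_replica(x):
    """The service function every replica is supposed to compute."""
    return x * x + 1


def compromised_replica(x):
    """Constructed stand-in for a replica an intruder has subverted: it
    silently corrupts the result for even inputs."""
    return honest_replica(x) if x % 2 else -1


class IntrusionTolerantService:
    """Masks an intrusion in a minority of replicas by majority vote and
    contains a replica whose output diverges from the majority by taking it
    out of service. Correctness holds only while fewer than half of the
    active replicas are compromised, so the redundancy budget is finite and
    replicas should be diverse enough not to fall to the same attack."""

    MIN_ACTIVE = 3  # fewest replicas that can still out-vote one bad one

    def __init__(self, replicas):
        self.replicas = dict(replicas)   # name -> callable
        self.quarantined = set()

    def call(self, x):
        active = {n: r for n, r in self.replicas.items() if n not in self.quarantined}
        if len(active) < self.MIN_ACTIVE:
            raise RuntimeError("too few healthy replicas left to mask an intrusion")
        results = {n: r(x) for n, r in active.items()}
        value, votes = Counter(results.values()).most_common(1)[0]
        if votes * 2 <= len(results):
            # No strict majority: the result cannot be trusted. Refuse rather
            # than hand back a value an attacker may have chosen.
            raise RuntimeError("no majority among replicas; result withheld")
        dissenters = {n for n, v in results.items() if v != value}
        self.quarantined |= dissenters   # containment step
        return value, dissenters


def demo():
    """Run two requests through a service with one subverted replica and
    return (first result, second result, quarantined replicas)."""
    svc = IntrusionTolerantService({
        "r1": honest_replica, "r2": honest_replica,
        "r3": honest_replica, "r4": compromised_replica,
    })
    first = svc.call(2)    # r4 lies; majority still yields 5 and r4 is quarantined
    second = svc.call(4)   # served correctly by the three remaining replicas
    return first, second, set(svc.quarantined)


if __name__ == "__main__":
    print(demo())
```

The first request is answered correctly even though one replica has been subverted, and the dissenting replica is contained; the second request is served by the remaining healthy replicas, so the mission-critical caller never sees the intrusion. The limit is equally visible: with two compromised replicas out of three the same voter would return the corrupted value, and a third quarantine would leave too few replicas to vote at all. That is why the definition speaks of tolerating an attack rather than surviving any attack.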