NATO VM3D Conference at Defense Research Establishment Valcartier
Defensive Information Warfare Branch, Air Force Research Lab, Rome Research Site (AFRL/IFGB)
Presented By: Chet Maciag, DIW In-house Program Manager
8 June 00
Application Domain: Information Warfare
“...information warfare is about the way humans think and, more importantly, the way humans make decisions. The target of information warfare, then, is the human...”
– Prof George Stein, Air War College
Definition - U.S. (Information Warfare and Information Assurance)
“…information operations conducted to defend one’s own information and information systems or attacking and affecting an adversary’s information and information systems.” (AFDD 2-5)
• Information Assurance -
– Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. Information assurance includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (DODD S-3600.1)
Information Assurance Operational Needs
• Provide commanders the capability to defend information flows required to execute assigned missions in both peacetime and crisis/contingency
– 365-day-a-year Information Assurance for daily operations and business at all levels
– Integrate Information Assurance into AFFOR/JFACC planning & execution
Dynamic Battle Control Concept
[Diagram: Defend networks in support of mission critical information flows among Sensors, Shooters, Networks and C2. Caption: Coordinate Information Operations with the ATO and the battlefield situation to provide Airpower and Cyberpower to meet the current situation.]
Moonlight Maze: “Russian Hackers Steal US Weapons Secrets”
“American officials believe Russia may have stolen some of the
nation's most sensitive military secrets, including weapons
guidance systems and naval intelligence codes, in a concerted
espionage offensive that investigators have called operation
Moonlight Maze.
This was so sophisticated and well coordinated that security experts trying to build ramparts against further incursions believe
America may be losing the world's first ‘cyber war’.”
25 July 1999, London Sunday Times
(Interview with Mr. John Hamre, Deputy Secretary of Defense)
EPIC’s Defensive Information Warfare (DIW) Components
[Diagram: EPIC components Protect, Detect and React/Restore]
• Protect: Defining the operational computing environment as it exists physically, logically and procedurally. Determine configuration change, site policy violations, and susceptibilities.
• Detect: Identifying deviations from normal operational states in the enterprise in real time and predictively from network, computer, and open-source indicators.
• React / Restore: Techniques and methods that might be employed to thwart malicious activity, recover lost data, and gather evidence for possible legal action or Information Operations against the parties involved.
AIDE: Depth in Detection. AFED: AIDE + Protect & React.
Defensive Information Warfare ITTP: Planning, Awareness and Decision Support Technology
Objective
• Develop and demonstrate Defensive Information Operations Planning Tools, Cyberspace Situational Awareness, Cyberspace Visualization, and Information Assurance Decision Support Tools for Course-of-Action Planning
Payoffs
• Equips JFACC/AFFOR organizations for theater network defense
• Identifies & prioritizes info assets critical to current operations
• Provides situation awareness across theater, reachback, and garrison networks
• Provides Attack Warning & Assessment, sensor cueing
• Automatically tasks or executes defensive actions, assesses & reports damage
Approach
• Automated Intrusion Detection Environment ACTD
• Extensible Prototype for Information Command & Control (EPIC2) (in-house)
• Global Information Assurance Decision Support System (GIADSS) ATD
• Air Force Enterprise Defense (6.3b)
• Defensive Information Operations Planning Tool
• Cyber Command and Control (new DARPA initiative)
• Large Scale Intrusion Assessment (new DARPA initiative)
• Process control techniques for system modeling
Coalition Defense-in-Depth Collaboration
• Objective
– Share network security event data relevant to coalition partners
– Utilize partner sensors for coalition-centric concerns
– Supply technology elements to other frameworks (e.g., visualization methods, additional sensors, security fusion agents)
– Focuses on interoperability of partner network security commands while retaining sovereignty of country-specific assets
• Payoff
– Provides Global Situation Assessment of Coalition Enterprise
– Allows Indications and Warnings to take place beyond National boundaries
• Participants/Technology
– Australia: Shapes Vector
– Canada: Ironman
– United States: EPIC/EPIC2/AIDE
– United Kingdom: Intrusion Detection Algorithms
• Future Activities
– ID Event Sharing Demonstration 2QCY00
– IA Event Interchange Demonstration 2QCY01
– Common Coalition IA Picture 4QCY02
[Diagram: Coalition Information Infrastructure Components. Australian, Canadian and U.S. Operations Centers connect over a Coalition Wide Area Network to a Coalition Operations Center. Each center holds Sensors, Encryption, Knowledge Bases, Bridges, Shared Agents, an Event Database and Data Exchangers, feeding a Coalition Network Security Event/Vulnerability Database.]
TTCP TP-11 Year One Demonstration Accomplishments
• Successful exchange of intrusion event data between Australian Shapes-Vector and AFRL’s EPIC2 prototypes
• Interoperability with coalition partners in sharing IA event data
• Disparate systems
– Same goals - visualization of ID events, but…
– Differing approaches to correlation/understanding
– Differing approaches to info gathering & categorization
[Diagram: Event Exchange between EPIC2 (Visualization, DB/Expert System, COTS Sensors) and Shapes-Vector (Visualisation, Ontology/KB, Specialized Agents, Intrusion Detection)]
Integrated Technology Thrust Program Partners
AFRL/IF & AFRL/HE Core Technologies
AFRL/IFS:
• DataWall
• Mobile, Scalable, Adaptive Systems
• Component-based Architectures
• Computer Supported Collaborative Work
AFRL/IFG:
• Information Attack Mitigation
• Intrusion/Malicious Code Detection
• Multilevel Security
• Network Management & Control
AFRL/HEC:
Cognitive Displays
• CSE tools/methods/metrics
• User modeling
• Information visualization
User/System Interfaces
• Speech recognition/generation
• 3-D audio
[Diagram: the DIW ITTP, CACC ITTP and MCCAT programs draw on these core technologies]
Air Force Enterprise Defense Objectives
• Develop the next-generation Enterprise Defense Framework for AF MAJCOMs and Aerospace Expeditionary Forces (AEF)
– Situational Assessment & Decision Support
• Improve the Network Defender information overload problem
• Provide a consistent visual environment for information portrayal
• Fuse Information Assurance (IA) and Network Management data into a Common Enterprise Picture (CEP)
• Empower the MAJCOM to validate and influence present and future technology so it is suitable for transition into NMS/BIP and other acquisition programs
AFED Technology Insertion for NOSC/NCC
• Protect systems
– Automated vulnerability/threat detection with countermeasure recommendations
– Automated policy/configuration monitoring & change detection
• Detect IW attacks in progress
– Fuse heterogeneous ID sensor data via AIDE ACTD
  • Integrates ASIM 3.0/CIDDS
– Apply knowledge base & advanced algorithms to enterprise susceptibilities, site policies, and ID data to reduce “false positives”
– Correlate with protection data to improve event prioritization and reduce workload
• Assess impact of IW attack on mission critical systems
– Automated INFOCON level determination and recommendations
– Mission/Situational Assessment resulting from information attacks
– Provide Course Of Action (COA) response planning
  • Maintains mission critical functions without degradation (Network, configuration, QoS analysis)
AFED Technology Insertion for NOSC/NCC (continued)
• Automated incident/trouble ticket reporting to reduce operator workload
– (e.g. AFCERT, MAJCOM NOSC, Local ARS, TC2CC)
• Common Enterprise Picture for Network Management and IA Situational Awareness
– Visual Basic prototype for task analysis feedback
– Implement with intuitive thin-client tools (e.g. Web)
– AFRL/HE designing state-of-the-art interface for final demonstration spiral
AFRL/IF Cooperation with Government and Industry
• Government/FFRDC’s
– AFRL/HECA: Information Portrayal Expertise, Crew Task Analysis
– AFRL/IFS: Master Caution Panel
– AFIWC: CSAP21, MOA
– ESC/DIW - AIA - AC2ISRC: AFED Tech Transition into IAEDS POM
– ESC/DIG: NMS-BIP tech transition for AFED
– AF MAJCOMS: AFED Initiative Participation
– OSD/DISA: AIDE ACTD, IMDS
– DARPA: Leverage over $100M/year 6.2 Technology
– NSA-ARL/TX: Self-Learning Knowledge Algorithms
– CECOM: EPIC Transition to ISYSCON
– MITRE: Lighthouse, Common Vulnerabilities and Exposures (CVE)
• Industry
– Secure Computing Corp: Sidewinder Firewall Integration (Real-time Alerts, Dynamic Reconfiguration, Mediated DB Access)
– Applied Visions Incorporated: SBIR/Collaboration to evolve 3D COTS visualization
– Netsquared: Developed network sensor with concept of “session”. State machine reduces false alarms in pattern matches.
– MountainWave: SBIR to develop Common Enterprise Picture (Network Management & IA)
– Syracuse Research Corporation: Threat, Vulnerabilities & Countermeasures DB integration
– ITT: CRDA pursued to provide technology training in support of a transitioned/fielded prototype capability
– Motorola: CRDA pursued in joint exploration of innovative visualization capabilities
AFED Utilities
[Diagram of AFED utility components: Policy Enforcement (CMU); Visualization/Control (RT GUI, Web, AVI); Forensics (FACS); Decision Support/COA (Low Level: NetFlare; High Level: TBD); Reporting (Incident Report, ARS, Hierarchy); Host Based Agents (Lighthouse, DAWIF); Intrusion Detection on remote hosts, potentially preprocessed by CIDDs (Sidewinder, Raptor, ASIM/CIDD, NetRadar, JIDS, ITA, Real Secure, Cisco NetRanger); Automated Vulnerability Assessment / Advanced Intrusion Detection (ISS, TVC, BottleNeck, Emerald); Potential IAEDS Components; AFED Trend DB and AFED/AIDE RT DB; Automated Intrusion Response (Sidewinder, IMDS, Cisco); Web Server and App Servers exchanging DB data (via Web and direct), Cmd/Config and other data; Bridge; Correlation/Data Mining (AIDE, NEDAA).]
EPIC Integration Architecture
[Diagram: Existing Enterprise Sensors/Feeds (Inputs & Outputs; COTS & GOTS) for Host/Network Intrusion Detection, Vulnerabilities/Risk Analysis, Network/Link Management, Open Source (DNS, Whois) and Network Control (Firewalls, Routers) connect through Software Bridges (< 100 lines of code) to an Oracle Database providing Normalization, Correlation & Data Storage (Schema/Tables, Access Policies, Peer-to-Peer Sharing). Algorithms/KB: Data Reduction, Fusion, Correlation, Data Mining, Trend Analysis, Knowledge Base, Advanced Intrusion Detection. Analyst/Organization Rules: Security Policies, Complex Attack Methodologies, INFOCON Rules (ALPHA, BRAVO, CHARLIE, DELTA), Reporting Rules, Courses of Action. Outputs: Visualization (Analysts GUI Screens, System Operation/Control via WEB), Reporting, Action/Protection (Preemptive Measures & Courses of Action), Information Operations, Enterprise Management, Situational Assessment.]
System Attribute Visualization
• e.g. Mapping Network Components to Vulnerabilities
System Constraint Visualization (Policy Enforcement)
• e.g. Policy Violations by Multiple Components
• VRML 2.0 with behaviours and external interfaces
Notional IA COP
[Diagram: notional Information Assurance Common Operational Picture on a GCCS display (banner: This medium is classified SECRET, US Government property). Panels: DII INFOCON, Red Team, CINCs (EUCOM, SPACECOM, STRATCOM, TRANSCOM, SOCOM, SOUTHCOM, PACOM, ACOM, CENTCOM), CYBERWATCH, Intel (INTELLINK, NSIRC, MID, WATCHCON, NMCC), Navy Network Vigilance, Mission Critical Systems (GCCS, JOPES, Logistics, GTN, Personnel, SIPRNET, NIPRNET), Tools. Layered view: Mission Critical Applications, Net Services Layer, Sensor Grid Layer (Non-Intrusive, Intrusive), Network (IP Routing) Layer (NIPRNET, SIPRNET, Other), Physical/Circuit Layer (Terrestrial, Space, RF). Processes: Identify, Inform, Respond, Assess. Annotations on the final build: SIPRNET Congestion, JOPES, IDNX Switch at the Physical/Circuit Layer.]
What should this look like?
What does a CinC/JTF Commander want?
What does a CinC/JTF Commander need?
IA Architecture Vision
[Diagram: tiered IA Situational Awareness and Decision Support System. Local Enclaves (Base, Station, Post) with Host Level Monitoring and Network Level Monitoring (Intrusion Detection) sensors report to Regional centers, which report to a Global center that ensures consistent technology and reporting, consistent thresholds, and Global IA Situational Awareness. Example regional alert: “ALERT! We are seeing multiple attacks using similar exploitation techniques! Correlate and report to Global Ctr”.]
Advanced Crew System Interfaces for Information Operations Center (IOC)
Potential Problems for Fusion Engines to Solve
• Problem: Identifying low, slow mapping and probing attempts
– Issues: Sensor data grows quickly and is difficult to store; problems with storage and retrieval
– Current plan: utilize a trend database that saves suspicious events and compresses other data
• Problem: Acquiring knowledge from domain experts for data analysis
– Issues: Some data gathering has been done but data is not readily available
• Problem: Data correlation (between sensors and events) in real time to identify attacks and reduce false alarms
– Issues: Throughput (for real-time operation) is the biggest problem
– Current plan: Implement “rule” in native code
• Problem: Goal seeking to determine the intent (or goal) of an attack
– Issues: Need a flexible, backward-chaining capability
• Problem: Need rule/filter deconfliction between components
– Issues: Need to ensure that all filtering/rules do not conflict with each other and that a filter does not block data needed by a rule
• Problem: Data mining to identify new attack signatures
• Problem: Modification of KB knowledge space by non-KB experts
• Problem: Threat profile/identification extrapolation
• Problem: Machine learning algorithms that enable the system to anticipate analysts’ “next move”
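As an added illustration of the trend-database plan for the first problem above (example code written here, not code from the EPIC or AFED programs), the Python below keeps sensor-flagged events verbatim, compresses everything else into per-source hourly counters and distinct-target sets, and then looks for sources that touch many targets over a long span at a rate too low to trip any per-event threshold. The event fields, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int           # seconds since epoch (constructed sample values)
    src: str
    dst: str
    dport: int
    suspicious: bool  # flag set by the reporting sensor (assumed field)

class TrendDB:
    """Keeps flagged events whole; compresses the rest into per-hour counters."""
    def __init__(self, bucket=3600):
        self.bucket = bucket
        self.raw = []                    # sensor-flagged events, stored verbatim
        self.counts = defaultdict(int)   # (src, hour bucket) -> event count
        self.targets = defaultdict(set)  # src -> {(dst, dport)}
        self.first_seen = {}
        self.last_seen = {}

    def ingest(self, ev):
        if ev.suspicious:
            self.raw.append(ev)
        self.counts[(ev.src, ev.ts // self.bucket)] += 1
        self.targets[ev.src].add((ev.dst, ev.dport))
        self.first_seen.setdefault(ev.src, ev.ts)
        self.last_seen[ev.src] = ev.ts

    def low_slow_sources(self, min_targets=10, min_span=6 * 3600, max_rate=5):
        """Sources touching many targets over a long span, never busy in any hour."""
        hits = []
        for src, tg in self.targets.items():
            span = self.last_seen[src] - self.first_seen[src]
            peak = max(c for (s, _), c in self.counts.items() if s == src)
            if len(tg) >= min_targets and span >= min_span and peak <= max_rate:
                hits.append(src)
        return sorted(hits)

def constructed_sample():
    """Constructed events: a busy legitimate client, a low-and-slow prober, one flagged event."""
    evs = [Event(1000 + i, "10.0.0.5", "10.0.1.10", 443, False) for i in range(200)]
    # prober: a new host/port every 45 minutes for roughly 12 hours
    evs += [Event(1000 + i * 2700, "192.0.2.77", f"10.0.1.{20 + i}", 20 + i, False)
            for i in range(16)]
    evs.append(Event(5000, "198.51.100.9", "10.0.1.10", 22, True))
    return evs

def build_demo_db():
    db = TrendDB()
    for ev in constructed_sample():
        db.ingest(ev)
    return db

if __name__ == "__main__":
    db = build_demo_db()
    print("low and slow sources:", db.low_slow_sources())
```

The 200-event client compresses to a single counter row while the prober, whose per-hour rate never exceeds two, is still surfaced by its distinct-target count and span.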
Technology Assessment
Current R&D
• User Modeling
– Information Needs Modeling
– Dialog Management
• Heterogeneous Data Integration & Fusion
• Intelligent Push Technology
• Uncertainty Portrayal
• Pedigree Capture & Source Characterization
• Mixed-Initiative Systems
• Conversational Querying
• Drill down
New Development
• Capturing User Intent/Intent Inferencing
• User-Centric Relevance Measures
• Information Life Cycle
COTS/GOTS
• Speech recognition
• Large screen displays
• Multi-media integration
• Graphics processing chips
• Scientific data visualization
• CSCW tools (whiteboards, VTC, etc.)
Adapted from: AFSAB 1998 report, “Information Management to Support the Warrior” and Information Ops TPIPT
Elicitation + Representation + Portrayal + Interaction
• Functional: examine goals & structural features
• Cognitive: identify the cognitively demanding aspects of decision makers’ tasks
• Analyze work domain constraints & task context
• Supports team decision making and coordination
• Supports software design (to include visualization)
[Diagram: the right information at the right time, disseminated in the right way, displayed in the right way, to do the right things at the right time in the right way. To achieve this, you must understand the Information Space, the Decision Space, the Cognitive Space, the Task Space, the System Space, the Physical Space, the Group Space and the Personnel Space.]
Machine Learning Algorithms for Auto-Refining Visualisations
• Dynamic IO Field
– ROE, CONOPS
• Rapidly Evolving Technology
– Standards, Processing Power
• Knowledge elicitation can fail to improve visualization
– Users tend to think only in terms of current process/technology
– Cannot specify what they want until they see it
• Balance expeditious acquisition with due diligence in knowledge elicitation
• The “My Yahoo”(.com) concept
– Custom visualizations
– Customizable visualizations
• Self-arranging menus & drill-downs based on analyst use