NATO VM3D Conference
at Defense Research Establishment Valcartier

Defensive Information Warfare Branch
Air Force Research Lab, Rome Research Site (AFRL/IFGB)

Presented By: Chet Maciag
DIW In-house Program Manager
8 June 00


Application Domain: Information Warfare

“...information warfare is about the way humans think and, more importantly, the way humans make decisions. The target of information warfare, then, is the human...”

– Prof George Stein, Air War College

Definition - U.S. (Information Warfare and Information Assurance)

• Information Warfare -
  – “…information operations conducted to defend one’s own information and information systems or attacking and affecting an adversary’s information and information systems.” (AFDD 2-5)

• Information Assurance -
  – Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. Information assurance includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (DODD S-3600.1)

Information Assurance Operational Needs

• Provide commanders the capability to defend information flows required to execute assigned missions in both peacetime and crisis/contingency
  – 365-day-a-year Information Assurance for daily operations and business at all levels
  – Integrate Information Assurance into AFFOR/JFACC planning & execution

Dynamic Battle Control Concept

[Diagram: defend networks in support of mission critical information flows among Sensors, Shooters, Networks and C2.]

Coordinate Information Operations with the ATO and the battlefield situation to provide Airpower and Cyberpower to meet the current situation

Analogous State of Art in IA

Moonlight Maze: “Russian Hackers Steal US Weapons Secrets”

“American officials believe Russia may have stolen some of the nation's most sensitive military secrets, including weapons guidance systems and naval intelligence codes, in a concerted espionage offensive that investigators have called operation Moonlight Maze. This was so sophisticated and well coordinated that security experts trying to build ramparts against further incursions believe America may be losing the world's first ‘cyber war’.”

25 July 1999, London Sunday Times

(Interview with Mr. John Hamre, Deputy Secretary of Defense)

EPIC’s Defensive Information Warfare (DIW) Components

EPIC

• Protect – Defining the operational computing environment as it exists physically, logically and procedurally. Determine configuration change, site policy violations, and susceptibilities.

• Detect – Identifying deviations from normal operational states in the enterprise in real time and predictively from network, computer, and open-source indicators.

• React / Restore – Techniques and methods that might be employed to thwart malicious activity, recover lost data, and gather evidence for possible legal action or Information Operations against the parties involved.

AIDE: Depth in Detection
AFED: AIDE + Protect & React

Defensive Information Warfare ITTP: Planning, Awareness and Decision Support Technology

Objective
• Develop and demonstrate Defensive Information Operations Planning Tools, Cyberspace Situational Awareness, Cyberspace Visualization, and Information Assurance Decision Support Tools for Course-of-Action Planning

Payoffs
• Equips JFACC/AFFOR organizations for theater network defense
• Identifies & prioritizes info assets critical to current operations
• Provides situation awareness across theater, reachback, and garrison networks
• Provides Attack Warning & Assessment, sensor cueing
• Automatically tasks or executes defensive actions, assesses & reports damage

Approach
• Automated Intrusion Detection Environment ACTD
• Extensible Prototype for Information Command & Control (EPIC2) (in-house)
• Global Information Assurance Decision Support System (GIADSS) ATD
• Air Force Enterprise Defense (6.3b)
• Defensive Information Operations Planning Tool
• Cyber Command and Control (new DARPA initiative)
• Large Scale Intrusion Assessment (new DARPA initiative)
• Process control techniques for system modeling

Coalition Defense-in-Depth Collaboration

• Objective
  – Share network security event data relevant to coalition partners
  – Utilize partner sensors for coalition-centric concerns
  – Supply technology elements to other frameworks (e.g., visualization methods, additional sensors, security fusion agents)
  – Focuses on interoperability of partner network security commands while retaining sovereignty of country-specific assets

• Payoff
  – Provides Global Situation Assessment of Coalition Enterprise
  – Allows Indications and Warnings to take place beyond National boundaries

• Participants/Technology
  – Australia: Shapes Vector
  – Canada: Ironman
  – United States: EPIC/EPIC2/AIDE
  – United Kingdom: Intrusion Detection Algorithms

• Future Activities
  – ID Event Sharing Demonstration 2QCY00
  – IA Event Interchange Demonstration 2QCY01
  – Common Coalition IA Picture 4QCY02

[Diagram: Australian Operations Center, Canadian Operations Center and U.S. Operations Center (Australia, Canada, U.S.) joined over a Coalition Wide Area Network through Knowledge Bases, Bridges, Shared Agents, Event Database and Data Exchangers, each site with its own Sensors and Encryption. Coalition Information Infrastructure Components: a Coalition Operations Center hosting the Coalition Network Security Event/Vulnerability Database, with Sensors and Encryption.]

TTCP TP-11 Year One Demonstration Accomplishments

Successful exchange of intrusion event data between Australian Shapes-Vector and AFRL’s EPIC2 prototypes

Interoperability with coalition partners in sharing IA event data

Disparate systems
• Same Goals - Visualization of ID Events, but….
• Differing approaches to Correlation/Understanding
• Differing approaches to Info Gathering & Categorization

[Diagram: EPIC2 (Visualization, DB/Expert Sys, COTS Sensors) and Shapes-Vector (Visualisation, Ontology/KB, Specialized Agents, Intrusion Detection) linked by Event Exchange.]

Integrated Technology Thrust Program Partners

AFRL/IF & AFRL/HE Core Technologies

AFRL/IFS:
• DataWall
• Mobile, Scalable, Adaptive Systems
• Component-based Architectures
• Computer Supported Collaborative Work

AFRL/IFG:
• Information Attack Mitigation
• Intrusion/Malicious Code Detection
• Multilevel Security
• Network Management & Control

AFRL/HEC:
Cognitive Displays
• CSE tools/methods/metrics
• User modeling
• Information visualization
User/System Interfaces
• Speech recognition/generation
• 3-D audio

DIW ITTP / CACC ITTP / MCCAT

Air Force Enterprise Defense Objectives

• Develop the next-generation Enterprise Defense Framework for AF MAJCOMs and Aerospace Expeditionary Forces (AEF)
  – Situational Assessment & Decision Support

• Reduce the Network Defender information overload problem

• Provide a consistent visual environment for information portrayal

• Fuse Information Assurance (IA) and Network Management data into a Common Enterprise Picture (CEP)

• Empower the MAJCOM to validate and influence present and future technology so it is suitable for transition into NMS/BIP and other acquisition programs

AFED Technology Insertion for NOSC/NCC

• Protect systems
  – Automated vulnerability/threat detection with countermeasure recommendations
  – Automated policy/configuration monitoring & change detection

• Detect IW attacks in progress
  – Fuse heterogeneous ID sensor data via AIDE ACTD
    • Integrates ASIM 3.0/CIDDS
  – Apply knowledge base & advanced algorithms to enterprise susceptibilities, site policies, and ID data to reduce “false-positives”
  – Correlate with protection data to improve event prioritization and reduce workload

• Assess impact of IW attack on mission critical systems
  – Automated INFOCON level determination and recommendations
  – Mission/Situational Assessment resulting from information attacks
  – Provide Course Of Action (COA) response planning
    • Maintains mission critical functions without degradation (Network, configuration, QoS analysis)

AFED Technology Insertion for NOSC/NCC (continued)

• Automated incident/trouble ticket reporting to reduce operator workload
  – (e.g. AFCERT, MAJCOM NOSC, Local ARS, TC2CC)

• Common Enterprise Picture for Network Management and IA Situational Awareness
  – Visual Basic prototype for task analysis feedback
  – Implement with intuitive thin-client tools (e.g. Web)
  – AFRL/HE designing state-of-the-art interface for final demonstration spiral

Funding Issues

AFRL/IF Cooperation with Government and Industry

• Government/FFRDC’s
  – AFRL/HECA: Information Portrayal Expertise, Crew Task Analysis
  – AFRL/IFS: Master Caution Panel
  – AFIWC: CSAP21, MOA
  – ESC/DIW - AIA - AC2ISRC: AFED Tech Transition into IAEDS POM
  – ESC/DIG: NMS-BIP tech transition for AFED
  – AF MAJCOMS: AFED Initiative Participation
  – OSD/DISA: AIDE ACTD, IMDS
  – DARPA: Leverage over $100M/year 6.2 Technology
  – NSA-ARL/TX: Self-Learning Knowledge Algorithms
  – CECOM: EPIC Transition to ISYSCON
  – MITRE: Lighthouse, Common Vulnerabilities and Exposures (CVE)

• Industry
  – Secure Computing Corp: Sidewinder Firewall Integration (Real-time Alerts, Dynamic Reconfiguration, Mediated DB Access)
  – Applied Visions Incorporated: SBIR/Collaboration to evolve 3D COTS visualization
  – Netsquared: Developed network sensor with concept of “session”. State machine reduces false alarms in pattern matches.
  – MountainWave: SBIR to develop Common Enterprise Picture (Network Management & IA)
  – Syracuse Research Corporation: Threat, Vulnerabilities & Countermeasures DB integration
  – ITT: CRDA pursued to provide technology training in support of a transitioned/fielded prototype capability
  – Motorola: CRDA pursued in joint exploration of innovative visualization capabilities

AFED Utilities

Diagram of AFED utilities and data flows:
• Policy Enforcement: CMU
• Visualization/Control: RT GUI, Web, AVI
• Forensics: FACS
• Decision Support/COA: Low Level – NetFlare; High Level – TBD
• Reporting: Incident Report, ARS, Hierarchy
• Host Based Agents: Lighthouse, DAWIF
• Intrusion Detection (Remote Hosts), potentially preprocessed by CIDDs: Sidewinder, Raptor, ASIM/CIDD, NetRadar, JIDS, ITA, Real Secure, Cisco NetRanger
• Automated Vul. Assessment/Adv. Intrusion Detection: ISS, TVC, BottleNeck, Emerald
• Potential IAEDS Components: AFED Trend DB, AFED/AIDE RT DB
• Automated Intrusion Response: Sidewinder, IMDS, Cisco
• Web Srv and App Svrs exchanging DB Data via Web, Cmd/Config, DB Data Direct and Other Data
• Bridge; Correlation/Data Mining: AIDE, NEDAA

EPIC Integration Architecture

Diagram of the EPIC integration architecture (labels as recovered from the slide):
• Oracle Database – Normalization, Correlation & Data Storage; Schema/Tables, Access Policies, Peer-to-Peer Sharing
• Existing Enterprise Sensors/Feeds (Inputs & Outputs), COTS & GOTS: Network/Link Management, Vulnerabilities Risk Analysis, Host/Network Intrusion Detection, Open Source (DNS, Whois), Network Control (Firewalls, Routers)
• Software Bridges (< 100 Lines of Code)
• Algorithms/KB – Data Reduction, Fusion, Correlation, Data Mining, Trend Analysis, Knowledge Base, Advanced Intrusion Detection
• Analyst/Organization Rules – Security Policies, Complex Attack Methodologies, INFOCON Rules, Reporting Rules, Courses of Action
• Action/Protection – Preemptive Measures & Courses of Action
• Visualization – Analysts GUI Screens, System Operation/Control (WEB)
• Reporting – Information Operations, Enterprise Management, Situational Assessment (ALPHA, BRAVO, CHARLIE, DELTA)


Browser Views

• Normal Browser view
• Filtered Browser view
• AVI’s Secure Scope

System Attribute Visualization

• e.g. Mapping Network Components to Vulnerabilities

System Constraint Visualization (Policy Enforcement)

• e.g. Policy Violations by Multiple Components
• VRML 2.0 with behaviours and external interfaces
• Event Listing
• Signature Summary

Notional IA COP

Screenshots of a notional IA Common Operational Picture (three variants), showing:
• GCCS / IA COP display; DII INFOCON; Red Team
• CINCs: EUCOM, SPACECOM, STRATCOM, TRANSCOM, SOCOM, SOUTHCOM, PACOM, ACOM, CENTCOM
• CYBERWATCH; Intel: INTELLINK, NSIRC, MID, WATCHCON, NMCC
• Mission Critical Systems/Applications: GCCS, JOPES, Logistics, GTN, Personnel; SIPRNET, NIPRNET
• Layers: Mission Critical Applications; Net Services Layer; Sensor Grid Layer (Non-Intrusive, Intrusive); Network (IP Routing) Layer (NIPRNET, SIPRNET, Other); Physical/Circuit Layer (Terrestrial, Space, RF; IDNX Switch)
• Processes: Identify, Inform, Respond, Assess, and Tools…; Navy Network Vigilance
• Example condition shown: SIPRNET Congestion; JOPES

What should this look like?
What does a CinC/JTF Commander want?
What does a CinC/JTF Commander need?

IA Architecture Vision

Diagram of a tiered IA architecture:
• Tiers: Global; Regional; Base Station/Post; Local Enclaves
• Ensures consistent technology and reporting; Consistent Thresholds; Global IA Situational Awareness
• Sensors; Network Level Monitoring (Intrusion Detection); Host Level Monitoring
• IA Situational Awareness and Decision Spt System

Callout: “ALERT! We are seeing multiple attacks using similar exploitation techniques! Correlate and report to Global Ctr”

Advanced Crew System Interfaces for Information Operations Center (IOC)

Potential Problems for Fusion Engines to Solve

• Problem: Identifying low, slow mapping and probing attempts
  – Issues: Sensor data grows quickly and it is difficult to store; problems with storage and retrieval
  – Current plan: utilize a trend database that saves suspicious events and compresses other data

• Problem: Acquiring knowledge from domain experts for data analysis
  – Issues: Some data gathering has been done but data is not readily available

• Problem: Data correlation (between sensors and events) in real-time to identify attacks and reduce false alarms
  – Issues: Throughput (for real time operation) is biggest problem.
  – Current plan: Implement “rule” in native code

• Problem: Goal seeking to determine the intent (or goal) of an attack
  – Issues: Need a flexible, backward chaining capability

• Problem: Need rule/filter deconfliction between components
  – Issues: Need to ensure that all filtering/rules do not conflict with each other and that a filter does not block data needed by a rule.

• Problem: Data Mining to identify new attack signatures
• Problem: Modification of KB knowledge space by non-KB experts
• Problem: Threat profile/identification extrapolation
• Problem: Machine learning algorithms that enable the system to anticipate analysts’ “next move”
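As an added example (not code from the presentation, nor from AFED or EPIC), the fusion step described on the AFED Technology Insertion slide and the low-and-slow and correlation problems on this slide, in Python: two constructed sensor feeds in invented formats are normalised into one record shape, ranked against constructed susceptibility and site-policy data, and scanned for slow probing over a long window. All formats, addresses, signature names and thresholds are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed ID-sensor alerts in an invented key=value format (not real ASIM output).
ID_ALERTS = [
    "2000-06-08T10:00:01 ids src=10.1.1.5 dst=10.2.2.20 sig=IIS_UNICODE_TRAVERSAL",
    "2000-06-08T10:00:02 ids src=10.1.1.5 dst=10.2.2.21 sig=IIS_UNICODE_TRAVERSAL",
    "2000-06-08T10:05:00 ids src=10.9.9.9 dst=10.2.2.20 sig=PORTSCAN",
]
# Constructed slow probes: one touch every few days from the same source.
SLOW_PROBES = [
    "2000-06-01T02:00:00 ids src=10.3.3.3 dst=10.2.2.20 sig=SYN_PROBE",
    "2000-06-03T02:10:00 ids src=10.3.3.3 dst=10.2.2.21 sig=SYN_PROBE",
    "2000-06-06T02:20:00 ids src=10.3.3.3 dst=10.2.2.22 sig=SYN_PROBE",
]
# Constructed firewall feed in a second, pipe-separated format.
FW_LOGS = ["2000-06-08T10:00:02|fw|10.1.1.5|10.2.2.21|deny|tcp/80"]
# Constructed "protect" data: per-host susceptibilities and site-policy scanners.
SUSCEPTIBLE = {"10.2.2.20": {"IIS_UNICODE_TRAVERSAL"}, "10.2.2.21": set()}
AUTHORISED_SCANNERS = {"10.9.9.9"}


def parse_ids(line):
    ts, _, *kv = line.split()
    return {"t": datetime.fromisoformat(ts), "sensor": "ids",
            **dict(p.split("=", 1) for p in kv)}


def parse_fw(line):
    ts, _, src, dst, action, svc = line.split("|")
    return {"t": datetime.fromisoformat(ts), "sensor": "fw",
            "src": src, "dst": dst, "action": action, "sig": svc}


def fuse(id_lines, fw_lines):
    """Fusion step: normalise both feeds into one time-ordered event list."""
    events = [parse_ids(ln) for ln in id_lines] + [parse_fw(ln) for ln in fw_lines]
    return sorted(events, key=lambda e: e["t"])


def prioritize(events, susceptible, scanners, window=timedelta(seconds=5)):
    """Rank each ID alert against protect data and correlated firewall denies:
    suppress policy-expected sources, lower alerts the firewall already blocked,
    raise alerts whose target is susceptible to the signature."""
    denies = [e for e in events if e["sensor"] == "fw" and e["action"] == "deny"]
    ranked = {}
    for e in (e for e in events if e["sensor"] == "ids"):
        blocked = any(d["src"] == e["src"] and d["dst"] == e["dst"]
                      and abs(d["t"] - e["t"]) <= window for d in denies)
        if e["src"] in scanners:
            level = "suppress"
        elif blocked:
            level = "low"
        elif e["sig"] in susceptible.get(e["dst"], set()):
            level = "high"
        else:
            level = "medium"
        ranked[(e["src"], e["dst"], e["sig"])] = level
    return ranked


def trend_probing(events, window=timedelta(days=7), min_targets=3):
    """Low-and-slow check over a trend store that keeps only (time, src, dst) of
    ID alerts; flags sources reaching min_targets distinct hosts within a window."""
    store = sorted((e["t"], e["src"], e["dst"]) for e in events if e["sensor"] == "ids")
    flagged = set()
    for i, (t0, src, _) in enumerate(store):
        hits = {d for t, s, d in store[i:] if s == src and t - t0 <= window}
        if len(hits) >= min_targets:
            flagged.add(src)
    return flagged
```

The trend store is what lets the slow probe from 10.3.3.3 surface: each of its three alerts is unremarkable alone and ranks "medium", but over seven days the source reaches three distinct hosts.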

Technology Assessment

Current R&D
• User Modeling
  – Information Needs Modeling
  – Dialog Management
• Heterogeneous Data Integration & Fusion
• Intelligent Push Technology
• Uncertainty Portrayal
• Pedigree Capture & Source Characterization
• Mixed-Initiative Systems
• Conversational Querying
• Drill down

New Development
• Capturing User Intent/Intent Inferencing
• User-Centric Relevance Measures
• Information Life Cycle

COTS/GOTS
• Speech recognition
• Large screen displays
• Multi-media integration
• Graphics processing chips
• Scientific data visualization
• CSCW tools (whiteboards, VTC, etc.)

Adapted from: AFSAB 1998 report, “Information Management to Support the Warrior” and Information Ops TPIPT

Elicitation + Representation + Portrayal + Interaction

• Functional – examine goals & structural features
• Cognitive – identify the cognitively demanding aspects of decision makers’ tasks
• Analyze work domain constraints & task context
• Supports team decision making and coordination
• Supports software design (to include visualization)

The right information at the right time, disseminated in the right way, displayed in the right way; do the right things at the right time in the right way.

To achieve this, you must understand the Information Space, the Decision Space, the Cognitive Space, the Task Space, the System Space, the Physical Space, the Group Space and the Personnel Space.

Machine Learning Algorithms for Auto-Refining Visualisations

• Dynamic IO Field
  – ROE, CONOPS
• Rapidly Evolving Technology
  – Standards, Processing Power
• Knowledge elicitation can fail to improve visualization
  – Users tend to think only in terms of current process/technology
  – Cannot specify what they want until they see it
• Balance expeditious acquisition with due diligence in knowledge elicitation
• The “My Yahoo”(.com) concept
  – Custom visualizations
  – Customizable visualizations
• Self-arranging menus & drill-downs based on analyst use