EPIC2 Vision

Transcript EPIC2 Vision

NATO VM3D Conference

at Defense Research Establishment Valcartier

Presented By: Chet Maciag, DIW In-house Program Manager
Defensive Information Warfare Branch, Air Force Research Lab, Rome Research Site (AFRL/IFGB)
8 June 00

Application Domain: Information Warfare

“…information operations conducted to defend one’s own information and information systems or attacking and affecting an adversary’s information and information systems.”

– AFDD 2-5

“...information warfare is about the way humans think and, more importantly, the way humans make decisions. The target of information warfare, then, is the human...”

– Prof George Stein, Air War College

Definition - U.S.

(Information Warfare and Information Assurance)

Information Assurance -

Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. Information assurance includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (DODD S-3600.1)

Information Assurance Operational Needs

Provide commanders the capability to defend information flows required to execute assigned missions in both peacetime and crisis/contingency

– 365-day-a-year Information Assurance for daily operations and business at all levels
– Integrate Information Assurance into AFFOR/JFACC planning & execution

Defend networks in support of mission critical information flows (diagram: C2, Sensors, Shooters, Networks)

Dynamic Battle Control Concept

Coordinate Information Operations with the ATO and the battlefield situation to provide Airpower and Cyberpower to meet the current situation

Analogous State of Art in IA

Moonlight Maze

“Russian Hackers Steal US Weapons Secrets”

“American officials believe Russia may have stolen some of the nation's most sensitive military secrets, including weapons guidance systems and naval intelligence codes, in a concerted espionage offensive that investigators have called operation Moonlight Maze. This was so sophisticated and well coordinated that security experts trying to build ramparts against further incursions believe America may be losing the world's first ‘cyber war’.”

– 25 July 1999 London Sunday Times (Interview with Mr. John Hamre, Deputy Secretary of Defense)

EPIC’s Defensive Information Warfare (DIW) Components

Detect

Identifying deviations from normal operational states in the enterprise in real time and predictively from network, computer, and open-source indicators.

Protect

Defining the operational computing environment as it exists physically, logically and procedurally. Determine configuration change, site policy violations, and susceptibilities.

EPIC AIDE: Depth in Detection

React / Restore

Techniques and methods that might be employed to thwart malicious activity, recover lost data, and gather evidence for possible legal action or Information Operations against the parties involved.

AFED:

AIDE + Protect & React

Defensive Information Warfare ITTP Planning, Awareness and Decision Support Technology

Objective
• Develop and demonstrate Defensive Information Operations Planning Tools, Cyberspace Situational Awareness, Cyberspace Visualization, and Information Assurance Decision Support Tools for Course-of-Action Planning

Approach
• Automated Intrusion Detection Environment ACTD
• Extensible Prototype for Information Command & Control (EPIC2) (in-house)
• Global Information Assurance Decision Support System (GIADSS) ATD
• Air Force Enterprise Defense (6.3b)
• Defensive Information Operations Planning Tool
• Cyber Command and Control (new DARPA initiative)
• Large Scale Intrusion Assessment (new DARPA initiative)
• Process control techniques for system modeling

Payoffs
• Equips JFACC/AFFOR organizations for theater network defense
• Identifies & prioritizes info assets critical to current operations
• Provides situation awareness across theater, reachback, and garrison networks
• Provides Attack Warning & Assessment, sensor cueing
• Automatically tasks or executes defensive actions, assesses & reports damage

TTCP TP-11 Year One Demonstration Accomplishments

Successful exchange of intrusion event data between Australian Shapes Vector and AFRL’s EPIC2 prototypes

Disparate systems, same goals - visualization of ID events, but….
• Differing approaches to Correlation/Understanding
• Differing approaches to Info Gathering & Categorization

(Diagram labels: Shapes Vector / EPIC2; Visualization / Visualisation; DB/Expert Sys; Ontology/KB; Specialized Agents; COTS Sensors)

Intrusion Detection Event Exchange

Interoperability with coalition partners in sharing IA event data

CACC ITTP

Integrated Technology Thrust Program Partners: AFRL/IF & AFRL/HE Core Technologies

AFRL/IFS:
• DataWall
• Mobile, Scalable, Adaptive Systems
• Component-based Architectures
• Computer Supported Collaborative Work

AFRL/IFG:
• Information Attack Mitigation
• Intrusion/Malicious Code Detection
• Multilevel Security
• Network Management & Control
(Diagram label: DIW ITTP)

AFRL/HEC:
Cognitive Displays
• CSE tools/methods/metrics
• User modeling
• Information visualization

User/System Interfaces
• Speech recognition/generation
• 3-D audio
(Diagram label: MCCAT)

Air Force Enterprise Defense Objectives

Develop the next-generation Enterprise Defense Framework for AF MAJCOMs and Aerospace Expeditionary Forces (AEF)

Situational Assessment & Decision Support

Improve Network Defender information overload problem

Provide a consistent visual environment for information portrayal

Fuse Information Assurance (IA) and Network Management data into a Common Enterprise Picture (CEP)

Empower the MAJCOM to validate and influence present and future technology so it is suitable for transition into NMS/BIP and other acquisition programs

AFED Technology Insertion for NOSC/NCC

• Protect systems
– Automated vulnerability/threat detection with countermeasure recommendations
– Automated policy/configuration monitoring & change detection

• Detect IW attacks in progress
– Fuse heterogeneous ID sensor data via AIDE ACTD
• Integrates ASIM 3.0/CIDDS
– Apply knowledge base & advanced algorithms to enterprise susceptibilities, site policies, and ID data to reduce “false-positives”
– Correlate with protection data to improve event prioritization and reduce workload

• Assess impact of IW attack on mission critical systems
– Automated INFOCON level determination and recommendations
– Mission/Situational Assessment resulting from information attacks
– Provide Course Of Action (COA) response planning
• Maintains mission critical functions without degradation (Network, configuration, QoS analysis)

AFED Technology Insertion for NOSC/NCC (continued)

• Automated incident/trouble ticket reporting to reduce operator workload
– (e.g. AFCERT, MAJCOM NOSC, Local ARS, TC2CC)

• Common Enterprise Picture for Network Management and IA Situational Awareness
– Visual Basic prototype for task analysis feedback
– Implement with intuitive thin-client tools (e.g. Web)
– AFRL/HE designing state-of-the-art interface for final demonstration spiral

Funding Issues

AFRL/IF Cooperation with Government and Industry

• Government/FFRDCs
– AFRL/HECA: Information Portrayal Expertise, Crew Task Analysis
– AFRL/IFS: Master Caution Panel
– AFIWC: CSAP21, MOA
– ESC/DIW - AIA - AC2ISRC: AFED Tech Transition into IAEDS POM
– ESC/DIG: NMS-BIP tech transition for AFED
– AF MAJCOMS: AFED Initiative Participation
– OSD/DISA: AIDE ACTD, IMDS
– DARPA: Leverage over $100M/year 6.2 Technology
– NSA-ARL/TX: Self-Learning Knowledge Algorithms
– CECOM: EPIC Transition to ISYSCON
– MITRE: Lighthouse, Common Vulnerabilities and Exposures (CVE)

• Industry
– Secure Computing Corp: Sidewinder Firewall Integration (Real-time Alerts, Dynamic Reconfiguration, Mediated DB Access)
– Applied Visions Incorporated: SBIR/Collaboration to evolve 3D COTS visualization
– Netsquared: Developed network sensor with concept of “session”. State machine reduces false alarms in pattern matches.
– MountainWave: SBIR to develop Common Enterprise Picture (Network Management & IA)
– Syracuse Research Corporation: Threat, Vulnerabilities & Countermeasures DB integration
– ITT: CRDA pursued to provide technology training in support of a transitioned/fielded prototype capability
– Motorola: CRDA pursued in joint exploration of innovative visualization capabilities

Potential IAEDS Components

(Block diagram of potential IAEDS components. Data sources: DB Data via Web, DB Data Direct, Other Data, Cmd/Config. AFED Utilities: Policy Enforcement (CMU), Host Based Agents, Lighthouse, DAWIF, Automated Intrusion Response, Sidewinder, IMDS, Cisco. Decision Support/COA: Low Level NetFlare, High Level TBD. Visualization/Control: RT GUI, AVI, Web Servers. Data stores: AFED/AIDE RT DB, AFED Trend DB, Bridge. Intrusion Detection (Remote Hosts, potentially preprocessed by CIDDs): Sidewinder, ASIM/CIDD, JIDS, Raptor, NetRadar, ITA, Real Secure, Cisco NetRanger. Reporting: Incident Report, ARS Hierarchy. Automated Vul. Assessment/Adv. Intrusion Detection: TVC, ISS, BottleNeck, Emerald. Correlation/Data Mining: AIDE, NEDAA. Forensics: FACS.)

EPIC Integration Architecture

(Diagram of the EPIC integration architecture)

Preemptive Measures & Courses of Action - Analyst/Organization Rules: Security Policies; Complex Attack Methodologies; INFOCON Rules; Reporting Rules; Courses of Action

Action/Protection; Enterprise Management; Reporting; Situational Assessment; Information Operations

Oracle Database: Schema/Tables; Access Policies; Peer-to-Peer Sharing (ALPHA, BRAVO, CHARLIE, DELTA)

Normalization, Correlation & Data Storage - Algorithms/KB: Data Reduction; Fusion; Correlation; Data Mining; Trend Analysis; Knowledge Base

Advanced Intrusion Detection Visualization: Analysts GUI Screens; System Operation/Control (WEB)

Existing Enterprise Sensors/Feeds (Inputs & Outputs): COTS & GOTS Vulnerabilities; Risk Analysis; Host/Network Intrusion Detection; Network/Link Management; Network Control (Firewalls, Routers); Open Source (DNS, Whois)


Browser Views

Normal Browser view / Filtered Browser view

AVI’s Secure Scope

System Attribute Visualization
• e.g. Mapping Network Components to Vulnerabilities

System Constraint Visualization (Policy Enforcement)
• e.g. Policy Violations by Multiple Components
• VRML 2.0 with behaviours and external interfaces

Event Listing

Signature Summary

Notional IA COP

(Three mock-up screens of a notional IA Common Operational Picture; the mock-ups carry a “This medium is classified SECRET / US Government property” marking.)

Intel feeds: Trinitron, CYBERWATCH, INTELLINK, WATCHCON, NSIRC, MID, DII
GCCS IA COP - Mission Critical Systems: GCCS, JOPES, Logistics, GTN, Personnel, SIPRNET, NIPRNET
CINCs: EUCOM, SPACECOM, STRATCOM, TRANSCOM, SOCOM, SOUTHCOM, PACOM, ACOM, CENTCOM
Also shown: NMCC, INFOCON, Red Team

What should this look like?

What does a CinC/JTF Commander want?

What does a CinC/JTF Commander need?

Tools . . . and . . . Processes

Layered view: Mission Critical Applications (JOPES); Net Services Layer; Sensor Grid Layer (Non-Intrusive, Intrusive); Terrestrial Network (IP Routing) Layer (SIPRNET, Other, Congestion); Physical/Circuit Layer (RF, Space, IDNX Switch)

IA Architecture Vision

(Diagram) IA Situational Awareness and Decision Support System: Host Level Monitoring and Network Level Monitoring (Intrusion Detection) in the local enclaves (Base, Post, Station), rolling up to Regional and Global centers. Callout at both regional nodes: “ALERT! We are seeing multiple attacks using similar exploitation techniques! Correlate and report to Global Ctr”

Advanced Crew System Interfaces for Information Operations Center (IOC)

Potential Problems for Fusion Engines to Solve

• Problem: Identifying low, slow mapping and probing attempts
– Issues: Sensor data grows quickly; storage and retrieval are difficult
– Current plan: utilize a trend database that saves suspicious events and compresses other data

• Problem: Acquiring knowledge from domain experts for data analysis
– Issues: Some data gathering has been done but data is not readily available

• Problem: Data correlation (between sensors and events) in real-time to identify attacks and reduce false alarms
– Issues: Throughput (for real time operation) is the biggest problem
– Current plan: Implement “rules” in native code

• Problem: Goal seeking to determine the intent (or goal) of an attack
– Issues: Need a flexible, backward chaining capability

• Problem: Need rule/filter deconfliction between components
– Issues: Need to ensure that all filtering/rules do not conflict with each other and that a filter does not block data needed by a rule.

• Problem: Data Mining to identify new attack signatures
• Problem: Modification of KB knowledge space by non-KB experts
• Problem: Threat profile/identification extrapolation
• Problem: Machine learning algorithms that enable the system to anticipate analysts’ “next move”
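The rule/filter deconfliction problem above, as an added example that is not code from the EPIC2 program: a static check, written in Python over constructed filter and rule definitions (all field, filter and rule names are assumptions), that reports rules a filter would starve of data, rules a filter only partially covers, and block/allow rule pairs whose conditions overlap.

```python
# Filter/rule deconfliction check. Added example, not from the EPIC2 deck.
# Filters drop events before correlation rules see them: a filter whose drop
# condition covers everything a rule matches starves that rule; two rules with
# overlapping conditions and opposite actions conflict. All names are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Filter:
    name: str
    drops: dict  # event is dropped when every (field, value) here matches

@dataclass(frozen=True)
class Rule:
    name: str
    needs: dict  # rule fires when every (field, value) here matches
    action: str

def _compatible(a: dict, b: dict) -> bool:
    """True when no shared field pins different values, i.e. some event satisfies both."""
    return all(b.get(k, v) == v for k, v in a.items())

def deconflict(filters, rules):
    """Return (kind, first, second) findings: STARVED/PARTIAL rules and CONFLICT pairs."""
    findings = []
    for r in rules:
        for f in filters:
            if not _compatible(f.drops, r.needs):
                continue  # disjoint: this filter never touches the rule's events
            # If the filter pins only fields the rule also pins (same values), every
            # event the rule could match is dropped upstream and it can never fire.
            kind = "STARVED" if set(f.drops) <= set(r.needs) else "PARTIAL"
            findings.append((kind, r.name, f.name))
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if _compatible(a.needs, b.needs) and {a.action, b.action} == {"block", "allow"}:
                findings.append(("CONFLICT", a.name, b.name))
    return findings

# Constructed sample: one starved rule, one partially filtered rule, one block/allow overlap.
FILTERS = [
    Filter("drop-internal-icmp", {"proto": "icmp", "src_zone": "internal"}),
    Filter("drop-dns-noise", {"proto": "udp", "dport": 53}),
]
RULES = [
    Rule("icmp-sweep", {"proto": "icmp", "src_zone": "internal"}, "alert"),
    Rule("dns-tunnel", {"proto": "udp"}, "alert"),
    Rule("block-ssh-scanner", {"src_zone": "external", "dport": 22}, "block"),
    Rule("allow-partner-ssh", {"src_zone": "external", "dport": 22, "src": "192.0.2.10"}, "allow"),
]
```

Running `deconflict(FILTERS, RULES)` reports that `icmp-sweep` can never fire behind `drop-internal-icmp`, that `drop-dns-noise` removes part of what `dns-tunnel` needs, and that the two SSH rules contradict each other on overlapping traffic.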

Technology Assessment

COTS/GOTS
• Speech recognition
• Large screen displays
• Multi-media integration
• Graphics processing chips
• Scientific data visualization
• CSCW tools (whiteboards, VTC, etc.)

Current R&D
• User Modeling
– Information Needs Modeling
– Dialog Management
• Heterogeneous Data Integration & Fusion
• Intelligent Push Technology
• Uncertainty Portrayal
• Pedigree Capture & Source Characterization
• Mixed-Initiative Systems
• Conversational Querying
• Drill down

New Development
• Capturing User Intent/Intent Inferencing
• User-Centric Relevance Measures
• Information Life Cycle

Adapted from: AFSAB 1998 report, “Information Management to Support the Warrior” and Information Ops TPIPT

Elicitation + Representation + Portrayal + Interaction

To achieve this...

the right information, at the right time, disseminated in the right way, displayed in the right way; do the right things, at the right time, in the right way

You must understand

the Information Space, the Decision Space, the Cognitive Space, the Task Space, the System Space, the Physical Space, the Group Space, the Personnel Space

• Functional – examine goals & structural features
• Cognitive – identify the cognitively demanding aspects of decision makers’ tasks
• Analyze work domain constraints & task context
• Supports team decision making and coordination
• Supports software design (to include visualization)

Machine Learning Algorithms for Auto-Refining Visualisations

• Dynamic IO Field
– ROE, CONOPS

• Rapidly Evolving Technology
– Standards, Processing Power

• Knowledge elicitation can fail to improve visualization
– Users tend to think only in terms of current process/technology
– Cannot specify what they want until they see it

• Balance expeditious acquisition with due diligence in knowledge elicitation

• The “My Yahoo”(.com) concept
– Custom visualizations
– Customizable visualizations

• Self-arranging menus & drill-downs based on analyst use