Transcript EPIC2 Vision
NATO VM3D Conference
at Defense Research Establishment Valcartier
Presented by: Chet Maciag, DIW In-house Program Manager
Defensive Information Warfare Branch, Air Force Research Lab, Rome Research Site (AFRL/IFGB)
8 June 00
Application Domain: Information Warfare
“…information operations conducted to defend one’s own information and information systems or attacking and affecting an adversary’s information and information systems.” (AFDD 2-5)

“...information warfare is about the way humans think and, more importantly, the way humans make decisions. The target of information warfare, then, is the human...”
– Prof George Stein, Air War College
Definition - U.S.
(Information Warfare and Information Assurance)
• Information Assurance –
  – Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. Information assurance includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (DODD S-3600.1)
Information Assurance Operational Needs
• Provide commanders the capability to defend information flows required to execute assigned missions in both peacetime and crisis/contingency
  – 365-day-a-year Information Assurance for daily operations and business at all levels
  – Integrate Information Assurance into AFFOR/JFACC planning & execution
[Diagram: “Defend networks in support of … mission critical information flows” – nodes labelled C2, Sensors, Shooters, Networks]
Dynamic Battle Control Concept
Coordinate Information Operations with the ATO and the battlefield situation to provide Airpower and Cyberpower to meet the current situation
Analogous State of Art in IA
Moonlight Maze
“Russian Hackers Steal US Weapons Secrets”
“American officials believe Russia may have stolen some of the nation's most sensitive military secrets, including weapons guidance systems and naval intelligence codes, in a concerted espionage offensive that investigators have called operation Moonlight Maze. This was so sophisticated and well coordinated that security experts trying to build ramparts against further incursions believe America may be losing the world's first ‘cyber war’.”
– 25 July 1999, London Sunday Times (Interview with Mr. John Hamre, Deputy Secretary of Defense)
EPIC’s Defensive Information Warfare (DIW) Components
Detect
Identifying deviations from normal operational states in the enterprise in real time and predictively from network, computer, and open-source indicators.
Protect
Defining the operational computing environment as it exists physically, logically and procedurally. Determining configuration change, site policy violations, and susceptibilities.
React / Restore
Techniques and methods that might be employed to thwart malicious activity, recover lost data, and gather evidence for possible legal action or Information Operations against the parties involved.
[Diagram labels: EPIC AIDE: Depth in Detection; AFED: AIDE + Protect & React]
Defensive Information Warfare ITTP Planning, Awareness and Decision Support Technology
Objective
• Develop and demonstrate Defensive Information Operations Planning Tools, Cyberspace Situational Awareness, Cyberspace Visualization, and Information Assurance Decision Support Tools for Course-of-Action Planning
Approach
• Automated Intrusion Detection Environment ACTD
• Extensible Prototype for Information Command & Control (EPIC2) (in-house)
• Global Information Assurance Decision Support System (GIADSS) ATD
• Air Force Enterprise Defense (6.3b)
• Defensive Information Operations Planning Tool
• Cyber Command and Control (new DARPA initiative)
• Large Scale Intrusion Assessment (new DARPA initiative)
• Process control techniques for system modeling
Payoffs
• Equips JFACC/AFFOR organizations for theater network defense
• Identifies & prioritizes info assets critical to current operations
• Provides situation awareness across theater, reachback, and garrison networks
• Provides Attack Warning & Assessment, sensor cueing
• Automatically tasks or executes defensive actions, assesses & reports damage
TTCP TP-11 Year One Demonstration Accomplishments
Successful exchange of intrusion event data between Australian Shapes Vector and AFRL’s EPIC2 prototypes
[Diagram: EPIC2 and Shapes Vector – disparate systems, same goals (visualization of ID events), but differing approaches to correlation/understanding and to info gathering & categorization. Labels: Shapes Vector, Visualization/Visualisation, DB/Expert Sys, Ontology/KB, Specialized Agents, COTS Sensors]
Intrusion Detection Event Exchange
Interoperability with coalition partners in sharing IA event data
CACC ITTP
Integrated Technology Thrust Program Partners: AFRL/IF & AFRL/HE Core Technologies
AFRL/IFS:
• DataWall
• Mobile, Scalable, Adaptive Systems
• Component-based Architectures
• Computer Supported Collaborative Work
AFRL/IFG:
• Information Attack Mitigation
• Intrusion/Malicious Code Detection
• Multilevel Security
• Network Management & Control
AFRL/HEC:
Cognitive Displays
• CSE tools/methods/metrics
• User modeling
• Information visualization
User/System Interfaces
• Speech recognition/generation
• 3-D audio
[Diagram labels: DIW ITTP, MCCAT]
Air Force Enterprise Defense Objectives
• Develop the next-generation Enterprise Defense Framework for AF MAJCOMs and Aerospace Expeditionary Forces (AEF)
  – Situational Assessment & Decision Support
• Address the Network Defender information overload problem
• Provide a consistent visual environment for information portrayal
• Fuse Information Assurance (IA) and Network Management data into a Common Enterprise Picture (CEP)
• Empower the MAJCOM to validate and influence present and future technology so it is suitable for transition into NMS/BIP and other acquisition programs
AFED Technology Insertion for NOSC/NCC
• Protect systems
  – Automated vulnerability/threat detection with countermeasure recommendations
  – Automated policy/configuration monitoring & change detection
• Detect IW attacks in progress
  – Fuse heterogeneous ID sensor data via AIDE ACTD
    • Integrates ASIM 3.0/CIDDS
  – Apply knowledge base & advanced algorithms to enterprise susceptibilities, site policies, and ID data to reduce “false-positives”
  – Correlate with protection data to improve event prioritization and reduce workload
• Assess impact of IW attack on mission critical systems
  – Automated INFOCON level determination and recommendations
  – Mission/Situational Assessment resulting from information attacks
  – Provide Course Of Action (COA) response planning
    • Maintains mission critical functions without degradation (network, configuration, QoS analysis)
AFED Technology Insertion for NOSC/NCC (continued)
• Automated incident/trouble ticket reporting to reduce operator workload
  – (e.g. AFCERT, MAJCOM NOSC, Local ARS, TC2CC)
• Common Enterprise Picture for Network Management and IA Situational Awareness
  – Visual Basic prototype for task analysis feedback
  – Implement with intuitive thin-client tools (e.g. Web)
  – AFRL/HE designing state-of-the-art interface for final demonstration spiral
Funding Issues
AFRL/IF Cooperation with Government and Industry
• Government/FFRDC’s
  – AFRL/HECA: Information Portrayal Expertise, Crew Task Analysis
  – AFRL/IFS: Master Caution Panel
  – AFIWC: CSAP21, MOA
  – ESC/DIW - AIA - AC2ISRC: AFED Tech Transition into IAEDS POM
  – ESC/DIG: NMS-BIP tech transition for AFED
  – AF MAJCOMS: AFED Initiative Participation
  – OSD/DISA: AIDE ACTD, IMDS
  – DARPA: Leverage over $100M/year 6.2 Technology
  – NSA-ARL/TX: Self-Learning Knowledge Algorithms
  – CECOM: EPIC Transition to ISYSCON
  – MITRE: Lighthouse, Common Vulnerabilities and Exposures (CVE)
• Industry
  – Secure Computing Corp: Sidewinder Firewall Integration (Real-time Alerts, Dynamic Reconfiguration, Mediated DB Access)
  – Applied Visions Incorporated: SBIR/Collaboration to evolve 3D COTS visualization
  – Netsquared: Developed network sensor with concept of “session”. State machine reduces false alarms in pattern matches.
  – MountainWave: SBIR to develop Common Enterprise Picture (Network Management & IA)
  – Syracuse Research Corporation: Threat, Vulnerabilities & Countermeasures DB integration
  – ITT: CRDA pursued to provide technology training in support of a transitioned/fielded prototype capability
  – Motorola: CRDA pursued in joint exploration of innovative visualization capabilities
Potential IAEDS Components
[Diagram: data flows (DB Data via Web, DB Data Direct, Other Data, Cmd/Config) among AFED Utilities/Policy Enforcement (CMU, Host Based Agents, Lighthouse, DAWIF); Automated Intrusion Response (Sidewinder, IMDS, Cisco); Decision Support/COA (Low Level: NetFlare, High Level: TBD); Visualization/Control (RT GUI, AVI, Web Svrs); AFED/AIDE RT DB and AFED Trend DB; Intrusion Detection on remote hosts, potentially preprocessed by CIDDs (Sidewinder, ASIM/CIDD, JIDS, Raptor, NetRadar, ITA, Real Secure, Cisco NetRanger); Reporting (Incident Report, ARS Hierarchy); Automated Vul. Assessment/Adv. Intrusion Detection (TVC, ISS, BottleNeck, Emerald); Correlation/Data Mining (AIDE, NEDAA); Forensics (FACS)]
EPIC Integration Architecture
[Diagram]
Preemptive Measures & Courses of Action – Analyst/Organization Rules
• Security Policies
• Complex Attack Methodologies
• INFOCON Rules
• Reporting Rules
• Courses of Action
Outputs: Action/Protection, Enterprise Management, Reporting, Situational Assessment, Information Operations
Oracle Database
• Schema/Tables
• Access Policies
• Peer-to-Peer Sharing (ALPHA, BRAVO, CHARLIE, DELTA)
Normalization, Correlation & Data Storage – Algorithms/KB
• Data Reduction
• Fusion
• Correlation
• Data Mining
• Trend Analysis
• Knowledge Base
• Advanced Intrusion Detection
Visualization
• Analysts GUI Screens
• System Operation/Control (WEB)
Existing Enterprise Sensors/Feeds (Inputs & Outputs): COTS & GOTS Vulnerabilities, Risk Analysis, Host/Network Intrusion Detection, Network/Link Management, Network Control (Firewalls, Routers), Open Source (DNS, Whois)
Browser Views
Normal Browser view / Filtered Browser view
AVI’s Secure Scope
System Attribute Visualization
• e.g. Mapping Network Components to Vulnerabilities
System Constraint Visualization (Policy Enforcement)
• e.g. Policy Violations by Multiple Components
• VRML 2.0 with behaviours and external interfaces
Event Listing
Signature Summary
Notional IA COP
[Diagram: GCCS IA COP screen – feeds (Trinitron, Intel, CYBERWATCH, INTELLINK, WATCHCON, NSIRC, MID); Mission Critical Systems (GCCS, JOPES, Logistics, GTN, Personnel, SIPRNET, NIPRNET); CINCs (EUCOM, SPACECOM, STRATCOM, TRANSCOM, SOCOM, SOUTHCOM, PACOM, ACOM, CENTCOM); NMCC, DII, INFOCON, Red Team. Layers: Mission Critical Applications, Net Services Layer, Sensor Grid Layer (Non-Intrusive/Intrusive), Terrestrial Network (IP Routing) Layer (SIPRNET, Other), Physical/Circuit Layer (RF, Space)]
What should this look like?
What does a CinC/JTF Commander want?
What does a CinC/JTF Commander need?
Tools . . . and . . . Processes
IA Architecture Vision
[Diagram: IA Situational Awareness and Decision Spt System – Network Level Monitoring (Intrusion Detection) and Host Level Monitoring feed Local Enclaves (Base, Post, Station), Regional centres and a Global centre. Alert text: “ALERT! We are seeing multiple attacks using similar exploitation techniques! Correlate and report to Global Ctr”]
Advanced Crew System Interfaces for Information Operations Center (IOC)
Potential Problems for Fusion Engines to Solve
• Problem: Identifying low, slow mapping and probing attempts
  – Issues: Sensor data grows quickly and is difficult to store and retrieve
  – Current plan: utilize a trend database that saves suspicious events and compresses other data
• Problem: Acquiring knowledge from domain experts for data analysis
  – Issues: Some data gathering has been done but data is not readily available
• Problem: Data correlation (between sensors and events) in real-time to identify attacks and reduce false alarms
  – Issues: Throughput (for real time operation) is the biggest problem.
  – Current plan: Implement “rule” in native code
• Problem: Goal seeking to determine the intent (or goal) of an attack
  – Issues: Need a flexible, backward chaining capability
• Problem: Need rule/filter deconfliction between components
  – Issues: Need to ensure that all filtering/rules do not conflict with each other and that a filter does not block data needed by a rule.
• Problem: Data Mining to identify new attack signatures
• Problem: Modification of KB knowledge space by non-KB experts
• Problem: Threat profile/identification extrapolation
• Problem: Machine learning algorithms that enable the system to anticipate analysts’ “next move”
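The rule/filter deconfliction problem above, as an added example (not the presentation's or EPIC's own code): a static check, in Python, over a constructed filter and rule set that flags filters discarding events a correlation rule depends on, and rule pairs that would fire different actions on the same event. The field names, filter names and rule names are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Tuple

# A constraint maps an event field to the set of values it accepts;
# a field that is absent accepts any value.
Constraint = Dict[str, FrozenSet[str]]


@dataclass(frozen=True)
class Filter:
    """Pre-processing filter: events matching every constraint are discarded."""
    name: str
    drop: Constraint


@dataclass(frozen=True)
class Rule:
    """Correlation rule: fires `action` on events matching every constraint."""
    name: str
    match: Constraint
    action: str


def overlaps(a: Constraint, b: Constraint) -> bool:
    """True if at least one event could satisfy both constraint sets."""
    return all(a[f] & b[f] for f in a.keys() & b.keys())


def filter_rule_conflicts(filters: Sequence[Filter], rules: Sequence[Rule]) -> List[Tuple[str, str]]:
    """(filter, rule) pairs where the filter discards events the rule needs."""
    return [(f.name, r.name) for f in filters for r in rules if overlaps(f.drop, r.match)]


def rule_rule_conflicts(rules: Sequence[Rule]) -> List[Tuple[str, str]]:
    """Rule pairs that can fire different actions on the same event."""
    return [(x.name, y.name) for i, x in enumerate(rules) for y in rules[i + 1:]
            if x.action != y.action and overlaps(x.match, y.match)]


# Constructed sample policy (hypothetical names, not from the presentation).
FILTERS = [
    Filter("drop_external_icmp", {"proto": frozenset({"icmp"}), "src_zone": frozenset({"external"})}),
    Filter("drop_resolver_dns", {"proto": frozenset({"udp"}), "dst_port": frozenset({"53"})}),
]
RULES = [
    Rule("low_slow_probe", {"proto": frozenset({"icmp"})}, "escalate"),
    Rule("telnet_brute_force", {"proto": frozenset({"tcp"}), "dst_port": frozenset({"23"})}, "block_src"),
    Rule("internal_scan_ok", {"proto": frozenset({"tcp"}), "src_zone": frozenset({"internal"})}, "suppress"),
]

if __name__ == "__main__":
    print("filter blocks rule input:", filter_rule_conflicts(FILTERS, RULES))
    print("rules disagree on action:", rule_rule_conflicts(RULES))
```

The first report shows the ICMP filter blinding the low/slow probe detector; the second shows the block and suppress rules both claiming internal telnet traffic.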
Technology Assessment
COTS/GOTS
• Speech recognition
• Large screen displays
• Multi-media integration
• Graphics processing chips
• Scientific data visualization
• CSCW tools (whiteboards, VTC, etc.)
Current R&D
• User Modeling
  – Information Needs Modeling
  – Dialog Management
• Heterogeneous Data Integration & Fusion
• Intelligent Push Technology
• Uncertainty Portrayal
• Pedigree Capture & Source Characterization
• Mixed-Initiative Systems
• Conversational Querying
• Drill down
New Development
• Capturing User Intent/Intent Inferencing
• User-Centric Relevance Measures
• Information Life Cycle
Adapted from: AFSAB 1998 report, “Information Management to Support the Warrior” and Information Ops TPIPT
Elicitation + Representation + Portrayal + Interaction
To achieve this...
the right information, at the right time, disseminated in the right way, displayed in the right way, to do the right things, at the right time, in the right way
You must understand
the Information Space, the Decision Space, the Cognitive Space, the Task Space, the System Space, the Physical Space, the Group Space, the Personnel Space
• Functional – examine goals & structural features
• Cognitive – identify the cognitively demanding aspects of decision makers’ tasks
• Analyze work domain constraints & task context
• Supports team decision making and coordination
• Supports software design (to include visualization)
Machine Learning Algorithms for Auto-Refining Visualisations
• Dynamic IO Field
  – ROE, CONOPS
• Rapidly Evolving Technology
  – Standards, Processing Power
• Knowledge elicitation can fail to improve visualization
  – Users tend to think only in terms of current process/technology
  – Cannot specify what they want until they see it
• Balance expeditious acquisition with due diligence in knowledge elicitation
• The “My Yahoo”(.com) concept
  – Custom visualizations
  – Customizable visualizations
• Self-arranging menus & drill-downs based on analyst use