Transcript EPIC2 Vision

NATO VM3D Conference
at
Defense Research Establishment Valcartier
Presented By:
Chet Maciag
DIW In-house Program Manager
8 June 00
Defensive Information Warfare Branch
Air Force Research Lab, Rome Research Site (AFRL/IFGB)
Application Domain: Information
Warfare
“…information operations conducted to defend one’s own information
and information systems or attacking and affecting an adversary’s
information and information systems.” (AFDD 2-5)
“...information warfare is about the way humans think and, more
importantly, the way humans make decisions. The target of
information warfare, then, is the human...”
–
Prof George Stein, Air War College
Definition - U.S.
(Information Warfare and Information Assurance)
• Information Assurance – Information operations that protect and defend information
and information systems by ensuring their availability,
integrity, authentication, confidentiality, and non-repudiation.
Information assurance includes providing for restoration of
information systems by incorporating protection, detection,
and reaction capabilities. (DODD S-3600.1)
Information Assurance
Operational Needs
• Provide commanders the capability to defend information flows
required to execute assigned missions in both peacetime and
crisis/contingency
– 365-day-a year Information Assurance for daily operations and business at all levels
– Integrate Information Assurance into AFFOR/JFACC planning & execution
C2
Defend networks
in support of ...
Shooters
Sensors
… mission critical
information flows
Networks
Dynamic Battle Control Concept
Coordinate Information Operations with the ATO
and the battlefield situation to provide Airpower
and Cyberpower to meet the current situation
Analogous State of Art in IA
Moonlight Maze
“Russian Hackers Steal US Weapons Secrets”
“American officials believe Russia may have stolen some of the
nation's most sensitive military secrets, including weapons
guidance systems and naval intelligence codes, in a concerted
espionage offensive that investigators have called operation
Moonlight Maze.
This was so sophisticated and well coordinated that security experts
trying to build ramparts against further incursions believe
America may be losing the world's first ‘cyber war’.”
25 July 1999
London Sunday Times
(Interview with Mr. John Hamre, Deputy Secretary of Defense)
EPIC’s Defensive Information Warfare
(DIW) Components
Protect
Detect
Defining the operational computing
environment as it exists physically,
logically and procedurally. Determine
configuration change, site policy
violations, and susceptibilities
Identifying deviations from
normal operational states in the
enterprise in real time and
predictively from network,
computer, and open-source
indicators.
EPIC
React / Restore
Techniques and methods that might be
employed to thwart malicious activity,
recover lost data, and gather evidence
for possible legal action or Information
Operations against the parties involved.
AIDE: Depth in Detection
AFED: AIDE + Protect & React
Defensive Information Warfare ITTP
Planning, Awareness and Decision Support
Technology
Objective
• Develop and demonstrate Defensive Information
Operations Planning Tools, Cyberspace Situational
Awareness, Cyberspace Visualization, and
Information Assurance Decision Support Tools for
Course-of-Action Planning
Approach
• Automated Intrusion Detection Environment ACTD
• Extensible Prototype for Information Command &
Control (EPIC2) (in-house)
• Global Information Assurance Decision Support
System (GIADSS) ATD
• Air Force Enterprise Defense (6.3b)
• Defensive Information Operations Planning Tool
• Cyber Command and Control (new DARPA
initiative)
• Large Scale Intrusion Assessment (new DARPA
initiative)
• Process control techniques for system modeling
Payoffs
• Equips JFACC/AFFOR organizations for
theater network defense
• Identifies & prioritize info assets critical to
current operations
• Provides Situation awareness across theater,
reachback, and garrison networks
• Provides Attack Warning & Assessment, sensor
cueing
• Automatically tasks or executes defensive
actions, assesses & reports damage
TTCP TP-11 Year One Demonstration Accomplishments
Successful exchange of intrusion event data between
Australian Shapes-Vector and AFRL’s EPIC2 prototypes
Disparate systems
Same Goals - Visualization of
ID Events, but….
Differing approaches to
Correlation/Understanding
EPIC2
Differing approaches to Info
Gathering & Categorization
Shapes- Vector
Visualization
Visualisation
DB/Expert Sys
Ontology/KB
COTS Sensors
Specialized Agents
Intrusion Detection
Event Exchange
Interoperability with coalition partners in sharing IA event data
Integrated Technology Thrust Program
Partners
AFRL/IF & AFRL/HE Core Technologies
AFRL/IFS:
AFRL/IFG:
•DataWall
•Mobile, Scalable,
Adaptive Systems
•Component-based
Architectures
•Computer Supported
Collaborative Work
•Information Attack
Mitigation
•Intrusion/Malicious
Code Detection
•Multilevel Security
•Network Management
& Control
CACC ITTP
DIW ITTP
AFRL/HEC:
Cognitive Displays
•CSE tools/methods/metrics
•User modeling
•Information visualization
User/System Interfaces
•Speech recognition/generation
•3-D audio
MCCAT
Air Force Enterprise Defense
Objectives
• Develop the next-generation Enterprise Defense Framework for AF
MAJCOMs and Aerospace Expeditionary Forces (AEF)
– Situational Assessment & Decision Support
• Improve Network Defender information overload problem
• Provide a consistent visual environment for information
portrayal
• Fuse Information Assurance (IA) and Network Management
data into a Common Enterprise Picture (CEP)
• Empower the MAJCOM to validate and influence present and
future technology so it suitable for transition into NMS/BIP
and other acquisition programs
AFED Technology Insertion
for NOSC/NCC
• Protect systems
– Automated vulnerability/threat detection with countermeasure
recommendations
– Automated policy/configuration monitoring & change detection
• Detect IW attacks in progress
– Fuse heterogeneous ID sensor data via AIDE ACTD
• Integrates ASIM 3.0/CIDDS
– Apply knowledge base & advanced algorithms to enterprise susceptibilities, site
policies, and ID data to reduce “false-positives”
– Correlate with protection data to improve event prioritization and reduce
workload
• Assess impact of IW attack on mission critical systems
– Automated INFOCON level determination and recommendations
– Mission/Situational Assessment resulting from information attacks
– Provide Course Of Action (COA) response planning
•
Maintains mission critical functions without degradation (Network, configuration, QoS analysis)
AFED Technology Insertion
for NOSC/NCC (continued)
• Automated incident/trouble ticket reporting to reduce operator
workload
– (e.g. AFCERT, MAJCOM NOSC, Local ARS, TC2CC)
• Common Enterprise Picture for Network Management and
IA Situational Awareness
– Visual Basic prototype for task analysis feedback
– Implement with intuitive thin-client tools (e.g. Web)
– AFRL/HE designing state-of-the-art interface for final
demonstration spiral
Funding Issues
AFRL/IF Cooperation with
Government and Industry
•
Government/FFRDC’s
–
–
–
–
–
–
–
–
–
–
–
AFRL/HECA: Information Portrayal
Expertise, Crew Task Analysis
AFRL/IFS: Master Caution Panel
AFIWC: CSAP21, MOA
ESC/DIW - AIA - AC2ISRC: AFED Tech
Transition into IAEDS POM
ESC/DIG: NMS-BIP tech transition for
AFED
AF MAJCOMS: AFED Initiative
Participation
OSD/DISA: AIDE ACTD, IMDS
DARPA: Leverage over $100M/year 6.2
Technology
NSA-ARL/TX: Self-Learning Knowledge
Algorithms
CECOM: EPIC Transition to ISYSCON
MITRE: Lighthouse, Common
Vulnerabilities and Exposures (CVE)
•
Industry
–
–
–
–
–
–
–
Secure Computing Corp: Sidewinder
Firewall Integration (Real-time Alerts,
Dynamic Reconfiguration, Mediated DB
Access)
Applied Visions Incorporated:
SBIR/Collaboration to evolve 3D COTS
visualization
Netsquared: Developed network sensor
with concept of “session”. State machine
reduces false alarms in pattern matches.
MountainWave: SBIR to develop Common
Enterprise Picture (Network Management &
IA)
Syracuse Research Corporation: Threat,
Vulnerabilities & Countermeasures DB
integration
ITT: CRDA pursued to provide technology
training in support of a transitioned/fielded
prototype capability
Motorola: CRDA pursued in joint
exploration of innovative visualization
capabilities
Potential IAEDS Components
DB Data via Web
DB Data Direct
Other Data
Cmd/Config
AFED Utilities
Policy
Enforcement W
E
CMU
B
Host Based Agents
Lighthouse
DAWIF
Automated Intrusion
Response
Sidewinder W
E
IMDS
B
Cisco
Decision Support/COA
Visualization/Control
Low Level
NetFlare
High Level
TBD
RT GUI
Web
AVI
Reporting
Incident
Report
ARS
Hierarchy
Web Srv
App
App
Svrs
App
Svrs
Svrs
AFED/AIDE
RT DB
Automated Vul.Assessment
/Adv. Intrusion Detection
AFED
Trend DB
Bridge
TVC
BottleNeck
ISS
Emerald
Correlation/Data Mining
Intrusion Detection
(Remote Hosts)
Potentially Preprocessed by CIDDs
Sidewinder ASIM/CIDD
AIDE
NEDAA
JIDS
Raptor
NetRadar
ITA
Forensics
Real Secure
Cisco
NetRanger
FACS
EPIC Integration Architecture
Preemptive
Measures
&
Courses of
Action
Action/Protection
Analyst/Organization
Rules
•Security Policies
Enterprise
Management
Reporting
Situational
Assessment
•Complex Attack
Methodologies
•INFOCON Rules
ALPHA CHARLIE
BRAVO DELTA
Information
Operations
•Reporting Rules
•Courses of Action
Oracle Database
•Schema/Tables
•Access Policies
•Peer-to-Peer Sharing
Algorithms/KB
Normalization,
Correlation &
Data Storage
Existing
Enterprise
Sensors/Feeds
(Inputs & Outputs)
COTS & GOTS
Visualization
•Data Reduction
•Fusion
•Correlation
•Data Mining
•Trend Analysis
•Knowledge Base
•Advanced Intrusion Detection
•Analysts GUI Screens
•System Operation/
Control (WEB)
Open Source
(DNS, Whois)
Vulnerabilities
Risk Analysis
Host/Network
Intrusion Detection
Network/Link
Management
Network Control
(Firewalls, Routers)
EPIC Integration Architecture
Preemptive
Measures
&
Courses of
Action
Action/Protection
Analyst/Organization
Rules
•Security Policies
Enterprise
Management
Reporting
Situational
Assessment
•Complex Attack
Methodologies
•INFOCON Rules
ALPHA CHARLIE
BRAVO DELTA
Information
Operations
•Reporting Rules
•Courses of Action
Oracle Database
•Schema/Tables
•Access Policies
•Peer-to-Peer Sharing
Algorithms/KB
Normalization,
Correlation &
Data Storage
Existing
Enterprise
Sensors/Feeds
(Inputs & Outputs)
COTS & GOTS
Visualization
•Data Reduction
•Fusion
•Correlation
•Data Mining
•Trend Analysis
•Knowledge Base
•Advanced Intrusion Detection
•Analysts GUI Screens
•System Operation/
Control (WEB)
Open Source
(DNS, Whois)
Vulnerabilities
Risk Analysis
Host/Network
Intrusion Detection
Network/Link
Management
Network Control
(Firewalls, Routers)
EPIC Integration Architecture
Preemptive
Measures
&
Courses of
Action
Action/Protection
Analyst/Organization
Rules
•Security Policies
Enterprise
Management
Reporting
Situational
Assessment
•Complex Attack
Methodologies
•INFOCON Rules
ALPHA CHARLIE
BRAVO DELTA
Information
Operations
•Reporting Rules
•Courses of Action
Oracle Database
•Schema/Tables
•Access Policies
•Peer-to-Peer Sharing
Algorithms/KB
Normalization,
Correlation &
Data Storage
Existing
Enterprise
Sensors/Feeds
(Inputs & Outputs)
COTS & GOTS
Visualization
•Data Reduction
•Fusion
•Correlation
•Data Mining
•Trend Analysis
•Knowledge Base
•Advanced Intrusion Detection
•Analysts GUI Screens
•System Operation/
Control (WEB)
Open Source
(DNS, Whois)
Vulnerabilities
Risk Analysis
Host/Network
Intrusion Detection
Network/Link
Management
Network Control
(Firewalls, Routers)
Browser Views
Normal Browser view
Filtered Browser view
AVI’s Secure Scope
System Attribute
Visualization
•
e.g. Mapping Network Components to Vulnerabilities
System Constraint
Visualization
(Policy Enforcement)
• e.g. Policy Violations by Multiple Components
• VRML 2.0 with behaviours and external interfaces
Event Listing
Signature Summary
Notional IA COP
GCCS
IA COP
Trinitron
Intel
CYBERWATCH
INTELLINK
WATCHCON
NSIRC
MID
Mission
Critical
Systems
GCCS
JOPES
Logistics
GTN
Personnel
SIPRNET
NIPRNET
This medium is classified
SECRET
US Government property
CINCS
EUCOM
SPACECOM
STRATCOM
TRANSCOM
SOCOM
SOUTHCOM
PACOM
ACOM
CENTCOM
NMCC
DII
INFOCON
What should this look like?
What does a CinC/JTF Commander want?
What does a CinC/JTF Commander need?
Red Team
and . . . Processes
Tools . . .
Mission
Critical
Applications
Trinitron
This medium
is classified
SECRET
US
Government
property
GCCS
IA COP
Intel
CYBERWATCH
Net Services Layer
INTELLINK
WATCHCON
NSIRC
MID
Sensor Grid Layer
Non-Intrusive
DII
Intrusive
Network (IP Routing) Layer
NIPRNET
NAVY
Terrestrial
SIPRNET
Physical/Circuit Layer
RF
Other
Space
Mission
Critical
Systems
GCCS
JOPES
Logistics
GTN
Personnel
SIPRNET
NIPRNET
INFOCON
CINCS
EUCOM
SPACECO
M
STRATCO
M
TRANSCO
M
SOCOM
SOUTHCO
M
PACOM
NMCC
ACOM
CENTCOM
Red Team
GCCS
IA COP
Trinitron
Intell
CYBERWATCH
INTELLINK
WATCHCON
NSIRC
MID
Mission
Critical
Systems
GCCS
JOPES
Logistics
GTN
Personnel
SIPRNET
NIPRNET
Notional IA COP
This medium is classified
SECRET
US Government property
CINCS
EUCOM
SPACECOM
STRATCOM
TRANSCOM
SOCOM
SOUTHCOM
PACOM
ACOM
CENTCOM
NMCC
DII
INFOCON
Red Team
JOPES
Mission
Critical
Applications
Net Services Layer
Sensor Grid Layer
Network (IP Routing) Layer
Physical/Circuit Layer
SIPRNET
Congestion
IDNX
Switch
IA Architecture Vision
Ensures
Global
consistent
Consistent
IA Situational
technology
Thresholds
Awareness
and reporting
IA Situational Awareness
and Decision Spt System
Network Level Monitoring
(Intrusion Detection)
ALERT! We are seeing
multiple attacks using
similar exploitation
techniques! Correlate and
report to Global Ctr
ALERT! We are seeing
multiple attacks using
similar exploitation
techniques! Correlate
and report to Global Ctr
Global
Host Level Monitoring
Regional
Regional
Base
Post
Station
Local Enclaves
Advanced Crew System Interfaces
for Information Operations Center (IOC)
Potential Problems
for Fusion Engines to Solve
•
Problem: Identifying low, slow mapping and probing attempts
–
–
•
Problem: Acquiring knowledge from domain experts for data analysis
–
•
Issues: Need a flexible, backward chaining capability
Problem: Need rule/filter deconfliction between components
–
•
•
•
•
Issues: Throughput (for real time operation) is biggest problem.
Current plan: Implement “rule” in native code
Problem: Goal seeking to determine the intent (or goal) of an attack
–
•
Issues: Some data gathering has been done but data is not readily available
Problem: Data correlation (between sensors and events) in real-time to identify
attacks and reduce false alarms
–
–
•
Issues: Sensor data grows quickly and it is difficult to store, problems with storage and retrieval
Current plan: utilize a trend database that saves suspicious events and compressing other data
Issues: Need to ensure that all filtering/rules do not conflict with each other and that a filter does not block data
needed by a rule.
Problem: Data Mining to identify new attack signatures
Problem: Modification of KB knowledge space by non-KB experts
Problem: Threat profile/identification extrapolation
Problem: Machine learning algorithms that enable the system to anticipate
analysts “next move”
Technology Assessment
COTS/GOTS
•
•
•
•
•
•
Speech recognition
Large screen displays
Multi-media integration
Graphics processing
chips
Scientific data
visualization
CSCW tools
(whiteboards, VTC, etc.)
Current R&D
•
•
•
•
•
•
•
•
User Modeling
– Information Needs
Modeling
– Dialog Management
Heterogeneous Data
Integration & Fusion
Intelligent Push
Technology
Uncertainty Portrayal
Pedigree Capture &
Source Characterization
Mixed-Initiative Systems
Conversational Querying
Drill down
New Development
•
•
•
Capturing User Intent/
Intent Inferencing
User-Centric Relevance
Measures
Information Life Cycle
Adapted from: AFSAB 1998 report, “Information Management
to Support the Warrior” and Information Ops TPIPT
Elicitation + Representation +
Portrayal + Interaction
To achieve this...
at
disseminated in
displayed in
do
at
in
•
•
•
•
•
the
the
the
the
the
the
the
right information
right time
right way
right way
right things
right time
right way
You must understand
the Information Space
the Decision Space
the Cognitive Space
the Task Space
the System Space
the Physical Space
the Group Space
the Personnel Space
Functional–examine goals & structural features
Cognitive–identify the cognitively demanding aspects of decision makers’
tasks
Analyze work domain constraints & task context
Supports team decision making and coordination
Supports software design (to include visualization)
Machine Learning Algorithms for
Auto-Refining Visualisations
• Dynamic IO Field
– ROE, CONOPS
• Rapidly Evolving Technology
– Standards, Processing Power
• Knowledge elicitation can fail to improve visualization
– Users tend to think only in terms of current process/technology
– Cannot specify what they want until they see it
• Balance expeditious acquisition with due diligence in
knowledge elicitation
• The “My Yahoo”(.com) concept
– Custom visualizations
– Customizable visualizations
• Self-arranging menus & drill-downs based on analyst use