DARPA PI Meeting Santa Fe New Mexico


DARPA OASIS Meeting
Santa Fe New Mexico
July 26, 2001
Joseph E. Johnson, PhD
Vladimir Gudkov, PhD
Not for Public Release
Overview of Our Work
• IRIS
– A C4I Emergency Management System in operation
for four years for SC. IRIS requires maximum
invulnerability.
• Part I: Complete System Replication
– Addresses site specific threats
• Part II: Network Security
– Threats to networks – Vladimir Gudkov
IRIS – Background
• Our team developed the Internet Routed Information System (IRIS)
to manage all threat events and response tracking for SC.
• IRIS consists of a central Oracle 8i database running on an IBM
Unix (RS/6000 H70) multiprocessor with Java, GIS mapping, with all
data interfacing by standard web browsers. Soon we will implement
voice recognition interfacing.
• IRIS is a Command Control Communication Computer & Information
C4I type system and very pertinent to DARPA security efforts.
• The system has been fully operational for 4 years managing all
emergency events & threats, resource requests, messages, and
logs. New additions include databases for critical facilities, donated
goods, damage tracking, and personnel tracking.
• In particular, IRIS manages threats of BCN terrorism and specifically
tracks Information Infrastructure and computer attacks.
• We anticipate new funding in Oct 2001 explicitly to build a biological
terrorism module.
IRIS Threats – DARPA Initiatives
• Threats:
– Acts of nature (hurricanes, epidemics, power & IP loss, ...)
– Unintentional Acts of Man (including hardware failures &
software bugs),
– Intentional Acts of Man (including network attacks and viruses
and all forms of crime and terrorism).
• Our DARPA efforts are designed to make the
IRIS system as robust and invulnerable as
possible:
– For Site Specific Threats use System Replication
– For Network Threats – Today's talk
System Replication
• We utilize three identical dual processor IBM
H70 Unix systems located at USC, UU, and
Maui HPCC in secure environments linked by
Internet II.
• We continue to study optimal means of program
and data replication (from SC EPD) so that full
operations can be recovered and continued from
any of the three sites within minutes.
• We reported on our progress in this area at the
last PI meeting and we will give a final report at
the next appropriate meeting.
Network as a Complex System: Information Flow Analysis
Santa Fe, July 25, 2001
Vladimir Gudkov & Joseph E. Johnson
University of South Carolina
Project Goals
Real-time network monitoring for:
• Automatic detection of known attacks
• Detection of UNKNOWN attacks over a wide time range (from msec to
months) at the reconnaissance stage of the attack
Approach
• Describe the information traffic for the host-to-host
communication as a trajectory in multi-dimensional
parameter-time space
• Understand the properties of the Information Flow
• Use fast pattern recognition methods (Wavelet Analysis) for
network analysis and for detection of possible intrusions
Information traffic description
• To understand the structure of the variables for
internet host-to-host communications we used
dumped output of network traffic.
• Parameters encapsulated in the data flow
packets have been divided into two separate
classes: dynamical and static (MAC [Router] & IP address)
• The information traffic for the host-to-host
communication can be described as a trajectory
in multi-dimensional static parameter-time space
A Packet Header
Frame 1 (161 on wire, 161 captured)
Arrival Time: Nov 8, 2000 10:49:08.2032
Time delta from previous packet: 0.000000 seconds
Frame Number: 1
Packet Length: 161 bytes
Capture Length: 161 bytes
Ethernet II
Destination: 00:60:08:9b:e7:56 (00:60:08:9b:e7:56)
Source: 00:10:5a:19:01:ee (asgnet2.psc.sc.edu)
Type: IP (0x0800)
Internet Protocol
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Currently Unused: 0
Total Length: 147
Identification: 0x7302
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x2f0c (correct)
Source: asgnet2.psc.sc.edu (129.252.170.50)
Destination: ivispbx2.asg.sc.edu (129.252.170.43)
Transmission Control Protocol, Src Port: nbsession (139), Dst
Port: 1309 (1309), Seq: 34966149, Ack: 519891016
Source port: nbsession (139)
Destination port: 1309 (1309)
Sequence number: 34966149
Acknowledgement number: 519891016
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 8360
Checksum: 0x0dbd
NetBIOS Session Service
Message Type: Session message
Flags: 0x00
.... ...0 = Add 0 to length
Length: 103
SMB (Server Message Block Protocol)
Message Type: 0xFF
Server Component: SMB
SMB Command: SMBntcreateX (0xa2)
Error Class: Success
Reserved: 0
Error Code: No Error
Flags: 0x98
.... ...0 = Lock&Read, Write&Unlock not supported
.... ..0. = Receive buffer not posted
.... 1... = Path names caseless
...1 .... = Pathnames canonicalized
..0. .... = OpLocks not requested/granted
.0.. .... = Notify open only
1... .... = Response to client/redirector
Flags2: 0x8003
.... .... .... ...1 = Long file names supported
.... .... .... ..1. = Extended attributes supported
.... .... .... .0.. = Security signatures not supported
.... 0... .... .... = Extended security negotiation not supported
...0 .... .... .... = Don't resolve pathnames with DFS
..0. .... .... .... = Don't permit reads if execute-only
.0.. .... .... .... = Error codes are DOS error codes
1... .... .... .... = Strings are Unicode
Reserved: 6 WORDS
Network Path/Tree ID (TID): 12292 (3004)
Process ID (PID): 53280 (d020)
User ID (UID): 14339 (3803)
Multiplex ID (MID): 17792 (4580)
Data (71 bytes)
Information Flow Representation
• We can describe (online) the complete structure of the packet
header in terms of MATHEMATICAL FUNCTIONS
• The basis for theoretical and numerical analysis
Questions to answer on the first stage of experiments
1. What is the characteristic dimension of the network parameter space?
2. How many nodes are needed to consider the network as a "complex enough" system?
3. How does the dimension of the space depend on the network topology and on the number of nodes?
Method: Chaotic Data Analysis*
Dynamical system:
$$\frac{d\mathbf{x}}{dt} = \mathbf{F}(\mathbf{x}(t))$$
dynamical variables $g(\mathbf{x}(t))$
and observed scalar quantity
$$s(g(\mathbf{x}(n))) = s(n)$$
Let us construct the delay vector
$$y(n) = [\, s(n),\; s(n+T),\; s(n+2T),\; \dots,\; s(n+T(d-1)) \,]$$
* e.g. H.D.I. Abarbanel et al., Rev. Mod. Phys. 65 (1993) 1331 and references therein
Method: (continue)
To solve the equation:
$$\frac{d^{m}s}{dt^{m}} = \Phi\bigl(s(t),\, \dot{s}(t),\, \dots\bigr)$$
with the state vector
$$\mathbf{s}(t) := [\, s(t),\; \dot{s}(t),\; \ddot{s}(t),\; \dots \,]$$
the derivatives are estimated by finite differences over the sampling step $T$:
$$\frac{ds(t)}{dt} \approx \frac{s(t+T) - s(t)}{T}$$
$$\frac{d^{2}s(t)}{dt^{2}} \approx \frac{s(t+2T) - 2s(t+T) + s(t)}{T^{2}}$$
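As an added example (not the authors' code), the two constructions of the Method slides in Python: the delay vector y(n) and the finite-difference estimates of the first and second derivatives that build the state vector s(t). The traffic series is constructed, and using bytes per time bin as the scalar observable is an assumption; the slides do not fix a particular observable.

```python
"""Delay vectors and finite-difference derivatives for a scalar network
observable s(n). Added example, not the authors' code; the traffic series
below is constructed, and bytes-per-bin as the observable is an assumption."""
from typing import List

# Constructed observable: bytes seen per 10 ms bin on one host-to-host link.
SAMPLE_BYTES_PER_BIN: List[float] = [
    161, 147, 0, 0, 1500, 1500, 60, 0, 0, 161, 147, 0, 1500, 1500, 60, 0,
]


def delay_vectors(s: List[float], T: int, d: int) -> List[List[float]]:
    """y(n) = [s(n), s(n+T), ..., s(n+T(d-1))] for every n where the window
    fits; d is the embedding dimension, T the delay in samples."""
    if T < 1 or d < 1:
        raise ValueError("delay T and dimension d must be >= 1")
    span = (d - 1) * T
    return [[s[n + k * T] for k in range(d)] for n in range(len(s) - span)]


def first_derivative(s: List[float], T: int) -> List[float]:
    """ds/dt ~ (s(t+T) - s(t)) / T  (forward difference)."""
    return [(s[n + T] - s[n]) / T for n in range(len(s) - T)]


def second_derivative(s: List[float], T: int) -> List[float]:
    """d2s/dt2 ~ (s(t+2T) - 2 s(t+T) + s(t)) / T^2."""
    return [(s[n + 2 * T] - 2 * s[n + T] + s[n]) / T ** 2
            for n in range(len(s) - 2 * T)]


def state_vectors(s: List[float], T: int) -> List[List[float]]:
    """Rows [s, ds/dt, d2s/dt2] at the same t: the vector s(t) of the slide,
    truncated at second order. Length is len(s) - 2T, limited by d2s/dt2."""
    d1, d2 = first_derivative(s, T), second_derivative(s, T)
    return [[s[n], d1[n], d2[n]] for n in range(len(d2))]


if __name__ == "__main__":
    for row in state_vectors(SAMPLE_BYTES_PER_BIN, T=1)[:4]:
        print(row)
```

On a quadratic series the second difference is exactly constant, which is a quick sanity check of the scheme before applying it to real traffic.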
Dimension of Information flow
Structure of “Information” space
• Dimension (number of independent parameters)
is about 10 – 12
• It does not depend on the network topology, size,
operating systems …
• Therefore, one can study the structure of network
traffic and possible network intrusions in terms
of those parameters.
Fourier Transform
Wavelet (local cosine)
What have we got?
• A method to describe (in real time) information
traffic and possible network intrusions in terms
of well-defined network parameters
• Understanding of some aspects of the basic
(fundamental) structure of the information flow
• The ability to detect intrusions at the reconnaissance
stage of attacks
What are we working on?
• Understanding of normal network behavior
• A quantitative method for detecting and
classifying the danger level of
possible attacks
• A model-independent way to obtain the best
possible (optimized) detection level for
a given class of intrusions
How do we plan to do this?
• Correlations of the parameters using pattern
recognition in multi-dimensional space (Wavelet
analysis, Fast Fourier Transform, Statistical
Methods…)
• Time-scale signal separation and noise
reduction (wavelets, random matrices, …)
• On-line analysis (to test methods, hypotheses,
etc.)