
NATO VM3D Conference at Defense Research Establishment Valcartier

NATO VM3D Conference at Defense Research Establishment Valcartier. Presented By: Chet Maciag DIW In-house Program Manager 8 June 00. Defensive Information Warfare Branch Air Force Research Lab, Rome Research Site (AFRL/IFGB). Application Domain: Information Warfare.



Presentation Transcript


  1. NATO VM3D Conference at Defense Research Establishment Valcartier. Presented By: Chet Maciag, DIW In-house Program Manager, 8 June 00. Defensive Information Warfare Branch, Air Force Research Lab, Rome Research Site (AFRL/IFGB)

  2. Application Domain: Information Warfare “…information operations conducted to defend one’s own information and information systems or attacking and affecting an adversary’s information and information systems.” (AFDD 2-5) “...information warfare is about the way humans think and, more importantly, the way humans make decisions. The target of information warfare, then, is the human...” • Prof George Stein, Air War College

  3. Definition - U.S. (Information Warfare and Information Assurance) • Information Assurance - Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. Information assurance includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (DODD S-3600.1)

  4. Information Assurance Operational Needs • Provide commanders the capability to defend information flows required to execute assigned missions in both peacetime and crisis/contingency • 365-day-a-year Information Assurance for daily operations and business at all levels • Integrate Information Assurance into AFFOR/JFACC planning & execution (diagram labels: C2; Shooters; Sensors; Networks; “Defend networks in support of … mission critical information flows”)

  5. Dynamic Battle Control Concept: Coordinate Information Operations with the ATO and the battlefield situation to provide Airpower and Cyberpower to meet the current situation (diagram labels: FLOT, FSCL)

  6. Analogous State of Art in IA

  7. Moonlight Maze“Russian Hackers Steal US Weapons Secrets” “American officials believe Russia may have stolen some of the nation's most sensitive military secrets, including weapons guidance systems and naval intelligence codes, in a concerted espionage offensive that investigators have called operation Moonlight Maze. This was so sophisticated and well coordinated that security experts trying to build ramparts against further incursions believe America may be losing the world's first ‘cyber war’.” 25 July 1999 London Sunday Times (Interview with Mr. John Hamre, Deputy Secretary of Defense)

  8. EPIC’s Defensive Information Warfare (DIW) Components EPIC AIDE: Depth in Detection AFED: AIDE + Protect & React

  9. Defensive Information Warfare ITTP Planning, Awareness and Decision Support Technology Objective • Develop and demonstrate Defensive Information Operations Planning Tools, Cyberspace Situational Awareness, Cyberspace Visualization, and Information Assurance Decision Support Tools for Course-of-Action Planning Approach • Automated Intrusion Detection Environment ACTD • Extensible Prototype for Information Command & Control (EPIC2) (in-house) • Global Information Assurance Decision Support System (GIADSS) ATD • Air Force Enterprise Defense (6.3b) • Defensive Information Operations Planning Tool • Cyber Command and Control (new DARPA initiative) • Large Scale Intrusion Assessment (new DARPA initiative) • Process control techniques for system modeling Payoffs • Equips JFACC/AFFOR organizations for theater network defense • Identifies & prioritizes info assets critical to current operations • Provides situation awareness across theater, reachback, and garrison networks • Provides Attack Warning & Assessment, sensor cueing • Automatically tasks or executes defensive actions, assesses & reports damage

  10. TTCP TP-11 Year One Demonstration Accomplishments: Successful exchange of intrusion event data between Australian Shapes-Vector and AFRL’s EPIC2 prototypes. Disparate systems, same goals - visualization of ID events, but…. differing approaches to correlation/understanding and differing approaches to info gathering & categorization. (diagram: EPIC2 - Visualization, DB/Expert Sys, COTS Sensors; Shapes-Vector - Visualisation, Ontology/KB, Specialized Agents; Intrusion Detection Event Exchange between them.) Interoperability with coalition partners in sharing IA event data

  11. Integrated Technology Thrust Program Partners: AFRL/IF & AFRL/HE Core Technologies AFRL/IFS: • DataWall • Mobile, Scalable, Adaptive Systems • Component-based Architectures • Computer Supported Collaborative Work AFRL/IFG: • Information Attack Mitigation • Intrusion/Malicious Code Detection • Multilevel Security • Network Management & Control AFRL/HEC: Cognitive Displays • CSE tools/methods/metrics • User modeling • Information visualization User/System Interfaces • Speech recognition/generation • 3-D audio (diagram labels: CACC ITTP, DIW ITTP, MCCAT)

  12. Air Force Enterprise Defense Objectives • Develop the next-generation Enterprise Defense Framework for AF MAJCOMs and Aerospace Expeditionary Forces (AEF) • Situational Assessment & Decision Support • Improve Network Defender information overload problem • Provide a consistent visual environment for information portrayal • Fuse Information Assurance (IA) and Network Management data into a Common Enterprise Picture (CEP) • Empower the MAJCOM to validate and influence present and future technology so it is suitable for transition into NMS/BIP and other acquisition programs

  13. AFED Technology Insertion for NOSC/NCC • Protect systems • Automated vulnerability/threat detection with countermeasure recommendations • Automated policy/configuration monitoring & change detection • Detect IW attacks in progress • Fuse heterogeneous ID sensor data via AIDE ACTD • Integrates ASIM 3.0/CIDDS • Apply knowledge base & advanced algorithms to enterprise susceptibilities, site policies, and ID data to reduce “false-positives” • Correlate with protection data to improve event prioritization and reduce workload • Assess impact of IW attack on mission critical systems • Automated INFOCON level determination and recommendations • Mission/Situational Assessment resulting from information attacks • Provide Course Of Action (COA) response planning • Maintains mission critical functions without degradation (Network, configuration, QoS analysis)

  14. AFED Technology Insertion for NOSC/NCC (continued) • Automated incident/trouble ticket reporting to reduce operator workload • (e.g. AFCERT, MAJCOM NOSC, Local ARS, TC2CC) • Common Enterprise Picture for Network Management and IA Situational Awareness • Visual Basic prototype for task analysis feedback • Implement with intuitive thin-client tools (e.g. Web) • AFRL/HE designing state-of-the-art interface for final demonstration spiral

  15. Funding Issues

  16. AFRL/IF Cooperation with Government and Industry • Industry • Secure Computing Corp: Sidewinder Firewall Integration (Real-time Alerts, Dynamic Reconfiguration, Mediated DB Access) • Applied Visions Incorporated: SBIR/Collaboration to evolve 3D COTS visualization • Netsquared: Developed network sensor with concept of “session”. State machine reduces false alarms in pattern matches. • MountainWave: SBIR to develop Common Enterprise Picture (Network Management & IA) • Syracuse Research Corporation: Threat, Vulnerabilities & Countermeasures DB integration • ITT: CRDA pursued to provide technology training in support of a transitioned/fielded prototype capability • Motorola: CRDA pursued in joint exploration of innovative visualization capabilities • Government/FFRDC’s • AFRL/HECA: Information Portrayal Expertise, Crew Task Analysis • AFRL/IFS: Master Caution Panel • AFIWC: CSAP21, MOA • ESC/DIW - AIA - AC2ISRC: AFED Tech Transition into IAEDS POM • ESC/DIG: NMS-BIP tech transition for AFED • AF MAJCOMS: AFED Initiative Participation • OSD/DISA: AIDE ACTD, IMDS • DARPA: Leverage over $100M/year 6.2 Technology • NSA-ARL/TX: Self-Learning Knowledge Algorithms • CECOM: EPIC Transition to ISYSCON • MITRE: Lighthouse, Common Vulnerabilities and Exposures (CVE)

  17. Decision Support/COA: AFED Utilities (architecture diagram; labels recovered from the slide). Low level: NetFlare, Host Based Agents, Policy Enforcement; Lighthouse, CMU Automated Vul. Assessment/Adv. Intrusion Detection, DAWIF, TVC, BottleNeck, ISS, Emerald; Forensics, Reporting, Correlation/Data Mining, FACS Incident Report, ARS; Intrusion Detection (Remote Hosts) potentially preprocessed by CIDDs in an AIDE Hierarchy; Visualization/Control and Automated Intrusion Response (NEDAA, Sidewinder, ASIM/CIDD, JIDS, RT GUI, Web, Raptor, NetRadar, ITA, AVI, IMDS, Real Secure, Cisco NetRanger); Potential IAEDS Components; data paths (DB Data via Web, DB Data Direct, Other Data, Cmd/Config) through Web Srv, App Svrs, AFED/AIDE RT DB, AFED Trend DB and a Bridge. High level: TBD.

  18. EPIC Integration Architecture (diagram; labels recovered from the slide). Sites: ALPHA, BRAVO, CHARLIE, DELTA. Inputs from Existing Enterprise Sensors/Feeds (COTS & GOTS): Enterprise Management, Situational Assessment, Information Operations, Vulnerabilities/Risk Analysis, Open Source (DNS, Whois), Network Control (Firewalls, Routers), Host/Network Intrusion Detection, Network/Link Management. Core: Oracle Database (Algorithms/KB, Schema/Tables, Access Policies, Peer-to-Peer Sharing) providing Normalization, Correlation & Data Storage; Visualization, Data Reduction, Fusion, Correlation, Data Mining, Trend Analysis, Knowledge Base, Advanced Intrusion Detection. Rules: Analyst/Organization Rules, Security Policies, Complex Attack Methodologies, INFOCON Rules, Reporting Rules, Courses of Action. Outputs: Action/Protection, Preemptive Measures & Courses of Action, Reporting; Analysts GUI Screens and System Operation/Control (WEB).

  21. Browser Views Normal Browser view Filtered Browser view

  22. AVI’s Secure Scope

  23. System Attribute Visualization • e.g. Mapping Network Components to Vulnerabilities

  24. System Constraint Visualization (Policy Enforcement) e.g. Policy Violations by Multiple Components VRML 2.0 with behaviours and external interfaces

  25. Event Listing

  26. Signature Summary

  27. Notional IA COP (diagram; labels recovered from the slide). Mission Critical Systems: GCCS, JOPES, Logistics, GTN, Personnel, SIPRNET, NIPRNET. CINCs: EUCOM, SPACECOM, STRATCOM, TRANSCOM, SOCOM, SOUTHCOM, PACOM, ACOM, CENTCOM. GCCS IA COP inputs: Intel, CYBERWATCH, INTELLINK, WATCHCON, NSIRC, MID, NMCC, DII Red Team, INFOCON. What should this look like? What does a CinC/JTF Commander want? What does a CinC/JTF Commander need?

  28. Collaborative Planning (diagram; labels recovered from the slide, laid over the notional IA COP of slide 27). COMPUTER NETWORK DEFENSE, NAVY COMPONENT TASK FORCE: Identify, Assess, Respond, Inform. Layers: Mission Critical Applications; Net Services Layer; Sensor Grid Layer (Non-Intrusive, Intrusive); Network (IP Routing) Layer (SIPRNET, NIPRNET, Other); Physical/Circuit Layer (RF, Space, Terrestrial); VIGILANCE NETWORK. Tools . . . and . . . Processes

  29. Notional IA COP showing a SIPRNET congestion event (diagram; same CINCs, mission critical systems and layers as slides 27-28, with JOPES and the Mission Critical Applications layer called out and an IDNX Switch at the Physical/Circuit Layer)

  30. IA Architecture Vision (diagram; labels recovered from the slide). Hierarchy: Global, Regional, Base/Post/Station, Local Enclaves. Network Level Monitoring (Intrusion Detection) sensors and Host Level Monitoring sensors feed an IA Situational Awareness and Decision Spt System; Consistent Thresholds ensure consistent technology and reporting, giving Global IA Situational Awareness. Callout: “ALERT! We are seeing multiple attacks using similar exploitation techniques! Correlate and report to Global Ctr”

  31. Advanced Crew System Interfaces for Information Operations Center (IOC)

  32. Potential Problems for Fusion Engines to Solve • Problem: Identifying low, slow mapping and probing attempts • Issues: Sensor data grows quickly and is difficult to store; problems with storage and retrieval • Current plan: utilize a trend database that saves suspicious events and compresses other data • Problem: Acquiring knowledge from domain experts for data analysis • Issues: Some data gathering has been done but data is not readily available • Problem: Data correlation (between sensors and events) in real time to identify attacks and reduce false alarms • Issues: Throughput (for real-time operation) is the biggest problem • Current plan: Implement “rules” in native code • Problem: Goal seeking to determine the intent (or goal) of an attack • Issues: Need a flexible, backward-chaining capability • Problem: Need rule/filter deconfliction between components • Issues: Need to ensure that all filters/rules do not conflict with each other and that a filter does not block data needed by a rule • Problem: Data mining to identify new attack signatures • Problem: Modification of KB knowledge space by non-KB experts • Problem: Threat profile/identification extrapolation • Problem: Machine learning algorithms that enable the system to anticipate the analyst’s “next move”
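Three of the problems on slide 32 (low-and-slow probe detection, a trend database that keeps suspicious events and compresses the rest, and rule/filter deconfliction) are concrete enough to show in code. The following is an added illustration written for this transcript, not code from AFED, EPIC or AIDE: the sensor names ("net-ids", "host-agent"), the event fields, the thresholds and the sample feed are all constructed for the example.

```python
"""Toy fusion-engine pieces for three problems from the slide: low-and-slow
probe detection, a trend store that keeps suspicious events and compresses
the rest, and rule/filter deconfliction. Sensor names, event fields and the
sample events are constructed for this example, not real sensor output."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

HOUR, DAY = 3600, 86400


@dataclass(frozen=True)
class Event:
    ts: int          # seconds on a constructed clock
    sensor: str      # hypothetical sensor name: "net-ids" or "host-agent"
    src: str
    dst: str
    dport: int
    sig: str = ""    # signature name from the sensor; "" is a plain connection record


def detect_probes(events, window=DAY, min_targets=10, slow_rate_per_hour=3):
    """Flag sources touching >= min_targets distinct (dst, port) pairs inside any
    window-second span. If the peak hourly rate in that span stays <= slow_rate_per_hour
    the probe is low-and-slow: each hour looks harmless, only the long window shows it."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)
    findings = {}
    for src, evs in by_src.items():
        best = None                      # (distinct targets, peak hourly event rate)
        lo = 0
        for hi in range(len(evs)):
            while evs[hi].ts - evs[lo].ts > window:   # slide the window start forward
                lo += 1
            span = evs[lo:hi + 1]
            targets = {(e.dst, e.dport) for e in span}
            if len(targets) >= min_targets and (best is None or len(targets) > best[0]):
                per_hour = defaultdict(int)
                for e in span:
                    per_hour[e.ts // HOUR] += 1
                best = (len(targets), max(per_hour.values()))
        if best:
            kind = "low-slow probe" if best[1] <= slow_rate_per_hour else "probe"
            findings[src] = (kind, best[0])
    return findings


def trend_store(events, findings):
    """Keep suspicious events verbatim (signature hits, or any event from a flagged
    source); collapse the rest into hourly (sensor, src, dst, dport) counts."""
    kept, counts = [], defaultdict(int)
    for e in events:
        if e.sig or e.src in findings:
            kept.append(e)
        else:
            counts[(e.sensor, e.src, e.dst, e.dport, e.ts // HOUR)] += 1
    return kept, dict(counts)


@dataclass(frozen=True)
class Filter:
    name: str
    sensor: str
    dport: Optional[int] = None      # None: drops every event from the sensor


@dataclass(frozen=True)
class Rule:
    name: str
    sensors: frozenset               # sensors the rule must see
    dports: frozenset = frozenset()  # empty: the rule needs every port


def deconflict(filters, rules):
    """Return (filter, rule) name pairs where a filter would discard input a rule
    depends on, i.e. the pair cannot be deployed together as written."""
    conflicts = []
    for f in filters:
        for r in rules:
            if f.sensor not in r.sensors:
                continue
            if f.dport is None or not r.dports or f.dport in r.dports:
                conflicts.append((f.name, r.name))
    return conflicts


# Constructed sample feed: a chatty benign client, a one-port-per-hour scanner,
# a fast scanner, and a single host-agent signature hit.
SAMPLE_EVENTS = (
    [Event(i * 60, "net-ids", "10.0.0.5", "10.1.1.10", 80) for i in range(60)]
    + [Event(i * HOUR, "net-ids", "192.0.2.7", "10.1.1.10", 1000 + i) for i in range(24)]
    + [Event(5000 + i, "net-ids", "198.51.100.9", "10.1.1.20", 1 + i) for i in range(50)]
    + [Event(100, "host-agent", "192.0.2.7", "10.1.1.10", 22, "failed-login")]
)
SAMPLE_FILTERS = [Filter("drop-web-noise", "net-ids", 80), Filter("mute-host-agent", "host-agent")]
SAMPLE_RULES = [
    Rule("port-probe", frozenset({"net-ids"})),
    Rule("ssh-brute", frozenset({"host-agent"}), frozenset({22})),
    Rule("tls-exploit", frozenset({"net-ids"}), frozenset({443})),
]

if __name__ == "__main__":
    found = detect_probes(SAMPLE_EVENTS)
    kept, counts = trend_store(SAMPLE_EVENTS, found)
    print(found)
    print(len(SAMPLE_EVENTS), "events ->", len(kept), "kept +", len(counts), "trend rows")
    print(deconflict(SAMPLE_FILTERS, SAMPLE_RULES))
```

On the sample feed the hour-per-port scanner is only visible over the day-long window (its peak hourly rate is two events), the fast scanner is caught as an ordinary probe, and the sixty benign connections collapse into one trend row. The deconfliction pass reports that a port 80 noise filter starves the all-ports probe rule and that muting the host agent starves the SSH rule, while the port 443 rule is unaffected, which is exactly the "filter blocks data needed by a rule" case the slide names.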

  33. Technology Assessment COTS/GOTS • Speech recognition • Large screen displays • Multi-media integration • Graphics processing chips • Scientific data visualization • CSCW tools (whiteboards, VTC, etc.) Current R&D • User Modeling • Information Needs Modeling • Dialog Management • Heterogeneous Data Integration & Fusion • Intelligent Push Technology • Uncertainty Portrayal • Pedigree Capture & Source Characterization • Mixed-Initiative Systems • Conversational Querying • Drill down New Development • Capturing User Intent/Intent Inferencing • User-Centric Relevance Measures • Information Life Cycle Adapted from: AFSAB 1998 report, “Information Management to Support the Warrior” and Information Ops TPIPT

  34. Elicitation + Representation + Portrayal + Interaction. To achieve this (the right information, at the right time, disseminated in the right way, displayed in the right way, so that people do the right things at the right time in the right way) you must understand the Information Space, the Decision Space, the Cognitive Space, the Task Space, the System Space, the Physical Space, the Group Space and the Personnel Space. • Functional – examine goals & structural features • Cognitive – identify the cognitively demanding aspects of decision makers’ tasks • Analyze work domain constraints & task context • Supports team decision making and coordination • Supports software design (to include visualization)

  35. Machine Learning Algorithms for Auto-Refining Visualisations • Dynamic IO Field • ROE, CONOPS • Rapidly Evolving Technology • Standards, Processing Power • Knowledge elicitation can fail to improve visualization • Users tend to think only in terms of current process/technology • Cannot specify what they want until they see it • Balance expeditious acquisition with due diligence in knowledge elicitation • The “My Yahoo”(.com) concept • Custom visualizations • Customizable visualizations • Self-arranging menus & drill-downs based on analyst use
