
DARPA OASIS Meeting Santa Fe New Mexico



Presentation Transcript


  1. DARPA OASIS Meeting, Santa Fe, New Mexico. July 26, 2001. Joseph E. Johnson, PhD; Vladimir Gudkov, PhD. Not for Public Release

  2. Overview of Our Work
  • IRIS
    • A C4I Emergency Management System in operation for four years for SC. IRIS requires maximum invulnerability.
  • Part I: Complete System Replication
    • Addresses site-specific threats
  • Part II: Network Security
    • Threats to networks – Vladimir Gudkov

  3. IRIS – Background
  • Our team developed the Internet Routed Information System (IRIS) to manage all threat events and response tracking for SC.
  • IRIS consists of a central Oracle 8i database running on an IBM Unix (RS/6000 H70) multiprocessor with Java and GIS mapping, with all data interfacing through standard web browsers. Soon we will implement a voice recognition interface.
  • IRIS is a Command, Control, Communication, Computer & Information (C4I) type system and very pertinent to DARPA security efforts.
  • The system has been fully operational for 4 years managing all emergency events & threats, resource requests, messages, and logs. New additions include databases for critical facilities, donated goods, damage tracking, and personnel tracking.
  • In particular, IRIS manages threats of BCN terrorism and specifically tracks information infrastructure and computer attacks.
  • We anticipate new funding in Oct 2001 explicitly to build a biological terrorism module.

  4. IRIS Threats – DARPA Initiatives
  • Threats:
    • Acts of nature (hurricanes, epidemics, power & IP loss, ...)
    • Unintentional acts of man (including hardware failures & software bugs)
    • Intentional acts of man (including network attacks and viruses and all forms of crime and terrorism)
  • Our DARPA efforts are designed to make the IRIS system as robust and invulnerable as possible:
    • For site-specific threats: use system replication
    • For network threats: today's talk

  5. System Replication
  • We utilize three identical dual-processor IBM H70 Unix systems located at USC, UU, and Maui HPCC in secure environments linked by Internet II.
  • We continue to study optimal means of program and data replication (from SC EPD) so that full operations can be recovered and continued from any of the three sites within minutes.
  • We reported on our progress in this area at the last PI meeting and we will give a final report at the next appropriate meeting.

  6. Network as a Complex System: Information Flow Analysis. Santa Fe, July 25, 2001. Vladimir Gudkov & Joseph E. Johnson, University of South Carolina

  7. Project Goals
  Real-time network monitoring for:
  • Automatic detection of known attacks
  • Detection of UNKNOWN attacks over a wide time range (from msec to months) at the reconnaissance stage of the attack

  8. Approach
  • Describe the information traffic of a host-to-host communication as a trajectory in a multi-dimensional parameter-time space
  • Understand the properties of the information flow
  • Use fast pattern recognition methods (wavelet analysis) for network analysis and for detection of possible intrusions

  9. Information traffic description
  • To understand the structure of the variables for Internet host-to-host communications we used dumped output of network traffic.
  • The parameters encapsulated in the packet headers have been divided into two separate classes: dynamical and static (MAC [router] and IP address).
  • The information traffic for a host-to-host communication can be described as a trajectory in a multi-dimensional static parameter-time space.

  10. A Packet Header

  Frame 1 (161 on wire, 161 captured)
      Arrival Time: Nov 8, 2000 10:49:08.2032
      Time delta from previous packet: 0.000000 seconds
      Frame Number: 1
      Packet Length: 161 bytes
      Capture Length: 161 bytes
  Ethernet II
      Destination: 00:60:08:9b:e7:56 (00:60:08:9b:e7:56)
      Source: 00:10:5a:19:01:ee (asgnet2.psc.sc.edu)
      Type: IP (0x0800)
  Internet Protocol
      Version: 4
      Header length: 20 bytes
      Differentiated Services Field: 0x00 (DSCP 0x00: Default)
          0000 00.. = Differentiated Services Codepoint: Default (0x00)
          .... ..00 = Currently Unused: 0
      Total Length: 147
      Identification: 0x7302
      Flags: 0x04
          .1.. = Don't fragment: Set
          ..0. = More fragments: Not set
      Fragment offset: 0
      Time to live: 128
      Protocol: TCP (0x06)
      Header checksum: 0x2f0c (correct)
      Source: asgnet2.psc.sc.edu (129.252.170.50)
      Destination: ivispbx2.asg.sc.edu (129.252.170.43)
  Transmission Control Protocol, Src Port: nbsession (139), Dst Port: 1309 (1309), Seq: 34966149, Ack: 519891016
      Source port: nbsession (139)
      Destination port: 1309 (1309)
      Sequence number: 34966149
      Acknowledgement number: 519891016
      Header length: 20 bytes
      Flags: 0x0018 (PSH, ACK)
          ..0. .... = Urgent: Not set
          ...1 .... = Acknowledgment: Set
          .... 1... = Push: Set
          .... .0.. = Reset: Not set
          .... ..0. = Syn: Not set
          .... ...0 = Fin: Not set
      Window size: 8360
      Checksum: 0x0dbd
  NetBIOS Session Service
      Message Type: Session message
      Flags: 0x00
          .... ...0 = Add 0 to length
      Length: 103
  SMB (Server Message Block Protocol)
      Message Type: 0xFF
      Server Component: SMB
      SMB Command: SMBntcreateX (0xa2)
      Error Class: Success
      Reserved: 0
      Error Code: No Error
      Flags: 0x98
          .... ...0 = Lock&Read, Write&Unlock not supported
          .... ..0. = Receive buffer not posted
          .... 1... = Path names caseless
          ...1 .... = Pathnames canonicalized
          ..0. .... = OpLocks not requested/granted
          .0.. .... = Notify open only
          1... .... = Response to client/redirector
      Flags2: 0x8003
          .... .... .... ...1 = Long file names supported
          .... .... .... ..1. = Extended attributes supported
          .... .... .... .0.. = Security signatures not supported
          .... 0... .... .... = Extended security negotiation not supported
          ...0 .... .... .... = Don't resolve pathnames with DFS
          ..0. .... .... .... = Don't permit reads if execute-only
          .0.. .... .... .... = Error codes are DOS error codes
          1... .... .... .... = Strings are Unicode
      Reserved: 6 WORDS
      Network Path/Tree ID (TID): 12292 (3004)
      Process ID (PID): 53280 (d020)
      User ID (UID): 14339 (3803)
      Multiplex ID (MID): 17792 (4580)
      Data (71 bytes)

  11. Information Flow Representation
  • We can describe (on-line) the complete structure of the packet header in terms of MATHEMATICAL FUNCTIONS
  • This is the basis for theoretical and numerical analysis
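Slides 9 to 11 describe splitting the fields of a captured packet header into static parameters (MAC and IP address) and dynamic ones, and following the dynamic values of one host-to-host conversation as a trajectory over time. The Python example below is added here to make that concrete; it is not code from the presentation or from the IRIS project. It builds a frame whose Ethernet, IP and TCP header values are the ones decoded on slide 10 (the 107-byte NetBIOS/SMB payload is not reproduced and is zero-filled, so the TCP checksum is left at zero and not verified), parses it with struct, verifies the IP header checksum, and groups the dynamic parameters by static key. Treating the port pair as static is this example's choice, not something the slides state; the function names and the second sample packet are constructed.

```python
import struct
from collections import defaultdict

# Constructed frame (not a capture from the slides): Ethernet II / IPv4 / TCP
# header values copied from the slide-10 decode; the 107-byte NetBIOS/SMB
# payload is not reproduced and is zero-filled.
SLIDE10 = dict(dst_mac="00:60:08:9b:e7:56", src_mac="00:10:5a:19:01:ee",
               src_ip="129.252.170.50", dst_ip="129.252.170.43",
               ident=0x7302, ttl=128, sport=139, dport=1309,
               seq=34966149, ack=519891016, tcp_flags=0x18, window=8360)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IP header. Compute with the
    checksum field zeroed; verifying a received header (field in place)
    must return 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame(seq=SLIDE10["seq"], payload_len=107) -> bytes:
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    eth = mac(SLIDE10["dst_mac"]) + mac(SLIDE10["src_mac"]) + b"\x08\x00"
    total_len = 20 + 20 + payload_len
    ip = struct.pack("!BBHHHBBH", 0x45, 0, total_len, SLIDE10["ident"],
                     0x4000, SLIDE10["ttl"], 6, 0)          # DF set, checksum 0
    ip += ip4(SLIDE10["src_ip"]) + ip4(SLIDE10["dst_ip"])
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    # TCP checksum left at 0: the payload is not reproduced, so it cannot be
    # recomputed and is not verified below.
    tcp = struct.pack("!HHIIBBHHH", SLIDE10["sport"], SLIDE10["dport"], seq,
                      SLIDE10["ack"], 0x50, SLIDE10["tcp_flags"],
                      SLIDE10["window"], 0, 0)
    return eth + ip + tcp + bytes(payload_len)


def parse_frame(frame: bytes) -> dict:
    """Split one Ethernet/IPv4/TCP frame into static and dynamic parameters."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled")
    ip = frame[14:]
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum = \
        struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("only TCP is handled")
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off, flags, window, _tcsum, _urg = \
        struct.unpack("!HHIIBBHHH", tcp[:20])
    fmt_mac = lambda b: ":".join("%02x" % x for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {
        # slide 9 names MAC and IP address as static; adding the port pair is
        # this example's choice
        "static": {"src_mac": fmt_mac(src_mac), "dst_mac": fmt_mac(dst_mac),
                   "src_ip": fmt_ip(ip[12:16]), "dst_ip": fmt_ip(ip[16:20]),
                   "src_port": sport, "dst_port": dport},
        "dynamic": {"ident": ident, "ttl": ttl, "df": bool(flags_frag & 0x4000),
                    "total_len": total_len, "seq": seq, "ack": ack,
                    "tcp_flags": flags, "window": window,
                    "payload_len": len(tcp) - (off >> 4) * 4},
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0,
    }


def trajectories(packets):
    """Group (timestamp, frame) pairs by host-to-host static key; each value is
    the time-ordered list of dynamic-parameter points of that conversation."""
    paths = defaultdict(list)
    for ts, frame in sorted(packets, key=lambda p: p[0]):
        p = parse_frame(frame)
        s = p["static"]
        key = (s["src_ip"], s["src_port"], s["dst_ip"], s["dst_port"])
        paths[key].append((ts, p["dynamic"]))
    return dict(paths)


if __name__ == "__main__":
    # Two constructed packets of the same conversation, 2.1 ms apart
    pkts = [(0.0, build_sample_frame()),
            (0.0021, build_sample_frame(seq=SLIDE10["seq"] + 107))]
    for key, path in trajectories(pkts).items():
        print(key)
        for ts, dyn in path:
            print("  t=%.4f seq=%d ack=%d len=%d"
                  % (ts, dyn["seq"], dyn["ack"], dyn["payload_len"]))
```

The static key identifies the conversation and the list of dynamic points is the trajectory the slides refer to; the IP checksum over the constructed header comes out as 0x2f0c, the value the slide-10 decode reports as correct, which confirms the constructed header matches the decoded fields.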

  12. Questions to answer in the first stage of experiments
  • What is the characteristic dimension of the network parameter space?
  • How many nodes are needed to consider the network a "complex enough" system?
  • How does the dimension of the space depend on the network topology and on the number of nodes?

  13. Method: Chaotic Data Analysis*
  * e.g. H.D.I. Abarbanel et al., Rev. Mod. Phys. 65 (1993) 1331 and references therein

  14. Method (continued)

  15. Dimension of Information flow

  16. Structure of "Information" space
  • Dimension (number of independent parameters) is about 10 – 12
  • It does not depend on the network topology, size, operating systems, ...
  • Therefore, one can study the structure of network traffic and possible network intrusions in terms of those parameters.

  17. Fourier Transform

  18. Wavelet (local cosine)

  19. What have we got?
  • A method to describe (in real time) information traffic and possible network intrusions in terms of well-defined network parameters
  • Understanding of some aspects of the basic (fundamental) structure of the information flow
  • The ability to detect intrusions at the reconnaissance stage of attacks

  20. What are we working on?
  • Understanding of normal network behavior
  • A quantitative method for detecting and classifying the danger level of possible attacks
  • A model-independent way to obtain the best possible (optimized) detection level for a given class of intrusions

  21. How do we plan to do this?
  • Correlations of the parameters using pattern recognition in multi-dimensional space (wavelet analysis, Fast Fourier Transform, statistical methods, ...)
  • Time-scale signal separation and noise reduction (wavelets, random matrices, ...)
  • On-line analysis (to test methods, hypotheses, etc.)
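Slides 8, 18 and 21 propose wavelet analysis and time-scale signal separation to pick up intrusions, including slow reconnaissance, over windows from milliseconds to months. The Python example below is added to illustrate that idea and is not code from the presentation or the project: it runs a Haar approximation pyramid (adjacent-pair averaging, i.e. window means at scales 1, 2, 4, ... seconds) over a constructed per-second packet-count series containing an 8-second burst and a 128-second low-rate scan, then scores every window at every scale with a robust z-score (median and scaled MAD of that scale's coefficients). The flag threshold k=4, the random seed, the anomaly sizes and all function names are this example's choices.

```python
import random
from statistics import median

# Constructed per-second packet-count series (not traffic from the slides):
# 512 s of "normal" counts plus a short burst and a slow low-rate scan.
N = 512
BURST = range(256, 264)      # 8 s at +40 packets/s
SCAN = range(384, 512)       # 128 s at +3 packets/s


def build_series(seed=7):
    rng = random.Random(seed)
    series = [rng.randint(5, 7) for _ in range(N)]   # background 5..7 pkt/s
    for i in BURST:
        series[i] += 40
    for i in SCAN:
        series[i] += 3
    return series


def haar_pyramid(series, min_windows=8):
    """Haar approximation pyramid: {scale: [window means]}. Each level
    averages adjacent pairs of the previous one, so scale doubles per level;
    levels with fewer than min_windows coefficients are not produced."""
    level = [float(v) for v in series]
    pyramid = {1: level}
    scale = 1
    while len(level) // 2 >= min_windows:
        level = [(level[2 * i] + level[2 * i + 1]) / 2
                 for i in range(len(level) // 2)]
        scale *= 2
        pyramid[scale] = level
    return pyramid


def robust_z(values):
    """Deviation from the median in units of the scaled MAD (1.4826 * MAD
    approximates one standard deviation for Gaussian noise)."""
    med = median(values)
    mad = 1.4826 * median(abs(v - med) for v in values)
    if mad == 0:
        mad = 1e-9          # degenerate scale; every deviation becomes huge
    return [(v - med) / mad for v in values]


def detect(series, k=4.0):
    """Return {scale: (z_scores, [flagged window indices])}. Window i at a
    given scale covers seconds [i*scale, (i+1)*scale)."""
    result = {}
    for scale, coeffs in haar_pyramid(series).items():
        z = robust_z(coeffs)
        result[scale] = (z, [i for i, v in enumerate(z) if v > k])
    return result


if __name__ == "__main__":
    for scale, (z, flagged) in detect(build_series()).items():
        spans = ["%d-%ds" % (i * scale, (i + 1) * scale - 1) for i in flagged]
        print("scale %3ds: %2d windows flagged %s"
              % (scale, len(flagged), spans[:6]))
```

At 1 s resolution the burst stands out but the scan's extra 3 packets/s sits inside the background noise; at the 64 s scale the scan windows separate cleanly, which is the time-scale separation the slides refer to. For real traffic the median and MAD should be learned from known-normal periods (slide 20) rather than from the series under test, since a long-running intrusion would otherwise pull the baseline toward itself.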
