Download PDF - Department of Navy Chief Information Officer - U.S. ...

More documents

Recommendations

Info

By John McEachen, John Zachary and David Ford“Slammer,Blaster,Code Red”— the simple fact that the general publicassociates these terms with computer network attacks speaks volumesfor how far awareness of network security has advanced inthe past few years. Unfortunately, the same cannot be said for thetechnology designed for repelling these attacks. Change has beenincremental and, for the most part, we are still conducting businessthe way we were 20 years ago. Consequently, while the sophisticationand virulence of network attacks have increased exponentially,the ability to stop these attacks has advanced only linearly.For example,in 2001 Code Red infected over 300,000 network hostsin half a day. In 2003,it took under 30 minutes for the Slammer wormto infect over 75,000 hosts, 90 percent of which were infected inunder 10 minutes. This escalating rate of propagation highlights therequirement for network detection mechanisms to serve as real-timeearly warning devices. Clearly,there is a critical need for transformationalchange in the way the Department of Defense (DoD) performscomputer network defense (CND).Therminator is a new and radical approach to CND on an immediatebasis and to systems of exchange on a more abstract level. Consequently,Therminatoris well-suited as a transformational enabler forthe network-centric vision of FORCEnet. While the specific applicationof Therminator has been most recently applied to IP networks,the concepts and techniques can be applied to all manner of networksand communications systems.Therminator is based on proven science from combinatorics, statisticsand thermodynamics. The system can be considered a new layerin the “Defense in Depth” approach to network security and providesnetwork administrators with a novel perspective (Figure 1) onhow their network is operating. Therminator is highly scalable andits composite approach can even facilitate creation of “Therminatorsof Therminators.” It has been tested at the U.S. Pacific CommandNetwork Operations Center,Ft.Shafter,Hawaii,U.S.Pacific CommandHeadquarters, Camp H.M. Smith, Hawaii and the U. S. Army SignalCommand, Ft. Huachuca, Ariz. Follow-on installations are beingplanned.BackgroundThe development of a dependable and secure networked computinginfrastructure depends on real-time monitoring and detectionof anomalous events. These events and behaviors typically aresourced at a host and are propagated over a network to a victimFigure 1. A generic snapshot of the primary Therminator display.The top portion of the graph is a display of average bucket sizes associatedwith conversation groups. The lower portion of the graph illustrates the “thermal canyon” — the relationship of various networkstates over time (indicated from left to right).18 CHIPS Dedicated to Sharing Information*Technology*Experience
host or network. The typical approach is to apply intrusion detectionprinciples to a network to capture and classify maliciousbehavior. The earliest intrusion detection systems (IDS) integratedsignature-based analysis for detection with normal network models.Since then, many different systems have been based on theassumption that malicious network activity is inherently differentfrom normal activity. Recent experience, however, suggests thatthe scope and character of network attacks is such that intrusiondetection systems are insufficient network protection mechanisms.This is especially true of signature-based IDS, which compare realevents to a set of known malicious or abnormal events. These typesof systems are poor at detecting new attacks, variations of knownattacks or attacks that can be masked as normal network behavior.The complex, interactive nature of computer networks is subjectto the critical mass effect. The spread of worm-like attack is muchlike the effect observed with a paper napkin when increasing forceis applied. The progress of the tear is hardly noticeable at first until,quite suddenly, the napkin is ripped in two. The physical nature ofcomplex,interactive systems such as computer networks highlightsthe need for rapid, real-time indication of attack propagation.Thus, there is a real need for a new approach in thinking about CND.Therminator emphasizes active real-time network monitoring andanomaly detection as complementary mechanisms to the traditionalnetwork intrusion detection process. The separation of network trafficbehavior into normal, anomalous and malicious categories underthe umbrella of real-time monitoring and configuration managementgives operators a holistic view of network activity.Motivated by the need for CND transformation,the real-time implementationof Therminator was developed in 2001 at the Fort ShafterNOC by two students of the Naval Postgraduate School,Lt.StephenDonald, USN, and Capt. Robert McMillen, USMC. Using live operationalnetwork traffic and working in tandem with scientists fromthe National Security Agency,the Institute for Defense Analysis andthe SANS (SysAdmin, Audit, Network, Security) Institute, the teamproduced a working application in 90 days. Testing and analysishave continued over the past two years and in March 2003, softwaredevelopment was picked up by the University of South CarolinaDistributed Systems Security and Cryptography Laboratory.Most recently, Lancope, Inc. of Atlanta, Georgia, released a versionof its Stealthwatch Intrusion Detection System that integrates manyof the Therminator concepts. This product, called Stealthwatch +Therminator (SW+T or SWAT),combines the information-dense yieldof Stealthwatch with the data reduction features of Therminator toproduce a system that provides both macro- and micro-views of anIP network. The ideas behind SW+T are based on a non-exclusivelicense purchased by Lancope from DoD in November 2002.Commercial ventures not withstanding, research in Therminatorapplications aligned with specific national security interests continuesat the Naval Postgraduate School, the University of South Carolinaand the Georgia Institute of Technology. Areas of investigationinclude implementation of Therminator in hardware to operate atgigabit speeds, and analysis of Therminator concepts in nontraditionalnetworks.ConceptA computer network is a complex interactive system. The signal itproduces is the result of many millions of precise,directed exchangesbetween thousands of its component parts. To maintain informationsuperiority, survivability (reliability, usability and security) andmission support,it is essential that the state of readiness in this complexmachine be timely and understandable to decision makers atseveral levels in the chain of command. In addition, it is crucial thatthis trusted state of readiness be defended from those that continuallyact to undermine both its readiness and integrity. This meansthat the long and short term actions of those who seek to controlour critical infrastructure be transparent to those entrusted with thetask of defending and repairing it.For many researchers the complexity of this problem is an obstacle.The Therminator research initiative uses the complexity of this problemas an advantage. By extending the work and lessons learned bymany generations of scientists, Therminator uses the well-foundedtheories of statistical mechanics and combinatorics as a template anda strategy for dynamic data reduction, visualization, analysis, interpretationand forensics. Thus, it does not rest on the ad hoc opinionof a single researcher or single group of researchers on what seemslike a good strategy, it avoids reinventing the wheel by building onwell-established scientific and mathematical principles.Therminator provides a continuous real-time, compact and visualrepresentation of states of exchange between network entities. Thebasic premise results from modeling the network as a finite numberFigure 2. The division of labor in the Therminator model. Therminator provides a general mapping of the characteristics of communicationsexchanges, providing a generic metric for warfighters to compare anomalies across applications.CHIPS Winter 2004 19
Page 1 and 2: CHIPS Winter 2004 1
Page 3 and 4: Volume XXII Issue I4 Editor’s Not
Page 7 and 8: way to Baghdad without going to the
Page 9 and 10: you’ve provided. While geographic
Page 11: although we constantly upgrade the
Page 14 and 15: Front row, left toright: Lt. Cmdr.L
Page 16 and 17: By Lt. Cmdr. Edwin L. Armistead, US
Page 20 and 21: Figure 3. Therminator’s approach
Page 22 and 23: What is FISMA?The Federal Informati
Page 24 and 25: By Sandra J. SmithAssessing the IT
Page 26 and 27: First U.S. NavyInstallationof DMS A
Page 28 and 29: “Our goal is a Web-enabled Navy-M
Page 30 and 31: shown here purposely simplify the e
Page 32 and 33: By Rebecca Nielsen and Kenya Spinks
Page 34 and 35: It is clear that spectrum is a keyc
Page 36 and 37: The title of this article is actual
Page 38 and 39: DepartureModelCMMI CompatibleFeat
Page 40 and 41: Ensuring C4 for the WarfighterBy Lt
Page 42 and 43: By Robert L. Sullivan and Robert B.
Page 44 and 45: Teamwork SolvesNMCI ProblemBy Bob B
Page 46 and 47: connected your call to an operator
Page 48 and 49: ViViD ContractsN68939-97-D-0040Cont
Page 50 and 51: Research and Advisory BPAsListed Be
Page 52: 52CHIPS Dedicated to Sharing Inform

Download PDF - Department of Navy Chief Information Officer - U.S. ...

Create successful ePaper yourself

Delete template?

Save as template?