Download PDF - Department of Navy Chief Information Officer - U.S. ...

More documents

Recommendations

Info

Figure 3. Therminator’s approach can be applied across a broadspectrum of FORCEnet applications.of conversation groups called buckets that pass information, calledballs,among themselves. This produces a notion of a network staterepresented by the aggregate of all the buckets with the balls theycontain. The complexity and asynchrony of this exchange among alarge set of network nodes creates a high-dimensional combinatorialsystem to which dimensionality reduction inspired by statisticalphysics is applied. From this network state and the state transitionsthat occur during each packet arrival, the thermal propertiesof entropy, energy, temperature, work and heat can be computedand displayed. Asymmetrical perturbations in these displays haverevealed anomalous network activity resulting from malicious activityand misconfigurations, some of which were not detected bystandard signature-based intrusion detection systems.Application to FORCEnetComputer networks and interacting systems in general, are basedon a layered architecture to facilitate systems interoperability anddesign. The layered design paradigm permeates many modern distributedsystems affecting solutions to the association problem.The inherent elegance in the Therminator approach and the aspectthat makes it applicable to FORCEnet, is that it yields a model ofconversation exchange dynamics that is consistent across horizontallevels (different applications) and across vertical levels (differentarchitecture layers, shown Figure 2). A consistent model acrossvertical levels will allow technicians, analysts and decision makersto compare apples to apples because all behavior is cast in the samegeneral model (conversation exchange dynamics). This will reducethe time from data collection to information creation to knowledgeunderstanding and finally decision making.In other words, using the Therminator approach, anomalous activityin one environment (e.g., satellite control systems) could be reliablycorrelated with activity in a very different setting (e.g., IP networks).This is made possible because both are considered only interms of their exchange properties and related dynamics. A subsetof these potential applications is shown in Figure 3.The Therminator architecture as shown in Figure 4 is based on anapplication-independent central core processing element that isfed by application-dependent sensors. In the case of IP networksthese sensors are packet sniffers which perform rudimentarymetadata association. External to the core are the graphical userinterface (GUI) modules and plug-ins for second-order analysis ofthe core output.Figure 4. The Therminator architecture is centered upon a coreevent correlator. Input is received from application-dependentsensors and output is fed to a GUI and second-order plug-ins.ExamplesTherminator has been extensively tested in both controlled laboratorysettings and on real-world network traffic. The current softwarebasedimplementation handles generated network traffic from 10Mbps to 100 Mbps without dropping packets. A visualization of thebucket spaces and thermal manifolds provide interactive real-timefeedback of the conversations exchange dynamics. Users are ableto drill-down to specific packet information simply by clicking anywherein the GUI.Figure 5 illustrates the thermal manifold or “thermal canyon” producedfrom an exchange between 1,000 client machines on anuntrusted network with 10 Web servers on a trusted network. Networkload was approximately 1,500 packets per second. Figure 6illustrates the same exchange of traffic with a single UDP (UserDatagram Protocol) packet injected. The difference in the thermalcanyon between Figures 5 and 6 is evident, keeping in mind thatduring this two-minute period over 200,000 packets were exchanged.Figure 7 shows the Therminator response to an actual event on anoperational network: a flood of ICMP (Internet Control Message Protocol)packets originating inside a monitored network detected afternormal working hours. The packet flood consisted of 6,032 ICMPecho requests/replies within a four-second time period. ICMP echorequests/replies are not anomalous per se. In this event, however,the owner of this particular client machine was logged off and athome, thus prompting a notification to the local CERT (ComputerEmergency Response Team) for follow-up. This event was not detectedby any other installed network protection system.The final example of an operational success of this model occurredwhen Therminator detected a Code Red worm attack during a demonstration.The case study shown is an interesting example of therange of anomalies that Therminator is capable of revealing. Figure8 shows a small number of packets entering the NPS network thatcorrespond to the Code Red worm. This is in contrast to the result ofthe swift counteraction of the firewall administrator shutting20 CHIPS Dedicated to Sharing Information*Technology*Experience
Figure 5. The display associated with synthetic network trafficfrom 1,000 untrusted clients to 10 trusted Web servers over aperiod of two minutes. This figure represents over 200,000packets.Figure 8. A snapshot of the Code Red attack in progress. Thedisplay highlighted by the red circles is associated with the CodeRed worm entering the NPS campus. The area highlighted bythe yellow circles is associated with the firewall administratorshutting down the firewall in response to notification of the arrivalof the worm. Compare the display associated with the intrusionof the Code Red worm with that of the actions taken bythe firewall administrator shortly thereafter.down the firewall highlighted by the yellow circles. This area showsthousands of Web requests heading to the Internet while all the responsesare blocked.Figure 6. The same 200,000 packets shown in Figure 5 plus a singleadditional UDP packet. The difference is evident at approximately60 seconds.SummaryTherminator is a radical attempt at transformation in DoD CND andin FORCEnet monitoring in general. Traditional approaches to CNDcannot keep up with the rapid changes in network intrusions. Byreducing data to an expression of exchange dynamics,Therminatorcan provide a metric for an apples to apples comparison across communicationsapplications thus allowing for informed and rapid decisionmaking.Figure 7. A snapshot of an actual packet flood observed withinan operational network. This flood consisted of over 6,000 packetsin a four-second period from a single host during off-hours.John McEachen is an Associate Professor of Electrical and ComputerEngineering at the Naval Postgraduate School. Dr. McEachen is the codirectorof the ECE Advanced Networking Laboratory and the formerdirector of Reconfigurable Intrusion Detection and Deception LaboratoryResearch (RIDDLR). In 2003, he was awarded the Richard W. HammingAward for excellence in interdisciplinary teaching and research.John Zachary is an Assistant Professor of Computer Science at the Universityof South Carolina and Director of the Distributed Systems Securityand Cryptography Laboratory. Dr. Zachary was formerly employedby the Advanced Research Laboratory of Penn State University.David Ford is a Research Professor at the Naval Postgraduate Schooland the DISA chair for Information Assurance. He is formerly of the NationalSecurity Agency.CHIPS Winter 2004 21
Page 1 and 2: CHIPS Winter 2004 1
Page 3 and 4: Volume XXII Issue I4 Editor’s Not
Page 7 and 8: way to Baghdad without going to the
Page 9 and 10: you’ve provided. While geographic
Page 11: although we constantly upgrade the
Page 14 and 15: Front row, left toright: Lt. Cmdr.L
Page 16 and 17: By Lt. Cmdr. Edwin L. Armistead, US
Page 18 and 19: By John McEachen, John Zachary and
Page 22 and 23: What is FISMA?The Federal Informati
Page 24 and 25: By Sandra J. SmithAssessing the IT
Page 26 and 27: First U.S. NavyInstallationof DMS A
Page 28 and 29: “Our goal is a Web-enabled Navy-M
Page 30 and 31: shown here purposely simplify the e
Page 32 and 33: By Rebecca Nielsen and Kenya Spinks
Page 34 and 35: It is clear that spectrum is a keyc
Page 36 and 37: The title of this article is actual
Page 38 and 39: DepartureModelCMMI CompatibleFeat
Page 40 and 41: Ensuring C4 for the WarfighterBy Lt
Page 42 and 43: By Robert L. Sullivan and Robert B.
Page 44 and 45: Teamwork SolvesNMCI ProblemBy Bob B
Page 46 and 47: connected your call to an operator
Page 48 and 49: ViViD ContractsN68939-97-D-0040Cont
Page 50 and 51: Research and Advisory BPAsListed Be
Page 52: 52CHIPS Dedicated to Sharing Inform

Download PDF - Department of Navy Chief Information Officer - U.S. ...

Create successful ePaper yourself

Delete template?

Save as template?