John Feldman, Joe Giordano (RL/IWT) and Gary Palmer (Arca Systems)
The Information Warfare Team at Rome Laboratory has formulated a solution that addresses a portion of the Information Survivability issue for future mission critical systems. This vision is accompanied by a phased plan to build a prototype decision support system to detect intrusions and manage large scale networks from an information protection perspective, for use by Air Force decision makers at all levels.
For both the government and the private sector, continuity of operations for critical systems is largely dependent upon the availability, integrity and confidentiality of information. Protecting this information from compromise and unauthorized modification has been the goal of the Air Force INFOSEC technology program. INFOSEC as a security discipline has undergone several changes, but its focus has always been on creating monolithic security systems capable of repelling all unauthorized activity at the host. However, many of the trusted systems built in the 1980s were difficult to use and integrate, ultimately limiting their impact on the marketplace. The host-based single system paradigm no longer applies to the real world environment, because mission-critical information may now reside on remote systems via NFS mounted disks or distributed databases, accessible perhaps via Java scripts. The bottom line is that a new approach is necessary!
This position paper reflects our vision in that it establishes a firm foundation which allows for the immediate integration of existing tools, technologies, and knowledge databases from several related technology areas, providing an architecture for continued, future growth while preserving current investments. We accommodate both host-based and distributed computing environments, while maintaining our focus on COTS offerings to supply both the infrastructure framework and specific security products.
Our solution will use COTS intelligent enterprise management software such as Gensym's G2 or Tivoli's Enterprise Console as the integration infrastructure or framework. This will allow us to integrate data from various emerging technology disciplines such as: risk management (vulnerabilities, threats, countermeasures), network management, system/network recovery, intelligent agents, and proactive/predictive intrusion detection, to maximize our critical systems' information survivability posture. Creating an automated, integrated capability incorporating all of the above disciplines will far exceed that achievable by reliance on any one single technology.
Our solution for the next generation of survivable information systems will correlate the fact that an intrusion has occurred, is occurring, or is likely to occur using indications & warnings, network monitoring / management data, known vulnerabilities and threats in order to arrive at a recommended recovery process and its associated residual risk.
Rome Laboratory's in-house program to develop a working prototype will integrate tools and technologies from the following disciplines:
Network Management: Network management data will provide a precise representation of the enterprise and its configuration. Information about network protocols, host platforms, circuits, service providers, routers, bridges, multiplexers, and their individual configuration, including network security policies, will form the canvas for the system. HP's OpenView and IBM's NetView are the two leading candidates among several existing products that have the potential for use here.
Risk Management: Potential integration candidates are Automated Network System Security Risks (ANSSR) and Expert System for Progressive Risk Identification Techniques (ESPRIT), as well as several commercial offerings such as Risk Watch and LAVA.
Intrusion Detection: Current technology focuses on after-the-fact intrusion detection. We need to develop a proactive/predictive intrusion detection technology incorporating advances in pattern matching, user profile analysis, and intrusion signature recognition. The ultimate goal is the ability to anticipate attacks before they occur. Several potential candidates are available from commercial, government and academic sources, and much R&D effort is being expended in this area.
Modeling and Simulation: Both candidate intelligent enterprise management software packages have considerable modeling & simulation capability. These can be used for attack playback, "what-if" analysis and scenario refinement to aid operations activities, training programs and real-time risk assessment.
Intelligent Agents: Intelligent agents are critical due to the sheer volume of network management and intrusion detection data to be collected. Their small size and their ability to perform specific, well defined functions will greatly enhance near-real-time processing and reduction of audit data. An added benefit will be a more balanced collection and data reduction workload over the network.
Data and System Recovery Methodology: A major focus of defensive information protection is automated recovery procedures for system disruptions and loss of data or service resulting from information attack.
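As an added illustration of the correlation step this position paper describes (not code from Rome Laboratory or from any of the products named above), the following Python sketch fuses three of the data sources listed, a network-management inventory, a risk-management vulnerability knowledge base, and intrusion indications & warnings, into ranked findings, each carrying a recommended recovery step and the residual risk that remains once that step is applied. All hostnames, vulnerability identifiers, scores and countermeasures are constructed placeholders, and the scoring formula is an assumption chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Host:
    """Inventory record as a network-management system would supply it."""
    name: str
    services: tuple        # services the host exposes, e.g. ("nfs", "ssh")
    criticality: int       # 1 (low) .. 5 (mission critical)


@dataclass(frozen=True)
class Vulnerability:
    """Entry from a risk-management knowledge base (ids are placeholders)."""
    vuln_id: str
    service: str
    severity: float        # 0..1 impact if exploited
    countermeasure: str    # recovery / hardening step to recommend
    effectiveness: float   # 0..1 fraction of the exposure the step removes


@dataclass(frozen=True)
class Indication:
    """Indication & warning from an intrusion-detection sensor or analyst."""
    host: str
    service: str
    confidence: float      # 0..1 that an intrusion is occurring or imminent


@dataclass
class Finding:
    host: str
    service: str
    status: str
    risk: float            # current exposure given the indication
    residual_risk: float   # exposure left after the recommended step
    recommendation: str
    vuln_id: Optional[str] = None


# Constructed sample data; hostnames, ids and numbers are hypothetical.
INVENTORY: Dict[str, Host] = {
    "fileserver": Host("fileserver", ("nfs", "ssh"), 5),
    "webhost": Host("webhost", ("http",), 3),
    "workstation7": Host("workstation7", ("ssh",), 1),
}
KNOWN_VULNS: List[Vulnerability] = [
    Vulnerability("VULN-NFS-EXPORT", "nfs", 0.9, "restrict NFS exports to authorized hosts", 0.8),
    Vulnerability("VULN-HTTP-CGI", "http", 0.6, "disable unused CGI handlers", 0.7),
    Vulnerability("VULN-SSH-LEGACY", "ssh", 0.4, "require the current ssh protocol version", 0.9),
]
INDICATIONS: List[Indication] = [
    Indication("fileserver", "nfs", 0.7),
    Indication("webhost", "http", 0.3),
    Indication("workstation7", "ssh", 0.9),
    Indication("printer", "lpd", 0.9),      # asset missing from the inventory
]


def exposure(host: Host, vuln: Vulnerability, ind: Indication) -> float:
    """Assumed scoring: severity x confidence, scaled by host criticality."""
    return vuln.severity * ind.confidence * host.criticality / 5


def correlate(inventory: Dict[str, Host], vulns: List[Vulnerability],
              indications: List[Indication]) -> List[Finding]:
    """Fuse the three data sources into ranked findings.

    Matched findings come first, highest current risk at the top; inventory
    gaps follow so the operator sees them instead of silently losing them.
    """
    matched: List[Finding] = []
    gaps: List[Finding] = []
    for ind in indications:
        host = inventory.get(ind.host)
        if host is None:
            gaps.append(Finding(ind.host, ind.service, "unknown asset", 0.0, 0.0,
                                "add host to inventory, then reassess"))
            continue
        if ind.service not in host.services:
            gaps.append(Finding(ind.host, ind.service, "service not in inventory", 0.0, 0.0,
                                "verify host configuration against inventory"))
            continue
        candidates = [v for v in vulns if v.service == ind.service]
        if not candidates:
            gaps.append(Finding(ind.host, ind.service, "no known vulnerability", 0.0, 0.0,
                                "investigate indication manually"))
            continue
        # Take the worst-case vulnerability for this service and recommend its countermeasure.
        worst = max(candidates, key=lambda v: exposure(host, v, ind))
        risk = exposure(host, worst, ind)
        matched.append(Finding(ind.host, ind.service, "vulnerability matched", risk,
                               risk * (1 - worst.effectiveness), worst.countermeasure,
                               worst.vuln_id))
    matched.sort(key=lambda f: f.risk, reverse=True)
    return matched + gaps


if __name__ == "__main__":
    for f in correlate(INVENTORY, KNOWN_VULNS, INDICATIONS):
        print(f"{f.host:13} {f.status:25} risk={f.risk:.3f} "
              f"residual={f.residual_risk:.3f} -> {f.recommendation}")
```

The ranking puts the mission-critical file server first even though its indication is less confident than the workstation's, because criticality and severity weight the score; the indication on an asset absent from the inventory is surfaced as a gap rather than dropped, which is the kind of inventory defect the network-management data is meant to expose.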
Not only does this approach address the needs of the decision makers at the top, but at all intervening levels within the networks, down to the individual system level. This will permit network administrators and intrusion data analysts to be more proactive rather than totally reactive, and to evaluate different responses to malicious activity in real time in order to secure mission critical networks for decision makers and the warfighter.