On Achieving Full Information Resiliency for Real Time Systems
Information Survivability Workshop '98
Submitted by:
Joseph Giordano
USAF
Programs Manager, Rome Lab
315-330-4199
Dennis McCallam
Northrop Grumman Corp.
Chair, USAF Recovery IPT
410-765-4392
The USAF has been moving toward complete information superiority. The four well-known pillars of that focus are Dominant Maneuver, Focused Logistics, Precision Engagement, and Full Dimensional Protection. The critical enabling concept of "Defense in Depth" not only facilitates this mission, but ensures the confidentiality, integrity and availability of the information systems necessary to accomplish it. True defense in depth combines intrusion detection, damage control and system recovery, layered over a vulnerability-assessed, survivable information system infrastructure. This, in essence, is the underlying concept of defensive information warfare. Defensive information warfare addresses the issues and the technologies necessary for protecting a system and ensuring the integrity of the data and information within it. This means guaranteeing that the system remains on-line and maintains its real time informational integrity. Current approaches rely only on protecting and restricting access through firewalls, advanced log-in approaches, filtering gateways, and the like.
Current recovery approaches have three major shortcomings:
- They treat all systems (real time and non-real time) as relatively static and composed of independent, discrete transactions (rather than linked events such as tracks), thereby justifying off-line recovery strategies that take too long to restore and lead to discontinuities in the operator's display.
- They treat all data as equal and reload it without regard to criticality to flight or frequency of update, thereby failing to restore the most critical information first.
- They fail to consider and predict the nature of the damage and its location in the architecture, and so restore either too much or not enough data.
In addition to these shortcomings, much of the previous work on intrusions into systems naively assumed that protection against intrusive events was adequate, thereby making recovery unnecessary. Unfortunately, this only provides defense at the surface level, as opposed to a full defense-in-depth posture.
In mid 1997 an Integrated Process Team, composed of the USAF and the organizations holding five contracts for information recovery, was formed to share study results and to expedite the process of transferring technology concepts into technology insertions. The members of the IPT are:
- Mr. Joe Giordano, the Technical Director for the Rome Lab Recovery Projects,
- Mr. Dennis McCallam, from Northrop Grumman, who is Chairman of the Rome Recovery IPT and Technical Director for the Rapid Information Recovery for Real Time Intruded Systems effort,
- Mr. Michael Winburn of Software Productivity Solutions and the Technical Director for the Automated Resource Recovery Agent effort,
- Dr. Peter Chen, Foster Distinguished Chair Professor from the Computer Science Department of Louisiana State University and the Technical Director for the Reconstructing the Information Attack Scenario effort,
- Dr. Sushil Jajodia, Director of the Center for Secure Information Systems and Professor of Information and Software Systems Engineering at George Mason University and the Technical Director for the Trusted Recovery from Information Attacks effort, and
- Dr. Brajendra Panda, Professor in the Computer Science Department at North Dakota State University and the Technical Director for the Damage Assessment and Recovery Through Data Dependency effort.
The USAF Rome Lab has been addressing the needs of Defensive Information Warfare and, in particular, concentrating on technologies that will enable real time information resiliency and reconstitution. Specifically, the defense in depth of an attacked system is enhanced by completing the information recovery with no or minimal impact on the performance of the system under attack. Under the auspices of the USAF Rome Lab, the IPT focused on providing a forum and focal point for shared research on recovery techniques, and on promoting the application and implementation of those research results toward solving real world USAF and US Defense problems. The Rome Recovery IPT has become a key national resource for recovery research, implementation, and technology transition. In doing so, Rome Lab is gaining increasing recognition as the center of excellence for Information Recovery and Resiliency approaches.
The position of this group can be summarized as follows: Information recovery is achievable in real time for real time systems. We formalized our recovery methods around three different recovery models: HotStart, WarmStart, and ColdStart. The HotStart model is the most desirable, in that both the effects of and the response to an information attack are transparent to the user. In cases where HotStart is unachievable, the WarmStart model allows for certain crucial system functions to continue while the information attack is intercepted and repulsed. The ColdStart model applies in cases where the information attack succeeds in bringing the information system down; here the goal is efficient, trusted recovery to a consistent configuration. We offer four fundamental findings of our research to date.
- True information resiliency can be effected by an integration of defense in depth concepts. - In order to develop reconstruction strategies, the components of defense in depth (see figure) were examined.

We examined entry regulation and denial to see what areas of a system were protected and where the potential omissions were. This included a high level understanding of intrusion approaches, an important component for the recovery approach because an understanding of how a system can be corrupted, and of the effects of that corruption, guides the development of an overall solution. The need for substantive information from damage assessment provided the recovery techniques with specific information on what was damaged and how it was damaged; this correlates the attack strategy with the affected portion(s) of the system. Next, an evaluation of special operational modes yielded auxiliary information on the origin of the attack and dictated the need to record and preserve the footprint of the intrusion. Finally, specific approaches to information recovery were examined using critical pieces of information from the other portions of the defensive structure.
- Methods can be formalized to assess the real time recoverability of a given system. - Complete system recovery requires an analysis of the potential vulnerabilities and entry points of a system, a knowledge of intrusion attack methods, information from intrusion detection on where the damage was done, and an understanding of the hierarchy of information computations, and data flow within the system.
- There exists in any system a hierarchy of computations yielding a Minimal Essential Data Set. - Up to now, data in a real time system has not been analyzed in terms of levels of importance. As a result, current methods of replenishing data do not follow an importance hierarchy, tend to treat all data within a system as equal computational components, and therefore restore all data simultaneously and laboriously rather than in order of importance. Most real time systems combine data computations that integrate over a period of time (such as aircraft tracking systems) with transaction-based computations. Within those computations there are significant pieces of information that can be conceptually differentiated and used to restore lost information. Smart ways of data partitioning, recording, and encoding will facilitate efficient information replenishment on systems experiencing information warfare events. This approach to data reconstruction evaluates the information lost and views this as a data class domain issue. The totality of data contained in the information base within a system therefore partitions across three domains: critical for human and system survival, shared across and outside the system, and information resource node specific. These domains define a hierarchy for reconstruction precedence.
- The new technologies being developed for Computer Forensics have applicability for information recovery. - Computer forensics provides those tools and techniques that gather and analyze electronic evidence that has been intentionally modified. The integration of real time tools that can "see" information hidden or obliterated can greatly affect the real time recoverability of the information in an attacked system. In addition, the integration of intelligent agents into a system can monitor and isolate attacks, and then begin the recovery process.
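The following worked example, added here to make the preceding findings concrete, is illustrative code and not software from the Rome Recovery IPT or any of its contract efforts. It shows two of the ideas above together: damage assessment through data dependency (which transactions and data items an intrusion has contaminated, including the case where a later clean write repairs an item), and a restoration plan ordered by the three-domain precedence hierarchy rather than reloading everything equally, which is shortcomings (2) and (3) from the introduction. The transaction log, data catalog, domain labels, refresh intervals and recorded values are all constructed for the example; the rule that slower-refreshing items are restored before faster-refreshing ones within a domain is an assumption of this example, not a statement from the paper.

```python
"""Dependency-based damage assessment followed by a precedence-ordered
restoration plan. Illustrative code added to this page; every input below
(log, catalog, version history) is constructed for the example."""
from dataclasses import dataclass

# Reconstruction precedence domains: lower number restores first.
CRITICAL, SHARED, NODE_LOCAL = 0, 1, 2


@dataclass(frozen=True)
class Txn:
    tid: int
    reads: frozenset
    writes: frozenset


def assess_damage(log, malicious_tids):
    """Walk the log in commit order. A transaction is 'affected' if it is
    malicious or read an item that was tainted when it ran; everything it
    wrote becomes tainted. A blind write by an unaffected transaction
    (e.g. a fresh sensor update) overwrites the item and so un-taints it.
    Returns (tainted_items, affected_tids)."""
    tainted, affected = set(), []
    for t in log:
        if t.tid in malicious_tids or t.reads & tainted:
            affected.append(t.tid)
            tainted |= t.writes
        else:
            tainted -= t.writes
    return tainted, affected


def restoration_plan(tainted, affected, catalog, versions):
    """For each tainted item pick the newest value written by an unaffected
    transaction (None if no trusted version exists and the item must be
    re-acquired), then order the work: CRITICAL domain first, and within a
    domain the slowest-refreshing items first. Assumption for the example:
    fast-refreshing data such as a live track position is replenished by
    the next update on its own; a track identity is not."""
    affected = set(affected)
    plan = []
    for item in tainted:
        clean = [value for tid, value in versions[item] if tid not in affected]
        plan.append((item, clean[-1] if clean else None))
    plan.sort(key=lambda entry: (catalog[entry[0]][0], -catalog[entry[0]][1]))
    return plan


# Constructed catalog: item -> (domain, refresh interval in seconds).
CATALOG = {
    "track_17.id":    (CRITICAL, 60.0),
    "track_17.pos":   (CRITICAL, 1.0),
    "intercept.plan": (CRITICAL, 5.0),
    "weather":        (SHARED, 300.0),
    "node3.cache":    (NODE_LOCAL, 10.0),
}

# Constructed log in commit order. T2 is the intrusion (it forges the track
# identity); T6 is a clean sensor update that blindly overwrites the position.
LOG = [
    Txn(1, frozenset(), frozenset({"weather"})),
    Txn(2, frozenset(), frozenset({"track_17.id"})),
    Txn(3, frozenset({"track_17.id"}), frozenset({"track_17.pos"})),
    Txn(4, frozenset({"weather"}), frozenset({"node3.cache"})),
    Txn(5, frozenset({"track_17.pos"}), frozenset({"intercept.plan"})),
    Txn(6, frozenset(), frozenset({"track_17.pos"})),
    Txn(7, frozenset({"node3.cache"}), frozenset({"node3.cache"})),
]

# Constructed version history: item -> [(writer tid, value)]; tid 0 is the
# last trusted checkpoint taken before the log starts.
VERSIONS = {
    "track_17.id":    [(0, "UNKNOWN"), (2, "FRIENDLY")],
    "track_17.pos":   [(0, (0.0, 0.0)), (3, (9.9, 9.9)), (6, (1.2, 3.4))],
    "intercept.plan": [(0, "HOLD"), (5, "DISENGAGE")],
    "weather":        [(0, "CLEAR"), (1, "CLEAR")],
    "node3.cache":    [(0, {}), (4, {"w": "CLEAR"}), (7, {"w": "CLEAR"})],
}


def run_example():
    """Assess damage from the constructed intrusion T2 and build the plan."""
    tainted, affected = assess_damage(LOG, malicious_tids={2})
    return tainted, affected, restoration_plan(tainted, affected, CATALOG, VERSIONS)


if __name__ == "__main__":
    tainted, affected, plan = run_example()
    print("affected transactions:", affected)
    print("tainted items:", sorted(tainted))
    for item, value in plan:
        print(f"restore {item} <- {value!r}")
```

Two things to notice when running it: T6, a clean sensor update, removes track_17.pos from the tainted set even though T3 had corrupted it, so the plan does not waste time restoring a value the live feed has already replaced; and T5 is still affected because it read the corrupted position before T6 ran, so the intercept plan derived from it is rolled back to the checkpoint. The plan restores the slow-refreshing track identity before the intercept plan, and touches neither the shared weather item nor the node-local cache, which the dependency analysis shows were never contaminated.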
In summary, we have been researching new and novel approaches to providing information resiliency and strengthening the defense in depth posture of real time critical systems.