CERT



Critical Information Infrastructure Protection through Process Modeling and Model-based Information Fusion

Nong Ye
Arizona State University, Box 875906, Tempe, AZ 85287
Phone: (312) 996-6072       Email: nongye@uic.edu
Chet Hosmer
WetStone Technologies, Inc.
273 Ringwood Road
Freeville, NY 13068
Joseph Giordano and John Feldman
Air Force Research Laboratory/IWT
525 Brooks Road
Rome, NY 13441

      The authors have years of experience in developing theories, technologies and systems for information security. Nong Ye is an associate professor at Arizona State University, and has been working with the Information Warfare Team of the Air Force Research Laboratory (AFRL) on several projects sponsored by the Air Force Office of Scientific Research and the Air Force Research Laboratory. Joseph Giordano and John Feldman are the leading members of the AFRL Information Warfare Team. Chet Hosmer is the President of WetStone Technologies, Inc. The authors hope to share with other participants of the Workshop the following:

  1. our visions and insights into the domain-specific survivability requirements and characteristics of DoD information infrastructures and applications, as well as the commonality of DoD information infrastructures and applications with those in other domains such as banking, transportation, electric power and telecommunication;

  2. our views on the shortfalls of existing intrusion protection and detection techniques in meeting the information survivability needs of information infrastructures and applications in DoD and other domains;

  3. our solutions to meeting the information survivability needs of those information infrastructures and applications through process modeling, model-based information fusion, and integration of existing techniques; and

  4. our preliminary research results from an existing system that we have developed to implement the solutions.

      In general, critical information infrastructures and applications in the DoD, banking, telecommunication, transportation and electric power domains share the following characteristics.

  1. They are widely distributed and connected to public WANs, which exposes them to a large number of intrusion attempts from anywhere in the world.

  2. Due to the critical and sensitive nature of information and operations that they support and maintain, they draw more organized, sophisticated intruders.

  3. They must maintain continuous operation and have little tolerance for intrusions and their consequences, and thereby require tight control over protecting against and detecting intrusions.

For information infrastructures and applications in those domains, we are therefore dealing with a large number of well-organized, sophisticated intrusions. Because those domains tolerate intrusions so poorly, we must prevent intrusions before they occur, and detect them quickly enough to give early Indications and Warning (IW) while intruders are still crossing the security boundary of a protected network domain or moving around inside it.

      Both intrusion prevention and intrusion detection are necessary for a full-scale defense against intrusions. Examples of intrusion prevention techniques are firewalls, authentication, and encryption. Although deployable intrusion detection techniques have advanced considerably over the past few years, much of the practice of intrusion detection still relies on human analysts. For example, the U.S. Air Force has hundreds of intrusion detection sensors around the world and a large number of human analysts monitoring, analyzing, and reacting in near real time to unauthorized activities. As the number of host computers, networks and sensors increases dramatically over the next several years, it will become impossible for human analysts to keep up with the alarms and events presented by these sensors. In addition, in-depth analysis of more sophisticated attackers and attack profiles will become an unaffordable luxury. For example, most sensors today use thresholds based on a certain number of events occurring from or to a specific IP address over a very short period of time (less than an hour). An attacker who is at all sophisticated, or simply patient, can spread the same activity over a longer period and "fly" under the radar of present-day sensors undetected.
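The following is an added example, not code from the original paper or from any sensor it names: a threshold sensor of the kind described above, alarming when one source address produces more than a fixed number of events inside a short sliding window, run against two constructed event streams. The window of one hour, the threshold of 20 events, the event format (timestamp, source IP, destination port) and the two scanners are all assumptions made for illustration.

```python
"""Added example: a sliding-window threshold sensor and the low-and-slow
scan that evades it. Nothing here is captured traffic or a real sensor."""
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)   # assumption: the "very short period" of the text
THRESHOLD = 20                   # assumption: alarm once a source exceeds this count


def threshold_sensor(events, window=WINDOW, threshold=THRESHOLD):
    """events: iterable of (timestamp, src_ip, dst_port), sorted by timestamp.

    Returns the set of source IPs that, at any moment, had more than
    `threshold` events inside the trailing `window`."""
    recent = {}          # src_ip -> deque of timestamps still inside the window
    alarmed = set()
    for ts, src, _port in events:
        q = recent.setdefault(src, deque())
        q.append(ts)
        # age out events that have fallen off the back of the window
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            alarmed.add(src)
    return alarmed


def port_scan(src, start, n_ports, spacing):
    """Constructed sample: n_ports probes from src, one every `spacing`."""
    return [(start + i * spacing, src, 1 + i) for i in range(n_ports)]


T0 = datetime(1999, 1, 1, 0, 0, 0)
# noisy scanner: 100 ports in 100 seconds
FAST = port_scan("10.0.0.1", T0, 100, timedelta(seconds=1))
# patient scanner: the same 100 ports, one probe every four hours (about 17 days)
SLOW = port_scan("10.0.0.2", T0, 100, timedelta(hours=4))


def probes_per_source(events):
    """Total probes per source over the whole capture, ignoring time."""
    counts = {}
    for _ts, src, _port in events:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    merged = sorted(FAST + SLOW)
    print("alarmed sources:", threshold_sensor(merged))
    print("probes per source:", probes_per_source(merged))
```

Both scanners touch the same 100 ports, but only the fast one ever holds more than 20 events inside a one-hour window, so only 10.0.0.1 is reported; the patient scanner never has more than one probe in any window and is invisible to this sensor, exactly the gap the text describes.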

      Many sensor techniques currently collect network activity at or around the perimeter of our network domains. This collection technique has two significant drawbacks. First, visibility is limited to the traffic that enters or leaves the network via the "front door", and that traffic is far removed from the place where its effects are actually produced. For example, a TELNET session watched by current sensor techniques may appear to be performing normal commands and actions. However, through aliased commands, spawned host processes that perform actions in the background, or other protocols such as e-mail that deliver encrypted or embedded content, the real activity passes through the sensors undetected; the sensors are easily fooled. Moving sensor technology closer to the host applications is necessary in order to gain greater context as to what the behavior actually is. Second, most of the sensors today are prone to false alarms. A good example is the "dirty word" filter employed by most intrusion detection sensors, including two of the most popular, NetRanger and ASIM. These sensors report the occurrence of words such as root or alias, phrases such as access denied, and even canonical strings such as /etc/passwd. Detection of these strings in the data stream is not based on their context, but on how many times they occur over a specific period of time. This means that if a user with a web browser accesses a page containing the string /etc/passwd, the sensor alarms. It is important to note that these types of sensor alarms currently make up approximately 25% of the alarms handled by operators.
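To make the context point concrete, here is an added example (not code from the paper, and not the logic of NetRanger or ASIM): a context-free "dirty word" filter beside a context-aware check, both run over a handful of constructed traffic records. The record format, the dirty-word list, the protocol labels and the context rules are assumptions for illustration only.

```python
"""Added example: context-free dirty-word matching versus a context-aware check.
All records below are constructed, not captured traffic."""
import re
from urllib.parse import unquote

# assumption: the kind of word list the text describes
DIRTY_WORDS = ("root", "alias", "access denied", "/etc/passwd")

# Constructed records: id, protocol, direction relative to the protected
# network ("in" = from the outside), and the reassembled payload.
RECORDS = [
    {"id": 1, "proto": "http", "direction": "out",
     "payload": "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                "<p>On UNIX, account names live in /etc/passwd; the root "
                "account has uid 0.</p>"},                       # web page text
    {"id": 2, "proto": "http", "direction": "in",
     "payload": "GET /cgi-bin/view?f=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.0\r\n\r\n"},
    {"id": 3, "proto": "telnet", "direction": "in",
     "payload": "ls -la\r\ncat /etc/passwd\r\n"},                # typed commands
    {"id": 4, "proto": "smtp", "direction": "in",
     "payload": "Subject: root canal rescheduled\r\n\r\nSee you Tuesday."},
]


def dirty_word_filter(records):
    """Context-free: alarm on any record whose payload contains a dirty word,
    whatever the protocol, direction or meaning. Returns {id: [hits]}."""
    alarms = {}
    for r in records:
        low = r["payload"].lower()
        hits = [w for w in DIRTY_WORDS if w in low]
        if hits:
            alarms[r["id"]] = hits
    return alarms


# a shell command whose argument list names the password file
COMMAND_RE = re.compile(r"(?m)^\s*(?:cat|more|less|cp|vi|head|tail)\b[^\r\n;|]*?/etc/passwd")


def context_aware_filter(records):
    """Assumed rules (ours, not the paper's): alarm only when /etc/passwd is the
    target of an inbound HTTP request, after percent-decoding, or the argument
    of a command typed into an inbound interactive session. Outbound response
    bodies and mail text are never alarmed, whatever words they contain."""
    alarms = {}
    for r in records:
        p = r["payload"]
        if r["proto"] == "http" and r["direction"] == "in":
            request_line = p.split("\r\n", 1)[0]
            parts = request_line.split()
            if len(parts) >= 2 and "/etc/passwd" in unquote(parts[1]):
                alarms[r["id"]] = "request targets /etc/passwd"
        elif r["proto"] == "telnet" and r["direction"] == "in":
            if COMMAND_RE.search(p):
                alarms[r["id"]] = "command reads /etc/passwd"
    return alarms


if __name__ == "__main__":
    print("dirty-word filter:", dirty_word_filter(RECORDS))
    print("context-aware:    ", context_aware_filter(RECORDS))
```

The dirty-word filter alarms on the web page (record 1) and on a mail subject line (record 4), the kind of false alarms the text attributes to a quarter of operator workload, while missing the percent-encoded request for the password file (record 2) because the literal string never appears. The context-aware check reports only the inbound request and the typed command. Decoding and protocol awareness of this sort are what moving the sensor closer to the application buys.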

      As information infrastructures and applications such as those in the domains of military operations, electronic commerce, utility power management, air traffic control, telecommunication, transportation and banking become common on the next-generation Internet, perimeter-only intrusion prevention and detection techniques will quickly become obsolete. One possible advance lies in the research and development of approaches that produce a combined Indications and Warning (IW) rating from a wide range of intrusion detection techniques, including perimeter detection approaches and application behavior sensing techniques along with host and content monitoring methodologies.

      We have been investigating a process engineering approach to modeling computer network activity across its full range, from the perimeter of a network system to its hosts and to the entities inside those hosts. Process engineering traditionally targets industrial systems (e.g., continuous process systems in the chemical industry and discrete-part manufacturing systems) in order to protect, monitor, diagnose and control their operation. To maintain the proper operation of an industrial system, the laws and rules governing its normal operation must be specified. The operation of the system is then monitored to detect deviations from normal operation; such deviations are symptoms of an anomaly in the system. If an anomaly is detected, its root cause is diagnosed and traced so that appropriate action can be taken to correct the anomaly and return the system to normal operation. A well-established body of systematic knowledge and technology for process engineering has accumulated over the past decades.

      By considering intrusions as anomalies in the processes occurring in a computer network system, we apply a process engineering approach to protecting the system against intrusions and detecting them. This approach lets us take advantage of the systematic knowledge and technology of process engineering to model and control the secure operation of a computer network system in a more scientific, effective and efficient manner.

      A process model of a security-aware network system describes the security-relevant components and activities of a computer network system. Which components and activities are included in the process model is determined by their relevance to network security. The process model contains four levels of abstraction: objective, conceptual, functional and physical. Each level captures a different aspect of network activity.

      The objective level states the security goals of the network system, such as confidentiality, integrity, availability and accountability. At this level the network system is considered a single entity, ‘system’, and its security is defined from a black-box viewpoint. The conceptual level describes the security-critical states of the network system and the events that cause transitions between them; each state is considered a component of the system at this level. This state-transition model focuses on the temporal aspect of system behavior. The functional level models the structural aspect of the system: it describes the functional components and their structural relationships in the network system. Examples of functional components are routers, packets, hosts (servers and clients), ports, application programs, files and users. The physical level describes the physical configuration of the network system, its physical components, and the physical interactions among them.

      The following figures illustrate a process model of a security-aware network system, the integration of model-based intrusion prevention and detection techniques, and their computational implementation using the Common Intrusion Detection Framework (CIDF). For each system component at each level of the process model, existing techniques such as specification-based, statistical-based and signature-based techniques are used to prevent and detect violations of the secure operation of that component. Different techniques produce different IW ratings for the component, which are fused into a composite IW rating indicating the state of the component (compromised or not). The composite IW values at the component level are then fused into an IW value for the system as a whole, to account for the interactive effects of the coordinated actions that make up sophisticated intrusions. This fusion and correlation of component-level IW values into a system-level IW value must take into account the relationships among the system components. Details of the process model and the model-based information fusion techniques will be presented at the Workshop.

Figure 1. A process model of a security-aware computer network system.

Figure 2. The CIDF-compliant implementation of the process model and techniques.

Figure 3. Integration of intrusion prevention and detection techniques.
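The paper defers its fusion method to the Workshop, so the following is an added example of our own, not the authors' technique: a two-stage IW fusion over a small functional-level model of two hosts, their users and files. The component names, the per-technique ratings, the noisy-OR combination rule and the rule that only related components reinforce one another are all assumptions chosen to show why the second stage must know the relationships among components.

```python
"""Added example: two-stage Indications and Warning (IW) fusion over a
functional-level component model. The combination rules are assumptions,
not the method of the paper."""
from collections import defaultdict


def noisy_or(ratings):
    """Combine independent IW ratings in [0, 1] as 1 - prod(1 - r).
    Assumed stage-1 rule: any one technique alone can raise the rating,
    and agreeing techniques raise it further."""
    p = 1.0
    for r in ratings:
        if not 0.0 <= r <= 1.0:
            raise ValueError("IW ratings must lie in [0, 1]")
        p *= 1.0 - r
    return 1.0 - p


def component_iw(technique_ratings):
    """Stage 1: fuse the ratings the different techniques produce for one
    component, e.g. {'spec': 0.1, 'stat': 0.4, 'sig': 0.0}."""
    return noisy_or(technique_ratings.values())


def clusters(names, related):
    """Connected groups of components under the symmetric `related` edges
    (here: a host is related to the users and files it contains)."""
    adj = defaultdict(set)
    for a, b in related:
        adj[a].add(b)
        adj[b].add(a)
    seen, groups = set(), []
    for n in names:
        if n in seen:
            continue
        stack, group = [n], set()
        while stack:
            x = stack.pop()
            if x in seen:
                continue
            seen.add(x)
            group.add(x)
            stack.extend(adj[x] - seen)
        groups.append(group)
    return groups


def system_iw(component_ratings, related):
    """Stage 2 (assumed rule): within a cluster of related components the
    composite IWs combine by noisy-OR, so coordinated steps against one
    host reinforce each other; across unrelated clusters only the strongest
    cluster counts, so scattered weak symptoms are not summed into a
    system-wide alarm."""
    comp = {n: component_iw(r) for n, r in component_ratings.items()}
    return max(noisy_or(comp[c] for c in g) for g in clusters(comp, related))


# Constructed functional-level model: containment edges only.
MODEL_EDGES = [
    ("host:srv1", "user:alice@srv1"),
    ("host:srv1", "file:srv1:/etc/passwd"),
    ("host:srv2", "file:srv2:/etc/passwd"),
]
COMPONENTS = ["host:srv1", "user:alice@srv1", "file:srv1:/etc/passwd",
              "host:srv2", "file:srv2:/etc/passwd"]
QUIET = {"spec": 0.0, "stat": 0.0, "sig": 0.0}


def baseline():
    """Every component quiet under all three techniques."""
    return {n: dict(QUIET) for n in COMPONENTS}


def coordinated_scenario():
    """Two weak symptoms on related components of srv1: a statistical anomaly
    in alice's behavior and a specification violation on srv1's password file."""
    r = baseline()
    r["user:alice@srv1"]["stat"] = 0.4
    r["file:srv1:/etc/passwd"]["spec"] = 0.4
    return system_iw(r, MODEL_EDGES)


def scattered_scenario():
    """The same two weak symptoms, but on unrelated hosts."""
    r = baseline()
    r["user:alice@srv1"]["stat"] = 0.4
    r["file:srv2:/etc/passwd"]["spec"] = 0.4
    return system_iw(r, MODEL_EDGES)


if __name__ == "__main__":
    print("coordinated symptoms on srv1:", round(coordinated_scenario(), 2))
    print("scattered symptoms, two hosts:", round(scattered_scenario(), 2))
```

With identical component-level evidence, the coordinated case yields a system IW of 0.64 and the scattered case 0.40: the same two ratings mean more when the model says the components they concern belong to one host. A fusion that ignored the functional-level relationships would have to report the same value for both.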

Acknowledgment
      The first author would like to acknowledge the funding support to this work by AFOSR under grant number F49620-98-1-0257, and by AFRL, Air Force Materiel Command, USAF, under agreement number F30602-98-2-0005. The U.S. government is authorized to reproduce and distribute reprints for governmental purposes notwithstanding any copyright annotation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either express or implied, of AFOSR, AFRL, or the U.S. Government.

