Network Mission Assurance Phoenix Challenge 2002 Conference

Transcription

1 Phoenix Challenge 2002 Conference Lockheed Martin Advanced Technology Laboratories Distributed Processing Laboratory 1 Federal Street A&E Building 3W Camden, New Jersey Mike Junod mjunod@atl.lmco.com (856) September 12, 2002

2 Presentation Outline ATL Organization Holistic Information Assurance Information Assurance Efforts (NMA) Framework Threat Analysis & Prediction (TAP) Cyber Attack Workstation (CAW) Dynamic Trust-based Resource Allocation (DyTR( DyTR) Intelligent Agents Virtual Network Simulator (VNS) 2

3 ATL Organization Lockheed Martin Martin R. R. Coutts, Coutts, Executive Vice Vice President System System Integration R. R. Frew, Frew,, VP VP Technology NE&SS NE&SS J. J. Pridmore,, Director Advanced Technology Laboratories Government R&D DARPA (50%) Over the past five years, ATL has become a major DARPA contractor Lockheed Martin leader in information technology (ITO, ISO, TTO) Established military relevance capability Government laboratories (15%) Transition path from DARPA to the field Strategic foothold for ACTD, ATD follow-ons ons Commercial (<5%) Near term: small, working strategic relationships Long term: Grow to represent >20% of business Lockheed Martin (35%) Currently 50/50 mix of development vs. services/consulting 3

4 Overall Objectives Objectives Dynamically Identify, Protect, and Ensure Survivability and Continued Operation of High Value/Critical Assets (Holistic Vision) Predictively Determine Likely Attack Campaigns to Mitigate Major Disruption of High Value Assets & Ensure Critical Infrastructure Survivability Research Focus Areas Active Network Management and Adaptive Quality of Service Adaptive, Distributed Resource Allocation & Control Secure Adaptive Agent Framework Attack Knowledge Representation to infer Attack Patterns Faster than Real-Time Exploration of Attacks & Response Effects Dynamic Network Mapping and Exploit Determination in Support of Autonomic Information Warfare Operations Dynamic Trust Assessment 4

5 Holistic Information Assurance 5

6 Distributed, Holistic Information Assurance Infrastructure Model and Control Inspect infrastructure state Reflect controls back onto enclave infrastructure Asset Identification Dynamically identify critical assets for mission objectives Map critical assets to low level resources Threat Analysis and Prediction Infer patterns from network event observations Correlate patterns to likely attack campaigns Explore campaign effects on critical assets Response Coordination Analyze campaign effects relative to mission objectives Identify and Initiate most effective response Distributed, Holistic Information Assurance Asset Identification Enclave Infrastructure HCI Infrastructure Model & Control Threat Analysis & Prediction Events (eg.. Sensors) Dynamic Infrastructure Infrastructure Discovery State & Analysis Reflective Infrastructure Model Event Correlation Attack Type Instance Attack KB Critical Asset Identification Infrastructure Configuration Dynamic Infrastructure Modeler Holistic Attack Campaign Synthesis Attack Patterns Response Commands Attack Campaign Step Response Coordination Dynamic Response Control Response Objectives Response Decision Reasoning Impact Effects Impact Analysis Ensure Survivability of High Value Assets and Continued Operation of Critical Infrastructure Components 6

7 NMA Framework Core Infrastructure Information Model Distributed Object Services Code and Object Mobility Reflective Sensor Control Dynamic QoS Manager Network Discovery Network Resource Mgmt. Visualization (Tree View) Multiple Views Sensor Attribute Access Integration alone is not sufficient. You need orchestration! Pluggable IA Capabilities Sensors Controllers Actuators Interfaces 7

8 Threat Analysis and Prediction Attack Knowledge Base Attacker Capability Ontology Attack method rules ICAT (public software fault database based on CVE) Use of Protégé,, an open- source ontology editor Representation of attacker capabilities that result from the exploitation of software faults Attack Projection Forecasts the effects of the attack on infrastructure assets Takes predicted next attack step and simulates the effect upon the infrastructure and critical assets Identifies areas of need for close monitoring 8

9 Cyber Attack Workstation Tool Options Account for for Risk Reconnaissance Exploit Options 9 Reconnaissance and Attack Tool Automation Automate the process of monitoring and attacking network Provide library of intelligence gathering, penetration, and denial of service tools for use through single interface Allow user with little experience in hacking to test attack mechanisms Exploit & Attack Database Define High Level Attack Campaign Attack Campaign Generation Defense Through Understanding of the Offense

10 Advanced Technology Laboratories Dynamic Trust-based Resources Active, dynamic networks have limited or no a priori access allocation Adaptively determine trust Dynamically allocate resources 10 DARPA DARPA FTN FTN Contract Contract out out of of AFRL AFRL

11 ATL s Agent Technology Extendible Mobile Agent Architecture GCCS-M Host Agent Sensor Control Host Agent Legacy Systems e.g. GCCS-M Agent Dock Communication, Mobile Agents DTF Host Agent Dock Flexible Agent System Workflow Reusable Components! Agent Agent System Controller Agent Dock Agent Dock: Agent Management, Security, Resource Control, QoS 11 Task Path Flexible Agent Workflow Patterns Reusable components and assembly patterns

12 EMAA Security Architecture Agent Audit Logging SSL: Remote Host Authentication and Encryption DOC K CommunicationServer AgentManager Agent authentication Sole provider of threads to agents EMAAClassLoader Secure Class Loader JVM Checks agent privileges Loads authorized classes Establishes permissions for each agent according to policy. Security Manager Access Controller Operating System Hardware EMAA Framework Dynamically checks permissions in policy. Application Specifics 0% 100% Maximize the security provided by the framework 12

13 Some of ATL s Agent-Based Systems Some of ATL s Agent Systems Robots, Agents, People Cooperating Agents for Specific Tasks (CAST) Joint Interagency Task Force - East (JIATF-E) Log C2/Agile Commander Dismounted Guardian Small Unit Ops LCS - Marine Joint Logistics/JTL ACTD Airborne Manned/ Unmanned System (AMUST) Air Mobility Command, Coalition Operations, etc. Customer DARPA DARPA, NWDC DARPA CECOM CECOM DARPA DARPA DARPA Army AATD AFRL Application TBD (Seedling) Navy Time-Critical Strike, Coalition C2 Ship Tracking Plan Monitoring Threat Alerts Logistics Requests Logistics Integration SA for Command on the Move Plan Monitoring/ Replanning ABS Ingredients Heterogeneous Teams Info, imagery collection, correlation, dissemination Information retrieval, integration Sentinels Data sharing, distributed Fusion Human-computer dialog Data integration/mediation Data access, sentinels Data sharing/fusion Data access, sentinels ATL Agent Technology has been Deployed on >20 Programs 13

14 Virtual Network Simulator (VNS) Designed to rapidly configure and simulate Army tactical networks Focuses on training Information Assurance Manager (IAM) or IA Network Manager (IANM) to react to network attacks Interfaces with CECOM s existing Internet Attack Simulator (IAS) Simulates CECOM/s attack taxonomy and C2 Protect tool behaviors Instructors Interface Configures network training scenarios Selects and launches network attacks Monitors student performance Student Interface Initializes network configuration and protection mechanisms Monitors network performance and attack alerts Responds to attacks using available protection tools Internet Attack Simulator Virtual Network Simulator HLA Runtime Infrastructure (RTI) 14

15 VNS Interfaces VNS Network Monitoring Features Alert Messages from the IDS change the borders from light BLUE to flashing RED Links Change Between bright GREEN and RED to signify changes in traffic density Student Network Monitoring Display VNS Network Control Features The scan of the router is detected by the IDSs Student is able to drill down and investigate Student is able to recognize trouble as the attacked links heat up Student is able to select a router to investigate further Student deduces the DoS attack and takes corrective action Student Network Control Dialog Boxes 15

16 Lockheed Martin Booth Questions? 16

17 NMA Papers 1. T. Hughes, "Knowledge- and Simulation-based Threat Analysis and Reasoning (KSTAR)", Internal Report, April J. Denny, "Automated Response for Computer Network Defense", Lockheed Martin ATL Internal Report, March P. Muckelbauer, "Critical Asset Identification", Internal Report, March T. Hughes, "Threat Analysis and Prediction", Internal Report, Feb M. Junod, "Holistic Information Assurance", Internal Report, March M. Junod, Cyber Attack Workstation (CAW) 7. M. Junod, Dynamic Trust-based Resource Allocation (DyTR) 17