Addressing the Intruder Detection Dilemma ARL Center for Intrusion Monitoring and Protection
Kerry Long
Lead, Advanced Development Center for Intrusion Monitoring & Protection Computational & Information Sciences Directorate U.S. Army Research Laboratory 301-394-2720 klong@arl.army.mil
What is the CIMP?
Center for Intrusion Monitoring & Protection (program management; planning/administration; standards & partnerships; technology transfer)
• Threat Assessment & Special Ops (2): extended analysis, situational awareness, special operations, LE/CI liaison, education/training
• Cyber Analysis Team (44): monitoring/detection, analysis processes, response/reporting, site/customer interface
• Research and Development Team (5): applied R&D, tool assessment, technology integration, process improvement, collaborations
• Systems & Sensors Engineering Team (4): configuration management, capacity planning, infrastructure scanning
The ARL Center for Intrusion Monitoring and Protection (CIMP) currently monitors and analyzes network data to detect intruders for multiple Army and DoD customers.
Introduction – Our Assumptions
• The number one threat to information confidentiality and integrity is the intruder who has gained access to a trusted cyber environment.
• No matter what internal safeguards have been put in place, a successful intruder will ultimately undermine security goals.
• There is currently no way to keep a determined, savvy intruder out of a publicly connected network.
Introduction – Our Observations
• Our nation’s R&D infrastructure is a major target for sophisticated state-sponsored attackers and cyber terrorists. Assets have been compromised, critical information has been exfiltrated, and our technological advantage is at risk.
• The IA community is focused on developing tools and methods to prevent intrusions from occurring. Fewer resources are devoted to dealing with the situation once an intrusion has occurred.
• Research and development in all IA-related areas is largely decoupled from the implementers of IA.
Introduction – Our Objectives
• To address the problem of the savvy intruder through detection rather than prevention; plenty of others are focused on prevention.
• To develop better practical methods for detecting and dealing with intruders once they have penetrated a trusted network.
• To couple our research and development with our operations into one constantly improving system.
How it’s Currently Done
[Diagram: U.S. Government Sponsors (DoE, DARPA, SPAWAR, NRL, OSD, NSA, CIA, CECOM, ARL, AFIWC, AFRL, ONR, NIST, NSF, NRO); a Hard Problems List of National Computer Security Needs; Academic R&D, Fed Lab & FFRDC R&D and Industry R&D; INFOSEC Practitioners.]
Why We’re Different
[Diagram, “Our IDS Model”: network raw data enters an IDS tool suite (Tool1, Tool2, Tool3, Tool4 … Tooln, plus Beta1 … and Adhoc1 … tools) and analysis methods (1st-level analysis, 2nd-level analysis, LE/CI engagement) worked by security analysts, who produce reports and situational awareness on real-time, real-world events and activities. A feedback path carries tool assessment, new requirements, new IDS tools, process modifications and new methodology, fed by R&D initiatives and by industry best practices / process improvement.]
CIMP Toolset – Key to Success
[Diagram: four detection approaches (header analysis, packet-based signature detection, behavior analysis, session-based signature detection) set against the activity they cover: simple scans, scans with automatic virus attacks, scans with target responses, viruses and worms, anomaly detection and new attacks, new and variant attacks, and compromises.]
R&D Computer Network Defense
[Diagram: CND for DoD, Army, AMC, RDECOM, ARL & customers; IDS (network & host-based), HPCC and large databases; impact through threat M&S, correlation and pro-active cyber-defense.]
CIMP Core Competencies
[Diagram: external R&D (University Research Initiatives at UCSB, GMU and CMU; the Army High Performance Computing Research Center; ARO-sponsored IA activities; Small Business Innovative Research contracts) and mechanisms: graph matching, anomaly IDS, host-based IDS, neural nets, distributed IDS, data reduction, data mining, high-speed IDS, vulnerability.]
Our Current Research Initiative: Interrogator
Objective
Development of a “near real-time” surveillance and analysis architecture that serves the needs of both researchers and analysts.
DoD capabilities enhanced by this project
Allows new detection methods to be thoroughly tested and prototyped without adversely affecting monitoring operations. Enables rich data mining operations and true retrospective analysis.
Scientific/technical approaches
• Sensors are easily configurable, inexpensive and designed to be placed in hostile environments
• Enables advanced network security analysis over extended locations/periods of time
• Allows quick introduction of new tools and techniques for detecting attacks on networks
• Core idea: use analysts to test new IDS concepts as part of their everyday workflow
Accomplishments
• Developed an integrated architecture that communicates securely and continuously between sensors and the data repository
• Developed a distributed sensor monitoring and statistics tool
• 15 sensors currently in place operating in a beta environment
• Designed and implemented an alerts database that allows a Network Security Officer to view and analyze alerts over multiple sites
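The Interrogator idea above (beta detection methods exercised inside the analyst workflow without disturbing monitoring, and an alerts database viewable across sites), together with the toolset split between packet-based signatures and behavior analysis, as an added example. This is not CIMP or Interrogator code; the sensor records, the `cmd.exe` signature, the three-target threshold and the site names are all constructed assumptions.

```python
"""Added example (not CIMP/Interrogator code): a toy multi-site alerts store in which
a beta detector runs in shadow mode beside a production detector over the same
sensor records. Records, signature, threshold and site names are constructed."""
import sqlite3
from collections import defaultdict

# Constructed flow records as a sensor might forward them:
# (site, src, dst, dport, payload, target_replied)
RECORDS = [
    ("siteA", "10.0.0.5", "10.0.1.9", 80, "GET /cmd.exe", True),
    ("siteA", "10.0.0.5", "10.0.1.10", 80, "GET /", False),
    ("siteB", "192.0.2.7", "10.0.2.1", 22, "", True),
    ("siteB", "192.0.2.7", "10.0.2.2", 22, "", True),
    ("siteB", "192.0.2.7", "10.0.2.3", 22, "", True),
    ("siteB", "192.0.2.7", "10.0.2.4", 22, "", False),
]

def signature_detector(records):
    """Production-tier packet-based signature check (constructed signature)."""
    for site, src, dst, _, payload, _ in records:
        if "cmd.exe" in payload:
            yield (site, "prod", "packet-signature", src, dst)

def target_response_scan_detector(records, min_targets=3):
    """Beta-tier behavior check: one source reaching >= min_targets hosts that answered."""
    answered = defaultdict(set)
    for site, src, dst, _, _, replied in records:
        if replied:
            answered[(site, src)].add(dst)
    for (site, src), dsts in answered.items():
        if len(dsts) >= min_targets:
            yield (site, "beta", "scan-with-target-responses", src, ",".join(sorted(dsts)))

def build_alert_db(records):
    """Run both tiers over the same records into one alerts table tagged by site and tier."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE alerts(site, tier, detector, src, target)")
    for detector in (signature_detector, target_response_scan_detector):
        db.executemany("INSERT INTO alerts VALUES (?,?,?,?,?)", detector(records))
    return db

def analyst_queue(db):
    """Only production alerts reach the monitoring queue; beta output is stored, not paged."""
    return db.execute("SELECT site, detector, src FROM alerts WHERE tier='prod'").fetchall()

def retrospective_by_site(db):
    """Per-site, per-detector counts: the cross-site view for a Network Security Officer."""
    rows = db.execute("SELECT site, detector, COUNT(*) FROM alerts GROUP BY site, detector")
    return {(site, det): n for site, det, n in rows}
```

The beta detector's hits never reach the analyst queue, but the retrospective query shows them next to production hits per site, which is how a candidate method can be judged against real traffic before it is promoted.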
What We’re Striving For…
• … effectively by other organizations or the private sector
• Accelerate the integration of new methodology, technology and tools
• Establish an IA lab to be the mechanism for technology development and transfer
We want to have an impact!