DARPA OASIS Meeting, Santa Fe, New Mexico (21 slides)


Page 1: DARPA OASIS Meeting Santa Fe New Mexico

Not for Public Release

DARPA OASIS Meeting, Santa Fe, New Mexico

July 26, 2001

Joseph E. Johnson, PhD

Vladimir Gudkov, PhD

Page 2: DARPA OASIS Meeting Santa Fe New Mexico

Overview of Our Work

• IRIS – A C4I Emergency Management System in operation for four years for SC. IRIS requires maximum invulnerability.

• Part I: Complete System Replication – Addresses site-specific threats

• Part II: Network Security – Threats to networks – Vladimir Gudkov

Page 3: DARPA OASIS Meeting Santa Fe New Mexico

IRIS – Background

• Our team developed the Internet Routed Information System (IRIS) to manage all threat events and response tracking for SC.

• IRIS consists of a central Oracle 8i database running on an IBM Unix (RS/6000 H70) multiprocessor with Java and GIS mapping, with all data access through standard web browsers. Soon we will implement a voice recognition interface.

• IRIS is a Command, Control, Communication, Computer & Information (C4I) type system and very pertinent to DARPA security efforts.

• The system has been fully operational for 4 years managing all emergency events & threats, resource requests, messages, and logs. New additions include databases for critical facilities, donated goods, damage tracking, and personnel tracking.

• In particular, IRIS manages threats of BCN terrorism, and specifically tracks Information Infrastructure and computer attacks.

• We anticipate new funding in Oct 2001 explicitly to build a biological terrorism module.

Page 4: DARPA OASIS Meeting Santa Fe New Mexico

IRIS Threats – DARPA Initiatives

• Threats:

  – Acts of nature (hurricanes, epidemics, power & IP loss, ...)

  – Unintentional acts of man (including hardware failures & software bugs)

  – Intentional acts of man (including network attacks and viruses and all forms of crime and terrorism)

• Our DARPA efforts are designed to make the IRIS system as robust and invulnerable as possible:

  – For site-specific threats: System Replication

  – For network threats: today's talk

Page 5: DARPA OASIS Meeting Santa Fe New Mexico

System Replication

• We utilize three identical dual processor IBM H70 Unix systems located at USC, UU, and Maui HPCC in secure environments linked by Internet II.

• We continue to study optimal means of program and data replication (from SC EPD) so that full operations can be recovered and continued from any of the three sites within minutes.

• We reported on our progress in this area at the last PI meeting and we will give a final report at the next appropriate meeting.

Page 6: DARPA OASIS Meeting Santa Fe New Mexico


Network as a Complex System: Information Flow Analysis

Santa Fe, July 25, 2001

Vladimir Gudkov & Joseph E. Johnson

University of South Carolina

Page 7: DARPA OASIS Meeting Santa Fe New Mexico


Project Goals

Real-time network monitoring for:

• Automatic detection of known attacks

• Detection of UNKNOWN attacks over a wide time range (from msec to months), at the reconnaissance stage of the attack

Page 8: DARPA OASIS Meeting Santa Fe New Mexico


Approach

• To describe the information traffic for host-to-host communication as a trajectory in a multi-dimensional parameter-time space

• To understand the properties of the Information Flow

• To use fast pattern recognition methods (Wavelet Analysis) for network analysis and for detection of possible intrusions

Page 9: DARPA OASIS Meeting Santa Fe New Mexico


Information traffic description

• To understand the structure of the variables for internet host-to-host communications we used packet dumps of network traffic.

• The parameters carried in the packet headers have been divided into two separate classes: dynamical and static (MAC[Router] % IP address).

• The information traffic for host-to-host communication can be described as a trajectory in a multi-dimensional static parameter-time space.

Page 10: DARPA OASIS Meeting Santa Fe New Mexico


A Packet Header

Frame 1 (161 on wire, 161 captured)
    Arrival Time: Nov 8, 2000 10:49:08.2032
    Time delta from previous packet: 0.000000 seconds
    Frame Number: 1
    Packet Length: 161 bytes
    Capture Length: 161 bytes
Ethernet II
    Destination: 00:60:08:9b:e7:56 (00:60:08:9b:e7:56)
    Source: 00:10:5a:19:01:ee (asgnet2.psc.sc.edu)
    Type: IP (0x0800)
Internet Protocol
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Currently Unused: 0
    Total Length: 147
    Identification: 0x7302
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x2f0c (correct)
    Source: asgnet2.psc.sc.edu (129.252.170.50)
    Destination: ivispbx2.asg.sc.edu (129.252.170.43)
Transmission Control Protocol, Src Port: nbsession (139), Dst Port: 1309 (1309), Seq: 34966149, Ack: 519891016
    Source port: nbsession (139)
    Destination port: 1309 (1309)
    Sequence number: 34966149
    Acknowledgement number: 519891016
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 8360
    Checksum: 0x0dbd
NetBIOS Session Service
    Message Type: Session message
    Flags: 0x00
        .... ...0 = Add 0 to length
    Length: 103
SMB (Server Message Block Protocol)
    Message Type: 0xFF
    Server Component: SMB
    SMB Command: SMBntcreateX (0xa2)
    Error Class: Success
    Reserved: 0
    Error Code: No Error
    Flags: 0x98
        .... ...0 = Lock&Read, Write&Unlock not supported
        .... ..0. = Receive buffer not posted
        .... 1... = Path names caseless
        ...1 .... = Pathnames canonicalized
        ..0. .... = OpLocks not requested/granted
        .0.. .... = Notify open only
        1... .... = Response to client/redirector
    Flags2: 0x8003
        .... .... .... ...1 = Long file names supported
        .... .... .... ..1. = Extended attributes supported
        .... .... .... .0.. = Security signatures not supported
        .... 0... .... .... = Extended security negotiation not supported
        ...0 .... .... .... = Don't resolve pathnames with DFS
        ..0. .... .... .... = Don't permit reads if execute-only
        .0.. .... .... .... = Error codes are DOS error codes
        1... .... .... .... = Strings are Unicode
    Reserved: 6 WORDS
    Network Path/Tree ID (TID): 12292 (3004)
    Process ID (PID): 53280 (d020)
    User ID (UID): 14339 (3803)
    Multiplex ID (MID): 17792 (4580)
    Data (71 bytes)

Page 11: DARPA OASIS Meeting Santa Fe New Mexico


Information Flow Representation

We can describe (on-line) the complete structure of the packet header in terms of MATHEMATICAL FUNCTIONS

The basis for theoretical and numerical analysis

Page 12: DARPA OASIS Meeting Santa Fe New Mexico


Questions to answer on the first stage of experiments

1. What is a characteristic dimension of the network parameter space?

2. How many nodes are needed before the network can be considered a "complex enough" system?

3. How does the dimension of the space depend on the network topology and on the number of nodes?

Page 13: DARPA OASIS Meeting Santa Fe New Mexico


Method: Chaotic Data Analysis*

* e.g. H.D.I. Abarbanel et al., Rev. Mod. Phys. 65 (1993) 1331 and references therein

Let the dynamical variables $x(t)$ obey

$\dfrac{dx(t)}{dt} = F(x(t))$

and let $s(t) = g(x(t))$ be the observed scalar quantity, sampled as $s(n) = g(x(n))$.

Construct the delay vector

$y(n) = [\, s(n),\ s(n+T),\ s(n+2T),\ \ldots,\ s(n+(d-1)T)\,]$

Page 14: DARPA OASIS Meeting Santa Fe New Mexico

Method (continued)

To solve the equation

$\dfrac{d^m s(t)}{dt^m} = F\!\left(s(t),\ \dfrac{ds(t)}{dt},\ \dfrac{d^2 s(t)}{dt^2},\ \ldots\right)$

one needs the derivatives of $s(t)$. With sampling interval $T$ they are approximated by time delays:

$s(t+T) = s(t) + T\,\dfrac{ds(t)}{dt} + \dfrac{T^2}{2}\,\dfrac{d^2 s(t)}{dt^2} + \ldots$

$s(t+2T) = s(t) + 2T\,\dfrac{ds(t)}{dt} + \dfrac{(2T)^2}{2}\,\dfrac{d^2 s(t)}{dt^2} + \ldots$

so the delay vector

$y(t) := [\, s(t),\ s(t+T),\ s(t+2T),\ \ldots\,]$

carries the same information as $[\, s(t),\ ds(t)/dt,\ d^2 s(t)/dt^2,\ \ldots\,]$.
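As an added example (not code from the slides or from the authors' IRIS system), the delay-vector construction $y(n)$ of the two Method slides, together with the false-nearest-neighbours test from the Abarbanel review, applied to a constructed scalar series to estimate the embedding dimension; the series, the 300-sample window, the delay $T=1$ and the ratio threshold $R_{tol}=10$ are assumptions of this example.

```python
import math

# Constructed stand-in for the observed scalar s(n) (an assumption of this example):
# on real traffic s(n) would be one header field per packet, e.g. Packet Length.
# A smooth oscillation is used so the expected embedding dimension (2) is known.
SERIES = [math.sin(0.25 * n) for n in range(300)]


def delay_vectors(s, d, T=1):
    """y(n) = [s(n), s(n+T), ..., s(n+(d-1)T)] for every n where the vector fits."""
    count = len(s) - (d - 1) * T
    return [tuple(s[n + k * T] for k in range(d)) for n in range(count)]


def false_nearest_fraction(s, d, T=1, r_tol=10.0):
    """Fraction of d-dimensional delay vectors whose nearest neighbour is false.

    Neighbours that fly apart by more than r_tol times their distance once the
    next delayed sample s(n+dT) is appended were only close because dimension d
    folded the trajectory onto itself (false-nearest-neighbours test).
    """
    vecs = delay_vectors(s, d, T)
    usable = len(s) - d * T            # vectors for which s(n+dT) still exists
    if usable < 2:
        raise ValueError("series too short for this d and T")
    false = 0
    for i in range(usable):
        best_j, best_dist = None, math.inf
        for j in range(usable):        # brute-force nearest neighbour search
            if j != i:
                dist = math.dist(vecs[i], vecs[j])
                if dist < best_dist:
                    best_j, best_dist = j, dist
        future_gap = abs(s[i + d * T] - s[best_j + d * T])
        if future_gap > r_tol * best_dist:
            false += 1
    return false / usable


def estimate_dimension(s, max_d=6, T=1, threshold=0.05):
    """Smallest d whose false-neighbour fraction drops below threshold (None if none)."""
    for d in range(1, max_d + 1):
        if false_nearest_fraction(s, d, T) < threshold:
            return d
    return None


if __name__ == "__main__":
    for d in range(1, 4):
        print(f"d={d}: false neighbours {false_nearest_fraction(SERIES, d):.2f}")
    print("estimated dimension:", estimate_dimension(SERIES))
```

On the constructed series about half of the 1-dimensional neighbours are false and none remain at $d=2$, which is how the slides' "about 10 – 12" figure for real traffic would be read off: the first dimension at which the false-neighbour fraction stays near zero.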

Page 15: DARPA OASIS Meeting Santa Fe New Mexico


Dimension of Information flow

Page 16: DARPA OASIS Meeting Santa Fe New Mexico


Structure of “Information” space

Dimension (number of independent parameters) is about 10 – 12

It does not depend on the network topology, size, operating systems …

Therefore, one can study the structure of network traffic and possible network intrusions in terms of those parameters.

Page 17: DARPA OASIS Meeting Santa Fe New Mexico


Fourier Transform

Page 18: DARPA OASIS Meeting Santa Fe New Mexico


Wavelet (local cosine)

Page 19: DARPA OASIS Meeting Santa Fe New Mexico


What have we got?

• A method to describe (in real time) information traffic and possible network intrusions in terms of well-defined network parameters

• Understanding of some aspects of the basic (fundamental) structure of the information flow

• The ability to detect intrusions at the reconnaissance stage of attacks

Page 20: DARPA OASIS Meeting Santa Fe New Mexico


What are we working on?

• Understanding of normal network behavior

• A quantitative method for detecting and classifying the danger level of possible attacks

• A model-independent way to obtain the best possible (optimized) level of detection for a given class of intrusions

Page 21: DARPA OASIS Meeting Santa Fe New Mexico


How do we plan to do this?

• Correlations of the parameters using pattern recognition in multi-dimensional space (Wavelet analysis, Fast Fourier Transform, Statistical Methods, ...)

• Time-scale signal separation and noise reduction (wavelets, random matrices, ...)

• On-line analysis (to test methods, hypotheses, etc.)