DARPA OASIS Meeting Santa Fe New Mexico - PowerPoint PPT Presentation

1
DARPA OASIS Meeting, Santa Fe, New Mexico
  • July 26, 2001
  • Joseph E. Johnson, PhD
  • Vladimir Gudkov, PhD

2
Overview of Our Work
  • IRIS
  • A C4I Emergency Management System, in operation
    for four years for SC. IRIS requires maximum
    invulnerability.
  • Part I: Complete System Replication
  • Addresses site-specific threats
  • Part II: Network Security
  • Threats to networks: Vladimir Gudkov

3
IRIS Background
  • Our team developed the Internet Routed
    Information System (IRIS) to manage all threat
    events and response tracking for SC.
  • IRIS consists of a central Oracle 8i database
    running on an IBM Unix (RS/6000 H70)
    multiprocessor with Java, GIS mapping, with all
    data interfacing by standard web browsers. Soon
    we will implement voice recognition interfacing.
  • IRIS is a Command Control Communication Computer
    Information C4I type system and very pertinent
    to DARPA security efforts.
  • The system has been fully operational for 4 years
    managing all emergency events threats, resource
    requests, messages, and logs. New additions
    include databases for critical facilities,
    donated goods, damage tracking, and personnel
    tracking.
  • IRIS specifically manages threats of BCN
    terrorism, and specifically tracks information
    infrastructure and computer attacks.
  • We anticipate new funding in Oct 2001 explicitly
    to build a biological terrorism module.

4
IRIS Threats / DARPA Initiatives
  • Threats
  • Acts of nature (hurricanes, epidemics, power/IP
    loss, ...)
  • Unintentional acts of man (including hardware
    failures and software bugs)
  • Intentional acts of man (including network
    attacks and viruses and all forms of crime and
    terrorism)
  • Our DARPA efforts are designed to make the IRIS
    system as robust and invulnerable as possible
  • For site-specific threats: use System Replication
  • For network threats: today's talk

5
System Replication
  • We utilize three identical dual processor IBM H70
    Unix systems located at USC, UU, and Maui HPCC in
    secure environments linked by Internet II.
  • We continue to study optimal means of program and
    data replication (from SC EPD) so that full
    operations can be recovered and continued from
    any of the three sites within minutes.
  • We reported on our progress in this area at the
    last PI meeting and we will give a final report
    at the next appropriate meeting.

6
Network as a Complex System: Information Flow
Analysis
  • Santa Fe, July 25, 2001
  • Vladimir Gudkov, Joseph E. Johnson
  • University of South Carolina

7
Project Goals
  • Real-time network monitoring for:
  • Automatic detection of known attacks
  • Detection of UNKNOWN attacks over a wide
    time range (from msec to months)
  • on the reconnaissance stage of the attack

8
Approach
  • To describe the information traffic of
    host-to-host communication as a trajectory in
    multi-dimensional parameter-time space
  • To understand the properties of the information
    flow
  • To use fast pattern recognition methods (wavelet
    analysis) for network analysis and for detection
    of possible intrusions

9
Information traffic description
  • To understand the structure of the variables for
    internet host-to-host communications we used
    dumped output of network traffic.
  • Parameters encapsulated in the data flow packets
    have been divided into two separate classes:
    dynamical and static (MAC, router, IP address)
  • The information traffic for host-to-host
    communication can be described as a trajectory in
    multi-dimensional static parameter-time space

10
A Packet Header
  • Frame 1 (161 on wire, 161 captured)
  • Arrival Time: Nov 8, 2000 10:49:08.2032
  • Time delta from previous packet: 0.000000
    seconds
  • Frame Number: 1
  • Packet Length: 161 bytes
  • Capture Length: 161 bytes
  • Ethernet II
  • Destination: 00:60:08:9b:e7:56
    (00:60:08:9b:e7:56)
  • Source: 00:10:5a:19:01:ee (asgnet2.psc.sc.edu)
  • Type: IP (0x0800)
  • Internet Protocol
  • Version: 4
  • Header length: 20 bytes
  • Differentiated Services Field: 0x00 (DSCP
    0x00: Default)
  • 0000 00.. = Differentiated Services
    Codepoint: Default (0x00)
  • .... ..00 = Currently Unused: 0
  • Total Length: 147
  • Identification: 0x7302
  • Flags: 0x04
  • Window size: 8360
  • Checksum: 0x0dbd
  • NetBIOS Session Service
  • Message Type: Session message
  • Flags: 0x00
  • .... ...0 = Add 0 to length
  • Length: 103
  • SMB (Server Message Block Protocol)
  • Message Type: 0xFF
  • Server Component: SMB
  • SMB Command: SMBntcreateX (0xa2)
  • Error Class: Success
  • Reserved: 0
  • Error Code: No Error
  • Flags: 0x98
  • .... ...0 = Lock & Read, Write & Unlock: not
    supported
  • .... ..0. = Receive buffer: not posted
  • .... 1... = Path names: caseless
  • ...1 .... = Pathnames: canonicalized
11
Information Flow Representation
  • We can describe (on-line) the complete structure
    of the packet header in terms of MATHEMATICAL
    FUNCTIONS
  • This is the basis for theoretical and numerical analysis

12
Questions to answer in the first stage of
experiments
  • What is the characteristic dimension of the network
    parameter space?
  • How many nodes are needed to consider the network
    a "complex enough" system?
  • How does the dimension of the space depend on the
    network topology and on the number of nodes?

13
Method: Chaotic Data Analysis
  • e.g. H.D.I. Abarbanel et al., Rev. Mod. Phys.
    65 (1993) 1331 and references therein
14
Method (continued)
15
Dimension of Information flow
16
Structure of Information space
  • Dimension (number of independent parameters) is
    about 10-12
  • It does not depend on the network topology, size,
    or operating systems
  • Therefore, one can study the structure of network
    traffic and possible network intrusions in
    terms of those parameters.

17
Fourier Transform
18
Wavelet (local cosine)
19
What we've got
  • A method to describe (in real time) information
    traffic and possible network intrusions in
    terms of well-defined network parameters
  • An understanding of some aspects of the basic
    (fundamental) structure of the information flow
  • The ability to detect intrusions at the
    reconnaissance stage of an attack

20
What we are working on
  • An understanding of normal network behavior
  • A quantitative method for detecting and
    classifying the danger level of possible
    attacks
  • A model-independent way to obtain the best
    possible (optimized) level of detection of
    an intrusion for a given class of intrusions

21
How do we plan to do this?
  • Correlations of the parameters using pattern
    recognition in multi-dimensional space (wavelet
    analysis, Fast Fourier Transform, statistical
    methods)
  • Time-scale signal separation and noise reduction
    (wavelets, random matrices, ...)
  • On-line analysis (to test methods, hypotheses, etc.)