Security Research Division (PowerPoint presentation transcript)
Provided by: issoS
Slides: 22

Transcript and Presenter's Notes

1
Security Research Division
  • David Balenson, Division Manager, Security
    Research

2
Security Research Division
  • Vision: to be internationally recognized as the
    leading authority in intrusion prevention research
  • Mission: to conduct fundamental and applied research
    and to develop prototype applications that provide
    highly accurate, highly automated approaches to
    computer and network security and response

3
Security Research Division
  • Premier research organization with 35 members
  • Breadth and depth of INFOSEC R&D
  • Over 400 years of collective experience
  • First organization focused on INFOSEC R&D
  • Initially founded through DARPA encouragement
  • Only organization focused solely on INFOSEC R&D
  • Demonstrated technical success over 20 years
  • Addressing hard problems 2-5 years out
  • Very strong focus on technology transfer
  • Substantial impact on the INFOSEC R&D community
  • Strong business development
  • Long-standing relationships with Government INFOSEC
    R&D program managers
  • www.isso.sparta.com/research

4
Impact on the INFOSEC R&D Community
  • Publications
  • Journals and conferences: DISCEX, IEEE S&P, NDSS,
    USENIX Security
  • Release of selected software as open source:
    opensource.sparta.com
  • Advanced Security Research Journal (ASRJ)
  • Community leadership and participation
  • Standards organizations: IETF, OMG
  • Professional organizations: ACM, IEEE, ISOC,
    USENIX, IACR, APWG
  • Trade associations: ITAA, CRA
  • Partnerships
  • Academic: ARL CN CTA, Internet2
  • Government: PCIS, I3P, IRC

5
Threat Evolution: Malicious Code
[Timeline figure. Horizontal axis: early 1990s, mid
1990s, late 1990s, 2000, 2003, 2006. Vertical axis: time
available to respond, from weeks or months down to days,
hours, minutes, and seconds. Labels recovered from the
slide, oldest threat class first:]
  • Boot and .COM infectors, file viruses, macro viruses,
    e-mail worms: human response possible
  • Blended threats, phishing
  • Warhol worms, e.g., Slammer: human response
    difficult or impossible; automated response possible
  • Flash worms, e.g., Sasser: human response impossible;
    automated response unlikely; proactive blocking
    possible
  • Attacks targeted on a specific organization: human
    response impossible; automated response required,
    i.e., automated remediation and automated attribution
6
The Intrusion Protection Challenge
  • Intrusion protection addresses a fundamentally hard,
    if not intractable, problem
  • Unknown attacker
  • Unknown attack
  • Unknown vulnerability
  • Yet a 100% reliable solution with zero false
    positives is expected
  • Intrusion protection technologies are nascent
  • Regardless of the difficulty, the need remains high
  • Requires substantial R&D partnership among
    government, industry, and academia

7
(No Transcript)
8
Security Research Areas: Policy-based Security Controls
  • Policy-based security controls
  • Augmentation of operating systems, including boot
    loaders, OS primitives, and file system primitives,
    with key security capabilities (mandatory access
    controls, multi-level security, audit, and network
    exploitation prevention) to provide policy-based
    assurance in hosts and network components
  • Example projects
  • SELinux, the MAC Framework for BSD and Darwin, SEBSD,
    SEDarwin, and SEFOS
  • Trusted computing platforms
  • Intrusion prediction, impact assessment, recovery and
    remediation, and incident management
  • Automated security policy definition, deployment,
    and configuration
  • Policy management languages
  • Security management and access controls (RBAC,
    TBAC, TMAC, CBAC, and ABAC)

9
Secure Operating System Technology Transfer Flow
10
Configuration Synthesis and Policy Enforcement
(SPiCE)
  • Automatically translate high-level policy into
    lower-level configurations across heterogeneous
    set of components
  • Achieve policy consistency across multiple
    enforcement mechanisms
  • Utilize a high-level policy expression language
    (Cape) based on the CBAC basic access control
    model
  • Include a mechanism for representing the system
    structure
  • Develop translation techniques and mechanisms to
    synthesize enforcement mechanism configurations
    from Cape policies and system structure
    information
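The translation step described above, as an added worked example (this is not SPARTA's SPiCE or Cape code): a two-line policy in a made-up "permit GROUP -> SERVICE" syntax is compiled against a small system-structure model into two different enforcement configurations, an iptables-style host filter and an application-level allow list. A consistency check then reads the synthesised firewall back and confirms that both enforcement points permit exactly the same (source, service) pairs, which is the "policy consistency across multiple enforcement mechanisms" goal in practice. The policy syntax, the model, the host names and the addresses are all constructed for the example.

```python
"""Toy version of the SPiCE idea: one high-level policy, two synthesised
enforcement configurations, and a consistency check between them.

Added example, not SPARTA's code. The policy syntax ('permit GROUP -> SERVICE'),
the system-structure model and the two target formats (iptables-style filter
rules and an application allow list) are assumptions for illustration; the
page does not show Cape's actual syntax.
"""
from dataclasses import dataclass


@dataclass
class SystemModel:
    """System-structure information the translator needs."""
    hosts: dict      # host name -> IP address
    services: dict   # service name -> (host name, TCP port)
    groups: dict     # subject group -> list of host names


@dataclass
class Rule:
    action: str      # "permit" or "deny"
    group: str
    service: str


def parse_policy(text):
    """Parse lines such as 'permit analysts -> webapp' into Rule objects."""
    rules = []
    for line in text.strip().splitlines():
        action, rest = line.split(None, 1)
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        group, service = (t.strip() for t in rest.split("->"))
        rules.append(Rule(action, group, service))
    return rules


def to_firewall(rules, model):
    """Synthesise host-firewall lines for the service hosts (first match
    wins; an explicit default deny is appended last)."""
    lines = []
    for r in rules:
        host, port = model.services[r.service]
        target = "ACCEPT" if r.action == "permit" else "DROP"
        for src in model.groups[r.group]:
            lines.append(f"-A INPUT -s {model.hosts[src]} -d {model.hosts[host]} "
                         f"-p tcp --dport {port} -j {target}")
    lines.append("-A INPUT -j DROP")
    return lines


def to_allowlist(rules, model):
    """Synthesise an application-level allow list: service -> set of source IPs."""
    allow = {}
    for r in rules:
        if r.action == "permit":
            ips = {model.hosts[h] for h in model.groups[r.group]}
            allow.setdefault(r.service, set()).update(ips)
    return allow


def firewall_permits(lines, model):
    """Read the synthesised firewall back into (source IP, service) pairs."""
    ip_to_host = {ip: h for h, ip in model.hosts.items()}
    permits = set()
    for line in lines:
        if not line.endswith("ACCEPT"):
            continue
        p = line.split()
        src = p[p.index("-s") + 1]
        dst = ip_to_host[p[p.index("-d") + 1]]
        port = int(p[p.index("--dport") + 1])
        service = next(s for s, hp in model.services.items() if hp == (dst, port))
        permits.add((src, service))
    return permits


def consistent(rules, model):
    """Policy consistency check: both enforcement points must permit exactly
    the same (source, service) pairs, so drift in one cannot open a hole."""
    fw = firewall_permits(to_firewall(rules, model), model)
    al = {(ip, s) for s, ips in to_allowlist(rules, model).items() for ip in ips}
    return fw == al


# Constructed system model and policy for the demo.
MODEL = SystemModel(
    hosts={"ws1": "10.0.1.10", "ws2": "10.0.1.11", "lab1": "10.0.2.20", "web": "10.0.3.5"},
    services={"webapp": ("web", 443)},
    groups={"analysts": ["ws1", "ws2"], "lab": ["lab1"]},
)
POLICY = """
permit analysts -> webapp
deny lab -> webapp
"""

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    print("\n".join(to_firewall(rules, MODEL)))
    print(to_allowlist(rules, MODEL))
    print("consistent:", consistent(rules, MODEL))
```

The deny rule shows the asymmetry a translator has to handle: the firewall needs an explicit DROP line for the lab host, while the allow list expresses the same decision by omission, and only the read-back comparison proves the two agree.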

11
Attribute-Based Access Control (ABAC)
  • Flexible, decentralized, and scalable access
    control for collaborative environments
  • Base authorization decisions on attributes of
    requestor
  • Attributes and delegations are carried in
    credentials signed by credential issuers
  • Requestor and access mediator can be strangers
  • Use trust negotiation to exchange credentials,
    while managing attribute sensitivity
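A minimal version of the ABAC flow described above, as an added example (it is not the project's code). Each credential carries one attribute and is signed by its issuer; the access mediator accepts a credential only if it can verify the issuer's signature, so requestor and mediator need no prior relationship with each other. A short trust negotiation releases the requestor's sensitive clearance attribute only after the mediator has proven consortium membership. HMAC-SHA256 with a per-issuer key stands in for the issuer's public-key signature (an assumption made to keep the example dependency-free; a real deployment would use asymmetric signatures so the mediator shares no secret with the issuer). Issuer names, keys, attribute values and the resource policy are constructed.

```python
"""Attribute-based access control with issuer-signed credentials and a
small trust negotiation.

Added example, not SPARTA's ABAC implementation. Assumptions: one attribute
per credential, HMAC-SHA256 with a per-issuer key standing in for the
issuer's digital signature, and the issuer names, keys and attribute values
constructed below.
"""
import hashlib
import hmac
import json


def issue(issuer, issuer_key, subject, attr, value):
    """Issuer asserts one (subject, attr, value) and signs it."""
    body = {"issuer": issuer, "subject": subject, "attr": attr, "value": value}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()}


def verify(cred, trusted_issuers):
    """Accept only credentials from a trusted issuer whose signature checks;
    the verifier needs no prior relationship with the subject."""
    key = trusted_issuers.get(cred["body"]["issuer"])
    if key is None:
        return False
    payload = json.dumps(cred["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cred["sig"])


def fact(cred):
    b = cred["body"]
    return (b["issuer"], b["attr"], b["value"])


class Party:
    """Either side of the negotiation: holds credentials, trusts some issuers,
    and releases a sensitive attribute only after the peer has proven the
    facts listed for it in release_policy (unlisted attributes are public)."""
    def __init__(self, creds, trusted_issuers, release_policy):
        self.creds = creds
        self.trusted = trusted_issuers
        self.release_policy = release_policy
        self.peer_proved = set()

    def disclose(self):
        return [c for c in self.creds
                if self.release_policy.get(c["body"]["attr"], set()) <= self.peer_proved]

    def receive(self, creds):
        for c in creds:
            if verify(c, self.trusted):        # unverifiable credentials prove nothing
                self.peer_proved.add(fact(c))


def negotiate(requestor, mediator, resource_policy, max_rounds=4):
    """Alternate disclosures until the mediator has verified every fact the
    resource policy requires. Returns the round that succeeded, or 0."""
    for rnd in range(1, max_rounds + 1):
        mediator.receive(requestor.disclose())
        if resource_policy <= mediator.peer_proved:
            return rnd
        requestor.receive(mediator.disclose())
    return 0


# Constructed issuers, keys and scenario.
HR_KEY, CA_KEY = b"hr-issuer-key", b"partner-ca-key"
TRUSTED = {"hr.example": HR_KEY, "partner-ca.example": CA_KEY}
MEMBERSHIP = ("partner-ca.example", "org", "consortium-member")


def scenario(mediator_has_membership=True):
    """Alice must prove role and clearance to a document server she has never
    met; she will not reveal her clearance until the server proves membership."""
    alice = Party(
        creds=[issue("hr.example", HR_KEY, "alice", "role", "researcher"),
               issue("hr.example", HR_KEY, "alice", "clearance", "secret")],
        trusted_issuers=TRUSTED,
        release_policy={"clearance": {MEMBERSHIP}},
    )
    server_creds = ([issue("partner-ca.example", CA_KEY, "docserver", "org", "consortium-member")]
                    if mediator_has_membership else [])
    server = Party(server_creds, TRUSTED, release_policy={})
    resource_policy = {("hr.example", "role", "researcher"),
                       ("hr.example", "clearance", "secret")}
    return negotiate(alice, server, resource_policy)


if __name__ == "__main__":
    print("rounds to grant:", scenario())
    print("rounds to grant without membership proof:", scenario(False))
```

The grant takes two rounds because the clearance is withheld until the server's membership credential has been verified; a server that cannot prove membership never sees it and the request is refused.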

12
Security Research Areas: Intrusion Prevention
  • Intrusion prevention
  • Mechanisms, algorithms, and prototype code that
    inhibit unauthorized users from gaining access
    through vulnerabilities in networks and network
    protocols
  • Example projects
  • Prediction, response and recovery, traceback, and
    source identification
  • Scalable, coordinated mechanisms for distributed
    DDoS protection
  • Intrusion detection for mobile ad-hoc networks
    (MANETs)
  • Client- and Server-assured Document Access
    Controls (TDOC)
  • Cyber Defense Technology Experimental Research
    (DETER) testbed and Evaluation Methods for
    Internet Security Technology (EMIST)
  • Authentication and confidentiality techniques for
    the physical link layers
  • Low-bandwidth, low-energy key management
    techniques for wireless MANETs
  • Demonstrations in the CERDEC Tactical Wireless
    Network Assurance (TWNA) and ARL Secure Mobile
    Networking (OSD Horizontal Fusion) programs

13
Flexible Policy Models and Architectures for
Client and Server-assured Document Access
Controls (TDOC)
  • Developing advanced document control models for
    document-centric environments so as to limit
    insider abuse
  • Providing solutions that are portable across COTS
    document formats and applications
  • Seeking solutions that are dual-use, commercially
    viable, easy to deploy, and cost-efficient
  • Providing solutions with a high degree of
    assurance through the use of commercially
    available trusted platforms
  • Demonstrating these ideas by building a prototype
    high-assurance document management system

14
Security Research Areas: Malicious Code Defense
  • Malicious code defense
  • Analyze attack mechanisms, attack methodologies,
    attack perpetrators, and attack sources: deep
    semantic analysis of viruses, worms, Trojans,
    Warhol attacks, spam, and phishing attacks
  • Example projects
  • Static and dynamic malware analysis
  • Malware technology, trends, and malicious code
    detection
  • Zero-day worm protection
  • Spam detection and blocking, anti-phishing
  • Custom integration and testing of anti-virus and
    anti-spam engines
  • Enterprise-scale security metrics
  • Developing and applying formal models to security
    analysis
  • Adaptation of economics, decision theory, and
    game theory research
  • Architectural strategies and solutions

15
Malware Analysis
  • Perform in-depth analysis of malware samples,
    including capabilities, structure, and
    relationships to other samples
  • Malware includes viruses, worms, trojans, and
    backdoors
  • Employ a combination of static and dynamic
    analysis techniques
  • Isolated virus lab
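Static analysis is the first of the two techniques listed above. The following added example (not SPARTA's lab tooling) shows the kind of first pass an analyst runs on a sample before dynamic analysis: strings extraction, an import watch list, URL carving, and per-window entropy to find packed or encrypted regions, which is the usual reason static analysis stops short and the sample has to be unpacked or run. The sample bytes (a fake DOS stub, a NUL-separated import list, a C2 URL on the reserved .test domain, and a hash chain standing in for a packed payload), the API watch list and the 7.0-bit threshold are constructed for illustration.

```python
"""Static triage of a binary blob: printable strings, suspicious imports,
embedded URLs, and per-window entropy to spot packed or encrypted regions.

Added example, not SPARTA's code. The sample is constructed by build_sample();
the API watch list and the entropy threshold are illustrative choices.
"""
import hashlib
import math
import re

SUSPICIOUS_APIS = {  # common process-injection / downloader imports (illustrative)
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
    "WinExec", "URLDownloadToFileA",
}
CHUNK = 512              # entropy window; 512 bytes keeps the estimate stable
PACKED_THRESHOLD = 7.0   # bits/byte: compiled code ~5-6.5, packed/encrypted data ~7.5+


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def strings(data, min_len=6):
    """ASCII runs of at least min_len printable bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def chunk_entropy(data, chunk=CHUNK):
    return [(off, shannon_entropy(data[off:off + chunk]))
            for off in range(0, len(data), chunk)]


def triage(data):
    """Static indicators for a blob."""
    found = strings(data)
    return {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 2),
        "apis": sorted(s for s in found if s in SUSPICIOUS_APIS),
        "urls": [s for s in found if re.match(r"https?://", s)],
        # Windows that look packed/encrypted. Strings carved from inside them
        # are noise; the region has to be unpacked before static analysis helps.
        "high_entropy_chunks": [off for off, e in chunk_entropy(data)
                                if e > PACKED_THRESHOLD],
    }


def build_sample():
    """Constructed sample: readable header + imports + config padded to one
    window, then 2048 bytes of a SHA-256 hash chain standing in for a packed
    payload."""
    header = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n"
    imports = b"\x00".join([b"kernel32.dll", b"CreateRemoteThread",
                            b"WriteProcessMemory", b"VirtualAllocEx"]) + b"\x00"
    config = b"http://c2.example.test/gate.php\x00"
    clear = (header + imports + config).ljust(CHUNK, b"\x00")
    packed, block = b"", b"constructed-seed"
    while len(packed) < 2048:
        block = hashlib.sha256(block).digest()
        packed += block
    return clear + packed


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

To run it on a real file, replace `build_sample()` with `open(path, "rb").read()`; the high-entropy window offsets then map onto section boundaries, which is how a packer such as UPX is usually spotted without any signature.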

16
Security Research Areas: High Performance Assurance & Forensics
  • High performance assurance and forensics
  • Hardware and software research leading to deep
    content inspection, processing, and analysis of
    packets at line speeds; current focus is OC-48
    to OC-192 and beyond
  • Example projects
  • Network processors, high-bandwidth wireless
    networks
  • High-speed multi-function security appliance
  • Automatic generation of protocol analyzers
  • Data mining, collection, reduction, and
    normalization
  • Machine learning algorithms and applications

17
High-Speed Multi-Function Appliance (HSMFA)
  • Prototype a field-programmable, high-speed,
    multi-function security appliance
  • Achieve deep packet inspection and processing at
    line speeds between 1 Gbps and 10 Gbps (OC-48,
    about 2.5 Gbps, through OC-192, about 10 Gbps)
  • Provide network monitoring, intrusion prevention,
    anti-virus, anti-spam, and anti-scam functions in
    a single platform
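The appliance above depends on two operations done inside the packet at wire speed: decoding the protocol headers and matching content in the payload. This added example (not HSMFA code, and not the page's) does both in Python over constructed Ethernet/IPv4/TCP frames, and shows why the stream rather than the packet is the unit an intrusion-prevention or anti-virus function has to work on: a signature that fires on one frame is invisible when the same bytes are split across two TCP segments unless the engine reassembles the stream first. The EICAR pattern is a published anti-virus test string; the second signature, the addresses and the frames are constructed, and `re` stands in for the Aho-Corasick or hardware matchers a line-rate engine would use.

```python
"""Per-packet deep inspection versus TCP stream reassembly (added example,
not HSMFA code). EICAR is a published AV test string; 'demo_beacon', the
addresses and the frames are constructed. Real line-rate engines use
Aho-Corasick or hardware matchers rather than Python's re module."""
import re
import struct

ETH_LEN = 14
SIGNATURES = [
    ("eicar", rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"),
    ("demo_beacon", b"BEACON-ID-DEMO"),   # hypothetical marker, illustration only
]


def compile_signatures(sigs):
    """One regex with a named group per signature: a single pass over the
    payload reports every signature that matched."""
    parts = [b"(?P<" + name.encode() + b">" + re.escape(pat) + b")" for name, pat in sigs]
    return re.compile(b"|".join(parts))


MATCHER = compile_signatures(SIGNATURES)


def scan(payload, matcher=MATCHER):
    return sorted({m.lastgroup for m in matcher.finditer(payload)})


def ipv4(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_frame(src, dst, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipv4(src), ipv4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode headers. Returns None for non-IPv4/TCP traffic and raises
    ValueError on malformed input rather than reading past the buffer."""
    if len(frame) < ETH_LEN + 20:
        raise ValueError("truncated frame")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ver_ihl = frame[ETH_LEN]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", frame[ETH_LEN + 2:ETH_LEN + 4])[0]
    if frame[ETH_LEN + 9] != 6:
        return None
    tcp = ETH_LEN + ihl
    if len(frame) < tcp + 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq = struct.unpack("!HHI", frame[tcp:tcp + 8])
    data_off = (frame[tcp + 12] >> 4) * 4
    end = ETH_LEN + total_len
    if data_off < 20 or end > len(frame) or tcp + data_off > end:
        raise ValueError("bad TCP header or length")
    return {"src": ".".join(map(str, frame[ETH_LEN + 12:ETH_LEN + 16])),
            "dst": ".".join(map(str, frame[ETH_LEN + 16:ETH_LEN + 20])),
            "sport": sport, "dport": dport, "seq": seq,
            "payload": frame[tcp + data_off:end]}


def inspect_packet(frame):
    """Per-packet DPI: scan only this packet's payload."""
    pkt = parse_frame(frame)
    return [] if pkt is None else scan(pkt["payload"])


class StreamInspector:
    """Minimal reassembly keyed by the 4-tuple; re-scans the accumulated
    bytes so patterns spanning segment boundaries are found. Assumes in-order,
    non-overlapping segments (a real engine must also handle retransmission,
    overlap and per-stream memory limits)."""
    def __init__(self):
        self.streams = {}

    def feed(self, frame):
        pkt = parse_frame(frame)
        if pkt is None:
            return []
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        self.streams[key] = self.streams.get(key, b"") + pkt["payload"]
        return scan(self.streams[key])


def demo_split(payload=SIGNATURES[0][1]):
    """Same bytes sent whole, then split across two segments."""
    a = ("10.0.0.5", "10.0.0.9", 40000, 80)
    half = len(payload) // 2
    whole = build_frame(*a, 1, payload)
    part1 = build_frame(*a, 1, payload[:half])
    part2 = build_frame(*a, 1 + half, payload[half:])
    per_packet = inspect_packet(part1) + inspect_packet(part2)
    si = StreamInspector()
    si.feed(part1)
    return inspect_packet(whole), per_packet, si.feed(part2)
```

`demo_split()` returns the three verdicts in order: the whole frame alerts, the two halves scanned independently do not, and the reassembled stream alerts again. The per-stream buffer is also where the cost goes at OC-192 rates, which is why the page's hardware and network-processor work sits behind an appliance like this.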

18
Multiple Dimensions of the Asymmetric Security Problem
  • Multiple levels and implementations of protocols
  • Asymmetric network topology
  • Completeness in grid composition
  • Restrictions in organizational hierarchies
  • Sophistication of threats, attacks, and
    vulnerabilities
  • Different time scales for detection and reaction
19
Technology Transfer Approach
[Flow diagram; labels recovered from the slide]
  • Further research: IR&D, seedlings, proposals,
    prototypes
  • Internal technology transfer: transfer to systems
    integrators; sell or license
  • An alternative: publications, conferences, open
    source, patents
  • The first two paths are labelled "we plan"; the
    alternative is labelled "we do"

20
Our Customers and Partners
  • Government agencies
  • Systems integrators
  • Leading technology corporations
  • Leading universities

21
Thank You