attack campaigns is far outpacing the ability to defend ... attack campaign has an overall goal and is .... We believe that automation in these areas is crucial.
Network Mission Assurance Michael F. Junod, Patrick A. Muckelbauer, PhD, Todd C. Hughes, PhD, Julius M. Etzl, and James E. Denny Lockheed Martin Advanced Technology Laboratories Camden, NJ 08102 {mjunod,pmuckelb,thughes,jetzl,jdenny}@atl.lmco.com
Abstract
1. Introduction
The doctrine of Network Mission
This document describes the Network
Assurance (NMA) evaluates the value of
Mission Assurance (NMA) doctrine of
information assurance and the risk of
Lockheed Martin Advanced Technology
computer threats based upon their impact on
Laboratories (ATL). This doctrine is used as a
the organizational functions supported by the
guide to focus our information assurance
network. The NMA framework is comprised
efforts in different research areas and ensure
of
Asset
these efforts can work together in a dynamic
Identification, Infrastructure Model and
distributed network environment and
Control, Threat Analysis and Prediction, and
effectively leverage and incorporate point
Response Coordination. Our research in
security solutions into a robust information
support of the NMA investigates technical
assurance architecture.
four
technical
functions:
solutions for trust-based resource control,
It is our belief that one cannot simply
reflective and reconfigurable network
back-fit existing security point solutions onto
services, autonomic network defense, and
existing architectures and expect to have an
cyber-attack representation. We contend that
improved security infrastructure. In fact, this
NMA unifies the purpose and function of
can result in a less secure architecture that
separate information assurance programs into
requires a great deal of manual effort in
a holistic, network-centric solution.
maintenance and monitoring.
Point security products (e.g., vulnerability
race is simply its current scope. Since most
scanners, intrusion detection systems,
security systems focus on relatively atomic
firewalls) often operate in isolation. In
attack actions (e.g., port scans, buffer
contrast, according to NMA, security
overflows), they have difficulty defending
solutions should not only be integrated with,
against coordinated attack campaigns. An
but orchestrated among, the components of a
attack campaign has an overall goal and is
network infrastructure.
composed of many atomic actions over time
NMA is a high level concept that spans a
that must be carefully and successfully carried
large area of information security and
out to achieve the desired goal.
information assurance. In support of this
The need for rapid assembly of tactical
doctrine, ATL is leveraging its applied
networks exacerbates the difficulty. In a
research strengths in quality of service (QoS),
dynamic coalition environment, one does not
distributed processing, data fusion, and
have the opportunity to perform the
intelligent agents to apply to the information
vulnerability assessment and red team testing
assurance domains. We believe that research
one would on static configurations. Further,
and technologies from many other academic,
one cannot assume that the systems will
commercial, and government sources also
always provide the same mission critical
support the NMA doctrine.
functionality. With future reconfigurable
2. Network Mission Assurance Approach
systems using open system architectures,
The ability to launch successful cyber
what parts of the system are critical at any
attack campaigns is far outpacing the ability
given time in the mission becomes a run-time
to defend against them. A fundamental
rather than design-time decision.
problem in the information assurance arms
The goal of the Network Mission
2
Assurance (NMA) is to keep the mission-
of new technologies to future operational
critical systems operational while under a
environments.
cyber attack. This implies the ability to
3. ATL NMA Research Areas
identify and map critical assets to operational
With these concepts in place the four main
support capabilities. It also requires efficient
research areas of Lockheed Martin Advanced
and judicious use of resources by focusing
Technology Laboratories’ Network Mission
additional resources on threatened assets.
Assurance
(NMA)
are:
(1)
Asset
In addition, we believe there is great value
Identification, (2) Infrastructure Model and
in leveraging offensive attack campaign or
Control, (3) Threat Analysis and Prediction,
threat knowledge for better defense. This
and (4) Response Coordination. Figure 1
allows us to explore full life cycle response
provides a conceptual overview that illustrates
through simulation before reflecting any
the functional relationship between the
changes onto the infrastructure components.
technology components of the NMA research
NMA is intended to work in concert with existing
areas.
information
assurance efforts, which we believe are both necessary and effective. However, we also contend that there must be a higher level vision that drives requirements, metrics, and capabilities for transition
Figure 1. Network Mission Assurance conceptual overview
3
3.1 Asset Identification
identification can enable more effective,
The functions of asset identification are to identify
critical
mission
reactive, and proactive responses by
objectives
protecting assets that are most relevant to
dynamically and continuously and to map,
mission success, and provide a valuable
possibly through
discriminator for resource allocation.
multiple
levels of
abstraction, the criticality of mission
3.2 Infrastructure Model and Control
objectives to low-level infrastructure assets.
We believe that infrastructure models for
For example, in mission terms it might be
information assurance must satisfy two
important to identify at the high level a
important conditions. First, they must
critical unmanned autonomous vehicle (UAV)
represent the state of the infrastructure in a
video feed. In system terms, this video feed
manner that allows a system to reason about
would map at the low level to network flows,
itself. Second, they must actuate changes in
ports, and processors on hosts in the
the model in the infrastructure itself. The
operational equipment.
models we have in mind are, therefore,
While others have recognized the need for
reflective. Specifically, the reflective
critical asset identification, we believe there is
infrastructure provides a representation of the
a need to make this process continuous and
infrastructure that maintains infrastructure
dynamic, and we have outlined an approach
state and critical asset analysis; threat history,
for realizing this process. In addition, we have
analysis, and projection; and responses and
identified how to integrate the results of
status.
critical asset identification with other security
Changes to the model, however, need not
components of a distributed system. For
be reflected immediately into the actual
example, results from critical asset
infrastructure but rather be considered as a
4
hypothetical state. This supports the ability to
they constitute threat actions by an adversary.
reason over proposed changes using
Second, systems must predict what the
simulation before actuating the changes back
adversary is likely to do next. Third, systems
on to the infrastructure components.
must project the impact of the adversary’s
3.3 Threat Analysis and Prediction
trajectory on infrastructure assets, in
Current network security measures are
particular the assets critical to mission
designed to make it more difficult for
success.
attackers to penetrate the boundary of an
These functions are crucial for planning
infrastructure. However, if an adversary is
and implementing an effective response to an
successful in penetrating this line of defense
attack campaign. Performing these tasks in
while eluding detection, very little stands in
less time than attackers perform their own
the way of total compromise of the
tasks is particularly difficult now that so many
infrastructure. There is a good reason this
attacks are heavily scripted and distributed.
model
an
We believe that automation in these areas is
infrastructure against a potential adversary,
crucial. Threat Analysis and Prediction
for all its complexity, is far less complicated
research is necessary to fill this current gap in
than recognizing and analyzing the attack of
infrastructure security.
an actual adversary.
3.4 Response Coordination
is
so
pervasive:
sealing
Threat Analysis and Prediction research
Information assurance decisions have
seeks to reduce this complexity by looking at
probabilistic and interdependent effects upon
three types of necessary tasks. First, systems
an organization’s operations. The complexity
must correlate events occurring throughout
of decisions can overwhelm human operators
the infrastructure and deduce correctly that
in large infrastructures. Thus, timely response
5
for infrastructure defense necessitates
4.1 Dynamic Trust-based Resources
automated response coordination.
Cooperation and sharing of resources on a
Response Coordination seeks to enable
network requires some degree of trust
automated threat response decision making. It
between the entities involved. In current
integrates with components for threat analysis
systems, this degree of trust manifests itself
and network control through infrastructure
through static configuration of authentication
models. We believe decision-theoretic
and access control mechanisms that determine
concepts such as belief, action, and utility
trust levels and map them to access rights.
map well to infrastructure defense concepts
This approach requires a great deal of
such as threat, control, and mission. These
planning and effort. As the time provided to
mappings can be leveraged to reason about
organize
effective responses, even in conditions of
infrastructures decreases and their interactions
uncertainty.
become more complex, it is increasingly
4. ATL Work in Support of NMA
unlikely the proper degree of trust can be
collaborative
computer
This section provides brief overviews of
determined at system configuration time.
the specific areas of research that Advanced
Clearly this is the case for self-organizing,
Technology Laboratories (ATL) is working in
autonomous systems where cooperating
to support the Network Mission Assurance
entities may not even be known at
(NMA). Our goal is to provide mission
configuration time.
assurance by ensuring survivability of high
Current solutions, in and of themselves,
value assets and continued operation of
are too rigid, require too much human
critical infrastructure components.
intervention, and are inadequate for managing resources among rapidly assembling,
6
dynamic, active network components. What is
tightly couple this continually assessed trust
needed in such cases is a dynamic, adaptive
with
determination of trust that is integrated with
mechanisms to ensure that requesting
resource allocation mechanisms, so that as
processes are trusted and, thus, permitted to
trust in an entity degrades, so does its access
use system resources. If a requesting process
to resources. Such trust-based resource
exhibits suspicious behavior, DyTR will
allocation mechanisms are necessary to limit
degrade its level of trust for that process, and
and ultimately completely restrict the
subsequently reduce that process’s access to
disruptive behavior of an entity and ensure
system resources, so that other critical
fault tolerance.
resources can continue to operate to achieve
The goal of Dynamic Trust-based
low-level
resource-allocation
fault-tolerant behavior.
Resources (DyTR), which ATL is currently
4.2 ATL’s Next Generation Infrastructure
developing under the DARPA Fault Tolerant
ATL’s Next Generation Infrastructure
Networks program, is to go beyond traditional
(ANGI) project has developed technology for
authentication-based approaches to trust and
building systems that can be deployed in
build systems where the trustworthiness of
increasingly more dynamic, distributed, and
entities adapts over time based on system
open environments. This includes an
events. DyTR provides an adaptive trust-
integrated set of services for dynamic system
assessment methodology that allocates
modeling as well as for system QoS.
resources dynamically to an initial level of
ANGI is a library of tools and executable
credentials, continually assesses trust, and
services for developing and deploying
adaptively allocates resources in accordance
distributed objects. Among these services are
with changes in perceived trust. DyTR will
model sharing and sensor mechanisms that
7
allow systems to discover and monitor their
associating utility (value or cost) with some of
own configuration and environment.
those actions and beliefs. It is a probabilistic
We have also developed for ANGI a rich
reasoning technique that extends the concepts
set of QoS controls for classifying and
of Bayesian networks and decision trees.
shaping traffic flows, which provide the
ATL is applying this technique to
foundation for managing and securing the
information assurance by evaluating sensor
shared network infrastructure and, in
findings and specific threat alerts in a model
particular, protecting a system against
of potential responses and their impact upon
distributed denial of service attacks. The QoS
network services and assets. Then the
controls are superior to traditional firewall
decision network selects the action with
filters because they provide wider and more
maximal expected utility, which factors
fine-grained range of influence. They also
certainty and priority in a holistic manner for
provide an end-to-end solution allowing
mission assurance.
greater latitude over where to place the
The primary challenge of this research is
controls. This allows confinement of
to identify and incorporate a technology for
potentially malicious flows through limits and
response selection which functions to provide
priorities and protection of critical flows that
mission assurance under the inherent
are necessary to mission success.
uncertainty
4.3 Decision Network Technology
data/control in large infrastructures.
Decision networks—also known as
and
incompleteness
of
4.4 Distributed Autonomic Response
influence diagrams—use a graph structure to
Coordinator
represent dependencies between possible
ATL is developing a prototype Distributed
decisions and uncertain beliefs, also
Autonomic Response Coordinator (DARC)
8
that uses the ANGI framework as the
responses against single- and multi-node
foundation to deploy and manage the
attacks.
distributed sensor information as well as
4.5 Cyber Attack Workstation
ANGI’s dynamic QoS capabilities for
In keeping with our belief that leveraging
response mechanisms. The DARC prototype
offensive attack campaign knowledge makes
uses existing intrusion detection and
for better defense, ATL has also developed a
vulnerability assessment products as sensors.
prototype Cyber Attack Workstation (CAW).
We intend to apply decision network logic
The CAW provides a pluggable API and GUI
to develop autonomic response to more
for adding, integrating, and executing cyber
devastating and more rapid cyber attacks. The
reconnaissance and attack scripts. The
challenge is to develop an autonomic
interface generates a map of the network as
response mechanism that can understand an
reconnaissance information is gathered, which
attack campaign to determine the best
allows the user to target specific hosts with
response in a dynamic environment given the
particular vulnerabilities. The interface also
uncertainty of intrusion detection and
allows users to select the level of risk they are
vulnerability assessment sensor information.
willing to accept, and the CAW will adjust the
This will ensure mission assurance in the
parameters of attacks accordingly.
presence of an attack.
Future versions of the CAW will
The goal of DARC is to provide a
automatically and dynamically formulate and
distributed, autonomic response capable of
execute cyber offensive attack campaigns that
detecting, adapting, and collaboratively
meet mission objectives and constraints. The
responding to cyber attacks. It will enable the
CAW will determine the appropriate steps of
coordination and monitoring of start-to-end
the campaign based on the intent of the user
9
and the risks the user is willing to accept. The
Metabase
long-term goal is to incorporate the attack-
meaning that capability attributions have been
campaign understanding and decision-model
assigned to the vulnerabilities listed in the
logic developed for DARC in order to
database. This formal representation will
produce more sophisticated offensive attack
allow advanced reasoning for correlating,
campaigns.
predicting, and projecting attacks.
4.6 Attacker Capability Ontology
5. Future Work
A key enabler of ATL’s future work in
ATL
(http://icat.nist.gov/icat.cfm),
continues
its
research
and
information assurance is the formal
development in information assurance in each
representation of, and reasoning about, cyber
of the projects described above, using the
attack data. Two important aspects of this
NMA doctrine as a guide. As NMA
domain we have attempted to capture are: (1)
technology matures, we seek to deploy
the
software
information assurance products technology as
vulnerabilities and the capabilities that
well as transfer the results of our research into
attackers gain by exploiting them on actual
the
systems, and (2) the relationships among
community.
these capabilities. For this effort we have
Acknowledgements
relationship
between
developed the Attacker Capability Ontology.
broader
information
assurance
Defense Advanced Research Projects
The Attacker Capability Ontology is
Agency/Air Force Rome Laboratory, contract
implemented in both Resources Description
Number F30602-02-C-0109.
Framework Schema (RDFS) and DARPA
References
Agent Markup Language (DAML). It has also
NMA
been integrated with the ICAT Vulnerability
Home
Page:
external.lmco.com/projects/ia/
10
http://www.atl.
