IA&S Roadmap and ITS Direction

Dr. Jay Lala, ITS Program Manager

23 February, 2000

Page 2

IA&S Problem Space

[Figure: diagram of the IA&S problem space. Labeled areas: Malicious Code; Multi-Domain/Multi-Level Security; Situational Understanding; Modeling/Simulation; Semantic Assurance; Formalized Design & Assessment; Intrusion Detection; IA Sensors; Adaptive Survivable Network Infrastructures; Physical Security; Autonomic Response; Policy; Course of Action Projection; Auto Forensics; Adaptive Survivable Architectures; Dynamic Coalition; Law Enforcement Policy; Protective Mechanisms; Crypto; Dynamic Policy; Cyber Sensor Exploitation; Intrusion Assessment; Cyber Strategy; Lifecycle Attacks; Insider Attacks; Security of Mobile Agents; Composable Trust. Several areas are marked only with "?".]

The known core is a fraction of whole IA problem space

IA&S is illuminating key portions of the dark space

Significant identified & unknown problems exist in the dark space

Page 4

Information Assurance and Survivability

Dynamic Coalitions (Coalition Policy Mechanisms): Doug Maughan

Fault Tolerant Networks (Tolerant Mechanisms): Doug Maughan

Intrusion Tolerant Systems (Tolerant Systems): Jay Lala

Strategic Intrusion Assessment (Attack Recognition & Correlation): Sami Saydjari

IA Science & Engineering Tools (Design Tools & Models): Michael Skroch

Autonomic Information Assurance (Dynamic Reflexive Systems): Brian Witten

Information Assurance (Composable Trust): Sami Saydjari

Cyber Command & Control (Human Directed Strategy): Catherine McCollum

Experimentation

Integration

http://dtsn.darpa.mil/iso/

Page 5

Program Core Areas in the IA&S Problem Space

[Figure: the IA&S problem space diagram from page 2, overlaid with program labels: AIA, CC2, DC, SIA, CC2, FTN, IA, ITS, IASET.]

IA and IS did initial exploration of the space

IA&S is attacking high leverage problems in newly known parts of the space

Small, early explores continuing into dimly glimpsed areas not yet ready for concentrated effort

Page 6

20-Year Vision: Program Investments

Programs (columns): IASET, AIA, CC2, SIA, ITS, DC, FTN

SEE: Reliable Observation System; Detect malicious code on the fly; Understand adversary intent, predict course; Reliable attribution (trace back); Automatic forensics.

ACT: Reliable Decision & Control System; Automatic containment of attacks; Expunge malicious code on the fly; Continue mission in face of attack; Graceful degradation - self healing properties; Deception; Strategy and tactics playbook; Real time countermeasures development.

SHARE: Safe Multi-level/domain security (MLS) (MDS); Insider threat mitigation; Globally coordinated data sharing & mission execution.

DESIGN: Well understood science based design capability; Measurable levels of assurance; Safe havens – critical core - impervious to attack; Known emergent properties.

Grey shading indicates level of investment. Thermometer shows expected relative progress in 5 years.

Page 7

Intrusion Tolerant Systems

Premise: Attacks will happen; some will be successful. Attacks may be coordinated across multiple sites.

Hypothesis: Attacks can be detected, contained, and tolerated, enabling continued correct progress of mission critical applications.

ITS Program Goals: To conceive, design, develop, implement, demonstrate, and validate tools and techniques that would allow fielding of intrusion tolerant systems.

An intrusion tolerant system is one that can continue to function correctly and provide the intended services to the user in a timely manner even in the face of an attack.

Page 8

ITS FUNCTIONS & CAPABILITIES

DESIGN VALIDATION: Detect design faults; plug exploitable code vulnerabilities; validate key intrusion tolerant properties.

MOBILE CODE/DATA INTEGRITY: Rapidly distinguish intact & corrupted entities before execution.

MALICIOUS CODE CONFINEMENT: Monitor software executables.

ERROR DETECTION/TOLERANCE TRIGGERS: Value & Time Domain Detectors; Comparison & Voting; Acceptance Checks.

ERROR COMPENSATION/RESPONSE/RECOVERY: Survivable Architectures; Graceful Degradation; QoS Trade-Offs; Spatial, temporal, design, analytical redundancies; Dynamic reconfiguration.

Page 9

Capabilities and Enabling Technologies

Avoid faults. Detect design faults. Plug exploitable code vulnerabilities. Assurance & preservation of software dependability properties via program analysis, annotation and manipulation tools (Scherlis).

Validate intrusion tolerance. Validate key security properties of intrusion tolerant architectures. Ontology of intrusion tolerance (Stavridou). Analytical modeling & simulation.

Assure mobile code / data integrity. Rapidly distinguish intact & corrupted entities before execution. Language-based security: Language-independent PCC safety policy (Appel); Scalable PCC certifying compiler, prover, & checker (Appel); Provably-secure mobile code format (Franz); Self-enforcing object code using in-lined reference monitors (Schneider).

Confine malicious mobile code and malicious host. Monitor software executables. Protect mobile code. Sandbox individual active scripts (Ghosh); Mutate mobile code to protect from malicious host (Badger); Wrap programs and mediate all interfaces (Balzer); Monitor COTS s/w via internal binary agents (Agarwal).

Page 10

Capabilities and Enabling Technologies

Detect errors. Detect errors in outputs of applications, utilities, system software. Redundant systems - Rearguards (Schneider). Application-based error detection.

Process errors. Provide forward or backward error recovery. Provide error compensation via redundancy. Recover & respond. Perform QoS trade-offs and graceful degradation to provide continued user services for as many critical functions as possible. Log repair and damages.

Agile objects for rapid reconfiguration & location elusiveness (Chien); Fragmentation redundancy & scattering of objects (Khosla); Digital Semantic Integrity (DSI) mark methods (Rosenthal).

Functional & analytic redundancy; Design diversity; Temporal redundancy; Dynamic reconfiguration & adaptation; Market-based resource allocation; Intrusion-tolerant transaction processing protocols.