The MITRE Digest, January 2007

SIMEN Says: Let's Make Air Force Networks More Secure
Like all military computer networks, the Air Force enterprise extends beyond the confines of its wired, core infrastructure. To enable warfighters to respond to threats worldwide, the Air Force increasingly uses airborne and "forward-deployed" networks (sometimes called "enclave" networks) that operate in even the harshest and most remote environments. But portability and extension can create security risks. Such "constrained" networks have limited or intermittent bandwidth links to the Air Force enterprise. This means they can't be secured in the same ways or to the same extent as enterprise-centric networks, which makes them potentially vulnerable to cyber threats. As the Air Force stretches the boundaries of traditional computer networks to meet emerging threats, the need for new data security solutions is greater than ever.

This data security challenge isn't limited to enclave networks. Air bases disconnected from the main Air Force enterprise face similar problems in guarding their networks from electronic attack.

MITRE researchers are working on a cutting-edge solution for plugging the security holes in constrained network environments. The prototype, called Security Information Management for Enclave Networks (SIMEN), is an intelligent network collector that filters and prioritizes electronic security event data, ensuring that Air Force network administrators receive accurate, updated information as quickly as possible. This will enable them to respond to hacker attacks against even the most remote of networks, explains MITRE's Rosalie McQuaid, a lead information security engineer and principal investigator for the SIMEN research program.

Towards a "Threat-focused" Architecture

"This work will lead to the development of what we call a 'threat-focused' architecture—one that will allow for a faster response to threats across the entire network," McQuaid says. "This is something that's a priority across the Department of Defense."
The work is being conducted within the framework of MITRE's internal research program with sponsorship from the Air Force. In developing the SIMEN intelligent event collector, the MITRE research team aims to help the Air Force customize commercial information security tools called security information management systems, or SIMs. These custom SIMs can be tweaked to meet evolving user needs and could eventually be deployed on any government computer network, she says.

Building a Better Air Force SIM

Today many military networks, including the Air Force's, deploy commercial SIMs as part of their data security arsenal. SIMs generally consist of server software, agents installed on either servers or security devices, and a central management console. They enable users to aggregate and process security data collected from network devices into meaningful information that can be used to assess and neutralize threats.

But the Air Force's enclave networks can't use commercial SIMs, because the enclave networks can't support the bandwidth-hogging real-time sensor data feeds that must be transmitted to the centrally located SIMs. McQuaid offers a scenario to illustrate what this means for the constrained networks.

"Say a network enclave has a laptop with an externally controlled 'bot.' This network enclave then becomes a source of threat to the Air Force enterprise. If the network and its links were to be saturated with data from the threat agent, even with a centrally located SIM, that threat agent would be very hard to track down," she explains.

By using a solution such as SIMEN, the Air Force could extend the SIM's capabilities to the enclave network. Deploying a light sensor net footprint and intelligent gateway on the network enclave, SIMEN collects, queues, and prioritizes raw data on security breaches and transmits the data to the Air Force's enterprise SIM, where network security analysts can parse it and identify the source of the threats. The result is greater situational awareness of vulnerabilities in the Air Force's network environment, which ultimately translates into improved capabilities for warfighters, McQuaid explains.

"The simplicity of this whole idea resonated with people," she adds.

"It pays attention to the network, responds to what it sees, and filters data," says Joseph Judge, a MITRE lead information security engineer who works on the project.
"We're taking the chatty, voluminous logs of network data and making them easier to transfer and analyze."

"Any remotely deployed network could benefit from this type of tool," adds Peter Kertzner, a lead information security engineer who works on the project. "Network security monitoring can never really be perfect, but the more you improve your situational awareness—the more data points you have, the better decision making you can have."

Keeping Key Data on the Right Course

Given the overwhelming volume of data processed each day by military computer networks and given the potential vulnerability of those networks to terrorism and even garden-variety hacking, it's especially important for the military to have new security tools at its disposal, explains Philip Petitt, an advanced technology development program manager with the Air Force.

"In general, information assurance—making sure that data transferred on a network is in fact valid and trustworthy and virus-free—takes a lot of work," says Petitt, who is working with McQuaid and her team to ensure that SIMEN meets the Air Force's requirements.

"Rosalie's methodology is another way of getting the right information to the right people at the right time," he says. "Some of it has to do with the way the information is classified. But if you look at the military enterprise versus, say, even something as large as the General Motors enterprise—the amount of data feeds coming in is huge.

"It's critical to prioritize traffic so that the right information can go to the right places.

"This isn't a problem just for the Air Force. The Navy has somewhat different network issues, but it has the same issues with data prioritization."

The project was initially focused on the Air Force's needs, but the Army, Navy, and NATO have also expressed interest, McQuaid says.
The eventual SIMEN prototype will be optimized to work with any commercial SIM product, adds Brian Soby, a MITRE senior information security engineer working on the project. The prototype uses common compression algorithms to reduce message size and deploys secure sockets layer encryption for added security, Soby explains.

Plans are also in the works for the SIMEN prototype to be tested by NATO officials, allowing MITRE researchers to see how the tool functions in a real-world environment, McQuaid adds. The prototype will also be tested at the 2008 Joint Expeditionary Force Experiment, a biennial event where emerging military technologies are put through their paces by Air Force experts.

—by Maria S. Lee
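The collect-queue-prioritize flow on the enclave gateway, together with the compression step mentioned above, can be sketched as an added toy example; this is constructed illustration, not MITRE's SIMEN code. The log line format, the priority table, the byte budget and the sample sensor lines are all assumptions, and the SSL/TLS transport to the enterprise SIM is left out.

```python
"""Toy enclave gateway in the spirit of SIMEN: parse sensor lines, fold
repeats, send highest-priority events first, and gzip the batch so it
fits a constrained uplink. Constructed example; format, priorities and
budget are assumptions, not SIMEN's real design."""
import gzip
import json
import re
from collections import Counter

# Constructed sensor log lines in an assumed "<sensor> <TYPE> <detail>" form.
RAW_EVENTS = [
    "ids ALERT externally controlled bot traffic from 10.0.1.7",
    "fw DENY 10.0.1.7 -> 203.0.113.9:6667",
    "fw DENY 10.0.1.7 -> 203.0.113.9:6667",
    "fw DENY 10.0.1.7 -> 203.0.113.9:6667",
    "host INFO login ok user=jsmith",
    "host INFO login ok user=jsmith",
    "ids ALERT externally controlled bot traffic from 10.0.1.7",
]
PRIORITY = {"ALERT": 0, "DENY": 1, "INFO": 2}  # lower number leaves first
LINE_RE = re.compile(r"^(?P<sensor>\w+) (?P<type>[A-Z]+) (?P<detail>.+)$")

def parse(line):
    """Return a dict for a well-formed line, None for lines the gateway drops."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def collapse(lines):
    """Queue events, folding exact repeats into one record with a count
    (the 'chatty' logs), ordered so alerts precede routine chatter."""
    counts = Counter(line for line in lines if parse(line))
    records = []
    for line, n in counts.items():
        ev = parse(line)
        ev["count"] = n
        records.append(ev)
    records.sort(key=lambda e: PRIORITY.get(e["type"], 9))  # stable sort
    return records

def build_batch(lines, max_bytes):
    """Fill a gzip-compressed JSON batch up to the byte budget. Lower
    priority events that do not fit are deferred, not lost.
    Returns (compressed_blob, deferred_records)."""
    records = collapse(lines)
    sent = []
    for i, ev in enumerate(records):
        blob = gzip.compress(json.dumps(sent + [ev]).encode())
        if len(blob) > max_bytes:
            return gzip.compress(json.dumps(sent).encode()), records[i:]
        sent.append(ev)
    return gzip.compress(json.dumps(sent).encode()), []
```

Deferred records would be carried into the next batch when the link allows, which is the queueing behaviour the article attributes to the gateway.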
Page last updated: January 23, 2007