2006 Technology Symposium
Information Assurance
Information Assurance investigates security vulnerabilities in distributed information systems and develops architectures, systems and techniques for providing protection from attack and exploitation. Existing tools for system protection will be tested and evaluated.
Automated Worm Detection and Response
Dan Ellis, Principal Investigator
Location(s): Washington and Bedford
Problem
Worms can propagate through an enterprise in seconds. Current defenses consist of coarse-grained perimeters protected by firewalls and monitored by intrusion detection systems, and current intrusion detection and response processes do not scale to the time frame or scope of the worm problem. The problem is to detect and mitigate worm attacks within an enterprise environment in real time.
Objectives
We aim to limit the number of machines that get infected by detecting and quarantining network worms as they spread across an enterprise network.
Activities
We will develop and test an approach for detecting worms in enterprise networks. We will create a benign worm emulation system that can be run in operational enterprise networks to test the detection system. Our final demonstration will include detection and (emulated) response scenarios across MITRE's operational network.
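One detection approach that fits the time scale described above is to watch each host's rate of first contacts: a scanning worm opens connections to many destinations it has never talked to, whereas normal clients revisit a small set of servers. The following is an added illustration, not the project's detector; the connection records, the five-second window, the eight-destination threshold and the emulated ACL-style quarantine rule are all constructed assumptions.

```python
"""Scan-rate worm detection over constructed connection records.

Added illustration, not the project's own detector: a host that opens
connections to many previously uncontacted destinations inside a short
window is flagged, and an emulated quarantine rule is emitted instead of
being pushed to a switch or firewall.  Window and threshold are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 5.0     # assumption: look-back window per source host
NEW_DEST_THRESHOLD = 8   # assumption: distinct first-contact destinations per window


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    dst: str
    dport: int


class WormDetector:
    def __init__(self, window=WINDOW_SECONDS, threshold=NEW_DEST_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._seen = defaultdict(set)      # src -> destinations already contacted
        self._recent = defaultdict(deque)  # src -> (ts, dst) of recent first contacts
        self.quarantined = {}              # src -> emulated response rule

    def observe(self, c):
        """Feed one connection; return a quarantine rule the first time src trips."""
        if c.src in self.quarantined or c.dst in self._seen[c.src]:
            return None                      # already handled, or a repeat contact
        self._seen[c.src].add(c.dst)
        recent = self._recent[c.src]
        recent.append((c.ts, c.dst))
        while recent and c.ts - recent[0][0] > self.window:
            recent.popleft()                 # expire first contacts outside the window
        if len(recent) >= self.threshold:
            rule = f"deny ip host {c.src} any   ! emulated quarantine (tcp/{c.dport} sweep)"
            self.quarantined[c.src] = rule
            return rule
        return None


def replay(records):
    """Replay records in time order; return [(src, ts, rule)] for each quarantine."""
    det = WormDetector()
    alerts = []
    for c in sorted(records, key=lambda r: r.ts):
        rule = det.observe(c)
        if rule is not None:
            alerts.append((c.src, c.ts, rule))
    return alerts


# Constructed sample: a workstation revisiting a few web servers, and a host
# sweeping 10.0.1.0/24 on tcp/445 at ten connections per second.
BENIGN = [Conn(2.0 * i, "10.0.0.5", d, 80)
          for i, d in enumerate(["10.0.2.1", "10.0.2.1", "10.0.2.7", "10.0.2.9"])]
SWEEP = [Conn(10.0 + 0.1 * i, "10.0.0.42", f"10.0.1.{i}", 445) for i in range(1, 21)]
SAMPLE = BENIGN + SWEEP

if __name__ == "__main__":
    for src, ts, rule in replay(SAMPLE):
        print(f"t={ts:.1f}s {src}: {rule}")
```

The sweeping host is quarantined at its eighth new destination, eight tenths of a second into the scan, while the benign workstation never trips. In an operational network the threshold has to be tuned against legitimate high-fan-out hosts (mail relays, monitoring servers, crawlers) or whitelisted for them, which is exactly what a benign emulated worm run against the live network lets you measure.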
Impact
We will design and test an approach to defending against a serious emerging threat. MITRE, government organizations, and the nation's information infrastructure are all vulnerable to this threat. By developing and validating this technology in an operational environment we can demonstrate an approach that many organizations could use.
Dem/Val and SRS
Chris Do, Principal Investigator
Location(s): Washington
Detecting Insider Threat Behavior
Greg Stephens, Principal Investigator
Location(s): Washington and Bedford
Problem
Trusted insiders committing espionage have caused tremendous damage to U.S. national security. The vulnerability of sensitive U.S. information assets to misuse by insiders is significant. Most organizations have large amounts of data accessible to users who do not have a need to know. Unfortunately, there are currently no effective mechanisms available to detect when users perform unauthorized information gathering (reconnaissance).
Objectives
Anecdotal evidence, formal insider threat studies, and common sense suggest that information reconnaissance is a common precursor to insider abuse. Therefore, the purpose of this effort is to develop a framework that includes specific techniques to detect unauthorized information gathering.
Activities
The project will develop sensors that collect and process data streams strongly tied to information use, initially focusing on the Common Internet File System (CIFS). We will use the wealth of organizational knowledge available to provide informational context, develop rules to flag inappropriate information gathering, and test the framework using a series of red team exercises.
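Directory enumeration on file shares is a concrete signal of the reconnaissance described above: an insider surveying what is available lists directories on shares outside their own project before reading anything. The following is an added illustration, not the project's sensor or rule set; the record format, the share-to-project mapping, the project roster and the two-share threshold are constructed assumptions standing in for the organizational context a real deployment would pull from its directory.

```python
"""Rule-based detection of insider reconnaissance in CIFS access records.

Added illustration, not the project's sensors: a user who enumerates
directories on shares owned by projects they are not a member of, across
more than a tolerated number of such shares, is flagged.  The log format,
the project roster and the threshold are constructed assumptions.
"""
from collections import defaultdict
from typing import NamedTuple


class CifsEvent(NamedTuple):
    ts: str
    user: str
    op: str
    share: str
    path: str


# Constructed organizational context: which project owns each share and who
# belongs to each project.  Real deployments would pull this from a directory.
SHARE_OWNER = {"eng": "ProjectA", "finance": "Finance", "hr": "HR", "legal": "Legal"}
MEMBERSHIP = {"alice": {"ProjectA"}, "bob": {"Finance"}, "mallory": {"ProjectA"}}

# SMB/CIFS operations that enumerate directory contents rather than read a file
RECON_OPS = {"FIND_FIRST2", "QUERY_DIRECTORY"}
MAX_FOREIGN_SHARES = 2   # assumption: one stray share is incidental browsing


def parse_line(line):
    """Constructed sensor format: '<ts> <user> <op> <share> <path>'."""
    ts, user, op, share, path = line.split(maxsplit=4)
    return CifsEvent(ts, user, op, share, path)


def flag_recon(lines):
    """Return {user: {share: dirs_enumerated}} for users exceeding the threshold."""
    foreign = defaultdict(lambda: defaultdict(set))
    for ev in map(parse_line, lines):
        if ev.op not in RECON_OPS:
            continue                         # file reads are judged by other rules
        owner = SHARE_OWNER.get(ev.share)
        if owner is None or owner in MEMBERSHIP.get(ev.user, set()):
            continue                         # in-scope share: need to know presumed
        foreign[ev.user][ev.share].add(ev.path)
    return {user: {s: len(d) for s, d in shares.items()}
            for user, shares in foreign.items()
            if len(shares) >= MAX_FOREIGN_SHARES}


# Constructed sample log lines
SAMPLE_LOG = [
    "2006-03-01T09:02:11 alice FIND_FIRST2 eng /src/release",
    "2006-03-01T09:03:40 alice READ eng /src/release/notes.txt",
    "2006-03-01T09:10:05 bob QUERY_DIRECTORY finance /budgets/fy06",
    "2006-03-01T09:12:30 alice FIND_FIRST2 hr /policies",
    "2006-03-01T10:01:00 mallory FIND_FIRST2 finance /budgets",
    "2006-03-01T10:01:09 mallory FIND_FIRST2 finance /budgets/fy06",
    "2006-03-01T10:04:52 mallory QUERY_DIRECTORY hr /personnel",
    "2006-03-01T10:07:18 mallory FIND_FIRST2 legal /contracts",
    "2006-03-01T10:07:45 mallory READ legal /contracts/index.doc",
]

if __name__ == "__main__":
    for user, shares in flag_recon(SAMPLE_LOG).items():
        print(user, "enumerated foreign shares:", shares)
```

Only mallory is flagged: alice's single look at the HR share stays under the threshold, and bob's enumeration is on a share his own project owns. The rule depends entirely on the quality of the share-ownership and membership data, so a red team exercise should include stale or missing context (unmapped shares, users with no recorded project) to see whether the rule fails open or closed.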
Impact
Insider abuse is a significant and growing concern throughout the government and the private sector. Effectively detecting insider reconnaissance could thwart malicious insiders before they cause damage to national security and will help promote improved intelligence community sharing.
Information Sharing via Trusted Intermediaries
Vipin Swarup, Principal Investigator
Location(s): Washington and Bedford
Problem
A first responder arrives at a medical emergency scene. Data such as terrorist warnings (DHS) and infectious diseases data (CDC) may be relevant to what he faces, but today he is often not told. This cross-boundary information sharing problem is faced in many environments, e.g., by soldiers, marines, policemen, and border guards.
Objectives
Our research hypothesis is that a new class of trusted intermediaries with adaptive sharing policies will enable enhanced cross-boundary information sharing. We will develop a secure infrastructure for sharing via trusted intermediaries, and will develop fine-grained, adaptive sharing policy mechanisms for trusted intermediaries.
Activities
We will design a language for specifying sharing transactions and a sharing decision capability for authorizing transactions. This will include techniques to find appropriate trusted intermediaries when necessary. We will develop fine-grained, adaptive sharing policy mechanisms that trusted intermediaries can use to share information further. Finally, we will build an infrastructure to execute and enforce sharing transactions and policies.
Impact
Inadequate information sharing is recognized as a critical problem across government agencies. Our proposed solutions, based on trusted intermediaries and risk-adaptive policies, will solve many pressing sharing policy problems. We will impact government agencies via papers that describe our concepts and techniques, and software that demonstrates the feasibility and benefits of our novel approach.
Security Information Management for Enclave Networks (SIMEN)
Rosalie McQuaid, Principal Investigator
Location(s): Washington and Bedford
Problem
The Air Force enterprise contains networks that are bandwidth limited, intermittently attached, and/or internally constrained enclaves. These constrained network environments will not support commercial security information management (SIM) feeds and sensors. Recent threat activities have highlighted the need for an information assurance solution that provides consistent SIM-centric monitoring for these enclave networks.
Objectives
Our objective is to research and prototype a solution that addresses information assurance (IA) monitoring for constrained enclave networks. We will prototype a lightweight sensor-net footprint and an intelligent gateway that collects, queues, and prioritizes raw security data locally for intelligent transmission to the enterprise SIM. The prototype will reduce the resource impact on the enclave and improve integration of its data into the SIM system.
Activities
This project will identify an efficient sensor-net architecture by mapping priority threat categories to the critical data sources contained in AF enclave networks. We will develop state-aware prioritization algorithms and apply them near the data sources. We will investigate and implement bandwidth-efficient techniques for transmission to the enterprise SIM, and implement and validate a lab prototype to produce a robust proof of concept.
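The core of the gateway described above is a queue that knows how much it may send per interval and what matters most. The following is an added illustration, not the SIMEN prototype: events are ranked by a constructed threat-category map, drained in strict priority order within a byte budget, and whatever does not fit is held locally while the enterprise SIM is told how much backlog exists per category. Low-value categories are forwarded only as counts. The category map, the 120-byte budget and the payloads are assumptions.

```python
"""Priority-aware queuing of security events at a constrained enclave gateway.

Added illustration, not the SIMEN prototype: raw events are ranked by a
threat-category priority map, drained in strict priority order within a
per-interval byte budget, and anything that does not fit is held locally
and reported by category so the enterprise SIM still sees the backlog.
The category map, budget and payloads are constructed assumptions.
"""
import heapq
from collections import Counter
from dataclasses import dataclass, field

# Assumption: lower number = higher priority; categories map to threat classes
PRIORITY = {"malware_beacon": 0, "auth_failure_burst": 1,
            "policy_violation": 2, "informational": 3}
SUMMARY_ONLY = {"informational"}   # never forwarded raw from a constrained enclave


@dataclass(order=True)
class Event:
    priority: int
    seq: int                              # FIFO tiebreak within a priority
    category: str = field(compare=False)
    payload: str = field(compare=False)

    @property
    def size(self):
        return len(self.payload.encode("utf-8"))


class EnclaveGateway:
    def __init__(self):
        self._heap = []
        self._seq = 0
        self._summary = Counter()         # counts of summary-only events

    def ingest(self, category, payload):
        if category in SUMMARY_ONLY:
            self._summary[category] += 1  # keep a count, drop the bytes
            return
        pri = PRIORITY.get(category, max(PRIORITY.values()))
        heapq.heappush(self._heap, Event(pri, self._seq, category, payload))
        self._seq += 1

    def drain(self, budget_bytes):
        """One transmission interval: return (sent_events, held_by_category, summary)."""
        sent = []
        # Strict priority order: stop as soon as the most important remaining
        # event no longer fits, rather than filling the gap with lesser events.
        while self._heap and self._heap[0].size <= budget_bytes:
            ev = heapq.heappop(self._heap)
            budget_bytes -= ev.size
            sent.append(ev)
        held = dict(Counter(ev.category for ev in self._heap))
        summary = dict(self._summary)
        self._summary.clear()
        return sent, held, summary


def demo():
    """Constructed traffic: 3 auth bursts (30 B), 2 beacons (50 B), 5 DHCP notices."""
    gw = EnclaveGateway()
    for i in range(3):
        gw.ingest("auth_failure_burst", f"svc{i} fail=40".ljust(30))
    for i in range(2):
        gw.ingest("malware_beacon", f"10.9.1.{i}->198.51.100.9:8080".ljust(50))
    for i in range(5):
        gw.ingest("informational", f"dhcp lease 10.9.2.{i}")
    return gw, gw.drain(120)


if __name__ == "__main__":
    gw, (sent, held, summary) = demo()
    print("sent:", [e.category for e in sent], "held:", held, "summary:", summary)
    print("next interval:", [e.category for e in gw.drain(120)[0]])
```

With a 120-byte budget the two beacons (100 bytes) go first even though the authentication bursts arrived earlier; the bursts wait for the next interval and the SIM sees `held = {'auth_failure_burst': 3}` in the meantime. Strict ordering means a single oversized high-priority event can block everything behind it, so a real gateway needs either fragmentation or an age-based priority bump for events held too long.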
Impact
This research will improve current SIM deployments within the Air Force by addressing limitations in commercial products. It will influence commercial SIM vendors and the Air Force SIM strategy. By providing IA monitoring to networks that cannot benefit from a centralized SIM, this research will extend the power of SIM technology to the edge of the Air Force enterprise.
Trust and Adaptability in Web Services
Joshua Guttman, Principal Investigator
Location(s): Washington and Bedford
Problem
Widespread sharing and interpretation of richly structured data objects is a central motivation for Web services, and an underlying architectural idea in the Global Information Grid (e.g., Net-Centric Enterprise Services), the Distributed Common Ground System (DCGS), etc. However, access control must reflect the trust between authorities, the data shared, and associated metadata. Moreover, cryptographic protocols must establish authentication and confidentiality.
Objectives
We will develop techniques to secure Web services, meeting uniform but adaptable security goals. Web services create demanding requirements for security, but their transparency and uniform data model provide opportunities. We will adapt previous MSR-funded results connecting cryptographic protocols and trust management. Incorporating an XML-style data model will lead to a flexible framework for authentication, access control, and controlled sharing of semistructured data.
Activities
We will enrich our protocol/trust framework with an XML data model. A compiler will support demonstrations of controlled information sharing. Products annotated with metadata cryptographically bound to elements of these XML products will pass through a distribution system modeling DCGS. Access control decisions will be based on the certified characteristics of parts of the product, as well as attributes of the recipients.
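The binding of metadata to individual elements, and the release decision based on certified element characteristics plus recipient attributes, can be shown end to end on a small product. The following is an added illustration, not the project's compiler or framework: each `<para>` carries a classification label, and an HMAC over the product id, element id, label and text stands in for the authority's signature, so a label cannot be swapped or a paragraph moved between products without the binding failing. The document, labels, key and the three-level clearance ordering are constructed assumptions.

```python
"""Metadata cryptographically bound to XML elements, with attribute-based release.

Added illustration, not the project's compiler or framework: each <para> carries
a classification label bound to its product id, element id and content by an
HMAC (standing in for a signature the certifying authority would produce), and
a distribution point releases only elements whose binding verifies and whose
label the recipient's clearance dominates.  The document, labels, key and
clearance levels are constructed assumptions.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

LEVEL = {"U": 0, "S": 1, "TS": 2}   # assumption: ordered sensitivity labels


def binding(key, product_id, elem_id, label, text):
    """Bind product, element, label and content so none can be swapped independently."""
    msg = "\x1f".join((product_id, elem_id, label, text or "")).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def certify(key, xml_text):
    """Authority side: attach a binding to every labelled paragraph."""
    root = ET.fromstring(xml_text)
    for p in root.findall("para"):
        p.set("mac", binding(key, root.get("id"), p.get("id"), p.get("label"), p.text))
    return ET.tostring(root, encoding="unicode")


def release(key, xml_text, recipient):
    """Distribution side: keep paragraphs that verify and that the recipient may see.

    Returns (released_ids, {withheld_id: reason}, redacted_xml)."""
    root = ET.fromstring(xml_text)
    released, withheld = [], {}
    for p in list(root.findall("para")):
        pid = p.get("id")
        expected = binding(key, root.get("id"), pid, p.get("label"), p.text)
        if not hmac.compare_digest(expected, p.get("mac", "")):
            withheld[pid] = "binding failed"
        elif LEVEL[p.get("label")] > LEVEL[recipient["clearance"]]:
            withheld[pid] = "clearance"
        else:
            released.append(pid)
            continue
        root.remove(p)                     # redact rather than forward unverifiable data
    return released, withheld, ET.tostring(root, encoding="unicode")


KEY = b"constructed-demo-key"             # assumption: shared with the authority
PRODUCT = """<product id="rpt-17">
<para id="p1" label="U">Weather over the area of interest is clear.</para>
<para id="p2" label="S">Convoy departs at 0400 local.</para>
<para id="p3" label="TS">Source reporting on the route is HUMINT.</para>
</product>"""


def demo():
    signed = certify(KEY, PRODUCT)
    honest = release(KEY, signed, {"clearance": "S"})
    # Tampering: relabel p3 as unclassified without re-certifying it
    tampered = signed.replace('id="p3" label="TS"', 'id="p3" label="U"')
    return honest, release(KEY, tampered, {"clearance": "U"})


if __name__ == "__main__":
    for released, withheld, xml_out in demo():
        print("released:", released, "withheld:", withheld)
        print(xml_out)
```

A recipient cleared to S receives p1 and p2 and never sees p3; downgrading p3's label in transit does not help, because the binding covers the label and the element is withheld as unverifiable. Using a keyed MAC here means the distribution point must hold the authority's key; a deployed system would use a signature so that any intermediary can verify without being able to certify.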
Impact
We will demonstrate a compiler-based implementation of our method to secure service-oriented architectures. We will transfer the software as well as the underlying techniques to industry (via collaboration with vendor research labs), to MITRE direct-funded projects (via proposals for improved Web service security architectures), and to the Air Force (via the resulting software and the vision it embodies).
Using Honeyclients for Detection and Response Against New Attacks
Kathy Wang, Principal Investigator
Location(s): Washington and Bedford
Problem
Exploits targeting vulnerabilities in client-side applications are a growing threat on today's Internet. Commonly deployed detection technologies such as honeypots and Intrusion Detection Systems (IDSs) are useful for detecting server-side attacks, but are not effective at detecting client-side attacks. We lack a proactive client-side attack detection technology.
Objectives
The project has two main objectives. First, we will develop a honeyclient prototype with capabilities for interaction with servers, client-side exploit detection, and exploit characterization and categorization. Second, since honeyclient technology is new and not well understood, we will research and document the capabilities and limitations of honeyclients for improving organizational situational awareness.
Activities
In the first two quarters, we will develop the initial honeyclient prototype's capabilities, including security enhancements and secure logging. By the end of the third quarter, we will have created honeyclients capable of supporting additional protocols, including DNS and peer-to-peer. In the fourth quarter, we will focus on exploring the theoretical capabilities and limitations of honeyclient technology.
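The detection step of a honeyclient, independent of which protocol it drives, is a before/after comparison of the client environment: a page that merely renders leaves nothing behind, while a successful exploit writes a payload, changes a configuration file or starts a process. The following is an added illustration, not the project's prototype, showing the file-system half of that comparison; the profile layout and the two stand-in "clients" are constructed, and a real honeyclient would drive an actual browser in a disposable VM and diff process and registry state as well.

```python
"""File-system state differencing as a honeyclient exploit detector.

Added illustration, not the project's prototype: the client's environment is
snapshotted before and after a visit, and new, modified or removed files are
treated as evidence that the visited server exploited the client.  The
directory layout and the two stand-in "clients" are constructed; a real
honeyclient would drive an actual browser in a disposable VM and also diff
processes and registry state.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_state(before, after):
    common = before.keys() & after.keys()
    return {"added": sorted(after.keys() - before.keys()),
            "removed": sorted(before.keys() - after.keys()),
            "modified": sorted(k for k in common if before[k] != after[k])}


def visit(root, url, client):
    """Drive `client` against `url`; report whether the environment changed."""
    before = snapshot(root)
    client(root, url)
    changes = diff_state(before, snapshot(root))
    exploited = bool(changes["added"] or changes["modified"] or changes["removed"])
    return {"url": url, "exploited": exploited, "changes": changes}


def benign_client(root, url):
    """Stand-in for a visit that only renders content and touches nothing."""


def malicious_client(root, url):
    """Stand-in for a drive-by download: drops a binary into the startup folder."""
    (Path(root) / "Startup" / "update.exe").write_bytes(b"MZ\x90\x00")


def build_profile(root):
    """Constructed baseline environment for each visit."""
    (Path(root) / "Startup").mkdir()
    (Path(root) / "prefs.ini").write_text("homepage=about:blank\n")


def run_demo():
    results = {}
    for name, client in (("benign", benign_client), ("malicious", malicious_client)):
        with tempfile.TemporaryDirectory() as tmp:   # fresh environment per visit
            build_profile(tmp)
            results[name] = visit(tmp, f"http://{name}.example/", client)
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(name, "exploited" if r["exploited"] else "clean", r["changes"])
```

The malicious visit is reported with `Startup/update.exe` in `added`, which is also the artifact you would hand to the characterization step. Two caveats follow from the method: legitimate visits also write caches and cookies, so the baseline must exclude those paths or the false-positive rate will be unusable, and an exploit that stays memory-resident leaves no file change at all, which is why process and network state need to be diffed alongside the file system.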
Impact
By using honeyclient technology, our sponsors will gain the capability to proactively detect client exploits in the wild. This project will develop a baseline honeyclient capability and document the ongoing costs of running a honeyclient installation so that sponsors can make informed decisions about how best to apply honeyclient technologies as part of their security awareness strategies.