One of the most imminent threats to C4 systems,
particularly mobile ad-hoc and COTS-based networks, is large-scale
attacks by computer worms spreading malicious code. Such threats can
target specific elements of the network, exploit valuable information
and bring net-centric warfare to a halt by overrunning the network
capacity with "garbage", stealing the identity of units and
destinations, attacking routers, etc. Network security experts claim
that current defenses against such attacks are not sufficient. Future
security systems should identify failures at the earliest possible
phase, through distributed sensing and dynamic reconfiguration of the
network.
Current Threats
A worm is a piece of self-replicating malicious mobile
code that spreads through a network without human interaction. Because
they are self-propagating, worms can spread extremely quickly.
Typically, worms do not alter or delete files; rather, they reside in
memory, eat up system resources, and slow down computers. A Trojan
horse is a hidden piece of malicious code added to a seemingly useful
and benign program. When this program runs, the hidden code may be
performing malicious activities like allowing "back door" access to
your computer by hackers or destroying files on your hard disk.
Trojans are commonly used to introduce spyware or worms into a system.
The main difference between a Trojan and a virus is that Trojans are
unable to replicate.
Future Risks of Network Attacks
Unlike current structured, centrally managed and hierarchical
networks, Mobile Ad-hoc Networks (MANET) have a dynamic
structure. Unbounded by central administrative control, such networks
operate without a central authority; the number and identity of the
participants and the topology of the network are constantly changing,
limiting the effectiveness of contemporary security systems beyond
their local boundaries.
Advanced security systems are under development under
DARPA's DCAMANETS program to improve MANET security. Such measures
are developed specifically for future ad-hoc systems and comprise
distributed detection of node infections and failures, to maintain
system throughput over the duration of an attack and minimize system
shutdown due to attack or system failure. These countermeasures are
designed to "capture" threats by establishing quarantine procedures that
automatically recover the compromised nodes. Dynamic
reconfiguration of the whole network will also be feasible, to secure
and isolate mission-essential resources and services from potential
attacks.
For example, when worm propagation is
detected in a specific unit's communications, all members of this unit
are shut down through an "auto-recovery" process, supervised
by a communications control element that eradicates the threat and
verifies that all the recovered elements have been disinfected.
Meanwhile, the control element distributes the warning and profile of
the attack to update the security countermeasures of the remaining
(yet uninfected) network units. Such countermeasures will ensure that
no more than 10% of the network nodes would be infected by a worm
attack.
The goal of the program is to sustain available network
throughput at 75% of its maximum capacity throughout the attack.
The Dynamic Quarantine Program will be able to detect a wide spectrum of
computer worms and propagating malicious code programs, including
scanning, flash, topological and stealthy worms. Detection should
make it possible to identify and respond to threats on the same day they are
released, to minimize propagation and damage.
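As an added illustration (constructed here, not code from DARPA or the program described), the following Python simulation models a scanning worm on a network divided into units, with the unit-level shutdown, auto-recovery and attack-profile distribution sketched above, and reports the peak infected fraction and the minimum operational fraction against the 10% and 75% targets. The unit sizes, scan rate, detection delay and recovery time are assumed values, not figures from the program.

```python
import random
from collections import Counter

# Node states: S = susceptible, I = infected, Q = unit shut down for auto-recovery,
# P = immune (patched with the distributed attack profile, or disinfected by recovery).
def simulate(units=20, nodes_per_unit=10, detect_delay=3, scans=2,
             recovery_time=2, steps=40, seed=7):
    """Return peak infected fraction, minimum operational (S+P) fraction and the
    number of nodes still infected at the end of the run (all values assumed/constructed)."""
    rng = random.Random(seed)
    nodes = [(u, n) for u in range(units) for n in range(nodes_per_unit)]
    state = {node: "S" for node in nodes}
    state[nodes[0]] = "I"                     # patient zero in unit 0
    first_seen = {}                           # unit -> step at which its infection was sensed
    quarantined_at = {}                       # unit -> step at which it was shut down
    peak_infected, min_throughput = 0.0, 1.0
    for t in range(steps):
        # 1. Propagation: every infected node scans `scans` random nodes per step.
        for _scanner in [n for n, s in state.items() if s == "I"]:
            for target in rng.sample(nodes, scans):
                if state[target] == "S":
                    state[target] = "I"
        counts = Counter(state.values())      # worst instant of the step, before any response
        peak_infected = max(peak_infected, counts["I"] / len(nodes))
        min_throughput = min(min_throughput, (counts["S"] + counts["P"]) / len(nodes))
        # 2. Distributed sensing: note the step at which each unit first shows infection.
        for (u, _), s in state.items():
            if s == "I" and u not in first_seen:
                first_seen[u] = t
        # 3. Quarantine: `detect_delay` steps after infection is sensed, shut the whole
        #    unit down and push the attack profile to every still-clean node elsewhere.
        for u, t0 in first_seen.items():
            if u not in quarantined_at and t - t0 >= detect_delay:
                quarantined_at[u] = t
                for node in nodes:
                    if node[0] == u:
                        state[node] = "Q"
                    elif state[node] == "S":
                        state[node] = "P"
        # 4. Auto-recovery: a quarantined unit rejoins disinfected after `recovery_time`.
        for u, tq in quarantined_at.items():
            if t - tq >= recovery_time:
                for node in nodes:
                    if node[0] == u and state[node] == "Q":
                        state[node] = "P"
    remaining = sum(1 for s in state.values() if s == "I")
    return {"peak_infected": peak_infected, "min_throughput": min_throughput,
            "remaining_infected": remaining}
```

Comparing `simulate(detect_delay=0)` with `simulate(detect_delay=10)` shows that the same quarantine mechanism meets the 10% infection and 75% throughput targets only when detection is fast relative to the worm's scan rate; with a long detection delay the worm saturates the network before the first unit is shut down.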
Today, Day-Zero application-level defenses that protect networks from
virus, worm and malicious code attacks using behavior-blocking technology
are already offered by Finjan Software. This application scans all potentially malicious content
arriving from the network to verify that the inspected behavior aligns
with the predefined security policy. Any piece of code that violates
the security policy is blocked and logged at first strike, preventing
Trojans and other such threats from entering the corporate network and
connected PCs. In addition, Behavior Blocking technology can
proactively block unknown security threats.
Other defenses developed for MANET systems will be able to sense local
failures and evolving attacks, and to execute countermeasures and automatic
recovery in real time. Automatic and dynamic quarantine will be
supported by forensic analysis of malicious code, including static and
dynamic code analysis.
Protection of Networks and Distributed Applications
DARPA's Cyber Panel Program represents another approach
to network security. This program is developing capabilities to help
defend mission-critical information systems by monitoring them for
signs of cyber attack, and allowing operators to manage the operation
of system security and survivability features to avert or counter
developing attack situations. These include applying passive intrusion
detection sensors with capabilities to actively probe for additional
attack information. Cyber Panel enables intrusion assessment to detect
security threats through correlation and analysis of observed and
reported activities. Autonomic responses are employed to enable
reaction within milliseconds of the detection of any anomaly,
blocking suspected services and applications. Monitoring and response
components are being developed that allow warfighters to observe the
performance, health and threat state of mission critical information
systems, project the likely impact of reported cyber attacks on system
operation, assess possible defensive actions, and carry them out.
December 13, 2005: U.S. Air Force to launch Cyber Patrol
The US Air Force is addressing this problem of network
security by applying new cyber-attack countermeasures under a new
information warfare program awarded to Northrop Grumman Corporation's
Information Technology (NGTI) sector. Under the program NGTI will
develop information "network patrol" applications that will provide
early warning alerts and enable active response to
information-security threats.
The evolving architectural framework will provide
information, computer and network security, damage assessment and
recovery, security policy enforcement and active response. The system
will integrate cyberspace surveillance, cyber indications and warning,
high-speed and host-based intrusion detection, correlation of attack
indicators, decision support, recovery and cyber forensics
technologies. Current and maturing commercial- and
government-off-the-shelf applications will be used, including
intrusion sensor technology with data-correlation techniques and
visualization tools for managing large-scale networks. The system will
be available to the U.S. Air Force, coalition partners, intelligence
operations and U.S. law-enforcement agencies. The five-year program
value will be $24.8 million.