A Compositional Optimum Network Sensor Utilization System
The goal of the Compositional Optimum Network Sensor Utilization System (CONSensUS) project is to establish a basis towards a significantly improved intrusion detection system. Current intrusion detection systems are largely ad hoc, created from signatures of known attacks, process reports from single sensors, do not reflect the needs of the mission, and are incapable of responding to attacks. The work will lead to a system that processes reports from multiple sensors that are placed optimally throughout a network to cope with attacks to the system and to the sensors themselves, and that cause minimal performance impact on the mission itself. Correlations and analysis of attack and sensor models, sensor reports, and other system state information is used to decide on suitable responses, which may include activating additional sensors.
The proposed tasks are associated with the formal modeling of attacks, sensors, network topology, and the mission, and the creation of algorithms to process these models to decide on the optimal placement of sensors in a network and to correlate and abstract the reports from distributed sensors to create an assessment of an attacked system as a basis for deciding on human or automatic response. The following tasks are proposed:
Formal modeling of sensors needed to detect attacks: We will extend Jigsaw to allow the specification of sensors that can be used to detect attacks.The specification can either be direct, in which case the single (or multiple) sensors are enumerated, or indirect, in which case the properties of sensors associated with an attack are given but no specific sensor is identified.
Formal modeling of missions: The overall purpose of any system is to achieve some mission which an attacker attempts to defeat. We propose to model missions in terms of resources needed over time.
Representation of network topology: To reason about sensor placement, we will require a language to specify network structure, in particular, the location of key components (routers, firewalls, sensors, servers), what operating systems they are running, what protocols are being used.
Planning algorithms as the basis for sensor placement: We would develop algorithms to determine the feasible locations for sensors with respect to classes of attacks specified in Jigsaw, both known and unknown attacks. The algorithm to be developed will determine possible sharing of sensor activity, for example consider a scenario attack where a given sensor at some location can detect multiple states of the attack.
Redundant selection of sensors: Once the feasible locations are identified where it is assumed that sensors are immune to attacks, it is necessary to determine a revised placement relaxing the sensor immunity assumption. In this case, sensors can be impacted by attacks, rendering their reports suspect. This will require an iterative algorithm, possibly Planning, whereby based on the specification of an attack it is determined what sensor reports can be trusted, and a subset of correctly reporting sensors is a candidate placement set. Where there is uncertainty concerning the trustworthiness of sensor reports, then the analysis of sensor reports can involve Byzantine agreement, which requires that 3n+1 sensors be deployed in the face of n untrusted sensors. Clearly, this involves the deployment of redundant sensors, which is also the case when the attacker can launch attacks that compromise sensors in addition to other resources.
Optimal placement of sensors with respect to mission needs: The above algorithm development does not account for the performance impact of sensors. To account for mission impact, the sensor specifications will be used in conjunction with the mission specifications. From a feasible placement a placement set will be determined that has the minimal impact on the mission.
Dynamic deployment of sensors: Once an attack is discovered, it is often necessary to deploy additional sensors in order to gather additional details about the attack, especially if it is a spreading attack. The deployment of sensors can impact the mission's performance, so it is necessary to specify the mission in terms of a partial ordering of tasks thus allowing low priority tasks to be sacrificed while the attack is being battled.
Handling uncertainty: We will extend the DASSA model to include a metric for assurance, e.g., the reliability of sensors.
The CONSensUS model links a Jigsaw engine, a DASSA engine, and a sensor coverage model using Jigsaw to determine optimal sensor placement, coverage, and impact on the mission and works as follows: Threats to the mission are discovered either through an exhaustive search through a Jigsaw model or they are expressly stated by the security administrator. An engine using the Jigsaw model determines sets of sensors and their respective configurations that can detect these threats. This information is then fed to the DASSA engine that determines mission impact and optimally chooses which sensors to activate by comparing the resulting graphs. In addition to sensor placement and configuration, additional responses to attacks could also be determined in the same manner. Ideally, graphs may be formed of dimensions coverage vs. cost, where the tradeoff for larger attack coverage would be the impact on the mission critical resources. Each point along the graph would be a specific optimal set of sensors and their configuration, which parallels the DASSA mission model for resources. Further research will determine how to discern sets of optimal coverage based on the Jigsaw model and the mission impact principles used in the DASSA project.
last modified 3/27/02