By Charlotte Adams
WASHINGTON - Intrusion-detection technology is taking center stage as a way to safeguard the crucial U.S. computer and communications infrastructure from hacker-inflicted damage.
The President's Commission on Critical Infrastructure Protection recently recommended a quadrupling of current infrastructure assurance research spending to more than $1 billion by 2004. Money for intrusion detection research would come out of that fund.
Reports on Defense Department vulnerabilities are hardly encouraging. Auditors from the U.S. General Accounting Office - the investigative arm of Congress - estimate that hackers attempted as many as 250,000 break-ins against DOD computers in 1995, and Pentagon officials acknowledge more than 250 successful penetrations last year.
Intrusion-detection technology is an obvious place to turn. Several intrusion-detection products are already on the market, and computer scientists are conducting plenty of ambitious research with funding from the U.S. Defense Advanced Research Projects Agency (DARPA) and other DOD entities.
But more money for intrusion-detection research is necessary, say members of the commission and other experts. The most crucial intrusion-detection needs center on real-time detection, identification, and response tools for network attacks, says retired Air Force Gen. Robert Marsh, chairman of the presidential commission.
Intrusion detection is where firewalls were half a decade ago, says Teresa Lunt, a program manager with DARPA's Information Survivability (IS) program. The technology's state of the art leaves a lot to be desired, particularly in its false alarm rate. In one widely fielded Air Force system, for example, there were four real intrusions over a one- to two-week period out of approximately 12 million events, which were aggregated and then analyzed manually. Officials of DARPA's IS program, by contrast, hope to get the false alarm rate "down to a few thousandths of a percent," Lunt says.
More R&D to come
Although DARPA's IS program supports complex, specification-based and statistical approaches to the problem, much more work is required, particularly in defending large networks from new and multipoint attacks, Lunt says. Greater use of artificial intelligence in intrusion-detection systems is also necessary, says John Davis, head of the National Security Agency's National Computer Security Center and the commission's R&D lead.
The IS program ends next year, so DARPA officials may propose a follow-on effort to look at areas such as cyber attack "indications and warnings," possibly starting in 2000. Other national R&D technology priorities include monitoring and threat detection - including physical systems such as the water supply - vulnerability assessments and systems analysis, risk management and decision support, system protection and damage mitigation, contingency planning, incident response, and recovery, Davis says.
Another promising angle is an Advanced Concepts Technology Demonstration aimed at coordinating responses to intrusion detection across 30 DOD sites.
This demonstration is under management of the U.S. Air Force Rome Laboratory in Rome, N.Y., on behalf of the U.S. Defense Information Systems Agency (DISA) in Falls Church, Va., with tri-service participation.
Its cornerstone, the Information Assurance Automated Intrusion Detection Environment, would (if funded) attempt to automate the collection, correlation, integration, and evaluation of input from devices such as firewalls, integrity checkers, and operating system audit mechanisms, says John Pirog, a computer engineer with the Rome Lab Information Warfare (IW) Group. The object is to enable a large, distributed network to determine whether it is under attack.
The concept demonstration would establish a framework with local sites feeding regional areas, which, in turn, would report to a command center at DISA, Pirog says. The DOD's Global Command and Control System (GCCS) could then distribute warnings.
Such work will be an important step, but it is essentially "ad hoc data collection," Lunt says. It still is necessary to ask how to perform large-scale assessments and what the higher and lower levels should do, she explains.
Current work
DARPA's IS program includes several intrusion-detection projects. One of the most ambitious efforts, by Boeing Defense & Space Group in Seattle, is working on technology to track and contain intruders across large heterogeneous networks; it would continue to operate in real time, even while under attack, Boeing officials say.
Boeing's approach stresses the necessity for an intrusion-detection system to talk with other intrusion detectors, firewalls, and routers, along with operating systems, packet filters, and network management components to track hackers and "shut off their connections," Lunt says. Among other things, Boeing engineers are developing a protocol to "support the intruder-tracking and isolation process," company officials say.
The DARPA IS program is also funding projects using "statistical anomaly detection" to defend against unusual and unexpected attacks, Lunt says. A project with SRI International of Menlo Park, Calif., is attempting to build a statistical profile for the behavior of devices such as routers to pinpoint unusual activity, she says. Researchers at Carnegie-Mellon University in Pittsburgh are trying a similar approach.
DARPA officials are also funding "specification-based" efforts to trigger alarms if certain rules are violated. This approach targets objectionable behavior without needing to know, ahead of time, exactly how an attempt is being carried out.
Researchers at the Microelectronics Center of North Carolina in Research Triangle Park, N.C., are combining statistical- and specification-based approaches. Officials hope to work with high-speed traffic, such as Internet protocols over asynchronous transfer mode networks, Lunt says.
Officials involved with the DARPA IS program and Rome Lab are also planning a competition between prototype intrusion-detection systems this July and the following July, Lunt says. She wants to determine what approaches are best, and to examine different combinations. Another payoff would be the development of an intrusion detection evaluation methodology, she says.
Rome Lab scientists also are working with Net Squared Inc. of Davis, Calif., on a statistical-based intrusion-detection approach aimed at server ports, says Joe Giordano, a computer scientist with Rome's IW Group. For example, although convention dictates that port 25 be used for e-mail and port 80 for World Wide Web traffic, there is no hard-and-fast rule that attackers need follow: a service listening on a well-known port may not be the service the port number implies, so a monitor has to look at what the traffic actually does rather than trust the port number.
The Net Squared Network Radar, which includes an object-oriented Network Monitoring Toolkit for application development, can be used to build monitors that "detect attempts ... to bypass security measures," says Todd Heberlein, Net Squared president. Company experts also are playing a role in DARPA's new Information Assurance program, which aims to inject security into the Defense Information Infrastructure architecture. A major beneficiary will be the GCCS.
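The two detection styles the article describes, statistical anomaly detection and specification-based rules, can be shown together on the server-port problem Giordano raises. The following Python is an added illustration written for this page; it is not Net Squared's, Rome Lab's, or DARPA's code, and the connection records, byte counts, port specifications, and the 3-standard-deviation threshold are all constructed for the example. The specification check asks whether the first bytes a client sends on port 25 or 80 actually look like SMTP or HTTP; the statistical check keeps a per-port running mean and variance of bytes per connection (Welford's method) from traffic assumed benign and flags connections far outside it. A record that speaks valid SMTP but moves a hundred times the usual volume passes the first check and fails the second, while an HTTP request or raw shell commands on the mail or web port fail the first regardless of size.

```python
"""Port-aware intrusion detection: a specification check (does traffic on a
well-known port speak that port's protocol?) beside a statistical anomaly
check (is the connection's size normal for that port?).
Added illustration; records below are constructed, not captured traffic."""
import math
import re
from collections import defaultdict

# --- Specification-based check -------------------------------------------
# Predicate on the first bytes the client sends. These are illustrative
# minimal checks, not full protocol parsers.
SMTP_CMD = re.compile(rb"^(HELO|EHLO|MAIL|RCPT|DATA|QUIT|NOOP|RSET|STARTTLS)\b", re.I)
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")

PORT_SPECS = {  # assumed conventions for this example
    25: ("smtp", lambda payload: SMTP_CMD.match(payload) is not None),
    80: ("http", lambda payload: HTTP_REQ.match(payload) is not None),
}

def spec_violation(record):
    """Reason string if the client payload does not fit the port's conventional
    protocol, else None. Ports without a specification are not judged."""
    spec = PORT_SPECS.get(record["port"])
    if spec is None:
        return None
    name, conforms = spec
    if conforms(record["payload"]):
        return None
    return "port %d traffic does not look like %s: %r" % (
        record["port"], name, record["payload"][:24])

# --- Statistical anomaly check -------------------------------------------
class PortBaseline:
    """Per-port running mean and variance of bytes per connection, using
    Welford's online algorithm, built from traffic believed to be benign."""
    def __init__(self):
        self.n = defaultdict(int)
        self.mean = defaultdict(float)
        self.m2 = defaultdict(float)

    def update(self, port, value):
        self.n[port] += 1
        delta = value - self.mean[port]
        self.mean[port] += delta / self.n[port]
        self.m2[port] += delta * (value - self.mean[port])

    def zscore(self, port, value):
        """Standard deviations from the port's mean; None without a baseline."""
        n = self.n[port]
        if n < 2:
            return None
        std = math.sqrt(self.m2[port] / (n - 1))
        if std == 0:
            return 0.0 if value == self.mean[port] else math.inf
        return (value - self.mean[port]) / std

Z_THRESHOLD = 3.0  # assumed alert threshold

def analyze(records, baseline):
    """Run both checks; return a list of (record index, alert kind, detail)."""
    alerts = []
    for i, rec in enumerate(records):
        reason = spec_violation(rec)
        if reason:
            alerts.append((i, "spec", reason))
        z = baseline.zscore(rec["port"], rec["bytes"])
        if z is None:
            alerts.append((i, "no-baseline", "port %d has no baseline" % rec["port"]))
        elif abs(z) > Z_THRESHOLD:
            alerts.append((i, "anomaly", "port %d: %d bytes is %.1f sd from baseline"
                           % (rec["port"], rec["bytes"], z)))
    return alerts

# Constructed baseline: 12 ordinary SMTP sessions and 12 ordinary HTTP requests.
TRAINING = [(25, b) for b in (1400, 1500, 1600) * 4] + \
           [(80, b) for b in (3800, 4000, 4200) * 4]

# Constructed connection records to analyze (port, bytes moved, first client bytes).
RECORDS = [
    {"port": 25, "bytes": 1550, "payload": b"EHLO mail.example.org\r\n"},
    {"port": 80, "bytes": 4100, "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"},
    # HTTP request to port 25: something other than a mail server on the mail port
    {"port": 25, "bytes": 1500, "payload": b"GET /cgi-bin/shell HTTP/1.0\r\n\r\n"},
    # Raw shell commands on port 80: a listener where a firewall permits web traffic
    {"port": 80, "bytes": 4000, "payload": b"id; uname -a\n"},
    # Valid SMTP commands but far above the usual volume for this port
    {"port": 25, "bytes": 250000, "payload": b"EHLO relay.example.net\r\n"},
    # Port with neither a specification nor a baseline: reported, not judged
    {"port": 8080, "bytes": 900, "payload": b"GET / HTTP/1.1\r\n\r\n"},
]

def build_baseline():
    bl = PortBaseline()
    for port, nbytes in TRAINING:
        bl.update(port, nbytes)
    return bl

def run():
    return analyze(RECORDS, build_baseline())

if __name__ == "__main__":
    for idx, kind, detail in run():
        print(idx, kind, detail)
```

Records 2 and 3 are caught by the specification rule without any prior knowledge of the particular attack, which is the property the article attributes to that approach; record 4 is only caught statistically, and record 5 shows why a baseline has to exist before a z-score means anything. The threshold and the crude protocol matchers are the knobs that set the false alarm rate Lunt is concerned with.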
DARPA's IS program is also supporting an intrusion-detection software interoperability and reusability initiative, known as the Common Intrusion Detection Framework, or CIDF. This would enable independently developed components "to meaningfully share event data and analytical results" - something that is not readily available today, DARPA officials say.