Effective Monitoring of a Survivable Distributed Networked Information System*

Paul Rubel, Michael Atighetchi, Partha Pal
BBN Technologies
{prubel, matighet, ppal}@bbn.com

Martin Fong
SRI International
mwfong@sri.com

Richard O’Brien
Adventium Labs
richard.obrien@adventiumlabs.org

* This work was supported by DARPA and AFRL under Contract no. F30602-02-0134.

Abstract

In 2002, DARPA put together a challenging proposition to the research community: demonstrate, using an existing information system and available DARPA-developed and other COTS technologies, that a very high level of survivability against unconstrained attack by a nation-state-level red team is achievable. This report describes the monitoring, intrusion detection, and reporting infrastructure of the resulting system, highlighting the design principles and lessons learned that are generally applicable to survivable information systems.

1. Introduction

Over the past decade, substantial resources have been invested in the defense of sensitive information systems against the threat of cyber-attacks. Initially, system security focused on attack prevention. However, it soon became obvious that it is impossible to build a system that is invulnerable to every new attack yet is usable, interoperates with others, and is economically viable. These realizations led to a focus on detection. If attacks cannot be prevented, the thought was, they must be quickly detected so that human operators can take remedial actions. However, intrusion detection systems (IDSes) do not identify all “zero-day” attacks and can produce a large volume of low-level alerts, including many false positives. From the realization that not all attacks can be prevented, and some may not even be detected accurately and early enough, came the newest focus: tolerate or survive the undesirable effects caused by (partially) successful attacks.

Each new realization increased the necessity, importance, and complexity of monitoring. Initially, logging was less critical because all attacks were “prevented”. As detection became necessary, monitors were placed at the hosts and along network flows. In order to survive rather than just detect attacks, additional monitoring of the network, within hosts, and within applications is needed.

Implementing the required level of monitoring is non-trivial and involves finding solutions to a set of challenges. Where should one place sensors so that sensor coverage and fidelity are maximized? How can one mitigate the tension between protection and detection (e.g., how to encrypt all traffic without blinding sensors)? How does one deal with information overload and resource over-utilization while still enabling the processing of very large volumes of monitoring events?

In this paper we describe how we dealt with these monitoring challenges in the context of designing the survivable version [1] of a military information management system. The design, by selectively combining aspects of protection, detection, and adaptive response, provides a high barrier to entry from outside the system and also makes it difficult to spread attacks within the system; increases the likelihood of detecting attack activity as early as possible, even if the attack source cannot be determined exactly; and copes with attacks by adapting to the changes they cause.

We give an overview of the survivable system in Section 2, and then describe sensor placement and alert generation in Section 3. Section 4 notes the techniques used to boost alert fidelity. Section 5 focuses on correlation techniques in alert processing. We summarize lessons learned from Red Team exercises in Section 6, present related work in Section 7, and conclude with a summary and future work.

2. Background – The defense-enabled JBI

A number of efforts have been under way to enhance the reach and capability of information management systems to meet the DoD’s need for network-centric warfare.
The Joint Battlespace Infosphere (JBI) is one such effort. The JBI is a