Paper 1625 US-W-IAT
Increasing Flexibility in Network Visibility and Intrusion Response
Patrick Allen, General Dynamics Advanced Information Systems
General Dynamics has been developing computer network defense software and processes for many years. One development has been the Integrated Information Infrastructure Defense System (I3DS), a policy-based security system that allows the network defender to selectively modify, node by node, the level of visibility into the node and the degree of defensive response to detected threats. As an extension to I3DS and similar CND software, General Dynamics designed the Course of Action Process (COAP) to assist the network defender in rapidly understanding evolving situations, predicting future threat events, and recommending responses. This presentation describes features of COAP that appear to improve on the state of the art in computer network defense. For example, tailorable filters allow the network defender to highlight and maintain the top-N events that need to be addressed, rather than watching an endless list of events scroll past. In addition to presenting the frequency of events, COAP categorizes events by type and records the breadth and depth of events of each type across the network. Depth represents how deep into the network security architecture the threat has been detected. Breadth measures how widespread a given type of event is across the network, which helps distinguish worm-like activity from human-hacker activity. Threat events can then be ranked and displayed to the user by depth, breadth, frequency, or a composite score that combines them. COAP also includes a predictive component that predicts likely next threat events given the events detected to date. Unlike traditional pattern-matching techniques, which require a unique pattern to be defined for each type of attack, the Network Intrusion Model defines a superset of related threat events and predicts next threat events along probable intrusion sequences within the model.
This predictive situation modeling places predicted threat events on an "event watch list" that is highlighted for the network defender. The predictive aspect helps ensure a proactive set of recommended responses, not just after-the-fact recommendations. In addition to recommending responses, COAP also tracks response status information. When expected responses are not forthcoming, additional responses are recommended to further increase visibility into the cause and to recommend further appropriate responses. COAP detections and response options were designed around I3DS detection and response capabilities, but they are also applicable to other computer network defense tools.
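The abstract describes two mechanisms without showing how they might be computed: ranking event types by depth, breadth, frequency and a composite score, and walking an intrusion-sequence model to put not-yet-seen event types on a watch list. The following Python is an added illustration of both, not COAP or I3DS code and not the Network Intrusion Model itself. The zone ordering used for depth, the score weights, the "widespread" threshold, the transition graph and the sample events are all assumptions constructed for the example.

```python
"""Breadth/depth/frequency ranking and next-event prediction in the style
the abstract describes. Added illustration: not COAP or I3DS code. The
zone ordering, weights, threshold and transition model are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed ordering of detection points from the outside in; the index is the
# "depth" of a detection (how far into the architecture the threat got).
ZONES = ["perimeter", "dmz", "internal", "server", "host"]
ZONE_DEPTH = {zone: i + 1 for i, zone in enumerate(ZONES)}


@dataclass(frozen=True)
class Event:
    etype: str   # event category reported by the sensor
    host: str    # node on which it was detected
    zone: str    # detection point, one of ZONES


# Constructed sample events (not real sensor output): a broad, shallow scan,
# one host being probed and exploited, and one host under password guessing.
SAMPLE_EVENTS = [
    Event("port_scan", "ws-01", "perimeter"),
    Event("port_scan", "ws-02", "perimeter"),
    Event("port_scan", "ws-03", "perimeter"),
    Event("port_scan", "ws-04", "perimeter"),
    Event("vuln_probe", "ws-02", "dmz"),
    Event("vuln_probe", "ws-02", "dmz"),
    Event("exploit_attempt", "ws-02", "internal"),
    Event("brute_force_login", "ws-07", "perimeter"),
    Event("brute_force_login", "ws-07", "perimeter"),
    Event("brute_force_login", "ws-07", "perimeter"),
]


def summarize(events, weights=(2.0, 1.0, 0.25), wide=3):
    """Per event type: depth (deepest zone reached), breadth (distinct hosts),
    frequency (count), a weighted composite and a spread label. The weights
    and the `wide` threshold are assumed; tune them for the network at hand."""
    w_depth, w_breadth, w_freq = weights
    by_type = defaultdict(list)
    for e in events:
        by_type[e.etype].append(e)
    scores = {}
    for etype, evs in by_type.items():
        depth = max(ZONE_DEPTH[e.zone] for e in evs)
        breadth = len({e.host for e in evs})
        freq = len(evs)
        scores[etype] = {
            "depth": depth, "breadth": breadth, "frequency": freq,
            "composite": w_depth * depth + w_breadth * breadth + w_freq * freq,
            # many hosts -> worm-like spread; few hosts, many events -> targeted
            "spread": "widespread" if breadth >= wide else "focused",
        }
    return scores


def top_n(scores, n=3, key="composite"):
    """Event types to keep in front of the defender, best first; ties by name."""
    return sorted(scores, key=lambda t: (-scores[t][key], t))[:n]


# Assumed intrusion-sequence model: successor event types with transition
# likelihoods. One graph covers a family of related intrusions, so no
# per-attack signature has to be written.
INTRUSION_MODEL = {
    "port_scan": {"vuln_probe": 0.6, "brute_force_login": 0.3},
    "vuln_probe": {"exploit_attempt": 0.7},
    "brute_force_login": {"successful_login": 0.4},
    "exploit_attempt": {"privilege_escalation": 0.5, "malware_drop": 0.4},
    "successful_login": {"privilege_escalation": 0.5},
    "privilege_escalation": {"lateral_movement": 0.6, "data_exfil": 0.3},
    "malware_drop": {"c2_beacon": 0.8},
}


def watch_list(observed_types, model=INTRUSION_MODEL, horizon=2):
    """Predict event types not yet seen, scored by the most likely path that
    reaches them within `horizon` steps from any observed type."""
    observed = set(observed_types)
    predicted = {}
    frontier = {t: 1.0 for t in observed}   # every observed type starts at 1.0
    for _ in range(horizon):
        nxt = {}
        for t, p in frontier.items():
            for succ, tp in model.get(t, {}).items():
                if succ in observed:
                    continue   # already happened; it is expanded from the frontier itself
                q = p * tp
                predicted[succ] = max(predicted.get(succ, 0.0), q)
                nxt[succ] = max(nxt.get(succ, 0.0), q)
        frontier = nxt
    ranked = sorted(predicted.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(t, round(p, 4)) for t, p in ranked]


if __name__ == "__main__":
    scores = summarize(SAMPLE_EVENTS)
    for etype in top_n(scores):
        print(etype, scores[etype])
    for etype, p in watch_list(scores):
        print("watch:", etype, p)
```

With these weights the single deep `exploit_attempt` on one host outranks the `port_scan` seen on four hosts, while the breadth field still flags the scan as widespread; the watch list then surfaces `privilege_escalation`, `malware_drop` and `successful_login` before any of them has been detected.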

Dr. Patrick D. Allen is Senior Lead Systems Engineer for General Dynamics Advanced Information Systems and has 25 years of experience in information operations, modeling and simulation, and project management. Pat is the designer of the Course of Action Process and of the Information Warfare Planning Capability's Course of Action Support Tool (COAST). He has also worked on the DARPA project for Defense Against Cyber Attacks in Mobile Ad hoc Networks. He is the author of Information Operations Planning, available from Artech House, October 2006. Dr. Allen has a BS in Physics, a Masters and Doctorate in Operations Research, and a Masters in Strategic Studies. He is also a certified Project Management Professional from PMI and an adjunct Professor at Old Dominion University teaching systems analysis, system of systems engineering, and software project management.