Active Network Intrusion Detection and Response
Objective
The objective of the Active Networks Intrusion Detection and Response
(AN-IDR) project is to develop intrusion detection and response
mechanisms with greater adaptability, mobility, power, and effectiveness
by exploiting the technology produced by DARPA's Active Networks
Program. Active network technology provides a highly customized
infrastructure that allows network users to reprogram and customize
routers, firewalls, switches, and other components to provide new
network services on the fly. This project will develop
active-network-based intrusion detection, tracing, response, and/or
recovery mechanisms that are: (1) self-deploying, i.e., autonomous,
migrating and self-configuring; and (2) self-adaptive to location,
topology, platform, and environment.
Approach
The effectiveness of conventional intrusion detection and response (IDR)
mechanisms is limited for several reasons. These mechanisms cannot
detect all attacks because new attacks are being created continually.
They cannot be deployed everywhere and kept fully enabled because of
performance costs. It is difficult to keep them properly configured at
all times because the network and threat environment continually
evolves. Furthermore, the evolution of attacks toward coordinated
actions against networks of hosts over long periods of time requires
detection and response services that can themselves migrate through the
network in reaction to evidence of such an attack.
The AN-IDR project team consists of SPARTA ISSO and Boeing Phantom Works, who have several years of joint experience developing the Intruder Detection and Isolation Protocol (IDIP) and associated software under DARPA funding. IDIP provides cooperation among intrusion detection systems, firewalls, routers, network management components, and hosts so that intrusions that cross multiple network boundaries can be automatically traced and blocked as close to their sources as possible. The AN-IDR project will design and build new IDR functions that run on active network technology, using IDIP as a source for IDR concepts and functionality. The project is organized as three tasks.
The first task formulated a number of different active IDR usage scenarios to illustrate different ways of exploiting active network technology; e.g., roving vulnerability scanners, TCP connection escorts. From these IDR scenarios, twenty-seven specific functional requirements for active network infrastructure components were derived.
The second task is using active network technology to deploy new IDR functionality for dynamic and flexible IDR staging. This involves implementing active deployment mechanisms so that new IDR techniques can be autonomously deployed throughout an active network, whenever and wherever needed. The team has defined and begun implementing an initial demonstration scenario involving the disruption of streaming audio/video sessions by a distributed denial of service (DDOS) attack. To provide a source of DDOS attacks, the team has deployed the much-publicized hacker toolkit called "Stacheldraht" (Barbed Wire).
The third task will explore active packets as a means of creating powerful active IDR functions that are dynamic and adaptable. The project team will explore modifying and augmenting active packets in transit so that IDR functions may be tailored as they traverse the network in response to the evidence they find. The project team will investigate extending the wrapper paradigm to network traffic by encapsulating suspicious packets in protective code that can monitor the packets, deflect them from sensitive sites, or otherwise limit the damage they might cause. The crosscutting issues of securing active networks and IDR operation across administrative domains will be considered in developing these prototypes.
Research Focus
Initial AN-IDR Prototype
Our initial prototype illustrates the potential value active network
technology can provide in the intrusion detection and response problem
domain. This prototype demonstrates the capability to detect and
automatically respond quickly and effectively to distributed denial of
service attacks launched by the hacker toolkit Stacheldraht. The
automated response is implemented as an active program (mobile code)
that installs itself in the router nearest the attack's target, a
RealMedia streaming audio/video server, and migrates to upstream routers
along all attack paths between the target and packet flooding sources.
The active program implements a conventional rate limiter algorithm that
allows suspicious traffic, containing a mix of legitimate and malicious
packets, through routers at a controlled rate; it discards excessive
packets that would otherwise overwhelm the RealMedia server's network.
The result is that the server is able to resume providing usable service
for the legitimate packets that pass through the rate limiter. The
effectiveness of the rate limiter program increases successively as it
migrates closer to the flooding sources, thereby demonstrating the
benefits of migrating code and active network technology.
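The following is an added illustration, not code from the AN-IDR prototype: a small fluid model of an indiscriminate rate limiter placed at successive hops of a constructed tree topology (router names, per-tick rates and the even split of the capacity budget are all assumptions), reproducing the observation above that the same budget spares more legitimate traffic as the limiter migrates toward the flooding sources.

```python
# Added example (not AN-IDR project code): a fluid model of a rate limiter
# placed at different routers of a constructed tree, showing why the same
# capacity budget spares more legitimate traffic as it migrates upstream.

# Constructed topology: routers map to children; leaves are sources with
# (legit, attack) packets/tick. s1, s2 flood; R1, R2 are their first hops; RT is the router nearest the server.
TREE = {"RT": ["RA", "RB", "RC"], "RA": ["R1", "s3"], "R1": ["s1"],
        "RB": ["R2", "s4"], "R2": ["s2"], "RC": ["s5"]}
SOURCES = {"s1": (0, 30), "s2": (0, 10), "s3": (2, 0), "s4": (2, 0), "s5": (4, 0)}
CAPACITY = 10.0  # packets per tick the server's network can absorb (assumed)

def offered(node):
    """Traffic (legit, attack) that would reach `node` with no limiter anywhere."""
    if node in SOURCES:
        return SOURCES[node]
    parts = [offered(c) for c in TREE[node]]
    return sum(p[0] for p in parts), sum(p[1] for p in parts)

def deliver(node, limiters):
    """Traffic (legit, attack) forwarded by `node` toward the server when the
    routers in `limiters` (node -> allowed packets/tick) run the limiter. The
    limiter cannot tell legitimate from malicious packets in the suspicious
    flow, so both are scaled by min(1, budget/demand) and the excess dropped."""
    if node in SOURCES:
        legit, attack = map(float, SOURCES[node])
    else:
        parts = [deliver(c, limiters) for c in TREE[node]]
        legit, attack = sum(p[0] for p in parts), sum(p[1] for p in parts)
    if node in limiters:
        demand = legit + attack
        scale = min(1.0, limiters[node] / demand) if demand else 1.0
        legit, attack = legit * scale, attack * scale
    return legit, attack

def place(limiter_nodes):
    """Share the server's capacity among limiter instances: paths without a
    limiter pass untouched, the rest is split evenly (assumes no nesting)."""
    total = sum(offered("RT"))
    covered = sum(sum(offered(n)) for n in limiter_nodes)
    budget = (CAPACITY - (total - covered)) / len(limiter_nodes)
    return {n: budget for n in limiter_nodes}

def legit_fraction(limiter_nodes):
    """Fraction of legitimate demand that reaches the server for a placement."""
    legit, _ = deliver("RT", place(limiter_nodes))
    return legit / offered("RT")[0]

if __name__ == "__main__":
    for hop in (["RT"], ["RA", "RB"], ["R1", "R2"]):
        print(hop, "legit delivered: %.1f%%" % (100 * legit_fraction(hop)))
```

With these rates the limiter at RT delivers about 21% of legitimate traffic, at RA/RB about 59%, and at the flooding sources' first-hop routers 100%, while the server's inbound load stays at capacity in every case.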
Additional Information
For additional information contact Dan Sterne (dan.sterne@SPARTA.com)
at 443-430-8000.
