Attack Attribution for Hybrid, Cooperative and Non-Cooperative Infrastructure

Attack Attribution for Hybrid, Cooperative and Non-Cooperative Infrastructure

Project Sponsor:	Performing Company:	Principal Investigators:
Advanced Research and Development Activity (ARDA) under the Information Assurance for the Intelligence Community: IAIC Program	Cs3 Inc. 5777 W Century Blvd Suite 1185 Los Angeles, CA 90045-5600 Phone: (310) 337-3013	Donald Cohen K. Narayanaswamy

Project Documents

Recent ARDA Deliverables include the following:
- Survey of Level 1, 2, and 3 Attribution Techniques
- Assessment of the Impact of Cooperation on Level 1, 2, and 3 Attribution Techniques
- Techniques and Algorithms Report (1 of 3)
ARDA Principal Investigator Meeting Briefing, Presented at the ARDA IAIC and P2INGS Kick Off Meeting, November 18-20, 2003 in Nashville, TN

Problem:

The broad goal of this project is to significantly advance techniques and tools for attack attribution to support the Intelligence Community (IC). The attack attribution is defined to have the following aspects:

Level 1 Attack Attribution:
- Identification of attacking machines
Level 2 Attack Attribution:
- Identification of controlling machines
Level 3 Attack Attribution:
- Identification of humans behind attack
Level 4 Attack Attribution:
- Identification of sponsoring organization

This research project focuses on attack attribution at Levels 1, 2, and 3 as defined above.

Technical Objectives:

Specific technical objectives for this project include the following:

Level 1 attribution from a single packet
- From a network security perspective, for the Intelligence Community, confidentiality and integrity are more important than availability.
- Attribution from a single packet can handle all network attacks, even those that do not involve DoS floods.
Attribution techniques must work for "real" networks:
- Handle heterogeneity of infrastructure -- different capabilities
- Availability of evidence from many different methods
- Ability to overcome the likely presence of considerable non-cooperative infrastructure
Ability to dynamically change behavior of attribution system:
- Placement of new sensors/actuators dynamically
- Incorporation of new correlation criteria, analysis, etc.
Build a usable prototype that embodies above ideas.
- Find ways to leverage existing Cs3 and non-Cs3 technologies.

Novel Ideas:

Level 1 Attribution Approach:
- Combining partial evidence from multiple methods; handling non-cooperation and heterogeneity
Level 2 Attribution Approach:
- Builds on Level 1 by analyzing the communication traffic with Level 1 computers for evidence that other computers could have controlled them.
- In general, this analysis could require examination of historical communication data, because control of the Level 1 computers would have occurred prior to the detection of an attack leading to traceback of the Level 1 computers.
Framework for Level 3 Attribution:
- Based upon a behavior model that partially characterizes human attributes of the attacker(s);
Prototype with open architecture to integrate 3rd party tools that analyze different aspects

Project Tasks:

The specific project tasks that will be pursued during the course of this 18 month project include:

Analysis of Existing Attribution Techniques Study of Level 1, 2, and 3 attribution techniques: Hundreds of papers gathered and being evaluated What kinds of cooperation do the techniques require? Understand ideas, tools, and how usable they are	October 2003 -- January 2004
Level 1 Attribution Techniques Devised Handle hybrid cooperative capabilities Communication over non-cooperative infrastructure	October 2003 -- March 2004
Level 2 Attribution Techniques Devised Using signature analysis of communication data to identify how computers are controlled Combining variety of packet source determination techniques	Dec 2003 -- June 2004
Level 3 Attribution Techniques Devised Behavioral Model for Level 3 Attribution: April 2004 -- September 2004 Partial characterization of human attributes of the attacker based upon various sources of data Combine Cs3 and non-Cs3 analytical tools Use Cs3's TriggerWare software for dynamic event correlation	January 2004 -- September 2004
Development of Prototype AATIC Incorporate TriggerWare and dynamic sensors. Preliminary demo: (July 2004 -- August 2004)	December 2003 -- March 2005
Demonstration in IC Scenario:	September 2004 -- January 2005

Schedule of Milestones/Deliverables:

Monthly Status Reports	October 2003 to March 2005
Algorithm and Techniques Technical Report	March 2004
Report on Level 1, 2, 3 Attack Attribution	March 2004
On Site Project Status meeting	end April 2004
On Site Project Status meeting with work in progress prototype demo	between July, 15, 2004 - August, 15, 2004
Behavior Model for Level 3	September 2004
Algorithm and Techniques Technical Report	September 2004
ARDA West Coast PI Projects Status meeting	expected August 2004 - September 2004 time-frame
Prototype system using Cs3 and non-Cs3 technologies	February 2005
Triggerware Integration	February 2005
Case Study Report	February 2005
Algorithm and Techniques Technical Report	February 2005

Completed Deliverables:

Reports listed under "Project Documents" above.
Monthly Status Reports October, November, December 2003; January, February, and March 2004.

Project Sponsor:

Performing Company: