IWS - The Information Warfare Site

Information Warfare
(Continued - 2 of 3)

Drawing on DRIW to Anticipate and Protect
Deception is one technique that can be used if a system such as NEWS allows the analyst to detect an attack pattern. Ron Newland, a systems engineer and program manager for the Data Resiliency in Information Warfare (DRIW) program, conducted by the Northrop Grumman team under contract to the Rome Laboratory, borrows the Star Trek concept of the "holodeck" to describe one deception tactic. Once an intruder has been detected in the reconnaissance phase of the attack, his access path is surreptitiously changed so that he enters a parallel system which emulates the real system but contains false data. The defender now becomes the attacker, using the "holodeck" to gather data on the intruder while feeding him false information.

Other potential responses, notes Zavidniak, include a covert move to another communications vehicle or the activation of commercial off-the-shelf (COTS) virus-detection software. Newland points out that a system can be designed to become gradually more restrictive in its operations, with different "DataCon" levels analogous to the Pentagon's DefCon system, and can escalate or de-escalate at very short notice.

The most important function of a system such as NEWS, however, may be to allow the system administrator to prepare for an attack. According to McCallam, this is the goal of DRIW. "We said, let's take the tack that someone is going to get in and do damage, but find a way to repair the system in real time." One foundation of this system is the concept of a minimal essential data set: the data which is both most important to the operation and which cannot be reconstituted easily if the system is compromised. "If I have an airspace management system that is tracking 200 targets, and 195 of them are my systems and five of them are bad guys, then I isolate and protect the information on those five targets. If I have an air traffic control system, what I really need to know is who's in the landing pattern." Using techniques similar to those used in computer forensics, where investigators recover deleted files from a hard drive, DRIW can bury the data beyond the reach of the intruder and recover it in real time after an attack. Even if the intruder manages to corrupt all the data on the system, the most essential data can be recovered rapidly.

DRIW is specifically designed to protect battle management, command and control (BMC2) systems. "It is the only real-time recovery capability that has been demonstrated," says Newland. In a hypothetical example, Newland shows how an attacker can threaten the success of an operation by changing a refueling time, and how a combination of early warning and rapid recovery can correct the corrupt data, allow the operation to proceed and leave the users confident that they can rely on their information systems.

The key to this capability is the use of "adaptive resource recovery agents" (developed by Florida-based team member Modus Operandi). The agents are software packages of different types, located in various places around the system. "Unless an intruder knows they are there, he will not be able to see them," says Newland. Periodically, the agents acquire a "snapshot" of the system data. They compare it with the data observed at different times and places by other agents, detect corruption and, at higher alert levels, block changes without authorization from the system administrator.
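As an added illustration (not DRIW's or Modus Operandi's own code), the Python below sketches the mechanism described above and in the minimal-essential-data-set paragraph: hidden agents snapshot the essential records, cross-check one another's copies, detect a corrupted record, restore it in place, and refuse unauthorized changes at a raised DataCon level. The DataCon names and threshold, the record layout and the sample mission data are assumptions made for the example.

```python
import json
from copy import deepcopy

NORMAL, ELEVATED = 1, 2  # DataCon names/threshold are assumed; the article gives none

def canonical(value):
    return json.dumps(value, sort_keys=True)  # comparable, countable form of a record

class RecoveryAgent:
    """One hidden agent holding a snapshot of the minimal essential data set."""
    def __init__(self, essential_keys):
        self.essential_keys, self.snapshot = essential_keys, {}
    def take_snapshot(self, system_data):
        self.snapshot = deepcopy({k: system_data[k] for k in self.essential_keys})

def majority_view(agents, key):
    """Agents cross-check each other, so one tampered snapshot cannot win."""
    votes = [canonical(a.snapshot[key]) for a in agents]
    return json.loads(max(set(votes), key=votes.count))

def detect_corruption(agents, system_data):
    """Essential keys whose live value differs from the agents' majority view."""
    return [k for k in agents[0].essential_keys
            if canonical(system_data.get(k)) != canonical(majority_view(agents, k))]

def recover(agents, system_data):
    """Real-time recovery: overwrite corrupted essential records in place."""
    for k in detect_corruption(agents, system_data):
        system_data[k] = majority_view(agents, k)
    return system_data

def apply_change(system_data, key, value, datacon, authorized=False):
    """At a raised DataCon level, changes need administrator authorization."""
    if datacon >= ELEVATED and not authorized:
        return False
    system_data[key] = value
    return True

def demo():
    # Constructed sample BMC2 records; the refueling time is the field the
    # article's hypothetical attacker alters.
    system = {"mission_101": {"refuel_time": "0430Z", "tanker": "T-1"}, "wx": "clear"}
    agents = [RecoveryAgent(["mission_101"]) for _ in range(3)]
    for a in agents:
        a.take_snapshot(system)
    tampered = {"refuel_time": "0530Z", "tanker": "T-1"}
    blocked = not apply_change(system, "mission_101", tampered, datacon=ELEVATED)
    apply_change(system, "mission_101", tampered, datacon=NORMAL)  # slips through
    agents[0].snapshot["mission_101"] = tampered  # one agent's copy is hit too
    corrupted = detect_corruption(agents, system)
    recover(agents, system)
    return blocked, corrupted, system["mission_101"]["refuel_time"]
```

The majority vote across agents is what lets recovery succeed even when an intruder reaches one of the hidden copies; with only a single agent the comparison would have nothing to vote against.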

The objective of information resiliency is not to prevent attacks but to reduce them to a nuisance rather than a threat. "It's like ants at a picnic," says McCallam. "You'll never get rid of all the ants, but if only one or two get through, you'll be O.K."




Copyright © 2000
Northrop Grumman Corporation
All Rights Reserved
This image, data, or information is provided for the personal, noncommercial use only, by the individual accessing and may not be modified, revised or retransmitted without the specific written authorization of Northrop Grumman Corporation.