Digital clones offer insight about attack and defense strategies.
Solutions to today’s information security challenges may reside in the virtual world. Modeling, simulation and evolutionary computational techniques offer organizations a way to observe how real hackers operate and attack systems. Because tireless computers are doing all the work, data can be gathered around the clock ready for analysts to examine and evaluate.
Military leaders agree that network-centric warfare is about people, not networks. However, they acknowledge that the concept cannot succeed unless commanders can be confident that their systems are secure and that information accuracy can be ensured. One of the challenges in this arena, however, is assessing the effectiveness of security measures in the cyberworld where threats are constantly changing.
A collaborative effort among military, academia and industry has brought a revolutionary dimension to analyzing information operations by using evolutionary agent-based simulations. The work was conducted by the U.S. Army; George Mason University’s Krasnow Institute in Fairfax, Virginia; and BiosGroup Incorporated, a company acquired by NuTech Solutions Incorporated, Charlotte, North Carolina.
The project, known as adaptive network intrusion design and defense facilitated by evolutionary agent-based simulations, grew out of an advanced concept technology demonstration (ACTD). While the original ACTD was designed to investigate advanced network intrusion defense, the adjunct work examined adaptive network defense mechanisms. The initial goal of the project was to build models of network protections that could evolve as threats changed. Because adequate resources were not available to achieve this comprehensive objective, researchers focused their attention on the adversarial side of the problem and designed a method for analyzing the evolution of threats.
Col. Carl W. Hunt, USA, director of technology, Joint Task Force-Computer Network Operations, Arlington, Virginia, worked on the project when he was commander of the Army Criminal Investigation Command’s Computer Crime Investigative Unit (CCIU). Dr. Kenneth A. De Jong, professor of computer science at George Mason University, contributed his expertise in evolutionary computation.
Working with BiosGroup, Col. Hunt and De Jong began their work by building agent-based models of systems. The high-level models included approximately 2,500 Blue Force nodes. To reflect real-life conditions, nodes were designed with various levels of security—from workstations that featured seldom-changed passwords and ineffective intrusion-detection tools to highly secured systems.
The next step was to create virtual adversaries, which the researchers developed by using information gathered by the CCIU. From interviews with hackers, investigators gained intelligence about attack techniques as well as the sociological aspects of hacking. In addition, they reviewed computer logs of attacks to ascertain the technical aspects of break-ins, Col. Hunt shares.
Alone, these network models mimic the way organizations react to cyberattacks today, the colonel says. De Jong points out that these models can be used to assess the effectiveness of current security strategies. For example, if the U.S. Defense Department issues a directive that passwords must be changed weekly, systems administrators can assume that a certain percentage of personnel will not comply. By putting this information into the model, they would be able to determine how such directives affect the overall state of security, he says.
While models of the current environment are useful, Col. Hunt relates that the challenges information security officers face today are more fluid. “We build what might be called a line of defenses. Defense-in-depth is trying to make it very difficult for intruders to penetrate in traditional ways. But the problem is that untraditional approaches catch us by surprise, and there are operating system vulnerabilities that pop up from time to time,” the colonel notes.
De Jong explains that evolutionary computation is a way to get computer systems to evolve and adapt over time. It is in this area that the concept closely resembles Darwin’s theory of survival of the fittest. The way to make a computer system adaptive is by changing its traditional state of employing only one strategy to an approach that uses a variety of tools. The most effective methods will be used more often, while less effective ones will be left on the shelf, or will “die off” in Darwinian terms.
“So you always have a population of alternatives, and you’re constantly trying those alternatives because you’re really trying to attack a black box. You don’t know what’s going on inside, so you’re trying to find the best way to be secure today,” De Jong says.
During a simulation run, a designated number of Red Team virtual hackers are tasked with breaking into Blue Force systems. For example, beginning with the assumption that the Blue Forces have all their security procedures in place, five hackers attempt to break into the systems. After all of the virtual adversaries are stopped, each clones itself, and this next generation of hackers attempts to break into the same systems. However, through the application of evolutionary computation techniques, this new generation’s behavior will be different from the initial group’s. Sometimes the new generation’s techniques are better than previous generations’ methods, and sometimes they are worse. Only attackers with the most effective techniques survive to go on to produce new generations of techniques.
Evolutionary computation uses the Darwinian approach to create better hackers, De Jong explains. The virtual hackers constantly test break-in alternatives, and those that are more adept at breaching systems clone offspring that are better at challenging system security. Those that are less effective are not replicated and disappear, he states. Through evolutionary computation, the virtual hackers could consist of hundreds of thousands of combinations of skill levels.
“The general notion is that we have a population of 10, 20, 30 individuals who represent alternative strategies for doing something, and all of those individuals are given the opportunity to try to break into the system. Some of them are more successful than others. Then we have the notion that the successful ones are allowed to produce clone-like copies of themselves with variations. The effect of that is you can actually see novel strategies that were not part of the initial set of alternatives,” De Jong relates.
To evaluate the virtual hackers’ success, researchers instructed them to gain access to, or own, as many systems as they could. To assess how a population of hackers changes over time, De Jong first uses the agent-based model created by the BiosGroup to compute the base fitness of each hacker that has specific capabilities and strategies. At first, the average fitness level of the virtual hacker population is relatively poor. After conducting several simulation runs, the virtual hackers’ fitness improves, which allows analysts to review how threats expand.
In reviewing the data gathered through the evolutionary computation method, researchers are not interested in the hacker of average fitness but rather the “super hacker.” Although all hacker activity begins with random probing, over time certain hackers find a weak spot, gain access and compromise a number of systems. More fitness points are awarded to the hacker that gains entrance at a system’s root level. This information can then be used to identify systems vulnerabilities.
Exploration of evolutionary agent-based models at the Krasnow Institute focused on two primary methods that hackers use to penetrate systems. Scanning tools allow hackers to probe a network address to find a computer that responds. If a computer responds in a certain way, it indirectly identifies itself, and the intruder can determine the operating system it features then exploit vulnerabilities.
Sniffing is the second method the researchers assigned to their virtual Red Team members. In this case, an intruder is already part of a network, so every packet on the network passes through the hacker’s interface box. Sniffing tools, openly available on hackers’ Web sites, allow a user to obtain other people’s passwords from the packets. Within 24 hours, a sniffer could accumulate 30 passwords, for example, some of which would allow a hacker to log into another person’s account.
When a hacker uses the scanning method, greater access to the network is achieved, but systems administrators may detect the unusual activity. Sniffing is more difficult to detect because it is typically discovered only if someone notices that a user is logged into a system twice. “The point is that some of these techniques are noisier than others, and intrusion detection devices pick up that activity,” Col. Hunt explains.
“The idea was to model hacking at that level and to see, if we start out with hackers that have those two tools, whether they could figure out which ones or what combination of those two would be effective for infiltrating a secure system that they knew relatively little about,” the colonel details. He adds that hackers must determine the best balanced use of the tools. If a hacker relies on more scanning than sniffing, he may make a lot of progress, but the likelihood of being detected is greater. However, if sniffing is the primary tool, the intruder may not be discovered, but he is not making much progress.
Simulation allows analysts to examine a complex problem, such as hacking strategies, in one place and from different angles. “You look at the problem from the perspective of economics, physics, biology, and you bring multiple disciplines into a problem area. A biologist would say, ‘This is the way I would deal with that problem.’ A physicist would say, ‘This is where I see my contribution to solving that problem,’ and a computational scientist would say something else. And the economist would say, ‘Nobody would do that for economic gain, so this is what they want,’” Col. Hunt relates. One of the reasons the Army chose to work with the Krasnow Institute was its multidisciplinary resources, he adds.
De Jong explains that the next step would be to bring in security personnel who would fix the identified problems. The model could then be run again, which would demonstrate the new techniques hackers may use to find other ways into a system. “It’s a way of stress-testing a complex system. These evolutionary systems don’t have the same sort of cognitive biases that we do, so they tend to find loopholes where we humans would say, ‘Hey, I never thought of that,’” he points out.
Col. Hunt explains that the next logical step for the research would be a co-evolutionary approach where the behavior of both the Red Team and the Blue Team changes based on each other’s activity. Several objectives could be achieved from this work. Network architectures could be tested virtually, eliminating the need to build new systems. Computer forensics would improve as analysts have the opportunity to review more intrusion activities. In addition, evolutionary strategies could be developed so that Blue Force systems could be improved incrementally.
“You never really end up with a standard operating procedure. You end up with a set of strategies that allows you to build more adaptive architectures. If you think about it, we put intrusion detection systems in place now, and they do one or two things. They scan against a signature file, and every time they see a signature, they alert somebody or some other system. So they are kind of single-purpose. If you allow components of your network architecture to swarm around the problem, isolate it and deal with it, that’s a very adaptive, very evolutionary strategy for countering a certain set of intruder behaviors without compromising the rest of your network,” the colonel explains.
Col. Hunt and De Jong agree that uses for evolutionary computation models extend beyond the network design and information security arenas. Because they demonstrate the possible outcomes as variables change, they could be used as part of the decision-making process to explore the effect of choosing certain approaches. In addition, the security of other types of infrastructures, such as waterways and power plants, could be examined.
The next phase for this technique would be to develop an operational prototype of the defense simulation system, the colonel says. Functional capabilities could be delivered in one to two years, he predicts.