Keeping Malicious Code at Bay

August 2002
By Henry S. Kenyon

Changing threats, technologies redefine notions of network security.

Research is extending the boundaries of information assurance technology to include the operational reliability of individual systems and the ability of tactical wireless networks to remain secure. Scientists are developing agile solutions to counter new types of cyberassaults and to protect vulnerabilities detected in emerging technologies.

Defending a computer network against attacks can be viewed as a game of chess—but one with constantly changing rules. By keeping ahead of existing and potential threats, the Defense Advanced Research Projects Agency (DARPA) provides U.S. warfighters with robust equipment that will function in any physical, cyber or radio frequency environment. To maintain the reliability of military communications equipment and to counter new modes of cyberattacks, DARPA scientists now view information assurance as more than simple network security. According to Dr. Anup K. Ghosh, a program manager at DARPA’s Advanced Technology Office, Arlington, Virginia, two additional areas—trustworthy systems and defense against malicious code—are receiving research funding.

Trustworthy system design provides the military with reliable, safe and secure devices. “From a commander’s point of view, this means it must be available when it’s called. In other words, it doesn’t crash. It’s secure so soldiers know there are no data confidentiality leaks, and they are not going to be compromised by people hacking into their systems,” Ghosh says.

Malicious codes are a form of network attack that has emerged in the past few years. Traditionally, DARPA researchers focused on intrusion detection and how to counter individual hackers trying to enter government systems. But today, threats come from group or automated attacks, Ghosh explains. Instead of a single person trying to gain access to one network, an individual or a team will write malicious code that automates system break-ins through vulnerabilities in the software. Once inside, these programs, or worms, replicate themselves and spread to other networks.

The traditional response to attacks—detecting a threat and sending out an alert—becomes dangerously slow in the face of worm-based threats that spread throughout the Internet in as little as 15 minutes. The speed of these attacks means there is almost no time for a human-in-the-loop response. The key question facing researchers is, What types of mechanisms cannot be turned against the network? If attackers know that a certain response will degrade the quality of service, then they will use denial of service against a target, he observes.

Because worms can spread across multiple networks very quickly, DARPA scientists have developed a containment system called sandboxing that permits a suspect piece of code to be observed in a safe environment where it cannot access files or network resources. Administrators can test files and packets for malicious code before admitting them into the network.

Internet-enabled systems accessing databases or files are especially susceptible to malicious code. Ghosh notes that these attacks are becoming more extensive and sophisticated. Many intrusions are really attempts to map a network for vulnerabilities. “Because they are simply probing, it’s hard to know if you are under attack. Probes are usually under the radar of typical intrusion detection systems,” he explains.

To counter probes, software sensors can be distributed throughout a network where they can correlate data and record patterns over weeks or months. For example, over a three-month period, sensors may record systematic attacks against targets ranging from the Pentagon, the military services and DARPA. After studying the information, analysts would know that this was a coordinated attack seeking to map vulnerabilities in government systems, Ghosh says.
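The cross-site correlation described above, as an added example that is not from the article or DARPA: constructed sensor records (addresses, sites and dates are invented) in which a single source probes several sites too slowly to trip any one site's threshold, yet stands out once the sensors' data is pooled over months.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sensor records (not from the article): (timestamp, site, source, port).
# Each site's own IDS sees only one or two probes per month from 203.0.113.7,
# which stays under a per-sensor alert threshold.
CONSTRUCTED_EVENTS = [
    ("2002-03-02T01:10", "pentagon", "203.0.113.7", 22),
    ("2002-03-19T04:32", "army",     "203.0.113.7", 80),
    ("2002-04-07T02:05", "navy",     "203.0.113.7", 443),
    ("2002-04-25T03:44", "darpa",    "203.0.113.7", 22),
    ("2002-05-13T01:58", "pentagon", "203.0.113.7", 25),
    ("2002-05-30T02:20", "darpa",    "203.0.113.7", 80),
    # A noisy single-site source: caught locally, but not a cross-site campaign.
    ("2002-04-01T09:00", "navy",     "198.51.100.9", 80),
    ("2002-04-01T09:01", "navy",     "198.51.100.9", 443),
    ("2002-04-01T09:02", "navy",     "198.51.100.9", 22),
]

PER_SENSOR_THRESHOLD = 3   # probes from one source before a single site alerts


def per_sensor_alerts(events, threshold=PER_SENSOR_THRESHOLD):
    """What each site's IDS sees on its own: probe counts per (site, source)."""
    counts = defaultdict(int)
    for _, site, src, _ in events:
        counts[(site, src)] += 1
    return sorted({src for (site, src), n in counts.items() if n >= threshold})


def correlate_campaigns(events, min_sites=3, min_days=30):
    """Pooled view: a source touching several sites over a long window is a
    coordinated mapping campaign even when every site saw very little of it."""
    sites, first, last = defaultdict(set), {}, {}
    for ts, site, src, _ in events:
        t = datetime.fromisoformat(ts)
        sites[src].add(site)
        first[src] = min(first.get(src, t), t)
        last[src] = max(last.get(src, t), t)
    campaigns = {}
    for src, seen in sites.items():
        span_days = (last[src] - first[src]).days
        if len(seen) >= min_sites and span_days >= min_days:
            campaigns[src] = {"sites": sorted(seen), "span_days": span_days}
    return campaigns
```

Run stand-alone, `per_sensor_alerts` flags only the loud local scanner, while `correlate_campaigns` surfaces the slow cross-site source that no single sensor would report.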

The research aims to give administrators what Ghosh calls cyber situational awareness. This is achieved by gathering data from sensors and other systems spread across a network or group of networks to create a complete picture of an attack.

The goal is to respond in real time by thwarting or slowing down attacks through autonomic response, Ghosh says. An example of this proactive method is an automatic rate-limiting defense to counter distributed denial of service attacks. Rate limiters control the amount of traffic flow within a network node to alleviate a denial-of-service attack.

Another response is introducing delays into the system if a specific node or server is being attacked. “You are essentially slowing down the attacker’s ability to exploit that particular service. In fact, it might even convince that person to move on to another site. It’s like the traditional log-in. If you enter the wrong user name and password, it introduces a wait before you get the chance to do it again,” he points out.
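The two autonomic responses just described, rate limiting and a growing delay after failed log-ins, as an added example (not DARPA's code or from the article). Both are keyed by source address, which is the point raised earlier: a response applied to everyone would hand an attacker a denial of service, so it is scoped to the offending source only. Rates, bursts and delay values are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float   # requests currently allowed
    last: float     # time of the last refill, in seconds


class AutonomicResponder:
    """Per-source rate limiting and progressive log-in delay (constructed
    example). Keying by source keeps the response from degrading service
    for legitimate users when one source misbehaves."""

    def __init__(self, rate_per_s=5.0, burst=10, base_delay=1.0, max_delay=60.0):
        self.rate, self.burst = rate_per_s, burst          # assumed limits
        self.base_delay, self.max_delay = base_delay, max_delay
        self.buckets = {}
        self.failures = defaultdict(int)

    def admit(self, src, now):
        """Token-bucket limiter for one source. True = forward, False = drop."""
        b = self.buckets.get(src)
        if b is None:
            b = self.buckets[src] = Bucket(tokens=float(self.burst), last=now)
        # Refill in proportion to elapsed time, never beyond the burst size.
        b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def auth_delay(self, src, success):
        """Seconds the source must wait before its next log-in attempt: doubles
        with each consecutive failure, capped, and resets on success."""
        if success:
            self.failures.pop(src, None)
            return 0.0
        self.failures[src] += 1
        return min(self.max_delay, self.base_delay * 2 ** (self.failures[src] - 1))


if __name__ == "__main__":
    r = AutonomicResponder()
    flood = sum(r.admit("198.51.100.9", 0.0) for _ in range(20))
    print(f"attacker burst: {flood}/20 forwarded, legit user: {r.admit('203.0.113.7', 0.0)}")
    print([r.auth_delay("198.51.100.9", False) for _ in range(4)])
```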

DARPA researchers also are studying the use of artificial intelligence (AI) techniques to detect and deter attacks. But questions remain about how they can be used to respond. One possibility is developing machine learning techniques that automatically switch a device or network to different configurations, permitting smooth operation and preventing attacks from succeeding. Although this capability does not exist, Ghosh sees it as an area where research is necessary.

Intelligent agent software is another AI tool that may be useful; however, it potentially is both a solution and a threat, Ghosh says. Because agents are mobile code—software that can move around in a device or network—they must be prevented from being converted into delivery systems for viruses and worms. For example, an intrusion detection agent that queries the state of servers could be captured and corrupted by a hostile program. DARPA research uses redundant programs to counter this threat. The agents copy themselves, and if a corrupted agent is discovered, it is terminated and restarted, he asserts.

Wireless communications is the next major area of DARPA information assurance research, Ghosh says. The agency had previously concentrated its efforts on headquarters information technology systems—Internet-connected workstation and server platforms. This same technology is now migrating to smaller mobile devices and embedded platforms. As a result, researchers are looking for new risks. “As we begin to move commercial operating systems like Windows XP into tactical handheld systems such as personal digital assistants, missile guidance systems or targeting systems, the question is, ‘What types of information assurance issues are creeping into this space?’” he expresses.

Tactical devices must be highly reliable and depend on complex applications such as Internet-based networks and Java-based virtual machines, but they are susceptible to threats such as mobile-code-based attacks, Ghosh says.

Because wireless devices in the field do not follow a traditional client-server scenario, tactical equipment must rely on approaches such as intermittent connectivity, peer-to-peer networking and ad hoc networks. Almost all of these mobile devices require battery power, which is why many low-power networks operate intermittently, he offers.

These considerations challenge established information assurance practices. For example, detecting an intrusion in a wireless network is more difficult because it is not always possible to monitor individual devices from a central server. Battery power is another key constraint in low-power systems. Because many of these devices operate in a sleep mode to maintain energy, Ghosh notes that a denial-of-service attack against a wireless network simply needs to keep the equipment awake long enough to consume its battery power.

Battlefield wireless networks also require a different approach to security. In headquarters systems, the clients and servers are traditionally considered secure because they are in a guarded physical location, while the network is viewed as insecure. However, in embedded wireless systems, many devices such as remote sensor networks and intelligent munitions are unattended. “You have to assume that some equipment is going to fall into the enemy’s hands,” he allows.

Ideally, the capture of a single device should not compromise an entire system. Research is focusing on protecting mobile networks should equipment containing classified data be compromised. “You want to be able to detect the capture and then remotely zero out the data on that device,” he says.

Jamming also poses potential difficulties for tactical networks. DARPA is researching technologies that look at both ends of this question: the ability to jam enemy communications and the ability to maintain connectivity in a noisy environment. Ghosh notes that directional communications and ad hoc networks are possible solutions to battlefield interference. “We’re looking at the perspective of an ad hoc network—say in an urban warfare type of environment. If soldiers are able to authenticate and securely exchange information through programmable devices, what kinds of information assurance issues are involved?” he asks.

The trustworthiness of an individual device is a key security question. “If I know that a platform will take mobile code, do I have provisions on it to ensure that the code is trusted in the first place? If I were the enemy and knew that it [the device] would run any arbitrary code, I could reprogram it to monitor network communications or broadcast on a different channel,” he says.

Verifying user identity is another concern. For authentication, he notes that even if a device uses encryption, it is possible to unknowingly establish a secure link with an enemy. Authentication is a problem with embedded wireless systems because they cannot take advantage of online infrastructures designed to vouch for, or revoke, a user’s certificate, he says.

Ghosh notes that researchers also are developing more trustworthy platforms for wireless devices such as cellular telephones and modifying commercial devices such as handheld computers by adding security features. These applications permit the partitioning of the operating system. If a device was to load malicious code, the program would be unable to access sections such as the address book, nor could it send data out via radio frequency links, he submits.


Additional information on information assurance research at the Defense Advanced Research Projects Agency is available on the World Wide Web at