An Integrated Cyber Panel System
Authors
Abstract
The DARPA Cyber Panel program has funded research in defending mission-critical information systems from strategic coordinated attacks. This research spans many areas including novel sensors, alert correlation and reduction, visual correlation, mission impact assessment, and response. This paper describes the integration of Cyber Panel technologies from the different areas into an advanced cyber defense system and the demonstration of that system.

1. Cyber Panel Concept

The DARPA Cyber Panel Program is focused on the defense of mission-critical information systems at the theater-level. The program has invested in technologies that help identify stealthy scans and coordinated attacks, assess system health and the mission impact of attacks, and choose and implement effective system and security configuration changes in response to attacks. These technologies provide necessary functions for an advanced cyber defense system.

Network defenders today analyze low-level alerts and system logs and often do not understand how the events they are seeing affect operations that rely on the computing resources. Operations personnel, on the other hand, are concerned with making sure their staffs accomplish their defined mission, and generally have no insight into the network they rely upon and the attacks that are affecting it and them. This functional gap, coupled with an asymmetric dependency, puts defenders at a disadvantage of not being able to adequately defend mission-critical resources during active attack situations.

Cyber Panel attempts to bridge this gap by introducing the concept of a cyber mission. A cyber mission is the set of high and low level tasks that must be performed by the defended computing resources at some time in support of the operational mission. Performance of these tasks relies on the availability and trustworthiness of the underlying system and network infrastructure. The effects of attack activities may be linked to the cyber mission to provide the network defender with status on the cyber mission as it relates to the operational mission. This linkage enables the defender to make better choices when defending an enclave.

When this functionality is coupled with technologies that identify extremely stealthy probes and key coordinated attack steps and those that anticipate likely adversary actions, an advanced cyber defense system is born. Such a system will reduce the ability of adversaries to strike at the United States through information systems by improving the ability of network defenders to rapidly perceive the extent of attacks, understand what mission-critical computing resources are threatened, and take effective defensive actions.

2. Integrated Cyber Panel System

The Integrated Cyber Panel System is designed to provide cyber awareness and control for survivability. The system helps the operator defend the enclave against cyber attacks and maintain mission-required enclave functionality. It integrates technologies and concepts from the following Cyber Panel areas:

• Attack Sensing and Warnings [1]
• Automated [2] and Visual [3] Alert Correlation
• Response Formulation [4] and Evaluation
• Cyber Warfare Strategies and Tactics [5]

Many infrastructure components have been developed to facilitate integration of these technologies including high-level models of the network and mission and common underlying communication tools.

Cyber Panel technologies provide either awareness or response functionality. Situation awareness technologies include

   1. sensors that monitor for attack activities and system status,
   2. correlators that provide alert filtering, clustering, prioritizing, and classifying, and
   3. situation selectors that correlate observations with mission knowledge to identify situations of interest.

Situation response technologies include response recommenders that evaluate alternatives and recommend responses in light of the mission and response managers and actuators that implement the responses. Many of these components rely extensively on a knowledge base that describes the network and mission being defended. The orchestration of these components is shown in Figure 1.

[Figure 1: Integrated Cyber Panel System. Diagram labels: Protected Enclave, Cyber Sensors, Alert]