
Security

IAC Relies on Sensor Hardware to Prevent Network Intrusions

By IAC Staff

In Fiscal Year 2003, the ARL Information Assurance Center (IAC), which provides network intrusion detection services for the Defense Research and Engineering Network (DREN), as well as other customers, uncovered 148 root-level compromises, 28 user-level attempted intrusions, and many malicious logic infections across its entire sensor base.

These networks that our defense research data fly across have become an increasingly hostile realm, where more than 100,000 scans and probes rattled the doorknobs of DREN addresses alone last FY.

Preventing intrusions is one of the most important roles of our systems staff as we have discussed in the last two issues of Link, but let's consider how we detect compromises when our protections have failed. The ARL IAC employs a suite of complementary tools that examine network traffic at each site where sensors are deployed. For the DREN, sensors are deployed at all the Major Shared Resource Centers, many of the Program's Distributed Centers, and the network peering points where DREN connects to other networks. The sensor hardware is a general-purpose computer, equipped with ample disk space and multiple network interfaces, one of which is attached to the network segment that is being monitored.

Care in placing and configuring the sensors, and in monitoring the data they collect, allows intrusion detection to be managed quietly and without introducing any latency to the network being monitored.

Most CERTs rely on a single tool, whereas the IAC distinguishes itself by using a multitool suite, giving analysts a more complete view of network activity. The ARL suite has consistently proven to be accurate in detecting intrusions without erroneous alerts.

The coupling of operations and research permits the IAC to rapidly incorporate new methods and approaches into the analysis environment. ARL analysts are experts in adapting the toolset to monitor various defense network configurations, as evidenced by the ATM high-speed network monitoring capability first developed by ARL. IAC developers regularly provide improvements to the analysis suite, surveying and evaluating newly developed Intrusion Detection System (IDS) methodologies and implementing the best of breed.

R &amp; D efforts are focused on improving deep threat analyses of collected sensor data along multiple axes (time, geography, function, etc.) to detect new or stealthy intrusion attempts, and on developing intelligence information from the collected IT activity through data fusion and mining. The ARL IAC leverages DoD and Army research initiatives with universities and small businesses, providing technical direction and focus so the results are relevant and can be incorporated into the ARL suite.

The ARL IAC strives to maintain its excellent working relationships with all sites, Services, and CERTs, and with the military intelligence (MI) and law enforcement (LE) communities. ARL technical assistance and investigative support includes providing additional data or analyses as requested by MI or LE personnel.

ARL maintains ongoing activities to transfer IAC capabilities to additional organizations, broadening and strengthening the overall security posture for other government elements.