Publications

Abstract not provided.

Abstract not provided.

Current protection strategies against insider adversaries are expensive, intrusive, not systematically implemented, and operate independently; too often, these strategies are defeated. The authors discuss the development of methods for a systems-based approach to insider security. To investigate insider evolution within an organization, they use system dynamics to develop a preliminary model of the employee life cycle that defines and analyzes the employee population's interactions with insider security protection strategies. The authors exercised the model for an example scenario that focused on human resources and personnel security activitiesspecifically, prehiring screening and security clearance processes. The model provides a framework for understanding important interactions, interdependencies, and gaps in insider protection strategies. This work provides the basis for developing an integrated systems-based process for buildingthat is, designing, evaluating, and operatinga system for effective insider security. © 2009 IEEE.

This report documents the architecture and implementation of a Parallel Digital Forensics infrastructure. This infrastructure is necessary for supporting the design, implementation, and testing of new classes of parallel digital forensics tools. Digital Forensics has become extremely difficult with data sets of one terabyte and larger. The only way to overcome the processing time of these large sets is to identify and develop new parallel algorithms for performing the analysis. To support algorithm research, a flexible base infrastructure is required. A candidate architecture for this base infrastructure was designed, instantiated, and tested by this project, in collaboration with New Mexico Tech. Previous infrastructures were not designed and built specifically for the development and testing of parallel algorithms. With the size of forensics data sets only expected to increase significantly, this type of infrastructure support is necessary for continued research in parallel digital forensics. This report documents the implementation of the parallel digital forensics (PDF) infrastructure architecture and implementation.

Abstract not provided.

Abstract not provided.

The key piece of knowledge necessary for building defenses capable of withstanding or surviving cyber and kinetic attacks is an understanding of the capabilities posed by threats to a government, function, or system. With the number of threats continuing to increase, it is no longer feasible to enumerate the capabilities of all known threats and then build defenses based on those threats that are considered, at the time, to be the most relevant. Exacerbating the problem for critical infrastructure entities is the fact that the majority of detailed threat information for higher-level threats is held in classified status and is not available for general use, such as the design of defenses and the development of mitigation strategies. To reduce the complexity of analyzing threat, the threat space must first be reduced. This is achieved by taking the continuous nature of the threat space and creating an abstraction that allows the entire space to be grouped, based on measurable attributes, into a small number of distinctly different levels. The work documented in this report is an effort to create such an abstraction.

The need to protect national critical infrastructure has led to the development of a threat analysis framework. The threat analysis framework can be used to identify the elements required to quantify threats against critical infrastructure assets and provide a means of distributing actionable threat information to critical infrastructure entities for the protection of infrastructure assets. This document identifies and describes five key elements needed to perform a comprehensive analysis of threat: the identification of an adversary, the development of generic threat profiles, the identification of generic attack paths, the discovery of adversary intent, and the identification of mitigation strategies.

Supervisory Control and Data Acquisition (SCADA) systems for automation are very important for critical infrastructure and manufacturing operations. They have been implemented to work in a number of physical environments using a variety of hardware, software, networking protocols, and communications technologies, often before security issues became of paramount concern. To offer solutions to security shortcomings in the short/medium term, this project was to identify technologies used to secure "traditional" IT networks and systems, and then assess their efficacy with respect to SCADA systems. These proposed solutions must be relatively simple to implement, reliable, and acceptable to SCADA owners and operators. 4This page intentionally left blank.

This report suggests a generic set of attack approaches that are expected to be used against Industrial Control Systems that have been built according to a specific reference model for control systems. The posed attack approaches are ordered by the most desirable, based upon the goal of an attacker. Each attack approach is then graded by the category of adversary that would be capable of utilizing that attack approach. The goal of this report is to identify necessary levels of security required to prevent certain types of attacks against Industrial Control Systems.

Abstract not provided.

Wireless networking is becoming a common element of industrial, corporate, and home networks. Commercial wireless network systems have become reliable, while the cost of these solutions has become more affordable than equivalent wired network solutions. The security risks of wireless systems are higher than wired and have not been studied in depth. This report starts to bring together information on wireless architectures and their connection to wired networks. We detail information contained on the many different views of a wireless network system. The method of using multiple views of a system to assist in the determination of vulnerabilities comes from the Information Design Assurance Red Team (IDART{trademark}) Methodology of system analysis developed at Sandia National Laboratories.

Distributed denial of service (DoS) attacks on cyber-resources are complex problems that are difficult to completely define, characterize, and mitigate. We recognize the process-nature of DoS attacks and view them from multiple perspectives. Identification of opportunities for mitigation and further research may result from this attempt to characterize the DoS problem space. We examine DoS attacks from the point of view of (1) a high-level that establishes common terminology and a framework for discussing the DoS process, (2) layers of the communication stack, from attack origination to the victim of the attack, (3) specific network and computer elements, and (4) attack manifestations. We also examine DoS issues associated with wireless communications. Using this collection of views, one begins to see the DoS problem in a holistic way that may lead to improved understanding, new mitigation strategies, and fruitful research.

This research explores four experiments of adaptive host-based intrusion detection (ID) techniques in an attempt to develop systems that can detect novel exploits. The technique considered to have the most potential is adaptive critic designs (ACDs) because of their utilization of reinforcement learning, which allows learning exploits that are difficult to pinpoint in sensor data. Preliminary results of ID using an ACD, an Elman recurrent neural network, and a statistical anomaly detection technique demonstrate an ability to learn to distinguish between clean and exploit data. We used the Solaris Basic Security Module (BSM) as a data source and performed considerable preprocessing on the raw data. A detection approach called generalized signature-based ID is recommended as a middle ground between signature-based ID, which has an inability to detect novel exploits, and anomaly detection, which detects too many events including events that are not exploits. The primary results of the ID experiments demonstrate the use of custom data for generalized signature-based intrusion detection and the ability of neural network-based systems to learn in this application environment.