Information overload is a critical problem in both military and
commercial decision-making processes. Knowledge-based systems provide a
flexible, user-definable and highly scalable solution to this problem
by wedding intelligent multi-agent software to a user-focused
graphical interface, improving decision making in dynamic
environments and improving situational awareness. This approach lends
itself to many potential applications in both the military and
commercial sectors.
ARM - Active Resource Manager
accrediScan - accrediScan Toolkit Enables the Information Assurance Professional
WCI-CND - Work Centered Interface for Computer Network Defense
SAB-CND and SABOR - Secure Agent-Based Platform for Computer Network Defense and Secure Agent-Based Operations Reconstitution
AKA-CND - Agent-based Knowledge-design Assistant for Computer Network Defense
SCAND - Security Configuration Auditing for Network Defense
SDG - Software and Database Guard
PAWS - Protection Analysis Workstation
AEA-IDS - Agent Enabled Advanced Intrusion Detection System
KnoWeb™ - Knowledge-Based System Using Fault-Tolerant Intelligent Agents
ART - Argumentative Reasoning Theory
ARM
Active Resource Manager
HUNTSVILLE – As computer network systems used
by military, government, and business organizations become more
vital to the organizational mission, they also grow larger, faster,
more complex, more heterogeneous, and more difficult to protect.
Nowhere is the nation’s reliance on network systems more critical
than in network-centric warfare (NCW). Successful conduct of NCW
requires information sharing across a span of information domains
and networks. Among the many challenges to successful NCW is the
requirement for the networks to be robust and secure. Necessary to
securing these networks is the provision of a technology for active
network management.

Figure 1: ARM Architecture for Interactive Network Defense
Active Resource Manager (ARM), now in Phase II
development, will provide intelligent monitoring and control for
military network systems, enabling network security personnel to
respond rapidly and effectively to cyber threats. ARM will
integrate data from an extensible set of network management
resources, cyber-defense components, and executable policies. Near
real-time reasoning agents will aggregate and correlate network
events and generate response recommendations. An integrated
enterprise management system will be used to execute responses as
directed by the security manager. This work is sponsored by the
Office of the Secretary of Defense and managed by the Air Force
Research Labs in Rome, New York.
ARM is an important piece of Sentar’s comprehensive strategy for
cyber defense. Sentar is developing a new generation of integrated
information management and assurance solutions. Of the many Sentar
initiatives underway, the most relevant to ARM are WCI-CND, SABOR,
and AKA-CND. WCI-CND is designed to provide intelligent situation
awareness for military network security managers, using a
multi-agent framework for sensor integration, information fusion,
correlation, and decision support; AKA-CND provides runtime
knowledge authoring for WCI-CND; and the SABOR project is extending
KnoWeb® with technologies to support the continued optimal
operation of distributed applications in the presence of changing
resource demands and availability. Now these technologies are
joined by ARM, the Active Resource Manager. ARM constitutes a
quantum leap forward in our overall strategy, both technically and
commercially.
For more information about ARM, contact Dr. Andrew Potter,
principal investigator.
accrediScan
accrediScan Toolkit Enables the Information Assurance Professional
accrediScan is a DIACAP auditing tool targeted to the Information
Assurance professional for enabling easier auditing of DISA STIG
compliance. It automatically checks the security configuration
information on a network of distributed systems and records the
results to a central database. accrediScan audits multiple versions
of Windows®, Unix, and Linux platforms using the DISA-provided
Security Readiness Review (SRR) scripts and Gold Disk. The central
accrediScan console displays detailed platform audit results to
simplify DIACAP self-assessment and Scorecard reporting, reducing a
manual, tedious, time-consuming activity to a matter of minutes
with a single click of a button. Contact Sentar for further
technical, partnering, and licensing details.

For more information about accrediScan, including how to order,
download the accrediScan .pdf file.
WCI-CND
Work Centered Interface for Computer Network Defense
Technical Description: WCI-CND is a highly evolved Computer Network
Defense situation awareness and decision-support system. This
efficient, effective, flexible, and extensible cyber-defense
capability is built upon an extensible technology for integrating
best-of-breed network defense sensors and performing intelligent
information fusion, correlation, and policy-based decision support.
WCI-CND implements and monitors security policy compliance and
enforcement, and correlates data from vulnerability sensors,
surveillance sensors, security policy and other inputs to synthesize
high-level security knowledge, providing the security manager an
integrated situation awareness of the security posture of a network.
Capability/Advantage over other technologies: The use of
easily adaptive model processing enables the system to implement
evolving policies and technological capabilities. The WCI
intelligent agents 'understand' the cyber defense concepts they
implement through an advanced internal language system utilizing
highly evolved artificial intelligence. The system and agents
emulate the thought process of a security manager, enabling
advanced capabilities for automated correlation and decision
support. This is unlike other systems that are built upon sets of
rules and/or algorithms with capabilities for particular sets of
issues but have no internal language comprehending the security
concepts of cyber defense.
Relevance to Customer/End User: WCI gives the security
manager a very clear synopsis of prioritized critical security
information with decision support options. WCI is capable of
evolving to meet the changing security needs of a network
environment—with minor cost and minimal time impact. This continuous
evolution is possible because WCI-CND: is sensor-independent with a
standardized approach for sensor interfaces enabling it to consume
data from any input easily; is hardware platform independent and can
be deployed anywhere and/or everywhere across the network; was
designed for continuous evolution—easily incorporating changing
technologies and priorities into its functionality; has a flexible
architecture that permits the introduction of any new technology,
whether it is a new response capability, a new type of sensor or
information-generating source, irrespective of the OS, interface or
type of data generated.
Relevance to other Applications: Potential applications
include CND for GMD and other missile defense systems (including
THAAD, US Air Force Airborne Laser, and Navy Systems), command and
control (C2), anti-terrorism intelligence, and a wide variety of
industries, including Financial Services and Utilities.

Figure: WCI-CND Application
Figure: WCI-CND Application - Related Events - CTR2_Sensor
SAB-CND and SABOR
Secure Agent-Based Platform for Computer Network Defense
Secure Agent-Based Operations Reconstitution
Technical Description: SAB-CND secures agent-based Computer Network
Operations (CNO) applications by using both conventional security
measures and a set of innovative intelligent measures that employ
Autonomic Computing concepts. Specifically, SAB-CND has the ability
to detect malicious activities and attacks based on unexpected
behaviors, as well as performance degradations, and takes
appropriate action to ensure continued CNO operations.
Capability/Advantage over other technologies: The SAB-CND
technology provides a significant increase in capability over
systems that exist today because most existing agent platforms do
not adequately address the security holes within their environment.
Relevance to Customer/End User: Computer Network Operations (CNO)
application assurance despite Information Warfare (IW) attacks.

Sentar is in the process of designing and
prototyping a Secure Agent Based platform for Computer Network
Defense (SAB-CND). The SAB-CND Platform will integrate conventional
security measures with innovative intelligent analysis and response
measures based on IBM's concepts of autonomic computing. Sentar is
also working on a related Phase I SBIR for operational reconstitution.
In the SABOR environment, software will automatically rebuild and
continue operating after being attacked. Opportunities for SAB-CND
and SABOR deployment include military CND applications as well as
any mission critical system network. In addition to CND
applications, the general secure agent-based platform is applicable
to such areas as Network Centric Warfare (NCW), emergency
management, electronic market places, and the semantic web.
AKA-CND
Agent-based Knowledge-design Assistant for Computer Network Defense
Agent-based Knowledge-design Assistant (AKA) technology for Computer
Network Defense (CND) provides security
managers with a powerful tool that will allow them to respond
rapidly and flexibly to changing hostile network conditions.
Security managers and their commanders will be able to adapt the
system to maintain continuity of operations in the face of
unforeseeable circumstances, perform post-attack forensics flexibly
and creatively, and quickly respond to security policy revisions on
short notice. AKA-CND provides its users with greater autonomy in
adapting the CND capability to new and evolving requirements in
areas such as post attack forensics, security policy revisions, and
continuity of operations. By enabling security systems to adapt and
evolve the CND capability to new and unforeseen conditions, the AKA
will enhance the ability of mission critical systems to withstand
cyber-attack.

SCAND
Security Configuration Auditing for Network Defense
This research investigates a concept for automatically monitoring
and auditing system security configurations and assuring compliance
with established security policies. The concept uses multiple,
distributed, intelligent software agents, which may be mobile, to
compare the security configurations of network devices and software
with established security policy. The agents will either 1) notify
the security manager before proceeding, or 2) automatically
implement the necessary configuration changes to the system found in
violation of the policies. The proposed concept is based upon an
agent platform that provides secure execution and host migration and
is interfaced with a computer network defense system that supports
responsive decision making by network security managers.
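The compare-then-respond loop described above, as an added Python example that is not Sentar's code: a constructed policy (the setting names and thresholds are assumptions for illustration, not a real STIG) is checked against configurations collected from each host, and the result is either reported to the security manager with the host left untouched or applied directly as a configuration change, matching SCAND's two response options.

```python
from dataclasses import dataclass

# Constructed policy for this example (names and thresholds are assumptions,
# not a real STIG): each rule is (setting, operator, required value).
POLICY = [
    ("ssh.permit_root_login", "eq", "no"),
    ("ssh.protocol", "eq", "2"),
    ("password.min_length", "ge", 14),
    ("password.max_age_days", "le", 60),
    ("audit.enabled", "eq", True),
]
OPERATORS = {
    "eq": lambda actual, required: actual == required,
    "ge": lambda actual, required: actual >= required,
    "le": lambda actual, required: actual <= required,
}

@dataclass
class Finding:
    host: str
    setting: str
    actual: object    # value collected from the host (None if absent)
    required: object  # value the policy demands

def audit(host, config, policy=POLICY):
    """List policy violations on one host; an uncollectable setting is a violation."""
    findings = []
    for setting, op, required in policy:
        actual = config.get(setting)
        if actual is None or not OPERATORS[op](actual, required):
            findings.append(Finding(host, setting, actual, required))
    return findings

def remediate(config, findings):
    """Copy of config with each violating setting set to the policy value."""
    fixed = dict(config)
    for f in findings:
        fixed[f.setting] = f.required  # the bound itself satisfies ge/le
    return fixed

def respond(host, config, auto_remediate=False):
    """SCAND's two options: notify the manager (default) or apply the fixes directly."""
    findings = audit(host, config)
    notices = [f"{host}: {f.setting} is {f.actual!r}, policy requires "
               f"{f.required!r}" for f in findings]
    return (remediate(config, findings) if auto_remediate else config), notices

# Constructed configurations as a distributed auditing agent might collect them.
HOSTS = {
    "web-01": {"ssh.permit_root_login": "yes", "ssh.protocol": "2",
               "password.min_length": 8, "password.max_age_days": 90,
               "audit.enabled": True},
    "db-01": {"ssh.permit_root_login": "no", "ssh.protocol": "2",
              "password.min_length": 16, "password.max_age_days": 45},
}

if __name__ == "__main__":
    for host, cfg in HOSTS.items():
        print("\n".join(respond(host, cfg)[1]) or f"{host}: compliant")
```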

SDG
Software and Database Guard
Sentar’s Software and
Database Guard (SDG) is used to secure mission critical software and
databases from malicious code. This provides attack sensing and
situation awareness of trust status discrepancies in databases and
software. We use advanced technologies such as proof carrying code,
statistical anomaly detection, artificial diversity, nested
processes, and security wrappers in combination with intelligent
agents to provide indications and warnings of malicious data
corruption or code tampering to security managers. SDG provides
military and commercial organizations with a capability to secure a
wide range of applications against malicious data corruption or code
tampering. SDG improves network defense and information assurance
for military, homeland security, intelligence, logistics, and
commercial systems.

Technical Description: The Mission Critical Software and Data
Guard (SDG) Phase II SBIR project investigates and prototypes
software technologies for protecting crucial information assets. We
are applying and enhancing security wrapper technology to 1) specify
which software applications, program scripts, data files, and
databases to monitor; 2) identify under what conditions the security
wrappers should trigger; 3) determine how the protection system will
interpret suspected protection violation attempts; and 4) determine
how the protection system will respond to detected violations. The
security wrappers are a lightweight monitoring capability designed
to minimize the performance impact on the host applications and
systems. The protection system uses knowledge-based rules to quickly
identify sophisticated attacks and to prevent malicious or
accidental damage. The decision support rules are used to assess the
likelihood of malicious intent and thwart an attempted protection
violation before damage results. Active response is supported by
intercepting host operating system calls and controlling program
execution.
Capability/Advantage over other technologies: The advantage of
the SDG approach over other technologies is the combination of
low-level protection techniques with high-level decision support.
The functions are separated in the SDG system so as to minimize the
performance impact on the protected system and still provide
decision making knowledge. This separation allows the reuse of the
low-level security wrappers with high-level rules of use. Other
approaches place the decision making aspect in the low-level
protection technology, often with severe performance impacts.
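To make that separation concrete, here is an added Python sketch (not Sentar's SDG code) of the two layers described in the Technical Description and Capability paragraphs: a lightweight wrapper that only decides whether an operation on a guarded asset triggers an event, and a separate set of knowledge-based rules that score the likelihood of malicious intent and choose allow, alert or block. The event fields, rule descriptions, scores and thresholds are all constructed assumptions.

```python
import fnmatch
from dataclasses import dataclass
@dataclass(frozen=True)
class Event:
    actor: str       # process or user performing the operation
    operation: str   # "read", "write", "exec" or "delete"
    target: str      # file or database object touched
    off_hours: bool  # outside the approved maintenance window?

class SecurityWrapper:
    """Low-level layer: knows only which assets it guards and which operations
    raise an event; no decision logic, so it is cheap on every operation."""
    def __init__(self, guarded_patterns, trigger_ops):
        self.guarded_patterns = guarded_patterns
        self.trigger_ops = trigger_ops

    def observe(self, event):
        """Return the event if it should trigger, else None."""
        guarded = any(fnmatch.fnmatch(event.target, p) for p in self.guarded_patterns)
        return event if guarded and event.operation in self.trigger_ops else None
# High-level layer: knowledge-based rules that estimate the likelihood of
# malicious intent. Descriptions and scores are constructed for illustration.
RULES = [
    ("modification by a non-service account",
     lambda e: e.operation in {"write", "delete"} and not e.actor.startswith("svc-"), 40),
    ("deletion of a guarded asset", lambda e: e.operation == "delete", 30),
    ("activity outside the approved window", lambda e: e.off_hours, 20),
    ("execution out of a data directory",
     lambda e: e.operation == "exec" and e.target.startswith("/data/"), 50),
]

def assess(event, rules=RULES):
    """Sum the scores of the rules that match; return (score, reasons)."""
    matched = [(desc, score) for desc, pred, score in rules if pred(event)]
    return sum(s for _, s in matched), [d for d, _ in matched]

def decide(score, block_at=60, alert_at=30):
    """Map a likelihood score to a response; thresholds are assumptions."""
    if score >= block_at:
        return "block"  # intercept the call before damage results
    if score >= alert_at:
        return "alert"  # indication and warning to the security manager
    return "allow"

class ProtectionSystem:
    """The wrapper filters first; the rules run only on events it triggered."""
    def __init__(self, wrapper):
        self.wrapper = wrapper

    def handle(self, event):
        triggered = self.wrapper.observe(event)
        if triggered is None:
            return "allow", 0, []
        score, reasons = assess(triggered)
        return decide(score), score, reasons

if __name__ == "__main__":
    guard = ProtectionSystem(SecurityWrapper(["/data/*"], {"write", "delete", "exec"}))
    print(guard.handle(Event("jdoe", "delete", "/data/orders.db", off_hours=True)))
```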
Relevance to Customer/End User: Virtually all DoD mission
critical systems require information assurance. Damage to mission
critical systems can be inflicted by unauthorized intruders,
authorized users with malevolent intent, or by poorly implemented
software programs. All of these threats are imminently posed against
modern military information systems.
Relevance to other Applications: The SDG protection system is
a strong dual use technology. In addition to many government
agencies, nearly any commercial entity that has sensitive data and
applications needs information assurance. Government agencies that
require protection from malicious insiders include weapons systems,
intelligence and counter-intelligence agencies, criminal
investigators, and social support programs. Business entities with
sensitive information to protect include finance and insurance,
industrial production systems, and corporations with intellectual
property.

PAWS
Protection Analysis Workstation
Sentar is working on development
of a Protection Analysis Work Station (PAWS) to complement Sentar’s
situation awareness systems. Inputs to PAWS will consist of existing
plans and guidelines for system protection along with a variety of
data, information and knowledge on cyber threats, sensor responses,
analysis results, and system behavior. The PAWS will perform a
variety of analyses on all the inputs, including forensics to
determine threats, attack patterns, criticalities, and the validity
of current response plans and guidelines. The output of PAWS will be
updates to security plans and cyber threat evaluation and response
guidelines. Thus, in conjunction with the situation awareness
systems, the PAWS will provide for continuous evaluation of
responses to cyber threats.

AEA-IDS
Agent Enabled Advanced Intrusion Detection System
Sentar is leveraging ongoing government and academic research in the
development of an Agent-Enabled Advanced Intrusion Detection System
to protect networks against cyber attacks. The proposed architecture
combines next generation intrusion detection and prevention
techniques with Sentar's previous work in intelligent agents. This
combines intelligent agents, statistical anomaly detection, and
model-based profiles to provide high attack detection rates (up to
80 percent), the ability to detect previously unknown attacks, and a
dramatic reduction in false alarm rates. The overall result is a
user friendly, flexible infrastructure capable of rapidly adapting
new intrusion detection capabilities to enable security managers to
stay out in front of the growing and ever-changing cyber threat.

KnoWeb™
Knowledge-Based System Using Fault-Tolerant Intelligent Agents
In order to effectively capture and
maintain mission-critical knowledge assets, many of today's
organizations require large-scale, knowledge-based systems. These
systems deploy knowledge assets to users across distributed
computing resources including intranets and the Internet. Those
using these advanced technologies include military command and
control, medical diagnosis and treatment, and enterprise management
organizations.
The technology supporting knowledge-based systems has progressed to
the point of being able to capture and use information on the order
of thousands of knowledge units (algorithms/rules/frames/axioms), a
level that begins to approximate human-like problem solving. To-date
however, no knowledge management system has been capable of
supporting dynamic distributed problem solving over multiple
large-scale and distributed knowledge systems.

Such a system must be capable of manipulating and coordinating
hundreds of thousands to millions of knowledge units. Typical
systems fall short for a number of reasons. First, most systems
employ inference engines that operate only on knowledge that resides
in the specific knowledge bases they control. For example, database
search engines effectively manage information finding and retrieval,
but they cannot retrieve knowledge in general form, or combine
knowledge retrieved from multiple sources, into integrated inference
patterns. In contrast, humans perform inference processes that
involve widely distributed knowledge of more than one representation
type or domain.
Second, existing systems for distributed problem-solving functions
typically require human reasoning intervention to bridge gaps in
inference sequences; particularly between domain-specific and
type-specific automated knowledge processing sub-sequences. In cases
where human intervention occurs, it usually takes the form of
case-specific procedures implemented in software or hardware
interfaces. Accordingly, a need exists for a knowledge management
system for distributed problem-solving systems.
Sentar has developed such a system: KnoWeb™.
ART
Argumentative Reasoning Theory
For humans and computers to work collaboratively at an intelligent
level, they must be able to argue with one another. This would
include the ability to exchange views, explain the support for their
views, and offer counter-arguments to the views of one another. Some
researchers have proposed that human-computer argumentation should
be identical with argumentative processes used in purely human
collaboration. However, this places unnecessary obstacles in the
path to development of an effective technology. For example, it
would require that computers have verbal skills comparable to those
of their human counterparts. A more accessible approach would be to
distill the fundamental structures and processes necessary for
collaborative argumentation and use these as the foundation for a
collaboration technology. Such is the approach of Argumentative
Reasoning Theory (ART).
ART is a theory of knowledge representation, reasoning,
explanation, and argument interaction. It is designed to support
intelligent human-computer collaboration. ART provides the ability
to represent reasoning in a form that is computable, intuitive, and
amenable to discovery. ART accomplishes this by defining a model
based on major theories from argumentation, rhetoric, and discourse
analysis. By integrating Toulmin’s (1958) model of argumentation,
Perelman and Olbrechts-Tyteca’s (1969) strategic forms of
associative and dissociative reasoning, and Mann and Thompson’s
Rhetorical Structure Theory (RST), ART defines a model for
representing and manipulating argument structures. Arguments, when
satisfied, are instantiated into a dynamic rhetorical network that
represents a dynamic integral description of a domain situation.
Download a copy of the latest ART technical report, Sentar
Technical Report 07-069, for further details.