f473953a3219b0f74eb58c8a5cf7f5a6.ppt
- Number of slides: 43
Dept. of Homeland Security Science & Technology Directorate
Priorities in Security Research Funding
23 September 2004
ACM CCS, Washington, DC, October 26, 2004
Douglas Maughan, Ph.D., Program Manager, HSARPA
douglas.maughan@dhs.gov
202-254-6145 / 202-360-3170
Presentation Agenda
- DHS Overview
- Cyber Security R&D Activities
  - National Strategy to Secure Cyberspace
    - Secure Domain Name System (DNSSEC)
    - Secure Protocols for the Routing Infrastructure
  - DHS / NSF Cyber Security Testbed
  - Large-scale Network Security Datasets
  - Cyber Economic Assessment studies
- "New" Activities
General DHS Organization
- Secretary (Ridge) & Deputy Secretary (Loy)
- Directorates:
  - Management (Hale)
  - Border & Transportation Security (Hutchinson)
  - Emergency Preparedness & Emergency Response (Brown)
  - Information Analysis & Infrastructure Protection (Libutti)
  - Science & Technology (McQueary)
- Other components and offices: Coast Guard; Secret Service; Citizenship & Immigration & Ombuds; Civil Rights and Civil Liberties; Legislative Affairs; General Counsel; Inspector General; State & Local Coordination; Private Sector Coordination; International Affairs; National Capital Region Coordination; Counter-narcotics; Small and Disadvantaged Business; Privacy Officer; Chief of Staff
Border and Transportation Security (BTS)
- Mission: Securing our nation's air, land, and sea borders is a difficult yet critical task. The United States has 5,525 miles of border with Canada and 1,989 miles with Mexico. Our maritime border includes 95,000 miles of shoreline. Each year, more than 500 million people cross the borders into the U.S., some 330 million of whom are non-citizens.
  - CBP – Customs and Border Protection
  - ICE – Immigrations and Customs Enforcement
  - TSA – Transportation Security Administration
  - APHIS – Animal and Plant Health Inspection Service
  - ODP – Office for Domestic Preparedness
Emergency Preparedness & Response
- Mission: Ensure that our nation is prepared for catastrophes, whether natural disasters or terrorist assaults. Not only will the EP&R Directorate coordinate with first responders, it will oversee the federal government's national response and recovery strategy.
  - FEMA – Federal Emergency Management Agency
  - NIRT – Nuclear Incident Response Teams
  - DES – Domestic Emergency Support
  - NDPO – National Domestic Preparedness Office
Information Analysis and Infrastructure Protection (IAIP)
- Mission: Ensure the capability to identify and assess current and future threats to the homeland, map those threats against our vulnerabilities, issue timely warnings, and take preventive and protective action to secure the national infrastructures.
  - NCSD – National Cyber Security Division
  - NCS – National Communications System
  - PSD – Physical Security Division
  - ICD – Infrastructure Coordination Division
  (Callout on slide: "Our main internal DHS customers")
Science and Technology (S&T) Mission
Conduct, stimulate, and enable research, development, test, evaluation and timely transition of homeland security capabilities to federal, state and local operational end-users.
S&T Organization Chart
- Under Secretary for Science & Technology (McQueary)
  - Office of Plans, Programs and Budgets (Albright)
  - Homeland Security Advanced Research Projects Agency (Oxford)
  - Office of Research and Development (McCarthy)
  - Office of Systems Engineering & Development (Kubricky)
Crosscutting Portfolio Areas
- Chemical
- Biological
- Radiological
- Nuclear
- High Explosives
- Cyber Security
- USSS
- Paul Mahon, Portfolio Manager
Execution: Science and Technology Directorate (diagram)
- Office of Research and Development
  - Centers
  - Fellowships
  - Scholarships
  - Stewardship of an enduring capability
- Homeland Security Advanced Research Projects Agency
  - Innovation, Adaptation, & Revolution
  - Development
- Systems Engineering & Development
  - Engineering, Production, & Deployment
Legacy of HSARPA Name: How is it different from DARPA?
- Differences
  - 85-90% of funds for identified DHS requirements
  - 10-15% of funds for revolutionary research
    - Breakthroughs
    - New technologies and systems
  - These percentages are likely to change over time, but we need to meet today's requirements
Cyber Security R&D Portfolio: Scope
- The Internet serves a significant underlying role in many of the Nation's critical infrastructures
  - Communications, monitoring, operations and business systems
- Adversaries face asymmetric offensive / defensive capabilities with respect to traditional warfare
  - Makes cyberspace an appealing battleground
- Cyberspace provides the ability to exploit weaknesses in our critical infrastructures
  - Provides a fulcrum for leveraging physical attacks
- The most significant cyber threats to the nation are very different from "script-kiddies" or virus writers
- DHS S&T focus is on those threats and issues that warrant national-level concerns
Cyber Security R&D Center (diagram)
- Requirements
  - Customers: NCSD, NCS, USSS
  - Critical Infrastructure Providers
  - Other Sectors, e.g., Banking & Finance
  - National Documents
- Pre R&D
  - Prioritize requirements
  - Sector Roadmaps
  - Solicitation Preparation: BAA, SBIR
  - R&D Coordination – Government & Industry
- Programs: DNSSEC, SPRI, Cyber Economics
- Post R&D
  - Experiments and Exercises
  - Workshops
  - Outreach – Venture Community & Industry
  - Future Programs
- Output to customers: NCSD, NCS, USSS; Critical Infrastructure Providers; Other Sectors, e.g., Banking & Finance
- Supporting Programs: PREDICT, DETER
Post Research Activities
- Experiments
  - U.S. / Canada Secure Blackberry Experiment
    - 3-phase homeland security deployment activity
    - Includes industry participants from both countries
  - Oil and Gas Sector workshop in late July
    - Expected to lead to technology pilot deployments
  - Department of Treasury
    - FS ISAC, FSSCC, numerous sector participants
    - Technology pilot organization in process
Post Research Activities (continued)
- Exercises
  - National Exercise Plan (managed by DHS ODP)
  - National Cyber Security Exercise as part of NEP
    - Several regional cyber security tabletop exercises
- Others
  - U.S. NORTHCOM Unified Defense 05 / TOPOFF 3
  - CWID 2005 (originally known as JWID)
DHS S&T Commercial Outreach Strategy
- Assist commercial companies in providing cyber security technology to DHS and other government agencies
- Assist DHS S&T-funded researchers in transferring cyber security technology to larger, established security technology companies
- Partner with the venture capital community to transfer technology to existing portfolio companies, or to create new ventures
- We will work with the VCs to:
  - Focus on bringing innovation to the marketplace
  - Accelerate development and deployment
  - Provide orders-of-magnitude leverage of DHS R&D funding
- We will partner with the VCs, not compete with them
  - Work with many VCs and portfolio companies
  - Provide liaison and bridge activities
  - We do not invest for equity
(Diagram: Government, DHS Researchers, Emerging Commercial Companies, Established Commercial Companies)
Domain Name System and Security
- Critical Internet infrastructure component
  - Virtually every Internet application uses the DNS
- DNS database maps:
  - Name to IP address (for example: www.isi.edu = 128.9.176.32)
  - And many other mappings (mail servers, IPv6, reverse…)
- DNS threats identified in early 1990s
- DNSSEC
  - Cryptographic signatures in the DNS
  - Assures integrity of results returned from DNS queries
    - Protects against tampering in caches and during transmission
  - End-system checks the chain of signatures up to the root
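The slide's last point, a validator checking the chain of signatures from the root down, is easier to see in code. The following is an added example written for this page, not code from the presentation or from any DNSSEC implementation. It models three zones (the root, edu., and isi.edu.) whose keys are vouched for by a DS record in the parent, with a trust anchor for the root key configured in the validator; the signature scheme is a toy textbook RSA over SHA-256 built from fixed Mersenne primes, a stand-in for the real DNSSEC algorithms, and the zone contents (other than the www.isi.edu address quoted on the slide) are constructed. It then shows why a cached answer rewritten by an attacker fails validation: the forger has no zone key, so the stored RRSIG no longer matches the record.

```python
"""Simplified DNSSEC chain-of-trust validation (constructed example).
Zones, keys and the signature scheme are stand-ins, not real DNS data."""
import copy
import hashlib

E = 65537

# Toy RSA keys from fixed Mersenne primes: a stand-in for the real DNSSEC
# algorithms (e.g. RSA/SHA-256). Not secure, not how real keys are generated.
def make_key(p: int, q: int) -> dict:
    n = p * q
    return {"n": n, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

def public(key: dict) -> dict:
    return {"n": key["n"], "e": key["e"]}

def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key: dict, data: bytes) -> int:
    return pow(_digest_int(data, key["n"]), key["d"], key["n"])

def verify(pub: dict, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == _digest_int(data, pub["n"])

def canonical(name: str, rtype: str, rdata: list) -> bytes:
    # Canonical form of an RRset: the bytes an RRSIG covers.
    return f"{name}|{rtype}|{'|'.join(sorted(rdata))}".encode()

def key_digest(pub: dict) -> str:
    # A DS record in the parent carries a hash of the child's DNSKEY.
    return hashlib.sha256(f"{pub['n']}:{pub['e']}".encode()).hexdigest()

def add_rrset(zone: dict, name: str, rtype: str, rdata: list) -> None:
    zone["rrsets"][(name, rtype)] = rdata
    zone["rrsigs"][(name, rtype)] = sign(zone["key"], canonical(name, rtype, rdata))

def build_zones() -> tuple:
    """Three zones (. -> edu. -> isi.edu.) with signed records; returns (zones, trust_anchor)."""
    keys = {
        ".": make_key(2**89 - 1, 2**107 - 1),
        "edu.": make_key(2**61 - 1, 2**127 - 1),
        "isi.edu.": make_key(2**19 - 1, 2**31 - 1),  # deliberately small leaf key (toy)
    }
    zones = {z: {"key": k, "pub": public(k), "rrsets": {}, "rrsigs": {}} for z, k in keys.items()}
    for z in zones:
        # Each zone publishes and signs its own DNSKEY RRset.
        add_rrset(zones[z], z, "DNSKEY", [f"{keys[z]['n']}:{E}"])
    # Each parent publishes a signed DS record for its child zone's key.
    add_rrset(zones["."], "edu.", "DS", [key_digest(zones["edu."]["pub"])])
    add_rrset(zones["edu."], "isi.edu.", "DS", [key_digest(zones["isi.edu."]["pub"])])
    # The answer we care about: the address quoted on the slide.
    add_rrset(zones["isi.edu."], "www.isi.edu.", "A", ["128.9.176.32"])
    return zones, key_digest(zones["."]["pub"])  # root key hash = configured trust anchor

def zone_chain(name: str, zones: dict) -> list:
    """Zones on the path from the root to the zone holding `name`."""
    labels = name.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        z = ".".join(labels[i:]) + "."
        if z in zones:
            chain.append(z)
    return chain

def _verified_rrset(zone: dict, name: str, rtype: str):
    rdata = zone["rrsets"].get((name, rtype))
    sig = zone["rrsigs"].get((name, rtype))
    if rdata is None or sig is None or not verify(zone["pub"], canonical(name, rtype, rdata), sig):
        return None
    return rdata

def validate(name: str, rtype: str, zones: dict, trust_anchor: str):
    """Return the RRset's rdata if every link from the trust anchor down verifies, else None."""
    expected = trust_anchor
    chain = zone_chain(name, zones)
    for i, zname in enumerate(chain):
        zone = zones[zname]
        if key_digest(zone["pub"]) != expected:
            return None  # key is not the one the parent DS / anchor vouches for
        if _verified_rrset(zone, zname, "DNSKEY") is None:
            return None  # DNSKEY RRset signature does not verify
        if i + 1 < len(chain):
            ds = _verified_rrset(zone, chain[i + 1], "DS")
            if ds is None:
                return None  # DS for the child missing or its signature bad
            expected = ds[0]
    return _verified_rrset(zones[chain[-1]], name, rtype)

def tampered_cache(zones: dict) -> dict:
    """Simulate cache poisoning: the A record is rewritten without the zone's private key."""
    poisoned = copy.deepcopy(zones)
    poisoned["isi.edu."]["rrsets"][("www.isi.edu.", "A")] = ["203.0.113.7"]  # constructed address
    return poisoned

if __name__ == "__main__":
    zones, anchor = build_zones()
    print("genuine answer:", validate("www.isi.edu.", "A", zones, anchor))
    print("poisoned cache:", validate("www.isi.edu.", "A", tampered_cache(zones), anchor))
```

The validator never trusts a key it has not derived from the anchor: the root key must hash to the configured anchor, each child key must hash to a DS record signed by the parent, and only then is the leaf's own signature over the answer checked. Swapping the anchor for a wrong value, or editing any record along the path, makes `validate` return `None`.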
Activities To Date
- Formation of ad-hoc government and industry "steering committee"
- Two workshops in early and late May
  - 3 May: Amsterdam – as part of the RIPE agenda
  - 23 May: San Francisco – affiliated with NANOG
  - Attendees included: DNS software developers, DNS root operators (U.S. and international), government network operators, and numerous other stakeholders
- Initial R&D Funding – NIST, industry
- Future Activities
  - Pilot deployments of DNSSEC on .us and .gov networks
Secure Protocols for the Routing Infrastructure (SPRI)
- BGP is the routing protocol that connects ISPs and subscriber networks together to form the Internet
- BGP does not forward subscriber traffic, but it determines the paths subscriber traffic follows
- The BGP architecture makes it highly vulnerable to human errors and malicious attacks against
  - Links between routers
  - The routers themselves
  - Management stations that control routers
- Working with industry to develop solutions for our current routing security problems and future technologies
DHS / NSF Cyber Security Testbed
- "Justification and Requirements for a National DDOS Defense Technology Evaluation Facility", July 2002
- Recent investment in research on cyber security technologies by government agencies (NSF, DARPA, armed services) and industry
- We still lack large-scale deployment of security technology sufficient to protect our vital infrastructures
  - One important reason is the lack of an experimental infrastructure and rigorous scientific methodologies for developing and testing next-generation defensive cyber security technology
- The goal is to create, operate, and support a researcher-and-vendor-neutral experimental infrastructure that is open to a wide community of users, and to produce scientifically rigorous testing frameworks and methodologies to support the development and demonstration of next-generation cyber defense technologies
Architectural Plan
- Construct a homogeneous emulation cluster based upon University of Utah's Emulab
- Implement network services – DNS, BGP
- Add containment, security, and usability features to the software
- Add (controlled) hardware heterogeneity
- Connect to other government and industry testbeds (once we have our act together)
DETER Testbed Architecture
[Architecture diagram; image not preserved in this extraction]
DETER Testbed Status
- Developed Draft Policy and Procedures
  - Experiment Definition
  - Experiment Review Board
  - Security Isolation Argument
- Architecture Design Report
- ISI and UCB Nodes Operational
- Held first set of Experiments June 8, 2004
- Workshop held yesterday
  - In conjunction with ACM CCS in Washington, DC
  - Open to entire research community
PREDICT: A Protected REpository for Defense of Infrastructure against Cyber Threats
- PREDICT Program Objective: "To advance the state of the research and commercial development (of network security 'products') we need to produce datasets for information security testing and evaluation of maturing networking technologies."
- Rationale / Background / Historical:
  - Researchers with insufficient access to data are unable to adequately test their research prototypes
  - Government technology decision-makers have no data with which to evaluate competing "products"
- Bottom Line: Improve the quality of defensive cyber security technologies
Activities To Date
- Industry Workshop (Feb. 11-12, 2004)
  - Begin the dialogue between HSARPA and industry as it pertains to the cyber security research agenda
  - Discuss existing data collection activities and how they could be leveraged to accomplish the goals of this program
  - Discuss data sharing issues (e.g., technical, legal, policy, privacy) that limit opportunities today and develop a plan for navigating forward
  - Develop a process by which "data" can be "regularly" collected and shared with the network security research community
Workshop Attendees (Feb. 11-12, 2004)
- Industry: AOL; UUNET; Verio; XO Communications; Akamai; Arbor Networks; Riverhead Networks; System Detection; Cisco; Packet Clearing House; Symantec
- Research, government and other: USC-ISI; UC San Diego; Univ. of Washington; BBN Technologies; CERT/CC; LBNL; Internet2; CAIDA; Merit Networks; Citigroup; Cooley, LLC (Lawyer)
Data Collection Activities
- Classes of data that are interesting, that people want collected, and that seem reasonable to collect:
  - Netflow
  - Packet traces – headers and full packet (context dependent)
  - Critical infrastructure – BGP and DNS data
  - Topology data
  - IDS / firewall logs
  - Performance data
  - Network management data (i.e., SNMP)
  - VoIP (1400 IP-phone network)
  - Blackhole monitor traffic
Trusted Access Repository Process (diagram)
- PREDICT Coordination Center (Government-funded, Externally hosted)
- Data Providers -> Data Listing -> Data Hosting Sites
- Researchers (with Institutional Sponsorship) -> Proposal Review Process -> Accepted Proposals -> MOU / MOA
Sample Datasets that will be available
- University of Michigan
  - Dark address space monitoring, honeypot monitoring, BGP Beacon routing data, and routing protocol sensors; MichNet routing protocol data and Netflow data
- University of Washington
  - Host-based forensic data and honeypot data
- Internet2
  - Performance data, NetFlow data, and routing protocol data from the Abilene network
- University of Wisconsin
  - Wisconsin Advanced Internet Lab – Netflow, iSink logs, IDS logs
- XO Communications
  - Netflow and routing protocol logs
- Packet Clearing House
  - BGP routing dataset and VoIP measurement data
Sample Datasets (continued)
- CAIDA
  - Topology measurement data, Network Telescope data
- Internet Software Consortium (ISC)
  - DNS packet traces from F-root
- Verio
  - Packet traces from OC48 operational network
- Equinix
  - Packet traces from Internet Business Exchange (IBX) point
- Los Nettos – LA regional network provider
  - Full packet headers, NetFlow data, SNMP data, and standard logs
  - DNS root server data; Los Nettos hosts both the B and L root servers
  - Internet topology data based on the SCAN topology-mapping project
- LBNL
  - Anonymized enterprise traffic from internal LBNL networks
PREDICT – Proposed Timeline
- Sep 1 - Oct 30: Working groups complete actions identified at last PI meeting
  - Data Schema WG
  - Application Process WG
    - All MOU/MOAs in development
  - Public Relations WG
- Oct 1 - Nov 15: Conduct internal PREDICT Process Pilot
- Nov 15 - Dec 15: Conduct external PREDICT Process Pilot
- Dec 15 - Jan 15: Modify PREDICT processes based on feedback from PREDICT pilot
- ~Jan 15: PREDICT goes live
  - Working through announcement process
Cyber Economic Assessment Studies
- Examination of current "cyber event" cost evaluation methods
- Business Case Development
  - Understanding of costs and losses
  - Strategies for encouraging cyber security investment
- Cyber Risk Prioritization
Recent SBIRs
- SBIR = Small Business Innovative Research
- CROSS-DOMAIN ATTACK CORRELATION TECHNOLOGIES
  - Objective: Develop a system to efficiently correlate information from multiple intrusion detection systems (IDSes) about "stealthy" sources and targets of attacks in a distributed fashion across multiple environments.
- REAL-TIME MALICIOUS CODE IDENTIFICATION
  - Objective: Develop technologies to detect anomalous network payloads destined for any service or port in a target machine in order to prevent the spread of destructive code through networks and applications. These technologies should focus on detecting "zero day attacks", the first appearance of malicious code for which no known defense has been constructed.
HSARPA Cyber Security Broad Area Announcement (BAA 04-17)
- A critical area of focus for DHS is the development and deployment of technologies to protect the nation's cyber infrastructure, including the Internet and other critical infrastructures that depend on computer systems for their mission. The goals of the Cyber Security Research and Development (CSRD) program are:
  - To perform research and development (R&D) aimed at improving the security of existing deployed technologies and to ensure the security of new emerging systems;
  - To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation's critical information infrastructure;
  - To facilitate the transfer of these technologies into the national infrastructure as a matter of urgency.
- http://www.hsarpabaa.com
BAA Technical Topic Areas (TTAs)
- System Security Engineering
  - Vulnerability Prevention
    - Tools and techniques for better software development
  - Vulnerability Discovery and Remediation
    - Tools and techniques for analyzing software to detect security vulnerabilities
  - Cyber Security Assessment
    - Develop methods and tools for assessing the cyber security of information systems
- Security of Operational Systems
  - Security and Trustworthiness for Critical Infrastructure Protection
    - 1) Automated security vulnerability assessments for critical infrastructure systems
    - 2) Improvements in system robustness of critical infrastructure systems
    - 3) Configuration and security policy management tools
    - 4) Cross-platform and/or cross-network attack correlation and aggregation
BAA TTAs (continued)
- Security of Operational Systems
  - Wireless
    - Security tools/products for today's networks
    - Solutions and standards for next generation networks
- Investigative and Prevention Technologies
  - Network Attack Forensics
    - Tools and techniques for attack traceback
  - Technologies to Defend against Identity Theft
    - R&D of tools and techniques for defending against identity theft and other financial systems attacks, e.g., phishing
BAA Program / Proposal Structure
- NOTE: Deployment Phase = Test, Evaluation, and Pilot deployment in DHS "customer" environments
- Type I (New Technologies)
  - New technologies with an applied research phase, a development phase, and a deployment phase (optional)
    - Funding not to exceed 36 months (including deployment phase)
- Type II (Prototype Technologies)
  - More mature prototype technologies with a development phase and a deployment phase (optional)
    - Funding not to exceed 24 months (including deployment phase)
- Type III (Mature Technologies)
  - Mature technology with a deployment phase only
    - Funding not to exceed 12 months
Tackling Cyber Security Challenges: Business Not as Usual
- Strong mission focus (avoid mission creep)
- Close coordination with other Federal agencies
- Outreach to communities outside of the Federal government
  - Building public-private partnerships (the industry-government *dance* is a new tango)
- Strong emphasis on technology diffusion and technology transfer
- Migration paths to a more secure infrastructure
- Awareness of economic realities
Summary
- DHS S&T is moving forward with an aggressive cyber security research agenda
- Working with industry to solve the cyber security problems of our current infrastructure
  - DNSSEC, Secure Routing
- Working with academe and industry to improve research tools and datasets
  - DHS/NSF Cyber Security Testbed, PREDICT
- Looking at future RDT&E agendas with the most impact for the nation
  - SBIRs, BAA 04-17
Douglas Maughan, Ph.D.
Program Manager, HSARPA
douglas.maughan@dhs.gov
202-254-6145 / 202-360-3170