Homestead, Utah May 9, 2001 NIWSensor: Network Indications & Warnings Vic Hogsett, NIS-9: PI,...

Homestead, Utah May 9, 2001

NIWSensor: Network Indications & Warnings

Vic Hogsett, NIS-9: [email protected], PI, (505)667.7185

Scott Briles, NIS-3: [email protected], DSP R&D

Dan Neagley, NIS-3: [email protected], FPGA R&D

Keith Lindsay, NIS-9: [email protected], Concept

Parallel work

Maya Gokhale, NIS-3: [email protected]

Ron Minich, CCS-1: [email protected]

Konstantin N Borozdin: [email protected]

Upload: eunice-stephens

Post on 18-Jan-2018



TRANSCRIPT

Page 1: 1 Homestead, Utah May 9, 2001 NIWSensor: Network Indications & Warnings Vic Hogsett, NIS-9: PI, (505)667.7185 Scott Briles, NIS-3:


Page 2:

Cyber-Security Challenge: Bandwidth demands outpace software security solutions

• 50 (maybe 60) Mbit/sec protectable now
• Los Alamos enterprise: 100 Mbit/s
• 50-60 hackers @ the moat @ any given time
• Bandwidth, bandwidth, bandwidth 10 GB-100 GB/sec demands here in a blink

Page 3:

Solution: board level integration of

• Rules based
  • Accept best software solution and convert to specialized processor (NFR, Security CRADA)
• Anomaly detection
  • Los Alamos effort to discover network “character” and measure deviations
• Assisted learning
  • Discover miscreant packet signatures on the fly (Dartmouth & Drexel)

Page 4:

…by dedicating

… an industry, academic, government and National Labs team to build a platform and evolving distributed sensor system able to detect, report, and adapt to threats to a large high-performance computer network and the information that it holds.

Page 5:

NIWSensor’s Goals

• High-speed, real-time network traffic detection, & reporting to analysis centers with single-point administration
• Scaleable, user-configurable network interface/processing unit.
• Software-driven hardware development
• Highly expandable parallel processing
• Non-standard (i.e. hack-resistant) OS

Page 6:

Technical Features

• An array of mission specific sensors built on advancing Los Alamos computational algorithms;
• Performance on a 10 Gb/sec. Class B network backbone and its sub-components;
• Real-time/logged detection, reporting & response;
• Adaptable to evolving needs, such as encryption;
• Extensible;

Page 7:

Walk first

• 1 Gbit/sec rules implementation within a year would devote about 3 people fulltime
• Two ways to go
  • Highly proprietary industry fledgling (0.8 GMbit/s): Boeing
  • Highly addressable government solution (1 Gbit/s): DARPA/SLAAC
• Parallel assisted learning/anomaly detection research underway
• Very soon after to 2.4 Gbit/s

Page 8:

Who Cares? Everybody!!

• DOD, DOE
• Nuclear weapons R&D, production facilities
• Energy mix distribution
• DTRA
• US industry
• DOD forensics

Page 9:

Who’s on board?

• NFR, Security (CRADA: May 21)
• Dartmouth College/DOJ (Funds In for AI)
• DOE (On life support)
• Drexel U. developing AI based management system
• Several other corporations tentative