DARPA network monitoring
- By Brian Robinson
- Oct 20, 2008
Network-centric operations offer a wealth of new capabilities for the military, but they also present major problems for network monitoring and security. To tackle that challenge, the Defense Advanced Research Projects Agency awarded a $4.4 million contract to advanced technologies provider BBN Technologies.
The award is for DARPA’s Scalable Networking Monitoring program, which the agency described in a solicitation published in August 2007. The projected size of the Global Information Grid and the anticipated explosion in the size of the Internet that will come with IPv6, the next-generation network protocol, present new challenges to information assurance, the solicitation states.
Current methods of monitoring networks, such as signature-based scanning and anomaly-based heuristic monitoring, struggle to track threats, and the methods don’t scale well, DARPA officials said. New methods will be needed to deal with future networks.
BBN’s approach uses long-term trend analysis to build a picture of the data moving through the network and then applies a correlation engine to infer standard behavior and detect potential threats.
That differs from current approaches, in which developers must tailor algorithms to specific data and the algorithms often produce false alerts that nevertheless need attention, said Tim Strayer, BBN’s principal investigator for the program.
Another problem involves the speed of future networks. Network monitors work by looking at each data packet that flows through the network, but that won’t be possible with the speed at which networks will run in the future.
“As the data rate of the network goes up, the time budget allowed to look at packets and their data becomes compressed,” Strayer said. “Microprocessors [in the monitors] can keep up, but there’s a problem accessing memory because of all the read/writes that are needed.”
New network-monitoring methods will be needed for future networks that run at speeds as fast as 100 gigabits/sec, he said.
The hard part for BBN will be designing algorithms that can scan the data appropriately and then translate those algorithms into a set of sensors that will pull the necessary data off the network, Strayer said. It will also require developing the right models that will go into the correlation engine so it can interpret the data correctly.
In addition to the generic problems associated with these large, high-speed networks, highly distributed military networks come with their own baggage, such as traffic that doesn’t necessarily come and go via the same links.
“This kind of asymmetric routing defeats firewalls rather handily, and [monitors] are only seeing half of the data flow,” Strayer said. “So our algorithms will be paying attention to this, so they can pull enough data out to know if certain events are happening.”
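To make those two points concrete, the following is an added example written for this article; it is not BBN's code and is not part of the DARPA program. It reconstructs flows from packets observed at two tap points so that a reply that returns over a different link is still matched to its request (a single-link monitor sees only a half-flow), and it checks a host's current traffic volume against a baseline built from that host's own history. The packet records, vantage names, history values and the 3-sigma threshold are all constructed for illustration.

```python
"""Flow reconstruction under asymmetric routing, plus a per-host baseline check.

Added example; not BBN's code. All packet records, vantage names,
history values and thresholds below are constructed for illustration.
"""
from statistics import mean, pstdev

# Constructed packet observations: (vantage, src, dst, sport, dport, bytes, tcp_flags).
# Session 1: 10.0.0.5 -> 192.0.2.10:443. Outbound packets cross link_a,
# the replies come back over link_b (asymmetric routing).
# Session 2: 10.0.0.7 -> 198.51.100.4:22, whose replies take a link we never tap.
PACKETS = [
    ("link_a", "10.0.0.5", "192.0.2.10", 51000, 443, 60, "S"),
    ("link_b", "192.0.2.10", "10.0.0.5", 443, 51000, 60, "SA"),
    ("link_a", "10.0.0.5", "192.0.2.10", 51000, 443, 52, "A"),
    ("link_a", "10.0.0.5", "192.0.2.10", 51000, 443, 1500, "PA"),
    ("link_b", "192.0.2.10", "10.0.0.5", 443, 51000, 1500, "PA"),
    ("link_b", "192.0.2.10", "10.0.0.5", 443, 51000, 1500, "PA"),
    ("link_a", "10.0.0.7", "198.51.100.4", 40000, 22, 60, "S"),
    ("link_a", "10.0.0.7", "198.51.100.4", 40000, 22, 800, "PA"),
]


def flow_key(src, dst, sport, dport):
    """Direction-independent key so both halves of a session land in one record."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def aggregate(packets, vantages):
    """Fold packets seen at the given set of vantages into per-flow records."""
    flows = {}
    for vantage, src, dst, sport, dport, nbytes, flags in packets:
        if vantage not in vantages:
            continue
        key = flow_key(src, dst, sport, dport)
        rec = flows.setdefault(
            key, {"a_to_b": 0, "b_to_a": 0, "vantages": set(), "syn": False, "synack": False}
        )
        # key[0] is the lexically-lower endpoint; count bytes per direction.
        if (src, sport) == key[0]:
            rec["a_to_b"] += nbytes
        else:
            rec["b_to_a"] += nbytes
        rec["vantages"].add(vantage)
        rec["syn"] = rec["syn"] or flags == "S"
        rec["synack"] = rec["synack"] or flags == "SA"
    return flows


def classify(rec):
    """A flow with bytes in only one direction is a half-flow: the monitor
    never saw the other side, so stateful checks (handshake completion,
    request/response pairing) cannot be trusted for it."""
    if rec["a_to_b"] and rec["b_to_a"]:
        return "bidirectional"
    return "half-flow"


def summarize(packets, vantages):
    """Map each flow key to its classification for the chosen tap points."""
    return {key: classify(rec) for key, rec in aggregate(packets, vantages).items()}


def bytes_from(packets, host, vantages):
    """Total bytes sent by `host` as observed at the given vantages."""
    return sum(n for v, src, _, _, _, n, _ in packets if v in vantages and src == host)


# Constructed long-term history: bytes sent by 10.0.0.5 in each of the
# previous eight comparable intervals. A real deployment would keep this
# per host, per time-of-day, over weeks rather than eight samples.
HISTORY = {"10.0.0.5": [1200, 1350, 1100, 1280, 1400, 1190, 1330, 1250]}


def baseline_alert(host, current_bytes, history, k=3.0):
    """Flag a host whose current volume exceeds mean + k * stddev of its own history."""
    hist = history[host]
    return current_bytes > mean(hist) + k * pstdev(hist)


if __name__ == "__main__":
    # Tapping only link_a: both sessions look like half-flows.
    print("link_a only :", summarize(PACKETS, {"link_a"}))
    # Merging link_a and link_b recovers session 1; session 2 stays a half-flow.
    print("both links  :", summarize(PACKETS, {"link_a", "link_b"}))
    sent = bytes_from(PACKETS, "10.0.0.5", {"link_a", "link_b"})
    print("10.0.0.5 sent", sent, "bytes; alert =", baseline_alert("10.0.0.5", sent, HISTORY))
```

The half-flow label is the useful output here: rather than silently treating a one-directional record as a completed session, the monitor knows that its view is partial and can either fetch the missing direction from another tap or downgrade the confidence of any alert built on that flow.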
BBN’s solution is designed to first act on the gateway between the Unclassified but Sensitive IP Router Network (NIPRNet) and the rest of the world, and the hardware it will run on will not be field-deployable. But there’s nothing to prevent it from being developed for those kinds of systems in the future, he said.
The first 18-month phase of the program, which will develop solutions that will run on networks operating as fast as 1 gigabit/sec, will go to final testing about December 2009. The start date for a second 18-month phase, which will develop algorithms that will cater to 100 gigabits/sec speeds, is undecided, Strayer said.