US Army Research Laboratory study on the bandwidth challenges of strengthening battlefield cyber defence (English)

  According to a 15 July 2019 report on the UK site janes.ihs, the US Army Research Laboratory (ARL) is studying the bandwidth limitations of tactical networks in order to gain a cyber security advantage on the future battlefield in several respects. The work was started to solve problems that ARL and its Cyber Security Service Providers (CSSPs) encountered on "sustaining base" networks (networks used for ongoing sustainment and support rather than for combat deployment). ARL has built a prototype that compresses network traffic as far as possible while retaining the ability to detect and investigate malicious activity. The basic concept is that only a limited quantity of data, referred to as "messages" or "packets", is sent to the central servers, so that protection is achieved with much less bandwidth. The research is carried out jointly with Towson University and aims to strengthen the cyber security protection of US Army posts, camps, stations and similar facilities.

ARL research addresses bandwidth challenges for battlefield cyber defence

Jane’s International Defence Review

by Gerrard Cowan, Belfast/15-Jul-2019

The US Army Research Laboratory (ARL) is seeking to address bandwidth restrictions in its tactical networks, work that could have several cybersecurity advantages on the battlefield, the organisation told Jane’s.

The work was initiated to solve problems that ARL and its Cyber Security Service Providers (CSSPs) were facing in ‘sustaining base’ networks (networks for sustainment rather than combat deployment), although ARL “always hoped that our research would benefit the warfighter by allowing traditional network intrusion techniques to be useful on the battlefield”, said Sidney C Smith, a computer scientist at ARL who led the project.

In the commercial world, cybersecurity systems use distributed network intrusion techniques that enable a small number of trained analysts to monitor multiple networks at the same time, according to ARL. However, this requires that data be transmitted from network intrusion detection sensors on the defended network to central analysis servers, which demands too much bandwidth for typical army networks.

A prototype, developed as part of ARL’s new research, compresses network traffic as much as possible while still providing the ability to detect and investigate malicious activity, ARL said. This is based on the concept that such activity tends to manifest itself early on, meaning that only a certain amount of data – known as ‘messages’ or ‘packets’ – needs to be sent to the central servers, thus using less bandwidth.

The work by ARL, partnered with Towson University, hopes to bolster the protection of networks at the army’s many posts, camps, and stations, said Smith. There are two major benefits to the tool, he told Jane’s.

First, while open-source systems can be configured to capture traffic only after an alert has been generated, thus saving bandwidth, any information leading up to the alert is lost. This makes it difficult to determine the flaw in the system that allowed the attack to get through, he said. “Treating an attempted intrusion like a successful intrusion can waste precious resources,” he said. “Treating a successful intrusion like an attempted intrusion can leave one open to further exploitation.”

Second, commercial systems search for intrusions on the basis of certain pre-defined rules. However, there can be tens of thousands of these; if all of them were active, the sensor could be using so many resources processing rules that it could not capture all of the packets. The approach taken by ARL, where the flow of data stops after a certain number of messages have been transmitted, enables these rules “to be pruned to a very small subset of the rules available”, he explained.

It is possible that attackers could pad their sessions in an attempt to avoid detection, adapting to the new tool, Smith said. This means sending enough large packets to cause the system to stop collecting data on the flow. However, this might actually be easier to detect than the malicious activity itself, he said.
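The per-flow cut-off described in the preceding paragraphs, together with the padding evasion just mentioned, as an added example in Python that is not ARL's prototype and not Towson University's code: a sensor-side truncator forwards only the opening packets of each flow to the central analysers (so the bytes leading up to an alert are retained and only signatures that can match in a flow's opening bytes need to run), and a heuristic flags flows that burn through the byte budget with filler. The per-flow caps (8 packets or 4096 bytes), the padding heuristic, the single signature and the three sample flows are all constructed assumptions for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes

    @property
    def flow(self):
        return (self.src, self.dst, self.sport, self.dport, self.proto)

    @property
    def size(self):
        return len(self.payload)  # toy model: headers ignored


@dataclass
class FlowState:
    packets: int = 0       # packets forwarded so far
    bytes: int = 0         # bytes forwarded so far
    cut_reason: str = ""   # "" while forwarding, else "packets" or "bytes"


class FlowTruncator:
    """Forward the first max_packets/max_bytes of each flow, then drop the rest."""

    def __init__(self, max_packets=8, max_bytes=4096):  # assumed caps
        self.max_packets = max_packets
        self.max_bytes = max_bytes
        self.flows = defaultdict(FlowState)
        self.forwarded = []   # packets that would cross the WAN to the analysts
        self.total_bytes = 0  # everything the sensor saw, for comparison

    def process(self, pkt):
        """Return True if pkt is forwarded, False if its flow is already cut."""
        self.total_bytes += pkt.size
        st = self.flows[pkt.flow]
        if st.cut_reason:
            return False
        st.packets += 1
        st.bytes += pkt.size
        self.forwarded.append(pkt)
        if st.bytes >= self.max_bytes:
            st.cut_reason = "bytes"
        elif st.packets >= self.max_packets:
            st.cut_reason = "packets"
        return True

    def forwarded_bytes(self):
        return sum(p.size for p in self.forwarded)

    def forwarded_by_flow(self):
        data = defaultdict(bytes)
        for p in self.forwarded:
            data[p.flow] += p.payload
        return data


# Assumed signature set: only rules that can fire on a flow's opening bytes are
# worth loading, because later bytes never reach the analysts.
RULES = {"lfi_etc_passwd": b"/etc/passwd"}


def match_rules(truncator, rules=RULES):
    hits = {}
    for flow, data in truncator.forwarded_by_flow().items():
        names = [n for n, needle in rules.items() if needle in data]
        if names:
            hits[flow] = names
    return hits


def padding_suspects(truncator, min_packets=4, filler_ratio=0.9):
    """Assumed heuristic: a flow that exhausts the byte budget in very few
    packets, or whose forwarded bytes are dominated by one value, looks like
    an attempt to push the real payload past the cut-off."""
    by_flow = truncator.forwarded_by_flow()
    suspects = {}
    for flow, st in truncator.flows.items():
        if st.cut_reason != "bytes":
            continue
        data = by_flow[flow]
        top = Counter(data).most_common(1)[0][1] / len(data)
        if st.packets < min_packets or top >= filler_ratio:
            suspects[flow] = "cap hit after %d packets, filler ratio %.2f" % (st.packets, top)
    return suspects


# Constructed sample traffic (three flows), not a real capture.
BENIGN = ("10.0.0.5", "10.0.0.80", 51000, 80, "tcp")
ATTACK = ("203.0.113.7", "10.0.0.80", 40001, 80, "tcp")
PADDED = ("203.0.113.9", "10.0.0.80", 40002, 80, "tcp")
REQUEST = b"GET /../../etc/passwd HTTP/1.1\r\n"


def build_sample_traffic():
    pk = lambda flow, payload: Packet(*flow, payload)
    benign = [pk(BENIGN, b"0123456789" * 20) for _ in range(50)]
    attack = [pk(ATTACK, REQUEST)] + [pk(ATTACK, bytes(range(256)) * 4) for _ in range(30)]
    padded = [pk(PADDED, b"\x00" * 1460) for _ in range(3)] + [pk(PADDED, REQUEST)]
    return benign + attack + padded


def run_demo():
    t = FlowTruncator()
    for pkt in build_sample_traffic():
        t.process(pkt)
    return t


if __name__ == "__main__":
    t = run_demo()
    print("sensor saw %d bytes, forwarded %d" % (t.total_bytes, t.forwarded_bytes()))
    print("rule hits:", match_rules(t))
    print("padding suspects:", padding_suspects(t))
```

On the constructed traffic the sensor forwards about a fifth of the bytes it saw; the attack flow's request is still in the forwarded opening bytes and trips the signature, while the padded flow hits the byte cap after three filler packets before its request is sent and so evades the signature but is flagged by the padding heuristic instead.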

While autonomous cyber defence might be the technology of the future, rules and machine-learning algorithms must still be created and trained by humans, Smith added. “Novel attack methods may escape existing detection methods and require human interaction to identify and adjust the automation to account for them in the future.”