A Comprehensive Security Model Taxonomy as a Framework for Information Assurance:

The Corporate Vital Defense Strategy (CVDS)

 

 

 

Dissertation Idea Paper

 

 

Submitted in Partial Fulfillment

of the Requirements for the Degree of

Doctor of Professional Studies in Computing

 

at

 

Pace University

School of Computer Science & Information Systems

 

 

 

by

 

Stephen Parshley

 

 

March 23, 2001

ABSTRACT

 

UPDATED INFORMATION AS OF Friday, March 23, 2001

 

IDENTIFICATION AND SIGNIFICANCE OF THE PROBLEM

 

INTRODUCTION

 

Focus of the Study

 

Viability of the Study

 

Relevance of the Study

 

Limitations of the Study

 

PROPOSED RESEARCH

 

ANTICIPATED BENEFITS

 

ONGOING ACTIVITIES

 

REFERENCES

ABSTRACT

 

Organizations often develop Information Security planning, policies, and procedures ineffectively.  Information security plans frequently lack comprehensive analysis.  As a result, effective security implementation is reactive, a belated response to the consequences of inadequate information security.  Though there is much literature on information security, it is often difficult to know where to begin with attempts to plan, implement, or improve information security.  Many models have limited utility for large organizations because they are either too proprietary (dependent on an organization's structure, activity, or technology) or too generic (lacking the specificity needed to produce actual security plans, policies, and procedures).

 

The objective of this study is to provide a security model that is both comprehensive and independent of specific information technologies.  In this study, I present, test, and refine a model that offers the potential to provide utility that other models do not.  The model is the Corporate Vital Defense Strategy: A Framework for Information Assurance[1] (CVDS).  This security taxonomy model is conceptually comprehensive, not linked to any specific technology, but specific enough to be useful.  The model, as originally presented, is not fully developed.  I hypothesize that the model, once refined properly, will be conceptually and pragmatically valuable for planning information security policies, analyzing current security policies, and analyzing data sets to determine evidence of security breaches and vulnerabilities. 

 

In this research effort, I intend to accomplish three objectives:  1) Present the information security model, refining the model conceptually and improving the precision of its terminology.   2) Validate the model conceptually to demonstrate that it yields comprehensive information security strategies.  3) Demonstrate the pragmatic value of the model by applying it to a data set and analyzing results. 

 

The stringent information security demands of the military are an excellent environment to test information security models.  Therefore, I will test the model with a data set from DARPA.  Finally, I will make recommendations on the utility of the model for information security managers and suggest directions for further research on the model.

UPDATED INFORMATION AS OF Friday, March 23, 2001

 

During the past two months, I have modified my initial idea, though the central effort remains the same.  My objective is to develop an information assurance planning model.  My vehicle to accomplish that objective is a taxonomy that borrows from three well-known but heretofore unlinked conceptual resources:  1) Systems Analysis theory provides categorization of entities in an information system.  2) Fred Cohen, a leading figure in information assurance research, offers three categories of information disruption: loss, corruption, and denial of service.  3) The use of attack models in security planning and testing is widely accepted.  I propose to combine these three categorization concepts (entities, attack models, and information disruption) in a taxonomy that provides a finite set of conditions to investigate as part of basic information assurance planning.

 

I plan to demonstrate the utility of my taxonomy in three distinct steps.  First, I will perform a conceptual validation of the taxonomy by showing how the combined categories properly capture all possible security considerations.  Specifically, I show how the taxonomy satisfies both U.S. defense (Information Assurance Technical Framework – IATF), and international (ISO – Common Criteria) planning criteria.  Second, I show, on a very limited scale, how to apply the taxonomy from concept to action by preparing a known data set for appropriate data mining and comparing results with other security models.  I have already obtained a DARPA data set and conducted a preliminary data examination with representatives in the Information and Technology Operations Center at USMA.  Third, I will offer conclusions and directions for future research so that the benefits of the model can be affirmed or the model can be modified to achieve desired benefits. 
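As an added illustration of the kind of check the taxonomy is meant to support (example code written for this edit, not part of the paper and not the CVDS author's code): the grid is the product of the three axes, and both an existing policy and an observed scenario can be scored against it to expose conditions the policy does not address. The disruption axis is Cohen's three categories as named above; the entity and attack-model axes, the mapping of the LLS_DDOS_1.0 steps onto grid cells, and the sample policy are constructed assumptions.

```python
"""Coverage check over a CVDS-style taxonomy grid (added example, not the paper's code)."""
from itertools import product

# Cohen's three categories of information disruption, as named in the paper.
DISRUPTIONS = ("loss", "corruption", "denial of service")
# The entity and attack-model axes are assumptions for this example;
# the idea paper does not enumerate them.
ENTITIES = ("data", "process", "host", "network")
ATTACK_MODELS = ("probe", "break-in", "implant", "launch")


def taxonomy():
    """The finite set of (entity, attack model, disruption) conditions."""
    return set(product(ENTITIES, ATTACK_MODELS, DISRUPTIONS))


def invalid_cells(cells):
    """Cells that use a term outside the taxonomy vocabulary (e.g. a typo)."""
    return sorted(set(cells) - taxonomy())


def uncovered(policy_cells, observed_cells):
    """Observed conditions that the policy does not address."""
    return sorted(set(observed_cells) - set(policy_cells))


def blind_spots(policy_cells):
    """Taxonomy conditions the policy never mentions at all."""
    return sorted(taxonomy() - set(policy_cells))


# Constructed mapping of the LLS_DDOS_1.0 actions described on the page
# (probe, break-in via sadmind, implant mstream, launch DDoS) onto cells.
SCENARIO = {
    "probe":            ("network", "probe", "loss"),
    "sadmind break-in": ("host", "break-in", "corruption"),
    "mstream implant":  ("process", "implant", "corruption"),
    "DDoS launch":      ("network", "launch", "denial of service"),
}

# A constructed "existing policy" expressed in the same vocabulary.  The
# misspelt disruption term in the last entry is caught by invalid_cells().
POLICY = [
    ("network", "probe", "loss"),
    ("host", "break-in", "corruption"),
    ("network", "launch", "denial of service"),
    ("data", "break-in", "corruption"),
    ("host", "launch", "denial of servce"),
]

if __name__ == "__main__":
    print("invalid policy terms:", invalid_cells(POLICY))
    print("scenario steps not covered:", uncovered(POLICY, SCENARIO.values()))
    print("policy blind spots:", len(blind_spots(POLICY)), "of", len(taxonomy()))
```

The implant step of the scenario is the one condition the sample policy never names, which is the "incompleteness of existing security policies" the model is meant to reveal.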

 

As presently conceived, this work is valuable to the IT community because of the paucity of information assurance planning models, and the reliance most such models have on specific technologies or organizations.  My model transcends these limitations, providing information assurance planning guidance that is not dependent upon technology or organization, but instead dependent upon known information assurance security principles.  Regardless of the success of my model, the research is unique and will contribute to information assurance research, study, and application.    

 

 

 

IDENTIFICATION AND SIGNIFICANCE OF THE PROBLEM 

 

Though the study of information security has a significant body of literature, there are few comprehensible and usable information security models for large organizations.  The problem is that comprehensive models are often too generic to be applicable, and specific models are often too specific to be applicable to different organizations and technologies.  The result is a paucity of “off-the-shelf” solutions for large organizations seeking to plan, implement, or review information security strategies.   Furthermore, the role of information security is gaining prominence in both the corporate and national defense arenas.  Increasingly, national defense will be inextricably linked to the ability to dominate information warfare.  Since information is ubiquitous, there is great potential utility to a security model taxonomy that can capture the strategic needs of both corporate and defense environments.  The model I am researching offers the potential to provide solutions for both of these environments by offering conceptually comprehensive planning guidance and specific recommendations based upon current technologies used in each environment.   

 

INTRODUCTION

 

Focus of the Study

 

Briefly, I am working from a kernel idea.  My research is both conceptual and pragmatic.  I evaluate the conceptual and pragmatic validity of the security taxonomy model, CVDS.  As a result, I will determine the utility of the CVDS model relative to alternative security models.  The aim of my study is to contribute to information security research significantly enough to merit dissertation credit.

 

I intend to examine the CVDS model conceptually and pragmatically in the following ways:

 

1.  Thoroughly analyze, and where necessary, precisely define key terms and concepts.

2.  Demonstrate the conceptual comprehensiveness of the model (as revised with my terms and definitions).

3.  Specify a methodology to apply the model to a pre-existing data set.  I plan to use a labeled data set from DARPA.  The data set identifies entities, data sources, and data types, thereby allowing comparative analysis of different security models.

4.  List criteria (perhaps hypothesizing) to assess efficacy of the model.

5.  Evaluate a data set.

6.  Analyze resulting data to compare the model to known information security standards.

 

I have already met with the author of the security model and obtained approval for use of his model.  I have coordinated with personnel at USMA to obtain access to the DARPA data set.  I am gathering information on possible funding sources from DoD.  I am gathering information on specific data mining techniques (I intend to use Clementine software). 

 

Viability of the Study

 

This idea seems viable for a variety of reasons:

 

1.  I am building on published work.

2.  I have familiarity with DoD and security policies.

3.  I have some familiarity with databases.

4.  The project has clear value to both academic and military communities.

5.  The project has definitive objectives, achievable by the summer of 2002. 

 

Relevance of the Study

 

The security taxonomy model has promise, but as proposed, it is too unrefined to realize its potential.  My hope is that by researching the foundations of this model, I can gird up its conceptual foundations.  Once that work is complete, I want to refine the terminology and definitions in the model.  Precise, rigorous terms will make the model more understandable and applicable to real data sets.  As it stands, the model is too loosely defined.  With appropriate modifications, the model might:

 

1.  Offer a comprehensive taxonomy for both generic information security planning and specific information security analysis.

 

2.  Be applicable to any kind of information technology.

 

3.  Be applicable to specific data sets.

 

4.  Inform users of the scope and content of a satisfactory security policy by demonstrating the incompleteness or inaccuracy of existing security policies.  (That is to say, if properly applied, this comprehensive security model will miss nothing -- and that means security policies can either be validated or corrected relative to this gold standard for information security).  NOTE:  I do not assert that no other comprehensive security analysis models exist.  I only assert that this model might be of substantial value as an alternate means of investigating the efficacy of security policies and procedures.  Further, the model might allow data analysis from a perspective that gleans more useful security information from a data set than analyses done with different models.  Since the model has its foundations in well-established work in the information security field, research into this model could well prove a substantive contribution to the field. 

 

5.  Serve as a paradigm for future security model research both conceptually (to prepare security policies) and pragmatically (to implement security policies with effective, rational, and comprehensive deterrence strategies).

 

Limitations of the Study

 

The limits of the research will derive from the model itself and the data set I am analyzing.  The research on the model is complete when I have presented, refined, and validated it.  The research on the data set is complete when I have provided assessment criteria, applied the model, obtained results, analyzed those results, and offered conclusions.  Comparative analysis of the CVDS model is limited to at most two current security models tested on the same data set.  Deliverable products from the research include:

How much of the above list I can accomplish in a dissertation will have to be resolved as I do further research, but I am confident that I can refine, test, and validate the model.

 

PROPOSED RESEARCH & METHODOLOGY

 

1.  Develop a list of appropriate references on security models, terminology, and data analysis techniques.

2.  Translate the generic language of the security model into meaningful actions to allow the model to be applied to a data set.

3.  Normalize the data set.

4.  Determine appropriate analytical techniques for examining the data.

5.  Conduct data analysis.

6.  Interpret results.

7.  Offer conclusions.

8.  Suggest further research directions individuals might take to build upon the major conclusions of my research.

 

ANTICIPATED BENEFITS

 

I would hope that the major conclusions might include:

ONGOING ACTIVITIES

 

I am researching the Information Assurance Technical Framework (IATF) to ground myself in the currently accepted information security terminology and concepts.  I am also investigating the attack models to determine appropriate refinements to the CVDS model.  I am also gathering information on data mining in preparation for applying the model to the DARPA data set.

 

DOD implications: if the model performs as expected, I anticipate that it will both represent a significant contribution to the field of information security and directly advance Department of Defense efforts to develop effective information security plans, policies, and procedures regardless of the technologies involved.  I have already coordinated with the United States Military Academy personnel who work in the information warfare technology laboratory.  They have offered me technical assistance in applying the CVDS model to the DARPA data set.

REFERENCES

 

Adriaans, Pieter, and Dolf Zantinge, Data Mining, Addison-Wesley, October 1996.

 

Cohen, F. B., Protection and Security on the Information Superhighway, John Wiley and Sons, 1995.

 

Connolly, J. L., and B. S. Abramowitz, The Trust Technology Assessment Program and the Benefits to U.S. Evaluations, Proceedings of the 11th Annual Computer Security Applications Conference, pp. 157-161, New Orleans, LA, December 1995.

 

NSA, Solution Development and Deployment, and Technical Directors, Information Assurance Technical Framework, Release 2.2.2, 1999.

 

Whitten, J. L., L. D. Bentley, and V. M. Barlow, Systems Analysis and Design Methods, Irwin, 1996.

DARPA data sets information:

Off-line intrusion detection datasets produced as per consensus from the Wisconsin Re-Think meeting and the July 2000 Hawaii PI meeting.

LLS_DDOS_1.0 -- Dataset One

This is the first attack scenario example data set to be created for DARPA as a part of this effort. It includes a distributed denial of service attack run by a novice attacker. Future versions of this and other example scenarios will contain more stealthy attack versions.

This attack scenario is carried out over multiple network and audit sessions. These sessions have been grouped into 5 attack phases, over the course of which the attacker probes, breaks in via the sadmind vulnerability, installs trojan mstream DDoS software, and finally launches a DDoS attack at an off-site server.

    ADVERSARY: Novice
    ADVERSARY_GOAL: Install components for, and carry out, a DDOS attack
    DEFENDER: Naive

LLS_DDOS_2.0.2 -- Dataset Two

This is the second attack scenario example data set to be created for DARPA as a part of this effort. It includes a distributed denial of service attack run by an attacker who is a bit more stealthy than that of Dataset One. The attacker is still considered Novice, as the attack is mostly scripted in a fashion that, despite being a bit more stealthy, is still something that any attacker might be able to download and run.

This attack scenario is carried out over multiple network and audit sessions. These sessions have been grouped into 5 attack phases, over the course of which the attacker probes, breaks in via the sadmind vulnerability, installs trojan mstream DDoS software, and finally launches a DDoS attack at an off-site server.

    ADVERSARY: Novice
    ADVERSARY_GOAL: Install components for, and carry out, a DDOS attack
    DEFENDER: Naive

More datasets are forthcoming and will contain examples of more sophisticated adversaries and exploits. The goal for the remainder of 2000 is to produce a total of 4 to 6 datasets depending on content and labeling requirements as based on feedback from initial datasets.

One effort being carried out is the analysis of false alarm rates of DARPA, and perhaps other, ID systems when run against real network traffic collected from Hanscom Air Force Base. At this point, data is being collected and we are preparing to run several ID systems on this data. As part of the agreement that allows for such data collection, the data is treated as classified, will not be available for re-distribution, and will be destroyed when it is 90 days old.

In early 2000 some work was done to further analyze the detectability of all attacks run against the WinNT host in the 1999 NT Auditing test data. We have compiled a table of all such attacks and the detection results in 1999 as well as provided a perl script that automatically locates the specific implementations of these attacks used in 1999.

    Table of NT attack instances and detection results in 1999.
    A perl script for locating the 1999 NT attacks in the audit logs.

NT Attack Day

An experiment with a level of NT auditing higher than that which was run in the 1999 Evaluation was run in January of 2000. Here are the collected traces of data from that run of one day's traffic and attack impinging on the NT machine. High-level labeling information for these is available now.

    NT Audit Data
    Outside Tcpdump Data
    Inside Tcpdump Data
    High-Level Attack Truth File (Word Document)

Note: This day contains data from 08:00 to 14:30 hours. The network sniffers collected data until 17:00.

Detailed information about the attacks in this data set will be posted soon.

 

 



[1] Raggad, Bel G., Corporate Vital Defense Strategy: A Framework for Information Assurance.  Published in the NSA/NIST proceedings of the 23rd National Information Systems Security Conference, October 2000.