CONSensUS - A Computational Optimum Network Sensor Utilization System

The goal of Compositional Optimum Network Sensor Utilization System (CONSensUS) is to establish a significantly improved intrusion detection system. Current intrusion detection systems are largely ad hoc: they are created from signatures of known attacks, process reports from single sensors, do not reflect the needs of the mission, and are incapable of responding to attacks. The work will lead to a system that processes reports from multiple sensors that are placed optimally throughout a network to cope with attacks on the system and on the sensors themselves, and that cause minimal performance impact on the mission itself. Correlations and analysis of attack and

The proposed tasks are associated with the formal modeling of attacks, sensors, network topology, and the mission, and the creation of algorithms to process these models to decide on the optimal placement of sensors in a network and to correlate and abstract the reports from distributed sensors to create an assessment of an attacked system as a basis for deciding on human or automatic response. Our tasks are:

- Formal modeling of sensors needed to detect attacks: We will extend Jigsaw to specify sensors used to detect attacks. The specification may be direct, where single (or multiple) sensors are enumerated, or indirect, where properties of sensors associated with an attack are given but no one sensor is identified.
- Formal modeling of missions: The overall purpose of any system is to achieve some mission which an attacker attempts to defeat. We propose to model missions in terms of resources needed over time.
- Representation of network topology: To reason about sensor placement, we will require a language to specify network structure, in particular the location of key components (routers, firewalls, sensors, servers), what operating systems they are running, and what protocols are being used.
- Planning algorithms as the basis for sensor placement: We will develop algorithms to determine the feasible locations for sensors with respect to classes of known and unknown attacks specified in Jigsaw. The algorithm to be developed will determine possible sharing of sensor activity; for example, consider a scenario attack where a given sensor at some location can detect multiple states of the attack.
- Redundant selection of sensors: Once the feasible locations are identified under the assumption that sensors are immune to attacks, it is necessary to determine a revised placement that relaxes the sensor immunity assumption. In this case, sensors can be impacted by attacks, rendering their reports suspect.
- Optimal placement of sensors with respect to mission needs: The above algorithm development does not account for the performance impact of sensors. To account for mission impact, the sensor specifications will be used in conjunction with the mission specifications. From a feasible placement, a placement set will be determined that has the minimal impact on the mission.
- Dynamic deployment of sensors: Once an attack is discovered, it is often necessary to deploy additional
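
The placement tasks above (feasible locations, redundancy once sensors are no longer assumed immune, and minimal mission impact) can be read as a minimum-cost, k-redundant covering problem. The following is an added illustration, not CONSensUS or Jigsaw code: the location names, attack states, mission costs and the exhaustive search are all constructed assumptions.

```python
from itertools import combinations

# Constructed sample model (assumption, not project data):
# candidate location -> (mission cost, attack states a sensor there can observe)
CANDIDATES = {
    "border-router": (3, {"scan", "exploit"}),
    "dmz-firewall":  (2, {"scan", "exfil"}),
    "web-server":    (4, {"exploit", "privesc"}),
    "db-server":     (5, {"privesc", "exfil"}),
    "core-switch":   (1, {"exploit", "exfil"}),
}
ATTACK_STATES = {"scan", "exploit", "privesc", "exfil"}


def is_feasible(placement, candidates, states, redundancy=1):
    """True if every attack state is observed by at least `redundancy` sensors."""
    counts = {s: 0 for s in states}
    for loc in placement:
        for state in candidates[loc][1] & states:
            counts[state] += 1
    return all(n >= redundancy for n in counts.values())


def optimal_placement(candidates, states, redundancy=1):
    """Exhaustive search for the feasible placement with the lowest total
    mission cost. Returns (cost, placement tuple), or None if infeasible.
    Exponential in the number of locations; fine for a small model."""
    best = None
    locs = sorted(candidates)
    for size in range(1, len(locs) + 1):
        for placement in combinations(locs, size):
            if not is_feasible(placement, candidates, states, redundancy):
                continue
            cost = sum(candidates[loc][0] for loc in placement)
            if best is None or cost < best[0]:
                best = (cost, placement)
    return best


def tolerates_single_loss(placement, candidates, states):
    """True if coverage survives any one sensor being compromised or
    silenced, i.e. its reports are discarded as suspect."""
    return all(
        is_feasible([p for p in placement if p != lost], candidates, states)
        for lost in placement
    )


if __name__ == "__main__":
    for k in (1, 2, 3):
        print(k, optimal_placement(CANDIDATES, ATTACK_STATES, redundancy=k))
```

With redundancy 1 the cheapest placement depends on every sensor being trustworthy; redundancy 2 more than doubles the mission cost in this sample but keeps every attack state observable after any single sensor is lost.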