Analytical Evaluation Framework


Transcription:

Analytical Evaluation Framework
Tim Shimeall, CERT/NetSA Group
Software Engineering Institute, Carnegie Mellon University
August 2011

Report Documentation Page (Standard Form 298, Rev. 8-98)
- Report date: August 2011; dates covered: 00-00-2011 to 00-00-2011
- Title and subtitle: Analytical Evaluation Framework
- Performing organization: Carnegie Mellon University, Software Engineering Institute, Pittsburgh, PA 15213
- Distribution/availability statement: Approved for public release; distribution unlimited
- Supplementary notes: GFIRST 2011: 7th Annual Government Forum for Incident Response and Security Teams (GFIRST) National Conference, 7-12 Aug 2011, Nashville, TN
- Abstract: This presentation provides a framework for evaluating network traffic analysis tools.
- Security classification: report, abstract and this page unclassified; limitation of abstract: Same as Report (SAR)
- Number of pages: 17

Disclaimer
NO WARRANTY. THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
Use of any trademarks in this presentation is not intended in any way to infringe on the rights of the trademark holder. This presentation may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.
This work was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013.

Describing Network Analytical Capabilities
- Develop descriptions that support fair evaluation of current or potential capabilities to address network defense needs and operational cycles
- "How does it fit?", not "Is it good?"
- Input to acquisition, not the decision for them
- Methodical and impartial, not objective
- Supportive of network security, but applicable somewhat beyond just network security
- Harvest analyst expertise
- Consideration of carry-over effects

Phase 1: A Language Model
- Nouns: forms of data handled by the capability (Inputs, Processing, Results)
- Verbs: primitive actions supported by the capability (Data handling, Process, Analytic, Presentational)
- Adverbs: characteristics of the capability (Process, Product)
- Prepositions: scope or limitations of the capability

Assessing Data
- What is the primary data handled by the capability?
- What is the secondary data handled by the capability?
- What is the supportive data handled by the capability?
- What primitive operations are associated with each?
- How well are the operations implemented?
- What is missing?

Example: Sourcefire IDS
- Primary input: packet data. Operations: Collect, Abstract, Parse, Alert, Store, Query, Export
- Secondary input: network map. Operations: Select, Group, Aggregate
- Supportive input: signatures. Operations: Import, Alert, Store, Export

Input/Processing/Output
- Input: what data does the capability consume? Sourcefire consumes network packets.
- Process: what data is used for control or direction of the capability? Sourcefire uses signatures and network configuration information.
- Output: what data is produced by the capability? Sourcefire produces alerts and selective packet capture.

Network Level of Abstraction
- Many capabilities are focused on a particular range of protocols and behaviors
- IP layer: packet-based analysis; does not get into local behavior and only infers application behavior (e.g., SiLK)
- Application layer: message-based analysis; does not deal with transport mechanics (e.g., analysis of email patterns)

Assessing Operations
- What locus of operations forms the core functionality of the capability?
- What are the secondary operations?
- What are the supportive operations?
- How well are those operations implemented?
- How scoped is the intended application?
- Rating scheme: 0-5, plus n/a, not eval, absent

Summarizing Operational Gaps/Maturity
- Functional categories
- Balance functional maturity vs. capability gaps
- All tools have gaps
- Goal is to see how peaks and valleys match
(Chart axes: Gap Severity, Maturity)

Process Adverbs
- Sourcefire IDS: Operational, Qualitative, Tactical, Concise

Product Adverbs
- Sourcefire IDS: Not data-diverse, Immediate, Responsive, Interoperable, Documented, Supported, Trained, Robust, No workflow, No AAA

Prepositions
- Under: conditions (e.g., edge vs. transit)
- At: size / scale (e.g., enclave vs. enterprise, days vs. months)
- Of: scope (e.g., CND vs. network ops)
- Within: coverage (e.g., sparse vs. complete)
- In: time (e.g., interactive vs. batch vs. continuous)

Phase 2: Process Descriptions
- What form of reasoning should the model support?
- Fused-source intelligence?
- C2/OODA?
- Forensic?
- Bayesian hypothesis testing?
- Abductive pattern matching?

Network Analysis Approaches
(Diagram aligning the intelligence cycle: collection, validation, fusion, analysis, dissemination; with the OODA loop: observe, orient, decide, act.)

Analysis Decomposed
- Forensic: Vulnerability, Access, Exploit, Impact, Breadth
- Network Security Analysis: Who, What (means, motive, opportunity, sequence), When, Where, Why, How
- Incident Response: Contain, Control, Diagnose, Correct, Communicate

Next Steps
- Expand initial visual results into fair comparisons: spider diagrams; Input/Process/Output tables; network level tables; operational maturity/gaps
- Define requirements for the evaluation process using the model: Team? Approach? Process? Outcomes? Threats?
- Tie capabilities to process needs: threshold approach (score needs to be X); conditional approach (capability must include Y); descriptive approach (need to support operations Z)
- Reasoning support
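As an added example (not from the deck), the Python below encodes the slide 6 Sourcefire IDS description in the deck's Phase 1 terms (data roles as nouns, primitive operations as verbs, the 0-5 / n/a / not eval / absent rating scheme of slide 9), summarizes maturity and gaps per role as slide 10 suggests, and applies the threshold, conditional and descriptive approaches from the Next Steps slide. The ratings are constructed for illustration; the deck itself rates nothing.

```python
"""Phase 1 description of a capability (data roles = nouns, primitive
operations = verbs, ratings 0-5 or n/a / not eval / absent) and the three
ways of tying it to process needs from the Next Steps slide. Added example."""
from statistics import mean

MARKERS = {"n/a", "not eval", "absent"}  # non-numeric ratings, slide 9

# Slide 6 example: the roles and operations are the deck's, the ratings are
# constructed for illustration (the deck rates nothing).
SOURCEFIRE = {
    "primary":    {"Collect": 5, "Abstract": 4, "Parse": 5, "Alert": 5,
                   "Store": 3, "Query": 2, "Export": 3},
    "secondary":  {"Select": 3, "Group": 2, "Aggregate": "not eval"},
    "supportive": {"Import": 4, "Alert": 4, "Store": 4, "Export": "absent"},
}

def maturity(desc, role):
    """Mean numeric rating for one data role; None if nothing in it is rated."""
    scores = [r for r in desc[role].values() if r not in MARKERS]
    return round(mean(scores), 2) if scores else None

def gaps(desc, floor=3):
    """The 'valleys': operations absent or rated below `floor`, per role."""
    out = {}
    for role, ops in desc.items():
        weak = sorted(op for op, r in ops.items()
                      if r == "absent" or (r not in MARKERS and r < floor))
        if weak:
            out[role] = weak
    return out

def supported(desc):
    """Operations the capability includes in some role (rated or not yet evaluated)."""
    return {op for ops in desc.values() for op, r in ops.items()
            if r not in ("absent", "n/a")}

def threshold(desc, role, minimum):
    """Threshold approach: the role's maturity score needs to be at least `minimum`."""
    m = maturity(desc, role)
    return m is not None and m >= minimum

def conditional(desc, operation):
    """Conditional approach: the capability must include `operation`."""
    return operation in supported(desc)

def descriptive(desc, needed):
    """Descriptive approach: the operations the process needs that are not
    supported; an empty list means the need is met."""
    return sorted(set(needed) - supported(desc))
```

Comparing several tools is a matter of running the same process needs against each tool's description and laying the per-role maturity and gap results side by side, which is the data a spider diagram or gap/maturity table would draw from.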