Project Title: Information Warfare Attack Assessment System (IWAAS)

Sponsor: Defence Evaluation & Research Agency (DERA)

Partners: Anite Government Systems Ltd

Duration: 1997 – 2000

Staff: Dr Andrew Rathmell, Principal Investigator; Dr Richard Overill, Principal Investigator; Lorenzo Valeri, Researcher.


Paper: Dr Andrew Rathmell, Dr Richard Overill, and Lorenzo Valeri, Information Warfare Attack Assessment System (IWAAS). Paper presented at Information Warfare Seminar, 21-23 October 1997, London.

Abstract
IWAAS is a concept that aims to provide threat assessment and Indicators & Warnings of an IW attack. It is the conceptual architecture of an open source decision support system with three purposes:

i) to evaluate the Information Warfare (IW) threat posed by a variety of actors
ii) to provide Indicators and Warnings (I&W) of an IW attack
iii) to predict enemy Courses of Action (COA)

This paper provides an overview of the issues involved in conceptualising and designing this system.  The paper outlines the aim of adapting a country risk analysis approach to quantifying the capabilities and intentions of potential IW threats.

Presentation: Information Warfare Attack Assessment System (PowerPoint97)


As the 1998 UK Strategic Defence Review noted, the Ministry of Defence is committed to “improve our ability to … provide an immediate warning of attack [on our] defence information networks.” However, the key problem in Information Assurance (Defensive Information Operations) is the collapse of warning time. Networked organisations no longer enjoy the warning time that they have had in the past against military attack. IW attacks, especially cyber-attacks, remove this warning time and therefore pose a challenge to existing approaches to Early Warning and Attack Assessment as well as to traditional Information Security approaches.

Information Warfare Attack Assessment System (IWAAS) is a conceptual architecture and research framework for addressing this problem.  The IWAAS research programme aims to develop systematic methodologies for addressing the problem of providing Early Warning and Attack Assessment of offensive IW.

The IWAAS conceptual architecture and research programme was first proposed in 1997. In response to the immediate demands of the Ministry of Defence for enhanced IA, since 1997 ICSA has worked with DERA and Anite Government Systems Ltd in a programme that has concentrated on the development of the Intrusion Detection component of IWAAS. The aim is to develop a system able to reliably detect logical intrusions into a computer network.

Phase I

Phase I of IWAAS, completed in September 1998, focused on Intrusion Detection Systems (IDS). Phase I included i) a research review of the state of the art in the IDS research community and marketplace and ii) a proof of concept demonstrator applying behavioural analysis to intrusion detection. Phase I concentrated on exploiting intelligent, self-learning technologies pioneered in the retail finance sector for detection of patterns of misuse. In Phase I, the project concentrated on applying neural network technologies to detection of known intrusion signatures on Unix hosts.

Phase II

Phase II, completed in 1999, built on the lessons of Phase I. Phase II included i) ongoing research review and development tracking; ii) elaboration of a full intrusion detection system architecture; iii) creation of a data generation and simulation environment; iv) enhancement of the behaviour analysis prototype. In Phase II, the project continued to focus on Unix host-based misuse detection but sought to develop a complete system architecture in the context of the Common Intrusion Detection Framework. In addition, the project explored a variety of analysis tools at the network level and developed hybrid approaches that combine misuse and anomaly detection.

Phase III

Phase III, begun in September 1999, is transitioning this research into an operational prototype that meets the needs of a changing customer base. Phase III includes i) ongoing research review and development tracking; ii) implementation of an operational, platform-independent intrusion detection system architecture; iii) implementation of self-learning analysis engines with functionality across NT and Unix networks as well as on hosts; iv) testing and validation of the prototype system on experimental and operational networks.

Exploitation

IWAAS is a joint research project between DERA, King’s College London and Anite Government Systems Ltd.  Technology transfer and the application of new approaches in an interdisciplinary framework are at the heart of the project.

The medium-term aim of this project is to produce an operational Intrusion Detection System based around machine learning techniques that will be commercially exploitable and deployable in widely networked infrastructures across the MoD, UK government and UK national infrastructures.



Last modified Friday, 04-Aug-2000 17:39:52 BST by ICSA