Protecting the Military Cyberspace – DARPA Gears to Counter Network Worms


One of the most imminent threats to C4 systems, particularly mobile ad-hoc and COTS-based networks, is large-scale attack by computer worms spreading malicious code. Such threats can target specific elements of the network, exploit valuable information and bring net-centric warfare to a halt by overrunning the network capacity with “garbage”, stealing the identity of units and destinations, attacking routers, etc. Network security experts claim that current defenses against such attacks are not sufficient. Future security systems should identify failures at the earliest phase, by distributed sensing and dynamic reconfiguration of the network.

Current Threats

A worm is a piece of self-replicating malicious mobile code that spreads through a network without human interaction. Because they are self-propagating, worms can spread extremely quickly. Typically, worms do not alter or delete files; rather, they reside in memory, eat up system resources, and slow down computers. A Trojan horse is a hidden piece of malicious code added to a seemingly useful and benign program. When this program runs, the hidden code may perform malicious activities such as allowing “back door” access to your computer by hackers or destroying files on your hard disk. Trojans are commonly used to introduce spyware or worms into a system. The main difference between a Trojan and a virus is that Trojans are unable to replicate.

Future Risks of Network Attacks

Unlike current structured, centrally managed and hierarchical networks, Mobile Ad-hoc Networks (MANET) have a dynamic structure. Unbounded by central administrative control, such networks operate without a central authority; the number and identity of the participants and the topology of the network are constantly changing, limiting the effectiveness of contemporary security systems beyond their local boundaries.

Advanced security systems are under development under DARPA’s DCAMANETS program to improve MANET security. Such measures are developed specifically for future ad-hoc systems and comprise distributed detection of node infections and failures, in order to maintain system throughput over the duration of an attack and minimize system shutdown due to attack or system failure. These countermeasures are designed to “capture” threats by establishing quarantine procedures that automatically recover the compromised nodes. Dynamic reconfiguration of the whole network will also be feasible, to secure and isolate mission-essential resources and services from potential attacks.

For example, when worm propagation is detected in a specific unit’s communications, all members of this unit are shut down through an “auto-recovery” process, supervised by a communications control element that eradicates the threat and verifies that all the recovered elements have been disinfected. Meanwhile, the control element distributes the warning and profile of the attack to update the security countermeasures of the remaining (yet uninfected) network units. Such countermeasures are intended to ensure that no more than 10% of the network nodes are infected by a worm attack.

The goal of the program is to sustain available network throughput at 75% of its maximum capacity throughout the attack. The Dynamic Quarantine program will be able to detect a wide spectrum of computer worms and propagating malicious code, including scanning, flash, topological and stealthy worms. Detection should make it possible to identify and respond to threats on the same day they are released, to minimize propagation and damage.
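The quarantine loop described in the last two paragraphs, as an added toy simulation that is not DARPA’s or the program’s code: a deterministic topological worm on a 40-node ring lattice, units of four nodes that are shut down for auto-recovery once their control element notices an infection, and an attack profile that immunizes the still-clean nodes. The topology, unit size and delays are assumed; the two numbers returned correspond to the program’s 10% infected and 75% throughput targets.

```python
from dataclasses import dataclass, field

CLEAN, INFECTED, QUARANTINED, IMMUNE = "clean", "infected", "quarantined", "immune"
@dataclass
class QuarantineSim:
    n: int = 40              # nodes in a ring lattice (constructed stand-in for a MANET)
    reach: int = 2           # each node links to every neighbour within +/- reach hops
    unit_size: int = 4       # nodes per unit, sharing one communications control element
    detect_delay: int = 2    # ticks an infection persists before the control element sees it
    recover_delay: int = 3   # ticks a unit stays offline while it is disinfected
    quarantine: bool = True  # False: no countermeasures, the worm runs unopposed
    state: list = field(init=False)
    since: dict = field(default_factory=dict)  # node -> tick it was infected
    until: dict = field(default_factory=dict)  # node -> tick its quarantine ends

    def __post_init__(self):  # node 0 is the constructed patient zero
        self.state, self.since[0] = [INFECTED] + [CLEAN] * (self.n - 1), 0

    def neighbours(self, i):
        return [(i + d) % self.n for d in range(-self.reach, self.reach + 1) if d]

    def step(self, t):
        # 1. Topological worm: each node infected at the start of the tick attacks every clean neighbour.
        for i in [i for i in range(self.n) if self.state[i] == INFECTED]:
            for j in self.neighbours(i):
                if self.state[j] == CLEAN:
                    self.state[j], self.since[j] = INFECTED, t
        if not self.quarantine:
            return
        # 2. Detection: an infection old enough to be noticed makes the control element shut the
        #    whole unit down for auto-recovery and push the attack profile to all still-clean nodes.
        for i in range(self.n):
            if self.state[i] == INFECTED and t - self.since[i] >= self.detect_delay:
                start = (i // self.unit_size) * self.unit_size
                for j in range(start, start + self.unit_size):
                    self.state[j], self.until[j] = QUARANTINED, t + self.recover_delay
                self.state = [IMMUNE if s == CLEAN else s for s in self.state]
        # 3. Recovery: a disinfected unit comes back online, patched against this worm.
        for j in [j for j, end in self.until.items() if end <= t]:
            self.state[j] = IMMUNE
            del self.until[j]

    def run(self, ticks=12):  # returns share of nodes ever infected and the worst-tick throughput
        low = 1.0
        for t in range(1, ticks + 1):
            self.step(t)
            online = sum(s in (CLEAN, IMMUNE) for s in self.state)  # nodes carrying traffic
            low = min(low, online / self.n)
        return {"ever_infected": len(self.since) / self.n, "min_throughput": low,
                "final_infected": self.state.count(INFECTED) / self.n}
```

With the defaults the run reports 22.5% of nodes ever infected and a worst-tick throughput of 70%; cutting detect_delay to 1 tick gives 12.5% and 80%, while quarantine=False lets the worm reach every node.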

Today, Day-Zero application-level defense, protecting networks from virus, worm and malicious code attacks with behavior blocking technology, is already offered by Finjan Software. This application scans all potentially malicious content arriving from the network to verify that the inspected behavior aligns with the predefined security policy. Any piece of code that violates the security policy is blocked and logged at first strike, preventing Trojans and other such threats from entering the corporate network and connected PCs. In addition, Behavior Blocking technology can proactively block unknown security threats.

Other defenses developed for MANET systems will be able to sense local failures and evolving attacks, and execute countermeasures and automatic recovery in real time. Automatic and dynamic quarantine will be supported by forensic analysis of malicious code, including static and dynamic code analysis.

Protection of Networks and Distributed Applications

DARPA’s Cyber Panel Program represents another approach to network security. This program is developing capabilities to help defend mission-critical information systems by monitoring them for signs of cyber attack, and allowing operators to manage the operation of system security and survivability features to avert or counter developing attack situations. These include passive intrusion detection sensors with the capability to actively probe for additional attack information. Cyber Panel enables intrusion assessment to detect security threats through correlation and analysis of observed and reported activities. Autonomic responses are employed to enable reaction within milliseconds of the detection of any anomaly, blocking suspected services and applications. Monitoring and response components are being developed that allow warfighters to observe the performance, health and threat state of mission-critical information systems, project the likely impact of reported cyber attacks on system operation, assess possible defensive actions, and carry them out.

December 13, 2005: U.S. Air Force to launch Cyber Patrol

The US Air Force is addressing the problem of network security by applying new cyber-attack countermeasures under a new information warfare program awarded to Northrop Grumman Corporation’s Information Technology (NGTI) sector. Under the program, NGTI will develop information “network patrol” applications that provide early warning alerts and enable active response to information-security threats.

The evolving architectural framework will provide information, computer and network security, damage assessment and recovery, security policy enforcement and active response. The system will integrate cyberspace surveillance, cyber indications and warning, high-speed and host-based intrusion detection, correlation of attack indicators, decision support, recovery and cyber forensics technologies. Current and maturing commercial- and government-off-the-shelf applications will be used, including intrusion sensor technology with data-correlation techniques and visualization tools for managing large-scale networks. The system will be available to the U.S. Air Force, coalition partners, intelligence operations and U.S. law-enforcement agencies. The five-year program value will be $24.8 million.