C3E Idea Detail - Diversity


Submitted by Luanne Burns

Title: Diversity

Problem:

In terms of functionality, homogeneous networks are advantageous to the users because of ease-of-use and ease-of-management. Recognizing these advantages, the government has launched initiatives to create a more homogeneous enterprise. A major consequence of this approach is that homogeneity favors the adversary, since compromising one entity translates to widespread compromise. Experience has shown that it is not difficult for the adversary to gain single footholds in our networks; therefore, the risk incurred by the weakest link is incurred by the enterprise as a whole.

Proposal:

The government should research the feasibility and effectiveness of designing and implementing a diverse network. The network should include a heterogeneous set of components and processes to make it more difficult for adversaries to completely compromise the system with a single attack vector. This diversity could be accomplished with virtual or physical machines and could also include diversity of performance (e.g., some systems can be really slow or inject processes to make that part of the system look really important). Because the idea of heterogeneity as a mitigation strategy has already been well-researched, this study should focus on ensuring operational feasibility and discovering optimal diversity approaches.

 

Such a research program could include the following elements:
 
Diversity 1 – Homogeneous versus Heterogeneous Evaluation  – Given the increased management burden of a diverse network, perform a rigorous tradeoff analysis to discover if a mediocre- or poorly-managed heterogeneous network is more secure than a well-managed homogeneous network. 
 
Diversity 2 – Selective Diversification – Perform analysis to determine the most mission-critical components/processes in the network and explore the implications of using diversification for those components/processes, as opposed to enterprise-wide diversification; as part of this analysis, work to discover how much diversification is “enough”.
 
Diversity 3 – Multi-Layer Diversification – Develop diversification techniques that work at all layers of the protocol stack and analyze the effectiveness of individual techniques and combinations of techniques. A discovery of effective diversification techniques that do not require major enterprise changes in terms of hardware or software would be particularly useful.
 
Diversity 4 – Dynamic Diversification – Develop analytics based on the current state of the system to determine and execute the current level of diversification necessary to achieve an acceptable level of risk and develop a way to adapt diversity over time. 

Strengths:

· This approach could improve mission sustainability – if part of the network is compromised, the mission can continue, although perhaps at a degraded state.
· In terms of security, the benefits and limitations of heterogeneity have already been well-researched.
· Homogeneity is a forced state and requires significant policy and oversight, whereas heterogeneity is very natural.

Weaknesses:

· Managing a diverse network would likely create a significant burden for network and system administrators, not only in time and manpower, but also in the requirement for a wide skill-set.
· Management difficulties may have an unintended consequence of making it easier for the adversary to hide in the network.
· The DoD has already invested significant funds to buy and deploy technologies across the enterprise that enable centralized management (i.e., very homogeneous); a move away from this strategy would require a big culture shift and could be perceived as wasteful.
· Forced diversity may require some mission elements to run sub-optimal systems.

References:

National Cyber Leap Year Summit 2009 Participants’ Ideas Report, NITRD Program Office, September 16, 2009, pp 19-20, 26-28, 58-60.
 
Kuzmanovic, A. & Knightly, E. (2003). Low-rate TCP-Targeted Denial of Service Attacks: The Shrew vs. The Mice and Elephants. Proceedings of the 2003 Conference on Applications, Technologies, Architectures, and Protocols For Computer Communications, SIGCOMM '03, 75-86.
 
Liu, Z., Lai, Y., & Ye, N. (2003). Propagation and Immunization of Infection on General Networks with Both Homogeneous and Heterogeneous Components. Physical Review, Volume 67, Issue 3, 031911-1 – 031911-5.
 
Omic, J., Orda, A., & Mieghem, P. (2009). Protecting Against Network Infections: A Game Theoretic Perspective. IEEE INFOCOM 2009.
 
Wang, Y., Wang, X., Xie, B., Wang, D., & Agrawal, D. (2008). Intrusion Detection in Homogeneous and Heterogeneous Wireless Sensor Networks. IEEE Transactions on Mobile Computing, Volume 7, Number 6, 698-711.
 
Zhang, Y., Vin, H., Alvisi, L., Lee, W., & Dao, S. (2001). Heterogeneous Networking: A New Survivability Paradigm. Proceedings of the 2001 Workshop on New Security Paradigms, NSPW '01, 33-39.

 

David Skillicorn: The problem is to come up with meaningful diversity. People were surprised to discover that multitechnique software construction didn't help reduce errors -- the humans involved inserted the same bugs regardless of programming language, environment or whatever. I see the same pitfall -- the systems may look different to human observers, but be vulnerable to cyberattacks in similar ways that are hard for us, as humans, to notice.
