C3E Idea Detail - Unpredictability


Submitted by Luanne Burns

Title: Unpredictability

 

Problem:

Infiltrators in information systems often attempt to mask their malicious activities within legitimate network activity to avoid detection, allowing them to monitor, exfiltrate or compromise information. So long as host network activities and routines are observable, regular and predictable, adversaries will be able to easily blend into their environment and avoid detection.

Proposal:

The government should research methods that can be used on networks to help expose adversaries and agents who are hiding within legitimate network activity by varying that activity in ways that will make the adversary stand out. For example, if all legitimate services on a network could be programmed to not transmit during a specific but changing time slot of each day, any service that did transmit during that time would be suspect. 

 

Such a research program could have the following elements:
 
Unpredictability 1 – Changing Machine Roles to Detect Behavioral Invariance - Develop and employ processes on computer networks to periodically vary the role of each physical machine within the organization and, as a result, detect behavioral invariance on the machine. Such invariance will indicate work done by the machine regardless of legitimate roles, which will likely indicate the presence of an insider proxy or Trojan.
 
Unpredictability 2 – Activity Randomization - Develop systems that randomize key network behaviors (e.g., cron jobs) to make it more difficult for adversaries to understand and hide within those activities. As a further refinement to this idea, develop methods to enable coordinated pauses in activity for legitimate machines and processes; any machines or processes that continue to operate during these planned blackout periods would be considered suspicious.
 

Strengths:

· Work has already been done that demonstrates that randomization of processes within a host is an effective defense mechanism – this research could serve as a good foundation for extending the idea to the network level.
· Even if the strategy does not eliminate the threat, it would delay it – the strategy might be optimized to make the delay long enough to render the attacker ineffective.

Weaknesses:

· Implementation may add significant burden to system and network administration.
· This would be an overt defense mechanism; once the adversary recognizes the unpredictability, he would understand the strategy.
· Unless these ideas are implemented with true randomization, attackers may be able to figure out the algorithm or mimic the expected legitimate behavior.
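
An added illustration of the changing blackout slot from the proposal and of the predictability weakness listed above; it is not part of the original submission. It assumes legitimate hosts share a secret key and derive each UTC day's quiet slot with HMAC-SHA256 (a keyed pseudorandom function, not true randomness), and that flow records are (timestamp, source, destination) tuples; the function names, the 5-minute slot length and the sample addresses are constructed.

```python
import hashlib
import hmac
from datetime import date, datetime, timedelta, timezone

SLOT_MINUTES = 5                          # assumed blackout length
SLOTS_PER_DAY = 24 * 60 // SLOT_MINUTES   # 288 candidate slots per UTC day


def blackout_window(key: bytes, day: date):
    """Return (start, end) in UTC of the blackout slot for `day`."""
    digest = hmac.new(key, day.isoformat().encode(), hashlib.sha256).digest()
    # 64 bits of PRF output reduced mod 288; the modulo bias is negligible.
    slot = int.from_bytes(digest[:8], "big") % SLOTS_PER_DAY
    midnight = datetime(day.year, day.month, day.day, tzinfo=timezone.utc)
    start = midnight + timedelta(minutes=slot * SLOT_MINUTES)
    return start, start + timedelta(minutes=SLOT_MINUTES)


def suspects(key: bytes, flows):
    """Return the flow records whose timestamp falls inside a blackout slot.

    `flows` is an iterable of (ISO-8601 timestamp with offset, src, dst).
    """
    flagged = []
    for ts, src, dst in flows:
        t = datetime.fromisoformat(ts).astimezone(timezone.utc)
        start, end = blackout_window(key, t.date())
        if start <= t < end:
            flagged.append((ts, src, dst))
    return flagged


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed; use a managed secret
    start, end = blackout_window(key, date(2009, 9, 16))
    # Constructed flow records: one inside the slot, one 20 minutes after it.
    flows = [
        ((start + timedelta(seconds=90)).isoformat(), "10.0.0.5", "198.51.100.7"),
        ((end + timedelta(minutes=20)).isoformat(), "10.0.0.6", "198.51.100.7"),
    ]
    print("blackout:", start.isoformat(), "to", end.isoformat())
    for record in suspects(key, flows):
        print("suspect:", record)
```

Because the slot is a function of the key and the date only, every host holding the key pauses in the same window without coordination traffic, while an observer without the key cannot compute the next day's slot from earlier ones.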

References:

National Cyber Leap Year Summit 2009 Participants’ Ideas Report, NITRD Program Office, September 16, 2009, pp 26-39, 32-33, 41-42
 
Antonatos, S., Akritidis, P., Markatos, E., & Anagnostakis, K. (2007). Defending Against Hitlist Worms Using Network Address Space Randomization. Computer Networks: The International Journal of Computer and Telecommunications Networking. Volume 51, Issue 12, 3471-3490.
 
Salem, M., Hershkop, S., & Stolfo, S. (2008). A Survey of Insider Attack Detection Research. Insider Attack and Cyber Security, Springer US, 69-90.
 
Xu, J., Kalbarczyk, Z., & Iyer, R. (2003). Transparent Runtime Randomization for Security. Proceedings of the IEEE Symposium on Reliable Distributed Systems, 260-269.