Drawing on DRIW to Anticipate and Protect
Deception is one technique that can be used if a system such as NEWS allows the analyst to detect an attack pattern. Ron Newland, a systems engineer and program manager for the Data Resiliency in Information Warfare (DRIW) program, conducted by the Northrop Grumman team under contract to the Rome Laboratory, borrows the Star Trek concept of the "holodeck" to describe one deception tactic. Once an intruder has been detected in the reconnaissance phase of the attack, his access path is surreptitiously changed so that he enters a parallel system that emulates the real system but contains false data. The defender now becomes the attacker, using the "holodeck" to gather data on the intruder while feeding him false information. Other potential responses, notes Zavidniak, include a covert move to another communications vehicle or the activation of commercial off-the-shelf (COTS) virus-detection software. Newland points out that a system can be designed to become gradually more restrictive in its operations, with different "DataCon" levels analogous to the Pentagon's DefCon system, and can escalate or de-escalate at very short notice.
The most important function of a system such as NEWS, however, may be to allow the system administrator to prepare for an attack. According to McCallam, this is the goal of DRIW. "We said, let's take the tack that someone is going to get in and do damage, but find a way to repair the system in real time." One foundation of this system is the concept of a minimal essential data set: the data that is both most important to the operation and cannot be reconstituted easily if the system is compromised. "If I have an airspace management system that is tracking 200 targets, and 195 of them are my systems and five of them are bad guys, then I isolate and protect the information on those five targets. If I have an air traffic control system, what I really need to know is who's in the landing pattern."
Using techniques similar to those used in computer forensics, where investigators recover deleted files from a hard drive, DRIW can bury the data beyond the reach of the intruder and recover it in real time after an attack. Even if the intruder manages to corrupt all the data on the system, the most essential data can be recovered rapidly.
DRIW is specifically designed to protect battle management, command and control (BMC2) systems. "It is the only real-time recovery capability that has been demonstrated," says Newland. In a hypothetical example, Newland shows how an attacker can threaten the success of an operation by changing a refueling time, and how a combination of early warning and rapid recovery can correct the corrupt data, allow the operation to proceed and leave the users confident that they can rely on their information systems.
The key to this capability is the use of "adaptive resource recovery agents" (developed by Florida-based team member Modus Operandi). The agents are software packages of different types, located in various places around the system. "Unless an intruder knows they are there, he will not be able to see them," says Newland. Periodically, the agents acquire a "snapshot" of the system data. They compare it with the data observed at different times and places by other agents, detect corruption and, at higher alert levels, block changes without authorization from the system administrator.
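The snapshot, compare and recover cycle just described, together with the "bury and recover" idea from the forensics comparison above and the DataCon-style escalation mentioned earlier, as an added Python sketch. This is illustrative code written for this page, not software from the DRIW program, Northrop Grumman or Modus Operandi; the agent names, the DataCon constants, the record layout and the refueling-time scenario are all constructed for the example.

```python
# Added illustration (not code from the DRIW program or Modus Operandi): toy
# "adaptive resource recovery agents" that snapshot a minimal essential data set,
# detect corruption by comparing snapshots, restore from the copy most agents agree
# on, and step up a DataCon-style alert level. Names and sample data are assumptions.
import copy
import hashlib
import json
from collections import Counter
from dataclasses import dataclass, field

# Alert levels loosely modelled on the "DataCon" idea in the text (values made up).
DATACON_NORMAL, DATACON_ELEVATED, DATACON_LOCKDOWN = 1, 2, 3

def digest(record: dict) -> str:
    """Canonical SHA-256 of a record, so agents can compare data they hold separately."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

@dataclass
class Agent:
    """One hidden agent: digests of the essential records plus a private buried copy."""
    name: str
    snapshot: dict = field(default_factory=dict)  # key -> digest
    vault: dict = field(default_factory=dict)     # key -> copy of the record

    def take_snapshot(self, essential: dict) -> None:
        self.snapshot = {k: digest(v) for k, v in essential.items()}
        self.vault = copy.deepcopy(essential)

@dataclass
class ResilientStore:
    data: dict             # the live, exposed system data
    essential_keys: set    # the minimal essential data set
    agents: list
    datacon: int = DATACON_NORMAL

    def essential(self) -> dict:
        return {k: self.data[k] for k in self.essential_keys if k in self.data}

    def snapshot_all(self) -> None:
        """Periodic task: every agent re-baselines on the current essential data."""
        for agent in self.agents:
            agent.take_snapshot(self.essential())

    def write(self, key: str, record: dict, authorized: bool = False) -> bool:
        """Application write path; at lockdown, essential records need admin approval."""
        if self.datacon >= DATACON_LOCKDOWN and key in self.essential_keys and not authorized:
            return False
        self.data[key] = record
        return True

    def audit(self) -> dict:
        """Map each essential key to the agents whose snapshot disagrees with live data."""
        findings = {}
        for key in self.essential_keys:
            live = digest(self.data[key]) if key in self.data else None
            disagreeing = [a.name for a in self.agents if a.snapshot.get(key) != live]
            if disagreeing:
                findings[key] = disagreeing
        return findings

    def recover(self) -> list:
        """Restore live records that lost the vote against a majority of agents; each
        successful recovery raises the alert level one step (a lone bad agent loses)."""
        restored = []
        for key in self.audit():
            votes = Counter(a.snapshot[key] for a in self.agents if key in a.snapshot)
            if not votes:
                continue
            winner, count = votes.most_common(1)[0]
            live = digest(self.data[key]) if key in self.data else None
            if count * 2 > len(self.agents) and winner != live:
                source = next(a for a in self.agents if a.snapshot[key] == winner)
                self.data[key] = copy.deepcopy(source.vault[key])
                restored.append(key)
        if restored:
            self.datacon = min(DATACON_LOCKDOWN, self.datacon + 1)
        return restored

def build_demo_store() -> ResilientStore:
    """Constructed sample: an air picture in which the tanker's refueling time is essential."""
    data = {
        "tanker-1": {"refuel_time": "0430Z", "track": "ALPHA"},
        "hostile-5": {"heading": 270, "speed": 420},
        "weather": {"visibility": "10km"},  # useful, but easy to reconstitute
    }
    store = ResilientStore(data, {"tanker-1", "hostile-5"},
                           [Agent("alpha"), Agent("beta"), Agent("gamma")])
    store.snapshot_all()
    return store

def demo() -> dict:
    """Intruder changes the refueling time behind the write path; agents detect and repair."""
    store = build_demo_store()
    store.data["tanker-1"]["refuel_time"] = "0530Z"
    detected = sorted(store.audit())
    restored = store.recover()
    return {"detected": detected, "restored": restored,
            "refuel_time": store.data["tanker-1"]["refuel_time"], "datacon": store.datacon}

if __name__ == "__main__":
    print(demo())
```

Two design points carry the weight here. Recovery is a majority vote among agents, so a single agent whose own snapshot has been tampered with is simply outvoted and cannot force a bogus "restore"; and the alert level only climbs when a restore actually happens, which is what makes the store start refusing unauthorized writes to essential records. In this sketch the buried copy is just an in-memory deep copy; the article's point is that a real deployment keeps it where the intruder cannot reach it.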
The objective of information resiliency is not to prevent attacks but to reduce them to a nuisance rather than a threat. "It's like ants at a picnic," says McCallam. "You'll never get rid of all the ants, but if only one or two get through, you'll be O.K."