As security devices and protocols become widely used on the Internet, the task of managing and processing communication security policies grows steeply in its complexity. This paper presents a scaleable, robust, secure distributed system that can manage communication security policies associated with multiple network domains and resolving the policies -esp. those that specify the use of IP-AH/ESP security protocols -into security requirements for inter-domain communication.Technology innovation includes a formal model for IPsec policy specification and resolution, a platform independent policy specification language and a distributed policy server system. The formal model consists of a hierarchical domain model for IPsec policy enforcement and a lattice model of IPsec policy semantics. The policy specification language enables users to specify IPsec policies using the formal model regardless of the make of the security devices. The policy servers maintain the security policies in a distributed database, and negotiate the security associations for protecting inter-domain communication. Both the policy database and the policy exchange protocol are protected from passive and active attacks. Several UNIX implementations are available for non-commercial uses.
Current DoD enterprise networks routinely face targeted cyber attacks, and even though attack-related information is recorded in various places, this information is often left unexamined until after attacker objectives have been achieved. This is especially true for large networks consisting of continuously changing networked devices, including laptops, servers, printers, IP phones, and more. This paper describes the design of Gestalt, a next-generation cyber information management platform that simplifies access to cyber event data stored in the nooks and crannies of a distributed enterprise. The ready and secure access to cyber information provided by Gestalt is a key enabler for a new set of techniques that can detect and mitigate targeted cyber attacks within hours instead of months. Current state-of-the-art approaches to automated and operator assisted cyber defense are ill-suited to counter targeted cyber attacks because these technologies (1) focus only on aggregated one-dimensional features across multiple devices, (2) do not provide the required coverage over all networked devices and observables accessible on those devices, and (3) lack the expressiveness and deeper semantic backing required to detect targeted attacks across a sea of lowlevel observables. Gestalt provides innovations in (1) automatically discovering devices and useful data sources in the enterprise (beyond simple IP connectivity), (2) maintaining a metadata index of devices and observable information (even of devices without schemas and connectors), and (3) transparently decomposing and federating semantic graph queries to devices (rather than extracting and aggregating information in a central store), and integrating the results back into a well-defined ontology.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.