John R. James

Architecture of a cyber defense competition

This paper describes the effort involve in executing cyber defense exercise while focusing on the white cell and red forces activities during the 2003 inter-academy cyber defense exercise (CDE). These exercise components were led by the National Security Agency and were comprised of security professionals from Carnegie Mellon Universitys CERT, the United States Air Force, and the United States Army. This hands-on experience provided the capstone educational experience for information assurance students at the U.S. service academies. The white cell developed the scenarios and anomalies, established the scoring criteria, refereed the exercise, and determined the winner based on the effectiveness of each academy to minimize the impact to their networks from the red forces network intelligence gathering, intrusion, attack and evaluation. To understand better all that is involved, this paper takes advantage of the authors three years of experience in directing the activities associated with the planning and execution of the 2003 exercise.

A Survey of Knowledge-Based Systems for Computer-Aided Control System Design

During the last few years several knowledge-based systems for Computer-Aided Control System Design (CACSD) have been built. This paper provides a review of those artificial intelligence (AI) programming techniques which support the construction of these knowledge-based systems, surveys some of the systems built thus far, and comments on the characteristics that one should require of software tools in order to build a knowledge-based system for control system design. Section 1 introduces the subject. Section 2 reviews the data structures (knowledge bases) which store the symbolic data used by the various inference mechanisms. Section 3 surveys knowledge-based systems for computer-aided control system design. Section 4 comments on capabilities of expert system programming environments for CACSD and the paper is concluded in Section 5.

Building trustworthy systems: guided state estimation as a feasible approach for interpretation, decision and action based on sensor data

Sensor management plays a key role in control of critical infrastructure systems. This paper describes an approach for improving capabilities for interpretation, decision, and action based on sensor data through application of an intermediate level of aggregation. Improvements in complex system understanding are needed now at the interface between human understanding of system state and machine understanding of system state. The human understanding of the state of the system (situation understanding) must be achieved under ever more demanding time constraints. As expectations increase for faster, more-informed (better) decisions by humans at the supervisory-control level, improvements are needed for providing support for interpreting sensor data to understand current system behaviors and make informed human decisions on actions needed to cause future system behaviors to comply with some planned sequence of events or patterns of behavior. Likewise, as the number and capabilities of networked sensors increase, improvements are needed in enabling autonomous control systems at local levels to understand current system behaviors and make informed machine decisions on actions needed to cause future system behaviors to comply with some planned sequence of events or patterns of behavior. The paper discusses achieving an intermediate level of aggregation: (1) as a scientific basis for understanding complex system behaviors, (2) as an effective tool for creation of technologies based an intermediate level of aggregation and (3) as a basis for education of leaders who must make decisions based on understanding of the current system state.

Unicode Steganographic Exploits: Maintaining Enterprise Border Security

Unicode is rapidly becoming the preferred means for representing symbols used in creating multimedia content, especially for information thats presented in multiple languages. This article discusses a unicode vulnerability that makes such content susceptible to being used for creation of covert channel communications. We also developed a solution architecture, the unified secure message augmentation (USMA) service. The USMA service incorporates rules (in an XML vocabulary) that we can apply to unicode transmissions that will detect an attempt to transmit a potential exploit, alert network managers to the presence of the unicode anomaly, and take action to mitigate the exploit.

Smart grid modeling approach for wide area control applications

This paper describes an approach for modeling smart grids for wide area control applications. More specifically, it is proposed to model smart grids as a set of interdependent composite networks. A composite network is one whose evolution in time and/or space is described as a composition of more than one category of networks. This work proposes an interconnection of a communication network, information network, and a power system network to model smart grids. More specifically this work proposes a quantitative model focusing on bulk generation and transmission. The resulting model will be used for studying and simulating wide area measurement and control techniques and contingencies of components. The modeling methodology is based on the initial partitioning by the National Institute of Standards and Technology (NIST) of the smart grid domains. A basic example with control of load (demand response) and generator set points over a communication link is presented.

Modeling of information dominance in complex systems: a system partitioning and hybrid control framework

This paper provides a view of modeling the information dominance problem of military systems as representative of modeling other complex systems. The ideas are an extension of earlier efforts to base analysis of information assurance for complex systems on system partitioning into a system of systems. The approach discussed rests upon the notion that the system at hand is intended to achieve some useful purpose and that a system of systems approach provides a feasible methodology for composing the system functionality (behaviors) as an aggregation of sub-systems functionality. Many subsystem processes have continuous process models while higher system models are usually discrete. Composition of components requires consideration of interaction of subsystems, especially when feedback loops are present. A model of information assurance (IA) processes consistent with this hybrid system model of complex processes is described. Information dominance is defined as superior situation understanding and superior support for making decisions under uncertainty. The information dominance model is then presented as an extension of the AI model. The paper concludes with a conjecture that more effective intrusion detection can be achieved by using the known purpose of an information system (e.g. achieving information dominance in support of an operation) to guide allocation of intrusion detection resources.

Flowing valued information based on a need to share

The ability to share information between organizations in an ad-hoc, networked environment frequently found in humanitarian assistance/disaster relief (HADR) operations, remains a challenge today. For example, US Armed Forces participating in HADR operations do not have an organic ability to share information bi-directionally with Non-Government Agencies (NGO) such as Doctors-Without-Borders. It such cases, communications are normally accomplished outside existing military networks.

Using the trees to find the forest trustworthy computing as a systems-level issue

There is a need to provide information system managers with better tools to estimate the trustworthiness of an information system. We believe it is necessary to consider trustworthiness of an enterprise information system as being more than an estimate of the reliability of the individual components. Some approach for analyzing component-level attacks to evaluate the impact on enterprise-level goals is needed as well as some approach for analyzing a series of information system attacks as part of a possible attack plan against the enterprise. Lower-level sensing of malicious activities and reaction to these activities is necessary to maintain reliability of individual information system components. However, toomuch of the current research effort is directed at component-level activity detection and reaction and too little of the current effort is directed at enterprise-level detection and reaction. We provide some thoughts on what is needed to be able to accumulate estimates of reliabilities of information system components into estimates of trustworthiness of information systems.

Cyber-physical situation awareness and decision support

Cyber-physical situation awareness is essential to management of government services and conduct of business processes. In particular, all of the nations critical infrastructures depend upon proper operation of supervisory control and data acquisition (SCADA) devices and proper operation of these devices faces threats from possible occurrences of a variety of deliberate and inadvertent cyber events. This paper discusses an ongoing approach for incrementally improving cyber-physical situation awareness by (1) extending previous results for information architecture understanding, (2) sharing protected information among information owners whose knowledge (measurement) of their own state can be improved by choosing to share information with others, and (3) comparing measured cyber-physical system state to predicted cyber-physical system state.

Performance modeling of the advanced field artillery tactical data system

Planning of complex activities is a deliberative process and automation support for re-planning activities should provide for cognitive modeling of the planning process. One approach for modeling military planning systems is to partition the process into separable components and analyze the components individually. The paper takes the position that the cognitive model should contain details of the domain being supported and, especially for support of online re-planning, knowledge of the system implementation architecture, including performance modeling of the implementation architecture. A possible issue is the failure of the separable components assumption when the system is composed of components. We discuss these thoughts in some detail and provide an overview of a test bed framework being implemented to perform experiments on the validity of this approach. In particular, we are interested in creating analysis tools that apply metrics to sensed data to assist in determining when a re-planning activity is required and in prioritizing re-planning activities. The framework is intended to support experiments with military decision making and, in particular, with re-planning activities that support execution of a military operation order (OPORD). We are investigating use of a simulation tool to accumulate information at the message-packet-level and perform analysis at the network-application-level. We discuss use of this framework for pattern recognition of activities distributed in time and space. We provide an introduction to our approach for partitioning the problem space and some ideas on design of experiments using this approach.