Timothy H. Lacey

How the Cyber Defense Exercise Shaped an Information-Assurance Curriculum

In this article, we provide a brief history of the Cyber Defense Exercise (CDX), describe Air Force Institute of Technology (AFITs) participation in it, and explain how the experience shaped the information-assurance curriculum and course format at AFIT. The CDX is an annual competition designed to give students the opportunity to learn and demonstrate best practices in defensive information assurance. The CDXs fundamental objective is to design and implement a network that provides specified IT services and defend it against an onslaught of cyberattacks and natural events. CDX participants included blue forces (students), red forces (attacker) and a white cell.

RIPsec - Using reputation-based multilayer security to protect MANETs

This paper examines the theory, application, and results for a Reputation-Based Internet Protocol Security (RIPsec) framework that provides security for a Mobile Ad-hoc Network (MANET) operating in a hostile environment. While there has been significant research in MANET security, the research has tended to address subsets of the overall security challenge. RIPsec leverages existing technologies to provide an overarching layered security framework that provides a more comprehensive security solution than existing approaches. Protection from external threats is provided in the form of encrypted links and encryption-wrapped nodes while internal threats are mitigated by behavior grading that assigns reputations to nodes based on their demonstrated participation in the routing process. End-to-end message security using public and private certificates protects against both internal and external threats. Network availability is improved by behavior grading and round-robin multipath routing. Simulation results showed that the number of routing errors sent in a MANET was reduced by an average of 52% when using RIPsec. The cost in network performance for the security provided by RIPsec was a reduction in throughput. However, the reduction was acceptable given the increase in security. The network load was also reduced, decreasing the overall traffic introduced into the MANET and permitting individual nodes to perform more work without overtaxing their limited resources. The RIPsec framework was analyzed to demonstrate its robustness against a number of well-known attacks against ad-hoc networks. Of the four features incorporated into RIPsec (encryption, IPsec transport mode, behavior grading, and multipath routing), three other frameworks incorporated two of the features (encryption and behavior grading), and the remaining eight frameworks only incorporated one of the four security features. The incorporation of all four security features at multiple levels makes RIPsec very robust against attacks.

A Qualia Framework for Awareness in Cyberspace

As the newest mission area for the US Air Force, cyberspace is getting a lot of attention, and rightfully so. Every person, system, and device that communicates via the use of electronics and the electromagnetic spectrum is a part of this fascinating domain. Cyberspace is not new...it has been around for many years. However, our understanding of how this domain can be exploited has increased dramatically in recent years. As users and managers of cyberspace, we need to know what is happening in this domain. More importantly, we must know how to defend our cyber resources, exploit an adversarys use of the domain, and hold the adversarys operations at risk if need be. All of this requires cyberspace awareness. This is not your grandfathers awareness (one-size-fits-all data overload), but awareness based upon what is relevant to each individual at any level of the command hierarchy, presented in a useable form. The objective is to attain universal situational awareness, defined as awareness across all media and including all the hierarchy.

Integrating CDX into the graduate program

The Air Force Institute of Technology competed for the first time in the all-service cyber defense exercise this year. To do so required a restructuring of the existing specialty track in information systems security/assurance, in order to align with the exercise schedule and maintain an appropriate graduate level emphasis. In addition, the school was able to enroll, for the first time ever, senior enlisted members of the Air Force and Marine Corps who contributed a wealth of tactical, practical, knowledge and experience in deploying information systems under less than ideal conditions. The merits of these factors were borne out by the schools success on its maiden effort.

The Impact of the NSA Cyber Defense Exercise on the Curriculum at the Air Force Institute of Technology

This paper describes how the curriculum and course format at the Air Force Institute of Technology (AFIT) has evolved based on our experience with the highly-successful Cyber Defense Exercise (CDX) sponsored by the National Security Agency (NSA). Using industry-standard hardware and software, AFIT graduate students designed, built, and operated a robust network infrastructure that survived scans, denial of service attacks, social engineering, viruses, and root kits orchestrated by a team of NSA-sponsored hackers. AFITs two-quarter graduate-level course format changed this year to provide more hands-on, student-initiated education, which we found to be an effective teaching style for information security courses. This change in course format placed more emphasis on a coordinated team approach to defending the network. In this paper, we explain how the students formed teams and planned their activities and discuss how effective organization and division of labor can successfully thwart cyber attacks

Scalable wavelet-based active network detection of stepping stones

Network intrusions leverage vulnerable hosts as stepping stones to penetrate deeper into a network and mask malicious actions from detection. Identifying stepping stones presents a significant challenge because network sessions appear as legitimate traffic. This research focuses on a novel active watermark technique using discrete wavelet transformations to mark and detect interactive network sessions. This technique is scalable, resilient to network noise, and difficult for attackers to discern that it is in use. Previously captured timestamps from the CAIDA 2009 dataset are sent using live stepping stones in the Amazon Elastic Compute Cloud service. The client system sends watermarked and unmarked packets from California to Virginia using stepping stones in Tokyo, Ireland and Oregon. Five trials are conducted in which the system sends simultaneous watermarked samples and unmarked samples to each target. The live experiment results demonstrate approximately 5% False Positive and 5% False Negative detection rates. Additionally, watermark extraction rates of approximately 92% are identified for a single stepping stone. The live experiment results demonstrate the effectiveness of discerning watermark traffic as applied to identifying stepping stones.