Communication Protocol for CyAMS and the Cyber Fighter Associate Interface

October 1, 2015

Army Research Laboratory, Aberdeen Proving Ground, Maryland

This program evaluates agility maneuvers that may be employed within networks to mitigate the effect of cyber attacks.

As the military adopts more networked equipment, the opportunity for cyber attacks to occur has also risen. To mitigate the effect these attacks have, network administrators and security experts must be able to decide on the best course of action based on many factors. The Cyber Fighter Associate (CyFiA) will help decide the best course of action given a set of cyber agility maneuvers by measuring the cost and utility of potential maneuvers, along with node and network facts, to select the maneuvers that will lead to mission success.

The CyFiA will suggest agility maneuvers to accomplish a mission in response to a vulnerability or threat (known infection). The first mission for the CyFiA is to evaluate agility maneuvers and provide recommendations for a patch management mission. These maneuvers are a set of various actions that can be used to prevent the propagation of an attack by patching a device so it is immune to the attack. The CyFiA is meant to be expandable to allow for new agility maneuvers to be added in the future.

To test the effectiveness of the CyFiA, a program called Cyber Army Modeling and Simulation (CyAMS) was used. This program uses the ns-3 network simulator, a discrete-event network simulator for Internet systems (ns-3 2004). CyAMS can model very large-scale networks with the help of a high-performance computing system. Currently, CyAMS is implemented on a system called Thufir, a hybrid computer mixing graphics-processing unit (GPU) and standards cores. CyAMS has demonstrated the ability to model networks containing up to 35 million nodes.

To accomplish agility maneuver simulations for the large simulated networks, there needs to be a method to transfer the considerable amount of data from CyAMS to the CyFiA knowledge engine. Therefore, a communications program was designed and developed that transfers the data between the separate programs.

The CyFiA currently consists of three parts: the CyFiA knowledge-based system, the Risk-Cost Calculation program, and CyAMS. The network is being simulated on CyAMS. The Risk-Cost Calculation program needs input from CyAMS to calculate cost/utility, and provide information to the CyFiA knowledge-based engine so it can recommend agility maneuvers to CyAMS. There needs to be frequent communication between the programs, so a protocol was defined that relies on the exchange of User Datagram Protocol (UDP) packets utilizing specific ports. UDP is a minimal message-oriented Transport Layer Protocol that allows for efficient message passing between programs and computers.

To support the CyFiA, the following information for each node needs to be exchanged between the programs: location (latitude/longitude), capability and operating system, node health information, edge endpoint and communication throughput, battery information, state change (agility maneuver, health, etc.), patch size, and graphical user interface (GUI) update information (state change, GUI information).

The protocol allows a high data transfer rate as well as the ability to add functionality to the programs in the future. CyAMS provides various inputs to the communications program, which distributes information between different programs. As the communications program receives information from CyAMS, it resends the information to the CyFiA knowledge tool and Risk-Cost Analysis program. Sockets do not permit listening and sending on the same port. Therefore, whichever port CyAMS sends on, the communications program will resend on that port, plus 1 for CyFiA or plus 2 for Risk-Cost.

NASA’s World Wind GUI is one of the programs that receives information using this protocol. The World Wind GUI receives state updates from the CyAMS simulation any time a node within the simulation changes state. In addition to node state changes, the GUI also receives any data regarding link changes that may occur as a result of the simulation, or due to a critical path change. These state changes will then be reflected within the GUI itself. This can be seen in the figure. The links highlighted in yellow represent the critical path nodes that are required for the mission. The green node is patched or immune, and the red node is the source of the infection.

The communications program is the main program that connects the CyFiA knowledge base program, Risk-Cost program, and CyAMS together. In the communications program, each port uses its own thread so that packets are not skipped. After the program receives each packet, it resends the packet to both the CyFiA and the Risk-Cost program. This is repeated with packets being received from the CyFiA and Risk-Cost programs.

Although the general layout of communication is complete, the communication program will have to be modified when the CyFiA is extended. Another change that can be made is the integration of the communication program into the CyFiA.

This work was done by Brian Henz and Lisa M. Marvel of the Army Research Laboratory; Scott Brown of Secure Mission Solutions, and David Harman of the University of Maryland, College Park. ARL-0185

---