Sounding the alarm

The Air Force Research Laboratory Information Directorate, Rome, N.Y., last month tapped Litton/PRC Inc. to build a system that will collect information on cyberattacks or other unauthorized users throughout the Air Force as part of a Defense Departmentwide effort to stem the increasing number of intrusions into DOD computer systems.

The development of an automated intrusion-detection system, which will become a part of a larger DOD system to detect and gather data on computer intrusions, is the first task order under the Defensive Information Warfare Technology Applications (DIWTA) contract, awarded to a team headed by Litton/PRC last month.

Under the four-year, $19.6 million contract, the systems integrator also will offer other information security solutions, including vulnerability and risk assessment, automated warning and response, and forensics.

The contract also will be part of DOD's response to a directive issued by President Clinton last year, known as Presidential Decision Directive 63, which called on federal agencies to develop plans and systems to protect mission-critical computer systems.

The Automated Intrusion Detection Environment (AIDE), the first project, will collect information from individual intrusion-detection systems throughout the Air Force to deposit into a central system.

The data will be pulled together at local, regional and global levels to generate easily understood reports for administrators on different issues such as similar attacks at several sites. The AIDE is a joint effort between the research lab's Information Directorate and the Defense Information Systems Agency.

The Rome site also is working with the commanders in chief at DOD commands worldwide to collect intrusion information. The data will flow into the Joint Task Force for Computer Network Defense, and the JTF-CND then will correlate the information on a global scale.
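As an added illustration, not code from the AIDE program or from PRC, the following Python sketch shows the local/regional/global roll-up and the "similar attacks at several sites" correlation the paragraphs above describe; the alert fields, signature names and addresses are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    site: str       # local site whose sensor raised the alert
    region: str     # regional aggregation level the site reports to
    signature: str  # intrusion-detection signature name (constructed)
    src: str        # source address as reported by the local sensor


# Constructed sample alerts standing in for feeds from individual sensors.
SAMPLE_ALERTS = [
    Alert("base-a", "east", "SIG-PORTSCAN", "198.51.100.7"),
    Alert("base-a", "east", "SIG-PORTSCAN", "198.51.100.7"),
    Alert("base-b", "east", "SIG-PORTSCAN", "198.51.100.7"),
    Alert("base-c", "west", "SIG-PORTSCAN", "198.51.100.7"),
    Alert("base-c", "west", "SIG-FTP-BRUTE", "203.0.113.9"),
    Alert("base-d", "west", "SIG-FTP-BRUTE", "203.0.113.9"),
]


def rollup(alerts, level):
    """Count alerts per signature at one level: 'site', 'region' or 'global'."""
    counts = defaultdict(Counter)
    for a in alerts:
        key = "global" if level == "global" else getattr(a, level)
        counts[key][a.signature] += 1
    return {k: dict(v) for k, v in counts.items()}


def correlate(alerts, min_sites=2):
    """Report signatures seen at several distinct sites, with sites and sources."""
    sites = defaultdict(set)
    sources = defaultdict(set)
    for a in alerts:
        sites[a.signature].add(a.site)
        sources[a.signature].add(a.src)
    return {
        sig: {"sites": sorted(sites[sig]), "sources": sorted(sources[sig])}
        for sig in sites
        if len(sites[sig]) >= min_sites
    }


if __name__ == "__main__":
    for level in ("site", "region", "global"):
        print(level, rollup(SAMPLE_ALERTS, level))
    print("multi-site", correlate(SAMPLE_ALERTS))
```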

"We are working across DOD...[and] in the end, feeding all of the information to DISA's Global Network Operations Security Center and the JTF-CND," said Brian Spink, the AIDE program manager and an electronics engineer at the Rome Research Site's Defensive Information Warfare Branch.

The JTF-CND serves as the coordination center for DOD agencies and services to report computer security breaches and for responding to cyberattacks.

But without the intrusion information from the Air Force and the other services, the JTF-CND is next to useless, said Kent Schneider, vice president and general manager of command, control, communications and intelligence systems at PRC.

DIWTA and similar contracts will play a role in overall defense strategy, he said. "This contract is certainly not targeted only at Air Force requirements," Schneider said. "It will certainly be used to enhance their effort in the joint environment."

PRC, in addition to facilitating the automation and creation of the central system, is developing a form of "adaptive" intrusion detection, an application that allows the system to learn from past intrusion signatures to recognize future intrusions even if the attacker is using no known method, Schneider said.

"It's basically devising techniques and tools that allow you to take existing systems and systems in development and allow them to be monitored as a whole," Schneider said. "The idea of developing adaptive tools that can adjust to a variety of threats is recognizing that the problem is really an issue of defense in depth, with threats from outside and inside the organization."

The work will focus on the Non-Classified Internet Protocol Router Network, which DOD uses to send unclassified messages, and DOD connections to the Internet, Spink said. NIPRNET and many DOD Web sites have come under such heavy fire from hackers and other unauthorized users that the department has contemplated cutting off all connections to the Internet.

Work on the AIDE has been under way for more than a year. The Rome site had used other contracts for the work but decided to create the DIWTA contract last year to provide a more focused group of vendors and resources, Spink said.

Through DIWTA, the Air Force has access to 30 vendors, including Booz-Allen & Hamilton Inc., Computer Sciences Corp., Litton/TASC Inc. and Trident Data Systems Inc., and future tasks under consideration will include technology from many of them, Spink said.