File preview
SDNA : A Self-shielding Dynamic Network Architecture
Problem
With patience, a vulnerability in a computer network can be found and exploited Once inside, an attack can easily spread Prevent and limit attacks before detection 0-day, USB/email, compromised OS, etc.
User
Application
SDNA Key Concepts
Normal User Experience Normal Socket Semantics Normal Network Semantics
Dynamics Coordination SDNA Packet manipulation Network SDNA Packet manipulation
User
Application
OS Dynamics concealed
Dynamics present
OS
Device A
Device B
Photo by user ilovebutter, used under Creative Commons Attribution 2.0 Generic (CC BY 2.0) License
Like a hallway with many doors… Burden on attacker, all choices except 1 are a trap Must make choice to test its correctness Correct door constantly changes, cannot follow Not just “security through obscurity”
Integrated, decentralized architecture IPv6 based, IPv4 compatible Continually change network’s appearance in multiple ways Network access is managed & protected by a hypervisor Transparent to OS, apps, and user Cryptographically strong Network is secure by default
Photo by Ethan Prater, used under Creative Commons Attribution 2.0 Generic (CC BY 2.0) License
Security
Addresses cannot be meaningfully observed or used to locate/identify important nodes Network appearance differs per user & node Sender of a packet can be verified Secure against a compromised OS Non-SDNA devices/packets are easily detected and dropped/honeypotted
User Application OS
Feasibility/Usability
No changes to OS or apps Use existing CAC systems No changes to network hardware Dynamics are hidden from legitimate users
Use large IPv6 address space to create dynamics
Goals
Disrupt planning & effectiveness of attacks Prevent first node from being attacked Prevent spread after a successful attack Provide additional information to improve detection of and recovery from attacks Sponsor
Walt Tirenin, AFRL FA8750-10-C-0089 and FA8750-11-C-0179
Contact
Justin Yackoski : jyackoski@i-a-i.com 301-294-4251 http://www.i-a-i.com
Approved for Public Release; Distribution Unlimited: 88ABW-2012-2986,23-May-2012
Direct user Authentication, bypassing OS
SDNA
Source: http://en.wikipedia.org/wiki/IPv6_packet
Example capture of packets in an SDNA network
© INTELLIGENT AUTOMATION, INC
Problem
With patience, a vulnerability in a computer network can be found and exploited Once inside, an attack can easily spread Prevent and limit attacks before detection 0-day, USB/email, compromised OS, etc.
User
Application
SDNA Key Concepts
Normal User Experience Normal Socket Semantics Normal Network Semantics
Dynamics Coordination SDNA Packet manipulation Network SDNA Packet manipulation
User
Application
OS Dynamics concealed
Dynamics present
OS
Device A
Device B
Photo by user ilovebutter, used under Creative Commons Attribution 2.0 Generic (CC BY 2.0) License
Like a hallway with many doors… Burden on attacker, all choices except 1 are a trap Must make choice to test its correctness Correct door constantly changes, cannot follow Not just “security through obscurity”
Integrated, decentralized architecture IPv6 based, IPv4 compatible Continually change network’s appearance in multiple ways Network access is managed & protected by a hypervisor Transparent to OS, apps, and user Cryptographically strong Network is secure by default
Photo by Ethan Prater, used under Creative Commons Attribution 2.0 Generic (CC BY 2.0) License
Security
Addresses cannot be meaningfully observed or used to locate/identify important nodes Network appearance differs per user & node Sender of a packet can be verified Secure against a compromised OS Non-SDNA devices/packets are easily detected and dropped/honeypotted
User Application OS
Feasibility/Usability
No changes to OS or apps Use existing CAC systems No changes to network hardware Dynamics are hidden from legitimate users
Use large IPv6 address space to create dynamics
Goals
Disrupt planning & effectiveness of attacks Prevent first node from being attacked Prevent spread after a successful attack Provide additional information to improve detection of and recovery from attacks Sponsor
Walt Tirenin, AFRL FA8750-10-C-0089 and FA8750-11-C-0179
Contact
Justin Yackoski : jyackoski@i-a-i.com 301-294-4251 http://www.i-a-i.com
Approved for Public Release; Distribution Unlimited: 88ABW-2012-2986,23-May-2012
Direct user Authentication, bypassing OS
SDNA
Source: http://en.wikipedia.org/wiki/IPv6_packet
Example capture of packets in an SDNA network
© INTELLIGENT AUTOMATION, INC