Notes from CSIIRW-09

We attended and presented at the Cyber Security and Information Intelligence Research Workshop, April 13-15, 2009 at Oak Ridge National Labs (ORNL). The audience numbered about 150 attendees, with academia and government representing the biggest segment, and a few representatives from systems integrators and technology providers. In his keynote, Dr. Doug Maughan from DHS reviewed and assessed federal cyber initiatives from 2003 to the present. While noting that the amount of activity around cyber security is encouraging, Doug challenged the cyber security research community to be “bolder and riskier in their thinking”, to do a better job of capitalizing on the increased interest, and to come together on an agreement for a “National Cyber Security R&D Agenda”. In other featured presentations, Dr. Nabil Adam from DHS and Rutgers University introduced issues and programs at the intersection of Cyber and Physical Systems Security. SCADA and Smart Grid systems were highlighted. In his “Are we on the Right Road” presentation, George Hull from Northrop Grumman confronted basic challenges. With 5.4 million unique malware samples discovered in 2007, and companies like Symantec now doing up to 300 updates per day, signature-based systems don’t and can’t work. And as systems become ever more complex, the complexity works against security and reliability. Hull suggested that cyber security is not about the endpoints or the network. Rather, the real focus needs to be defending the information. Dr. Robert Stratton from Symantec presented findings from Symantec’s Internet Security Threat Report (April 2009). Of particular interest to Milcord was the finding that in 2008 “Symantec observed an average of 75,158 active bot-infected computers per day in 2008, an increase of 31 percent from the previous period.”

The panel discussions surfaced some points for pondering, including observations that as venture capitalists seem to be moving away from cyber security as an investment area the government needs to fill the void in R&D funding. Some questioned the effectiveness of some government cyber R&D programs like NSF, going so far as to refer to it as ‘welfare for scientists’, disconnected from real-world needs, and unlikely to produce innovation that results in deployable systems.

Milcord presented findings from its DHS-sponsored botnet research on the Behavioral Analysis of Fast Flux Service Networks. Specifically, we discussed the behavioral patterns of domains, name servers, and bots that our FastFlux Monitor uncovered, giving insight into the short-term behavior, long-term behavior, organizational behavior, and operational behavior of botnets that use fast flux service networks.
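As an added illustration of the kind of behavioral features such analysis rests on, the following Python is example code written for these notes; it is not Milcord's FastFlux Monitor and does not reproduce any of its findings. It computes short-term features (TTL, answer churn) and infrastructure-spread features (distinct IPs, distinct network prefixes, distinct name servers) over a series of DNS resolutions, and applies assumed thresholds to flag fast-flux behavior. The /16 prefix used as a stand-in for the hosting network, the thresholds in `is_fast_flux`, and the resolution records themselves are all constructed assumptions. The CDN record set is included to show the caveat a practitioner cares about: a short TTL alone is not evidence of fast flux, because content delivery networks and round-robin load balancers use short TTLs too.

```python
# Fast-flux behavioral features over constructed DNS observations.
# Added example; not Milcord's FastFlux Monitor. Thresholds are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Observation:
    """One resolution of a domain: when it was looked up and what came back."""
    domain: str
    ts: int                  # lookup time, seconds since epoch
    ttl: int                 # TTL (seconds) on the returned A records
    ips: Tuple[str, ...]     # A records in the answer
    ns: Tuple[str, ...]      # NS names authoritative for the domain


def ip_prefix(ip: str, bits: int = 16) -> str:
    """Coarse network prefix; assumption: a /16 approximates the network owner
    (a real monitor would map each IP to its ASN instead)."""
    octets = ip.split(".")
    return ".".join(octets[: bits // 8]) + f"/{bits}"


def fast_flux_features(obs: List[Observation]) -> Dict[str, float]:
    """Short-term behavior (TTL, churn) plus infrastructure spread (IPs, prefixes, NS)."""
    if not obs:
        raise ValueError("need at least one observation")
    ordered = sorted(obs, key=lambda o: o.ts)
    all_ips = {ip for o in ordered for ip in o.ips}
    prefixes = {ip_prefix(ip) for ip in all_ips}
    nameservers = {n for o in ordered for n in o.ns}
    # Churn: fraction of consecutive answers whose IP set changed.
    changes = sum(1 for a, b in zip(ordered, ordered[1:]) if set(a.ips) != set(b.ips))
    churn = changes / (len(ordered) - 1) if len(ordered) > 1 else 0.0
    return {
        "mean_ttl": sum(o.ttl for o in ordered) / len(ordered),
        "distinct_ips": float(len(all_ips)),
        "distinct_prefixes": float(len(prefixes)),
        "distinct_ns": float(len(nameservers)),
        "churn": churn,
    }


def is_fast_flux(features: Dict[str, float]) -> bool:
    """Assumed thresholds: short TTL AND many IPs AND spread across networks AND churn.
    Short TTL by itself is not enough; CDNs and round-robin DNS use it legitimately."""
    return (
        features["mean_ttl"] <= 600
        and features["distinct_ips"] >= 5
        and features["distinct_prefixes"] >= 3
        and features["churn"] >= 0.5
    )


# Constructed observations (private 10.x addresses, fictitious names).
FLUX_NS = ("ns1.flux.example", "ns2.flux.example")
FLUX_OBSERVATIONS = [
    Observation("flux.example", 1000, 300,
                ("10.1.0.1", "10.2.0.1", "10.3.0.1", "10.4.0.1", "10.5.0.1"), FLUX_NS),
    Observation("flux.example", 1300, 300,
                ("10.6.0.1", "10.7.0.1", "10.8.0.1", "10.1.0.1", "10.9.0.1"), FLUX_NS),
    Observation("flux.example", 1600, 300,
                ("10.10.0.1", "10.11.0.1", "10.2.0.1", "10.12.0.1", "10.13.0.1"), FLUX_NS),
]

# A CDN-style domain: short TTL, but a stable pair of addresses in one network.
CDN_NS = ("ns1.cdn.example",)
CDN_OBSERVATIONS = [
    Observation("cdn.example", 1000, 60, ("192.0.2.10", "192.0.2.11"), CDN_NS),
    Observation("cdn.example", 1060, 60, ("192.0.2.11", "192.0.2.10"), CDN_NS),
    Observation("cdn.example", 1120, 60, ("192.0.2.10", "192.0.2.11"), CDN_NS),
]


if __name__ == "__main__":
    for name, obs in (("flux.example", FLUX_OBSERVATIONS), ("cdn.example", CDN_OBSERVATIONS)):
        f = fast_flux_features(obs)
        print(name, f, "fast-flux" if is_fast_flux(f) else "not flagged")
```

Running the block flags `flux.example` (13 distinct IPs across 13 /16 prefixes, every answer different from the last) and leaves `cdn.example` unflagged despite its 60-second TTL, because its two addresses never change and sit in a single prefix. The long-term and organizational views mentioned in the notes would be built by tracking the same features over days and across domains that share name servers or address pools.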