Defense Configuration Development
At the base of this C2 problem is a decision made by a CSA: where to utilize the available defenses. This defense configuration development problem is a multi-criteria decision-making problem.
A CSA must balance network defense priorities with mission priorities. This requires a full understanding of available defense capabilities. The defense characterization process described in Section provides this vital information. A CSA must also understand mission priorities, critical network assets, and services. Understanding these three components allows the C2PD program to develop a decision-support tool for assigning, deploying, and orchestrating multiple defenses simultaneously.
This decision support for assigning defense techniques is inherently an optimization problem. Multi-criteria optimization balances multiple objectives: maximizing the defense provided to network assets while minimizing the resource consumption that affects mission priorities. A decision engine utilizing this technique provides several mathematically optimal defense configurations to a CSA. Multi-criteria decision-making techniques also allow the CSA to interact with the optimization process, providing human-in-the-loop decision support.
After a CSA has selected the most preferred defense configuration for implementation, the defense deployment framework described in Section provides the ability to deploy these defenses onto the network. This allows for an initial human-in-the-loop decision and enables future autonomous behavior where the decision engine could suggest changes to defense configurations based on observations of network activity or changes in mission priority.
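The selection step described above, as an added example that is not part of the original text or the C2PD program: a small decision engine that enumerates defense configurations over two objectives (weighted asset coverage to maximize, resource units to minimize), returns the Pareto-optimal set, and then lets the CSA rank that set with a preference weight. The asset weights, defense names, coverage sets and costs are all constructed for illustration.

```python
"""Multi-criteria defense configuration selection (added example, constructed data)."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Defense:
    name: str
    protects: frozenset  # assets this defense covers
    cost: int            # resource units consumed (CPU, bandwidth, ...)


@dataclass(frozen=True)
class Configuration:
    defenses: frozenset  # names of the selected defenses
    coverage: int        # criticality-weighted sum of protected assets
    cost: int            # total resource units consumed


# Constructed asset weights: higher means more critical to the mission.
ASSETS = {"web-frontend": 3, "db-server": 5, "file-share": 2, "mail-relay": 1}

# Constructed defense catalogue; names and numbers are illustrative only.
DEFENSES = [
    Defense("hids", frozenset({"db-server", "file-share"}), 16),
    Defense("nids", frozenset({"web-frontend", "mail-relay", "db-server"}), 30),
    Defense("honeypot", frozenset({"web-frontend"}), 10),
    Defense("egress-filter", frozenset({"mail-relay", "file-share"}), 22),
]


def evaluate(chosen, assets=ASSETS):
    """Score one candidate configuration on both objectives."""
    covered = set()
    for d in chosen:
        covered |= d.protects
    coverage = sum(assets[a] for a in covered)
    cost = sum(d.cost for d in chosen)
    return Configuration(frozenset(d.name for d in chosen), coverage, cost)


def dominates(a, b):
    """a dominates b when it is no worse on both objectives and strictly better on one."""
    return (a.coverage >= b.coverage and a.cost <= b.cost
            and (a.coverage > b.coverage or a.cost < b.cost))


def pareto_front(defenses=DEFENSES, assets=ASSETS, budget=None):
    """Enumerate every non-empty subset and keep only the non-dominated ones.

    Exhaustive enumeration is fine for a handful of defenses; a production
    engine would use a heuristic search for larger catalogues.
    """
    candidates = []
    for r in range(1, len(defenses) + 1):
        for subset in combinations(defenses, r):
            cfg = evaluate(subset, assets)
            if budget is None or cfg.cost <= budget:
                candidates.append(cfg)
    front = [c for c in candidates if not any(dominates(o, c) for o in candidates)]
    return sorted(front, key=lambda c: c.cost)


def rank_for_csa(front, coverage_weight):
    """Human-in-the-loop step: order the front by the CSA's stated preference.

    coverage_weight in [0, 1]; 1 means 'protection at any cost', 0 means
    'spend as little as possible'. Objectives are normalized over the front.
    """
    max_cov = max(c.coverage for c in front) or 1
    max_cost = max(c.cost for c in front) or 1

    def score(c):
        return (coverage_weight * c.coverage / max_cov
                - (1 - coverage_weight) * c.cost / max_cost)

    return sorted(front, key=score, reverse=True)


if __name__ == "__main__":
    front = pareto_front()
    for c in front:
        print(sorted(c.defenses), "coverage", c.coverage, "cost", c.cost)
    print("balanced CSA pick:", sorted(rank_for_csa(front, 0.5)[0].defenses))
```

With the constructed data the front contains four configurations; shifting the CSA's weight moves the top recommendation from the cheapest single defense to the full-coverage pair, which is the interaction the paragraph describes. Passing `budget` models a hard resource limit imposed by mission priorities.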
Framework
Current manual methods for installation, configuration, and activation of cyber defenses are labor-intensive. This slow process does not allow a CSA to manipulate defenses more quickly than an attacker can adapt. C2PD provides an automated method for deployment of defense configurations, drastically shortening a CSA’s response time.
CSAs protect the network by utilizing a diverse collection of sensors, defenses, and other assets installed throughout the network. C2PD provides a common communication framework to integrate all of these tools into a C2 system. The use of botnets is an example of this concept of centralized control and decentralized execution. Botnets connect a diverse array of computing assets by standardizing communication and enabling distributed C2.
The C2PD framework provides common communication and distributed C2 for cyber defenses. This framework incorporates sensors, cyber defenses, and other cyber assets into modules. A CSA adds or removes modules to the framework based on mission requirements. Distributed control of modular defenses for rapid deployment provides a scalable defensive posture.
This framework is a distributed multi-agent system [7]. All defenses, defense assets, and C2 interfaces associate with their own agent in the framework through a common Application Program Interface (API). Defenses and defense assets report to the C2 interface via communication by their respective agents. This method of control conceals the implementation details of cyber defenses from the controller.
The framework has a set of core services. First, the registration service provides naming and location services for agents within the network. Second, a message service is required to allow communication between agents. A message encryption service encrypts messages transmitted within the network over any message transport service. Additionally, an audit service is available for system integrity; it records all events within the framework with timestamps. A logging service outputs a record of events to administrators and can correlate logs from multiple hosts across the network into a single log for a CSA. The publish-and-subscribe service lets agents or environments specify the types of input they consume and output they produce. A policy service allows for granular control of the various services running on the framework. Finally, a metrics service reports performance and resource usage statistics from across the network hosts and agents. Figure 2 (Core services within API framework) shows how each agent uses these services within the framework.
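An added, in-process model of how the registration, publish-and-subscribe, policy and audit services fit together; it is illustrative code written for this page, not C2PD's framework or its API. Agent names, topics and addresses are constructed, the fixed clock keeps the audit trail deterministic, and the encryption and transport services are omitted (messages are delivered by direct callback).

```python
"""Toy agent framework with core services (added example, constructed data)."""
import time
from collections import Counter, defaultdict


class AuditService:
    """Records every framework event with a timestamp (system integrity)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.events = []

    def record(self, event, **details):
        self.events.append({"ts": self.clock(), "event": event, **details})


class PolicyService:
    """Granular control: which agent may publish on which topic."""

    def __init__(self, rules):
        self.rules = rules  # {(agent_name, topic): True}

    def allows(self, agent, topic):
        return self.rules.get((agent, topic), False)


class Framework:
    def __init__(self, policy, audit):
        self.registry = {}                    # registration: name -> location
        self.subscribers = defaultdict(list)  # pub/sub: topic -> [(name, callback)]
        self.policy = policy
        self.audit = audit
        self.metrics = Counter()              # metrics: per-agent message counts

    def register(self, name, location):
        if name in self.registry:
            raise ValueError(f"agent {name!r} already registered")
        self.registry[name] = location
        self.audit.record("register", agent=name, location=location)

    def lookup(self, name):
        return self.registry.get(name)

    def subscribe(self, name, topic, callback):
        self.subscribers[topic].append((name, callback))
        self.audit.record("subscribe", agent=name, topic=topic)

    def publish(self, name, topic, message):
        """Deliver to subscribers only if the sender is registered and policy allows."""
        if name not in self.registry:
            self.audit.record("reject", agent=name, topic=topic, reason="unregistered")
            return 0
        if not self.policy.allows(name, topic):
            self.audit.record("reject", agent=name, topic=topic, reason="policy")
            return 0
        delivered = 0
        for sub_name, callback in self.subscribers[topic]:
            callback(name, message)
            self.metrics[f"{sub_name}:received"] += 1
            delivered += 1
        self.metrics[f"{name}:published"] += 1
        self.audit.record("publish", agent=name, topic=topic, delivered=delivered)
        return delivered


def run_demo():
    """A controller subscribes to sensor alerts; one sensor agent publishes."""
    audit = AuditService(clock=lambda: 1700000000.0)  # fixed clock for determinism
    policy = PolicyService({("nids-1", "sensor.alert"): True})
    fw = Framework(policy, audit)
    received = []
    fw.register("controller", "10.0.0.1:9000")  # constructed addresses
    fw.register("nids-1", "10.0.0.20:9000")
    fw.subscribe("controller", "sensor.alert",
                 lambda src, msg: received.append((src, msg)))
    fw.publish("nids-1", "sensor.alert", {"severity": "high", "host": "db-server"})
    fw.publish("nids-1", "defense.deploy", {"action": "enable-hids"})  # not allowed by policy
    fw.publish("rogue", "sensor.alert", {"severity": "low"})            # never registered
    return fw, received


if __name__ == "__main__":
    fw, received = run_demo()
    print("controller received:", received)
    for e in fw.audit.events:
        print(e)
    print("metrics:", dict(fw.metrics))
```

The rejected publishes are the point: the audit trail shows both an unregistered agent and a policy violation, which is what a CSA reviewing the single correlated log would want to see, and the controller never learns how `nids-1` detects anything, matching the paper's note that the agent API hides defense implementation details.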