Notice: The material in this document is protected by the US copyright laws, and it is provided solely to familiarize readers with the system CEWPS™ and the Smart Vaccine™. No part of this document can be used, copied, or reproduced in any form or fashion. Contact the author of the document regarding any information in this document.

The Cognitive Early Warning Predictive System™ / the Smart Vaccine™
How to protect the Critical Infrastructures of Smart City
For the Journal of Defense Software Engineering
By Dr. Rocky Termanini, CEO MERIT CyberSecurity Consulting™; CISSP, PE, July 10, 2013
Abstract

One of the great contributions to humanity was the discovery of the vaccine. Dr. Edward Jenner and Louis Pasteur share this honorable credit. Without adaptive immunity, one fourth of the human race would have been terminally ill. Building a Digital Immune System to combat cyber malware is one of the most innovative ideas and will soon become reality. This is the story of the digital Smart Vaccine.
Introduction

This paper brings a new dimension into the cyber security continuum. It describes the blueprint and the conceptual design strategy of an intelligent system called the Cognitive Early Warning Predictive System™ (CEWPS). CEWPS™ is the new Digital Immune System (DIS) because it follows the Human Immune System (HIS); in other words, it is the counterpart of the Human Immune System, applied solely to the digital world. CEWPS will be equipped with an ultra-fast broadband grid that will be used to accommodate heavy alert traffic, attack data and vaccination services. CEWPS is fully autonomic in handling surprise attacks (particularly for the critical infrastructure systems), and designed to predict incoming massive attacks and issue “just-in-time” alerts to trigger a defense response. All this magic is done with the help of an autonomic agent that we call “The Smart Vaccine™”. Once the viral attack is recognized, an early warning alert is broadcast throughout the DIS grid. The Smart Vaccine quickly performs its “acquired immunity” function by delivering the proper vaccine and inoculating all systems on the grid. The attack is nullified and normal operations are transparently resumed. Subsequently, the attack episode is documented and stored in the Knowledge Base for vaccination support against future attacks.

There are two technical justifications for building the CEWPS™/SV. The first reason is the accelerated proliferation of cybercrime and cyber terrorism. Graph-A simply shows the accelerated progression and sophistication of malware vis-à-vis Anti-Virus Technologies. Malware engineers have succeeded in crafting diabolical rootkits, dismantling anti-virus code, and making the most venomous payloads to contaminate the world with.
The CEWPS™/Smart Vaccine™ is also designed to use a “Defense by Offense” mechanism before the virus contaminates other computers or even mutates into another object. When an attacking virus penetrates a computer through email or Microsoft Internet Explorer, CEWPS™/Smart Vaccine™ will quickly recognize the foreign virus, neutralize it, and quarantine it. CEWPS™ will issue an early warning to the other systems on the grid. The Smart Vaccine will intercept the roaming worm and inoculate the other critical systems with the proper vaccine (code). The Virus Knowledge Base will store the attack episode for future reference. All systems will stay up without any interruption. Graph-D illustrates the magic work of the Smart Vaccine™ within the CEWPS™ environment.
Business-centric Drivers

There are two significant drivers that justify the rapid adoption of the CEWPS™/Smart Vaccine. The first driver is to offer a cognitive early warning system to all critical infrastructures and mission critical systems in the country. The escalating cyber terrorism initiated from hostile countries against the United States is a major threat to our economic and societal prosperity. For example, an Electronic Pearl Harbor attack on a metropolitan power grid could create havoc in several major cities with astronomical financial losses. The second driver is that the state of the art of Anti-Virus Technology (AVT) is still behind the technology curve, as shown previously in Graph-B. None of the AVTs is fully autonomic, grid-centric, or artificially intelligent enough to reason and predict an attack. CEWPS™/SV addresses the gaps in today's technology by offering a holistic predictive approach to protect mission critical infrastructure.

Proposed Solution Framework

CEWPS™/Smart Vaccine™ is engineered after the human body, with loosely coupled grids that provide virtualization and communication among the grids with one another at a highly intelligent semantic level. The objective is to achieve a high level of concurrency and parallel reliability, as shown in Graph-E. If one layer goes down, the other layers keep performing until the system fixes itself and the three grids resume normal operation.
Top Layer: The Early Warning and Malware Collecting Grid: It has the cognitive intelligence to detect and quarantine all incoming stealth attacks, recognize their origin, identify their structure and payload, and dispatch alert messages to the Smart Vaccine and Critical Systems grids. The Early Warning Grid is the radar of CEWPS™. It is made of honeypots, booby-traps, reasoning engines, and semantic detection knowledge engines. Furthermore, the grid acts as a parasympathetic neural network to manage all normal situations. The grid has its Central Command Center (CCC) with multiple dashboards to generate real-time Business Intelligence readings. However, it will instantly mutate into a sympathetic neural network when an attack is detected, and trigger an army of agents (like the human B-cells) to track the virus and immobilize it. This is part of its Resilient Management characteristics.

Middle Layer: The Smart Vaccine Factory Grid: This is the main grid of CEWPS. Its main function is to build “acquired immunity” and immunological memory of attack episodes in the critical systems. The Smart Vaccine is more than the sum of its parts: it is the intersection of three versatile technologies (Grid, Autonomic and On-Demand Computing). It exchanges information with the Combat Command Center (3C). It is the kernel of the CEWPS™. The Smart Vaccine™ incrementally learns from its own vaccination episodes during the marshaling process. Graph-F shows the autonomic anatomy of the Smart Vaccine™.
Bottom Layer: The Critical Infrastructure Systems Grid: It connects all the critical systems of the infrastructure with the most sophisticated cloud middleware (Graph F-a) to deliver the necessary immuniware services. The Smart Vaccine™ Grid and the Critical Systems Grid are pathologically connected with neuron-like wide-band real-time connections, to achieve the most critical operation of the CEWPS™ during a severe surprise. The following services are performed autonomically:
The Holistic Implementation Methodology

The implementation of CEWPS™/Smart Vaccine is a composite of many collaborative efforts, logically clustered into six phases, as shown in Graph-G.
Phase-1 Build the Cyber Attack Knowledge Collection Grid (infrastructure)

One of the necessary prerequisites for the success of CEWPS™/Smart Vaccine™ is to collect historical data about attacks. The Digital Immune System (DIS) has to draw knowledge from the past and project it into the future. Ideally, there should be a “virtual” global Cyber Malware Grid that connects all law enforcement agencies in friendly countries. DHS’s Fusion Centers would play a pivotal role and would virtually be part of the grid. This massive grid would offer significant “raw” data on cyber-crime, terrorism and violent attacks in the world. This massive resource would give us almost every situation of the cybercrime continuum. Honeypot nets could also be another source for collecting malware.

Phase-2 Collect Cyber Attack Episodes

CEWPS™ will use "ontology" technology to classify and catalog all disparate attack episodes. Another term for ontology is "taxonomical hierarchy of items". Simplistically speaking, ontology is software to convert heterogeneous and unstructured pieces of information into a homogeneous fabric of knowledge. Oracle Spatial 11g, an option for Oracle Database 11g Enterprise Edition, delivers advanced semantic data management. With native support for the RDF/RDFS/OWL/SKOS standards, the Oracle semantic engine will enable us to transform attack episodes into normalized knowledge patterns. Graph G-a shows the raw data treatment.
Phase-3 Build the Cyber Attack Knowledge Engine (AKE)

Another compelling feature of the DIS is its arsenal of historical attack episodes catalogued in the Knowledge Database (KDE) as Bayesian Network (BN) patterns, which will be used for intelligent and predictive data mining, as well as for causal discovery. All attack episodes will be characterized by three vectors: classes (categories), attributes (properties), and relationships (logical axioms) among the episodes. The next step is to transform the clusters of parent-child nodes and their conditional probabilities into a unified knowledge Directed Acyclic Graph (DAG) before we do any reasoning. Each node represents a state with its conditional probability. The nodes are connected to show causality and direction of influence. Graph-H shows the graphical representation of a sample cyber-attack. A cyber-attack belief network is usually a complex structure with many clusters of concurrent events. Prediction and abduction require a joint probability distribution, which becomes impossible to compute by hand. We need a highly intuitive graphic tool to build a cyber-attack model and conduct reliable analysis, such as BayesiaLab or Charles River Software. Again, like the Human Immune System (HIS), prior attack episodes are collected, and through the Bayesian Belief Network (BBN) and the associated conditional probabilities of the prior episodes, we calculate, with the help of a probabilistic and causal reasoning engine, the posterior probability of an attack. CEWPS™/Smart Vaccine will rely heavily on historical patterns during the prediction of incoming attacks. The diagram below shows how unstructured attack episodes will be transformed into knowledge situations ready to serve as references in setting up early warnings and predicting attacks.

Phase-4 Build the Smart Vaccine and the Early-Warning Reasoning Engine

The Early Warning Reasoning Engine is the brain that performs the prediction of the attack. Pearl's causal and evidential reasoning will be applied before an intelligent early warning is broadcast. The Reasoning Engine (RE) will use forward and backward chaining on semantic attack-episode "patterns". Deliberation is validated with strict rules and assumptions. After many recursive searches and matching passes, the Reasoning Engine will eventually generate the optimal solution, including the consequences of the attack and what precautions have yet to be taken, as shown in Graph-I.
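The Bayesian reasoning described in Phase-3 and Phase-4 can be made concrete with a small belief network. The following is an added example, not code from the paper or from CEWPS™/Smart Vaccine™; the four-node DAG (Attack, Maintenance, Honeypot, GridFault) and every conditional probability in it are constructed assumptions, not figures the paper gives. It computes the posterior probability of an attack from evidence by enumerating the joint distribution, performs abduction (the most probable explanation of the evidence), and exposes the explaining-away effect a reasoning engine must handle: a grid fault on its own raises the belief in an attack, but a fault together with known scheduled maintenance lowers it again, so a naive rule "fault implies attack" would raise a false early warning.

```python
from itertools import product

# Constructed toy cyber-attack belief network in the spirit of Graph-H. The
# structure and every probability below are assumptions made for this example,
# not figures from the paper. Each node maps to its parents and a CPT giving
# P(node = True | parents), keyed by the tuple of parent values.
NETWORK = {
    "Attack":      {"parents": [],                        "cpt": {(): 0.02}},
    "Maintenance": {"parents": [],                        "cpt": {(): 0.10}},
    "Honeypot":    {"parents": ["Attack"],                "cpt": {(True,): 0.80, (False,): 0.05}},
    "GridFault":   {"parents": ["Attack", "Maintenance"], "cpt": {(True, True): 0.95,
                                                                  (True, False): 0.70,
                                                                  (False, True): 0.40,
                                                                  (False, False): 0.01}},
}
# Topological order: every node appears after its parents (required by joint()).
ORDER = ["Attack", "Maintenance", "Honeypot", "GridFault"]


def node_prob(name, value, assignment):
    """P(name = value | parents), read from the node's CPT."""
    spec = NETWORK[name]
    key = tuple(assignment[p] for p in spec["parents"])
    p_true = spec["cpt"][key]
    return p_true if value else 1.0 - p_true


def joint(assignment):
    """Joint probability of a full assignment: the chain-rule product over the DAG."""
    p = 1.0
    for name in ORDER:
        p *= node_prob(name, assignment[name], assignment)
    return p


def posterior(query, evidence):
    """P(query = True | evidence), obtained by summing out the hidden variables."""
    hidden = [v for v in ORDER if v != query and v not in evidence]
    mass = {}
    for qval in (True, False):
        total = 0.0
        for combo in product((True, False), repeat=len(hidden)):
            assignment = dict(evidence, **{query: qval})
            assignment.update(zip(hidden, combo))
            total += joint(assignment)
        mass[qval] = total
    return mass[True] / (mass[True] + mass[False])


def most_probable_explanation(evidence):
    """Abduction: the full assignment with the highest joint probability given the evidence."""
    hidden = [v for v in ORDER if v not in evidence]
    best, best_p = None, -1.0
    for combo in product((True, False), repeat=len(hidden)):
        assignment = dict(evidence)
        assignment.update(zip(hidden, combo))
        p = joint(assignment)
        if p > best_p:
            best, best_p = assignment, p
    return best


def early_warning(evidence, threshold=0.5):
    """Broadcast an alert only when P(Attack | evidence) reaches the threshold."""
    return posterior("Attack", evidence) >= threshold


if __name__ == "__main__":
    print("P(Attack | honeypot hit)        =", round(posterior("Attack", {"Honeypot": True}), 4))
    print("P(Attack | grid fault)          =", round(posterior("Attack", {"GridFault": True}), 4))
    print("P(Attack | fault, maintenance)  =",
          round(posterior("Attack", {"GridFault": True, "Maintenance": True}), 4))
    print("P(Attack | honeypot hit, fault) =",
          round(posterior("Attack", {"Honeypot": True, "GridFault": True}), 4))
    print("MPE given fault:", most_probable_explanation({"GridFault": True}))
    print("alert?", early_warning({"Honeypot": True, "GridFault": True}))
```

Enumeration is exact but exponential in the number of hidden variables, which is why the paper points to a dedicated tool for networks with many clusters of concurrent events; such tools use variable elimination or junction-tree propagation to get the same posteriors without visiting every assignment. The alert threshold is a policy choice: setting it too low turns routine maintenance faults into early warnings, setting it too high delays the vaccination response.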
Phase-5 Build the Prototype

Cyber-attacks are premeditated, pre-emptive acts of violence committed by perpetrators using a computer as a tool to attack computing facilities or critical infrastructures. Cyber-attacks can be predicted and even deterred with a well-trained “intelligent” system such as the CEWPS™/SV. In order to predict the arrival of a cyber-attack, we need three fundamental prerequisites. First, the need to acquire a good understanding of the domain of cyber-attacks, to collect and convert “prior” attacks into Bayesian Network models, and to catalogue them semantically into a knowledge base. Second, the need to build an “Early Warning” probabilistic reasoning engine to evaluate the causal and evidential relationships of each network, and to select the best decision within given constraints. And third, the need to build an “Early Response” vaccination unit so that Smart Vaccine agents can inoculate critical systems before the hostile event. Through stepwise refinement the prototype will acquire experience and reliability.

Phase-6 Prototype Testing and Evaluation

CEWPS/Smart Vaccine is an intelligent system that stores experience and learns from its own mistakes. Since malware is always in a boiling state, ready to unleash its terror energy, CEWPS/Smart Vaccine has to spend enough time in boot camp to get ready for the real battle.

The Electronic Pearl Harbor: The Cyber War Scenario

Everyone remembers the historical blasphemy of Pearl Harbor: On December 7, 1941, one of the largest American military defeats occurred. An entire naval fleet was destroyed; hundreds were killed, all before
On June the 3rd, 2003, the Northeastern region of the United States was hit by an unusual type of cyber attack called “The Virus Rain”. The attack caught the region by surprise, and hundreds of incident response teams scrambled to catch up with it. Systematically, progressing at 10-minute intervals, the attack spread very fast and hit the whole region like a hurricane, bringing down the power grid, followed by the metro rail grid, Amtrak, ATMs, and the telecom network. The Computer Emergency Response Team (CERT) estimates that over 200,000 different types of viruses were unleashed to paralyze the region. Later, it was referred to as “The Virus Rain®”! The Virus Rain® is a fictitious massive cyber-attack, but it may become reality soon. All the technologies of the attack are present today; more importantly, it would be fueled by anti-American sentiment. The Virus Rain™ was designed and launched from several remote stealth cyber launch pads. It hit the heart of New England with its payload of remote-control viruses, mutating stealth smart bombs, backdoor hemorrhoid zombies, autonomic heart-attack agents, and kamikaze agents. It was like the four horsemen of the Apocalypse, or the final battle of Armageddon. All this will be done on the Internet! The global malware market is maturing and is phenomenally open-ended, globalized, and virtually real. It is a sleeping giant ready to wake up anytime.

The Evil Supermarkets

There are 1500 virus supermarkets in the world, selling underground custom-made packaged attacks for different purposes. In fact, some governments have already built their cyber war labs to fabricate their own cyber weapons. The US is aware of such labs and has the capability to neutralize most attacks. The Pentagon plans to build several "cyber bunkers" to counter such invasions.
Most westernized nations have started to build defensive cyber bunkers, while other South East Asian

The Electronic Pearl Harbor is what could happen again, but this time the attack will be on the Internet. The attack would be launched from some unknown location in cyberspace. Cyber information war, here we come. All the famous forecasters two decades ago overlooked the Internet sleeping giant and ridiculed it as a fad like bobby socks or bubble gum. Today the digital world is controlled by a handful of “non-college” people who could blackmail any government. With the Early Warning Predictive System™ in place, stealth attacks will be caught by one of the trappers (“Honeypots”) on the Early Warning and Malware Collector Grid. The attacking object (“payload”) will be quietly intercepted and logged by stealth trapping tools. Preliminary attack data will be transferred to the Smart Vaccine Grid, where the knowledge engines will defuse the payload, reverse-engineer the internals of the attacking virus, and map and recognize its patterns, which are correlated ontologically and stored as knowledge representations for the proper vaccine prescription. The matched vaccine will be fabricated and dispatched to the Mission Critical Systems Grid, which is getting ready to receive the Smart Vaccine. The Smart Vaccine will be assembled according to a master workflow template, and a stealth wrapper will prepare its delivery to the target systems on the Mission Critical Systems Grid. At the receiving end, the Smart Vaccine instantiates the inoculation process of all critical systems, which become immune against the attacking object. The vaccination episode is then documented autonomically, sent back to the Grid Knowledge Headquarters for further analysis, and linked to the Longitudinal Vaccination Record. Graph-K gives an aerial view of the pathological functioning of the CEWPS™/SV environment.
Conclusion

The Digital Immune System (DIS) paradigm is the futuristic and holistic solution to the asymptotic limitation of the current Anti-Virus Technologies (AVT), and to the elimination of global cybercrime and terrorism. Since all cyber terror attacks can be mapped into the Bayesian Networks framework, and through probabilistic and evidential reasoning, deeper knowledge can be acquired about the anatomy of cybercrime and how to eradicate it, just as happened with the human immune system. We can take solace from the fact that the Digital Immune System will keep up with the crime and eventually be two steps ahead of it.
Dr. Rocky Termanini, CEO of MERIT CyberSecurity Group, is a subject matter expert in IT security and brings 46 years of cross-industry experience at national and international levels. He is an active member of the Los Angeles Electronic Crime Task Force (LAECTF). He is the designer of the “Cognitive Early-Warning Predictive System / The Smart Vaccine™”, which replicates the human immune system to protect the critical infrastructures against future cyber wars. Dr. Termanini holds a PhD in Artificial Intelligence from Yale. Dr. Termanini spent 5 years in the Middle East working as a security consultant in Saudi Arabia, Bahrain and the UAE. Professor Termanini’s teaching experience spans over 40 years. He taught Information Systems courses at Connecticut State University, Quinnipiac University, the University of Bahrain, and Abu Dhabi University, and lectured at Zayed University in Dubai. He can be reached at rocky@termanini.com and by mobile: + (203) 252-0604