Notice

The material in this document is protected by the US copyright laws, and is provided solely to familiarize readers with the system CEWPS™ and the Smart Vaccine™. No part of this document can be used, copied, or reproduced in any form or fashion. Contact the author of the document regarding any information in this document.

Dr. Rocky Termanini, MERIT CyberSecurity™ Consulting July 10, 2013

The Cognitive Early Warning Predictive System™/the Smart Vaccine™: How to protect the Critical Infrastructures of the nation

For the Journal of Defense Software Engineering

By Dr. Rocky Termanini, CISSP, PE, July 10, 2013


Abstract

One of the great contributions to humanity was the discovery of the vaccine. Dr. Edward Jenner and Louis Pasteur share this honorable credit. Without adaptive immunity, one fourth of the human race would have been terminally ill. Building a Digital Immune System to combat cyber malware is one of the most innovative ideas that will soon become reality. This is the story of the digital Smart Vaccine.


Introduction

This paper brings a new dimension to the cyber security continuum. It describes the blueprint and the conceptual design strategy of an intelligent system called the Cognitive Early Warning Predictive System™ (CEWPS). CEWPS™ is the new Digital Immune System (DIS) because it follows the Human Immune System (HIS); in other words, it is the counterpart of the Human Immune System, applied solely to the digital world. CEWPS will be equipped with an ultra-fast broadband grid that will be used to accommodate heavy alert traffic, attack data and vaccination services. CEWPS is fully autonomic in handling surprise attacks (particularly for the critical infrastructure systems), and is designed to predict incoming massive attacks and issue “just-in-time” alerts to trigger a defense response. All this magic is done with the help of an autonomic agent that we call “The Smart Vaccine™”. Once the viral attack is recognized, an early warning alert is broadcast throughout the DIS grid. The Smart Vaccine quickly performs its “acquired immunity” function by delivering the proper vaccine and inoculating all systems on the grid. The attack is nullified and normal operations are transparently resumed. Subsequently, the attack episode is documented and stored in the Knowledge Base for vaccination support against future attacks.


There are two technical justifications for building the CEWPS™/SV. The first reason is the accelerated proliferation of cybercrime and cyber terrorism. Graph-A shows the accelerated progression and sophistication of malware vis-à-vis Anti-Virus Technologies. Malware engineers have succeeded in crafting diabolical rootkits, dismantling anti-virus code, and making the most venomous payloads to contaminate the world with.




The second reason is that the state of the art of Anti-Virus Technologies (AVT) is suffering from innovation stagnation. AVT is still struggling with first-level malware such as SPAM, Phishing and ID Theft. Trojans such as Stuxnet, Duqu and Flame have outpaced AVT; they have sent a strong wake-up call with their autonomic self-configuring, self-navigating and predictive intelligence. For two decades AVT did not offer a truly innovative solution that could match the accelerating sophistication of cyber terrorism. Cyber terrorism is the beast that can destroy our critical infrastructures, threaten our economy and disrupt our societal welfare. Our critical infrastructures are openly vulnerable, and AVT was not designed to handle large-scale defense, nor was it designed to provide a holistic shield against cyber terrorism. Another big hole is the Analog/Digital control systems such as SCADA.

The objective of CEWPS™/Smart Vaccine is to fill the gap and provide an integrated security shield to match the potency of cyber terrorism. Graph-B shows the leading position of CEWPS™/Smart Vaccine Malware technology and AVT state-of-the-health. With such advanced concepts, it behooves the government and the private sector to review the state of the current technology and transition their defensive strategy to include an early warning predictive system and digital immunity.

We need to remember that OEM operating systems have had only a very basic innate immunity, like the immunity humans are born with. No system has been designed with the adaptive immunity that comes with vaccination, with the capability to recognize the attack and remember it.




CEWPS™/SV Grounded Concept & Analogy with the Human Immune Systems

One way to outsmart the growing danger of cyber malware is to look at the contributions of the Human Immune System (HIS) and try to replicate it for the digital world. CEWPS™/The Smart Vaccine was designed to work like the HIS. Let’s look at the compelling analogy of the two systems: when the human body is attacked by a pathogen (bacteria or virus), the pathogen penetrates the skin, its poison (antigen) is quickly recognized by the B-cells, and an antibody (defense unit) is sent to quarantine the attacking object. The killer cells dispose of it, and in the meantime the memory cells remember the attack episode and keep a sample of the antigen for the next battle. Graph-C illustrates how the remarkable Human Immune System uses a “defense by offense” mechanism to eradicate sickness.




The CEWPS™/Smart Vaccine™ is also designed to use a “Defense by Offense” mechanism before the virus contaminates other computers or even mutates into another object. When an attacking virus penetrates a computer through email or Microsoft Internet Explorer, CEWPS™/Smart Vaccine™ will quickly recognize the foreign virus, neutralize it and quarantine it. CEWPS™ will issue an early warning to the other systems on the grid. The Smart Vaccine will intercept the roaming worm and inoculate the other critical systems with the proper vaccine (code). The Virus Knowledge Base will store the attack episode for future reference. All systems will be up without any interruption.

Graph-D illustrates the magic work of the Smart Vaccine™ within the CEWPS™ environment.




Business-centric Drivers

There are two significant drivers that justify the rapid adoption of the CEWPS™/Smart Vaccine. The first driver is to offer a cognitive early warning system to all critical infrastructures and mission critical systems in the country. The escalating cyber terrorism directed at the United States from hostile countries is a major threat to our economic and societal prosperity. For example, an Electronic Pearl Harbor attack on a metropolitan power grid could create havoc in several major cities with astronomical financial losses.

The second driver is that the state of the art of Anti-Virus Technology (AVT) is still behind the technology curve, as shown previously in Graph-B. None of the AVT is fully autonomic, grid-centric, or artificially intelligent enough to reason about and predict an attack.

CEWPS™/SV addresses the gaps in today's technology by offering a holistic predictive approach to protect mission critical infrastructure.


Proposed Solution Framework

CEWPS™/Smart Vaccine™ is engineered, after the human body, with loosely coupled grids that provide virtualization and communicate with one another at a highly intelligent semantic level. The objective is to achieve a high level of concurrency and parallel reliability, as shown in Graph-E. If one layer goes down, the other layers keep performing until the system fixes itself and the three grids resume normal operation.




Top Layer: The Early Warning and Malware Collecting Grid: It has the cognitive intelligence to detect and quarantine all incoming stealth attacks, recognize their origin, identify their structure and payload, and dispatch alert messages to the Smart Vaccine and Critical Systems grids. The Early Warning grid is the radar of CEWPS™. It is made of honeypots, booby-traps, reasoning engines, and detection semantic knowledge engines. Furthermore, the grid acts as a parasympathetic neural network to manage all normal situations. The grid has its Central Command Center (CCC) with multiple dashboards to generate Business Intelligence real-time readings. However, it will instantly mutate into a sympathetic neural network when an attack is detected, and trigger an army of agents (like the human B-cells) to track the virus and immobilize it. This is a part of its Resilient Management characteristics.


Middle Layer: The Smart Vaccine Factory Grid: is the main grid of CEWPS. Its main function is to build “acquired immunity” and immunological memory of attack episodes in the critical systems.


The Smart Vaccine is more than the sum of its parts; it is the intersection of three versatile technologies (Grid, Autonomic and On-Demand Computing). It exchanges information with the Combat Command Center (3C). It is the kernel of the CEWPS™. The Smart Vaccine™ incrementally learns from its own vaccination episodes during the marshaling process. Graph-F shows the autonomic anatomy of the Smart Vaccine™.




Bottom Layer: The Critical Infrastructure Systems Grid: It connects all the critical systems of the infrastructure with the most sophisticated cloud middleware (Graph F-a) to deliver the necessary immuniware services. The Smart Vaccine™ Grid and the Critical System Grid are pathologically connected with neuron-like wide-band real-time connections, to achieve the most critical operation of the CEWPS™ during a severe surprise. The following services are performed autonomically:



The Holistic Implementation Methodology

The implementation of CEWPS™/Smart Vaccine is the composite of many collaborative clustered logically into six phases, as shown in Graph-G.




Phase-1 Build the Cyber Attack Knowledge Collection Grid (infrastructure)

One of the necessary prerequisites for the success of CEWPS™/Smart Vaccine™ is to collect historical data about attacks. The Digital Immune System (DIS) has to draw knowledge from the past and project it into the future. Ideally, there should be a “virtual” global Cyber Malware Grid that connects all law enforcement agencies in friendly countries. DHS’s Fusion centers would play a pivotal role and would virtually be part of the grid. This massive grid would offer significant “raw” data on cybercrime, terrorism and violent attacks in the world. This massive resource would give us almost every situation of the cybercrime continuum. Honeypot nets could be another source for collecting malware.


Phase-2 Collect Cyber Attack Episodes

CEWPS™ will use "Ontology" technology to classify and catalog all disparate attack episodes. Another term for ontology is "taxonomical hierarchy of items". Simplistically speaking, ontology is software to convert heterogeneous and unstructured pieces of information into a homogeneous fabric of knowledge. With Oracle Spatial 11g, an option for Oracle Database 11g Enterprise Edition, Oracle delivers advanced semantic data management. With native support for the RDF/RDFS/OWL/SKOS standards, the Oracle semantic engine will enable us to transform attack episodes into normalized knowledge patterns. Graph G-a shows the raw data treatment.




Phase-3 Build the Cyber Attack Knowledge Engine (AKE)

Another compelling feature of the DIS is its arsenal of historical attack episodes catalogued in the Knowledge Database (KDE) as Bayesian Network (BN) patterns, which will be used for intelligent and predictive data mining, as well as for causal discovery. All attack episodes will be characterized by three vectors: classes (categories), attributes (properties), and relationships (logical axioms) among the episodes.



The next step is to transform the cluster of parent-child nodes and their conditional probabilities into a unified knowledge Directed Acyclic Graph (DAG), before we do any reasoning. Each node represents a state with its conditional probability. The nodes are connected to show causality and direction of influence. Graph-H shows the graphical representation of a sample cyber-attack.


A cyber-attack belief network is usually a complex structure with many clusters of concurrent events. Prediction and abduction require a joint probability distribution, which becomes impossible to compute by hand. We need a highly intuitive graphic tool to build a cyber-attack model and conduct reliable analysis, such as BayesiaLab or Charles River Software.


Again, like the Human Immune System (HIS), prior attack episodes are collected, and through (BBN) and the associated conditional probabilities of the prior episodes, we calculate, with the help of probabilistic and causal reasoning engine, the posterior probability that an attack.
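The posterior calculation described above, worked through on a small belief network, as an added example that is not from the paper or the CEWPS design: the four nodes, their DAG and every probability are constructed for illustration. It enumerates the joint distribution to do both prediction (cause to effect) and abduction (effect to cause).

```python
from itertools import product

# Constructed belief network (assumption, not taken from the paper).
# Each node maps to (parents, CPT); the CPT gives P(node=True | parent values).
NETWORK = {
    "scan":  ((), {(): 0.20}),           # perimeter scanning observed
    "phish": ((), {(): 0.10}),           # phishing campaign under way
    "intrusion": (("scan", "phish"), {
        (True, True): 0.80, (True, False): 0.30,
        (False, True): 0.40, (False, False): 0.01}),
    "honeypot_alert": (("intrusion",), {(True,): 0.90, (False,): 0.05}),
}
ORDER = list(NETWORK)  # topological order: parents appear before children


def joint(assignment):
    """Probability of one full assignment: product of P(node | parents)."""
    p = 1.0
    for node in ORDER:
        parents, cpt = NETWORK[node]
        p_true = cpt[tuple(assignment[parent] for parent in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def posterior(query, evidence):
    """P(query=True | evidence), summing the joint over the hidden nodes."""
    hidden = [n for n in ORDER if n != query and n not in evidence]
    totals = {True: 0.0, False: 0.0}
    for query_value in (True, False):
        for values in product((True, False), repeat=len(hidden)):
            assignment = dict(evidence, **dict(zip(hidden, values)))
            assignment[query] = query_value
            totals[query_value] += joint(assignment)
    norm = totals[True] + totals[False]
    if norm == 0.0:
        raise ValueError("evidence has zero probability under the model")
    return totals[True] / norm


if __name__ == "__main__":
    # Prior belief, before any evidence arrives.
    print("P(intrusion)                  =", round(posterior("intrusion", {}), 4))
    # Prediction: reasoning from an observed cause to a downstream effect.
    print("P(honeypot_alert | scan)      =",
          round(posterior("honeypot_alert", {"scan": True}), 4))
    # Abduction: reasoning from an observed effect back to its causes.
    print("P(intrusion | honeypot_alert) =",
          round(posterior("intrusion", {"honeypot_alert": True}), 4))
    print("P(phish | honeypot_alert)     =",
          round(posterior("phish", {"honeypot_alert": True}), 4))
```

Enumeration visits 2^n assignments, so it only suits a handful of nodes; that growth is the reason the text calls the hand calculation impossible for a realistic network.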




CEWPS™/Smart Vaccine will rely heavily on historical patterns during the prediction of incoming attacks. The Diagram below shows how unstructured attack episodes will be transformed into knowledge-situation ready to serve as reference in setting up early warnings and predicting attacks.


Phase-4 Build the Smart Vaccine and the Early-Warning Reasoning Engine

The Early Warning Reasoning Engine is the brain that performs the prediction of the attack. Pearl's causal and evidential reasoning will be done before an intelligent early warning is broadcast. The Reasoning Engine (RE) will use forward and backward chaining on semantic attack episode "patterns". Deliberation is validated with strict rules and assumptions. After many recursive searches and matches, the Reasoning Engine will eventually generate the optimal solution, including the consequences of the attack and what precautions have yet to be taken, as shown in Graph-I.




Phase-5 Build the Prototype

Cyber-attacks are premeditated pre-emptive acts of violence committed by perpetrators using a computer as a tool to attack computing facilities or critical infrastructures. Cyber-attacks can be predicted and even deterred with a well-trained “intelligent” system such as the CEWPS™/SV. In order to predict the arrival of a cyber-attack, we need three fundamental prerequisites. First, the need to acquire a good understanding of the domain of cyber-attacks, to collect and convert “prior” attacks into Bayesian Network models, and to catalogue them semantically into a knowledge base. Second, the need to build an “Early Warning” probabilistic reasoning engine to evaluate the causal and evidential relationships of each network, and to select the best decision within given constraints. And third, the need to build an “Early Response” vaccination unit so Smart Vaccine agents can inoculate critical systems before the hostile event. Through stepwise refinement the prototype will acquire experience and reliability.


Phase-6 Prototype Testing and Evaluation

CEWPS/Smart Vaccine is an intelligent system that stores experience and learns from its own mistakes. Since malware is always in a boiling state, ready to unleash terror energy, CEWPS/Smart Vaccine has to spend enough time in boot camp to get ready for the real battle.


The Electronic Pearl Harbor, The Cyber War Scenario

Everyone remembers the historical blasphemy of Pearl Harbor: On December 7, 1941, one of the largest American military defeats occurred. An entire naval fleet was destroyed; hundreds were killed, all before

    1. am on Sunday. The US did not have any knowledge of this attack, partially because of ignorance. The Japanese attack on the US naval base of Pearl Harbor was a classic case of "It will not happen to me!" …




      On June the 3d, 2003, the Northeastern region of the United States was hit by an unusual type of cyber attack that is called “The Virus Rain”.

      The attack caught the region by surprise and hundreds of incident response teams scrambled to catch up with the attack.


      Systematically and with a progression at 10-minute intervals, the attack spread out very fast and hit the whole region like a hurricane, bringing down the power grid, followed by the metro rail grid, Amtrak, ATMs, and the Telecom network. The Computer Emergency Response Team (CERT) estimated that over 200,000 different types of viruses had been unleashed to paralyze the region. Later, it was referred to as “The Virus Rain®”!


      The Virus Rain® is a fictitious massive cyber-attack, but it may become reality soon. All the technologies of the attack are present today; but more importantly, it will be fueled with anti-American sentiment. The Virus Rain™ was designed, and launched from several remote stealth cyber launch pads. It hit the heart of New England with its payload of remote-control viruses, mutating stealth-smart bombs, backdoor hemorrhoid zombies, autonomic heart-attack agents, and kamikaze agents. It was like the four horsemen of the Apocalypse, or the final battle of Armageddon. All this will be done on the Internet!

      The global malware market is maturing and is phenomenally open-ended, globalized, and virtually real. It is a sleeping giant ready to wake up anytime.

      The Evil Supermarkets

      There are 1500 virus supermarkets in the world, selling underground custom-made packaged attacks for different purposes. In fact, some governments have already built their cyber war labs to fabricate their own cyber weapons. The US is aware of such labs and has the capability to neutralize most attacks. The Pentagon plans to build several "cyber bunkers” to counter attack such invasion. Most westernized nations have started to build defensive cyber bunkers, while other South East Asian

      The Electronic Pearl Harbor is what could happen again, but this time the attack will be on the Internet. The attack would be launched from some unknown location in cyberspace. Cyber Information war, here we come. All the famous forecasters two decades ago overlooked the Internet sleeping giant and ridiculed it as a fad like bobby socks or bubble gum. Today the digital world is controlled by a handful of “non-college” people who could blackmail any government.

      With the Early Warning Predictive System™ in place, stealth attacks will be caught by one of the trappers “Honeypots” on the Early Warning and malware collector grid. The attacking object “payload” will be quietly intercepted and logged by stealth trapping tools.


      Preliminary attack data will be transferred to the Smart Vaccine Grid, where the Knowledge engines will defuse the payload and reverse-engineer the internals of the attacking virus; patterns will be mapped and recognized, correlated ontologically, and stored as a knowledge representation for the proper vaccine prescription. The matched vaccine will be fabricated and dispatched to the Mission Critical System Grid, which is getting ready to receive the Smart Vaccine.


      The Smart Vaccine will be assembled according to a master workflow template, and a stealth wrapper will prepare its delivery to the target systems on the Mission Critical Systems Grid. At the receiving end, the Smart Vaccine instantiates the inoculation process of all critical systems, which become immune against the attacking object. The vaccination episode is then documented autonomically, sent back to the Grid Knowledge Headquarters for further analysis, and linked to the Longitudinal Vaccination Record.

      Graph-K gives an aerial view of the pathological functioning of the CEWPS™/SV environment.



      The Value Proposition

      The viability to commercialize CEWPS™/Smart Vaccine™ seems very promising due to four important factors. First, CEWPS™/Smart Vaccine can be used as a “multi-tenant” delivery model on the cloud. The service would be called Vaccination as a Service (VaaS). CEWPS™ will be the first system that offers cyber vaccination services on the cloud. Second, CEWPS™/Smart Vaccine™ is a holistic solution that will be built on solid technologies such as autonomic computing, grid computing, on-demand computing. Third, the CEWPS™/Smart Vaccine™ cloud would offer infinite scalability, larger bandwidth, and high virtualization. Fourth, the cloud would offer the best techno-economic option to quickly prototype CEWPS™/Smart Vaccine and demonstrate the benefits.

      The CEWPS/Smart Vaccine™ will be the best solution adopted by the public and private sectors. There are more than 30,000 federal agencies, and state, county and city governments that are potential buyers for homeland security products and services in the United States. Approximately $22b of a $60b Federal IT budget is directed towards internal cyber security efforts.


      In the commercial segment, Fortune 1,000 organizations represent the best opportunity to subscribe to the CEWPS™/Smart Vaccine services. IT security expenditures in Fortune 500 companies are exceeding $12 billion. Having CEWPS™/Smart Vaccine on the cloud can combine the best of three worlds: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Vaccination as a Service (VaaS), all combined into one package. Graph-L illustrates the operation.



      Conclusion

      The Digital Immune System (DIS) paradigm is the futuristic and holistic solution to the asymptotic limitation of the current Anti-Virus Technologies (AVT), and to the elimination of global cybercrime and terrorism.


      Since all cyber terror attacks can be mapped into the Bayesian Networks framework, deeper knowledge can be acquired, through probabilistic and evidential reasoning, about the anatomy of cybercrime and how to eradicate it, like how it happened with the human immune system. We can take solace from the fact that the Digital Immune System will keep up with the crime and eventually be two steps ahead of it.


      References

      1. Bnet.builder, About Bayesian Belief Networks, Charles River Analytics, 2005

      2. Adnan Darwiche, Modeling and Reasoning with Bayesian Networks, Cambridge University Press, 2009

      3. Richard Murch, Autonomic Computing, IBM Press Series, Prentice Hall, 2004

      4. Joshy Joseph, Craig Fellenstein, Grid Computing, IBM Press Series, Prentice Hall, 2004

      5. Judea Pearl, Causality, Models, Reasoning, and Inference 2d Edition, Cambridge University Press, 2010



      6. The White House, The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, February 2003

      7. Rocky Termanini, Predicting Suicide Bombing in Newark NJ, Paper presented to DHS NJ 2010

      8. Dr. Rocky Termanini, Holistic Strategy to Protect the Critical Infrastructures, December 2007

      9. Rocky Termanini, The Electronic Pearl Harbor revisited, Paper presented at The American Society of Military Engineers, NJ 2004

      10. Jiri Vomlel, Two applications of Bayesian Networks, Laboratory for Intelligent Systems, 1998.


Dr. Rocky Termanini, CEO of MERIT CyberSecurity Group, is a subject matter expert in IT security and brings 46 years of cross-industry experience at national and international levels. He is an active member of the Los Angeles Electronic Crime Task Force (LAECTF). He is the designer of “Cognitive Early-Warning Predictive System/ The Smart Vaccine™” which replicates the human immune system to protect the critical infrastructures against future cyber wars. Dr. Termanini holds a PhD in Artificial Intelligence from Yale.

Dr. Termanini spent 5 years in the Middle East working as a security consultant in Saudi Arabia, Bahrain and the UAE. Professor Termanini’s teaching experience spans over 40 years. He taught Information Systems courses at Connecticut State University, Quinnipiac University, University of Bahrain, Abu Dhabi University, and lectured at Zayed University in Dubai. He can be reached at rocky@termanini.com and by mobile: + (203) 252-0604