Network traffic is a critical part of evaluating real-time end-to-end network trust. This project will leverage our mature commercial network traffic analysis system, FlowTraq, to design and implement a powerful new system, which we call FlowTrust, to evaluate real-time trust scores of networked computer systems based on observed network traffic. By the time a network component is identified as having suffered a breach or fault, that component will have interacted with many others in its network. Components not directly compromised by an intrusion may be secondarily compromised by sending sensitive information to a compromised host, by being logged into from that host, or by acting on tainted information. Loss of trust can thereby cascade from host to host. Re-establishing end-to-end network trust therefore requires determining the timing, nature, and participants of all suspect communications, so that compromise cascades can be identified and halted as they occur. FlowTrust builds on principles of flow analysis and epidemiology to determine the extent to which a trust breach permeates a network. It accomplishes this by categorizing network sessions according to their potential to propagate negative trust, flagging risky communications as they occur, and facilitating fast identification of compromised hosts.
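The cascade described above, worked through as an added example (not FlowTrust or FlowTraq code): flow records are replayed in time order from a seed host breached at a known time, each session is classified by the three propagation modes named in the text (login from a suspect host, sensitive data sent to a suspect host, input received from a suspect host), and risk attenuates per hop so that trust scores fall with distance from the seed. The `Flow` fields, the class weights, the login services and the bulk-transfer threshold are assumptions chosen for illustration.

```python
from collections import namedtuple

# One flow record: start time (constructed, arbitrary units), endpoints,
# service label, and bytes sent from src to dst.
Flow = namedtuple("Flow", "t src dst service bytes_out")

# Assumed weights: how strongly each session class carries risk to the other endpoint.
WEIGHTS = {"login_from_suspect": 0.8, "data_sent_to_suspect": 0.5, "input_from_suspect": 0.3}
LOGIN_SERVICES = {"ssh", "rdp"}
BULK_BYTES = 100_000  # assumed size above which a transfer counts as sensitive data

def classify(flow, risk):
    """Return (reason, origin, victim) if this session can carry negative trust, else None."""
    src_r, dst_r = risk.get(flow.src, 0.0), risk.get(flow.dst, 0.0)
    if src_r > 0 and flow.service in LOGIN_SERVICES:       # logged into from a suspect host
        return "login_from_suspect", flow.src, flow.dst
    if dst_r > 0 and flow.bytes_out >= BULK_BYTES:         # sensitive data sent to a suspect host
        return "data_sent_to_suspect", flow.dst, flow.src
    if src_r > 0 and flow.bytes_out > 0:                   # acting on tainted input
        return "input_from_suspect", flow.src, flow.dst
    return None

def cascade(flows, seed, t0):
    """Propagate risk forward in time from `seed` (breached at t0); return (trust, flagged)."""
    risk, flagged = {seed: 1.0}, []
    for f in sorted(flows, key=lambda x: x.t):   # time order: only earlier risk can spread
        if f.t < t0:
            continue                              # sessions before the breach cannot carry it
        if (verdict := classify(f, risk)) is None:
            continue
        reason, origin, victim = verdict
        new_risk = risk[origin] * WEIGHTS[reason]  # attenuate per hop, like an infection chain
        if new_risk > risk.get(victim, 0.0):
            risk[victim] = new_risk
            flagged.append((f.t, f.src, f.dst, reason, victim))
    trust = {h: round(1.0 - risk.get(h, 0.0), 2) for f in flows for h in (f.src, f.dst)}
    return trust, flagged

# Constructed sample flows; web01 is the seed breached at t=8.
FLOWS = [
    Flow(5,  "db01",  "web01", "https", 2_000),    # before the breach: ignored
    Flow(10, "web01", "app02", "ssh",   4_000),    # login from the seed
    Flow(12, "fs03",  "web01", "smb",   250_000),  # bulk data sent to the seed
    Flow(15, "app02", "db04",  "ssh",   1_000),    # second-hop login
    Flow(20, "db04",  "rpt05", "https", 500),      # third hop: tainted input
    Flow(25, "ws06",  "app02", "https", 300),      # small request to a suspect: no risk class
]
```

Running `cascade(FLOWS, "web01", 8)` flags four sessions and leaves `db01` and `ws06` at full trust; because records are replayed in time order, a host can only spread risk through sessions that start after the session that tainted it, which is the timing constraint the text calls out.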
Benefit: The resulting system will greatly aid in real-time evaluation of end-to-end network trust in a live system, including not only DoD networks but also those of trust-sensitive commercial organizations such as cloud storage providers, banks, and hospitals. It will be capable of tracking intrusions and potential breaches of data confidentiality and data integrity through multiple network hops, allowing instantaneous assessment of the scope of the loss of trust. The principles developed will be applicable to the analysis of a wide variety of network systems, including complex hardware, multiple-host software installations, and systems-of-systems. Although FlowTrust will be most useful as part of a comprehensive end-to-end network trust analysis system, on its own it will be commercially useful in a wide variety of network security applications. A software embodiment of this system will be offered for sale as a tool for live monitoring of intrusions and malware infections, and for sophisticated network forensics, allowing in-depth after-the-fact tracing of security breaches.