Online surveillance of computerized systems – Analysis of current and future needs

M. Couture, A. Hamou-Lhadj, M. Dagenais, A. Goel, "Online surveillance of computerized systems – Analysis of current and future needs", NATO Joint Symposium (RTO SET-183 / IST-112), Quebec City, QC, 2012.

The rapid development of software and hardware technologies has led to a significant increase in the number and variety of computer systems and networks supporting command and control (C2) operations. Current operations may use any mix of hosts (any type of computerized system and its software). The risk of occurrence of errors or failures on these hosts has become increasingly larger over the years not only because of the rising complexity of the software and hardware, but also because of the larger number of cyber attacks and their ever-increasing sophistication and diversity. The presence of anomalies in a host may correlate with the presence of important security breaches. Some of these can be very hard to detect and eliminate. They can stay stealthy and dormant for long periods of time, maintaining hosts in a compromised state with the likely consequence of a serious impact on C2 operations when activated.
Current surveillance technologies running on these hosts are relatively limited in their ability to detect unwanted software behaviours and states. Significant improvements in the effectiveness of online host-level monitoring are necessary in order to ensure the dependability of services offered by the hosts during C2 operations. Operators and system administrators need continuously updated reports depicting detected anomalies and their potential impacts in order to be able to build and maintain situational awareness of their hosts, and to be able to react and/or pro-act in timely fashion to correct or prevent any problems. The nature of current and future cyber threats demands detection techniques that are able to cover the widest possible spectrum of anomalies. In this paper, approaches outlined in the "NATO Code of Best Practice for C2 Assessment" (COBP) [1] are utilized to study current and future needs in terms of technologies for online host-level surveillance, which can be considered as another component of C2. We first formulate problems that are specific to this domain and describe their characteristics and constraints according to the COBP prescriptions. An analysis of the various classes of Measures of Merit (MoMs) is then made in order to identify a number of potential solutions for the improvement of host-level surveillance, which could involve both current leading-edge and anticipated detection technologies.