professor Ruslan Smelianskiy 4. How can levels of Cyber Conflict and Cooperation be measured and compared across technical changes?

On Information Security, Karl Popper and a peasant

Information Security: What Are We Dealing With?

Outline

• Information Security: is it a science or is it an art?

• If it is a science, is it a natural one or is it a social science?

• If it is not an art, then even if it is engineering or applied science, should it be treated as a science?

• What does it mean “to be treated as a science”?

• What is the state of the art in Information Security as a kind of science?

• What do we have to do to treat Information Security as a science?

• What are the lessons from this?

Basic classification

“Art is the product or process of deliberately arranging items (often with symbolic significance) in a way that influences and affects one or more of the senses, emotions, and intellect.”

“Science (from the Latin scientia, meaning "knowledge") is an enterprise that builds and organizes knowledge in the form of testable explanations and testable predictions about the world.”

Basic classification

Formal Science

Natural Science

Social Science

Empirical Science

Structural Linguistics

Mathematics (apriority, calculus, axiomatic, logic)

Hypothesis, theories, Laws formulation

Physics

Chemistry

Biology

Semiotics

Psychology

Sociology

Social Engineering

Scientific method

• Observation is the quantitative or qualitative description/measurement of facts and phenomena. Abstractions have to be used in such descriptions.

• Analysis of observations is the systematic differentiation of significant ones from minor ones.

• Synthesis is the generalization of analysis results into a theory or hypothesis.

• Prediction is the derivation of consequences from a proposed theory or hypothesis by deduction, induction or some other logical method.

• Falsifying the predictions by experiment.

All data and the results should be treated critically on every level of consideration.

Certainty vs Science

• What distinguishes science from other kinds of knowledge-making activity (certainty) is the necessity to prove, to justify every theoretical consequence by experimental, empirical data.

• Karl Popper writes that scientific knowledge "consists in the search for truth", but it "is not the search for certainty"...

• Popper proposed falsifiability (the ability of theories to come in conflict with observation) as the landmark of empirical theories, and falsification (the search for observations that conflict with the theory) as the empirical method to replace verifiability and induction by purely deductive notions.

• “Belief in the omnipotence of science and the certainty about the continuity of the process of accumulation of scientific knowledge, the unknown remains so only temporarily, is a continuous stimulus to productive activity constantly updated scientific society.” (F.Karpa)

Information Security – Art or Science?

• IS = Social Science + IT (Computer Science)
  – Art (K. Mitnick, “The Art of Deception”)

• Information Security in the part of it that relates to Computer and Network Security

• This area of knowledge includes more than 40 years of development (Multics project, F. Corbató, MIT 1963)

[Timeline figure, 70s to 90s: Security Kernel; Develop Criteria and Make Available; Commercial Evaluations; TCB for System Composition; Formal Model for Access Policies; Internet Explosion]

Some statistics on Attack and Malware datasets

| Dataset name | Number of citations | Year of initial publication | Average citations per year |
|---|---|---|---|
| KDD Cup 99 dataset | 2,850 | 1999 | 237 |
| Vx heavens | 9,530 | 1999 | 794 |
| Anubis | 115 | 2007 | 28 |
| CWSandbox | 243 | 2006 | 48 |
| Wepawet | 25 | 2008 | 8 |

Datasets citation rates according to Google Scholar

Monitoring with Intrusion Detection Systems

• State of the art in network security monitoring
  – Over 200 research projects in intrusion detection since 1980
  – Major hardware vendors have IDS solutions: Cisco, IBM, Intel, etc.

• Over 30 specialized vendors like SourceFire, Arbor, Narus, etc.
  – http://www-rnks.informatik.tu-cottbus.de/en/node/209

• No common methods for IDS evaluation and comparison
  – Commercial testing available like NSS Labs: http://www.nsslabs.com/research/network-security/network-ips/

Monitoring standardization

• No currently available standards
  – NIST recommendations on intrusion detection give too general answers to these questions: where should an IDS be placed? How do we choose the appropriate type of IDS according to our needs? How do we tune it to gain optimal efficiency? http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf

• How can we trust the results of monitoring network security with such tools in a situation like the one we have now?

Two elephants

Moore’s law vs Gilder’s law

Target and Scope of Damage

Scope levels: Global Infrastructure Impact; Regional Networks; Multiple Networks; Individual Networks; Individual Computer

• 1st Gen (Weeks): Boot viruses

• 2nd Gen (Days): Macro viruses; Email; DoS; Limited hacking

• 3rd Gen (Minutes): Network DoS; Blended threat (worm + virus + trojan); Turbo worms; Widespread system hacking

• Next Gen (Seconds): Infrastructure hacking; Flash threats; Massive worm driven DDoS; Damaging payload worms

Time axis: 1980s, 1990s, Today, Future

Sophistication of hacker tools

[Chart: sophistication of hacker tools, from Low to High, over 1980, 1990, 2000. Items shown: Packet forging/spoofing; Password guessing; Self-replicating code; Password cracking; Back doors; Hijacking sessions; Scanners; Sniffers; Stealth diagnostics; Exploiting known vulnerabilities; Disabling audits]

Summary

It seems reasonable for the information security community and national governments to support developing open and public collections of up-to-date malware along with the results of its preliminary analysis. And what seems to be most important: it is necessary to recover the practice of publishing the raw experimental data on which the research results rely. The overall experience of the information security field and other natural sciences demonstrates that publicity of this kind always greatly encourages both the quality and quantity of research projects.

A parable

Once there was a peasant who had a horse and was considered a rich man in his village. He was envied. But when his horse went into the forest and never came back, his neighbours ceased to be jealous of him, and some even felt sorry for him. When his horse returned and brought with it one more horse, some again became jealous of him. And then his son fell from the horse and broke his leg. Many ceased to envy him. But then war began, all the young men were drafted into the army and were killed in the war, and his lame son was not taken, and some again became jealous of him. Only the peasant never grieved and never rejoiced about any of that. He could not, because he could not foresee the future and did not see any good in sadness and joy.

Conclusion

In our reality, the lack of pictures of the future can lead to irreversible consequences.