NCASSR Technologies Featured At NCSA Private Sector Partners Meeting




Von Welch and Randy Butler of NCASSR (right and second from right) demonstrate the Palantir Cyber Investigation Environment to NCSA PSP Meeting attendees.

Two frameworks currently under development at the National Center for Advanced Secure Systems Research--Mithril, intended to protect large-scale systems from overwhelming attacks while maintaining site usability, and Palantir, which will enable the secure, collaborative investigation of large-scale cyberattacks--were highlighted at NCSA's Private Sector Partners Meeting, May 21-23, 2007.

Mithril: Adaptive, Flexible Site Security

Mithril is a lightweight, flexible security framework that easily adapts to changes in a site's security requirements with minimal effect on usability. It consists of a set of integrated security enhancements that both increase a site's security day-to-day and allow dynamic, temporary adaptations in security in response to a heightened threat level. These enhancements allow a site to maintain a high level of openness and usability during normal periods of operation, but respond quickly to increased threat levels with increased security while still serving key customers.

Mithril's core management system, based on Adaptable IDS, detects violations of the system's security policies; a correlated event detection feature enables serious intrusion attempts to be distinguished from run-of-the-mill "script kiddie" attacks. If an intrusion is detected that compromises user information and/or the system's integrity, the login policies are elevated from standard SSH, and users are required to log in using a one-time password token. Events are detected in several ways, including through use of a computer mouse biometrics algorithm that "learns" the mouse movements of authorized workstation users and detects unfamiliar mouse usage. System alert messages and communications between administrators responding to attacks are handled by Secure Email List Services (SELS), which protects these communications from eavesdropping intruders.

Mithril was the subject of one of several presentations highlighting NCSA-developed technologies during the Private Sector Meeting. Currently, SELS, Mithril's secure communications component, is being tested for deployment on TeraGrid and NCSA production systems.

Palantir: Collaborative Cyberattack Investigation

The Palantir Cyber Investigation Environment is aimed at law-enforcement professionals and system administrators of large computing networks who must collaborate to respond to and investigate cyberattacks and intrusions. It allows investigators to create secure, exclusive workspaces where they can communicate, share leads and results, and access a suite of tools for conducting investigative work.

Palantir incorporates several previously-developed NCASSR-supported technologies, including the Framework for Log Anonymization and Information Management (FLAIM), which allows users to "sanitize" sensitive data for use in investigations; integrated one-time password sign-on contributed by the PKI Laboratory; SELS, which enables the creation of secure email lists for user communities; Data to Knowledge (D2K), which provides data analytics tools for sifting through logfiles and identifying key relationships and patterns for investigation; and VisFlow, which provides Palantir's visualization capabilities.

Currently in prototype form, Palantir was one of the NCSA-developed technologies featured during the May 21 demonstration session. Although still in early stages of development, Palantir has already attracted interest from a broad variety of potential users in academia, industry, and government, and in the next several months the development team anticipates working closely with system administrators at NCSA and FBI cyber crime specialists to enhance the framework's usability.




SELS 0.7 released
Secure Email List Services (SELS) is open source software for creating and developing secure email list services among user communities.
 
Strong community engagement strengthens cybersecurity research and development
NCASSR-supported exploratory research at NCSA and elsewhere has sparked additional external funding and development opportunities as well as successful deployment and adoption by users ranging from the defense sector to state law enforcement to the utilities industry.
 
NCASSR Collaborator Goes To Washington
Carl Gunter, a professor in the University of Illinois Department of Computer Science and a project lead on NCASSR-supported work involving adaptive, secure messaging, recently spoke to an audience of congressional staffers and lobbyists on Capitol Hill regarding ways to address a variety of critical cybersecurity issues in areas such as healthcare and energy distribution.