Deception with emulation is a very good idea to protect our systems. Not like former security strategies designed to keep the attacker outside our systems, which are sometimes powerful but maybe will attract the attacker to invest more efforts in order to break into the system. Deception with emulation can make the attacker feel that they are successful and stop attacking voluntary. It is better to pierce the balloon to exhaust the air until the balloon explodes.

But there are some issues we should consider in the application of emulation.

First, how to make the fake system look like a real system. The blog post said if we assign a variable to the ip address respond, the attacker can never know whether it is a emulation shell or real system. However, If we just generate some information and store in the emulation system, next time the attacker will find out that the data is same as last time. So, we should generate data regularly to keep the fake system looks dynamic. To accomplish this goal, the quality of the data generated is important.

However, there is another problem if we use this approach. For example, if the attacker wants to break into the database system of Amazon, in order to verify whether the system is fake, he may intentionally order one product from Amazon and check whether the order exists in the database. If not, it must be a fake system.

This becomes a dilemma.

One solution is to encrypt all the verifiable data. Of course, this can confuse the attacker and slow down the attack. However, it’s costly to encrypt data in real system since it will greatly affect the system performance. And if the attacker knows that we only encrypt emulation system. This approach collapse by itself.

What is cyberconflict? There is not a clear, official definition of cyberconflict yet. Based on my understanding, cyberconflict is political motivated conflict between two or more nations in order to disrupt opponents’ digital systems and protect own systems. Not like traditional kinetic warfare, cyberconflict is conducted by engineers and scientists. Cyberconflict can happen at anytime and finish in a short time. This requires the defender to effectively detect the attack and respond to it quickly.

What is damage assessment? Damage assessment can be divided into two aspects. The first is defensive damage assessment. It analyzes when the attack happened, the magnitude of the damage caused and the approach of the attacker(can this happen again?). The second is offensive damage assessment. it is from the attacker’s point of view. It analyzes the damage caused in the opponent’s system and elicit feedback from the system to see if we need attack again or can break into the system again in the future.

For example, if one found his house has been broken in. From his point of view(DDA), he wants to know when did the burglary happen, what did the burglars take and how did they come in. From the burglars’ point of view, they want to know what can be taken from the house, did the owner find out and did he replace the older lock wich a more powerful one and can they break into the house again.

Damage assessment is very important in both sides of cyberconflIct. Without damage assessment, the defender will have more severe lose and the offender will waste much time and money with no return.

In the defender’s side, when an attack is detected, damage assessment can help them to find out which part of the system is damaged and the other parts of the system can no longer rely on the information, at least temporarily. When a cyberconflict happens with military conflict. The damage assessment can tell the commander the lose in the military capability caused by the atttack and the commander can understand the ir situation in the war and make better decision. What’s more, by analyzing the strategy the attackers using, the defender can evaluate whether the damage can happen again in the same place, or, in other places of the system, there are potential possibility to be attacked again using the same strategy .

In the offender’s side, damage assessment can help them know the damage caused in the opponent’s side and thus they can know whether the attack is successful or not. And by eliciting feedback from the victim system, the offender can know whether the defender has set up an efficient way to fix the damage or not. If not, maybe they can attack the opponent again using the same strategy or even attack another part of the opponent’s system that has the similar defense strategy.

These are all benefit of damage assessment in a cyberconflict and they are in low level(in the context of a particular conflict). However, when we have the damage assessment information of many attacks(no matter from the defender or the offender), we can integrate these information together and from a higher level we can understand the macroscophic damage of cyberconflict can be caused. For example, can cyberconflict coerce the economic system of a nation? What’s the power of cyber attack in a large-scale conflcit between countries? Is it more effective than nuclear weapon? Understanding the impact of cyberconflict and our own capability in the cyberconflict can also help the government make better decision of the political strategy. For example, to sign a treatee of not to use cyberconflcit or not.

All in all, damage assessment is very important in cyberconflcit. It is the metrics of cyberconflcit. With out damage assessment, we cannot know the power and impact of cyberconflict. Just like we need to calculate the Return of Investment after we commit an investment. Otherwise the investment is meaningless.

Ma zhi-jun; Chen li; Zhang yi-zhen, “BDA information management and decision support based on DW,” Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, 2007. SNPD 2007. Eighth ACIS International Conference on , vol.2, no., pp.384-387, July 30 2007-Aug. 1 2007

DOI 10.1109/SNPD.2007.364

Since I have worked as an DW intern, this paper prompts some very interesting questions.

Since we have many systems in battle damage assessment, with the sharp increase of data, it will be very hard to analyze damage with so many systems. The traditional RDBMS can only provide superficial information. We cannot do in-depth analysis such as the subtle relationship between data. The result is that we have huge amount of data but most of them are useless. The problem is called “data rich, knowledge poor”. The second problem is that because our existing systems are developed by different people at different time, the data format in each system is also different. And also, there must be some incorrect data during system bugs, wrong operation by people or some other reasons. The quality of data will greatly influent the result of data analysis. By using data warehouse, one obvious pros is that we can integrate all the information from seperated systems together and provide a uniform view for the users, like the commander.

But there are some other problems of using data warehouse in battle damage assessment.

The first problem is that since data warehouse integrates all the information needed to do battle damage assessment, will it become a major attack target of our enemy? Nowadays, most commercial data warehouses have at least one backup system in case of earthquake, hurricane and some other disasters. But in military usage, even you have back systems, the enemy can attack both of them. Since our analysis is totally based on one node — the DW, the risk is very high.

Second, almost all data warehouses around world are doing analysis based on historical data. In the other word, today is Sep 14th, we will update the date generated on Sep 13th into DW today. Because it is costly to continiously update DW whenever new data is generated or old data is modified. As far as I know, only Walmart’s DW has the ability to analyze what products are out of stock dynamically. But it is only a small portion of the data warehouse not the whole. So, is it practical to update DW from time to time in BDA?

In Ma’s paper, they argue that storing sleeping data is meaningless and we should detect and delete sleeping data. I am not sure whether we need old data in BDA since I am new to this area. But according to my understanding of DW and the definition of DW, their argument is wrong. Data warehouse in non-volatile which means that there are a lot of query and upsert(update and insert) operation in DW, but we seldom delete date from DW. One of the purpose of data warehouse is to record all the changes of the data in the history. This is one significant difference between DW and RDBMS. For example, if we have a table recording the balance of a user, in RDBMS, we only record the current balance of the account, however, in DW, if the user have balace of $200 at first and then spends $100, we will not update 200 to 100, we will add one row store the new value, which is 100. The old row, represent the change of balance in the history.

What is Cyberconflict?

According to James Mulvenon, the deputy director for advanced studies and analysis in the Defense Group Inc.’s Center for Intelligence Research and Analysis. “Cyberconflict is the conduct of large-scale, political motivated conflict based on the use of offensive and defensive capabilities to disrupt digital systems, networks, and infrastructures, including the use of cyber-based tools”. In other words, the battlefield of the cyberconflict is the Internet, no soldier dies because of the conflict. The attack is from invisible forces.

In the foreseeable future, large scale war will not happen around the world. But it does not mean we are safe. One characteristic of cyberattack is asymmetric which means that armed with technology, small country could also start a battle against powerful large state.

What are the possible methods for attacking?

First, someone maybe will conduct a attack to affect the economic system. America cannot afford to being attacked in the New York Stock Exchange system.

Second, our civilian infrastructure maybe attacked. For instance the attack can cause the disconnection of Internet. Because of the importance of Internet today, this will also cause huge damage.

Third, to incite the civilians through Internet. An easy way to accomplish this way is to post information against the current party or government on the World Wide Web. In China, this problem is severe. People often receive emails including URLs which direct them to some websites about the ‘crime’ of CPC. Chinese government has setup a firewall to filter this kind of websites. But the following problem is whether the government’s defense influenced the civilian liberty.

What’s more, the directest way is by attacking the military facilities. Like in a battle, the attacker can manipulate the command and thus mislead the troop and decrease the battle capability.

So, there is an urgent need to pay attention to the subject of cyberconflict. What are the possible risk of the existing systems? How can we setup powerful defense mechanisms? how can we effectively assess the damage after an information incident?

These are all related to cyberconflict studies. And I am very interested in this area, this blog wii be a track of my progress in this area.