SNICH

Sensor Network Intelligent Corruption Hunter (SNICH)

Accomplishments

What is it: SNICH is a defensive cyber tool that passively monitors mission-critical sensor streams to counter adversarial deception, detect and communicate evidence of anomalies, and ensure information confidence and mission resiliency.

Why we need it: Mission Defense Teams and Air Surveillance Operators are overwhelmed by the volume and velocity of incoming sensor data and lack the cognitive bandwidth to identify adversary attempts to modify, inject or remove sensor data in order to subvert the mission and distract operators from it.

Who Cares: The need for increased cyber situational awareness is driven by the EADS/WADS Commanders’ 2017 year-end report to USNORTHCOM CC and, more recently, by a memorandum to Air Combat Command, Pacific Air Forces, and COMD 1 CDN Air DIV from the NORAD Director of Operations, MAJ-GEN Christopher J. Coates, dated 18 JAN 2018. The statements by senior leaders are clear: there is an immediate requirement for technology to ensure data integrity and mission resiliency.

Accomplishments to date:

  • SNICH version 1.2 is installed and running on the EADS network
  • Over 62 anomaly types are detected, including:
    • Targets outside radar FOV, previously unseen in FOV, and spatial anomalies
    • ACP errors, radar parrot count, and parrot relative to target validation
    • CD2 message and ECGP payload replay detection
    • ECGP Frame and Message validation: unknown ARTCC, SiteID, pairings, codes, invalid fields, etc.
    • Radar Search and Beacon range, field validation, parity errors, etc.
    • Radar Search RTQC, Strobe, Status, Data Verification and Weather message validation
    • IP Header unknown source, destination, ports, protocols (whitelist capability)
    • Network control message validation: PIM, SNMP, ARP, OSPF, ICMP, TCP/UDP headers, MAC address, etc.
    • Message sequence, ordering, and timestamp anomalies
  • The machine learning and deep learning models detect anomalies that are previously unknown or have not occurred before (a "zero-day anomaly")
  • The SNICH API is complete and can provide anomaly information and data confidence information to Air Surveillance Operators using RS4, BCS-F, Pathfinder, etc.
  • Documentation includes User Guide, Quick Start Guide, SRS, and System Test Plan
  • SNICH has incorporated an agile development process based on iterative cycles of stakeholder review, design, development and test

Technical Innovation:

  • Three software components running in parallel detect evidence of cyber influence
    • Rule Based Analytics – Validate that messages conform to documented ICD and RSDB parameters.
    • Machine Learning – Flags radar messages which are inconsistent with historical norms for a specific ARTCC and site.
    • Deep Learning – Detects packet sequences which have been injected or removed (both message counts and message content).

SNICH employs three approaches in parallel to detect nefarious cyber influence: 1) rule-based analytics, which ensure sensor traffic conforms to interface specifications; 2) machine learning (ML) algorithms, which identify individual frames of anomalous sensor network traffic; and 3) deep learning (DL) algorithms, which detect anomalies in a sequence of frames. The learning algorithms establish what is normal from training on historical data. The combination of these three approaches ensures that both simple and sophisticated cyber-attacks can be detected.
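The three-layer approach described above, shown as an added illustration that is not SNICH code: a field-level rule check against a site whitelist and radar field of view, a per-frame z-score check against a site's historical range norm, and a sequence-level check for replayed payloads, counter gaps and out-of-order timestamps. The frame layout, site names, thresholds and traffic are all constructed for this example and do not reflect the real CD2/ECGP formats.

```python
import hashlib
import statistics
# Hypothetical frame layout (not the real CD2/ECGP format): site, seq counter, ts seconds, rng in nautical miles, payload bytes.
KNOWN_SITES = {"SITE_A", "SITE_B"}  # stands in for an RSDB-style SiteID whitelist
MAX_RANGE_NM = 250.0                 # hypothetical radar field of view

def rule_findings(f):
    """Rule-based analytics: field-level conformance to the interface spec."""
    out = []
    if f["site"] not in KNOWN_SITES:
        out.append("unknown SiteID")
    if not 0.0 <= f["rng"] <= MAX_RANGE_NM:
        out.append("target outside radar FOV")
    return out

def frame_findings(f, history, z_limit=3.0):
    """Per-frame check: range inconsistent with this site's historical norm (z-score)."""
    ranges = history.get(f["site"], [])
    if len(ranges) < 2:
        return []  # no baseline learned for this site yet
    mu, sigma = statistics.mean(ranges), statistics.pstdev(ranges)
    z = abs(f["rng"] - mu) / sigma if sigma else 0.0
    return ["range inconsistent with site history"] if z > z_limit else []

def analyze(frames, history):
    """Run all three detectors in one pass; return {seq: [findings]} for flagged frames."""
    findings, seen, prev = {}, set(), None
    for f in frames:
        issues = rule_findings(f) + frame_findings(f, history)
        digest = hashlib.sha256(f["payload"]).hexdigest()
        if digest in seen:                   # identical message content seen before
            issues.append("payload replay")
        seen.add(digest)
        if prev is not None:
            if f["seq"] != prev["seq"] + 1:  # counter skipped or repeated
                issues.append("sequence gap or duplicate")
            if f["ts"] < prev["ts"]:
                issues.append("timestamp out of order")
        if issues:
            findings[f["seq"]] = issues
        prev = f
    return findings

# Constructed traffic: a replayed frame, a counter gap with a stale timestamp, an unknown site.
HISTORY = {"SITE_A": [100.0, 110.0, 105.0, 95.0, 102.0]}  # constructed per-site baseline
FRAMES = [
    {"site": "SITE_A", "seq": 1, "ts": 1.0, "rng": 101.0, "payload": b"track-1"},
    {"site": "SITE_A", "seq": 2, "ts": 2.0, "rng": 101.0, "payload": b"track-1"},
    {"site": "SITE_A", "seq": 4, "ts": 1.5, "rng": 300.0, "payload": b"track-4"},
    {"site": "SITE_X", "seq": 5, "ts": 4.0, "rng": 99.0, "payload": b"track-5"},
]
```

Calling `analyze(FRAMES, HISTORY)` flags frames 2, 4 and 5 and leaves frame 1 clean; the rule layer catches specification violations, the per-frame layer catches values a site has never produced, and the sequence layer catches what no single frame reveals.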

Key capabilities:

  • Provide critical sensemaking capability to counter emerging threats in the cyber domain that result in impacts to NORAD Air Defense Operations.
  • Determine validity of target position and trajectory data which is required to prevail and maintain air superiority.
  • Leverage machine learning techniques to identify nefarious behaviors and indicators of cyber influence.
  • Determine mission readiness of cyber assets based on sensor data and attack vector analysis.
  • Provide collaborative visualization of cyber mission threats and strength of corresponding defenses.
  • Preserve corporate knowledge of mission constraints or threats and their effects across the organization/enterprise.
  • Provide real-time visibility and mission-level impact analysis as countermeasures against attacks launched by sophisticated adversaries whose actions would otherwise be detected only after mission readiness has been damaged.

Future Work:

  • Western Air Defense Sector (WADS) deployment
  • Advanced Battle Management System (ABMS) – SNICH has been developed as an extensible and modular capability and is well suited to ensuring data resiliency in ABMS sensors.
  • Long Range Radar data transmission checks
  • ASTERIX (All Purpose STructured EUROCONTROL Radar Information Exchange)
  • Automatic Dependent Surveillance–Broadcast (ADS-B)