Active Computer Network Defense

A Presidential Commission, several writers, and numerous network security incidents have called attention to the potential vulnerability of the Defense Information Infrastructure (DII) to attack. Transmission Control Protocol/Internet Protocol (TCP/IP) networks are inherently resistant to physical attack because of their decentralized structure, but are vulnerable to CNA. Passive defenses can be very effective in forestalling CNA, but their effectiveness relies on the capabilities and attentiveness of system administrators and users. There are still many measures that can be taken to improve the effectiveness of passive defenses, and one of these is active defense. It can be divided into three categories: preemptive attacks, counterattacks, and active deception. Preemptive attacks show little potential for affecting an adversary's CNA capabilities, since these are likely to remain isolated from the Internet until actually beginning their attack. Counterattacks show more promise, but only if begun early enough to permit all preparatory activities to be completed before the adversary's CNA is completed. Active deception also shows promise, but only as long as intrusions can be detected quickly and accurately, and adversaries redirected into "dummy" networks. Active and passive defense measures can work synergistically, to strengthen one another.