Correlation analysis of fleet information warfare center network incidents

Abstract

The Navy's Intrusion Detection process is currently reactive in nature. It is designed and programmed to detect and provide alerts to the Fleet Information Warfare Center (FlWC) of suspicious network activity while it is in progress, as well as to record/store data for future reference. However, the majority of activity taking place within and across Naval networks is legitimate and not an unauthorized activity. To allow for efficient access and utilization of the information systems sharing the network the Intrusion Detection Systems must be set at a level that filters out activity deemed as normal or non%hostile, while still providing an appropriate level of security. With this filtering in place an IDS system will not register all suspicious activity, and may not detect mild and seemingly harmless activity. When increasing security, limits must be imposed upon access. This thesis examines FIWC network incident data from 1999 to see if a correlation can be drawn between United States visibility in the foreign media during 1999 and the occurrence of suspicious network incidents. A positive correlation may provide advance-warning indicators that could lead to the development of a procedure for increasing security posture based on the current environment. These indicators would provide a more proactive method of defense, significantly reduce potential damage caused by hostile network incidents and provide for more efficient network activity.