Entropy-Trust-Homology Operational Security (ETHOS™)

The ETHOS™ method is used for securing trust based on the information exchanged between the different nodes of a sensor network.  The initiative investigated various trust metrics and algorithms to define a set of trust metrics that use information entropy as the basis for calculating the reputation of particular nodes.

In this U.S. Air Force Research Laboratory (AFRL) – Wright-Patterson AFB funded effort KBSI developed an Entropy-Trust-Homology Operational Security (ETHOS™) method for securing trust that is based on the information exchanged between the different nodes of a sensor network.  Trust entropy metrics are created based on both the patterns of information entropy flow between nodes and on usage behavior.  Usage behavior includes both user behavior (user monitoring) as well as CPU behavior (process monitoring).  Each node in the system creates a set of trust metrics that corresponds to the set of directly observable neighboring nodes.  A trust metric that reflects the reputation of a particular node could then be calculated by the direct and indirect querying of nodes in the network.

The ETHOS™ research effort investigated various trust metrics and algorithms with the goal of defining a set of trust metrics that use information entropy as the basis for calculating the reputation of particular nodes.  Algorithms that modify trust values on the fly and that are able to share information concerning node reputation throughout the network were also researched.

Sensor networks gather and exchange large amounts of information.  Even small, mesh-based sensor networks with loose interconnections could easily produce data in the order of several gigabytes per day.  We explored graph based data mining (GDM) and homological techniques for processing and filtering large data sets.  GDM originated out of efforts to develop graph compression algorithms by detecting common sub patterns in graphs and efforts to detect function from protein shapes in the human genome.  This analysis provided frequency statistics of network traffic patterns over time that can be used to detect covert threat activity.  Homological techniques have their inception in the study of comparative genomics.  One of the main thrusts of comparative genomics is the establishment of a correspondence between genes in different organisms.  Homological algorithms are designed for traversing large amounts of binary-like (GATC) data to find minute and non-random variations.  The ETHOS™ technology will use these capabilities to traverse large amounts of usage data and detect the differences in usage and communication patterns.

The ETHOS™ method addresses the functions of Security Information Management Systems (SIM), Event Correlation Systems (ECS), IDS, Intrusion Prevention Systems (IPS), and vulnerability analysis.  Commercial products that could be developed from the ETHOS method include an intrusion detection system based on the data mining of entropy data and a trust metric simulator.  The intrusion detection system could include a variant of KBSI’s Personal Data Prospector (PDP®) data exploration and Business Intelligence tool suite for the detailed analysis of results and for generating reports of the results.

Phase II Development

webbanner_dataminingdiscforeIn Phase II of the initiative, KBSI is extending the ETHOS™ method and using it as the foundation for designing and configuring an ETHOS™ experimental framework and Wireless Sensor Network (WSN) test environment.  These components will provide:

  • Trusted-sensor network modeling and simulation;
  • Experimental design framework for cross-validating simulation results with data mining, graph data mining, homological analysis;
  • TinyOS based node configuration and simulated WSN assembly;
  • A sensor-motes hardware brassboard WSN environment for ETHOS testing of the trust-based algorithms.

The ETHOS™ method that enabled node-to-node communication behavior observation and provides the technology’s robust monitoring and trust metric determination, will also be developed in Phase II.  The method’s node-trust metrics are aggregated to determine a trust baseline that the nodes then use to route information and alert neighboring nodes of unusual behavior.  Using the baseline metrics, the network can reroute data around malicious nodes and take into account, for example, standards of energy efficiency, location awareness, and quality of service.  The ETHOS approach is highly resistant to new variants of attacks and does not require a priori signature analysis, certificate authorities, or a centralized policy structure.