
IEEE MILCOM 2005 - 2005 IEEE Military Communications Conference - Atlantic City, NJ, USA (17-20 Oct. 2005)

CORRELATING NETWORK SERVICES WITH OPERATIONAL MISSION IMPACT

Jeffrey E. Stanley, Robert F. Mills, Richard A. Raines, Rusty O. Baldwin

Air Force Institute of Technology

Wright Patterson AFB, OH

ABSTRACT

Correlating network events (device failures, network attacks, etc.) with mission or operational impact has traditionally been an ad hoc, manually intensive process. In this paper, we present a solution to the problem of correlating network events with the effect on the overall mission. Our approach is based on best practices identified in the Information Technology (IT) Infrastructure Library, which provides a framework for aligning IT services with the customer's operational requirements. Our solution, the Mission Service Automation Architecture (MSAA), correlates network traffic flows to operational capabilities using configuration management databases and independent software agents that encapsulate IT service management codes into network packet headers. Further, the MSAA automates and enhances the capability of network monitoring, access, and configuration mechanisms and provides increased levels of network security, awareness, performance, and control.

INTRODUCTION

Historically, the role of IT was a support function to help make organizations more efficient. IT was viewed as a "back office" support function, and IT investments were often made in an ad hoc, uncoordinated manner, with little thought about how well these investments supported the overarching business or mission. This mindset has changed significantly over the last decade. IT is no longer viewed as a utility, but as a strategic asset that not only supports key business strategies, but enables new ones [1].

This trend is true in both the commercial and the government/military sectors. Industry continues to develop novel e-business and e-commerce solutions, which in turn open up new business frontiers in the "new economy". The Department of Defense (DoD) concept of network centric warfare is very similar and emphasizes the key role of IT in enabling and delivering "better synchronizing effects in the battlespace, achieving greater speed of command, and increasing lethality, survivability, and combat responsiveness" [2].

Authors are with the Department of Electrical and Computer Engineering, U.S. Air Force Institute of Technology, 2950 Hobson Way, Wright-Patterson AFB, OH 45433.

The views expressed in this article are those of the authors and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the U.S. Government.

The continuing integration of IT into military and business operations has raised the stakes for those tasked with managing and providing information technology (IT) services. In an era where the business is IT-enabled, IT failures can be catastrophic, rather than merely annoying or inconvenient. This is especially a problem when there is not a clear linkage between the underlying IT infrastructure and the IT-enabled business processes that are being supported.

When an IT service is lost, disrupted or otherwise degraded, it is difficult to analyze the specific impact the event has on the mission because the links to the customers' particular missions and/or business services are not readily known. It is also difficult to determine the scope of the immediate impact of an outage, because the particular users affected by the outage are not readily known.

To compound matters, the IT providers and end-users speak different languages. The operational community speaks in terms of "time-over-target", "engagement areas", and "effects based operations." IT organizations, on the other hand, tend to be IT-focused instead of customer-focused. As such, IT personnel talk in terms of "bits per second", "bandwidth and throughput", and "network latency"... arcane terms that mean nothing to the operational commander who only wants to know "so what?" when there is a network event.

In this paper, we present ideas on how improving the linkages between IT services and military operations would solve the problem of understanding the impact of network events on ongoing missions and bridge the gap between the operators and the IT providers.

IT SERVICE MANAGEMENT CONCEPTS

Our proposed solution resulted from an in-depth study of current management concepts concerning the successful employment of IT services, in both the private sector and military domains. In the commercial sector, a business service is any process, transaction, or service that is central to how a company conducts business and generates revenue. Some military support functions map well to the business sector, such as financial management, human resources, and security administration. More traditional military functions would also include command and control (C2), intelligence, surveillance and reconnaissance (ISR), and tactical strike operations.

For example, consider an aircraft sortie. Related mission capabilities (business services) supporting the mission include mission planning, air traffic control, loading of equipment and/or weapons, and coordinating communication between the command post and the air operations center. Clearly, there are many IT services (communications networking, databases, and file transfers, to name a few) that support these mission functions. The challenge is establishing the link between various IT services to the supported mission services. It is the authors' belief that the IT Infrastructure Library (ITIL) provides insight into solving this problem.

ITIL was introduced by the former British Central Computer and Telecommunication Agency in 1989. Basically a collection of best practices, ITIL was developed to help IT organizations evolve from a reactive, best-effort mindset to a more proactive, measured, customer-oriented approach to providing IT services. While efforts to improve the effectiveness of IT service management (ITSM) existed previously, ITIL represents the first attempt to develop a complete ITSM methodology and has become the de facto standard for ITSM. The British Office of Government Commerce revised ITIL and re-released it in 2001.

Though not as detailed as the ITIL specification, British Standard 15000 is built upon the ITIL specification and provides a formal standard for implementing the main concepts of ITIL [3], [4]. Figure 1 presents the management processes required by the BS 15000 standard to achieve IT service management success.

[Figure 1 diagram, process groups and their processes:
Service Delivery Processes: Capacity Management; Service Continuity and Availability Management; Service Level Management; Information Security Management; Service Reporting; Budgeting and Accounting for IT Services
Control Processes: Configuration Management; Change Management
Release Processes: Release Management
Resolution Processes: Incident Management; Problem Management
Relationship Processes: Business Relationship Management; Supplier Management]

Figure 1. British Standard BS 15000

Two main points considered from the analysis of ITSM literature for designing a method to efficiently correlate network events with operational mission impact are the ideas of (1) strategic alignment and (2) configuration management. To assess the impact of any network event to a business (mission) service, the relationships between IT services and business processes must be known. This information must be formally documented, recorded, and shared with those who plan, implement, and maintain those services. This would occur as part of the alignment process.

IT SERVICE ALIGNMENT

Our objective is to align IT services with the supported mission services. Only then can we effectively and efficiently predict the impact of network events on the overall mission. Alignment ensures that (1) IT services add value to the organization, and (2) any risks associated with implementation of new capabilities are mitigated, thereby preserving value [5].

Alignment is achieved by identifying all IT services that support and affect IT-enabled mission capabilities. Note that this is a bidirectional challenge. First, IT personnel require a thorough understanding of the mission functions and how they are related. Second, operators (users) must understand how their activities make use of the IT infrastructure. Without this knowledge, it is very difficult for IT personnel to deliver meaningful performance information to operational commanders. It is also difficult to make strategic investment decisions when these linkages are not well understood.

Figure 2 illustrates the concept of IT Governance and how IT service management principles are used to achieve alignment at the lower levels in the organization. Figure 3 depicts the same concept as it would apply to the Department of Defense and its implementation of Joint Vision 2020 and network centric warfare.

Figure 2. IT Governance and IT Service Management

Figure 3. Joint Vision 2020 / Network Centric Warfare

CONFIGURATION MANAGEMENT DATABASE

After services are identified and aligned, IT components and devices that enable these services should be identified and brought under configuration control. Configuration management starts with policies defining what constitutes a configuration item and the level of detail to be recorded for its components. These configuration items should be recorded and the relationships between items also documented. This is necessary not only to conduct problem management, but to perform impact assessment for effective capacity planning, and change management.

The BS 15000 code of practice specifies all configuration items be uniquely identified and recorded in a configuration management database (CMDB). The CMDB plays a critical role in our vision for correlating IT events with operational mission impact, as will be discussed later.

As with any other database, the CMDB should be actively managed and verified to ensure readability and accuracy. The status of configuration items, their versions, location, related changes, problems, and associated documentation must be visible to those who need it for the CMDB to be most useful [3:19-20]. However, write/update access should be limited to maintain integrity of the database.

Note that the CMDB database itself does not need to be one large database hosted in a central location. In fact, it is only necessary that the appropriate records can be shared and correlated when necessary. This suggests that efficient distributed system design and implementation techniques could be used. For example, web services could provide this functionality, where multiple local databases exchange information using standardized web messages when needed.

MISSION SERVICE AUTOMATION ARCHITECTURE

In this section, we develop a Mission Service Automation Architecture (MSAA) which will allow efficient correlation of IT events to operational mission impact. The underlying concept that forms the basis of the MSAA model is to use the CMDB to maintain the interrelationships among services, components, and users, as shown in Figure 4. The MSAA solution first requires that all IT-enabled business services for which impact analysis is to be provided are identified and given a unique service ID code. Next, we require that all enabling IT components (devices, applications, processes, procedures) that are necessary to provide quality service are identified and are also given a unique component ID. Specific methods for doing this are presented in [6] and [7].

[Figure 4 diagram: the Service Provisioning Department, Service Delivery Engineers, Workgroup Manager, Management, and Help Desk each connect to the CMDB through an interface. Labels on the diagram: Service IDs, Component IDs, Alignment Relationships; User IDs, Access Rights; Impact Correlation, Service Reporting.]

Figure 4. CMDB Operation

The operation of the CMDB is best described in the following examples. Suppose there is an interface to the CMDB which is located in the Service Provisioning department. Every time the IT organization agrees to (or is tasked to) provide an IT service to a customer, they populate the CMDB with all necessary service level agreement (SLA) information (e.g., service rates, times, quality of service, maintenance schedules etc.) and include a unique service ID code for each service provided in the SLA, including what business process or mission capability the service supports.

The engineers in the Service Delivery department now begin planning how to provide the service. As they procure and install necessary equipment, circuits, hardware and software to provide the service, they record each item (component ID) through their interface to the CMDB, including component configuration information, specifications, and costs. In some cases, the component ID can also be stored directly in the device itself.

The service ID codes associated with each component can be obtained by sending a request to the CMDB. Likewise, the Service Provisioning department can now receive the details of all service components and aggregate service costs by querying the CMDB for the desired service-related components.

The end-user organization maintains a connection to the CMDB as well and populates it with user ID information. When a new user requests access to any services covered under a specific SLA, the local CMDB interface requests information relating to the applicable service ID codes for that SLA. Further requests to the CMDB provide all associated end-user applications or equipment information which can be used by the local administrator when setting up user permissions and access rights for the new user.

Once the CMDB has been populated with these ITSM codes, we begin to see how it can be used to monitor and correlate services, components, and users in real time. Monitoring is accomplished using configuration agents that reside on the managed devices in the network, and can be described as follows.

First we consider how service information can be captured in real time. Many network applications perform software license management. When an application is executed, it registers with a license server to obtain a floating license, as shown in the lower part of Figure 5. License management is a form of configuration management; its intent is to ensure only a certain number of authorized users are able to use an application (service). Another example of how service ID information can be monitored in real time is the Service Location Protocol, in which applications query a directory agent for a list of registered services.

[Figure 5 diagram: three registration paths to the CMDB. Top: Component Installation, with IP and Component ID Registration. Middle: User, with Authentication & User ID registration. Bottom: Software License & Service ID Registration.]

Figure 5. Service ID Assignment and Registration

Figure 5 shows how a request by the configuration agent to the CMDB server can provide the appropriate ITSM code for that application. A relevant set of credentials must be provided to the CMDB server to receive the service ID code. For example, this could include the name of the application executable. The CMDB record, which contains information about the application, must have a field that matches the credentials supplied to the CMDB so that a request for service ID can be matched based on a query of the database using the credentials supplied.

The user ID code could be obtained in a similar method, as shown in the middle path in Figure 5. Assuming that the user ID code registration process is integrated with the network access and authentication mechanisms, the operating system could obtain the user ID upon login by querying the CMDB or authentication server. The agent sending information would request the user ID code information from the operating system.

Finally, component IDs can be registered in much the same way that IP addresses are registered using dynamic host control protocol (DHCP). During component installation, a request containing a predefined set of credentials, such as a hardware address or component serial number, is sent to the CMDB, and the database responds with the component ID along with all of the services associated with that device. This is shown in the top part of Figure 5. Although the service ID information is not necessarily needed, it can be useful in providing increased configuration control and security.

In this manner, the ITSM codes can be automatically assigned and maintained in the CMDB. Each code is stored by the configuration agent running on the device and is available for retrieval when requested.

MAPPING FAILURES TO SERVICE IMPACT

Assuming the information in the CMDB is current and accurate, we begin to realize the goal of correlating network events and mission impact. Queries of the CMDB will provide information on (1) services available via the network, (2) network devices and components (hardware or software) supporting those services, and (3) users who are allowed to access those services. The next step is to inject the ITSM codes into the network to facilitate automated (and real time) impact analysis.

Consider an example of a network interface failure. Topological information indicating the location of the network device could limit the scope of the impact to a limited subset of users inside the device's boundary, or identify the most heavily affected user group.

However, a service (mission) is affected by the failure only if there is no other device that can provide access to the same service. Furthermore, users are affected only if they were trying to use the service at the time the device failed.

A promising solution to this challenge is to include metadata about services and users directly in the packets and connections. When a particular network link fails, packets begin to queue at neighboring routers. A list of service IDs and user IDs for traffic flows in the queues would indicate explicitly the immediate impact of the outage.

There are several ways in which the ITSM codes could be included in the network data. One example would be to use the destination options field in the Internet Protocol version 6 (IPv6) packet header [6]. Note that the codes do not need to be implemented as separate fields. A single code could be derived by combining the service and user IDs using a reversible encoding algorithm. All that is required is that the service ID and user ID be extracted from packets traversing the network.

Flow tables would be created throughout the network simply by reading the appropriate fields of each packet and storing that information locally. Many current network management protocols already include the capability to perform advanced performance metric collection. Unfortunately, the inability to relate these metrics to specific users and services often results in statistics that are meaningless to many high-level managers and commanders. Including the ITSM codes therefore offers the capability to immediately identify supported services and users. It also provides a rich context from which to provide meaningful service performance reporting and network status visualization, as described in the next section.
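The failure-to-impact mapping described in this section can be sketched as follows. This is an added example, not code from the paper or from [6]: the 16-bit packing of service and user IDs into one code, the CMDB contents, the component names and the flow entries are all constructed assumptions.

```python
"""Added example: outage impact from ITSM codes carried in traffic flows."""
from dataclasses import dataclass

ID_BITS = 16  # assumed width of each ID; the paper does not fix a format


def encode_itsm(service_id: int, user_id: int) -> int:
    """Combine a service ID and a user ID into one reversible 32-bit code."""
    limit = 1 << ID_BITS
    if not (0 <= service_id < limit and 0 <= user_id < limit):
        raise ValueError("service_id and user_id must each fit in 16 bits")
    return (service_id << ID_BITS) | user_id


def decode_itsm(code: int) -> tuple:
    """Recover (service_id, user_id) from a combined code."""
    return code >> ID_BITS, code & ((1 << ID_BITS) - 1)


# Constructed CMDB extract: service names, user names, and the alignment
# relationship between component IDs and the service IDs they enable.
SERVICES = {101: "mission planning", 102: "air traffic control"}
USERS = {7: "planner.a", 8: "planner.b", 9: "controller.c"}
COMPONENT_SERVICES = {
    "RTR-1": {101, 102},
    "RTR-2": {102},
}


@dataclass(frozen=True)
class QueuedFlow:
    """A flow-table entry read at a router next to the failed link."""
    component_id: str  # component the flow was routed through
    itsm_code: int     # combined code read from the packet header


# Constructed flow-table entries at the moment of the failure.
FLOWS = [
    QueuedFlow("RTR-1", encode_itsm(101, 7)),
    QueuedFlow("RTR-1", encode_itsm(102, 9)),
    QueuedFlow("RTR-2", encode_itsm(102, 8)),
    QueuedFlow("RTR-1", encode_itsm(555, 8)),  # service not aligned to RTR-1
]


def assess_failure(failed: str, flows: list) -> dict:
    """Return the per-service impact of one component failure.

    A service is 'lost' only when no other component in the CMDB provides
    it; a user is listed only if one of their flows was using the failed
    component. Flows whose service ID the CMDB does not align to the
    component are returned separately, since they indicate CMDB drift.
    """
    report = {}
    for sid in sorted(COMPONENT_SERVICES.get(failed, set())):
        alternates = sorted(
            cid for cid, sids in COMPONENT_SERVICES.items()
            if cid != failed and sid in sids
        )
        report[sid] = {
            "service": SERVICES.get(sid, "unknown"),
            "status": "available" if alternates else "lost",
            "alternates": alternates,
            "active_users": set(),
        }
    unaligned = []
    for flow in flows:
        if flow.component_id != failed:
            continue  # this flow never touched the failed component
        sid, uid = decode_itsm(flow.itsm_code)
        if sid in report:
            report[sid]["active_users"].add(USERS.get(uid, f"unknown:{uid}"))
        else:
            unaligned.append((sid, uid))
    for entry in report.values():
        entry["active_users"] = sorted(entry["active_users"])
    return {"services": report, "unaligned_flows": unaligned}


if __name__ == "__main__":
    result = assess_failure("RTR-1", FLOWS)
    for sid, entry in result["services"].items():
        print(sid, entry)
    print("unaligned:", result["unaligned_flows"])
```

The unaligned entry is the case worth alerting on: traffic carrying a service ID the CMDB does not associate with that component means either the database is stale or the code in the packet is not trustworthy.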

TRAFFIC FLOW ANALYSIS

Table 1 lists information typically used to describe a network traffic flow. This data is contained in network packet headers and can therefore easily be extracted as the packets propagate through the network.

Table 1. Typical Traffic Flow Record
Source IP Address
Destination IP Address
Start Time
End Time
Source Port
Destination Port
IP Protocol
Bytes
Number of Packets

Tools can monitor and profile traffic flows to understand and better manage network traffic and services. By examining and processing information contained in the packets, many relationships between devices and the IT services supported by the network can be deduced. In addition to service discovery and monitoring, flow analysis has application for enhancing automated capabilities of other IT service management functions. This includes enhancements to application monitoring, user monitoring and profiling, service capacity and availability planning and analysis, accounting and financial management [8], network situational awareness visualization [9] [10], intrusion detection [11], and finally, information security management capabilities [12].

Figure 6 illustrates the utility of traffic flow analysis for network situational awareness displays. The figure contains network flows plotted with source and destination IP address at the base, and destination port on the vertical axis. Each point in this space represents a distinct traffic flow. Traffic visualization can quickly identify malicious traffic flows, such as port scans, host scans, and network worms. It is easy to quickly identify the attacking range of IP addresses, the IP address of the victim machine, and the range of targeted ports because this information can be read from the coordinates of the attack plot.

[Figure 6 plot: axes Source IP Address, Destination IP Address, and Port #; labelled regions: Port Scan, Denial of Service Attack.]

Figure 6. Traffic Flow Visualization of DDoS Attack

Similarly, Figure 7 shows how traffic flow analysis can be used to visualize resource utilization. Inbound and outbound traffic flows are easily identified, and user groups appear as clusters in a small IP address range. Color-coding and other visualization methods could be used to quickly identify heavily used applications (ports) and IP addresses.

[Figure 7 plot: axes Source IP, Destination IP Address, and Port #; labelled regions: Inbound Connections, Outbound Connections, User Group.]

Figure 7. Network Status and Resource Utilization

What is missing from these visualizations, however, is the ability to quickly correlate port information to supported business services and IP addresses to particular users. Correlating these traffic flows to their supporting operational capabilities and users still remains a manual process. Including ITSM codes in network packet headers would make this correlation explicit, providing rapid and concise operational impact analysis, performance reporting, and situational awareness.
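The following added example (not from the paper) shows the correlation step this section says is missing. It groups Table 1 flow records along the three axes of Figure 6 to flag scan and denial-of-service patterns, then names the supported services at the target from a CMDB lookup. The threshold, the addresses, the CMDB contents and the flow records are constructed assumptions.

```python
"""Added example: classify flow patterns and map targets to services."""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    """The Table 1 fields of a traffic flow record."""
    src_ip: str
    dst_ip: str
    start: float
    end: float
    src_port: int
    dst_port: int
    protocol: int
    byte_count: int
    packet_count: int


THRESHOLD = 20  # assumed cut-off for "many" distinct ports, hosts or sources

# Constructed CMDB extract: the service delivered at each (address, port).
SERVICE_AT = {
    ("10.0.0.10", 443): "mission planning",
    ("10.0.0.20", 5060): "command post communications",
}


def services_on(ip, port=None):
    """Services the CMDB places on a host, optionally on one port only."""
    return sorted(
        name for (addr, p), name in SERVICE_AT.items()
        if addr == ip and (port is None or p == port)
    )


def classify(flows):
    """Return sorted (kind, source, target, services_at_risk) findings."""
    ports_by_pair = defaultdict(set)      # one source probing one host
    hosts_by_src_port = defaultdict(set)  # one source sweeping many hosts
    srcs_by_target = defaultdict(set)     # many sources on one service
    for f in flows:
        ports_by_pair[(f.src_ip, f.dst_ip)].add(f.dst_port)
        hosts_by_src_port[(f.src_ip, f.dst_port)].add(f.dst_ip)
        srcs_by_target[(f.dst_ip, f.dst_port)].add(f.src_ip)

    findings = []
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= THRESHOLD:
            findings.append(("port_scan", src, dst, services_on(dst)))
    for (src, port), hosts in hosts_by_src_port.items():
        if len(hosts) >= THRESHOLD:
            at_risk = sorted({s for h in hosts for s in services_on(h, port)})
            findings.append(("host_scan", src, f"port {port}", at_risk))
    for (dst, port), srcs in srcs_by_target.items():
        if len(srcs) >= THRESHOLD:
            findings.append(("dos", f"{len(srcs)} sources",
                             f"{dst}:{port}", services_on(dst, port)))
    return sorted(findings)


def sample_flows():
    """Constructed records: two normal flows, one port scan, one flood."""
    flows = [
        Flow("10.0.1.5", "10.0.0.20", 0.0, 30.0, 40001, 5060, 17, 9000, 60),
        Flow("10.0.1.6", "10.0.0.20", 2.0, 31.0, 40002, 5060, 17, 8000, 55),
    ]
    for port in range(1, 51):  # one source walking 50 ports on one host
        flows.append(Flow("203.0.113.5", "10.0.0.20", 5.0, 5.1,
                          50000, port, 6, 60, 1))
    for i in range(1, 41):  # 40 sources converging on one service port
        flows.append(Flow(f"198.51.100.{i}", "10.0.0.10", 6.0, 20.0,
                          51000, 443, 6, 500000, 4000))
    return flows


if __name__ == "__main__":
    for finding in classify(sample_flows()):
        print(finding)
```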

IMPLEMENTATION CHALLENGES

Probably the biggest challenge to our proposed architecture lies in creating and maintaining the CMDB databases. While most people realize the value of rigorous configuration management controls, the sad reality is that configuration management generally falls low in the IT priority queue. Too often, change management processes represent speed bumps in the path of progress, and there is more interest in getting things done quickly and cleaning up the paperwork after the fact.

During our research, we studied established DoD and Air Force network management doctrine and mapped them against the ITIL standards defined in BS15000 (Figure 1). Several critical service delivery management, release management, and relationship management processes as defined in BS15000 are not mentioned at all. Further, configuration and change management processes are mentioned in established doctrine, but they are generally not well defined, nor are these processes mature in many Air Force IT organizations.

On the positive side, resolution management (incident and problem management) processes are discussed in depth and tend to be more mature in military IT organizations. Not surprisingly, information security management processes are also quite mature in the context of the BS15000 framework.

Our findings indicate that military IT organizations are very good at securing the network and resolving problems. Implementing the concepts identified in this paper, however, will require significant effort in maturing our IT service management processes. ITIL and IT Governance concepts are gaining momentum. As leaders embrace the idea that IT is no longer a support function but critical to their operations, change management will likely receive more attention in the future.

SUMMARY

In this paper, we presented an overview of the Mission Service Automation Architecture (MSAA) model for performing rapid assessment of operational mission impact as a result of network events, such as device failures, network worms, etc. Our approach uses a configuration management database, configuration agent applications, and IT service management code encapsulation to correlate network components and traffic flows to operational services and users.

The success of the MSAA will require many changes in the way military organizations currently conduct network management and configuration control. If implemented, however, it will use, integrate, and enhance the capabilities of many existing management and information assurance technologies, providing rapid impact analysis, relevant performance reporting, and accurate network situational awareness.

REFERENCES

[1] J. N. Luftman, P. R. Lewis, and S. H. Oldach, "Transforming the Enterprise: The Alignment of Business and Information Technology Strategies," IBM Systems Journal, Vol 32, No. 1, 1993.

[2] Arthur L. Money, Assistant Secretary of Defense (C3I). "Report of Network Centric Warfare: Sense of the Report." Report to the Congress, Section 934 of the Defense Authorization Act for FY01. March 2001. Online at http://www.dod.mil/nii/NCW/ncw_sense.doc.

[3] British Standards Institution. "IT service management - Part 1: Specification for service management," London, Tech. Rep. BS 15001-1:2002 (27 September 2002).

[4] British Standards Institution. "IT service management - Part 2: Code of practice for service management," London, Tech. Rep. BS 15000-2:2003 (22 January 2003).

[5] M. Salle. "IT Service Management and IT Governance: Review, Comparative Analysis and their Impact on Utility Computing," Hewlett-Packard Company, Palo Alto, Tech. Rep. HPL-2004-98 (2 June 2004).

[6] J. E. Stanley. "Enabling Network Centric Warfare Through Operational Impact Analysis Automation." Master's Thesis, Air Force Institute of Technology, WPAFB OH: 2005.

[7] S. Ramanathan, D. Caswell and S. Neal. "Auto-Discovery Capabilities for Service Management: An ISP Case Study," Hewlett-Packard Company, Palo Alto, Tech. Rep. HPL-1999-68 (May 1999).

[8] The Cooperative Association of Internet Data Analysis (CAIDA). "FlowScan Analysis," University of California San Diego, 7 Feb 2005. Online at http://www.caida.org/tools/utilities/flowscan/analysis.xml.

[9] G. W. Manes, J. Dawkins, S. Shenoi and J. C. Hale. "Identifying and tracking attacks on networks: C3I displays and related technologies," Proceedings of SPIE, 5071:105-113 (2003).

[10] R. Bearavolu, K. Lakkaraju, W. Yurcik and H. Raje. "A visualization tool for situational awareness of tactical and strategic security events on large and complex computer networks," in MILCOM 2003 - 2003 IEEE Military Communications Conference, 850-855 (Oct 2003).

[11] H. Kim, I. Kang and S. Bahk. "Real-time visualization of network attacks on high-speed links," Network, IEEE, 18:30-39 (2004).

[12] J. Dunn. "Security Applications for Cisco NetFlow Data," SANS Institute, (23 July 2001) 5 Feb 2005. Available online at http://www.sans.org/rr/whitepapers/commerical/778.php.