Analysis of the Einstein Plan

Posted by punzalan at 2020-04-16

1. Planning background

2. Organization

3. Deployment process

4. Key technologies

5. Deployment mode

The Einstein plan is a very large intrusion detection and defense system. It is deployed at the Internet exits of the federal government network and at the exits of some operators (ISPs) that connect to the federal network, in order to monitor the traffic entering and leaving the federal network, detect malicious activity in time, and respond to incidents. The system is developed by US-CERT (a fourth-level department under DHS) and handed over to NCCIC (National Cybersecurity and Communications Integration Center, a third-level department under DHS) for 24x7 security operations; NCCIC relies on the Einstein system for threat analysis, emergency response and related work.

1. Political background

DHS (the U.S. Department of Homeland Security) was established on November 25, 2002. It is a cabinet-level department created in response to the terrorist attacks of September 11, 2001, and the largest government reorganization since the establishment of the Department of Defense in 1947. The department is mainly responsible for responding to terrorist attacks and non-military attacks in cyberspace within the United States, and for providing adequate defense and emergency response. The 9/11 attacks had a great impact on the security concept of the United States. Just one month after the attacks, the Patriot Act was passed quickly, granting intelligence and law enforcement agencies greater autonomy in tracking and intercepting communications. In July 2002, the U.S. House of Representatives passed the Cyber Security Enhancement Act, which emphasizes that when national security is threatened, information such as telephone numbers, IP addresses and e-mail subjects can be obtained without authorization; in 2008, the U.S. Congress passed amendments to the Foreign Intelligence Surveillance Act (FISA), which authorize private companies to cooperate with the government to expand the scope of surveillance. Most of the surveillance programs leaked by Snowden in June 2013 (the author's special topic "Thinking on the construction of a data-driven cyberspace combat platform" describes the U.S. surveillance programs in detail) are directly related to the adjustment of U.S. policy in this period.

The Einstein plan was likewise established to prevent a 9/11-type event in cyberspace. It is based on the Homeland Security Act of 2002, the Federal Information Security Management Act (FISMA), and Homeland Security Presidential Directive 7 (HSPD-7, "Critical Infrastructure Identification, Prioritization, and Protection") issued on December 17, 2003.

In March 2013, with the completion of Enhanced Cybersecurity Services (ECS), James Clapper, the U.S. Director of National Intelligence, issued a report stating that the threat from cyberspace had surpassed terrorism to become the main threat facing the United States. This was the first time since September 11 that the United States officially assessed that terrorism was no longer its number one threat.

2. Technical background

The main task of the Einstein system is to protect the federal government's network security. Viruses and vulnerabilities, the two major killers of cyberspace security, are the main objects of defense of the Einstein system. Since these two threats appeared in the United States in the late 1980s and the late 1990s (the Nimda virus and the IIS RDS security vulnerability, CVE-1999-1011), the corresponding defense technologies have been controlled mainly by a group of antivirus vendors and firewall vendors.

In the antivirus field, Symantec, McAfee and Trend Micro were founded in the late 1980s. Relying on the first-mover advantage of Internet development in the United States, the huge domestic market demand it created, the strong financing ability of a vibrant capital market, and expansion into the global market, these three vendors grew into the dominant enterprises of the antivirus field and accumulated a large number of advanced technologies and research ideas in virus detection and removal.

In the firewall field, the main players are NetScreen, Fortinet, Palo Alto Networks and FireEye, founded from the late 1990s onward. They are not only the giants of this field but also represent the advanced technical direction of different periods. For example, NetScreen was founded in 1997 and relied mainly on ASIC chips to solve the problem of high-volume concurrent traffic processing brought by the information superhighway; Fortinet was founded in 2000 and relied mainly on stream reassembly detection to solve application-layer malicious behavior detection such as email viruses; Palo Alto Networks was founded in 2005 and relied mainly on its App-ID, User-ID and Content-ID technologies to solve malicious behavior detection in niche protocols such as SNS; FireEye was founded in 2004 and relied mainly on front-end sandboxing and behavior analysis to solve the problem of unknown threat discovery.

On the other hand, with the promotion of the TIC plan and the development of the Einstein system, Einstein can no longer be satisfied with local blocking of viruses and vulnerabilities; it also needs to collect the security logs of a large number of security devices (firewalls, IDS, IPS, etc.) and perform correlation analysis to output macro-level security analysis. This requires the SIEM capabilities of ArcSight and Splunk.

The technologies accumulated by these enterprises in the United States from the late 1980s to the early 2000s, such as virus detection and removal, malicious behavior detection and correlation analysis, ensured the reliable implementation of NetFlow, DFI, DPI and the other detection and analysis technologies applied in the Einstein plan.

1. Organization structure of DHS participating in Einstein program

The Einstein project is a large-scale federal government network intrusion detection and defense system, led by DHS with the cooperation of DoD and NSA. Two of DHS's 26 departments (STD and NPPD) have specifically undertaken the construction, operation and maintenance of the project. The Science and Technology Directorate (STD) focuses on medium- and long-term research, while NPPD focuses on current and short-term engineering implementation. In the Einstein project the division of labor is: STD summarizes and defines the main security issues (security requirements definition, security zone division, etc.); NPPD takes solving these issues as its goal and relies on its subordinate Network Security Deployment (NSD) division to design and develop the security functions; and NCCIC performs the overall security operation of the delivered system. The organizational structure of the construction units is shown in the figure below:

2. NSA's capability support for Einstein program

According to a top-secret document leaked by Snowden, an NSA training course on computer network operations, in order to protect the U.S. military's Global Information Grid (GIG) and support the execution of cyberspace operations, the United States distributed cyber defense tasks among three units: U.S. Cyber Command (USCYBERCOM), the Navy Cyber Defense Operations Command (NCDOC), and the Department of Homeland Security (DHS). The three units rely on the linkage of their own systems to jointly ensure cyberspace security.

In terms of the three supporting systems: Cyber Command relies on the massive data intercepted by XKEYSCORE (XKS), PRISM, MARINA, NUCLEON, TREASUREMAP, QUANTUM, AURORAGOLD, CAMPERDATA, FORNSAT and other programs (for details see the author's related article "Thinking on the construction of a data-driven cyberspace combat platform"); NCDOC relies on the Hawkeye platform; DHS relies on the detection and defense system established by the Einstein plan.

According to analysis of the available material, the core IPS technology of Einstein-3 was developed by NSA and has already been applied to the protection of the GIG network (codename TUTELAGE, the red dot at the lower right of the figure). The link between the two lies in NSA providing a set of signatures to identify specific attacks. It can be boldly speculated that, starting with Einstein-3, the system has been integrated into the military's network warfare and intelligence warfare systems, achieving real-time sharing of threat intelligence.

The deployment and implementation of the Einstein plan is divided into three main stages:

Stage 1 (E1)

Introduction: in this stage, IDS and IPS were widely deployed on the federal government network, and flow-based analysis technology (DFI) was implemented.

Objective: abnormal behavior detection and local trend analysis

·Worm detection, which in particular can produce a cross-departmental regional worm infection trend map

·Abnormal behavior detection, mainly based on *flow technology (the E1 core function)

·US-CERT can provide configuration management suggestions to the relevant departments based on its security analysis

·Trend analysis helps the federal government form a local trend map

Stage 2 (E2)

Introduction: this stage mainly carries out the TIC plan and adds malicious behavior analysis capability.

Objective: malicious behavior detection and overall trend analysis

·Centralized federal network access, reducing the number of network exits from 4500+ to about 50;

·Malicious behavior detection, mainly based on DPI technology

·Trend analysis helps the federal government form an overall trend map

Stage 3 (E3)

Introduction: in this stage NCCIC (the national-level security operations center) is set up, sensors are placed in front of some ISPs (such as VeriSign and AT&T), and intrusion prevention technologies are added.

Objective: malicious behavior detection and overall trend analysis

·Traffic is intercepted on a larger scale: through the TICAP concept, sensors are placed in front of the ISPs to monitor traffic related to, or of concern to, the government network;

·Professional security operations: through the establishment of NCCIC, technology, process and people (PPT) are closely integrated;

·Real-time intrusion defense: through the IPS technology developed by NSA, malicious attacks can be blocked directly.

The specific process is as follows:

Federal government network:

·2003 to 2005 (Block 1.0): centralized data storage of network traffic information ("NetFlow").

·2005 to 2008 (Block 2.0): an intrusion detection system that accesses network traffic and detects malicious activity; (Block 2.1): security information and event management (SIEM) for data aggregation, correlation and visualization; (Block 2.2): expanded threat-information visualization with information sharing and cooperation mechanisms.

·2010 to 2012 (Block 3.0): intrusion prevention system.

Private network:

·2011 to 2013: ECS was initially introduced by DoD as DIB, delivered to DHS as JCSP in 2012, and developed through JCSP and DECS into the recent ECS. ECS has three capabilities similar to those planned for Einstein.

1. Key technical points of the E1 stage

The essence of this stage is abnormal behavior analysis and detection plus overall trend analysis based on flow analysis (DFI) technology, specifically DFI applied to *flow data. The most typical *flow here is NetFlow; others include sFlow, J-Flow and IPFIX.

Analysis of DFI technical characteristics:

·Fast processing speed: no unpacking of packets is needed, only comparison against the flow model;

·Low maintenance cost: because the flow model changes little, new applications need not be considered;

·High but coarse recognition rate: because only the flow model is identified, the recognition rate is very high but relatively coarse.

NetFlow record format:

Source address | destination address | source autonomous system | destination autonomous system | input interface index | output interface index | source port | destination port | protocol type | packet count | byte count | flow count

Abnormal traffic detected from NetFlow:

DoS, DDoS, network worm traffic, and other malicious traffic (such as the large number of TCP connection requests generated by scanning tools)
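As an added example (not code from the original article or from the Einstein program), the three E1 detections named above can be run directly over NetFlow-style records with the twelve fields listed: scan-like fan-out, DoS/DDoS-like fan-in, and worm-like spread on one service port. The record layout, thresholds and the sample flows are all constructed here.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)  # one NetFlow-style record with the twelve fields listed above
class Flow:
    src: str
    dst: str
    src_as: int
    dst_as: int
    in_if: int
    out_if: int
    sport: int
    dport: int
    proto: int      # 6 = TCP, 17 = UDP
    packets: int
    octets: int
    flows: int

def detect_scanners(flows, min_targets=20, max_pkts=3):
    """Scan-like fan-out: one source sending many tiny TCP flows (handshake
    never completed) to many distinct (destination, port) pairs."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == 6 and f.packets <= max_pkts:
            targets[f.src].add((f.dst, f.dport))
    return {s: len(t) for s, t in targets.items() if len(t) >= min_targets}

def detect_flood_victims(flows, min_sources=50):
    """DoS/DDoS-like fan-in: many distinct sources converging on one
    (destination, port) pair."""
    sources = defaultdict(set)
    for f in flows:
        sources[(f.dst, f.dport)].add(f.src)
    return {k: len(s) for k, s in sources.items() if len(s) >= min_sources}

def detect_worm_spread(flows, port, min_fanout=5):
    """Worm-like spread on one service port: hosts contacted on `port` that
    then contacted at least `min_fanout` other hosts on the same port."""
    hit, fanout = set(), defaultdict(set)
    for f in flows:
        if f.dport == port:
            hit.add(f.dst)
            fanout[f.src].add(f.dst)
    return {h for h in hit if len(fanout[h]) >= min_fanout}

def _rec(src, dst, dport, pkts=2, octets=120):  # constructed record; AS/interface values are placeholders
    return Flow(src, dst, 65001, 65002, 1, 2, 40000, dport, 6, pkts, octets, 1)

# Constructed sample: a port scan, a flood, a worm chain and ordinary web traffic.
SAMPLE = (
    [_rec("10.0.0.5", "10.1.0.1", p) for p in range(1, 26)]               # scan
    + [_rec(f"198.51.100.{i}", "10.2.0.9", 80) for i in range(1, 61)]    # flood
    + [_rec("10.3.0.1", "10.3.0.2", 445, 40, 9000)]                      # infection
    + [_rec("10.3.0.2", f"10.3.0.{i}", 445, 40, 9000) for i in range(10, 16)]
    + [_rec("10.4.0.7", "10.2.0.9", 80, 35, 42000)]                      # normal
)
```

Grouping the flagged sources by department (for example by address block) is what turns these per-host verdicts into the cross-departmental infection trend map the stage describes.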

2. Key technical points of the E2 stage

The essence of this stage is malicious behavior analysis based on deep packet inspection (DPI) technology, that is, in-depth analysis of 13 items of information about the traffic: source IP, destination IP, source port, destination port, protocol type, packet count, byte count, connection start time, connection duration, connection end time, sensor number, data flow direction, and initial flag bits.

The specific workflow is as follows:

·The sensors deployed at each TICAP exit perform DPI analysis locally, detect malicious behavior through signature and behavioral techniques, and generate alerts;

·Alerts, flow records and the related packet data are sent to US-CERT for in-depth analysis by engineering security analysts;

·US-CERT is responsible for auditing and maintaining the sensors' signature library;

·All information collected by US-CERT is retained for 3 years.

Analysis of DPI technical characteristics:

·Slow processing speed, because each packet must be unpacked and matched against the back-end signature library;

·High maintenance cost, because the back-end signature library must be updated for every new application;

·Low but detailed recognition rate, because new applications may go unrecognized, while recognized applications are analyzed in great detail.
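As an added example (not code from the original article or from the Einstein program), this is the sensor-side step of the E2 workflow: the payload is matched against a signature library, and each hit becomes an alert that carries the 13 metadata items above plus the 3-year retention deadline before it is forwarded to the central analysts. The field names, the signature library and the sample request are constructed for illustration.

```python
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone

@dataclass
class ConnMeta:
    """The 13 connection attributes the E2 sensors record (field names are ours)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    packets: int
    octets: int
    start: datetime
    duration_s: float
    end: datetime
    sensor_id: str
    direction: str       # "inbound" or "outbound" relative to the agency network
    initial_flags: str   # TCP flags on the first packet, e.g. "S"

# Constructed signature library, standing in for the one US-CERT audits and
# maintains: (signature id, byte pattern over the reassembled payload, description).
SIGNATURES = [
    ("SIG-0001", re.compile(rb"/\.\./\.\./"), "directory traversal in request path"),
    ("SIG-0002", re.compile(rb"(?i)User-Agent:[^\r\n]*ConstructedBot"), "known scanner user agent"),
]

RETENTION = timedelta(days=3 * 365)   # US-CERT keeps collected data for 3 years

def inspect(meta, payload, signatures=SIGNATURES):
    """DPI step run on the TICAP sensor: match the unpacked payload against the
    signature library and emit one alert per hit. Each alert carries the 13
    metadata fields plus the matched bytes and the retention deadline; this is
    what gets forwarded to US-CERT for analyst review."""
    alerts = []
    for sig_id, pattern, desc in signatures:
        hit = pattern.search(payload)
        if hit:
            alerts.append({"signature": sig_id, "description": desc,
                           "matched": hit.group(0).decode("latin-1"),
                           "retain_until": meta.end + RETENTION, **asdict(meta)})
    return alerts

def run_sample():
    """Constructed inbound HTTP request as seen by a sensor at one TICAP exit."""
    start = datetime(2020, 4, 16, 12, 0, 0, tzinfo=timezone.utc)
    meta = ConnMeta("203.0.113.7", "10.10.5.20", 51234, 80, 6, 6, 812,
                    start, 0.4, start + timedelta(seconds=0.4),
                    "TICAP-07-S1", "inbound", "S")
    payload = (b"GET /images/../../config/ HTTP/1.1\r\nHost: portal.example\r\n"
               b"User-Agent: ConstructedBot/1.0\r\n\r\n")
    return inspect(meta, payload)
```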

3. Key technical points of the E3 stage

The essence of this stage builds on the abnormal traffic detection technology (*flow-based DFI) and malicious behavior detection technology (DPI) of the previous two stages, combined with the special attack signatures accumulated from NSA's many years of network attack and defense experience, deployed on the front-end sensors to detect and block malicious attacks.

Since this phase began in 2010, NSA (National Security Agency) and DoD (Department of Defense) have explicitly joined it, so less information is available about this phase. According to Snowden's leaked material, the output of this phase (codename TUTELAGE) has been deployed at the border of the military's GIG network.

4. Overall technical analysis

The Einstein system is very large, but as a whole it can be divided into two parts:

·The front-end part, that is, the sensors at the interface with the Internet, whether connected through TIC at an ISP or through the IP services hosted under the General Services Administration's Networx contract;

·The back-end part, that is, the security operations center run by NCCIC.

The front end mainly applies *flow-based DFI and DPI technology, while the back end applies SIEM technology. The distributed front end and the centralized back end are integrated into a situational awareness system. The Einstein system, still being improved step by step, can be called a genuine large-scale situational awareness system. In fact, the Einstein project is a good example of a project led by the government with participation by commercial vendors.

When analyzing the Einstein plan, we should look not only at the technology it adopts but also at how the deployment mode is implemented. Deployment is very important: if the deployment is poor, the whole system may not obtain the necessary information, and analysis becomes water without a source. When it comes to the deployment of the Einstein system, we must discuss the TIC (Trusted Internet Connections) plan launched by DHS in 2008 (the same period as E2, and also the year the CNCI plan was officially implemented), which focuses on consolidating the federal network's Internet access. Since E2, sensor deployment has been closely tied to TIC, and the TIC plan involves the upgrading and transformation of the entire U.

The figure above shows the conceptual model of TIC. TIC comprises three parts: the external region, the TIC region and the internal region. Einstein sensors or IPS are deployed between the TIC region and the external region. Note that public services are deployed in the TIC region. TIC can be compared to a DMZ, but it is more complex.

The figure above shows the conceptual deployment architecture of TIC. Traffic is divided into four types by color, that is, the network is divided into several levels according to security level:

·Agency access

·TICAP (access provider)


Because of the centralized access implemented by the TIC plan, different government departments and agencies (D/A) may connect to the same TICAP, so the traffic can be divided into:

·Orange: traffic between different departments on the same TICAP

·Blue: traffic passing through the sensor

·Green: traffic between different TICAPs of the same department

·Black: traffic between TICAPs

Text / DustinW

The military and the people jointly build cyber defense and protect our common online home