Cost-Sensitive Online and Automated Intrusion Detection and Forensics Analyses via Adaptive System Reconfiguration
Abstract
Cyber attacks are typically anonymous, and their impact may be immediate or dormant and subtle, eluding recognition for years and causing damage that ranges from the inconvenient downtime of personal systems to the life-threatening destruction of critical infrastructure. Developing an effective and comprehensive cyber security strategy to counter these threats is therefore paramount. In particular, resilient information infrastructures require automated, self-aware and scalable security solutions that can survive sophisticated, large-scale attack scenarios with minimal manual intervention. A crucial step in protecting national critical assets is to develop accurate and efficient situational awareness solutions that give Navy personnel meaningful and concise reports about security incidents in real time. The objective of this research is to develop the theoretical foundations and practical tools that provide self-awareness and active detection capabilities in complex and critical computing assets. In particular, we propose an online intrusion detection and forensics framework that efficiently determines, at any time instant, the current security state of the system. Real-time provision of accurate security state estimates and automated self-diagnostic capabilities lets system administrators accelerate attack localization and root-cause analysis considerably. In general, detecting intrusions and failures efficiently and early enough is a challenging and expensive endeavor. While detection techniques exist for many types of vulnerabilities, deploying all of them to catch the small number of bugs or vulnerability exploitations that might actually exist in a given system is not cost-effective. Furthermore, the high performance overhead of detection solutions can reveal the presence of monitoring sensors to attackers, who may then deliberately change their behavior to evade them.
A theoretically sound and practical method for the stealthy and effective identification of the individual incidents in an ongoing attack, and for their correlation, is currently lacking. Throughout this project, we will go beyond single-vulnerability detection techniques and instead tackle the problem of automated, online, multi-sensor self-diagnosis through innovations in intrusion detection, machine learning, dynamic binary rewriting, and stochastic state estimation. We propose a novel and comprehensive two-dimensional system modeling formalism that provides avenues for scalable and efficient handling of security incidents by taking into account the semantic gaps as well as the indirect inter-dependencies among triggered sensor alerts. To accelerate runtime diagnosis, we design a security knowledge base and develop machine learning and static analysis algorithms that automatically capture detailed information about the target system during an offline phase. Armed with this modeling formalism and a complete security knowledge base, we develop judicious and mathematically rigorous approaches to automated detection and online forensic analysis, through which an accurate estimate of the system's state can be inferred efficiently. To update the system configuration optimally according to that state, we propose information-theoretic techniques to select the set of security sensors to deploy, and state-of-the-art dynamic binary rewriting techniques to remove monitoring overhead wherever it is not needed. As the practicality of the proposed algorithms and tools is crucial, experimental evaluation will not be an afterthought. Instead, the design and evaluation components will evolve together, and we will continuously experiment with adversarial attacks in real-world settings.
Consequently, our work will result in fundamental research methods and an overall framework that can lead to the discernment of buried threads of insurgent activity within critical computer systems.
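The two ideas at the core of the approach sketched above, estimating the security state from noisy sensor alerts and choosing which sensors to keep running under a cost budget, can be illustrated with a toy model. The following is an added example, not code from the project or the award: it assumes a constructed four-state security state space, a constructed per-sensor alert likelihood for each state, and a constructed per-sensor monitoring cost, and it combines a Bayesian belief update with a selection rule that trades expected entropy reduction (information gain) against cost. The project's modeling formalism, knowledge base and binary-rewriting components are not represented here.

```python
"""Toy cost-sensitive security-state estimation and sensor selection.

Added illustration; not the cited project's code. The state space, the
per-sensor alert likelihoods and the sensor costs are all constructed
assumptions chosen to make the trade-off visible.
"""
import math

# Constructed state space: the monitored system is in exactly one state.
STATES = ("benign", "recon", "exploit", "persist")

# Constructed sensors: P(alert | state) per state in STATES order, plus a
# relative runtime cost of keeping the monitor enabled. All values assumed.
SENSORS = {
    "port_scan_ids":   {"likelihood": (0.02, 0.80, 0.30, 0.10), "cost": 1.0},
    "syscall_monitor": {"likelihood": (0.05, 0.10, 0.85, 0.60), "cost": 4.0},
    "file_integrity":  {"likelihood": (0.01, 0.02, 0.20, 0.90), "cost": 2.0},
}


def normalize(weights):
    total = sum(weights)
    return tuple(w / total for w in weights)


def update_belief(belief, sensor, alerted):
    """Bayesian update of P(state) given one alert/no-alert observation."""
    lik = SENSORS[sensor]["likelihood"]
    posterior = [b * (p if alerted else 1.0 - p) for b, p in zip(belief, lik)]
    return normalize(posterior)


def entropy(dist):
    """Shannon entropy in bits of a discrete distribution."""
    return -sum(p * math.log2(p) for p in dist if p > 0)


def expected_entropy_after(belief, sensor):
    """Expected posterior entropy if `sensor` is observed once more."""
    lik = SENSORS[sensor]["likelihood"]
    p_alert = sum(b * p for b, p in zip(belief, lik))
    expected = 0.0
    for alerted, p_obs in ((True, p_alert), (False, 1.0 - p_alert)):
        if p_obs > 0:
            expected += p_obs * entropy(update_belief(belief, sensor, alerted))
    return expected


def choose_sensor(belief, cost_weight):
    """Pick the sensor maximizing information gain minus weighted cost.

    cost_weight = 0 reproduces pure information-gain selection; a large
    weight pushes the policy toward the cheapest monitor.
    """
    h_now = entropy(belief)
    best, best_score = None, -math.inf
    for name, spec in SENSORS.items():
        gain = h_now - expected_entropy_after(belief, name)
        score = gain - cost_weight * spec["cost"]
        if score > best_score:
            best, best_score = name, score
    return best


def most_likely_state(belief):
    return STATES[max(range(len(STATES)), key=lambda i: belief[i])]


def run_episode(observations, cost_weight=0.0, prior=None):
    """Fold a sequence of (sensor, alerted) observations into the belief
    and return (final_belief, sensor_to_enable_next)."""
    belief = prior or normalize((0.94, 0.02, 0.02, 0.02))
    for sensor, alerted in observations:
        belief = update_belief(belief, sensor, alerted)
    return belief, choose_sensor(belief, cost_weight)


if __name__ == "__main__":
    # Constructed alert trace: a scan alert followed by a syscall alert.
    trace = [("port_scan_ids", True), ("syscall_monitor", True)]
    belief, nxt = run_episode(trace, cost_weight=0.0)
    for state, p in zip(STATES, belief):
        print(f"{state:8s} {p:.3f}")
    print("most likely:", most_likely_state(belief), "| enable next:", nxt)
```

With the constructed numbers, a port-scan alert followed by a system-call alert moves most of the belief mass to the exploit state, and raising the cost weight makes the policy fall back to the cheapest sensor even though the expensive one is more informative, which is the trade-off the cost-sensitive reconfiguration in the proposal is meant to manage.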
Document Details
- Document Type: DoD Grant Award
- Publication Date: Aug 12, 2016
- Source ID: N000141512165
Entities
People
- Saman Zonouz
Organizations
- Office of Naval Research
- Rutgers University
- United States Navy