THIS IS A CONTINUATION OF N00014-14-1-0468 A Tale of Two Systems; Bridging Statistical Learning and Formal Reasoning for Cyber Attack Detection
Abstract
PROJECT SUMMARY

Motivation. Cyberinfrastructures are facing increasing threats from advanced cyber attacks such as Advanced Persistent Threats (APTs). To prevent or minimize loss of critical data assets or damage to critical cyber facilities, it is essential to detect and investigate such attacks in real time. An effective cyber attack detection system should satisfy the following requirements: (1) it monitors and detects signs of attacks in real time and at an early stage of an attack; (2) it is able to detect zero-day attacks for which no signatures exist; (3) it achieves high detection accuracy; and (4) it is able to trace back and reason about system/program behavior to understand the provenance and ramifications of an attack. Meanwhile, we observe that many existing attack/anomaly detection systems fall into one of two categories: (a) symptom-based anomaly detection via statistical learning of network- or end-host-level “symptoms”; and (b) behavior-based anomaly detection and tracing via formal causal reasoning about runtime program behaviors. Unfortunately, no system in category (a) or (b) is able to satisfy all four requirements listed above.

Proposed Research. Recently, a new vision, called “Learn-2-Reason”, has been proposed to bridge the camps of statistical learning and formal reasoning for more effective decision-making. The vision advocates letting two systems, one from each camp, operate side by side and influence, interact with, and hence improve each other by sharing their inputs and exchanging their knowledge, achieving the best of the two camps while mitigating their limitations. We propose to instantiate, investigate, and advance this vision for more timely, accurate, and accountable cyber attack detection in enterprise environments.

To realize the vision, we will first develop two attack detection systems: System A, which is based on statistical learning over network and end-host monitoring data; and System B, which is based on formal causal reasoning over program execution event logs. We will then bridge the semantic gap between them so that their inputs and knowledge bases are well aligned for mutual collaboration and knowledge exchange. Finally, we will develop a federation of Systems A and B with specific interactions between them. The federation will achieve greater detection capability than either system alone. Furthermore, each system’s knowledge and capability will evolve as the federation operates.

Innovative Claims and Impacts. This research is among the first to instantiate and advance the vision of “Learn-2-Reason” in a concrete application domain (cyber attack detection). To the best of our knowledge, there has been no prior research effort that federates statistical learning and formal reasoning based systems for attack/anomaly detection. In addition, Systems A and B themselves reflect technical novelty in their own right. More specifically, System A is among the first to combine unsupervised and supervised learning models for anomaly detection based on multiple sources of monitoring data. System B’s two-level (per-program and system-wide) causal model achieves higher accuracy for attack detection and tracing compared with other causal reasoning based systems. Broader impacts of this research include the following: (1) models, theories, and software artifacts from this research will help elevate DoD’s strategic defense capability against emerging cyber attacks such as the APT; (2) this research will provide valuable experience and guidance for instantiating the “Learn-2-Reason” vision in other military or civilian application domains, such as autonomic navigation, rescue robotics, and self-management of computers and networks; and (3) this research creates unique synergies that bring together researchers from multiple disciplines, including cybersecurity, machine learning, and software engineering.
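The following toy Python script is an added illustration of the federation idea sketched in the summary, not code from the proposal or its authors: a statistical outlier detector (the unsupervised part of System A) flags a process from constructed per-process connection counts, and a causal provenance graph built from constructed program execution events (System B) traces that flag back to its provenance and forward to its ramifications, returning a confirmed/refuted verdict that System A could consume as a label. All data, function names, and the confirmation rule are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed System A input: outbound connections per process in one window.
CONN_COUNTS = {"sshd": 3, "bash": 2, "curl": 4, "update.sh": 1, "cron": 0,
               "logrotate": 0, "chrome": 6, "ntpd": 1, "beacon": 48}
# Constructed System B input: program execution events (subject, op, object).
EVENTS = [("sshd", "exec", "bash"),
          ("bash", "exec", "update.sh"),
          ("update.sh", "write", "/etc/cron.d/persist"),
          ("update.sh", "exec", "beacon"),
          ("beacon", "connect", "203.0.113.7:443"),
          ("cron", "exec", "logrotate")]

def system_a_flags(counts, z_threshold=2.0):
    """System A (unsupervised part): processes whose count is a z-score outlier."""
    vals = list(counts.values())
    mu, sigma = mean(vals), pstdev(vals)
    if sigma == 0:
        return set()
    return {p for p, c in counts.items() if (c - mu) / sigma > z_threshold}

def build_causal_graph(events):
    """System B: forward (subject->object) and backward (object->subject) edges."""
    fwd, back = defaultdict(list), defaultdict(list)
    for subj, op, obj in events:
        fwd[subj].append((op, obj))
        back[obj].append((op, subj))
    return fwd, back

def trace(adj, node, seen=None):
    """Transitive closure from node over one edge direction."""
    seen = set() if seen is None else seen
    for _, nxt in adj.get(node, []):
        if nxt not in seen:
            seen.add(nxt)
            trace(adj, nxt, seen)
    return seen

def federate(counts, events):
    """A's statistical flags seed B's causal trace; B's ramifications confirm or
    refute each flag. The rule 'chain reached the network' is a simplification."""
    fwd, back = build_causal_graph(events)
    report = {}
    for proc in system_a_flags(counts):
        ancestors = trace(back, proc)                 # provenance (trace back)
        chain = ancestors | {proc}
        effects = set().union(*(trace(fwd, n) for n in chain)) - chain  # ramifications
        to_net = any(op == "connect" for n in chain for op, _ in fwd.get(n, []))
        report[proc] = {"ancestors": ancestors, "ramifications": effects, "confirmed": to_net}
    return report
```

On the constructed data, `federate(CONN_COUNTS, EVENTS)` flags only `beacon`, traces it back through `update.sh`, `bash` and `sshd`, and lists the cron file and the remote endpoint as ramifications.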
Document Details
- Document Type: DoD Grant Award
- Publication Date: Jun 03, 2016
- Source ID: N000141612155
Entities
People
- Dongyan Xu
Organizations
- Office of Naval Research
- United States Navy
- University of Virginia