ADAPT: An Analytical Framework for Actionable Defense Against Advanced Persistent Threats
Abstract
Short work statement
The team will develop a new theoretical cyber security framework for dynamic adversarial cyber interaction based on control and dynamical systems theory. The proposed research and development of a framework for actionable defense against APTs will be carried out in four main thrusts: (i) analytical representation and decomposition of APTs, (ii) local interaction and attack variant identification, (iii) system-level adversarial cyber interaction, and (iv) testing and validation of the theory against observation.
Objective
The goal of this collaborative research effort is to develop a new, encompassing scientific framework with a novel game-theoretic underpinning that tightly incorporates real-world parameters and observations for analytically representing adversarial cyber interactions. Advanced persistent threats (APTs) infiltrate cyber systems over an extended period of time and compromise specifically targeted data and/or resources through a sequence of stealthy attacks, and often have multiple variants. Currently, there is no scientific framework to represent APTs, understand the effectiveness of cyber defenses, or develop an actionable cyber defense.
Approach
The team proposes to develop a new theoretical foundation for dynamic adversarial attacker-defender interaction in cyberspace based on control and dynamical systems. The first research thrust will focus on the research and development of an analytical middleware that provides a time-varying representation of the adversarial actions, which will then be used to construct more realistic models of the adversarial cyber interactions and defense strategies. The second research thrust will investigate and develop local games that realistically describe the adversarial cyber interaction at different attack stages. Since there may be multiple possible local games at each attack stage, the team will research and develop methodologies for computing the convergence rate based on gathered information and transitioning to the local game with the fastest convergence rate. The defense strategies will be made robust to uncertainty in adversary capabilities and to adversarial deception via adversarial learning techniques. The team will formulate parametrizations of the local interaction games, which will characterize and enable the analysis of multiple APT variants within a single framework. The third research thrust will leverage and compose the local interaction models to research and develop a framework for system-level adversarial cyber interaction. The team will investigate and develop methods for composing adversary actions at multiple time scales, as well as the composition of sequential and simultaneous attacks. These composed local interactions will be used to formulate global (system-level) games, in which each strategy corresponds to a set of local games to be played, thus leading to a game-of-games structure. The fourth research thrust will build test cases of real-world APT scenarios to evaluate the proposed framework. The team will test how these scenarios can be decomposed into individual steps, and how the entire APT can be modeled as a game-of-games based on the local decomposition. Empirical measurements of APT behaviors, and in-depth testing and evaluation, will be performed using the DETERlab cybersecurity testbed. Proposed defenses will be implemented on platforms including the Apache Spark distributed computation environment and tested against a large APT database that has been compiled by the PIs.
Overall merits & ONR mission relevance
If successful, this MURI will develop new approaches and foundations for more accurate, realistic, and actionable analysis and understanding of adversarial interactions in a dynamic environment, and for the derivation of optimized strategies for them. This foundation will enable more accurate analysis of strategy and planning for cyber security posture in support of the Navy's mission.
Document Details
- Document Type: DoD Grant Award
- Publication Date: Aug 12, 2016
- Source ID: N000141612710
Entities
People
- Radha Poovendran
Organizations
- Office of Naval Research
- United States Navy
- University of Washington