Attackers often hold the advantage on the network 'playing field', but that edge may soon tip toward those protecting enterprise networks.
Shanchieh Yang, a faculty researcher at Rochester Institute of Technology, was recently awarded grant funding from the National Science Foundation and the National Security Agency for two cyber security projects. Both aim to get ahead of attackers: recognizing the early warning signs of an intrusion before its high-impact actions occur, then extracting the key characteristics of those warnings and building them into a preemptive, tactical defense system.
Yang, professor of computer engineering in RIT's Kate Gleason College of Engineering, received $666,960 from the National Science Foundation for "Synthesizing novel attack strategy for predictive cyber situational awareness." He also was awarded $173,500 from the National Security Agency for "Modeling and simulation of adversary behavior and moving target defense." Both projects began this fall.
"One of the things important to me was that we shouldn't be just detecting attacks. We should be trying to find out what the key attributes are--and how do we characterize these attributes of behaviors and forecast them for the future--because the playing field is very tilted toward the hackers," said Yang. "The defense is always much, much more behind than the offense. So, if we can create a way to know the behavior before it starts, then I think you level the playing field."
In the NSF project, Yang and co-researchers are developing ASSERT (Attack Strategy Synthesis and Ensemble Predictions of Threats) to characterize attack patterns and the combinations of exploit behaviors that attackers use. The team will investigate and develop an algorithmic framework that recognizes attack strategies in their early stages, so that critical threats to enterprise networks can be predicted before they happen. This would be the key element of the ASSERT system: enhancing predictive cyber situational awareness for security analysts.
There is demand for ways to recognize and capture these strategies early, Yang said. Cyber attacks on enterprise networks have evolved to the point where both attackers and security analysts use complex strategies to confuse and mislead one another. Critical attacks chain multiple techniques to achieve cyber espionage or sabotage. Detection alone is no longer sufficient, Yang said.
The algorithm will generate "attack models" that distinguish one attack strategy from another; these models can then be extrapolated to reveal additional attack scenarios, including ones not previously observed, Yang explained. He compared the process to a tunable knob: key characteristics of an attack strategy would be 'tuned' to synthesize and simulate plausible attack scenarios and their outcomes, helping analysts obtain better situational awareness.
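To make the two ideas above concrete (recognizing a strategy from a partial sequence of observed stages, and turning a knob to synthesize plausible scenarios), here is a small illustrative model added by the editor. It is not ASSERT and not code from Yang's group; everything in it is an assumption: the five attack stages, the constructed training sequences, a first-order Markov model with add-one smoothing, and a single "persistence" knob that controls how readily the simulated attacker gives up.

```python
import random
from collections import defaultdict

# Hypothetical attack stages in the order a multistage intrusion usually
# progresses; END is a virtual state meaning the attacker stopped.
STAGES = ["recon", "exploit", "privesc", "lateral", "exfil"]
END = "end"
CRITICAL = "exfil"

# Constructed training data (not real incident data): each list is the
# sequence of stages an analyst observed in one past intrusion.
TRAINING = [
    ["recon", "exploit", "privesc", "exfil"],
    ["recon", "exploit", "lateral", "exfil"],
    ["recon", "recon", "exploit", "privesc", "lateral", "exfil"],
    ["recon", "exploit"],                 # attacker stopped or was blocked
    ["exploit", "privesc", "exfil"],      # no observable recon
    ["recon", "lateral", "exfil"],
]


def fit_transitions(sequences):
    """Learn a first-order Markov model P(next | current) from past
    intrusions, with add-one smoothing so unseen transitions keep a small
    non-zero probability (this is what lets the model extrapolate to
    scenarios that are not in the training set)."""
    counts = defaultdict(lambda: defaultdict(int))
    for seq in sequences:
        for cur, nxt in zip(seq, seq[1:] + [END]):
            counts[cur][nxt] += 1
    states = STAGES + [END]
    model = {}
    for cur in STAGES:
        total = sum(counts[cur].values()) + len(states)
        model[cur] = {s: (counts[cur][s] + 1) / total for s in states}
    return model


def predict_next(model, observed):
    """Rank the likely next stages given the partial sequence seen so far."""
    return sorted(model[observed[-1]].items(), key=lambda kv: -kv[1])


def prob_reach(model, observed, target, horizon):
    """Probability that `target` occurs within `horizon` further steps,
    by enumerating every path from the last observed stage. This is the
    early-warning score: a high value on a short prefix means the
    critical action is imminent."""
    def walk(state, steps):
        if steps == 0:
            return 0.0
        p = 0.0
        for nxt, pr in model[state].items():
            if nxt == target:
                p += pr
            elif nxt != END:
                p += pr * walk(nxt, steps - 1)
        return p
    return walk(observed[-1], horizon)


def synthesize(model, persistence, rng, start="recon", max_len=8):
    """Sample one plausible attack sequence. `persistence` in [0, 1] is the
    tunable knob: it scales down the probability that the attacker stops,
    so 1.0 models an adversary who never gives up before max_len stages."""
    seq = [start]
    while len(seq) < max_len:
        dist = dict(model[seq[-1]])
        dist[END] *= (1.0 - persistence)
        states = [s for s, w in dist.items() if w > 0]
        weights = [dist[s] for s in states]
        nxt = rng.choices(states, weights=weights)[0]
        if nxt == END:
            break
        seq.append(nxt)
    return seq


def fraction_reaching(model, persistence, n, seed=0):
    """Monte Carlo estimate of how often a synthesized intrusion reaches
    the critical stage for a given setting of the knob."""
    rng = random.Random(seed)
    return sum(CRITICAL in synthesize(model, persistence, rng)
               for _ in range(n)) / n


def mean_length(model, persistence, n, seed=0):
    """Average number of stages in synthesized intrusions; shows how the
    knob changes the shape of the generated scenarios."""
    rng = random.Random(seed)
    return sum(len(synthesize(model, persistence, rng))
               for _ in range(n)) / n


if __name__ == "__main__":
    m = fit_transitions(TRAINING)
    seen = ["recon", "exploit"]
    print("next-stage ranking after", seen, ":", predict_next(m, seen)[:3])
    print("P(exfil within 2 steps):", round(prob_reach(m, seen, CRITICAL, 2), 3))
    for k in (0.0, 0.5, 1.0):
        print("persistence", k, "-> reach exfil in",
              round(fraction_reaching(m, k, 1000), 2), "of runs, mean length",
              round(mean_length(m, k, 1000), 2))
```

The prediction side is `predict_next` and `prob_reach`: given only the stages observed so far, they rank what comes next and score how close the critical action is. The synthesis side is `synthesize`, where the persistence knob deforms the learned distribution to generate scenarios the training data never contained; a real system would expose several such knobs (skill, stealth, target preference) and a far richer state space, but the mechanics are the same.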
Partners on the NSF grant include Michael Kuhl, professor of industrial and systems engineering in RIT's Kate Gleason College of Engineering and an expert on simulation, modeling and operations research, and Daryl Johnson and William Stackpole, both associate professors in the Department of Computing Security in RIT's Golisano College of Computing and Information Sciences. Johnson and Stackpole are experts in computer forensic technologies, information assurance and covert channel analysis. They will organize several student network "penetration testing" events to gather data for characterizing system attacks and to test ASSERT. This is part of the grant's transition-to-practice option, under which the team must demonstrate robust use of ASSERT in real-world environments.
Simulating attack scenarios and developing Moving Target Defense models are the focus of Yang's National Security Agency grant. Government and defense organizations such as the NSA are charged with protecting the nation from cyber attacks, and being able to comprehensively analyze attack scenarios against advanced network-defense technologies in a timely manner would give them an edge, Yang said. Commercial and university systems can also benefit from this type of network attack simulation system.
"Imagine a system that can produce comprehensive sets of multistage, coordinated attacks by efficiently simulating a variety of adversarial behaviors and skill sets against different configurations of Moving-Target-Defenses or other active cyber-defense techniques," Yang said. "Such a system will finally bring an unprecedented advantage to security analysts, by enabling early assessment of risks due to new or even unknown attack strategies versus advanced cyber-defense technologies. The early assessment will be critical to enhance, not only the effectiveness of automated risk detection and mitigation, but also the knowledgebase and awareness of security analysts. Both network attacks and defense today are dynamic; always changing, not static."
Yang began in this field in 2005 as part of a faculty team invited to the Air Force Research Lab to work on cyber situational awareness and modeling attack behaviors. Today, he will lead several RIT undergraduate and graduate students in developing the cyber security models for each of the projects. The challenge, he said, is to find an algorithm, a modeling framework, that is adaptive, moving well beyond network analysts playing catch-up or merely reacting to security incidents.
"Our research is in the forefront of cyber security research, bringing a capability to effectively capture, synthesize, and simulate network attack strategies. It is a great opportunity for students to gain in-depth knowledge and skill sets in the areas of Big Data and cyber security, which are much needed in the workforce today. We are just starting to build an 'army of students' to attack this problem."