A Cyber Awareness Framework for Attack Analysis, Prediction, and Visualization

Description

Cyber networks have evolved into a ubiquitous infrastructure, and the Internet has become a mission-critical asset for the DoD and its partners. To assure the availability of these large-scale networks and their resources, it is necessary to maintain situation awareness of the current status of the networks during 24/7 operations. To achieve these goals, one needs to develop technologies and tools that include the assessment of the impact of observed attacks as well as predicting potential future steps of the adversary based on incomplete information. It is also necessary to have techniques that help security officers understand the impact of countermeasures in response to threats. In particular, one needs to ensure that security officers are not overwhelmed by information, so that they can make effective decisions even in high-stress situations.

This research aims to develop novel situation awareness theories and techniques to obtain an accurate view of the available cyber-assets and to automatically determine the assets required to carry out each mission task. Based on this information, we will automatically assess the damage of attacks, possible next moves, and the impact on the missions. We will also model the behavior of adversaries to predict the threat that future attacks pose to the success of a mission. Finally, we will present the status of the current missions and the impact of possible countermeasures to a security officer in a semantically rich environment. Each of these technologies will be integrated into a coherent cyber-situation awareness framework.

Our technical approach is based on five main thrusts:

  1. Theoretically sound yet practical techniques to automatically analyze network event data will be used to get an up-to-date view of the available cyber-assets.
  2. Comprehensive analysis techniques will be developed to automatically extract dependency relationships (either manifest or hidden) between cyber-missions and cyber-assets.
  3. A cyber-situation awareness framework, which builds on previous alert correlation work, will associate ongoing attacks with the affected cyber-assets that a mission needs in order to complete successfully, giving an accurate understanding of the impact of cyber-attacks.
  4. Models of adversary behavior will be developed to help predict the effects of future attacks that can be launched to prevent a cyber-mission from completing successfully.
  5. Novel cognitive science techniques will be leveraged to produce a semantically-rich, easy-to-grasp view of the cyber-mission status and to improve large-scale attack comprehension and response under duress.
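As an added illustration of thrusts 2 and 3 (example code written for this page, not the project's own software): a toy mission-to-asset dependency map, an alert stream correlated against it to score each mission's exposure, and an `isolated` parameter that models the effect of a countermeasure such as taking a host offline. All mission, task and host names are constructed.

```python
# Added example, not project code: mission impact from correlated alerts.
from collections import defaultdict

# Mission -> task -> required assets (all names constructed).
MISSIONS = {
    "logistics": {
        "order-intake": {"web01", "db01"},
        "dispatch": {"db01", "gps-feed"},
    },
    "intel-report": {
        "collect": {"sensor-gw"},
        "publish": {"web01"},
    },
}

# Constructed alert stream: (asset, alert class, severity in [0, 1]).
ALERTS = [
    ("web01", "webshell", 0.9),
    ("db01", "brute-force", 0.4),
    ("print01", "port-scan", 0.2),  # not used by any mission task
]

def asset_index(missions):
    """Invert the dependency map: asset -> {(mission, task)}."""
    idx = defaultdict(set)
    for mission, tasks in missions.items():
        for task, assets in tasks.items():
            for asset in assets:
                idx[asset].add((mission, task))
    return idx

def mission_impact(missions, alerts, isolated=frozenset()):
    """Score each mission by the worst alert on any asset it depends on.
    Assets in `isolated` are treated as unavailable (score 1.0), which
    shows what a containment countermeasure would cost each mission."""
    idx = asset_index(missions)
    impact = {m: {"score": 0.0, "tasks": set()} for m in missions}
    def hit(asset, score):
        for mission, task in idx.get(asset, ()):
            entry = impact[mission]
            entry["score"] = max(entry["score"], score)
            entry["tasks"].add(task)
    for asset, _cls, severity in alerts:
        hit(asset, severity)
    for asset in isolated:
        hit(asset, 1.0)
    return impact

if __name__ == "__main__":
    print(mission_impact(MISSIONS, ALERTS))
    print(mission_impact(MISSIONS, ALERTS, isolated={"web01"}))
```

Comparing the two calls shows the trade-off a security officer faces: isolating web01 stops the webshell alert from escalating but marks both missions as fully impacted.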

People

UCSB

Acknowledgments

This research was supported by the Army Research Office, under agreement W911NF-09-1-0553.