
NSF Org: CNS Division Of Computer and Network Systems
Recipient:
Initial Amendment Date: September 16, 2015
Latest Amendment Date: April 28, 2016
Award Number: 1526383
Award Instrument: Standard Grant
Program Manager: Kevin Thompson, kthompso@nsf.gov, (703) 292-4220, CNS Division Of Computer and Network Systems, CSE Directorate for Computer and Information Science and Engineering
Start Date: October 1, 2015
End Date: September 30, 2019 (Estimated)
Total Intended Award Amount: $666,960.00
Total Awarded Amount to Date: $666,960.00
Funds Obligated to Date:
History of Investigator:
Recipient Sponsored Research Office: 1 LOMB MEMORIAL DR, ROCHESTER, NY, US 14623-5603, (585) 475-7987
Sponsor Congressional District:
Primary Place of Performance: 1 Lomb Memorial Drive, Rochester, NY, US 14623-5603
Primary Place of Performance Congressional District:
Unique Entity Identifier (UEI):
Parent UEI:
NSF Program(s): Secure & Trustworthy Cyberspace
Primary Program Source:
Program Reference Code(s):
Program Element Code(s):
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070
ABSTRACT
Network attacks are increasingly complex and fast-evolving. A single attack may use multiple reconnaissance, exploit, and obfuscation techniques. This project investigates how to extract critical attack attributes, synthesize novel attack sequences, and reveal potential threats to critical assets in a timely manner. The project uses machine learning techniques to simultaneously identify new attack types and the observed events that could indicate those attacks. The Transition-to-Practice component of the project includes a three-phase plan that provides a positively reinforced and measurable cycle to develop, evaluate, and refine a prototype system in real-world environments. This significantly broadens the engagement of security practitioners and student teams, who will plan and execute attacks to test the prototype system. The outcome of this research will provide timely comprehension and anticipation of critical attack strategies, offering practitioners a solution to level the playing field against sophisticated attackers.
Specifically, this work develops an online semi-supervised learning framework to capture both spatial and temporal features of attack strategies. An attack behavior model is a collection of feature probability distributions. The attack features are used to synthesize attack sequences via Monte Carlo simulation. The attack sequences, along with an ensemble prediction, are then used to reveal potential threats to critical assets in the network. The project will be evaluated on real-world attack data as well as synthetic network attacks. An extensive outreach plan includes course module development, a mid-project workshop to engage security researchers and practitioners, and a summary panel at an international conference.
PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
After several iterations of research, development, analysis, and practitioner engagements, this project created a novel unsupervised learning system that automatically finds relevant intrusion alerts to form cyber attack models. Each of these models presents unique attack behaviors (Where, How, When and What) and assists in predicting future and alternative attack scenarios. The system - ASSERT - consists of several sub-modules that process unlabeled intrusion alerts in near real time to perform:
- Context-driven formation of attack behavior units, called aggregates.
- Dynamic generation, update, and merging of attack models using the aggregates.
- Comparative and visual analytics of the critical attack models to enhance timely cyber situation awareness.
The novelty of ASSERT is multi-faceted. First, its overall process is motivated by both Bayesian learning and clustering, where each new aggregate is dynamically assessed to either match an existing model or generate a new model without a priori knowledge. Since the system assumes no prior expert knowledge on what attack behaviors might exist, the feature domains of Where, How, When, and What are treated as non-parametric histograms, and require computationally efficient means to assess the empirically generated models. After extensive research, the process adopts an information-theoretic approach, namely cross-entropy, Kullback-Leibler divergence, and Jensen-Shannon divergence, to assess the inter-model divergence and intra-model coherency. In addition, the system incorporates a novel entropy redistribution method to account for new (never-before-seen) attack features. This approach is important in forming meaningful cyber attack models where new attack features constantly arise. The use of information-theoretic measures gives a closed-form means to achieve computational efficiency as well as a consistent treatment in assessing the attack models throughout the process.
In addition to ASSERT, this project investigated and developed a mutual information constrained Generative Adversarial Network (GAN) model to learn the interdependencies between intrusion alert features; it is able to generate comparable synthetic alerts given a moderate amount of data. For both the GAN model and ASSERT, the research team developed a reference Macro/Micro Attack Stages model that is used to map the large and continuously growing number of intrusion alert signatures to attack stages that reflect adversary intended actions. This attack stage reference model is developed based on the various industry intrusion kill chains and the MITRE ATT&CK framework.
With the technology developed, this project advocates proactive cyber defense where correlated intrusion observables may be used to provide timely comprehension of attack scenarios. The technology developed under this project will disrupt SOC analyst workflows. However, if deployed and used properly, it could enhance analysts' situation awareness and support better and quicker informed defense decisions in the wake of ever-increasing cyber attacks. In addition to disseminating in academic venues, PI Yang has purposefully reached out to practitioners and international audiences to obtain a broad spectrum of feedback and to broaden the impact of the project. PI Yang's outreach efforts include organizing a conference panel, presenting in industry-driven webinars, NATO and Transition-to-Practice workshops, and international campus visits in Taiwan, the United Kingdom, the Czech Republic, and Italy. Through the broad spectrum of dissemination and outreach efforts, the project offers significantly more opportunities to expose cybersecurity professionals and international audiences to the advanced and disruptive research conducted in this project.
This project involved a total of 28 undergraduate and graduate students, including 7 women students and 2 hard-of-hearing students. This significant group of students, though many of them contributed to the project over a brief time period, e.g., part time over one or two semesters, is much larger than that of a typical NSF project. Most of these students had opportunities not only in research and development, but also in engaging practitioners in the cybersecurity field and obtaining feedback on the value propositions of their research. The students who have graduated are now working in a broad spectrum of industry, government and academic institutions, bringing their experiences in cyber attack modeling to their workplaces. The PIs also added or enhanced modules and exercises across four RIT courses and for summer school lectures.
This project has an emphasis on transition-to-practice, where engagements of practitioners through the Collegiate Penetration Testing Competition (CPTC), Rochester BSides, and other local events were planned from the get-go. The project's involvement in CPTC 2016-19 helped demonstrate how the pen-testing competition benefits data-driven cybersecurity research and curriculum development. CPTC is now an international event, and RIT has invested in creating a Cyber Range as part of the Global Cybersecurity Institute to continue the growth of CPTC and associated research projects. As the ASSERT project evolved and matured, the research team began to demonstrate its prototype to potential users. In the final year of the project, the research team began the deployment and analysis of ASSERT with CACR and OmniSOC at Indiana University. PI Yang and his research team expect to continue the advancement of ASSERT to provide timely, trusted and usable predictive intelligence to SOC analysts.
Last Modified: 12/16/2019
Modified by: Shanchieh J Yang
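The outcomes report above describes matching each new alert aggregate against existing attack models by comparing non-parametric feature histograms (Where, How, What) with Jensen-Shannon divergence, opening a new model when nothing matches. The following is an added illustration of that match-or-create loop and is not ASSERT's code: the feature names, the alert records, the 0.3 divergence threshold and the `ModelStore` class are all assumptions made for the example, and the small reserved mass given to never-before-seen categories is plain additive smoothing standing in for the project's entropy redistribution method, which the report does not specify.

```python
"""Match-or-create of attack models from alert aggregates using per-feature
histograms and Jensen-Shannon divergence (illustrative example, not ASSERT)."""
import math
from collections import Counter

# Assumed feature domains for the example; "When" is omitted to keep it short.
FEATURES = ("where", "how", "what")
# Mass reserved per never-before-seen category so divergences stay finite.
# Simplified stand-in for the entropy redistribution described in the report.
EPSILON = 1e-3


def histogram(values, domain):
    """Probability distribution over `domain` from categorical `values`.
    Categories absent from `values` get EPSILON each; observed categories share
    the remaining mass in proportion to their counts."""
    counts = Counter(values)
    total = sum(counts.values())
    if total == 0:
        return {c: 1.0 / len(domain) for c in domain}
    reserved = EPSILON * sum(1 for c in domain if c not in counts)
    return {c: (1.0 - reserved) * counts[c] / total if c in counts else EPSILON
            for c in domain}


def kl_divergence(p, q):
    """KL(p || q) in bits over a shared key set; q must have no zero entries."""
    return sum(p[c] * math.log2(p[c] / q[c]) for c in p if p[c] > 0)


def js_divergence(p, q):
    """Jensen-Shannon divergence in bits: symmetric and bounded in [0, 1]."""
    m = {c: 0.5 * (p[c] + q[c]) for c in p}
    return 0.5 * kl_divergence(p, m) + 0.5 * kl_divergence(q, m)


def model_divergence(agg_alerts, model_alerts):
    """Mean per-feature JS divergence between an aggregate and a model.
    The domain for each feature is the union of categories seen on either side,
    so a category new to the model is still comparable (via EPSILON)."""
    divs = []
    for f in FEATURES:
        a_vals = [a[f] for a in agg_alerts]
        m_vals = [a[f] for a in model_alerts]
        domain = sorted(set(a_vals) | set(m_vals))
        divs.append(js_divergence(histogram(a_vals, domain), histogram(m_vals, domain)))
    return sum(divs) / len(divs)


class ModelStore:
    """Attack models kept as lists of alerts; each aggregate is merged into the
    closest model if it is similar enough, otherwise it seeds a new model."""

    def __init__(self, threshold=0.3):  # threshold is an assumed value
        self.threshold = threshold
        self.models = []

    def assign(self, agg_alerts):
        """Return (model_index, divergence_to_closest_model_or_None)."""
        best = None
        for i, model in enumerate(self.models):
            d = model_divergence(agg_alerts, model)
            if best is None or d < best[1]:
                best = (i, d)
        if best is not None and best[1] < self.threshold:
            self.models[best[0]].extend(agg_alerts)  # update existing model
            return best
        self.models.append(list(agg_alerts))         # open a new model
        return (len(self.models) - 1, None if best is None else best[1])


def alert(where, how, what):
    return {"where": where, "how": how, "what": what}


# Constructed aggregates (not real alert data): two scanning bursts against a
# DMZ segment and one exfiltration-style burst against an internal host.
SCAN_A = [alert("dmz", "recon", "portscan")] * 8 + [alert("dmz", "recon", "webscan")] * 2
SCAN_B = [alert("dmz", "recon", "portscan")] * 6 + [alert("dmz", "recon", "webscan")] * 4
EXFIL = [alert("internal", "exfil", "dns_tunnel")] * 7 + [alert("internal", "c2", "beacon")] * 3


def demo():
    """Feed the three aggregates in order; returns their model indexes and the
    final model count. SCAN_B merges into SCAN_A's model, EXFIL opens a new one."""
    store = ModelStore(threshold=0.3)
    first, _ = store.assign(SCAN_A)
    second, _ = store.assign(SCAN_B)
    third, _ = store.assign(EXFIL)
    return first, second, third, len(store.models)


if __name__ == "__main__":
    print(demo())
```

Because JS divergence is bounded in [0, 1] bits, the threshold has a fixed meaning regardless of how many categories a feature has, which is what makes a single cut-off usable across Where, How and What; cross-entropy and plain KL, also named in the report, are unbounded and asymmetric, so a practitioner using them would need per-feature calibration.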
Please report errors in award information by writing to: awardsearch@nsf.gov.