Publication


Featured research published by Adam Stotz.


Information Fusion | 2009

High level information fusion for tracking and projection of multistage cyber attacks

Shanchieh Jay Yang; Adam Stotz; Jared Holsopple; Moises Sudit; Michael E. Kuhl

The use of computer networks has become a necessity for government, industry, and personal businesses. Protection and defense against cyber attacks on computer networks, however, are becoming inadequate as attackers become more sophisticated and as the networks and systems become more complex. Drawing analogies from other application domains, this paper introduces information fusion to provide situation awareness and threat prediction from massive volumes of sensed data. An in-depth discussion is provided to define fusion tasks for cyber defense. A novel cyber fusion system is proposed to address specifically the tracking and projection of multistage attacks. Critical assessments of the developed attack tracking and threat projection sub-components are provided with simulation results. This pioneering work elaborates the benefits, limitations, and future challenges of high level information fusion for cyber security.


International Conference on Information Fusion | 2007

INformation fusion engine for real-time decision-making (INFERD): A perceptual system for cyber attack tracking

Adam Stotz; Moises Sudit

Information fusion engine for real-time decision-making (INFERD) is a perceptual information fusion engine designed and developed for the purpose of cyber attack tracking and network situational awareness. While the original application was cyber orientated, the engine itself is designed to generalize and has been ported to other application environments such as maritime domain awareness and medical syndromic surveillance. Comparisons and contrasts are drawn to the traditional Kalman ground target tracking science, motivating high level architectural modules and presenting the cyber environment complexities and assumptions. Performance results are presented showing success in both detection accuracy and temporal expedience, an important design goal.


Data mining, intrusion detection, information assurance, and data networks security. Conference | 2005

Situational awareness of a coordinated cyber attack

Moises Sudit; Adam Stotz; Michael Holender

As technology continues to advance, services and capabilities become computerized, and an ever increasing amount of business is conducted electronically, the threat of cyber attacks gets compounded by the complexity of such attacks and the criticality of the information which must be secured. A new age of virtual warfare has dawned in which seconds can differentiate between the protection of vital information and/or services and a malicious attacker attaining their goal. In this paper we present a novel approach in the real-time detection of multistage coordinated cyber attacks and the promising initial testing results we have obtained. We introduce INFERD (INformation Fusion Engine for Real-time Decision-making), an adaptable information fusion engine which performs fusion at levels zero, one, and two to provide real-time situational assessment and its application to the cyber domain in the ECCARS (Event Correlation for Cyber Attack Recognition System) system. The advantages to our approach are fourfold: (1) The complexity of the attacks which we consider, (2) the level of abstraction in which the analyst interacts with the attack scenarios, (3) the speed at which the information fusion is presented and performed, and (4) our disregard for ad-hoc rules or a priori parameters.


Information Fusion | 2010

Enhancements to high level data fusion using graph matching and state space search

Kedar Sambhoos; Rakesh Nagi; Moises Sudit; Adam Stotz

The intent of this paper is to show enhancements in Levels 2 and 3 fusion capabilities through a new class of models and algorithms in graph matching. The problem today is not often lack of data, but instead, lack of information and data overload. Graph matching algorithms help us solve this problem by identifying meaningful patterns in voluminous amounts of data to provide information. In this paper we investigate a classical graph matching technique for subgraph isomorphism. A complete implementation of a heuristic approach (since the problem under consideration is NP-Hard) using an inexact isomorphism technique has been used. The heuristic approach is called Truncated Search Tree algorithm (TruST), where the state space of the problem is constrained using breadth and depth control parameters. The breadth and depth control parameters are then studied using design of experiment based inferential statistics. Finally, a software implementation of the procedure has been completed.


Visualization for Computer Security | 2006

Understanding multistage attacks by attack-track based visualization of heterogeneous event streams

Sunu Mathew; Richard Giomundo; Shambhu J. Upadhyaya; Moises Sudit; Adam Stotz

In this paper, we present a method of handling the visualization of heterogeneous event traffic that is generated by intrusion detection sensors, log files and other event sources on a computer network from the point of view of detecting multistage attack paths that are of importance. We perform aggregation and correlation of these events based on their semantic content to generate Attack Tracks that are displayed to the analyst in real-time. Our tool, called the Event Correlation for Cyber-Attack Recognition System (ECCARS), enables the analyst to distinguish and separate an evolving multistage attack from the thousands of events generated on a network. We focus here on presenting the environment and framework for multistage attack detection using ECCARS along with screenshots that demonstrate its capabilities.


Military Communications Conference | 2005

Real-time multistage attack awareness through enhanced intrusion alert clustering

S. Mathew; D. Britt; R. Giomundo; Shambhu J. Upadhyaya; Moises Sudit; Adam Stotz

Correlation and fusion of intrusion alerts to provide effective situation awareness of cyber-attacks has become an active area of research. Snort is the most widely deployed intrusion detection sensor. For many networks and their system administrators, the alerts generated by Snort are the primary indicators of network misuse and attacker activity. However, the volume of the alerts generated in typical networks makes real-time attack scenario comprehension difficult. In this paper, we present an attack-stage oriented classification of alerts using Snort as an example and demonstrate that this effectively improves real-time situation awareness of multistage attacks. We also incorporate this scheme into a real-time attack detection framework and prototype presented by the authors in previous work and provide some results from testing against multistage attack scenarios.


Multisensor, Multisource Information Fusion: Architectures, Algorithms, and Applications 2006 | 2006

Measuring situational awareness and resolving inherent high-level fusion obstacles

Moises Sudit; Adam Stotz; Michael Holender; William A. Tagliaferri; Kathie Canarelli

Information Fusion Engine for Real-time Decision Making (INFERD) is a tool that was developed to supplement current graph matching techniques in Information Fusion models. Based on sensory data and a priori models, INFERD dynamically generates, evolves, and evaluates hypotheses on the current state of the environment. The a priori models developed are hierarchical in nature lending them to a multi-level Information Fusion process whose primary output provides a situational awareness of the environment of interest in the context of the models running. In this paper we look at INFERD's multi-level fusion approach and provide insight on the inherent problems such as fragmentation in the approach and the research being undertaken to mitigate those deficiencies. Due to the large variance of data in disparate environments, the awareness of situations in those environments can be drastically different. To accommodate this, the INFERD framework provides support for plug-and-play fusion modules which can be developed specifically for domains of interest. However, because the models running in INFERD are graph based, some default measurements can be provided and will be discussed in the paper. Among these are a Depth measurement to determine how much danger is presented by the action taking place, a Breadth measurement to gain information regarding the scale of an attack that is currently happening, and finally a Reliability measure to tell the user the credibility of a particular hypothesis. All of these results will be demonstrated in the Cyber domain where recent research has shown to be an area that is well-defined and bounded, so that new models and algorithms can be developed and evaluated.


Military Communications Conference | 2010

Situation Awareness of multistage cyber attacks by semantic event fusion

Sunu Mathew; Shambhu J. Upadhyaya; Moises Sudit; Adam Stotz

In this paper, we present strategies for real-time Situation Awareness of multistage cyber-attacks by utilizing heterogeneous sensor event streams. A flexible and practically usable attack modeling approach based on network connectivity and attack progression semantics is used to produce multistage attack templates. Events in live alert streams are correlated based on their semantics and the attack templates to provide analysts with effective perception, comprehension and projection of likely attacks and their progression. The techniques form the basis of the Event Correlation for Cyber Attack Recognition System (ECCARS), which is tested and validated extensively with realistic datasets.


Military Communications Conference | 2007

Intelligence Exchange (IntellEx)

Adam Stotz; Moises Sudit

The networking of modern day systems and organizations has become more prevalent and necessary as the problems now focused upon by the Department of Defense have strongly shifted from massive force on force confrontations to small group asymmetric and guerilla tactics. Actionable information which would provide decision makers with the greatest knowledge gain is not geographically or organizationally centric. This poses a problem for current stovepipe systems in two respects. Firstly, centralized processing of the enormous amount of data which is being collected is not feasible because of communication and computational bandwidth restrictions. Secondly, these local processing systems do not share information, so events which are globally relevant and locally insignificant will never be accredited with the importance they deserve. This paper introduces Intelligence Exchange (IntellEx), a system supporting transparent information dissemination for knowledge gain in distributed fusion processes. The system, which is in its basic research phase, is being developed for the purposes of maritime domain awareness or MDA. This paper will show how the problem characteristics of MDA would benefit from a global sharing of intelligence and how the system architecture of IntellEx is being designed to accomplish these goals. The paper will detail how multiple distributed instances of fixed process expert systems such as Information Fusion Engine for Real-time Decision Making (INFERD) can exchange intelligence transparently with zero modification to the expert system itself and little or no additional human modeling or input.


Springer Proceedings in Mathematics and Statistics | 2012

On the Optimization of Information Workflow

Michael J. Hirsch; Héctor J. Ortiz-Peña; Rakesh Nagi; Moises Sudit; Adam Stotz

Workflow management systems allow for visibility, control, and automation of some of the business processes. Recently, nonbusiness domains have taken an interest in the management of workflows and the optimal assignment and scheduling of workflow tasks to users across a network. This research aims at developing a rigorous mathematical programming formulation of the workflow optimization problem. The resulting formulation is nonlinear, but a linearized version is produced. In addition, two heuristics (a decoupled heuristic and a greedy randomized adaptive search procedure (GRASP) heuristic) are developed to find solutions quicker than the original formulation. Computational experiments are presented showing that the GRASP approach performs no worse than the other two approaches, finding solutions in a fraction of the time.

Collaboration


Top Co-Authors

Jared Holsopple, Rochester Institute of Technology

Michael E. Kuhl, Rochester Institute of Technology

Shanchieh Jay Yang, Rochester Institute of Technology

D. Britt, State University of New York System