Moises Sudit
University at Buffalo
Publications
Featured research published by Moises Sudit.
Computers & Operations Research | 2008
Vijay K. Shetty; Moises Sudit; Rakesh Nagi
This paper considers the strategic routing of a fleet of unmanned combat aerial vehicles (UCAVs) to service a set of predetermined targets from a prior surveillance mission. Targets are characterized by their priority or importance level, and minimum and maximum service levels that, respectively, represent the lower bound of munitions for destruction and the upper bound of munitions to limit collateral damage. Additional constraints to be respected are the payload capacities of the (possibly heterogeneous) UCAV fleet and the range based on fuel capacity and payload transported. The vital aspect of this paper is the integrated optimal utilization of available resources (weaponry and flight time) while allocating targets to UCAVs and sequencing them to maximize service to targets based on their criticality. The complexity of the problem is addressed through a decomposition scheme with two problems: a target assignment problem (modeled as a minimum cost network flow problem) and a vehicle routing problem, which in turn splits into multiple decision traveling salesman problems, one for each UAV. A Tabu search heuristic is developed to coordinate the two problems. Using test problems, we establish the applicability of this approach to solving practical-sized problems.
Winter Simulation Conference | 2007
Michael E. Kuhl; Jason Kistner; Kevin Costantini; Moises Sudit
Cyber security methods are continually being developed. To test these methods, many organizations utilize both virtual and physical networks, which can be costly and time consuming. As an alternative, in this paper we present a simulation modeling approach to represent computer networks and intrusion detection systems (IDS) in order to efficiently simulate cyber attack scenarios. The outcome of the simulation model is a set of IDS alerts that can be used to test and evaluate cyber security systems. In particular, the simulation methodology is designed to test information fusion systems for cyber security that are under development.
Information Fusion | 2009
Shanchieh Jay Yang; Adam Stotz; Jared Holsopple; Moises Sudit; Michael E. Kuhl
The use of computer networks has become a necessity for government, industry, and personal businesses. Protection and defense against cyber attacks on computer networks, however, are becoming inadequate as attackers become more sophisticated and as the networks and systems become more complex. Drawing analogies from other application domains, this paper introduces information fusion to provide situation awareness and threat prediction from massive volumes of sensed data. An in-depth discussion is provided to define fusion tasks for cyber defense. A novel cyber fusion system is proposed to address specifically the tracking and projection of multistage attacks. Critical assessments of the developed attack tracking and threat projection sub-components are provided with simulation results. This pioneering work elaborates the benefits, limitations, and future challenges of high level information fusion for cyber security.
International Conference on Information Fusion | 2007
Adam Stotz; Moises Sudit
Information Fusion Engine for Real-time Decision-making (INFERD) is a perceptual information fusion engine designed and developed for the purpose of cyber attack tracking and network situational awareness. While the original application was cyber oriented, the engine itself is designed to generalize and has been ported to other application environments such as maritime domain awareness and medical syndromic surveillance. Comparisons and contrasts are drawn to the traditional Kalman ground target tracking science, motivating high-level architectural modules and presenting the cyber environment complexities and assumptions. Performance results are presented showing success in both detection accuracy and temporal expedience, an important design goal.
Computers & Operations Research | 2006
Carol J. Romanowski; Rakesh Nagi; Moises Sudit
Data mining has been making inroads into the engineering design environment, an area that generates large amounts of heterogeneous data for which suitable mining methods are not readily available. For instance, an unsupervised data mining task (clustering) requires an accurate measure of distance or similarity. This paper focuses on the development of an accurate similarity measure for bills of materials (BOM) that can be used to cluster BOMs into product families and subfamilies. The paper presents a new problem called tree bundle matching (TBM) that is identified as a result of the research, gives a non-polynomial formulation, a proof that the problem is NP-hard, and suggests possible heuristic approaches.

In a typical life cycle of an engineering project or product, enormous amounts of diverse engineering data are generated. Some of these include BOM, product design models in CAD, engineering drawings, manufacturing process plans, quality and test data, and warranty records. Such data contain information crucial for efficient and timely development of new products and variants; however, this information is often not available to designers. Our research employs data mining methods to extract this design information and improve its accessibility to design engineers. This paper focuses on one aspect of the overall research agenda, clustering BOMs into families and subfamilies. It extends previous work on a graph-based similarity measure for BOMs (a class of unordered trees) by presenting a new TBM problem, and proves the problem to be NP-hard. The overall contribution of this work is to demonstrate the OR applications from graph matching, stochastic methods, optimization, and others to data mining in the engineering design environment.
Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security Conference | 2005
Moises Sudit; Adam Stotz; Michael Holender
As technology continues to advance, services and capabilities become computerized, and an ever-increasing amount of business is conducted electronically, the threat of cyber attacks is compounded by the complexity of such attacks and the criticality of the information that must be secured. A new age of virtual warfare has dawned in which seconds can make the difference between the protection of vital information and/or services and a malicious attacker attaining their goal. In this paper we present a novel approach to the real-time detection of multistage coordinated cyber attacks and the promising initial testing results we have obtained. We introduce INFERD (INformation Fusion Engine for Real-time Decision-making), an adaptable information fusion engine which performs fusion at levels zero, one, and two to provide real-time situational assessment, and its application to the cyber domain in the ECCARS (Event Correlation for Cyber Attack Recognition System) system. The advantages of our approach are fourfold: (1) the complexity of the attacks which we consider, (2) the level of abstraction at which the analyst interacts with the attack scenarios, (3) the speed at which the information fusion is performed and presented, and (4) our disregard for ad hoc rules or a priori parameters.
Multisensor, Multisource Information Fusion: Architectures, Algorithms, and Applications 2006 | 2006
Jared Holsopple; Shanchieh Jay Yang; Moises Sudit
Current practice for combating cyber attacks typically uses Intrusion Detection Sensors (IDSs) to passively detect and block multi-stage attacks. This work leverages Level-2 fusion that correlates IDS alerts belonging to the same attacker, and proposes a threat assessment algorithm to predict potential future attacker actions. The algorithm, TANDI, reduces the problem complexity by separating the models of the attacker's capability and opportunity, and fuses the two to determine the attacker's intent. Unlike traditional Bayesian-based approaches, which require assigning a large number of edge probabilities, the proposed Level-3 fusion procedure uses only 4 parameters. TANDI has been implemented and tested with randomly created attack sequences. The results demonstrate that TANDI predicts future attack actions accurately as long as the attack is not part of a coordinated attack and contains no insider threats. In the presence of abnormal attack events, TANDI will alert the network analyst for further analysis. The attempt to evaluate a threat assessment algorithm via simulation is the first in the literature, and shall open up a new avenue in the area of high-level fusion.
Information Fusion | 2010
Kedar Sambhoos; Rakesh Nagi; Moises Sudit; Adam Stotz
The intent of this paper is to show enhancements in Level 2 and Level 3 fusion capabilities through a new class of models and algorithms in graph matching. The problem today is often not a lack of data but, instead, a lack of information and data overload. Graph matching algorithms help us solve this problem by identifying meaningful patterns in voluminous amounts of data to provide information. In this paper we investigate a classical graph matching technique for subgraph isomorphism. A complete implementation of a heuristic approach (since the problem under consideration is NP-hard) using an inexact isomorphism technique has been used. The heuristic approach is called the Truncated Search Tree algorithm (TruST), where the state space of the problem is constrained using breadth and depth control parameters. The breadth and depth control parameters are then studied using design-of-experiment-based inferential statistics. Finally, a software implementation of the procedure has been completed.
Visualization for Computer Security | 2006
Sunu Mathew; Richard Giomundo; Shambhu J. Upadhyaya; Moises Sudit; Adam Stotz
In this paper, we present a method of handling the visualization of heterogeneous event traffic that is generated by intrusion detection sensors, log files and other event sources on a computer network, from the point of view of detecting multistage attack paths that are of importance. We perform aggregation and correlation of these events based on their semantic content to generate Attack Tracks that are displayed to the analyst in real time. Our tool, called the Event Correlation for Cyber-Attack Recognition System (ECCARS), enables the analyst to distinguish and separate an evolving multistage attack from the thousands of events generated on a network. We focus here on presenting the environment and framework for multistage attack detection using ECCARS, along with screenshots that demonstrate its capabilities.
Military Communications Conference | 2005
S. Mathew; D. Britt; R. Giomundo; Shambhu J. Upadhyaya; Moises Sudit; Adam Stotz
Correlation and fusion of intrusion alerts to provide effective situation awareness of cyber-attacks has become an active area of research. Snort is the most widely deployed intrusion detection sensor. For many networks and their system administrators, the alerts generated by Snort are the primary indicators of network misuse and attacker activity. However, the volume of alerts generated in typical networks makes real-time attack scenario comprehension difficult. In this paper, we present an attack-stage-oriented classification of alerts using Snort as an example and demonstrate that this effectively improves real-time situation awareness of multistage attacks. We also incorporate this scheme into a real-time attack detection framework and prototype presented by the authors in previous work, and provide some results from testing against multistage attack scenarios.