Cyber-Threat Analytics
(Cyber-TA) is a research initiative to accelerate the ability of
organizations to defend against large-scale network threats by creating
the underlying technologies to enable next-generation
privacy-preserving digital threat analysis centers.
We will conduct basic research,
develop prototype implementations of our core concepts, and demonstrate
practical schemes for Internet-scale collaborative digital attack
reconnaissance and mitigation. Our
envisioned next-generation threat analysis centers must support highly
automated threat diagnosis and prioritization, scale to alert volumes
and data sources that characterize attack phenomena across millions of
IP addresses, and rapidly distribute actionable information back to the
broader network community to help mitigate emerging
attacks. However, such centers must also address
fundamental information privacy concerns among the contributor pool.
These privacy concerns may at best limit the participation of, or at
worst expose to harm, those who choose to share highly sensitive
security log content within current collaborative security analysis
frameworks.
We will pursue this initiative with four
primary project thrusts. First,
we will explore practical schemes for Internet-scale collaborative
sharing of sensitive information security log content, while providing
extensive guarantees for contributor anonymity. Cyber-TA
aims to enable far broader sharing of even the most sensitive
system and security log content, allowing contributors to release “rich-content” (anonymized) alert information that
opens new directions in ultra-large-scale repository correlation. Second, we will develop real-time malware-focused
alert correlation analyses, and in particular will explore
contributor-side correlation applications with repository-side
reassembly. Third, we will develop new
threat-warning dissemination schemes to rapidly inform large-scale
multi-enterprise environments of new attack patterns, and will also
explore malware mitigation strategies that take advantage of the
collaborative data correlation performed by analysis centers. Finally, we will operationalize our research
prototypes in open-source software releases, develop capability
demonstrations within a Washington D.C.-based threat operations center,
and perform integration studies with our commercial partners.
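As an illustration of the first two thrusts, the following is an added example and not Cyber-TA's own code or design: it shows one way a contributor could release rich-content alerts with its site-local fields pseudonymized under a key it never shares, and how a repository could still correlate the released alerts across contributors. The alert records, contributor names and keys are constructed for the example; the HMAC-based pseudonymization and the field split (external addresses and signatures left in the clear, internal hosts and contributor identity pseudonymized) are assumptions made here, not the project's method.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict

# Address ranges this example treats as site-local (RFC 1918 plus loopback and
# link-local). A real contributor would substitute its own address plan.
SITE_LOCAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_site_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SITE_LOCAL)


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym for a sensitive field.

    Deterministic, so the same host yields the same token throughout one
    contributor's feed (the repository can still count and link events);
    keyed, so the repository cannot recompute it. Caveat: IPv4 has only
    2^32 values, so anyone holding the key can dictionary-attack every
    token. The key must never leave the contributor.
    """
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return "p:" + digest[:16]


def sanitize_alert(alert: dict, contributor_key: bytes) -> dict:
    """Contributor-side sanitization before release to the repository.

    External (attacker-side) addresses and the signature stay in the clear
    because they are the actionable content; site-local addresses, host
    names and the contributor's own identity are replaced by pseudonyms.
    """
    released = dict(alert)
    released["contributor"] = pseudonym(alert["contributor"], contributor_key)
    for field in ("src_ip", "dst_ip"):
        if is_site_local(alert[field]):
            released[field] = pseudonym(alert[field], contributor_key)
    if "dst_host" in alert:
        released["dst_host"] = pseudonym(alert["dst_host"], contributor_key)
    return released


def correlate(sanitized_alerts, min_contributors: int = 2) -> dict:
    """Repository-side correlation over released alerts.

    Groups by (external source address, signature) and reports the pairs
    seen by at least min_contributors distinct contributor pseudonyms.
    """
    seen = defaultdict(set)
    for a in sanitized_alerts:
        if not is_site_local(a["src_ip"]):
            seen[(a["src_ip"], a["sig"])].add(a["contributor"])
    return {k: len(v) for k, v in seen.items() if len(v) >= min_contributors}


# Constructed sample alerts and keys (hypothetical contributors, not real data).
SAMPLE_ALERTS = [
    {"contributor": "acme-corp", "src_ip": "203.0.113.7", "dst_ip": "10.1.2.3",
     "dst_host": "fileserver01.acme.example", "sig": "Win32/Foo C2 beacon"},
    {"contributor": "acme-corp", "src_ip": "203.0.113.7", "dst_ip": "10.1.2.9",
     "dst_host": "wks-042.acme.example", "sig": "Win32/Foo C2 beacon"},
    {"contributor": "globex", "src_ip": "203.0.113.7", "dst_ip": "192.168.5.20",
     "dst_host": "mail.globex.example", "sig": "Win32/Foo C2 beacon"},
    {"contributor": "globex", "src_ip": "198.51.100.9", "dst_ip": "192.168.5.21",
     "dst_host": "db.globex.example", "sig": "SSH brute force"},
]
CONTRIBUTOR_KEYS = {"acme-corp": b"acme-secret-key", "globex": b"globex-secret-key"}


def run_demo():
    """Each contributor sanitizes with its own key; the repository correlates."""
    released = [sanitize_alert(a, CONTRIBUTOR_KEYS[a["contributor"]])
                for a in SAMPLE_ALERTS]
    return released, correlate(released)


if __name__ == "__main__":
    released, hits = run_demo()
    for r in released:
        print(r)
    print("seen by >= 2 contributors:", hits)
```

Two limits of this scheme are worth keeping in mind. A deterministic keyed pseudonym gives pseudonymity, not anonymity: the repository can still link every alert from one contributor and count its internal hosts, which is what makes the feed correlatable in the first place. And leaving external addresses in the clear means the repository learns which external hosts a contributor interacts with; a production design would decide per field what must be hidden and what must stay actionable.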
Cyber-TA will contribute to the mission
of DoD information data protection in several ways. Our
initiative seeks to overcome fundamental limitations observed in the
current generation of large-scale DoD threat analysis systems. This includes solving the problems of passive
vulnerability disclosure, component equity control, and legitimate
site-local privacy concerns, which have hindered current and past
Computer Network Defense Command and Control (CND C2)
activities. We envision anonymity-enabled rich content
alert collection that will drive several novel schemes for large-scale
malware detection and mitigation. We further believe that
this work is highly applicable to problems that today prohibit the
rapid formation of digital threat analysis centers in a variety of
multi-agency or multi-country coalition network operating scenarios, as
well as supporting the future of national-scale protection services for
the public Internet.
We have selected a consortium team that
brings together outstanding researchers in all key areas of information
security that Cyber-TA will encompass. Our consortium will
be led by the Computer Science Laboratory of SRI, which has an
established history of foundational research in system and network
architecture, information privacy, protocol design, computer and
network intrusion detection, and large-scale alert
correlation. We also bring together well-established
researchers from eight academic institutions that are actively engaged
in the development of key innovations that will allow Cyber-TA to
deliver new results in all of our research thrust areas.
Finally, we will actively develop
and demonstrate prototype instantiations of our concepts, and to this
end we include four small business consortium partners with relevant
security products and services, who will support commercial integration
studies of our solutions into the enterprise security markets.