Butler, Slagell and Withers of NCSA win an NSF award for $499,206 along with co-PIs Ravi Iyer of UIUC and Jim Marsteller at PSC. This work will bring a new security appliance and tools for sharing and using intelligence to the many Science DMZ communities supported by NSF.

Abstract

This research is expected to significantly enhance the security of campus and research networks. It addresses the emerging security challenge of open, unrestricted access to campus research networks, but beyond that it lays the foundation for an evolvable intelligence sharing network with the very real potential for national scale analysis of that intelligence. Further it will supply cyber security researchers with a rich real-world intelligence source upon which to test their theories, tools, and techniques. The research will produce a new kind of virtual security appliance that will significantly enhance the security posture of open science networks so that advanced high-performance network-based research can be carried out free of performance lags induced by more traditional security controls.

This research will integrate prior research results, expertise and security products from from both the National Science Foundation and the Department of Energy to advance the security infrastructure available for open science networks, aka Science DMZs. Further the effort will actively promote sharing of intelligence among science DMZ participants as well as with national academic computational resources and organizations that wish to participate. Beyond meeting the security needs of campus-based DMZs, the effort will lay the foundation for an intelligence sharing infrastructure that will provide a significant benefit to the cybersecurity research community, making possible the collection, annotation, and open distribution of a national scale security intelligence to help test and validate on-going security research.

One of CyberSecurity's newest leaders, Alex Withers, wins a $499,136 award from the National Science Foundation to bring research from Professor Ravi Iyer's DEPEND group to production use.

Abstract

The cyber infrastructure that supports science research (such as the cyberinfrastructure that provides access to unique scientific instrumentation such as a telescope, or an array of highly distributed sensors placed in the field, or a computational supercomputing center) faces the daunting challenge of defending against cyber attacks. Modest to medium research project teams have little cyber security expertise to defend against the increasingly diverse, advanced and constantly evolving attacks. Even larger facilities that have with security expertise are often overwhelmed with the amount of security log data they need to analyze in order to identify attackers and attacks, which is the first step to defending against them. The challenges of the traditional approach of identifying an attacker are amplified by the lack of tools and time to detect attacks skillfully hidden in the noise of ongoing network traffic. The challenge is not necessarily in deploying additional monitoring but to identify this malicious traffic by utilizing all available information found in the plethora of security, network, and system logs that are already being actively collected. This project proposes to build and deploy, is needed in research environments, an advanced log analysis tool, named AttackTagger, that can scale to be able to address the dramatic increase in security log data, and detect emerging threat patterns in today's constantly evolving security landscape. AttackTagger will make science research in support of national priorities more secure.

AttackTagger will be a sophisticated log analysis tool designed to find potentially malicious activity, such as credential theft, by building factor graph models for advanced pattern matching. AttackTagger will integrate with existing security software so as to be easily deployable within existing security ecosystems and to offload processing and computational work onto better suited components. It can consume a wide variety of system and network security logs. AttackTagger accomplishes advanced pattern matching by utilizing a Factor Graph model, which is a type of probabilistic graphical model that can describe complex dependencies among random variables using an undirected graph representation, specifically a bipartite graph. The bipartite graph representation consists of variable nodes representing random variables, factor nodes representing local functions (or factor functions , and edges connecting the two types of nodes. Variable dependencies in a factor graph are expressed using a global function, which is factored into a product of local functions. In the practice of the security domain, using factor graphs is more flexible to define relations among the events and the user state compared to Bayesian Network and Markov Random Field approaches. Specifically, using factor graphs allows capturing sequential relation among events and enables integration of the external knowledge, e.g., expert knowledge or a user profile.