FY2010 - Oak Ridge National Laboratory
Director’s R&D Fund—National Security Science and Technology
05281
Distributed Computational Intelligence for Active Response to Cyber-Threat
Louis Wilder, Erik Ferragut, Craig A. Shue, Brent Lagesse, and Chris Rathgeb
Project Description
Computer and network attacks continue to grow exponentially, and the insider threat has become widespread. Currently, the intrusion detection system is the mitigation technique used to thwart these attacks, and misuse detection is the most common method such systems employ. Yet these systems are limited in their ability to detect zero-day attacks and suffer from high false-positive rates. They also scale poorly and provide little or no situational awareness.
Our project goal is to develop a unique capability in anomaly detection and active response to intrusions in Internet Protocol networks, using both statistical host-level learning of normal user behavior and distributed computational intelligence for near-real-time reaction. This extends traditional intrusion detection tools by employing advanced probabilistic modeling to strengthen the statistical analyses. Quantified normal behaviors are shared ontologically within a hierarchical learning framework that allows distributed monitoring, comparison, and storage of normal usage profiles. The framework also reacts to perceived threats (e.g., by isolating network elements or actively reconfiguring system components to prevent an intrusion from spreading). This kind of analysis and defense capability is an indispensable aid for system administrators. It also gives users the ability to monitor system behaviors in previously unavailable detail.
Mission Relevance
DOE is responsible for the integrity and protection of the nation’s energy delivery systems, where cyber attacks may have extreme consequences for public health and safety and for the nation’s economy. DOE’s substantial cyber assets, its international visibility, its mission, and its open research make it a target for cyber attacks.
This research aligns directly with the missions of DOE, the Intelligence Advanced Research Projects Activity, the Intelligence Community, and the Department of Homeland Security (DHS). These agencies are eager for tools that help analyze and detect suspicious anomalous activities. The research will help establish a capability that is essential for long-term cyberspace security and will establish ORNL as a leader in an area of cyberspace security traditionally deemed too difficult to solve. Additionally, the capability provides a novel application of sensor fusion that does not currently exist at any of the laboratories.
Results and Accomplishments
The research has produced a prototype software framework that uses temporal, ontology-based information in our anomaly detector for distributed intrusion detection with active response. The framework provides algorithms that combine elements of learning, adaptation, and evolution to address the analysis and correlation of intrusion data.
While researching the ontology-based approach, we found that Latent Dirichlet Allocation is a viable method for classifying anomalous behavior over port events in network monitoring. In addition, distinguishing whether anomalous behavior is malicious or benign has been a grand challenge; we have begun investigating the use of Petri nets to model this behavior and provide a solution.
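The Latent Dirichlet Allocation idea above, as an added example that is not part of the ORNL project's code: a minimal collapsed Gibbs sampler fits topics to per-host "documents" of port-event tokens, and a held-out host is then scored by how poorly the learned topic mixture explains its ports. The hosts, port tokens, hyperparameters and the unseen-port floor are constructed assumptions, not data or settings from the report.

```python
import math
import random

# Constructed sample data (assumption): each host is a "document" whose words are port tokens.
TRAINING_HOSTS = [
    ["tcp/80", "tcp/443", "tcp/443", "tcp/80", "udp/53", "tcp/443"],
    ["tcp/443", "tcp/80", "udp/53", "tcp/443", "tcp/80", "tcp/80"],
    ["tcp/25", "tcp/143", "tcp/993", "tcp/25", "udp/53", "tcp/993"],
    ["tcp/993", "tcp/25", "tcp/143", "udp/53", "tcp/25", "tcp/143"],
]

def fit_lda(docs, k=2, iters=300, alpha=0.1, beta=0.01, seed=7):
    # Collapsed Gibbs sampler. Returns (idx, phi, theta): phi[t][v] = P(port v | topic t),
    # theta[t] = corpus-wide topic proportion, reused as the prior for hosts not in the baseline.
    rng = random.Random(seed)
    idx = {w: i for i, w in enumerate(sorted({w for d in docs for w in d}))}
    V = len(idx)
    z = [[rng.randrange(k) for _ in d] for d in docs]          # topic assigned to each event
    ndk, nkw, nk = [[0] * k for _ in docs], [[0] * V for _ in range(k)], [0] * k  # count tables
    for d, doc in enumerate(docs):
        for i, w in enumerate(doc):
            t = z[d][i]; ndk[d][t] += 1; nkw[t][idx[w]] += 1; nk[t] += 1
    for _ in range(iters):                                      # resample every event's topic
        for d, doc in enumerate(docs):
            for i, w in enumerate(doc):
                t, v = z[d][i], idx[w]
                ndk[d][t] -= 1; nkw[t][v] -= 1; nk[t] -= 1
                p = [(ndk[d][j] + alpha) * (nkw[j][v] + beta) / (nk[j] + V * beta) for j in range(k)]
                r, t = rng.random() * sum(p), 0
                while r > p[t] and t < k - 1:                   # draw t proportional to p
                    r -= p[t]; t += 1
                z[d][i] = t; ndk[d][t] += 1; nkw[t][v] += 1; nk[t] += 1
    phi = [[(nkw[t][v] + beta) / (nk[t] + V * beta) for v in range(V)] for t in range(k)]
    theta = [(n + alpha) / (sum(nk) + k * alpha) for n in nk]
    return idx, phi, theta

def anomaly_score(model, events, floor=1e-6):
    # Mean negative log-likelihood per event under the learned topic mixture. A port never
    # seen in the baseline gets probability `floor`, so unfamiliar port usage raises the score.
    idx, phi, theta = model
    nll = 0.0
    for w in events:
        pw = sum(theta[t] * phi[t][idx[w]] for t in range(len(theta))) if w in idx else floor
        nll -= math.log(pw)
    return nll / len(events)

MODEL = fit_lda(TRAINING_HOSTS)
NORMAL_HOST = ["tcp/80", "tcp/443", "udp/53", "tcp/443"]        # matches the web-browsing profile
UNUSUAL_HOST = ["tcp/80", "tcp/23", "tcp/5900", "tcp/3389"]     # ports absent from the baseline
```

A real deployment would fold a new host's events into the sampler rather than scoring against the corpus-wide prior, and would threshold the score against the distribution observed on known-good hosts.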