FY2010 - Oak Ridge National Laboratory
Director’s R&D Fund—National Security Science and Technology
mitigate the advantages attackers gain through intrusion by identifying malicious behaviors on each host computer. It is expected to provide the capability for an organization to detect and respond to unauthorized exfiltration attempts.
Mission Relevance
Data exfiltration is a pressing government and commercial concern. There are numerous publicly reported instances of sensitive data being stolen from both government and industry entities and either exposed publicly or funneled to groups that will maliciously exploit the data. Unlike other tools that focus on detection at the network perimeter, this work focuses on a host-based exfiltration detection system that analyzes behaviors of users and processes. It addresses a need for exfiltration detection within a targeted network, should an intruder successfully breach the perimeter defense. To date, there are no host-based tools that automate both the reliable detection of data exfiltration activities and the invocation of the dynamic honeypot response.
The successful completion of this research will position ORNL and DOE to become a leader in data loss prevention. The data exfiltration detection and dynamic honeypot elements of this work support the mission of the Cyber Security Protection Program in DOE's National Security Department, the Cyber Security Program Area of the Department of Homeland Security's Command, Control and Interoperability Division, as well as the newly formed U.S. Cyber Command.
Results and Accomplishments
During this first year of the project, we focused on the data exfiltration detection and response capabilities. The paragraphs below summarize the accomplishments in each of these areas.
Unauthorized data exfiltration detection. With the wealth of data that is available on a computer host, we investigated three different approaches to characterizing anomalous behaviors in users and processes. The first approach dealt with the analysis of host log files and the extraction of relevant data from the volumes of log messages produced during a computer’s operation. We developed and implemented an algorithm that leverages s-grams and temporal clustering to identify the significant events in host log files. On average, the algorithm discarded 99.2% of the log file data while still identifying the relevant log messages. An invention disclosure for this algorithm is in development.
Our second approach to exfiltration detection was to extract and analyze data at the kernel level of computer operation in order to characterize user and process behaviors. We developed and implemented a model for identifying anomalous user behaviors by analyzing sequences of system calls. The model characterizes normal behaviors by maintaining a library of normal sequences and alerts on sequences that are not captured in the library. This approach was tested and found to be a viable discriminator of anomalous user and process behaviors. A conference paper has been submitted detailing the results.
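The system-call sequence model described above, as an added illustration (not ORNL's implementation): fixed-length windows of system calls observed during normal operation are stored in a library, and a trace is scored by the fraction of its windows the library has never seen. The window length, the alert threshold and the sample traces are all constructed assumptions for this example.

```python
# Constructed sample traces of system-call names, standing in for the kernel-level
# data the project collects. These are illustrative, not real captured traces.
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "fstat", "read", "close"],
]


def windows(trace, k):
    """Yield every contiguous window of k consecutive system calls in a trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_library(traces, k=3):
    """Build the library of normal behavior: the set of k-call windows seen in
    traces collected while the host was known to be operating normally."""
    library = set()
    for trace in traces:
        library.update(windows(trace, k))
    return library


def score_trace(trace, library, k=3):
    """Compare a new trace against the library.

    Returns (unseen_count, window_count, unseen_windows). An unseen window is a
    k-call sequence that never appeared during normal operation; a cluster of
    them is the signal the detector alerts on.
    """
    seen = windows(trace, k)
    unseen = [w for w in seen if w not in library]
    return len(unseen), len(seen), unseen


def is_anomalous(trace, library, k=3, max_unseen_fraction=0.2):
    """Alert when more than max_unseen_fraction of the trace's windows are
    absent from the library. Traces shorter than k yield no windows and are
    never flagged on their own (assumed threshold; tune on real data)."""
    unseen, total, _ = score_trace(trace, library, k)
    if total == 0:
        return False
    return unseen / total > max_unseen_fraction


if __name__ == "__main__":
    lib = build_library(NORMAL_TRACES)
    # A file read followed by an outbound network send never occurred in the
    # normal traces, so every window of this trace is unseen and it is flagged.
    suspect = ["open", "read", "socket", "connect", "sendto", "close"]
    print(score_trace(suspect, lib), is_anomalous(suspect, lib))
```

A trace that recombines windows from different normal traces (for example open, read, write, close) scores zero unseen windows, which shows how the library generalizes beyond the exact traces it was built from.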
Our third approach focused on a method to fuse data from multiple sensors into a reliable detector of unauthorized data exfiltration behaviors. The challenge in this piece is to discriminate data exfiltration behaviors from normal behaviors. Progress made with this fusion approach includes the development and implementation of a large-scale complex temporal pattern discovery algorithm that is driven by an evaluation of discrimination power. Evaluation of this algorithm’s performance is expected in the coming year of work.
Active response through dynamic honeypots. The focus for the active response element of this work was to develop the software infrastructure for performing real-time response actions. Our approach to active response for data exfiltration events is to secure the sensitive data by quarantining malicious user
148