FY2010 - Oak Ridge National Laboratory

More documents

Recommendations

Info

Director’s R&D Fund— National Security Science and Technology mitigate the advantages attackers gain through intrusion by identifying malicious behaviors on each host computer. It is expected to provide the capability for an organization to detect and respond to unauthorized exfiltration attempts. Mission Relevance Data exfiltration is a pressing government and commercial concern. There are numerous publicly reported instances of sensitive data being stolen from both government and industry entities and either exposed publicly or funneled to groups that will maliciously exploit the data. Unlike other tools that focus on detection at the network perimeter, this work focuses on a host-based exfiltration detection system that analyzes behaviors of users and processes. It addresses a need for exfiltration detection within a targeted network, should an intruder successfully breach the perimeter defense. To date, there are no host-based tools that automate both the reliable detection of data exfiltration activities and the invocation of the dynamic honeypot response. The successful completion of this research will position ORNL and DOE to become a leader in data loss prevention. The data exfiltration detection and dynamic honeypot elements of this work support the mission of the Cyber Security Protection Program in DOE's National Security Department, the Cyber Security Program Area of the Department of Homeland Security's Command, Control and Interoperability Division, as well as the newly formed U.S. Cyber Command. Results and Accomplishments During this first year of the project, we focused on the data exfiltration detection and response capabilities. The paragraphs below summarize the accomplishments in each of these areas. Unauthorized data exfiltration detection. With the wealth of data that is available on a computer host, we investigated three different approaches to characterizing anomalous behaviors in users and processes. The first approach dealt with the analysis of host log files and extracting relevant data from the volumes of log messages produced during a computer’s operation. We developed and implemented an algorithm that leverages s-grams and temporal clustering to identify those significant events in host log files. On average, the algorithm discarded 99.2% of the log file data while still identifying the relevant log messages. An invention disclosure for this algorithm is in development. Our second approach to exfiltration detection was to extract and analyze data at the kernel level of computer operation in order to characterize user and process behaviors. We developed and implemented a model for identifying anomalous user behaviors by analyzing sequences of system calls. The model characterizes normal behaviors by maintaining a library of normal sequences and alerts on sequences that are not captured in the library. This approach was tested and found to be a viable discriminator of anomalous user and process behaviors. A conference paper has been submitted detailing the results. Our third approach was focused on a method to fuse data from multiple sensors into a reliable detector of unauthorized data exfiltration behaviors. The challenge in this piece is to discriminate data exfiltration behaviors from normal behaviors. Progress made with this fusion approach includes the development and implementation of a large-scale complex temporal pattern discovery algorithm that is driven by an evaluation of discrimination power. Evaluation of this algorithm’s performance is expected in the coming year of work. Active response through dynamic honeypots. The focus for the active response element of this work was to develop the software infrastructure for performing real-time response actions. Our approach to active response for data exfiltration events is to secure the sensitive data by quarantining malicious user 148
Director’s R&D Fund— National Security Science and Technology sessions, and employ deceptions to keep an intruder engaged, allowing for both the capture of forensic data and the extrusion of nonsensitive or misleading data in lieu of the real data. Our progress in the active response area of this effort includes development of several components of this approach, described as follows. To support the quarantine of malicious remote sessions, we developed a prototype implementation of process migration. Actively running user processes are relocated to a virtual machine where they are insulated from the files they are attempting to steal. In order to deceive the attacker and maintain the illusion that they are working with the real target file system, we developed a prototype for automated file system mirroring that replicates the original file system structure but the mirrored files are 0/null padded. Therefore, once the unauthorized exfiltration is detected, the offending process is re-mapped to the mirrored file system to prevent the extrusion of the sensitive data. To support the forensic analysis of malicious behaviors, we developed a means for host-based forensic data acquisition that leverages the DTrace UNIX real-time probing capability to capture system call data. This provides insight into the system-level operation of malicious users/processes and allows for the identification of exemplar exfiltration behaviors. 05487 Biological Signature Identification and Threat Evaluation System (BioSITES) R. W. Cottingham, T. S. Brettin, S. D. Brown, and D. J. Quest Project Description The United States has a well-established and accomplished multiagency process dedicated to nuclear forensics; there is no parallel process for biological forensics, underpinned by state-of the-art science. BioWatch, the current standard in deployed biothreat detection, cannot detect genetically engineered threats. There is a pressing need for a new system leveraging recent scientific advances to improve threat detection. We propose a new system called BioSITES that will integrate systems biology knowledge repositories with new data collection technologies such as high-throughput sequencing. This will enable the construction of better detectors and provide a basis for mitigation, response, protection, and forensics and therefore a path for future development of BioSITES and biodefense. Newly funded initiatives are establishing ORNL as a leader in knowledgebase development for systems biology research. Further, ORNL projects such as the BioEnergy Science Center were awarded in recognition of the resident expertise in systems biology research and management of such large-scale biological projects. This project leverages these core competencies toward the development of a new kind of biodefense system required to respond to upcoming threats of the 21st century. The BioSITES prototype will demonstrate capabilities that go beyond current deployed systems. Mission Relevance Implementation of the BioSITES prototype will provide the technological foundation that will allow our team to demonstrate capabilities to the Department of Defense (DOD) and the Department of Homeland Security (DHS) that will ultimately improve threat detection, reduce detection costs, and improve response times. This system would be useful for both homeland security and for defending American 149
Page 1 and 2:
ORNL/PPA-2011/1 Laboratory Directed
Page 3:
ORNL/PPA-2011/1 Oak Ridge National
Page 6 and 7:
NEUTRON SCIENCES ..................
Page 8 and 9:
NATIONAL SECURITY SCIENCE AND TECHN
Page 10 and 11:
05887 Controlling the Catalytic Pro
Page 13 and 14:
Introduction INTRODUCTION The Labor
Page 15 and 16:
Introduction projects for next-gene
Page 17 and 18:
Introduction ― Develop new mode
Page 19 and 20:
Introduction To select the best and
Page 21 and 22:
Introduction Fig. 2. Distribution o
Page 23:
SUMMARIES OF PROJECTS SUPPORTED THR
Page 26 and 27:
Director’s R&D Fund— Science fo
Page 28 and 29:
Page 30 and 31:
Page 32 and 33:
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 53 and 54:
Director’s R&D Fund— Neutron Sc
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
05306 Structure and Structure Evolu
Page 67 and 68:
05404 Asynchronous In Situ Neutron
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Director’s R&D Fund— Ultrascale
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Director’s R&D Fund— Systems Bi
Page 107 and 108:
Director’s R&D Fund— Systems Bi
Page 109 and 110: Director’s R&D Fund— Systems Bi
Page 117: Director’s R&D Fund— Systems Bi
Page 120 and 121: Director’s R&D Fund— Advanced E
Page 135 and 136: Director’s R&D Fund— Emerging S
Page 137 and 138: Director’s R&D Fund— Emerging S
Page 139: Director’s R&D Fund— Emerging S
Page 142 and 143: Director’s R&D Fund— Understand
Page 153 and 154: Director’s R&D Fund— National S
Page 159: Director’s R&D Fund— National S
Page 163: 05573 Rapid Radiochemistry Applicat
Page 166 and 167: Director’s R&D Fund— Energy Sto
Page 176 and 177: Director’s R&D Fund— General Re
Page 178 and 179: Director’s R&D Fund— General de
Page 180 and 181: Director’s R&D Fund— General su
Page 182 and 183: Director’s R&D Fund— General 05
Page 184 and 185: Director’s R&D Fund— General 20
Page 187 and 188: Seed Money Fund— Biosciences Divi
Page 193: Seed Money Fund— Biosciences Divi
Page 196 and 197: Seed Money Fund— Center for Nanop
Page 199 and 200: Seed Money Fund— Chemical Science
Page 205: Seed Money Fund— Chemical Science
Page 208 and 209: Seed Money Fund— Computational Sc
Page 210 and 211:
Seed Money Fund— Computational Sc
Page 213 and 214:
Seed Money Fund— Computer Science
Page 215 and 216:
Seed Money Fund— Energy and Trans
Page 217 and 218:
Page 219:
Page 222 and 223:
Seed Money Fund— Environmental Sc
Page 224 and 225:
Seed Money Fund— Environmental Sc
Page 227 and 228:
Seed Money Fund— Fusion Energy Di
Page 229 and 230:
Seed Money Fund— Materials Scienc
Page 231 and 232:
Page 233 and 234:
Page 235 and 236:
Page 237 and 238:
Page 239 and 240:
Page 241 and 242:
Seed Money Fund— Measurement Scie
Page 243 and 244:
Page 245 and 246:
Page 247 and 248:
05858 Fabrication of Ultrathin Grap
Page 249 and 250:
Page 251:
Page 254 and 255:
Seed Money Fund— Global Nuclear S
Page 256 and 257:
Seed Money Fund— Neutron Scatteri
Page 259 and 260:
Seed Money Fund— Reactor and Nucl
Page 261 and 262:
Page 263 and 264:
Page 265:
Page 268 and 269:
Seed Money Fund— Physics Division
Page 270 and 271:
Seed Money Fund— Physics Division
Page 272 and 273:
Seed Money Fund— Research Acceler
Page 275 and 276:
Laboratory-Wide Fellowships— Wein
Page 277 and 278:
Page 279 and 280:
Page 281:
Page 284 and 285:
Laboratory-Wide Fellowships— Wign
Page 286 and 287:
Laboratory-Wide Fellowships— Wign
Page 288 and 289:
Index of Project Contributors Coope
Page 290 and 291:
Index of Project Contributors Mille
Page 292 and 293:
Index of Project Contributors Yang,
Page 294:
Index of Project Numbers 05501 ....
show all

FY2010 - Oak Ridge National Laboratory

Create successful ePaper yourself

Delete template?

Save as template?