Characterization Model for Defense Adaptability
Principal Investigator: C Hughes
Technical Advisor: G Fink, Adaptive Systems Focus Area
The Characterization Model for Defense Adaptability (CMDA) project's goal is to show that the innate characteristics of network data, initially packet capture data, can be observed, measured and grouped into meaningful clusters. Cluster formation and cluster attributes may yield the identities of the entities that underlie these clusters. CMDA will 1) develop data-driven clustering algorithms, 2) produce transform functions that yield candidate traffic-generating entities, and then 3) compare and validate these transforms and the derived entities against known truth via synthetic traffic generation models. CMDA supports the DHS awareness and prevention functions by helping to create a dynamic characterization of normal behavior in systems and networks that can be used to detect malicious activity early. One project goal is to measure the "human-ness" of entities on a continuum that separates human from automated activity on networks. Another goal is to adaptively derive a pattern language for characterizing network activity that can be compared efficiently against a given set of policies in real time. The value judgments a given policy passes on the entities found on the network can then be used to dynamically adjust access control mechanisms.
Current approaches to detecting novel (or zero-day) attacks on digital enterprises often depend upon traditional anomaly detection, protocol-deviation detection, or a combination of the two. Anomaly-detection approaches typically begin by characterizing the normal behavior of users (through the processes they run) within a specific environment. This characterization is then compared with observed behaviors to identify any that deviate from the norm. Behavior in this context usually means observations of the network traffic generated by human interaction with applications, or monitoring of the host-based activity generated by such interactions.
A parallel technique is used to characterize activity that is not so directly driven by human interaction, such as that of a host's operating system or other automated processes.
While such approaches have been reasonably effective in the past, they are known to be subject to training-based attacks. Opponents can escape detection if they can skew the characterization of "normal" behavior to incorporate elements of their intended misuse; observations of their behavior would then fit within the normal profile. Such attacks have long been known to be theoretically possible, but implementing them was not easy: in most cases, skewing a normal characterization would have required long-term activity by an insider, or direct modification of the security system's own characterization. Nowadays it is potentially feasible to achieve this skew without internal access, in far less time and with far less knowledge of the defenses, by leveraging very large-scale attack systems such as botnets. Alternatively, the Russian Attacker case might be considered a variant of this approach; in that situation, numerous dummy corporations were used in cyberfraud and together "simulated" a rich economic system rather than a small team of attackers. Because the usefulness of anomaly detection is therefore expected to deteriorate, anticipating novel attacks in time to intervene will require a method that does not depend upon a behavior characterization that can be skewed from the outside. The proposed research examines a new approach to predicting novel attacks through the identification, observation, and characterization of the underlying network entities, rather than focusing on observations of the surface behavior of those who use the network. These network entities should be less subject to the skew effect, since they are not constructs based on how the system is used but rather on the identification of the network actors supporting the infrastructure, regardless of how it is used.
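The skew (baseline-poisoning) attack described above, as an added illustration that is not part of the CMDA project or of this page: a minimal adaptive anomaly detector over one constructed feature, outbound connections per minute for a single host, attacked first abruptly and then by a slow ramp. The detector design, its parameters (a 60-minute sliding window, mean plus three standard deviations), and every traffic figure are assumptions made for this example. A `frozen` flag shows the usual counter-measure, a baseline that is never retrained, which catches the ramp but also cannot follow legitimate drift.

```python
"""Baseline poisoning (a "training-based" attack) against an adaptive anomaly detector.

Added illustration, not CMDA code. The detector, its parameters and every traffic
figure below are constructed for this example.
"""
from statistics import mean, pstdev


class AdaptiveBaseline:
    """Sliding-window detector over one feature (here: outbound connections per minute).

    An observation is flagged when it exceeds mean + k*std of the window.  Unless
    `frozen`, observations that are NOT flagged are fed back into the window; this
    adaptation is what lets an attacker skew the "normal" profile from outside.
    """

    def __init__(self, history, k=3.0, window=60, min_std=1.0, frozen=False):
        self.window_size = window
        self.window = list(history)[-window:]
        self.k = k
        self.min_std = min_std      # floor so a very quiet baseline is not hair-trigger
        self.frozen = frozen

    def threshold(self):
        return mean(self.window) + self.k * max(pstdev(self.window), self.min_std)

    def observe(self, value):
        """Return True if `value` is anomalous; otherwise absorb it into the baseline."""
        if value > self.threshold():
            return True
        if not self.frozen:
            self.window.append(value)
            del self.window[:-self.window_size]
        return False


def run(detector, observations):
    """Feed observations in order; return the indices of flagged minutes and the
    detector's final threshold (to show how far the baseline was moved)."""
    flagged = [i for i, v in enumerate(observations) if detector.observe(v)]
    return flagged, detector.threshold()


# Constructed "normal" history: ~20 connections/minute with +/-2 jitter
# (values 18..22, twelve of each, so mean 20 and std sqrt(2), threshold ~24.2).
NORMAL_HISTORY = [20 + (i * 7) % 5 - 2 for i in range(60)]
EXFIL_RATE = 80   # connections/minute the attacker ultimately needs (assumed)


def abrupt_attack():
    """Attacker jumps straight to EXFIL_RATE: every minute exceeds ~24.2 and is flagged."""
    return run(AdaptiveBaseline(NORMAL_HISTORY), [EXFIL_RATE] * 5)


def ramped_attack(step=3, hold=60, frozen=False):
    """Patient attacker: raise the rate by `step` and hold it for a full window so the
    baseline re-centres on the new level before the next raise.  Each level sits at or
    below the current threshold, so nothing is ever flagged and the exfiltration at
    EXFIL_RATE looks normal.  With frozen=True the baseline cannot be moved and the
    ramp is caught as soon as it passes the original threshold (minute 60 here).
    """
    levels = range(23, EXFIL_RATE + 1, step)           # 23, 26, ..., 80
    schedule = [lvl for lvl in levels for _ in range(hold)]
    return run(AdaptiveBaseline(NORMAL_HISTORY, frozen=frozen), schedule)


if __name__ == "__main__":
    print("abrupt :", abrupt_attack())
    print("ramped :", ramped_attack())
    print("frozen :", ramped_attack(frozen=True)[0][:3], "...")
```

The ramp needs twenty hours of patient, low-rate activity to move the threshold from about 24 to 83, which is the "long term activity" the text refers to; a botnet that can spread that activity across many hosts, or many apparently independent actors, compresses the same skew into far less time per actor. Freezing the baseline defeats the ramp at minute 60, but only by giving up the adaptation that made the detector useful in the first place, which is why the text argues for characterizing entities that the attacker cannot reshape rather than behavior that they can.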
Network entities will be identified by observing the actual, integrated operation of a target digital information infrastructure, and will be classified inductively. This approach, likely combined with protocol-deviation detection and possibly with traditional anomaly detection, will reduce the likelihood that an attacker can launch a novel assault undetected by skewing the characterization of normality.