A Scalable Framework for Cyber Attack Discovery and Situational Understanding (SITU)
Problem Statement:

  • Cyber attacks cost commercial and governmental organizations vast dollar amounts, result in stolen intellectual property, and reveal state secrets that endanger lives
  • Discovering novel and sophisticated cyber attacks and providing situation awareness are ongoing problems in computer network defense
  • Analysts maintain continually evolving mental models that allow them to differentiate between malicious and benign traffic, but current systems do not exploit this knowledge
  • Current attack discovery systems typically focus on a single type of data, even though some sophisticated attacks can only be identified by looking across multiple data sets
  • Current systems focus their technology on identifying attacks, but do little to help analysts make rapid decisions

Technical Approach:

  • Anomaly detection - unsupervised, probabilistic modeling of data for different contexts allows the system to model behavior at multiple scales
  • Event classification - supervised machine learning algorithms allow users to incorporate their own domain knowledge into the system
  • Information visualization - real-time event visualization provides an understanding of why events are anomalous and malicious to furnish users with the information to make decisions
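The first two bullets, unsupervised probabilistic models kept per context and scored at several scales, can be illustrated with a small added example; it is not SITU's own code, and the flow records, the two contexts ("global" and "per_source") and the smoothed categorical model are assumptions chosen to show the idea, not the framework's actual models:

```python
import math
from collections import Counter, defaultdict

# Constructed baseline flow records (source host, destination port); not real traffic.
BASELINE = (
    [("10.0.0.5", 443)] * 40 + [("10.0.0.5", 80)] * 10 +
    [("10.0.0.7", 443)] * 30 + [("10.0.0.7", 22)] * 20
)

# Each context groups events at a different scale; one model is kept per context value.
CONTEXTS = {
    "global": lambda src, port: "all",    # a single model over the whole network
    "per_source": lambda src, port: src,  # one model per source host
}
ALPHA = 1.0  # additive (Dirichlet) smoothing so a never-seen port keeps non-zero probability


class ContextModel:
    """Unsupervised categorical model of destination ports, fitted per context value."""

    def __init__(self, contexts):
        self.contexts = contexts
        self.counts = {name: defaultdict(Counter) for name in contexts}
        self.vocab = set()

    def fit(self, flows):
        # No labels are needed: the model only counts what each context has seen.
        for src, port in flows:
            self.vocab.add(port)
            for name, keyfn in self.contexts.items():
                self.counts[name][keyfn(src, port)][port] += 1

    def log_prob(self, name, src, port):
        counter = self.counts[name][self.contexts[name](src, port)]
        total = sum(counter.values())
        k = len(self.vocab) + 1  # +1 reserves probability mass for an unseen port
        return math.log((counter[port] + ALPHA) / (total + ALPHA * k))

    def score(self, src, port):
        """Return the surprise (-log p) under each context and the overall score (the max).

        A port that is common network-wide but new for this host is flagged by the
        per-source context even though the global context finds it unremarkable.
        """
        per_ctx = {name: -self.log_prob(name, src, port) for name in self.contexts}
        return per_ctx, max(per_ctx.values())


if __name__ == "__main__":
    model = ContextModel(CONTEXTS)
    model.fit(BASELINE)
    print(model.score("10.0.0.5", 22))  # port 22 is normal globally, anomalous for host .5
```

The per-context breakdown returned by `score` is the kind of "why is this anomalous" information the visualization bullet refers to, since it shows which scale produced the surprise.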

Benefit:

  • More accurate and timely attack discovery than current systems
  • Builds on the strengths of both human analysts and the processing capabilities of algorithms
  • Immediately usable without any labeled data, because the anomaly detection is unsupervised
  • Integrated domain expertise through labeling of events and configuration of models
  • Understanding of why events are anomalous or malicious to support decision making