UNCLASSIFIED

AIR: A Framework For Adaptive Immune Response for Cyber Defense

Paul Biancaniello1, Gary Holness2, Jonathan Darvill1, Matt Craven1, Patrick Lardieri1

1Lockheed Martin Advanced Technology Laboratories

3 Executive Campus, Cherry Hill, NJ 08002

{paul.biancaniello, jonathan.darvill, matthew.craven, patrick.j.lardieri}@lmco.com

2Department of Computer and Information Sciences, Delaware State University

1200 N. DuPont Highway, Dover, DE 19901

[email protected]

Corresponding Author: Patrick Lardieri [email protected]

Date Submitted: December 19, 2011


Intellipedia Article

The advantage in cyber defense currently belongs to the attacker: an attacker needs only a single success, while system defenses must operate flawlessly. Criminals learn from unsuccessful cyber-attacks and alter their tactics to thwart defenses, in an ever-escalating race between the exploitation and defense of system vulnerabilities. A game-changing approach to cyber defense must address the attacker's advantage by adapting to meet evolving attack vectors.

Artificial Immune Systems (AIS) is a nascent research area concerned with computational algorithms for recognizing evolving patterns, based on biological models of the vertebrate immune system. The biological immune system possesses key qualities that are attractive for cyber defense: (1) recognition of known intruding antigens; (2) the ability to learn about previously unknown antigens and their variants; (3) elimination of antigens; and (4) quick recognition and response. In the research community, Artificial Immune Systems have enjoyed a number of application successes in cyber defense, including web-server behavioral anomaly detection, network intrusion detection, detection of malicious code execution, and operating system call monitoring. Beyond traditional pattern recognition algorithms, AIS approaches adapt their recognition to keep pace with evolving patterns.

Cyber security warrants adaptive systems. In a world where attack vectors are continually evolving, traditional, largely static computer security mechanisms cannot cope. In dynamic environments, adaptation becomes a necessary requirement if pattern recognition is to track changing attack vectors. These dynamics concern both changes to the environmental context and changes in the ways in which intruders attempt to prosecute their exploits.

Current AIS approaches to cyber security pair pattern recognition elements with an encoding of mitigating actions: when an AIS pattern recognition element detects attack behavior, the corresponding action is invoked. Such condition-action rules are user specified and require the construction of a potentially large rule base to be effective for even moderately sized networks. A data-driven approach that learns the appropriate mitigating action would eliminate the need for a large rule base and scale to complex networks by adapting learned responses to the prevailing context.

The overall goal of the AIR project is the exploration of a novel cyber security method that interfaces the adaptive pattern recognition offered by AIS algorithms with behavior-based control from the field of robotics. The purpose of this research is the investigation, design, prototyping, and evaluation of a method for adapting the mitigating response in an AIS-based cyber security system.


Abstract

Cyber security warrants adaptive systems in a world where attack vectors are continually evolving. Current AIS approaches to cyber security pair pattern recognition elements with an encoding of mitigating actions: when an AIS pattern recognition element detects attack behavior, the corresponding action is invoked. We present a framework and proof of concept implementation for the composition of Adaptive Responses in Artificial Immune Systems for the cyber domain. Our approach combines behavior-based sensing, adaptive pattern recognition, active maintenance of immunological memory, and robot control synthesis to adapt the response action to evolving detected patterns. We believe that the integration of techniques from robot control synthesis with adaptive AIS pattern recognition methods, including active maintenance of immunological memory, can be effective against attacks characterized by evolving attack vectors. We test our system against a class of zero-day attacks involving vulnerabilities in a popular PDF reader in a data-exfiltration scenario. Results demonstrate its utility in an environment with significant background noise and concurrent system activities. This motivates future work on expanded attack vectors and scenarios.

1. Introduction

Artificial Immune Systems (AIS) have enjoyed a number of application successes in cyber defense, including web-server behavioral anomaly detection, network intrusion detection, detection of malicious code execution, and operating system call monitoring (Gabrielli et al., 2006; Hoffmeyr and Forest, 1999; Watkins, 2000; Hoffmeyr, 1999; Dasgupta, 2007; Blachandran et al., 2006; Kim et al., 2005; Forrest et al., 2008). Beyond traditional pattern recognition algorithms, AIS approaches adapt their recognition to keep pace with evolving patterns. Cyber security warrants adaptive systems: in a world of continually evolving attack vectors, traditional, largely static computer security mechanisms cannot easily cope, so adaptation becomes a necessary requirement for pattern recognition in dynamic environments. These dynamics concern both changes to the environmental context and changes in the ways in which intruders attempt to prosecute their exploits. Current AIS approaches to cyber security pair pattern recognition elements with an encoding of mitigating actions; when an AIS pattern recognition element detects attack behavior, the encoded action is invoked. Such condition-action rules are user specified and require the construction of a potentially large rule base in order to be effective for even moderately sized networks. A data-driven approach that learns the appropriate mitigating action would eliminate the need for a large rule base and scale to complex networks by adapting learned responses to the prevailing context. We present an approach, the Adaptive Immune Response (AIR), which combines AIS pattern recognition with Robot Control Synthesis in an architecture that adapts its mitigating response to the prevailing context. To the best of our understanding, ours is the first body of work that employs behavior learning techniques from the robotics community with AIS-based cyber security.


The overall goal of the AIR project is the exploration of a novel cyber security method that interfaces the adaptive pattern recognition offered by AIS algorithms with behavior-based control from the field of robotics. The purpose of this research is the investigation, design, prototyping, and evaluation of a method for adapting the mitigating response in an AIS-based cyber security system. In the sections that follow, we present background material, introduce the general AIR architectural framework, describe the design of our proof of concept system, and discuss the first results.

1.1 Artificial Immune Systems

Artificial immune system algorithms for negative selection have been used in anomaly detection algorithms in the cyber domain. Another fundamental immunological principle, clonal selection, became a key algorithmic approach in artificial immune systems (Forsdyke, 1995). Clonal selection refers to the process by which lymphocytes (B-cells) are selected according to the quality of their ligand binding to an antigen. A seminal work in this regard was Forrest et al. (Forrest et al., 1993). A second major research area in AIS clonal selection concerned the implementation of algorithms for unsupervised learning (deCastro and Von Zuben, 2000; deCastro and Von Zuben, 2002) as well as supervised learning (Watkins et al., 2004). These approaches bear similarity to instance-based statistical learning, Learning Vector Quantization, and Self-Organizing Maps. More recent work challenged the utility of randomization in clonal selection approaches grounded in evolutionary algorithmic principles (McEwant and Hart, 2000; Stibor and Timmis, 2007). This work focused on the B-cell selection process using a predator-prey model that constructs sparse approximations from an over-complete basis using a scheme that resembles projection pursuit.
Research exploring the role of randomization in AIS pattern learning algorithms reinforces the point that one should balance the immunological metaphor with sound computational and mathematical approaches (Stibor and Timmis, 2007). The immune system must recognize and respond to a vast array of antigens with which it has not previously come into contact. Immunological memory is used to trigger faster responses when either an antigen or one of its variants is subsequently encountered (Forsdyke, 1995). Because B-cells undergo cell division when stimulated by an antigen, their relative proportions within a large population of B-cells become a sophisticated type of memory encoding the history of encountered antigens. As the antigen level subsides, the number of high affinity members of the B-cell population decreases, leaving behind a sub-population of memory cells (Forsdyke, 1995). Therefore, the active maintenance of memory cells is an important mechanism for remembering antigen patterns.

1.2 Robot Control Synthesis

Popular methods for the defense of modern networks are based on the notion that one can correctly specify the system's behavioral policies a priori. These assumptions take the form of condition/action rules that initiate prescribed responses specified by a human designer. Perfect defense would require evaluating all possible sensory input states and pairing each with a response from the set of all possible actuator outputs; a certain impossibility. We turn to the control basis from the robotics community for a solution.

Attackers in low and slow exploits alter their tactics over time while trying to evade detection by hiding their actions within the noise of normal system operation. A low signal-to-noise ratio combined with non-stationary dynamics makes defending against such attacks particularly difficult. Because our goal in the cyber domain is more reactive responses, and because non-stationary dynamics can render obsolete the underlying world model of a planning system, we use a control theoretic approach. The control basis approach developed by Huber and Grupen builds upon Brooks's behavior-based robotics (Brooks, 1986) and Henderson's logical sensors, adding the notion of a control basis (Huber and Grupen, 2000; Henderson and Grupen, 1990; Henderson and Shilcrat, 1984). A control basis "function" consists of a set of sensorimotor resources attached to an objective potential function through a feedback controller. A basis control objective can be thought of as a basin of attraction in the abstract space of all the possible behaviors of which a robot is capable; a control basis is then a set of basins of attraction that provides coverage over the space of behaviors. Rather than enumerate tasks as combinations of simple units of behavior, the control basis provides a sparse representation of task space. Performing tasks in the control basis framework means sequencing controllers in the basis. Beyond reactivity, because the controllers' objectives are specified by goal references, a control basis framework offers a natural description of goal-directed behavior.
1.3 Behavior Based Sensing

Signature-based recognition methods compare binary strings against a database of known signatures, and the space of possible signatures grows exponentially with the length of the binary sequence. Popular security products such as McAfee and Norton Utilities fall into this category. Another class of approaches to cyber defense makes use of system logs and rules that define patterns associated with malware. These rules rely on the expertise of a network operator. Because this approach can only recognize exploits for which rules exist, exploits outside of the network operator's understanding remain undetected; such is the case for zero-day attack vectors. The popular Snort intrusion detection system falls into this category (Roesch, 1999).

We use a behavior-based approach that represents program execution in terms of the OS-level APIs it invokes. Our sensors are written in C++ and instrument the OS kernel, running in privileged mode, through the kernel logging system (Figure 1). Our system consists of four sensor types derived from system call APIs: a process sensor, a network sensor, a file sensor, and a directory sensor. The process sensor detects process creation, deletion, starting, and stopping, generating ProcessEvent messages. The network sensor detects receiving information over a socket (reading) or sending information over a socket (writing), generating NetworkEvent messages. The file sensor detects file creation, file deletion, reading a file, and writing a file, generating FileEvent messages. Because the system call APIs for manipulating directory structures differ from those for files, we chose to separate the behaviors of file manipulation from those of directory manipulation. The directory sensor therefore detects the creation, deletion, reading, and writing of a directory entry, generating DirectoryEvent messages. Each event message type has semantics of the form "an operation was performed on a set of resources." For example, for a DirectoryEvent, an operation of CREATE would carry resource information consisting of the directory name, username, and the time when the directory was created. The resource information is contained in the DirectoryEvent as payload along with the operation.

Figure 1. Behavior-based sensing compresses complex patterns of data into fundamental system call API level behaviors that operate on system resources. Behavior-based sensing produces event streams consisting of an event type, operation, and system resource payload information. An event sequence contains contextual information useful for uncovering the context in which system activities have occurred.

2. AIS Architecture

Figure 2. The AIR architecture combines behavior-based sensing, adaptive pattern recognition, immunological memory, and control synthesis to achieve a system that learns to respond quickly and adapt its response to evolving cyber threats.

Our architecture, the Adaptive Immune Response (AIR) System, combines behavior-based sensing, adaptive pattern recognition, immunological memory, and control synthesis into a cohesive whole that learns to recognize evolving patterns of behavior and adapts its response in mitigating those behaviors in the cyber security domain (Figure 2). Behavior-based sensing reduces the space of signatures by abstracting forensic data in terms of the high level behaviors typically exposed at the operating system API level. Because all software must employ OS-level APIs, this approach is descriptive for a broad class of malware (Wagener et al., 2008). Moreover, a behavior-based approach to sensing provides critical forensic information that can be used later to uncover malicious workflows. Behavior-based sensors instrument the operating system APIs and output a stream of events, each an encoding of the behavior performed by a major system call. In addition to the behavior, these events carry payload information describing the system resources upon which the behavior was performed.

In our architecture, we use Negative Selection to build models for self/non-self recognition and Clonal Selection to implement immunological memory. Clonal selection actively adjusts the relative proportions of the constituent B-cell sub-populations based on the prevailing affinity landscape. Using this approach, clonal selection actively evaluates the antigenic environment and adjusts memory stochastically. As a result, when it encounters antigens (malware) that bear similarity to one encountered in the past, the system responds more rapidly. Additionally, the stochasticity endows the system with the ability to recognize antigens that were previously unseen.

Control synthesis consists of a control-basis approach to the implementation of system behaviors. The selector responsible for determining the schedule for running controllers is based on the notion of antonyms: a detected malware behavior gives rise to a controller that effects the opposite operation. Consider an example where a process is detected reading information (downloading) from the network. Using the antonym would invoke a controller that disallows writing (uploading) to the network. The AIR architecture combines these key capabilities into a system that recognizes evolving malicious behaviors and adapts its response to mitigate them.
We describe our AIR architecture in greater detail as well as results from an early prototype implementation.

2.1 Behavior Based Data Representation

Input data for this project take the form of host events (e.g., network events, file events, directory events, process events). In our implementation, shape space took the form of string representations of the event type and operation. Additional payload information included a text description of the system resources implicated in the operation. A compact representation of shape-space could include the unaltered string representation or a hashing of the strings to a finite number of hash values. A B-cell takes the form of a wrapper class containing a receptor tuple. The receptor tuple represents a sequence of host events. Take, for example, an event sequence <Event1, Event2, Event3, Event4, Event5>; each event consists of an event type, an operation, and a set of attributes based on the available payload data (Table 1). Suppose a user starts Adobe Acrobat™ Reader by clicking on a PDF link in a web page. The user's Adobe Acrobat™ Reader software starts and the PDF is displayed. Let's further suppose that the user notices his Acrobat Reader is out of date, so he does a software update that downloads the new version. Finally, the user is done reading the PDF document, so he closes Acrobat™ Reader, which stops and exits. This results in the generation of the following events:


Table 1. Event types, operations, and payload for LM Host Event Sensors

Event Type   Operations                     Payload
Network      READ, WRITE                    Source IP, destination IP, source port, destination port, username, time
Directory    READ, WRITE, CREATE, DELETE    Host, username, directory name, destination, time
File         READ, WRITE, CREATE, DELETE    Hostname, username, filename, destination filename, time
Process      CREATE, DELETE, START, STOP    Username, program name, time

1. Start Acrobat Reader: [ProcessEvent/START; command, username, time]
2. Loads PDF file: [NetworkEvent/READ; username, srcIP, srcPort, destIP, destPort, time]
3. PDF file cached: [FileEvent/CREATE; username, filename, time]
4. Software update: [NetworkEvent/READ; username, srcIP, srcPort, destIP, destPort]
5. Software saved: [FileEvent/CREATE; username, filename, time]
6. Software update executed: [ProcessEvent/START; command, username, time]
7. User exits: [ProcessEvent/STOP; command, username, time]

Associated with each element of the tuple is a comparator operator used to compute distance measures. The B-cell employs the comparator operators at each position of its receptor tuple to compute an affinity measure between it and event sequences observed on the host.

2.2 Adaptive Pattern Recognition: Negative Selection

Pattern recognition elements (B-cells) are initialized by a hybrid B-cell generation procedure that begins with a biased bootstrapped sample of the observed training data (known normal activity). The biased sample is used to ensure that the recognition elements provide adequate coverage in recognizing host events across shape-space. Over a series of rounds, the generation process then grows its sample in shape space outward from the bootstrap using stochastic diffusion. Each round includes a pruning step that eliminates recognition elements that have high affinity (match) to the normal activity data. After the B-cell generation process completes, the result is a set of initial receptor tuples that are employed as an ensemble of mini-recognizers that will be trained to recognize data elements (or antigens) in the wild. B-cells that have been through Negative Selection but have not had experience in the wild are considered naïve, meaning they have not been exposed to antigens outside of Negative Selection. A naïve B-cell has the ability to discriminate between self and non-self, but does not yet reflect a history of exposure to antigens in the wild.

2.3 Immunological Memory: Clonal Selection

The naïve B-cells are presented with testing data expressed in shape-space. Over a window of time, the affinity measuring the degree of match between each naïve B-cell receptor and data elements (workflows) is computed and accumulated. For the AIS Pattern Recognition Component, a high affinity indicates that the current activity it is witnessing is atypical of the data used in training. B-cells whose affinities exceed a threshold are activated and enter clonal selection. Clonal selection is a noisy replication procedure that creates B-cells with antibody receptor tuples slightly altered from the original parent B-cell. Those B-cells with higher affinity receptor tuples for the atypical activity in question are chosen for further replication. Over iterations of this process, B-cells with novel receptor tuples with either increased or decreased sensitivity are produced. This expansion of the B-cell population results in more effective recognition of atypical activity.

Our current implementation uses dynamic programming to find the longest common subsequence between B-cells and workflows. The algorithm is robust to insertions, which in the case of workflows are extraneous events within a sequence. For example, the longest common subsequence between [a, b, c, d] and [a, e, b, c] is [a, b, c]; the "e" is ignored in the second sequence. Intuitively, this means that a B-cell will have a high match, or affinity, for a workflow even if the workflow involves additional steps (events) that are not present in the B-cell. The important point is that the sequence of B-cell events is found somewhere within the workflow. Especially responsive B-cells become memory cells associated with a lower affinity threshold; they require less stimulation to trigger the clonal selection process during future intrusions. This short-circuits the learning process so that memory B-cells respond more quickly to future data elements similar to those that previously triggered an immune response. In AIR, B-cell activation is cumulative: a B-cell increases its activation level as events arrive if they satisfy the event sequence to which the B-cell is tuned.
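The following is an added example, not code from the AIR paper, that puts sections 2.2 and 2.3 together in working form: receptor tuples over (event type, operation) pairs, the longest-common-subsequence affinity, negative selection that prunes candidates matching normal ("self") workflows, cumulative activation over an event stream, and a seeded clonal-expansion step that yields a memory cell with a lowered threshold. The 4-event receptor and the 0.75 threshold are the paper's; the event vocabulary, the sample workflows, the in-order streaming matcher, and the one-position mutation scheme are assumptions made for illustration.

```python
"""Added example, not code from the AIR paper: receptor tuples matched to
workflows with a longest-common-subsequence affinity, negative selection
against normal ('self') workflows, cumulative activation over an event stream,
and a seeded clonal-expansion step. The event vocabulary and the sample
workflows below are constructed for illustration."""
import random
from dataclasses import dataclass

# Shape space: each event is (event_type, operation); payload is dropped.
RECEPTOR = (("Network", "READ"), ("File", "WRITE"),
            ("File", "EXECUTE"), ("File", "READ"))
VOCAB = [("Network", "READ"), ("Network", "WRITE"), ("File", "READ"),
         ("File", "WRITE"), ("File", "CREATE"), ("File", "EXECUTE"),
         ("Directory", "READ"), ("Process", "START")]
# Constructed 'self' workflows: open a PDF; open one and run an update.
NORMAL_WORKFLOWS = [
    [("Process", "START"), ("Network", "READ"), ("File", "CREATE"), ("Process", "STOP")],
    [("Process", "START"), ("Network", "READ"), ("File", "CREATE"),
     ("Network", "READ"), ("File", "CREATE"), ("Process", "START"), ("Process", "STOP")],
]
# Constructed exfiltration workflow with unrelated events interleaved.
EXFIL_WORKFLOW = [
    ("Process", "START"), ("Network", "READ"), ("File", "CREATE"),
    ("Network", "READ"), ("File", "WRITE"), ("File", "EXECUTE"),
    ("Directory", "READ"), ("File", "READ"), ("Network", "WRITE"), ("Process", "STOP"),
]


def lcs_length(a, b):
    """Dynamic-programming longest common subsequence length of sequences a, b."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def affinity(receptor, workflow):
    """Fraction of the receptor found in order within the workflow; extra
    workflow events (insertions) are ignored, so 1.0 means a full match."""
    return lcs_length(receptor, workflow) / len(receptor)


def negative_selection(candidates, self_workflows, self_threshold=1.0):
    """Prune candidate receptors that match any normal workflow at or above
    self_threshold; the survivors are the naive B-cells."""
    return [r for r in candidates
            if all(affinity(r, w) < self_threshold for w in self_workflows)]


@dataclass
class BCell:
    receptor: tuple
    threshold: float = 0.75
    memory: bool = False
    matched: int = 0  # receptor positions satisfied so far

    @property
    def activation(self):
        return self.matched / len(self.receptor)

    def observe(self, event):
        """Cumulative activation: advance one receptor position when the next
        expected event arrives (an in-order matcher, assumed here). Returns
        True once activation reaches the threshold."""
        if self.matched < len(self.receptor) and event == self.receptor[self.matched]:
            self.matched += 1
        return self.activation >= self.threshold


def run_stream(cell, events):
    """Feed events to a B-cell; return the activation trace and the index of
    the event at which the threshold was first crossed (None if never)."""
    cell.matched = 0
    trace, activated_at = [], None
    for i, ev in enumerate(events):
        fired = cell.observe(ev)
        trace.append(cell.activation)
        if fired and activated_at is None:
            activated_at = i
    return trace, activated_at


def clonal_expansion(cell, antigen, vocab=VOCAB, n_clones=50, seed=0):
    """Noisy replication: each clone mutates one receptor position; the clone
    with the highest affinity for the antigen (parent included) becomes a
    memory cell with a lowered activation threshold."""
    rng = random.Random(seed)
    best, best_aff = cell.receptor, affinity(cell.receptor, antigen)
    for _ in range(n_clones):
        clone = list(cell.receptor)
        clone[rng.randrange(len(clone))] = rng.choice(vocab)
        aff = affinity(clone, antigen)
        if aff > best_aff:
            best, best_aff = tuple(clone), aff
    return BCell(best, threshold=max(0.25, cell.threshold - 0.25), memory=True)


if __name__ == "__main__":
    naive = negative_selection([RECEPTOR, NORMAL_WORKFLOWS[0][:3]], NORMAL_WORKFLOWS)
    trace, at = run_stream(BCell(naive[0]), EXFIL_WORKFLOW)
    print("naive receptors:", naive)
    print("activation trace:", trace, "activated at event", at)
    print("memory cell:", clonal_expansion(BCell(naive[0]), EXFIL_WORKFLOW))
```

On the exfiltration workflow the receptor's activation climbs 0.25, 0.5, 0.75 as Network/READ, File/WRITE and File/EXECUTE arrive in order, so the cell fires on the sixth event even though unrelated File/CREATE and Network/READ events sit between them; the candidate that is a pure prefix of a normal workflow is pruned by negative selection before it ever sees the stream.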
Suppose a B-cell is tuned to the 4-event sequence Network/READ, File/WRITE, File/EXECUTE, File/READ, and that its activation level begins at zero and takes values in the closed interval [0, 1]. If a sensed event Network/READ arrives, the B-cell's activation level goes to 0.25. Some number of event arrivals later, a File/WRITE arrives and the activation level goes to 0.5. Upon a File/EXECUTE, the activation level goes to 0.75. If the B-cell's activation threshold is 0.75, the B-cell is now activated and begins clonal selection.

2.4 Adaptive Response: Control Synthesis

Basis behaviors can range from a single action, such as closing a port, through complex high-level actions, such as maintaining fair bandwidth usage. Associated with each B-cell is an underlying behavioral sequence (the receptor tuple) for which the B-cell has maximum affinity. This behavioral sequence describes a locale in state space. When a B-cell becomes activated, its corresponding locale is selected, and a hash function is called that selects a bin. Within the selected bin is a set of controllers assigned from the control basis. As a result of the hash operation, the controllers are parameterized using information from the given context and run to convergence. In our proof of concept implementation, running to convergence for singleton actions means running them to completion. Controllers are sequenced, or scheduled, using a prioritization scheme. A run-time procedure we call the calculus is responsible for determining the prioritization and, ultimately, the scheduling of control bases. The calculus is run over a given behavior sequence (or context), resulting in a prioritization for each of the basis behaviors in the bin. For the AIR project, we used the following controller prioritization scheme implemented in the calculus:

• The controller whose behavior is closest to being the opposite of a sensed event is selected as a candidate for scheduling. For example, if the event was a File/READ, a controller that modifies the File/WRITE privileges for the user or file is selected.

• The calculus evaluates events in sequential order. For example, if an event sequence contains a Network/READ, a File/WRITE, then a File/READ, the calculus evaluates the events in the order in which they occur.

• The controller selection associated with the most recent event in an event sequence receives a higher priority than those for earlier events. For example, if an event sequence contains a Network/READ, File/WRITE, and File/READ, the controller selection for the File/READ receives the highest priority, followed by the controller selection for the File/WRITE, and lastly the controller selection for the Network/READ.
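The following is an added example, not the AIR project's code, showing the three prioritization rules above applied to the paper's running sequence (Network/READ, File/WRITE, File/READ) and the prototype's choice of a single highest-priority controller. The controller names are those of the paper's basis behaviors; the antonym table beyond the READ/WRITE pair, the simulated "restriction" each controller returns, and the payload fields are assumptions.

```python
"""Added example, not the AIR project's code: the antonym-based controller
prioritization of the AIR calculus over a sensed event sequence. The antonym
table beyond the paper's File/READ -> File/WRITE example, the controllers'
simulated effects, and the payloads are assumptions."""
from dataclasses import dataclass

# Assumed antonym table; the paper gives only READ <-> WRITE explicitly.
ANTONYM = {"READ": "WRITE", "WRITE": "READ", "CREATE": "DELETE",
           "DELETE": "CREATE", "START": "STOP", "STOP": "START"}
# Basis controller chosen by event type (names from the paper's Table 2).
CONTROLLER_FOR = {"Network": "NetworkOpController", "File": "FileOpController",
                  "Process": "ProcessOpController", "Directory": "DirectoryOpController"}


@dataclass(frozen=True)
class Event:
    type: str
    op: str
    payload: tuple  # ((field, value), ...) so the event stays hashable


@dataclass(frozen=True)
class ControlAction:
    controller: str
    op: str        # the opposite operation the controller acts against
    payload: tuple
    priority: int  # higher runs first


def calculus(sequence):
    """Evaluate events in order; each yields its antonym controller, and the
    most recent event receives the highest priority."""
    actions = [ControlAction(CONTROLLER_FOR[ev.type], ANTONYM[ev.op], ev.payload, i + 1)
               for i, ev in enumerate(sequence)]
    return sorted(actions, key=lambda a: a.priority, reverse=True)


def select_singleton(sequence):
    """Prototype behaviour: only the highest-priority controller is scheduled."""
    return calculus(sequence)[0]


def run_controller(action):
    """Simulated effect of a basis controller: the restriction it would impose,
    parameterized by the offending event's payload (no real enforcement here)."""
    p = dict(action.payload)
    if action.controller == "NetworkOpController":
        target = f"{p['destIP']}:{p['destPort']}"
    elif action.controller == "ProcessOpController":
        target = p["program"]
    else:  # FileOpController / DirectoryOpController
        target = p["path"]
    return {"deny": action.op, "on": target, "user": p["username"]}


# Constructed detected sequence matching the paper's running example.
SEQUENCE = [
    Event("Network", "READ", (("username", "alice"), ("destIP", "203.0.113.5"), ("destPort", "443"))),
    Event("File", "WRITE", (("username", "alice"), ("path", r"C:\Temp\update.exe"))),
    Event("File", "READ", (("username", "alice"), ("path", r"C:\Users\alice\Documents"))),
]

if __name__ == "__main__":
    for a in calculus(SEQUENCE):
        print(a.priority, a.controller, a.op, run_controller(a))
```

The most recent File/READ wins, so the singleton action denies WRITE on the read path for that user; the Network/READ's antonym (deny WRITE to the destination, i.e. block upload) is computed but ranked last, which is exactly the ordering the three rules prescribe.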

In the AIR prototype, only singleton controllers are scheduled to run; the selected control action is the controller with the highest priority. Basis behaviors form the repertoire of skills that collectively represent the possible corrective actions one can take in defending the system against intrusive behavior. The space of corrective actions consists of combinations of control basis functions sequenced by priority weights. In the AIR project prototype, we implemented the following basis behaviors (Table 2).

Table 2. AIR basis behaviors

Basis Behavior          Parameters   Effect
NetworkOpController     payload      Opposite of sensed network behaviors
FileOpController        payload      Opposite of sensed file behaviors
ProcessOpController     payload      Opposite of sensed process behaviors
DirectoryOpController   payload      Opposite of sensed directory behaviors

Each basis controller is parameterized with the event payload associated with the offending behavior. An event's payload consists of the system resources associated with the event. For example, the system resources associated with a NetworkEvent include the source IP address, destination IP address, source port, destination port, username, and operation type (read/write). Given its parameterization, the basis behavior computes the action most opposite to the sensed behavior. This can be used to counter an offending action or to restrict permission for the "opposite action."

3. Experiments

We validated the AIR architecture using a class of zero-day exploits. Because zero-day exploits are not, by definition, associated with a priori known pattern signatures, the capabilities of adaptive pattern recognition and response are key in responding to them. We focused on two classes of zero-day attacks concerning a popular PDF file reader. A malicious PDF file can exploit a buffer overflow within the PDF reader software and gain control of the target computer. The compromised system can be recruited as part of a bot-net attack, initiate the disabling of a

UNCLASSIFIED

UNCLASSIFIED  

11  

critical infrastructure, or become the target of data theft. In our experiment, we focus on the scenario of malware for data exfiltration. Because of the difficulty of obtaining malware-logging information from production corporate enterprise networks, as well as the operational difficulty of experimenting with malware on a production network, we conducted our experiments by replaying recorded data. This gave us the ability to use real attack information on an isolated test system and also allowed us precise control over the signal to noise ratio between events associated with malicious behaviors and background events associated with normal system behaviors. Our experiments were conducted on Lockheed Martin Advanced Technology Laboratory's Emulab cluster, a re-usable virtualized test bed environment for rapid deployment and execution of experimental distributed systems. Our experiments consisted of Emulab system configurations, our behavior-based sensors, test scripts, recorded data, and our AIR implementation. The zero-day attack vector involved an attack on a single system. We instrumented test hosts with our behavior-based sensors, recorded sensor data for a number of zero-day attacks, and created a generator that replays the recorded data. The attack scenarios reflected the types of activities one would expect to observe in a zero-day exploit targeting Adobe Reader™ as part of a data-exfiltration attack vector. To this end, we constructed a parameterized wrapper for Adobe Reader™ that, based on its input, either generates the events that would normally occur when running Adobe Reader™, or generates the events that would occur if a malicious entity connects to a remote site, downloads another piece of malware, gathers data to be exfiltrated, and transmits the stolen data to a remote site. In both normal and malicious operation, the displayed PDF file appeared normal to the system's user.
In the case of malicious operation, the wrapper generates additional system events as though malware were running on the system (Figure 3). The process that Acrobat Reader executes during a software update closely resembles a data exfiltration process (an external website is accessed, files are downloaded, the user's file system is scanned, data is uploaded to an external site, etc.). The purpose of including an Acrobat software update was to test whether AIR would "flag" such an update as malicious, given its sequential similarity to a genuine zero-day attack. We tested two different scenario types based on the Adobe Reader example. In the first, simple scenario, the user opens our Adobe Reader wrapper with a benign parameter input. The user then activates the built-in Adobe Reader update function to check for a new update. This generates a legitimate use of the network by Adobe Reader, which becomes part of the event stream for the application. Then, when the user closes the file, either the application terminates (in the benign case), or the application goes into "malware" mode and performs the download and exfiltration activities described above (Figure 4). Because these malicious events happen quickly, there is no discernible difference in behavior from the user's perspective. In our second scenario, we include a wider range of normal user activities interleaved with the Adobe Reader activity. In this case, the user also performs web browsing and document editing tasks concurrently. This scenario includes three web browsing activities (using Firefox), three document editing activities (using OpenOffice), and three PDF viewing activities (using our Adobe Reader wrapper). We wrote a set of scripts to drive our generator for this scenario so that we could generate multiple example event streams. In each example, the files and websites to be viewed are the same, but the order of execution is randomized. We have generated scripts that produce both benign and malicious behavior examples for the viewing of PDF documents. In the benign case, the behavior is that of normal Adobe Reader, while in the malicious cases, the behavior is as described above. The generator is also directed to check for updates when at least one of the PDF files is opened, in both the malicious and benign cases. When malicious behavior is generated, it happens on the same PDF file in every example, though, like all the other events, the order of execution within the example scenario is randomized to ensure that recognition cannot exploit specific event sequence structures.

Figure 3. The Adobe wrapper generates normal Adobe Reader behaviors (a). When the control parameter is set to malicious, the wrapper generates additional malicious behaviors (b).

Figure 4. In our zero-day attack scenario, Acrobat Reader is used to open a malicious PDF file that causes the download and execution of data exfiltration malware.


In all of the attack scenarios described above, we monitored the activity of the host machine before, during, and after the execution of the Zero-Day attack. Long sequences (i.e., workflows) of file open/close/create/read/write, network open/close/read/write, and process start/stop events were collected under a variety of conditions. While training AIR to distinguish “normal” and “malicious” activity, we collected workflows (generated by the host machine) that occur as Windows XP, Firefox, and Acrobat Reader start and process events. We also collected workflows while the user browsed the internet and downloaded files, such as PDFs. All of these datasets represent “normal” user activity and were used to train AIR. For testing AIR, we collected workflows that occurred as the malicious executable was scanning the user’s file directories and sending data to an external source. Figure 5 depicts the experimental setup. The events were grouped by the Workflow Aggregator into contextual workflows based on simple rules, such as grouping events that were caused by the same process or the same parent process. The Workflow Aggregator was used to pull out ground-truth workflow threads from the event streams. The user’s activity was monitored over the course of a few minutes, and each workflow that was generated ranged from a few hundred to a few thousand events.

Figure 5. Experimental set-up for AIR. Analyses of live workflows for malicious activity are performed by comparing them to B-cells. Closely matching (or activated) B-cells are used to compute the appropriate control response for the host machine. The matching B-cells undergo Clonal Selection, resulting in additional B-cells that specialize in recognizing the malicious activity and its variants.

In both scenarios, we controlled for the effect of active maintenance of immunological memory by testing the recognition and response performance for naïve B-cells with and without Clonal Selection. A B-cell that has only gone through Negative Selection has not had its relative proportion within the population of B-cells actively maintained by Clonal Selection. In effect, such B-cells have been trained for non-self recognition, but cannot adapt to related future variants and have not developed an immunological memory. All experiments were performed by training the system using 75% of the available events representing normal system behavior and testing using all of the malicious behavior events and the remaining 25% of the normal behavior events. For both the simple and complex scenarios, we evaluated performance using experimental metrics (Table 3) that describe the data-set difficulty, AIR’s ability to detect the attack, the impact of active maintenance of immunological memory, and the appropriateness of the interdiction response. The data-set difficulty is captured through a signal-to-noise ratio representing the proportion of attack events within the set of generated events. In addition, we measure the diversity of behaviors generated as the number of distinct behavior sequences (Table 4). We also describe the response of the B-cells during self/non-self recognition in off-line training. Here we are interested both in the number of non-self B-cells produced and in their preferred response. Finally, we measure the detection rate and response interdiction for both naïve B-cells (after Negative Selection only) and B-cells after maintenance of immunological memory (after Clonal Selection).

Table 3. AIR experimental performance metrics

We begin with the results for the simple scenario (Table 5). We initialized a population of 10,000 variable-length B-cells (40-60 events long) that recognized event sequences ranging in size from 1,000 to 10,000 events. After Negative Selection, 9,000 of the B-cells survived. These naïve B-cells were then tested against the test data-set produced by the randomized event generator seeded by recorded normal and malicious workflows. During Clonal Selection, each B-cell, when mutated with a stochastic process, produced 2 to 10 new B-cell replicates. Upon each iteration of Clonal Selection, the B-cells that were produced responded to malicious event sequences faster than the parent B-cells from which they were produced (see the example below).


Table 4. The Behavior Based sensors were used to generate sequences of user activity (Events) from a host machine. These events were then used by a randomized generator to produce background behavior and attack behavior. The sequences used in our experiment ranged from hundreds to thousands of events. We ran the sensors and collected a number of workflows to seed the randomized generator.

Description                                                       | Average Number of Events per Workflow | Average Number of Workflows
Run Acrobat Reader to view PDF file                               | 1,100                                 | 4
Run Acrobat Reader to view PDF while retrieving external updates  | 1,600                                 | 5
Run Acrobat Reader to view PDF while a Zero Day Attack occurs     | 2,100                                 | 5

Table 5. Results for simple scenario

No B-cells were activated by non-malicious event sequences. In addition, all of the malicious sequences in our test data were recognized by several B-cells. The Zero-Day Attack Scenario ran for a total of 60 seconds, where the attack itself started 2 seconds into the scenario. Just after Negative Selection, using only naïve B-cells (before Clonal Selection), AIR detected the attack in 15 seconds. The detection was due to 4,000 B-cells that were activated by the attack sequence. After Clonal Selection, AIR detected the attack in 13.5 seconds. The detection was due to 20,000 B-cells that were activated by the attack sequence. That is, after Clonal Selection AIR detected similar attacks faster than before. Using a calculus that computes a response based on the opposite of a sensed behavior, the control learning component was able to adapt its response. As soon as AIR detected an attack, the calculus analyzed the last few events executed by the attack and selected a response to neutralize them. Because Clonal Selection adapts to recognize variants of an attack, the control synthesis adapts with it. After multiple iterations of Clonal Selection, AIR’s response adapted and eventually converged to a fixed response. There were three methods of computing a response: (1) early response, (2) highest affinity or best match response, and (3) consensus response.

An example of the key moments in a malicious workflow consisting of 2700 events appears below. These key moments describe the malicious workflow’s sequence of events. Note that the malicious workflow’s events were interleaved among the events for normal system activities:

    Process/START/Acrobat.exe > Network/OPEN,READ,WRITE > File/CREATE/ExfilApp.exe >
    Process/START/ExfilApp.exe > File/OPEN,READ,WRITE > Network/OPEN,READ,WRITE

For this workflow, a B-cell (receptor tuple) activated by the malicious workflow appears below:

    Process/START/Acrobat.exe > File/OPEN/Acrobat.exe-340E687A.pf > Process/START/cmd.exe >
    Network/WRITE/166.017.240.045:3128 > File/WRITE/SharedDataEvents-journal >
    File/READ/SharedDataEvents > Network/READ/166.017.240.045:3128 >
    Process/STOP/Adobe_Updater.exe > Process/START/cmd.exe > File/READ/SCP.EXE-20D93C6A.pf >
    File/CLOSE/scp.exe > Process/START/scp.exe > File/CLOSE/cygwin1.dll >
    Process/START/scp.exe > File/READ/rsaenh.dll > Process/START/ssh.exe >
    File/CREATE/ExfilApp.exe > Network/READ/127.000.000.001:3862 >
    Network/WRITE/127.000.000.001:3862 > File/WRITE/ExfilApp.exe >
    Process/START/ExfilApp.exe > File/READ/ExfilApp.exe > Process/START/cmd.exe >
    File/CLOSE/WindowsShell.Manifest > ProcessEvent/START/cmd.exe…

In this example, the recognized events are denoted using a red font (best viewed in color). The B-cell recognized the malicious workflow after analyzing 2650 out of the 2700 events. It responded by terminating ExfilApp.exe. In other words, Process/START/ExfilApp.exe was changed to Process/STOP/ExfilApp.exe, thus interdicting the process execution.
After Clonal Selection, the malicious workflow was recognized after analyzing 2450 out of the 2700 events. Using Clonal Selection for active maintenance of immunological memory, the B-cells responded sooner, with a response that changed the file permissions in a way that disallowed the writing of ExfilApp.exe to disk. In other words, File/WRITE/ExfilApp.exe was changed to File/READ/ExfilApp.exe, thus interdicting the writing of the file.

We continue with results for the complex scenario (Table 6). We initialized a population of 1,000 B-cell recognizers (40 to 6 events long) that recognized event sequences ranging in size from 1,000 to 10,000 events. In the complex scenarios, the major difference we observed was a 1% false positive detection rate. This is understandable, as there are multiple concurrent workflows occurring as part of normal system behavior. The larger the number of concurrent events, the more permutations are possible in the interleaving of event sequences. This increases the space of possible variations and, thus, the regions of shape space that must be covered by B-cell recognizers.
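The Negative Selection, Clonal Selection and antonym-response loop described in the preceding results (including the three response strategies) as an added toy model; this is not the AIR implementation, whose receptor encoding, matching rule and control basis are not given here. The in-order subsequence match, the 0.75 activation threshold, the event alphabet and the two workflows are constructed assumptions.

```python
"""Toy model of AIR's loop over Process/Network/File event sequences: Negative
Selection, Clonal Selection and the antonym response calculus. Added illustration;
the event alphabet and workflows are constructed, not the paper's data."""
import random
from collections import Counter

THRESHOLD = 0.75  # fraction of a receptor that must match before it fires
# Antonym calculus: the response to a sensed operation is its opposite.
ANTONYM = {"START": "STOP", "WRITE": "READ", "OPEN": "CLOSE", "CREATE": "DELETE"}

# Constructed alphabet in the paper's Kind/OPERATION/subject notation.
BENIGN = [
    "Process/START/Acrobat.exe", "File/READ/doc.pdf",
    "Network/OPEN/update.example:443", "Network/READ/update.example:443",
    "File/WRITE/cache.dat", "Process/STOP/Acrobat.exe",
]
ATTACK = [  # exfiltration chain; these events never appear in self data
    "Process/START/cmd.exe", "File/CREATE/ExfilApp.exe",
    "File/WRITE/ExfilApp.exe", "Process/START/ExfilApp.exe",
    "File/READ/Documents", "Network/WRITE/203.0.113.7:3128",
]
ALPHABET = BENIGN + ATTACK
# Constructed workflows: a benign PDF view with an update check, and the same
# view with the attack chain interleaved among the normal events.
BENIGN_WORKFLOW = list(BENIGN)
ATTACK_WORKFLOW = [
    "Process/START/Acrobat.exe", "File/READ/doc.pdf", "Process/START/cmd.exe",
    "Network/OPEN/update.example:443", "File/CREATE/ExfilApp.exe",
    "File/WRITE/ExfilApp.exe", "Network/READ/update.example:443",
    "Process/START/ExfilApp.exe", "File/READ/Documents",
    "Network/WRITE/203.0.113.7:3128", "Process/STOP/Acrobat.exe",
]

def antonym(event):
    """'Process/START/ExfilApp.exe' -> 'Process/STOP/ExfilApp.exe'."""
    kind, op, subject = event.split("/", 2)
    return f"{kind}/{ANTONYM.get(op, op)}/{subject}"

def detect(receptor, workflow, threshold=THRESHOLD):
    """Match the receptor's events in order, skipping interleaved activity.
    Returns (index at which the receptor fired, final affinity) or None."""
    matched, fired_at = 0, None
    for i, event in enumerate(workflow):
        if matched < len(receptor) and event == receptor[matched]:
            matched += 1
            if fired_at is None and matched / len(receptor) >= threshold:
                fired_at = i
    return None if fired_at is None else (fired_at, matched / len(receptor))

def negative_selection(candidates, self_workflows, threshold=THRESHOLD):
    """Keep only receptors that fire on none of the normal (self) workflows."""
    return [r for r in candidates
            if not any(detect(r, w, threshold) for w in self_workflows)]

def clonal_selection(active, antigen, self_workflows, rng, threshold=THRESHOLD):
    """Each activated receptor yields 2-10 noisy copies; a clone survives if it
    still avoids self and fires no later than its parent on the antigen."""
    clones = []
    for receptor in active:
        parent = detect(receptor, antigen, threshold)
        if not parent:
            continue
        for _ in range(rng.randint(2, 10)):
            clone = list(receptor)
            clone[rng.randrange(len(clone))] = rng.choice(ALPHABET)
            clone = tuple(clone)
            hit = detect(clone, antigen, threshold)
            if hit and hit[0] <= parent[0] and not any(
                    detect(clone, w, threshold) for w in self_workflows):
                clones.append(clone)
    return clones

def respond(population, antigen, strategy="consensus", threshold=THRESHOLD):
    """Interdiction = antonym of the event a receptor fired on, taken from the
    earliest-firing receptor, the highest-affinity one, or by majority vote."""
    hits = []
    for receptor in population:
        hit = detect(receptor, antigen, threshold)
        if hit:
            hits.append((hit[0], hit[1], antonym(antigen[hit[0]])))
    if not hits:
        return None
    if strategy == "early":
        return min(hits, key=lambda h: h[0])[2]
    if strategy == "affinity":
        return max(hits, key=lambda h: h[1])[2]
    return Counter(h[2] for h in hits).most_common(1)[0][0]

def run(seed=7, population=1000, length=4, rounds=3):
    """Random receptors -> Negative Selection -> rounds of detection and Clonal
    Selection; report whether self is flagged and what each strategy picks."""
    rng = random.Random(seed)
    pool = [tuple(rng.choice(ALPHABET) for _ in range(length))
            for _ in range(population)]
    pool = negative_selection(pool, [BENIGN_WORKFLOW])
    for _ in range(rounds):
        active = [r for r in pool if detect(r, ATTACK_WORKFLOW)]
        pool += clonal_selection(active, ATTACK_WORKFLOW, [BENIGN_WORKFLOW], rng)
    return {"false_positive": respond(pool, BENIGN_WORKFLOW) is not None,
            "early": respond(pool, ATTACK_WORKFLOW, "early"),
            "affinity": respond(pool, ATTACK_WORKFLOW, "affinity"),
            "consensus": respond(pool, ATTACK_WORKFLOW)}
```

Because every surviving receptor and clone is re-checked against the self workflow, the benign run never produces a response, while the three strategies can disagree on the attack (the earliest firing receptor tends to interdict the File/WRITE, the vote the Process/START).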


Table 6. Results for complex scenario

In general, for both the simple and complex scenarios, we found that the response to attacks was faster when Clonal Selection was used in conjunction with Negative Selection and Adaptive Response. We conducted additional experiments to measure reaction time as a function of the iteration of Clonal Selection for the complex scenario (Figure 6). For these experiments we implemented and measured three different types of system response: (1) the strongest response, from the B-cell with the highest affinity match to the detected malicious behavior, (2) the quickest response, from the first B-cell to detect the malicious behavior, and (3) the most popular response, arrived at by vote among all of the B-cells that detected the malicious behavior.

Figure 6. Reaction time of AIR as a function of iterations of Clonal Selection


We note two interesting observations from these experiments. First, the reaction time decreased toward an asymptote as the number of Clonal Selection iterations increased. Secondly, the response selected by AIR adapted as well. After a few iterations of Clonal Selection and response, AIR settled to a steady-state response that involved the specific subject of the attack, namely ExfilApp.exe. Before settling to a steady-state response, AIR addressed “landmarks” associated with the specific subject of the attack, such as closing the port through which it was downloaded. Most interesting in these results is the fact that the consensus voting response was to stop the MS command interpreter (cmd.exe), while the quickest response identified the subject of the attack (ExfilApp.exe). Since the command interpreter was the parent process used to invoke ExfilApp.exe, the consensus response is impressive, as it is both appropriate and a critical “landmark” preceding malware execution. In another experiment, using the complex scenario, we examined the activity of the B-cells as a function of Clonal Selection (Figures 7 and 8). These experiments verified that Clonal Selection does indeed perform active maintenance of immunological memory. A larger proportion of the B-cells (as identified by their B-cell ID along the horizontal axis) became active after 8 iterations or trials of Clonal Selection.

Figure 7. Activation level of naïve B-cells

Figure 8. Activation level of B-cells after Clonal Selection


What these results demonstrate is that, before Clonal Selection, roughly half of the active B-cells exceeded the activation threshold needed for Clonal Selection (Figure 7). After Clonal Selection, the activated B-cells went through a process of noisy replication that specialized them to regions of shape-space, creating memory for the detected malicious behavior and its variants. Because of this, the majority of the B-cell population exceeds the activation threshold after Clonal Selection (Figure 8). This demonstrates the importance of using self/non-self recognition in conjunction with active maintenance of immunological memory in AIS-based systems for Cyber Security.

4. Discussion

We have described our first experiments using Artificial Immune Systems for Cyber Security that combine behavior-based sensing and AIS pattern recognition (Negative Selection and Clonal Selection, Figure 9) with robot control synthesis in a system that adapts its response to malicious behaviors. Moreover, we have tested this system on a class of Zero-Day Attacks. To the best of our knowledge, ours is the first body of work in the research community to combine ideas from Robotics (Control Synthesis) with Artificial Immune System pattern recognition to achieve adaptive response. AIR appropriately and effectively mitigated the zero-day attack we tested, both in the simple case and, more importantly, in the complex case consisting of multiple concurrent activities. As can be seen from our results, our system was able to improve its performance using Clonal Selection for the active maintenance of immunological memory, as well as adapt its response as Clonal Selection detected behavioral variants. Given the attacker advantage in Cyber Security, particularly for zero-day attacks, we feel it is not enough to train AIS systems for self/non-self recognition. Adaptation is key, and the focus of our approach was on adaptation of the learned patterns as well as the interdicting response.

Figure 9. Together, Negative Selection and Clonal Selection give us a powerful mechanism that learns self/non-self behavior and maintains an active memory that adapts to recognize variations of learned abnormal behavioral patterns. [Diagram labels: Offline Training / Negative Selection: produce mini recognizers (B-cells) that distinguish normal from abnormal activity. Online Testing / Clonal Selection: increases sensitivity to observed abnormal user activity; add small variations to active recognizer. Legend: Recognizer (B-cell), Activated Recognizer (Activated B-cell), Replicated Recognizer (Cloned B-cell). Example events: “Process start, network write, …”, “Network read, file write, …”.]

Future work will certainly include expanding our experiments to include a wide variety of attack vectors. We are encouraged by our results because they demonstrate an interesting new approach to Cyber Defense. These first experiments raise a number of questions that can be expanded into a number of future research directions and further investigations. The number of B-cells maintained in the population and the degree of replication for each B-cell affect the degree of coverage across variations of antigens in shape-space. Since the purpose of our experiments was to validate our architecture, we did not include a theoretical analysis of the coverage of shape-space afforded by the degree of replication. Future work will include such analysis. A future experiment will uncover how AIR performs under varying signal-to-noise ratios of malicious behaviors to benign background behaviors in regular increments. We believe that the degree of replication will affect how well a given population is able to adapt in environments with increased background noise. While our focus was on a PDF-based attack, it is also our future goal to test AIR across a broader class of zero-day attacks.

We observed that active maintenance of immunological memory using Clonal Selection did result in modest improvements in performance. In future experiments, we will explore the relationship between the self/non-self training and the active maintenance of immunological memory. The question we seek to answer is how the incubation period affects long-term population dynamics. In essence, the output of Negative Selection serves as an initial condition for the dynamical system maintained by Clonal Selection. These experiments will explore how sensitive different parameterizations of Clonal Selection are to initial conditions. The phenomena on each host across a network are measurably different.
No two users at hosts on a network visit the same websites or have the same application usage patterns. Future work includes the investigation of an approach for sharing “best practices” across hosts on a network, in the form of a kind of vaccination shared among AIR instances on each host.

We found that control synthesis did adapt the response, but as Clonal Selection continued to run, the response converged onto a particular response over multiple runs of the experiment. We believe that control synthesis from the robotics community is a valuable addition to AIS pattern recognition because it affords the type of flexibility that is needed, particularly during the stages of AIS operation when it has not acquired enough examples to make optimal decisions. Moreover, as we observed in our experiments, the notion of best action may change as the attack evolves or more information becomes available. In future research we plan to move beyond singleton control actions, with methods for selecting and scheduling multiple control actions in a data-driven approach that constructs rudimentary policies for malware interdiction.

It is important to note that, with any learning system, there is a tradeoff between representational complexity and learnability. Our choice of representation certainly compresses the representation of behavioral events. Using a hashed representation of event payload data further compresses the behavioral representation, but also presents practical issues concerning tuning the number of hash bins (representational granularity). Scaling the system to longer non-trivial behavioral sequences would require architectural changes, such as maintaining separate AIR instances devoted to application groups in an enterprise environment. These interesting architectural issues are beyond the scope of the current experiment.

In our proof-of-concept implementation, while we implemented antonyms for our control basis, the framework is not limited to antonyms. With antonyms, the possible responses are limited to the set of possible operations for each event type. Future work would expand beyond antonyms to regulating types of actions. Our proof-of-concept system’s sensors returned event information after a system call executes. As such, the recognition and response interdict future system calls. In our proof-of-concept implementation, the highest-priority controller associated with the hash bin for the activated B-cell was run. The calculus can easily be modified to run a schedule of controllers in priority order. As the B-cell adapts, the priority ordering for the controllers changes. This results in an adapting execution of controllers. Thus the framework supports adaptive response as the prevailing context changes.

Acknowledgements

The authors thank the reviewers for their thoughtful comments that have helped in strengthening this body of work. The authors gratefully acknowledge the funding agent. The views expressed in this article are the opinions of the authors and do not necessarily represent the views of the sponsoring agency.



Author Biographies

Paul Biancaniello: Senior research scientist at Lockheed Martin Advanced Technology Laboratories in the Artificial Intelligence and Brain Inspired Computing research groups, where he has guided several technical programs, both internal and contracted. His research focuses on biologically-inspired machine learning in the areas of Hierarchical Spatiotemporal Learning, Multimodal Data Integration, and Large-Scale Network Analytics. Paul earned his PhD in Physics in 2006 at the University of Pennsylvania, where he studied Condensed Matter and Polymer Physics.

Gary Holness: Assistant Professor in the Department of Computer and Information Sciences at Delaware State University, where he is also the inaugural graduate program director and directs the Laboratory for Intelligent Perceptual Systems. His research rests at the intersection of Machine Learning, Machine Perception, Distributed Systems, Robotics, and Statistics. Prior to Delaware State University, Gary was a Lead Research Scientist at Lockheed Martin Advanced Technology Laboratories in the Artificial Intelligence and Brain Inspired Computing research groups. Gary earned his PhD in Computer Science in 2008 at the University of Massachusetts-Amherst, where he specialized in Machine Learning, Robotics, Distributed Systems, Statistics, and Computer Vision. At UMass, he was a member of the Machine Learning Lab under the direction of Prof. Paul Utgoff and the Laboratory for Perceptual Robotics under the direction of Prof. Rod Grupen.

Jon Darvill: Principal Investigator in the Intelligent Robotics Laboratory at Lockheed Martin Advanced Technology Laboratories. At the Advanced Technology Laboratories, Jon has led a number of projects in neurocomputational modeling, computer vision, statistical modeling, machine learning, world modeling for robots, and cyber security. His research focus is biologically-inspired computing, especially computational models inspired by the brain. Jon earned his Master of Engineering in Computer Science in 2005 and his BS in Applied and Engineering Physics in 2004 at Cornell University.

Matt Craven: Senior Member of the Engineering Staff at Lockheed Martin Advanced Technology Laboratories, working in the Advanced Concepts Laboratory. His research interests include networking, computer architecture, and cyber security. Matt holds MS and BS degrees in Computer Science from the University of Pittsburgh.

Patrick Lardieri: Senior Program Manager at Lockheed Martin Advanced Technology Laboratories, working in the Advanced Concepts Laboratory. Over his 22-year career Mr. Lardieri has served as technical lead for multiple DARPA, AFRL and ONR applied research programs in automated cyber testing (DARPA NCR), distributed real-time computing (DARPA PCES and ARMS), adaptive networking (DARPA SAPIENT), SW producibility (AFRL SPRUCE), and intelligent training (ONR AET). He has published over 20 papers and given multiple invited talks and keynotes at refereed conferences. Mr. Lardieri has participated in several DoD technology policy planning workshops on software producibility and security challenges. Within Lockheed Martin, Mr. Lardieri has supported tiger-team reviews and technology transition into key DoD programs including Aegis Open Architecture, DDG-1000, and JSF.