

Adaptive Threat Management Tool for Cyber-based Systems

Yahya Javed, Tawfeeq Shawly, Muhamad Felemban, and Arif Ghafoor

URL (http://multimedia.ecn.purdue.edu/AIMS.html)

Objective: Develop a resilient Cyber-based System (CBS) by incorporating an adaptive threat management mechanism throughout the life cycle of such a system, from design through recovery from cyber attacks.

[Figure: Cyber-based System Architecture. Diagram labels, as legible in this copy: Application Layer; Network Layer; Traffic Log; Service Log; Network Access Control; Policy Base; Firewalls; Offline Analysis; Real-time Analysis; Intrusion Detection; IDS Alerts; CBS Recovery; Recovery Protocol; Knowledgebase; Repair Manager; Threat Response; Attack Progress Prediction; Online Dependency Analyzer; Damage Container; Response Policy Generation and Deployment; Intrusion Boundary Manager; Cyber Network/System Topology; Cyber Threat Mapper; Cyber-based Dependency Analyzer; IB Demarcation for CBS; Database/Information Layer; Offline Analysis; Real-time Analysis; Audit Log; Access Control and Authentication; Database System.]

System Components
1. Intrusion Detection
2. Intrusion Boundary (IB) Manager
   • Damage confinement
   • Scalability
3. Threat Response
4. CBS Recovery

Adaptive Threat Management System

Proposed Solutions
1. Adaptive Intrusion Management System (AIMS) for big datacenters
2. Adaptive Threat Management (ATM) for CBS

Solution Methodology
1. Development of a real-time HMM-based intrusion detection
2. Development of a firewall policy-based response and recovery playbook
3. Development of a risk-aware partitioning mechanism for scalable detection, response, and recovery
4. Development of an ATM prototype for testing and validation

[ATM figures: (a) Functionality dependency graph of CBS with IB partitioning (nodes labelled a to m, with dependency labels such as d,a; d,g; d,a,b; d,g,f; d,a,b,c; d,e; d,e,f, and edge weights between 0.2 and 0.9); (b) Cost function for IB partitioning (a minimization over intrusion boundaries; the formula is not legible in this copy); (c) Attack graph; Set of boundary objects.]

Solution Methodology
1. IB demarcation as a metrics-driven optimization problem for damage confinement
2. Development of an efficient intrusion response and recovery mechanism for malicious transactions
3. Development of malicious workload benchmarks for performance evaluation

[AIMS figures: (a) Data dependency graph with IB Demarcation (nodes labelled a to n); (b) Cost function for IB Demarcation (a minimization over intrusion boundaries; the formula is not legible in this copy); (c) Performance results; Set of boundary objects.]

Acknowledgement: This work is supported in part by a grant from the Northrop Grumman Corporation and National Science Foundation Grant IIS‐0964639.

2018 - PDR - 747-21D - Adaptive Threat Management Tool for Cyber-based Systems - Yahya Javed