Cyber Analytics
Challenges and Solutions for Computer Security
Glenn A. Fink, Ph.D.
Adaptive Systems Focus Lead
Information and Infrastructure Integrity Initiative (I4)
PNNL-SA-64942
What is Cyber Analytics?
Cyber, adj.: Of or relating to computers and computer networks
Analytics, n.: The science of analysis
Science: Knowledge about a system based on comparing observations to theoretical models
Analysis: The process of arriving at a decision based on observable facts (data)
Cyber Analytics (formal): Observing computer and network data, and quantifiably comparing it to theoretical behavioral models to support decision-making
Cyber Analytics (informal): Understanding the behavior of computers and computer networks from the data they generate
Cyber Analytics is one of four cornerstones for sound, secure computer infrastructures
The four cornerstones: Cyber Analytics, Adaptive Systems, Predictive Defense, Trustworthy Engineering
Anticipate and estimate potential impact of change.
Scalable self-defending information and infrastructures.
Increase confidence in information and infrastructure integrity.
Decision-making using predictive analysis to support action.
Distinctive characteristics of Cyber Analytics
Cyber data is massive, real-time, streaming, and often not stored
Cyber protocols are relatively simple and low entropy
The cyber analyst is often on or near the front lines combating intruders and enacting protection measures
Cyber Analytics tells the story embedded in host and network data
[Figure: data sources feeding visualization and analysis. Host data: syslog, event log, service logs, access records, performance metrics, process traces, system call traces. Network data: packet traces, netflows, IDS alarms, IDS alerts. Multi-host data: "the buzz" of web, blogs, Twitter, vendors, news and official bulletins.]
[Figure: today's information-sharing topology. Site security teams 1 through k exchange data with analysis centers 1 through j and agencies 1 through i, which feed US-CERT (Einstein); the legend distinguishes collaboration from data exchange.]
Distributed Analysis: The Cooperative Infrastructure Defense
Problems: slow propagation (4+ day transit time!)
Solutions: multi-scale analysis across processors, processes and signals; computers, routers and devices; networks and internets
Humans supervise top-level agents (Sergeants) that are in charge of entire enclaves
Sergeants inform humans and set policies for lower-level agents
Mobile Sensor agents identify potential problems on machines and communicate via "pheromone"
Sentinel agents at each machine interpret policy and investigate Sensor findings
PNNL-SA-64942
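A toy model of the agent hierarchy on this slide (mobile Sensors depositing pheromone, Sentinels applying policy, Sergeants informing humans), added here as an illustration and not PNNL's CID code; the host names, the per-sign pheromone weights and the threshold policies are all assumed:

```python
from dataclasses import dataclass, field
# Constructed sample data: per-host signs a mobile sensor might notice (stands in for
# syslog, netflow and IDS evidence). Hypothetical host names and enclaves.
OBSERVATIONS = {
    "web1": ["failed_login", "failed_login", "new_listener"],
    "db1":  ["failed_login"],
    "wks7": ["new_listener", "outbound_scan", "failed_login"],
}
ENCLAVE = {"web1": "dmz", "db1": "core", "wks7": "core"}
# Assumed sensor behaviour: each mobile sensor recognises one sign and deposits
# that much "pheromone" on the host where it saw it.
SENSORS = {
    "auth_sensor": ("failed_login", 0.5),
    "port_sensor": ("new_listener", 1.0),
    "scan_sensor": ("outbound_scan", 2.0),
}

@dataclass
class Sergeant:
    """Top-level agent for one enclave: humans set its policy, it sets the sentinels'."""
    enclave: str
    investigate_at: float          # sentinel policy: pheromone level worth investigating
    escalate_at: float             # level at which the sergeant informs its human supervisor
    human_reports: list = field(default_factory=list)

def sensors_sweep(observations):
    """Sensors visit every host; pheromone accumulates per host as findings pile up."""
    pheromone = {host: 0.0 for host in observations}
    for host, events in observations.items():
        for sign, weight in SENSORS.values():
            pheromone[host] += weight * events.count(sign)
    return pheromone

def sentinel_decide(host, level, sergeant):
    """Sentinel on each host interprets its sergeant's policy against the sensor findings."""
    if level < sergeant.investigate_at:
        return "ignore"
    if level >= sergeant.escalate_at:
        sergeant.human_reports.append((host, level))   # sergeant informs the human
        return "escalate"
    return "investigate"

def run_cid(observations, enclave, sergeants):
    pheromone = sensors_sweep(observations)
    return {h: sentinel_decide(h, lvl, sergeants[enclave[h]]) for h, lvl in pheromone.items()}

def demo():
    # Two enclaves with different (assumed) policies; returns per-host decisions and sergeants.
    sergeants = {"dmz": Sergeant("dmz", 1.5, 3.0), "core": Sergeant("core", 1.0, 2.5)}
    return run_cid(OBSERVATIONS, ENCLAVE, sergeants), sergeants
```

Raising a sergeant's thresholds is the policy lever the slide describes: the same sensor findings then stay local to the sentinels instead of reaching the human.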
The Road Ahead for Cyber Analytics
Resources needed: dedicated, standard ranges, freely available; reference data sets
Science advances needed: predictive science; complex-adaptive science
Social/legislative agenda: cooperation and collaboration; laws governing use of shared data sets; privacy protection laws
Conclusions
PNNL is making strides defining the research area of cyber analytics
PNNL is investing internal money into solving key cyber analytics problems such as:
Automated distributed collection and analysis of cyber data
Environments that support human collaborative analysis and resolution of emerging cyber threats