Cyber Analytics Challenges and Solutions for Computer Security Glenn A. Fink, Ph.D. Adaptive Systems Focus Lead Information and Infrastructure Integrity Initiative (I4) PNNL-SA-64942

Upload: madeleine-crawford

Post on 17-Dec-2015


TRANSCRIPT

Cyber Analytics

Challenges and Solutions for Computer Security

Glenn A. Fink, Ph.D.
Adaptive Systems Focus Lead
Information and Infrastructure Integrity Initiative (I4)

PNNL-SA-64942

What is Cyber Analytics?


Cyber, adj.: Of or relating to computers and computer networks
Analytics, n.: The science of analysis

Science: Knowledge about a system based on comparing observations to theoretical models
Analysis: The process of arriving at a decision based on observable facts (data)

Cyber Analytics:
Formal: Observing computer and network data, and quantifiably comparing it to theoretical behavioral models to support decision-making
Informal: Understanding the behavior of computers and computer networks from the data they generate

Cyber Analytics is one of four cornerstones for sound, secure computer infrastructures


[Figure: the four cornerstones and their goals]
Cornerstones: Cyber Analytics, Adaptive Systems, Predictive Defense, Trustworthy Engineering
Goals:
Anticipate and estimate potential impact of change.
Scalable self-defending information and infrastructures.
Increase confidence in information and infrastructure integrity.
Decision-making using predictive analysis to support action.

Distinctive characteristics of Cyber Analytics


Cyber data is massive, real-time, streaming, and often not stored

Cyber protocols are relatively simple and low entropy

The cyber analyst is often on or near the front lines combating intruders and enacting protection measures

Cyber Analytics tells the story embedded in host and network data


[Figure: data sources feeding visualization and analysis]
Host Data: syslog, Event log, Service logs, Access records, Performance metrics, Process traces, System call traces
Network Data: Packet traces, Netflows, IDS Alarms, IDS Alerts
Multi-host data
The Buzz: Web Blogs, Twitter, Vendors, News, Official bulletins

Problems: Massive Data

500,000,000 records per day and growing!

[Figure: data-sharing hierarchy with a "You are here." marker. Site 1, Site 2, Site 3 ... Site k-1, Site k Security Teams; Analysis Center 1, Analysis Center 2 ... Analysis Center j-1, Analysis Center j; Agency 1 ... Agency i; US-CERT (Einstein). Legend: Collaboration, Data exchange.]

Problems: Slow propagation

4+ day transit time!

Solutions:

Multi-scale analysis

Processors, processes, signals

Computers, routers, devices

Networks and Internets

Solutions:

Large Displays

Solutions:

Decentralized Analysis

Humans supervise top-level agents (Sergeants) that are in charge of entire enclaves

Sergeants inform humans and set policies for lower level agents

Mobile Sensor agents identify potential problems on machines and communicate via “pheromone”

Sentinel agents at each machine interpret policy and investigate Sensor findings

Distributed Analysis: The Cooperative Infrastructure Defense
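A toy simulation of the agent hierarchy described above (Sergeants setting policy, mobile Sensors laying pheromone, Sentinels investigating), added here as an illustration; it is not PNNL's Cooperative Infrastructure Defense code. The evaporation rate, the deposit size, the hosts and the Sensor itinerary are all constructed assumptions.

```python
from dataclasses import dataclass, field

EVAPORATION = 0.5   # assumed: fraction of pheromone that survives each tick

@dataclass
class Host:
    name: str
    anomalous: bool = False   # constructed ground truth for the simulation
    pheromone: float = 0.0    # pheromone laid by Sensors on this machine
    investigated: bool = False

@dataclass
class Sergeant:
    """Top-level agent for an enclave: sets policy for the Sentinels and reports to humans."""
    threshold: float                       # policy: pheromone level that warrants investigation
    reports: list = field(default_factory=list)

def sensor_visit(host: Host, deposit: float = 1.0) -> None:
    """A mobile Sensor visits one machine and lays pheromone if it sees a potential problem."""
    if host.anomalous:
        host.pheromone += deposit

def sentinel_check(host: Host, sergeant: Sergeant) -> None:
    """The Sentinel on each machine applies the Sergeant's policy to the Sensors' findings."""
    if host.pheromone >= sergeant.threshold and not host.investigated:
        host.investigated = True            # investigate once, then inform up the chain
        sergeant.reports.append(host.name)  # the Sergeant relays this to the human supervisor

def evaporate(hosts: list) -> None:
    """Pheromone decays, so only repeatedly confirmed findings accumulate."""
    for h in hosts:
        h.pheromone *= EVAPORATION

def run_enclave(threshold: float) -> list:
    """Simulate one enclave; returns the host names the Sergeant reported to the human."""
    hosts = [Host("A", anomalous=True), Host("B"), Host("C", anomalous=True)]
    route = [0, 0, 1, 2, 1, 1, 2]           # constructed Sensor itinerary, one visit per tick
    sergeant = Sergeant(threshold)
    for tick in range(len(route)):
        sensor_visit(hosts[route[tick]])
        for h in hosts:
            sentinel_check(h, sergeant)
        evaporate(hosts)
    return sergeant.reports

if __name__ == "__main__":
    print("strict policy:", run_enclave(1.5))   # only A, confirmed on two consecutive visits
    print("loose policy: ", run_enclave(1.0))   # A and C, each on a single Sensor finding
```

With the strict policy, host C is visited too rarely for its pheromone to survive evaporation, so the Sentinel never escalates it; loosening the Sergeant's threshold makes a single Sensor finding enough.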


Demonstration


The Road Ahead for Cyber Analytics

Resources needed
Dedicated, standard ranges, freely available
Reference data sets

Science advances needed
Predictive science
Complex-adaptive science

Social/legislative agenda
Cooperation and collaboration
Laws governing use of shared data sets
Privacy protection laws


Conclusions

PNNL is making strides defining the research area of cyber analytics
PNNL is investing internal money into solving key cyber analytics problems such as

Automated distributed collection and analysis of cyber data
Environments that support human collaborative analysis and resolution of emerging cyber threats
