There has been a rapid escalation of targeted cyber-attacks, called Advanced Persistent Threats (APTs), on high-profile enterprises. These skilled attacks routinely bypass widely deployed protection mechanisms. Existing second-line cyber defenses (e.g., intrusion detection systems) are helpful, but they often generate a flood of information that overwhelms cyber analysts. Moreover, analysts lack the tools to piece together attack fragments spanning multiple applications and/or hosts. This project will hence focus on developing the principles, techniques, and tools for accurate attack detection and real-time reconstruction of attacker activities across large enterprises.
Many intellectual challenges arise in APT campaign reconstruction, including: (a) developing a wide range of policy-based, anomaly-based and signature-based attack detectors, (b) connecting the dots in the presence of unreliable detectors, (c) scaling to large enterprise networks, and (d) resisting adversarial manipulation. To overcome these challenges, this project will explore several novel directions, including (i) domain-specific languages for cyber attack detection and forensics, (ii) novel detection techniques that leverage natural language descriptions of recent attacks, (iii) alternative dependence propagation semantics that mitigate dependence explosion, and (iv) mapping attack steps to the high-level objectives ("kill-chain") of APT actors.
Cyber technologies are inextricably woven into the fabric of today's society. Repeated cyber attacks undermine the society's trust in this fabric. Even in purely economic terms, worldwide cybercrime led to $600 billion in losses in 2017 (Source: McAfee). This project will help arrest these downward trends. It will also educate graduate, undergraduate and K-12 students through cybersecurity coursework, research, and outreach activities. Enhanced participation of women and minorities will be targeted through alliances with partners, including the National Center for Women & Information Technology, Governor's State University, and Chicago Public Schools. Project-related data, results, publications and tools will be made available through the web sites of the research laboratories collaborating on this project: http://seclab.cs.stonybrook.edu/ and http://sisl.lab.uic.edu/.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
