Publications Details
Proactive Defense for Evolving Cyber Threats
There is great interest in developing proactive methods of cyber defense, in which future attack strategies are anticipated and these insights are incorporated into defense designs; however, little has been done to place this ambitious objective on a sound scientific foundation. Indeed, even fundamental issues associated with how the “arms race” between attackers and defenders actually leads to predictability in attacker activity, or how to effectively and scalably detect this predictability in the relational/temporal data streams generated by attacker/defender adaptation, have not been resolved. This LDRD project addressed many of these challenges, and the results are briefly summarized here. We have characterized the predictability of attacker/defender coevolution and have leveraged our findings to create a framework for designing proactive defenses for large (organizational) networks. More specifically, this project applied rigorous predictability-based analytics to two central and complementary aspects of the network defense problem – the attack strategies of the adversaries and the vulnerabilities of the defenders’ systems – and used the results to develop a scientifically grounded, practically implementable methodology for designing proactive cyber defense systems. Briefly, predictive analysis of attack strategies involved first conducting predictability assessments to characterize attacker adaptation patterns in given domains, and then using these patterns to “train” adaptive defense systems capable of providing robust performance against both current and (near) future threats. The problem of identifying and prioritizing defender system vulnerabilities was addressed using statistical and machine learning methods to analyze a broad range of data (e.g., cyber, social media) on recently detected system vulnerabilities, in order to “learn” classifiers that predict how likely it is that, and how soon, new vulnerabilities will be exploited.
A variety of cyber threat case studies were developed and investigated throughout the project, including one selected from the cyber security research community and one that is more comprehensive and of higher priority to SNL and to external national security partners. A sample of research results and applications of this methodology are included in this report (as a series of peer-reviewed publications). For ease of reference, the title and SAND number of each are included below.