A Step Towards a Science of Cybersecurity

Securing cyber systems is paramount, but cyber defenders lack evidence-based techniques required to make high-consequence decisions. SCIRE was founded in 2021 to lead research partnerships that address the technical challenges surrounding this problem, building on the work of Sandia’s SECURE Grand Challenge. SECURE laid the foundation for a rigorous, evidence-based approach to cybersecurity, leveraging the unique experimental capability provided by Emulytics (scalable, virtualized environments for modeling cyber systems). By integrating Emulytics, uncertainty quantification (UQ), and stochastic programming into workflows, this approach produces quantitative knowledge concerning a target system, enabling substantiated risk assessment and risk mitigation. Sandia has also developed robust analytic techniques that can accommodate sparse and missing data, heavily-tailed uncertainties, and limitations of Emulytic predictions.

Why do we need SCIRE?

Cybersecurity experimentation on live environments is costly, time consuming, and disruptive (if not impossible). Thus, these tests provide sparse knowledge about complex cyber systems, and provide limited ability to answer “what if” questions: “What is the best way to defend our network?” “In creating defenses, which attacks should concern us as being most disruptive to this system?”

With SCIRE, enabling technologies for emulation and analysis in virtualized environments are beginning to coalesce to vastly improve our ability to develop, test, and deploy cybersecurity strategies. Our distinguished computer scientists and experts in statistical modeling have learned to design experiments that provide insight into the dynamics and interactions in a cyber system. In simple systems, results of these experiments can directly answer “what if” questions. In complex cyber systems, novel statistical methods for UQ are needed to understand complex interactions. Such statistical characterizations can then be used to explore alternative defense strategies.

Learn more about SCIRE’s three research thrusts:

Predictive Cyber Emulation

Developed at Sandia, Emulytics is a state-of-the-art tool set to define cyber-experiment models and testbeds at scale for complex, distributed systems. These systems present challenges related to high-dimensionality, sparseness of data, and expensive forward models. Thus, it is still poorly understood how representation fidelity impacts predictive capabilities in real-world cyber systems, especially in situations with unknown/unobserved or pervasive threats where only the effects are observable. SCIRE utilizes Emulytics methods that scientifically address the well-posedness and fidelity of our models and testbeds under deep uncertainty in the threat space. Our in silico laboratory has enabled reproducible and replicable results for a variety of testbed states and threats to produce inputs for characterizing uncertainties. Additionally, emulation of threat mitigation strategies and extreme scenarios has been used to characterize risk management options.

Uncertainty Quantification

Our UQ capabilities assess the confidence in computational predictions given a variety of information streams –  including models, experimental data, boundary conditions, and expert opinion. Cyber systems present unique research challenges in terms of model validation due to the presence of discontinuous and discrete outputs, the necessity for effective network inference for unknown network structures and topologies, and the tractability of high-dimensional structural and model uncertainties. We have developed a set of capabilities to perform validation and forward propagation of uncertainties – including configuration parameters and threats – to handle discreteness and discontinuities, dimension reduction, and multi-level multi-fidelity representations. These methods for scenario generation and uncertainty distributions produce data for our stochastic adversarial optimization models. Through UQ, we perform sensitivity analysis, drive experimental design, and develop reduced order models as inputs in emulation to develop abstractions that are cheaper than the full fidelity models, but still sufficient to properly represent the effects of uncertainties for forward UQ.

Stochastic Adversarial Optimization

Sandia developed and utilizes scalable, general-purpose decision-making capabilities for the risk management of both known and unknown cyber threats. The current state-of-the-art in adversarial optimization consists of domain specific models and algorithms that generally assume perfect knowledge on the part of the adversary, perfect execution of adversarial attacks, simultaneous attack vectors, known outcomes of specific attacks, and perfect execution of defender response. The simplest problems are strongly NP-hard, and there is a current lack of well-established solution procedures even for simplified models. SCIRE applies a suite of scalable stochastic adversarial optimization techniques to address (a) structural and design uncertainties, (b) parametric uncertainties, (c) unobservable uncertainties that naturally arise in cyber, and (d) temporally structured attacks. This allows us to identify a set of alternative plausible cyber models against which we can probabilistically devise and evaluate threat mitigation approaches – ultimately helping determine optimal investment and runtime defense strategies for interdicting potential future adversarial threats. These risk management strategies can then be evaluated for performance with emulation.