Cyber Security

Cyber Security @ IFT

 A Network Sensor-Based Defense Framework for Active Network Security Situation Awareness and Impact Mitigation Networking technologies have given rise to today’s worldwide social, business, and military networks, and commercial networks in the United States has been growing explosively. Because these networks are vulnerable to various types of attacks, there is an urgent need for cyber security. Cyber-attacks are increasing in frequency, impact, and complexity, which demonstrate extensive network vulnerabilities with the potential for serious damage. For example, an attacker can hack into military sites’ information systems from the cyber network, resulting in significant impact using various attacking techniques, including worm/ malware propagation, botnet, low-rate distributed denial-of-service (DDoS), and various insider threats. State-sponsored hackers are attacking private sector and high-profile government assets online. Organized criminal networks are preying on vulnerable Internet users to make money from identity theft, fraud, and data hostage schemes using the botnets, remotely and stealthy controlled by a master using stepping-stone communication channels. Defending against these cyber attacks calls for the network security situation awareness (SA) through the distributed collaborative monitoring, detection, and mitigation. Such a system should be able to characterize, track, and mitigate security threats in a timely fashion. Note that SA is generally described as “knowing what is going on around the system and within that knowledge of surroundings and being able to identify which events in those surroundings are important”. SA is also a key in the ability to predict the adversary’s intention and important to cyber security.

This Project effort resulted in a prototypical system based on the proposed network sensor-based defense framework for active network security situation awareness and impact mitigation. Our designed system includes four main components: (i) optimally configured and deployed network sensors; (ii) effective anomaly detection algorithms; (iii) a game-theoretic inference engine to conduct impact estimation and evaluation of mitigation strategies; and (iv) a multi-viewer-based visualization. To demonstrate the feasibility of our designed system in real-world practice, we developed a cyber-security testbed with three subnets: outside attackers, a production network with Snort and HoneyD deployed, database servers based on My Structured Query Language (MySQL), Web servers, and simulated insider attackers. In addition, we developed advanced anomaly detection and moving target defense (MTD) techniques to improve system resilience and agility, game theory-enabled impact mitigation and damage assessment, visualization for cyber-security information, and enhanced the testbed to integrate developed modules.

Demonstration

The following shows our enhanced cyber-defense testbed architecture with three-player game-theoretic game analysis module. In detail, the game analysis reasons interactions between attackers, passive sensors, and active sensors. The passive sensor snort acts as one player to interact with an attacker, dynamic strategies are selected when snort is detecting different priority malicious behaviors. A honey net acts as another player (that can be camouflaged in the network) to help passive sensors to detect the cyber-attacks. The use of a Honeynet as a third player in the game model (few research studies or published papers use a three-player model). For the cyber research, game theory is relatively a new application and the use of a Honeynet is a unique aspect of the work that enhances game-theoretic developments over active and passive sensors.