Presentation is loading. Please wait.

Presentation is loading. Please wait.

Parallel Autonomous Cyber Systems Monitoring and Protection

PublishAnne Anthony Modified over 6 years ago

Similar presentations

Presentation on theme: "Parallel Autonomous Cyber Systems Monitoring and Protection"— Presentation transcript:

1 Parallel Autonomous Cyber Systems Monitoring and Protection
December 8, 2009 Revision 1 Chris Archer

2 Cyber Challenges Zero-day exploits always provide new tactics for adversaries. Current heuristic methods only respond to known tactics. The time lag for heuristic methods catching up to new exploits is a huge window of opportunity for bad things to happen. This challenge overlaps into “traditional IT” – it is difficult to see a problem arising until it is too late. New tools are needed that can react at the speed of the network to previously unknown threats and problems.

3 Application and Extension of Unsupervised Clustering to Cyber Applications
Unsupervised clustering has been developed to allow autonomous organization of large amounts of data into hierarchical groups of similar data The addition of new information-based distance metrics (based on IG, et al) to existing unsupervised clustering will allow us to find the needles in the haystack. Because of the scalability improvements (developed under NG IRAD) and parallel nature, we can process extremely large volumes of data quickly. Approach will adapt to information content – not based on heuristic approaches that become outdated. Potential for orders of magnitude of improvement in time required to react to new and changing threats and failures.

4 Application 1: Parallel Unsupervised Clustering Tree for Autonomous Firewall Packet Inspection
Shallow and Deep Packet Distance Metrics Multilayer Data-Driven Clustering Course Packet Clustering Increasing Parallelism Fine Packet Clustering Fine Packet Clustering Finer Packet Clustering Finer Packet Clustering Finer Packet Clustering Alerts Cluster Recognition and Uniqueness Metric Thresholding Packet Management

5 Packets and Data Time t Time t+D Normal, Known Information
Something new develops: *Problem *Attack *New Pattern of Usage Continuous Data Flow

6 Finding Needles in Large Haystacks
Information Metrics separate out data of different characteristics. Auto-summarization is based on clusters: Large clusters get summarized often Small clusters do not get summarized No more hiding in the data. Use a prototocol with a lot of traffic to hide OR Use a distributed approach: Won’t work: the information content of the packets will be different and will separate out. Overwhelm the processing so it falters: Highly parallel, efficient implementation can process large amounts of data Failure modes can even be designed to fail ‘gracefully’

7 Deep and Shallow Pack Distance Metrics
Shallow Metric Based on Header Information Ports, IP Addresses, Length, Flags Deep Distance Metric based on Packet Content More expensive metric can be utilized in lower levels which are conducted in parallel Can include content information metrics Separation of the two leads to a highly parallel implementation Possible fast/cheap implementation using CUDA on Nvidia Graphics Cards

8 Application 2: Autonomous Log Monitoring
Northrop Grumman Proprietary Level 1 Application 2: Autonomous Log Monitoring Computers Log Server Multilayer Data-Driven Clustering Line-by-line Logs Cluster Recognition and Uniqueness Metric Thresholding Program Summary Purpose: To Provide a top-level summary of key program positions and performance areas that are deemed significant for review Definitions: Accomplishments: Recent activities, milestones, highlights, or events Challenges: Items that could significantly impact program Quality, financial/technical performance, delivery, or Customer Satisfaction. Customer/Contract Issues: Open Customer issues or actions items, Contract/funding/GFE issues, “who owes who what”. Focus: Near term actions/plans (next 90 days) Process: Enter listed fields. References: IPRS User Guide Automated System Management Alerts

9 Experiment Plan: Application 1 – Firewall Segment
Need a source of data Time tagged for artificial streaming Packet captures would be ideal Real data is better / Simulated data may be possible to generate Develop and test detailed shallow and deep packet distance metrics Set up unsupervised clustering code for autonomous hierarchical clustering Run data to generate clusters and uniqueness metrics Conclusion: We should be able to find the interesting features automatically Proof of concept should allow easy transition into a system prototype

10 Experiment Plan: Application 2 – Log Segment
Need a source of data OR use MiSTICKE Lab to generate a real data stream Time tagged for artificial streaming Tune existing text-based distance metrics to log content, as needed Set up unsupervised clustering code for autonomous hierarchical clustering Run data to generate clusters and uniqueness metrics Conclusion: We should be able to quickly and easily find unique system events. Easily transitioned into a system prototype.

11 11

Download ppt "Parallel Autonomous Cyber Systems Monitoring and Protection"

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Abstract There is significant need to improve existing techniques for clustering multivariate network traffic flow record and quickly infer underlying.

Abstract There is significant need to improve existing techniques for clustering multivariate network traffic flow record and quickly infer underlying.
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
A Game-theoretic Approach to the Design of Self-Protection and Self-Healing Mechanisms in Autonomic Computing Systems Birendra Mishra Anderson School of.

A Game-theoretic Approach to the Design of Self-Protection and Self-Healing Mechanisms in Autonomic Computing Systems Birendra Mishra Anderson School of.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
1 Applications of Data Mining in Banking Maria Luisa Barja Jesús Cerquides Ubilab IT Laboratory UBS AG.

1 Applications of Data Mining in Banking Maria Luisa Barja Jesús Cerquides Ubilab IT Laboratory UBS AG.
The Northwestern Mutual Life Insurance Company – Milwaukee, WI Application Monitoring Jeremy Kalsow.

The Northwestern Mutual Life Insurance Company – Milwaukee, WI Application Monitoring Jeremy Kalsow.
Intrusion Prevention System Group 6 Mu-Hsin Wei Renaud Moussounda Group 6 Mu-Hsin Wei Renaud Moussounda.

Intrusion Prevention System Group 6 Mu-Hsin Wei Renaud Moussounda Group 6 Mu-Hsin Wei Renaud Moussounda.
PROS & CONS of Proxy Firewall

PROS & CONS of Proxy Firewall
Net Optics Confidential and Proprietary Net Optics appTap Intelligent Access and Monitoring Architecture Solutions.

Net Optics Confidential and Proprietary Net Optics appTap Intelligent Access and Monitoring Architecture Solutions.
ShopKeeper was designed from the ground up to manage your entire fleet maintenance operations … from 1 user to 100, including full security features that.

ShopKeeper was designed from the ground up to manage your entire fleet maintenance operations … from 1 user to 100, including full security features that.
Intrusion Prevention System. Module Objectives By the end of this module, participants will be able to: Use the FortiGate Intrusion Prevention System.

Intrusion Prevention System. Module Objectives By the end of this module, participants will be able to: Use the FortiGate Intrusion Prevention System.
Event Metadata Records as a Testbed for Scalable Data Mining David Malon, Peter van Gemmeren (Argonne National Laboratory) At a data rate of 200 hertz,

Event Metadata Records as a Testbed for Scalable Data Mining David Malon, Peter van Gemmeren (Argonne National Laboratory) At a data rate of 200 hertz,
Honeypots. Introduction A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.

Honeypots. Introduction A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.
1 The Research on Analyzing Time- Series Data and Anomaly Detection in Internet Flow Yoshiaki HARADA Graduate School of Information Science and Electrical.

1 The Research on Analyzing Time- Series Data and Anomaly Detection in Internet Flow Yoshiaki HARADA Graduate School of Information Science and Electrical.
1 The Internet and Networked Multimedia. 2 Layering  Internet protocols are designed to work in layers, with each layer building on the facilities provided.

1 The Internet and Networked Multimedia. 2 Layering  Internet protocols are designed to work in layers, with each layer building on the facilities provided.
HONEYPOTS PRESENTATION TEAM: TEAM: Ankur Sharma Ashish Agrawal Elly Bornstein Santak Bhadra Srinivas Natarajan.

HONEYPOTS PRESENTATION TEAM: TEAM: Ankur Sharma Ashish Agrawal Elly Bornstein Santak Bhadra Srinivas Natarajan.
1 Impact of IT Monoculture on Behavioral End Host Intrusion Detection Dhiman Barman, UC Riverside/Juniper Jaideep Chandrashekar, Intel Research Nina Taft,

1 Impact of IT Monoculture on Behavioral End Host Intrusion Detection Dhiman Barman, UC Riverside/Juniper Jaideep Chandrashekar, Intel Research Nina Taft,
Wire Speed Packet Classification Without TCAMs ACM SIGMETRICS 2007 Qunfeng Dong (University of Wisconsin-Madison) Suman Banerjee (University of Wisconsin-Madison)

Wire Speed Packet Classification Without TCAMs ACM SIGMETRICS 2007 Qunfeng Dong (University of Wisconsin-Madison) Suman Banerjee (University of Wisconsin-Madison)

Similar presentations

Ads by Google