Oak Ridge lab takes a new tack on 'big security'
Oak Ridge National Lab is developing a number of cybersecurity tools that use advanced machine learning to counter cyber threats.
The lab was the victim of one of the most notable breaches of 2011, after which it was offline for more than a week. A successful phishing attack infected its network with what a spokesperson called a “very sophisticated” piece of malware apparently designed to steal information from the lab’s network. E-mail and Internet access at the lab were shut down until the infection could be identified and removed.
One tool under development looks for data being sent from inside an enterprise by insiders, leveraging data from each host on the network to identify bad behavior. Profiles of normal user behavior can be created relatively quickly and signatures for exfiltrating data can be recognized. Behavior that is flagged as suspicious or malicious can be diverted to a honeypot environment where the user is isolated but actions can be studied.
To hackers, government users are phish in a barrel
A team of three researchers with expertise in machine learning have worked on and off for about three years to produce the Attack Variant Detector. The AVD tool builds on existing algorithms to detect malicious patterns, using machine learning to determine what types of behavior are normal and what is anomalous. “It’s not a complete build from the ground up,” Gillen said.
AVD is intended to operate on a large scale, looking for malicious activity directed at the enterprise from the outside. Because it is working in an expanded environment, scale and speed become more important. Gillen said the team is confident of its ability to ramp up its speed.
“Our biggest problem right now is false positives,” he said — wrongly identifying traffic as possibly malicious. This is a critical metric of success because in order for a tool to produce intelligence that can be acted upon immediately and automatically, it must severely limit the amount of legitimate activity that is blocked. Otherwise it could do more harm than good.
AVD now has proven itself capable of detecting 80 percent of bad traffic that has been missed by other tools, “which we are very pleased with ,” Gillen said. “But we’re trying to get the false positives down to 10 percent or lower.”
Gillen didn’t say exactly what the false positive rate is now, except that it is significantly above the 10 percent threshold.
Although the AVD project still is in the prototyping stage and some basic engineering still is being done on it, advances in its capabilities at this point are coming more from tweaking the software rather than making substantial changes. “It’s a matter of tuning the features we want, doing a lot of work on the triage,” that will let a variety of algorithms produce a consensus conclusion about behavior, he said.
Oak Ridge is not building commercial products, but when the technology is advanced beyond the prototype stage, it can be licensed to companies for commercialization.
AVD as it is envisioned now would operate much like a more traditional Intrusion Detection System, gathering its data for analysis at a single point in the network. Although the analysis of larger amounts of data could be scaled up with increased computing power, the more vexing problem again is bringing together data in a timely way that has been gathered from multiple sensors on a national or even global scale.
Is this practical? “That’s an interesting research challenge,” Gillen said, indicating that it might be some time yet before it enters the realm of the practical.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.