SaTC: CORE: Small: Scalable Cyber Attack Investigation using Declarative Queriesand Interrogative Analysis
Case Western Reserve University, Cleveland OH
Investigators
Abstract
Recent cyber-attacks that exploit multiple vulnerabilities plague even the most protected companies. This has led to the solutions that ubiquitously monitor system activities as a series of system events, and apply causality analysis to reveal the attack steps through reconstructing the events and their dependencies on the attack as dependency graphs. Nevertheless, existing techniques mainly exploit event time to identify dependencies. This will include many less-important dependencies brought by irrelevant system activities. Moreover, these techniques cannot easily incorporate expert knowledge from security analysts due to limited extensibility, and provide little support to engage security analysts to actively explore the dependencies. The project is expected to make a major positive impact on system security by enhancing attack investigation using system audit logs, and provide contextual information to help intrusion detection systems better prioritize alerts. The project actively involves students from minority and underrepresented groups for research and training experiences. The goal of this proposal is to develop a general query framework to express and extract contextual attack information, by constructing small graphs of attack-relevant events from system audit logs. The project is focused on the following research tasks: (1) build a general infrastructure that computes discriminative weights for dependencies based on various properties of system events to identify attack-relevant events and entry points for attacks; (2) develop a declarative graph query language that provides specialized language constructs to express various formats of causality analysis; (3) devise a scalable interrogative analysis framework that can automatically clarify causality analysis by tracking expressive causal structures for both verified and hypothetical scenarios, enabled by new ``Why'' and ``What-if'' semantics. This project will advance the state of the art in revealing attack provenance from complex systems, on engaging security analysts to interactive and explainable security analytical pipelines, and to gain better understanding of the fundamental and practical challenges for building an effective attack investigation system. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
View original record on NSF Award Search →