Research to automate monitoring of cyber attacks

11/01/2010

Constant attack: This is the state the National Center for Supercomputing Applications (NCSA) finds itself in on a regular basis. While the center does have a system to protect against cyber attacks, the functionality is less than optimal.

Zbigniew Kalbarczyk

Enter CSL researcher Zbigniew Kalbarczyk and his three-year, $500,000 National Science Foundation research grant.

Kalbarczyk is working to make the protection system automated, more efficient and more difficult to penetrate. In addition, he wants to create a tool set for early attack detection.

“This system will let us flag attackers at an early stage before they can achieve damage,” said Aashish Sharma, a PhD student on Kalbarczyk’s research team.

Although NCSA currently has a variety of monitoring tools and corresponding detection techniques, they depend on a security team of humans to supervise the system. Kalbarczyk hopes to create an automated process to do this in order to reduce the time between when an attacker breaks in and when the system recognizes the attack and takes action.

The NCSA collects extensive data logs of information from previous attacks. Kalbarczyk will mine through this information, pick out the relevant pieces and analyze them. He will then build a test bed of computers and monitoring tools to model attacks and study the behavior.

After the simulations in the test bed, Kalbarczyk hopes to design a system and bring it out of the controlled environment and into the real world.

“The test bed will be the platform to enhance the protection or the security monitoring, and then we’ll try to move to the real environment,” said Kalbarczyk.

While Kalbarczyk doesn’t think he can completely automate the process, he wants to have only one expert as a final judge instead of a whole team.

NCSA is under continuous attack, not necessarily because attackers want to damage the system, but because they want to use it as a computing resource. However, while penetrating the system, the attacker can extract files with usernames and passwords, giving them unlimited access to the network. This obviously can cause major problems, and even if the attacker is caught, the incident may require everyone to create new usernames and passwords.

Many companies, such as Boeing, are interested in this research as they need high security systems and cannot risk an attacker penetrating their system. IBM also has a special interest in the research from the perspective of assessing time and money lost when an attacker breaks in, Kalbarczyk said.

“This could eventually be on your laptop, but at the moment we are just looking at larger info structures,” Kalbarczyk said.

Kalbarczyk is the principal investigator on the project. His team also includes co-PI Ravi Iyer, PhD student Hui Li and part-time PhD student Aashish Sharma.