CAREER: Reasoning under Uncertainty in Cybersecurity
Basic information
- Award number: 0954138
- Principal investigator:
- Amount: $429,700
- Host institution:
- Host institution country: United States
- Project type: Continuing Grant
- Fiscal year: 2010
- Funding country: United States
- Period: 2010-03-01 to 2016-03-31
- Project status: Completed
- Source:
- Keywords:
Project abstract
Cyber security, like security in the physical world, relies upon investigation methodologies that piece together dispersed evidence spread across multiple places and come to a conclusion on what security breaches have happened and how they happened. While effective evidential reasoning based on manual analysis is used in the physical world by law-enforcement agencies, in the cyber world we need automated reasoning methodologies to handle the automated cyber attacks launched against our nation's information infrastructures every day. This research aims at discovering and developing such automated reasoning methodologies. The problem is difficult due to the uncertain nature of such reasoning, which is compounded by the characteristics of cyber attacks.

The uncertainty in cyber security comes from two sources. The first is the uncertainty from not knowing the attacker's actions and choices. Since hackers are essentially invisible in the cyber world, we have to rely upon various types of sensors that report symptoms of potential attacks. The second source of uncertainty comes from these sensors themselves. Since in most cases the symptoms of cyber attacks significantly overlap with symptoms of benign network activities, it is not possible to rely on a single sensor to give an absolutely correct judgment on whether an attack has happened and succeeded. A key question is how to use these imperfect sensors to conduct reasoning so that one can come up with almost certain conclusions regarding a system's security status. This challenge of reasoning under uncertainty is not new. In the past four decades computer science researchers have developed an array of reasoning models and methods for uncertainty, especially in the area of artificial intelligence. However, the emergence of cyber threats poses a new challenge to this problem. The existing methodologies typically require a knowledge-engineering process to build a knowledge model for the problem domain. This has worked reasonably well with more static and well-behaved problem domains such as disease diagnosis. A key difference between these problem domains and cyber security is that the latter has to deal with an active malicious attacker who will try to break whatever assumptions are made in the reasoning model. For this reason, the knowledge model for cyber security cannot be static, because a static model can easily be evaded. What an effective and practical knowledge-engineering approach to handling the uncertainty in cyber security would be is the biggest open problem that needs to be answered by the research.

This research adopts an empirical, bottom-up approach to tackle the above challenges. Instead of starting from existing theories, the PI will start from an empirical study of how human security analysts reason about cyber events and try to capture the essence of that reasoning process. The PI will carry out this empirical study by running intrusion detection sensors on production networks and working with system administrators to understand and reason about the alerts. The next step is to develop a reasoning model that simulates the human reasoning process, and to apply the automated reasoning engine to fresh data to see how it fares. In this spiral theory-development process the PI can always make sure that the methodologies are applicable to real cyber-security analysis, and can constantly find gaps in the model that reveal which theories are most appropriate and how to apply them to this problem. The eventual goal is to find the right theoretical framework for reasoning under uncertainty in cyber security, and to validate such theories through repeatable experiments on data from production systems.

This research is tightly integrated into the PI's education efforts, both for students and for society at large. The empirical nature of the research provides a valuable venue for dialogue between security practitioners and researchers, which will result in a two-way education process: students working on the project can acquire the essential skills of applying advanced knowledge to a practical problem, and security practitioners such as system administrators can learn the state of the art in cyber security technology through collaborative work with the research team. The empirical study carried out in the research will provide a continuous stream of data and examples to refresh the materials of the cyber-security courses taught by the PI. New courses with a focus on uncertainty in cyber security defense will be developed. A number of undergraduate students will take part in the research efforts, which will provide a unique educational experience for them. Moreover, the test-bed infrastructure produced by the research will also be used as a platform for educating the general public about cyber-security problems, with the help of the outreach programs already established at Kansas State University.
Project outcomes
Journal articles (0)
Monographs (0)
Research awards (0)
Conference papers (0)
Patents (0)
Other publications by Xinming Ou
Techniques for enterprise network security metrics
- DOI:
- Publication year: 2009
- Journal:
- Impact factor: 0
- Authors: A. Singhal; Xinming Ou
- Corresponding author: Xinming Ou
Model-driven, Moving-Target Defense for Enterprise Network Security
- DOI:
- Publication year: 2011
- Journal:
- Impact factor: 0
- Authors: S. DeLoach; Xinming Ou; Rui Zhuang; Su Zhang
- Corresponding author: Su Zhang
Authorization Strategies for Virtualized Environments in Grid Computing Systems
- DOI:
- Publication year: 2006
- Journal:
- Impact factor: 0
- Authors: Xinming Ou; A. Squicciarini; S. Goasguen; E. Bertino
- Corresponding author: E. Bertino
Aggregating vulnerability metrics in enterprise networks using attack graphs
- DOI:
- Publication year: 2013
- Journal:
- Impact factor: 0
- Authors: J. Homer; Su Zhang; Xinming Ou; David A. Schmidt; Yanhui Du; S. R. Rajagopalan; A. Singhal; Abilene Christian University
- Corresponding author: Abilene Christian University
Turning Contradictions into Innovations or: How We Learned to Stop Whining and Improve Security Operations
- DOI:
- Publication year: 2016
- Journal:
- Impact factor: 0
- Authors: S. C. Sundaramurthy; J. McHugh; Xinming Ou; M. Wesch; Alexandru G. Bardas; S. R. Rajagopalan
- Corresponding author: S. R. Rajagopalan
Other grants of Xinming Ou
SaTC: CORE: Medium: Collaborative: Understanding Security in the Software Development Lifecycle: A Holistic, Mixed-Methods Approach
- Award number: 1801633
- Fiscal year: 2018
- Funding amount: $429,700
- Project type: Continuing Grant
SaTC: CORE: Small: Collaborative: Data-driven Approaches for Large-scale Security Analysis of Mobile Applications
- Award number: 1717862
- Fiscal year: 2017
- Funding amount: $429,700
- Project type: Standard Grant
CAREER: Reasoning under Uncertainty in Cybersecurity
- Award number: 1622402
- Fiscal year: 2015
- Funding amount: $429,700
- Project type: Continuing Grant
An Innovative Cybersecurity Curriculum for Civilian and Military Workforce
- Award number: 1129534
- Fiscal year: 2011
- Funding amount: $429,700
- Project type: Standard Grant
TC: Small: Collaborative Research: Models and Techniques for Enterprise Network Security Metrics
- Award number: 1018703
- Fiscal year: 2010
- Funding amount: $429,700
- Project type: Standard Grant
CT-ISG: Model-based, Automatic Network Security Management
- Award number: 0716665
- Fiscal year: 2007
- Funding amount: $429,700
- Project type: Continuing Grant
Similar overseas grants
ML Basis for Intelligence Augmentation: Toward Personalized Modeling, Reasoning under Data-Knowledge Symbiosis, and Interpretable Interaction for AI-assisted Human Decision-making
- Award number: 2040381
- Fiscal year: 2021
- Funding amount: $429,700
- Project type: Continuing Grant
RI: Small: Expressive Reasoning and Learning about Actions under Uncertainty via Probabilistic Extension of Action Language
- Award number: 1815337
- Fiscal year: 2018
- Funding amount: $429,700
- Project type: Standard Grant
Reasoning under uncertainty: A data and model-based methodology for process monitoring
- Award number: 3522-2012
- Fiscal year: 2016
- Funding amount: $429,700
- Project type: Discovery Grants Program - Individual
RI: Small: Knowledge Representation and Reasoning under Uncertainty with Probabilistic Answer Set Programming
- Award number: 1526301
- Fiscal year: 2015
- Funding amount: $429,700
- Project type: Standard Grant
CAREER: Reasoning under Uncertainty in Cybersecurity
- Award number: 1622402
- Fiscal year: 2015
- Funding amount: $429,700
- Project type: Continuing Grant
Large scale reasoning under uncertainty
- Award number: 44121-2011
- Fiscal year: 2015
- Funding amount: $429,700
- Project type: Discovery Grants Program - Individual
Reasoning under uncertainty: A data and model-based methodology for process monitoring
- Award number: 3522-2012
- Fiscal year: 2015
- Funding amount: $429,700
- Project type: Discovery Grants Program - Individual
Reasoning under uncertainty: A data and model-based methodology for process monitoring
- Award number: 3522-2012
- Fiscal year: 2014
- Funding amount: $429,700
- Project type: Discovery Grants Program - Individual
Can infants integrate number and probability when reasoning under uncertainty?
- Award number: 476807-2014
- Fiscal year: 2014
- Funding amount: $429,700
- Project type: University Undergraduate Student Research Awards
Large scale reasoning under uncertainty
- Award number: 44121-2011
- Fiscal year: 2014
- Funding amount: $429,700
- Project type: Discovery Grants Program - Individual