Active Intrusion Prediction and Response for Computing Devices on the Internet

互联网上计算设备的主动入侵预测和响应

• 批准号: RGPIN-2017-04755
• 负责人: Samarabandu, Jagath
• 金额: $ 1.75万
• 依托单位: University of Western Ontario
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2018
• 资助国家: 加拿大
• 起止时间: 2018-01-01 至 2019-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=664181
• 关键词: Active; Intrusion; Prediction; Response; Computing

Computing infrastructure in Canada as well as across the world are increasingly under attack from intruders attempting to steal information that is safety, business and privacy critical. Such intruders are often backed by criminal enterprises or nation-state actors and are technically very sophisticated with plenty of resources. In 2015, British insurance company Lloyd's estimated the world-wide loss due to cyber crime USD $500 billion. By 2019, this is expected to quadruple to $2 trillion. A crucial weapon in the fight against this worsening crisis is an engineering solution to detect network intrusions and deploy countermeasures. ***Current intrusion detection systems work by monitoring network activity and looking for activity patterns that match known attack steps. Often, this results in detection after the attack has taken place and response is limited to recovery operations instead of thwarting an ongoing attack. This proposal aims to develop innovative solutions for intrusion detection and response that far surpass the state-of-the-art in following ways: a) generate many possible attack scenarios when an initial stage of an intrusion is detected, b) deploy additional monitoring tools that are specifically designed to gather evidence to confirm or deny these attack scenarios, c) plan defensive measures that can effectively counter the most likely scenarios and d) deploy these defensive measures in a way that is is least disruptive while continually evaluating the situation as above. Long term vision is to develop intelligent intrusion response systems that are aware of the security situation within the next decade.***The short term objectives in this proposal that are designed to achieve the above goals include developing a novel way to represent intrusion events that can capture high-level intent as well as low-level network activity, recognizing combinations of intrusion events that are part of a larger attack and deploying these tools within a framework that allows building situational awareness. In the long term, this proposal aims to develop algorithms that can predict impending penetrations based on identification of ongoing attacks and develop countermeasures that can thwart these predicted attacks. A highlight of the proposed research is the development of algorithms that can learn from past attacks as well as setup decoy targets and dynamically change the network paths to divert attacks away from critical systems. The latter will also allow gathering crucial data about these attacks that will be used to design better detection tools in the future.***Information security is becoming a critical need for the foreseeable future and innovative approaches as well as highly trained professionals are needed to meet the looming challenges. This program will train the engineers with necessary background as well as with hands-on experience, who will be able to fill this critical and growing need.

加拿大以及世界各地的计算基础设施正越来越多地受到入侵者的攻击，这些入侵者试图窃取安全、商业和隐私关键信息。这些入侵者通常得到犯罪企业或民族国家行为者的支持，在技术上非常复杂，拥有大量资源。2015年，英国保险公司劳合社估计，全球因网络犯罪造成的损失达5000亿美元。到2019年，这一数字预计将翻两番，达到2万亿美元。对抗这一日益恶化的危机的关键武器是检测网络入侵并部署对策的工程解决方案。当前的入侵检测系统通过监控网络活动和寻找与已知攻击步骤相匹配的活动模式来工作。通常，这导致在攻击发生后才进行检测，并且响应仅限于恢复操作，而不是阻止正在进行的攻击。本建议旨在发展创新的入侵检测和响应方案，在以下方面远远超过最新的技术水平：A)在检测到入侵的初始阶段时生成许多可能的攻击场景；b)部署额外的监控工具，专门用于收集证据以确认或否认这些攻击场景；c)计划可以有效应对最可能出现的场景的防御措施；d)在持续评估上述情况的同时，以破坏性最小的方式部署这些防御措施。长期目标是在未来十年内开发出能够感知安全形势的智能入侵响应系统。***本提案旨在实现上述目标的短期目标包括开发一种新颖的方式来表示入侵事件，这种方式可以捕获高级意图和低级网络活动，识别作为更大攻击一部分的入侵事件的组合，并在允许建立态势感知的框架内部署这些工具。从长远来看，该提案旨在开发能够基于识别正在进行的攻击来预测即将发生的渗透的算法，并制定能够阻止这些预测攻击的对策。提出的研究的一个重点是算法的发展，可以从过去的攻击中学习，以及设置诱饵目标和动态改变网络路径，以转移攻击远离关键系统。后者还将允许收集有关这些攻击的关键数据，这些数据将用于未来设计更好的检测工具。***在可预见的未来，资讯保安正成为一项重要的需求，需要创新的方法以及训练有素的专业人员来迎接即将来临的挑战。该计划将培养具有必要背景和实践经验的工程师，他们将能够填补这一关键和不断增长的需求。