Active Intrusion Prediction and Response for Computing Devices on the Internet

互联网上计算设备的主动入侵预测和响应

• 批准号: RGPIN-2017-04755
• 负责人: Samarabandu, Jagath
• 金额: $ 1.75万
• 依托单位: University of Western Ontario
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2020
• 资助国家: 加拿大
• 起止时间: 2020-01-01 至 2021-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=711207
• 关键词: Active; Intrusion; Prediction; Response; Computing

Computing infrastructure in Canada as well as across the world are increasingly under attack from intruders attempting to steal information that is safety, business and privacy critical. Such intruders are often backed by criminal enterprises or nation-state actors and are technically very sophisticated with plenty of resources. In 2015, British insurance company Lloyd's estimated the world-wide loss due to cyber crime USD $500 billion. By 2019, this is expected to quadruple to $2 trillion. A crucial weapon in the fight against this worsening crisis is an engineering solution to detect network intrusions and deploy countermeasures. Current intrusion detection systems work by monitoring network activity and looking for activity patterns that match known attack steps. Often, this results in detection after the attack has taken place and response is limited to recovery operations instead of thwarting an ongoing attack. This proposal aims to develop innovative solutions for intrusion detection and response that far surpass the state-of-the-art in following ways: a) generate many possible attack scenarios when an initial stage of an intrusion is detected, b) deploy additional monitoring tools that are specifically designed to gather evidence to confirm or deny these attack scenarios, c) plan defensive measures that can effectively counter the most likely scenarios and d) deploy these defensive measures in a way that is is least disruptive while continually evaluating the situation as above. Long term vision is to develop intelligent intrusion response systems that are aware of the security situation within the next decade. The short term objectives in this proposal that are designed to achieve the above goals include developing a novel way to represent intrusion events that can capture high-level intent as well as low-level network activity, recognizing combinations of intrusion events that are part of a larger attack and deploying these tools within a framework that allows building situational awareness. In the long term, this proposal aims to develop algorithms that can predict impending penetrations based on identification of ongoing attacks and develop countermeasures that can thwart these predicted attacks. A highlight of the proposed research is the development of algorithms that can learn from past attacks as well as setup decoy targets and dynamically change the network paths to divert attacks away from critical systems. The latter will also allow gathering crucial data about these attacks that will be used to design better detection tools in the future. Information security is becoming a critical need for the foreseeable future and innovative approaches as well as highly trained professionals are needed to meet the looming challenges. This program will train the engineers with necessary background as well as with hands-on experience, who will be able to fill this critical and growing need.

加拿大和世界各地的计算基础设施越来越多地受到入侵者的攻击，这些入侵者试图窃取安全、业务和隐私关键信息。这些入侵者通常得到犯罪企业或民族国家行为者的支持，技术非常先进，拥有大量资源。2015年，英国保险公司Lloyd's估计网络犯罪造成的全球损失为5000亿美元。到2019年，这一数字预计将翻两番，达到2万亿美元。对抗这一日益恶化的危机的关键武器是检测网络入侵并部署对策的工程解决方案。 当前的入侵检测系统通过监视网络活动并寻找与已知攻击步骤相匹配的活动模式来工作。通常，这会导致在攻击发生后进行检测，并且响应仅限于恢复操作，而不是阻止正在进行的攻击。该提案旨在为入侵检测和响应开发创新的解决方案，这些解决方案在以下方面远远超过最先进的水平：a）当检测到入侵的初始阶段时，生成许多可能的攻击场景，B）部署专门设计用于收集证据以确认或否认这些攻击场景的附加监视工具，c）计划防御措施，以有效应对最有可能发生的情况; d）以破坏性最小的方式部署这些防御措施，同时不断评估上述情况。长远目标是在未来十年内开发出能够感知安全形势的智能入侵响应系统。 本提案中旨在实现上述目标的短期目标包括开发一种新的方法来表示入侵事件，该方法可以捕获高级意图以及低级网络活动，识别作为较大攻击的一部分的入侵事件组合，并在允许构建态势感知的框架内部署这些工具。从长远来看，该提案旨在开发算法，可以根据对正在进行的攻击的识别来预测即将发生的渗透，并制定可以阻止这些预测攻击的对策。拟议研究的一个亮点是开发算法，这些算法可以从过去的攻击中学习，并设置诱饵目标，动态改变网络路径，以将攻击从关键系统转移出去。后者还将允许收集有关这些攻击的关键数据，这些数据将用于在未来设计更好的检测工具。 在可预见的未来，信息安全正成为一项关键需求，需要创新的方法以及训练有素的专业人员来应对迫在眉睫的挑战。该计划将培养具有必要背景和实践经验的工程师，他们将能够满足这一关键和不断增长的需求。