Cyber-TA Project Web Site

  Cyber-Threat Analytics


  2006 Research Agenda Overview

In 2006, the Cyber-TA project will continue to pursue advances toward privacy-enabled global threat monitoring. We are expanding the project into a consortium that brings together well-established researchers from eight academic institutions, covering all of the key areas of information security that Cyber-TA will encompass; each is actively engaged in developing the innovations that will let Cyber-TA deliver new results in every one of our research thrust areas. The team working on the Cyber-TA project represents a wealth of experience from a variety of sources:

  • Paul Barford (University of Wisconsin)
  • Dan Boneh (Stanford University)
  • Linda Briesemeister (SRI International)
  • Steven Cheung (SRI International)
  • Roger Dingledine (Moria Research Labs)
  • Joan Feigenbaum (Yale University)
  • Ray Granvold (Promia)
  • Wenke Lee (Georgia Institute of Technology)
  • Karl Levitt (University of California, Davis)
  • Peter Neumann (SRI International)
  • Peng Ning (North Carolina State University)
  • Livio Ricciulli (Force-10 Networks)
  • Marcus Sachs (SRI International)
  • Amit Sahai (University of California, Los Angeles)
  • Vitaly Shmatikov (University of Texas, Austin)
  • Dawn Song (Carnegie Mellon University)
  • Paul Syverson (Naval Research Laboratories)
  • Johannes Ullrich (SANS Institute)
  • Al Valdes (SRI International)
  • Brent Waters (SRI International)
  • Vinod Yegneswaran (SRI International)
  • Jian Zhang (SRI International)

During 2006, the Cyber-TA team will focus on four primary research thrusts: data and traffic anonymity, privacy-preserving data analysis through encrypted computation, large-scale malware analysis and attack mitigation strategies, and systems design and deployment through SRI's Cyber-TA-sponsored Threat Operations Center. The following is a brief summary of these activities.

Data and Traffic Anonymity

We are building anonymization and sanitization operations for all major security log data types, with a special emphasis on understanding how field-level anonymization can provide strong privacy while minimizing its impact on the analytical utility of published logs. We are also using the Tor low-latency onion-routing network to develop countermeasures to traffic-flow analysis, so that contributors cannot be linked to their data submissions. We plan to extend Tor to increase its resistance to application-specific timing and statistical attacks.
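As an added illustration of field-level anonymization that keeps analytical utility (not Cyber-TA's own code), the following Python block pseudonymizes the IP fields of firewall log lines with a keyed HMAC while leaving timestamps, ports and actions intact; the log format, the key and the sample lines are constructed for this example, and the /24 prefix and host are pseudonymized separately so subnet grouping survives.

```python
"""Field-level log anonymization (constructed example, not project code).

Each IP address is replaced by a keyed pseudonym: the same address always
maps to the same token, so counts, joins and subnet grouping still work on
the published log, while the real address cannot be recovered without KEY.
"""
import hmac
import hashlib
from collections import Counter

KEY = b"constructed-demo-key-not-for-real-use"  # assumption: a per-contributor secret

# Constructed sample, fields: "timestamp src dst dport action"
SAMPLE_LOG = """\
2006-03-01T10:00:01 192.168.10.5 10.0.0.7 445 DROP
2006-03-01T10:00:02 192.168.10.5 10.0.0.9 445 DROP
2006-03-01T10:00:03 192.168.10.8 10.0.0.7 80 ACCEPT
2006-03-01T10:00:04 172.16.4.2 10.0.0.7 445 DROP
"""


def _tag(key, label, value, nbytes):
    """Keyed, truncated pseudonym for one field value (label separates domains)."""
    mac = hmac.new(key, f"{label}:{value}".encode(), hashlib.sha256).digest()
    return mac[:nbytes].hex()


def anonymize_ip(key, ip):
    """Return 'PREFIXTOKEN.HOSTTOKEN'.

    The /24 prefix is pseudonymized on its own, so hosts in one subnet share
    the first part of the token; the host part is keyed on the full address.
    """
    prefix, _host = ip.rsplit(".", 1)
    return f"{_tag(key, 'net', prefix, 3)}.{_tag(key, 'host', ip, 2)}"


def anonymize_line(key, line):
    """Pseudonymize src and dst; keep timestamp, port and action as-is."""
    ts, src, dst, dport, action = line.split()
    return " ".join([ts, anonymize_ip(key, src), anonymize_ip(key, dst), dport, action])


def anonymize_log(key, log):
    return [anonymize_line(key, ln) for ln in log.splitlines() if ln.strip()]


def top_sources(lines, n=2):
    """An analysis query that should give the same counts on raw and published logs."""
    return Counter(ln.split()[1] for ln in lines).most_common(n)


if __name__ == "__main__":
    for published in anonymize_log(KEY, SAMPLE_LOG):
        print(published)
```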

Encrypted Computation

We are exploring the application of emerging developments in query, search, and comparison operations on encrypted data to the collaborative analysis of high-sensitivity end-node security logs. We are extending attribute-based encryption methods that provide finer-grained access control than traditional cryptosystems. For example, we envision logging systems that label encrypted data with descriptive attributes (e.g., IP addresses, ports, user identities) and encrypt these attributes in such a way that a mediator can selectively compute private keys that decrypt only those log entries whose attributes satisfy a given criterion (e.g., an IDS signature). We hope to develop intrusion detection systems that can analyze fully encrypted security logs for policy and misuse violations without decrypting log content, and that allow these policies to be adjusted and refined well after the data has been encrypted and stored. Such systems represent a radical break from current approaches, which require full access to sensitive logs in order to isolate a relatively few suspicious records.

Malware Analysis and Mitigation

We are studying the fundamental features of large-scale intrusion phenomena captured in various security logs or observed indirectly through multi-log analyses, alternative client-side statistics, or metadata extraction. Our emphasis will be on live, high-volume repository correlation that goes beyond standard intensity-based measurements and other single-attribute distribution patterns (such as attacked-port statistics or source-address blacklisting). For example, we are developing contributor-side correlation applications that characterize local malicious activity through data structures and statistics, with the repositories providing consensus publishing of malware behavior, content signatures, and other malware-related traffic sequences that can be used to detect internal malware infections. We are also exploring group coordination schemes to publish and distribute consensus threat countermeasure data, schemes for helping sites detect emerging malware and botnet behavior from internal sources, honeynet-driven attack classification, and privacy-preserving self-to-world comparative views of a contributor's log production patterns relative to the contributor pool.

Operations and Commercial Transition

We are releasing our research prototypes as open source software and working on new core capability demonstrations; we will deploy an academic release of our core privacy-preserving alert collection infrastructure across our consortium partner sites later this year. As discussed previously, we have progressed this study to the point of developing and deploying a reference system implementation that provides IDS and firewall log collection and anonymization, source-anonymity-preserving log distribution through an onion-routing infrastructure, a large-scale data repository implementation, and a Web-based repository portal that provides remotely controllable data query and analysis services. This initial privacy-preserving threat reconnaissance center is currently undergoing test deployment, with open source software releases to follow early next year.