DEFENSE R&D OUTLOOK
Next Move
ANTICIPATION IS A BIG PART OF CYBERSECURITY
By Eric Tegler
Protecting America’s defense communication and data networks from cyberattacks is a ceaseless game of chess. As renowned chess champion Emanuel Lasker said, “When you see a good move, look for a better one.” A contingent of the defense cybersecurity research community is doing just that. While a major portion of research and development remains focused on passive defenses for software and embedded systems, another thread is increasingly focused on quantifying the activity and understanding the behavior of cyber adversaries in order to develop more effective countermeasures. This research is expected to yield ideas and cybersecurity approaches that the government’s technology integrators and the military will have to absorb as fast as possible. When building networks and systems robust enough to let warfighters function effectively, the next move is always critical.
The Cyber Agility Framework: Data Science Meets Cybersecurity
After about 10 minutes chatting with Jose Mireles – a Department of Defense (DOD) cybersecurity expert who co-developed what’s called the “Cyber Agility Framework” (CAF) as part of his thesis at the University of Texas at San Antonio (UTSA) – I said, “This looks like what would happen if a data scientist rocked up to a cybersecurity problem.” “Exactly,” he said. In the simplest terms, the CAF is a set of mathematical equations that analyze any data set. In this case, the data is cyberattack alerts. Mireles is part of a broader collaborative including Dr. Shouhuai Xu, director of the Laboratory for Cybersecurity Dynamics and computer science professor at UTSA, UTSA student Eric Ficke, and researchers at Virginia Tech, the U.S. Army Combat Capabilities Development Command (CCDC) Army Research Laboratory (ARL), and the U.S. Air Force Research Laboratory (AFRL).
Together, they conceived the CAF as a tool to score the agility of cyber attackers and defenders. You can think of it as a measuring stick, a framework that helps government and industry organizations visualize how well (or how poorly) they outmaneuver attacks. One valuable source of cyberattack data is Snort alerts. Snort is an intrusion detection system designed to detect irregular activity within a network and alert users to it. In widespread use, Snort provides real-time traffic analysis and packet logging, just the kind of data meant to be plugged into the CAF. The CAF team began by taking four terabytes of packet capture (PCAP) data from the National Cyber Defense Collegiate Competition, using it as a control input to the framework, then re-running the data as new Snort updates and versions (community and subscription rules) were issued.
Opposite page: The CAF project, funded by the U.S. Army Research Office, is the first framework to score the agility of cyber attackers and defenders. Right: Jose Mireles co-developed the Cyber Agility Framework (CAF) as part of his master’s thesis at the University of Texas at San Antonio (UTSA). Mireles collaborated with UTSA colleagues as well as researchers from Virginia Tech, the U.S. Army Research Laboratory, and the Air Force Research Laboratory.