Analytical Forensics Research

Combing through the large volume of data produced by a computer network to identify breaches and misuse with high confidence remains a hard problem in practice. This research aims at designing proper theoretical models and practical tools to aid a human analyst in this task. A key challenge is how to model the uncertainty inherent in this reasoning process, and how to design technologies that human analysts can easily interact with to drive the investigation process. It is unlikely that this task can be completely automated (we are dealing with human adversaries, after all), but the current state of the art certainly leaves great room for automation. For example, while most enterprise computing environments are proactively monitored for threats and security violations using automated detection engines, validating a reported event as a true incident still requires a non-trivial amount of time and information gathering, as well as investment in staffing and training of personnel.

To improve an organization's overall reactive security posture and reduce some of the associated costs, we propose an investigation model supported by predictive, automated data collection and guided presentation of the resulting information. By modeling the investigative goals and requirements for each event type, this approach can automate proactive data-collection actions wherever possible, reducing investigation time and providing a consistent framework for the monitoring staff. By making the goals of the alert-validation process explicit, the framework also lowers the minimum skill required of monitoring staff, widening the labor pool available to tackle this big-data challenge. Following this method, false-positive alerts are pared down more quickly, so that skilled resources are focused only on those alerts validated as genuine.
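The investigation model sketched above, as an added illustration in Python (not code from this project): each event type is mapped to its investigative goals, each goal names an automated collection action and a check on what it returns, and the per-goal findings decide whether an alert is pared off as a false positive, validated as genuine, or handed to an analyst as the uncertain case. The event types, goal names and sample telemetry are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Callable

# Constructed sample telemetry (invented hosts/users/domains) standing in for SIEM/EDR stores.
DNS_LOG = [{"host": "ws-17", "query": "cdn.ads.example", "count": 240},
           {"host": "ws-22", "query": "a1b2c3.bad.example", "count": 480}]
PROC_LOG = [{"host": "ws-17", "image": "chrome.exe", "signed": True},
            {"host": "ws-22", "image": "svchost_.exe", "signed": False}]
AUTH_LOG = [{"user": "alice", "result": "fail"}] * 3 + [{"user": "alice", "result": "ok"}]

@dataclass
class Goal:
    name: str
    collect: Callable[[dict], Any]     # automated data-collection action
    suspicious: Callable[[Any], bool]  # does the evidence support the alert?

# Investigation model: each event type maps to the goals that validate it.
PLAYBOOKS = {
    "beacon": [
        Goal("high_volume_dns",
             lambda a: [r for r in DNS_LOG if r["host"] == a["host"]],
             lambda rows: any(r["count"] >= 300 for r in rows)),
        Goal("unsigned_process",
             lambda a: [r for r in PROC_LOG if r["host"] == a["host"]],
             lambda rows: any(not r["signed"] for r in rows)),
    ],
    "brute_force": [
        Goal("many_failed_logons",
             lambda a: [r for r in AUTH_LOG if r["user"] == a["user"] and r["result"] == "fail"],
             lambda rows: len(rows) >= 10),
        Goal("success_after_failures",
             lambda a: [r for r in AUTH_LOG if r["user"] == a["user"]],
             lambda rows: len(rows) > 1 and rows[-2]["result"] == "fail" and rows[-1]["result"] == "ok"),
    ],
}

def validate(alert: dict) -> dict:
    """Collect evidence for every goal of the alert's event type and derive a verdict."""
    goals = PLAYBOOKS[alert["type"]]
    evidence = {g.name: g.collect(alert) for g in goals}
    findings = {g.name: g.suspicious(evidence[g.name]) for g in goals}
    hits = sum(findings.values())
    # All goals met: validated incident. None met: pare off as a false positive.
    # Mixed evidence is the uncertain case and is handed to a human analyst.
    verdict = ("genuine" if hits == len(goals) else
               "false_positive" if hits == 0 else "needs_analyst")
    return {"evidence": evidence, "findings": findings, "verdict": verdict}

if __name__ == "__main__":
    print({h: validate({"type": "beacon", "host": h})["verdict"] for h in ("ws-17", "ws-22")})
```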

Faculty:

Collaborators:
  • Dr. Raj Rajagopalan (Honeywell ACS Labs)
  • Dan Moor (HP)
  • Gaurav Shah (HP)
  • Anthony Manassero (HP)

Students:

Papers and Presentations:

Acknowledgment:
This research is supported by the National Science Foundation under Grant No. 0954138, 1018703, and 1314925, and by HP Labs Innovation Research Program. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.