Analytical Forensics Research
The problem of how to comb through large amounts of data produced by a computer network to identify breaches and misuses with high confidence remains hard in practice. This research aims at designing sound theoretical models and practical tools to aid a human analyst in this task. A key challenge is how to model the uncertainty inherent in this reasoning process, and how to design technologies that human analysts can easily interact with to drive the investigation process. It is unlikely that this task can be completely automated (we are dealing with human adversaries anyway), but the current state of the art certainly leaves great room for automation.

For example, while most enterprise computing environments are proactively monitored for threats and security violations using automated detection engines, validating reported events as true incidents still requires a non-trivial amount of time and information gathering, as well as investment in staffing and training of personnel. To improve an organization's overall reactive security posture and reduce some of the associated costs, we propose an investigation model supported by predictive, automated data collection and guided presentation of the resulting information. By modeling the investigative goals and requirements for each event type, this approach can automate proactive data collection actions wherever possible, reducing investigation time and providing a consistent framework for the monitoring staff. By making the goals of the alert validation process explicit, the framework also reduces the minimum skill required of monitoring staff, widening the labor pool that can tackle this big-data challenge. Following this method, false positive alerts are pared down more quickly, so that skilled resources can focus their efforts only on those alerts validated as genuine.
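The following is an added toy illustration of the investigation model described above; it is not the project's tool or code. It models, per alert type, the investigative goals an analyst must answer, attaches to each goal an automated data-collection action and a predicate over the collected evidence, and then dispositions alerts: those whose goals are all refuted are pared down as false positives, those fully supported are validated, and the rest reach the analyst with the evidence already gathered. The alert types, goal definitions, hosts, accounts and log data are all constructed for this example.

```python
"""Toy investigative response model with predictive data collection.

Added example, not the project's own code. Every alert type, goal,
host, user and log record below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample telemetry standing in for the automated collection sources.
DNS_LOG = {
    "10.0.0.5": ["update.vendor.example", "cdn.example"],
    "10.0.0.7": ["abc123.bad-example.test", "abc124.bad-example.test"],
}
PROCESS_LIST = {
    "10.0.0.5": ["explorer.exe", "outlook.exe"],
    "10.0.0.7": ["explorer.exe", "svch0st.exe"],
}
AUTH_LOG = {
    "alice": {"failures_last_hour": 2, "success_after_failures": False},
    "bob": {"failures_last_hour": 40, "success_after_failures": True},
    "carol": {"failures_last_hour": 15, "success_after_failures": False},
}
EXPECTED_PROCESSES = {"explorer.exe", "outlook.exe"}


@dataclass
class Goal:
    """One investigative goal: a question that must be answered to validate the alert."""
    question: str
    collect: Callable[[dict], object]   # automated, proactive data-collection action
    supports: Callable[[object], bool]  # does the collected evidence support a real incident?


@dataclass
class Investigation:
    """The evidence and per-goal verdicts gathered for one alert."""
    alert: dict
    evidence: Dict[str, object] = field(default_factory=dict)
    verdicts: Dict[str, bool] = field(default_factory=dict)

    @property
    def disposition(self) -> str:
        if not self.verdicts:                 # no goals modelled for this alert type
            return "needs_analyst"
        if all(self.verdicts.values()):
            return "validated"
        if not any(self.verdicts.values()):
            return "false_positive"
        return "needs_analyst"                # mixed evidence: human judgement required


# Investigative requirements per alert type (constructed model).
MODEL: Dict[str, List[Goal]] = {
    "c2_beacon": [
        Goal("Did the host resolve suspicious domains?",
             lambda a: DNS_LOG.get(a["host"], []),
             lambda names: any(n.endswith(".bad-example.test") for n in names)),
        Goal("Is an unexpected process running on the host?",
             lambda a: PROCESS_LIST.get(a["host"], []),
             lambda procs: any(p not in EXPECTED_PROCESSES for p in procs)),
    ],
    "brute_force": [
        Goal("Were there many failed logons for the account?",
             lambda a: AUTH_LOG.get(a["user"], {}).get("failures_last_hour", 0),
             lambda n: n >= 10),
        Goal("Did a successful logon follow the failures?",
             lambda a: AUTH_LOG.get(a["user"], {}).get("success_after_failures", False),
             lambda ok: bool(ok)),
    ],
}


def investigate(alert: dict) -> Investigation:
    """Run every collection action for the alert's type, then evaluate each goal."""
    inv = Investigation(alert=alert)
    for goal in MODEL.get(alert["type"], []):   # unknown type -> no goals -> needs_analyst
        data = goal.collect(alert)
        inv.evidence[goal.question] = data
        inv.verdicts[goal.question] = goal.supports(data)
    return inv


def present(inv: Investigation) -> List[str]:
    """Guided presentation: each goal with its evidence and verdict, for the analyst."""
    lines = [f"Alert {inv.alert['id']} ({inv.alert['type']}): {inv.disposition}"]
    for question, verdict in inv.verdicts.items():
        lines.append(f"  [{'x' if verdict else ' '}] {question} -> {inv.evidence[question]!r}")
    return lines


def triage(alerts: List[dict]) -> Dict[str, List[str]]:
    """Group alert ids by disposition; only non-false-positives reach the analyst queue."""
    queues: Dict[str, List[str]] = {"validated": [], "needs_analyst": [], "false_positive": []}
    for alert in alerts:
        queues[investigate(alert).disposition].append(alert["id"])
    return queues


if __name__ == "__main__":
    sample = [
        {"id": "A1", "type": "c2_beacon", "host": "10.0.0.5"},
        {"id": "A2", "type": "c2_beacon", "host": "10.0.0.7"},
        {"id": "A3", "type": "brute_force", "user": "bob"},
        {"id": "A4", "type": "brute_force", "user": "carol"},
    ]
    for a in sample:
        print("\n".join(present(investigate(a))))
    print(triage(sample))
```

The point of the structure is that the collection actions run before an analyst opens the alert, so the first thing the analyst sees is the evidence each goal needs rather than a bare detection-engine message; the explicit goal list is also what lets less experienced staff follow the validation consistently.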
Faculty:
Collaborators:
- Dr. Raj Rajagopalan (Honeywell ACS Labs)
- Dan Moor (HP)
- Gaurav Shah (HP)
- Anthony Manassero (HP)
Publications:
- Designing Forensic Analysis Techniques through Anthropology. Sathya Chandran Sundaramurthy. Presented at the NSPHD track of New Security Paradigms Workshop (NSPW), 2013.
- Investigative response modeling and predictive data collection. Dan Moor, S. Raj Rajagopalan, Sathya Chandran Sundaramurthy, and Xinming Ou. The seventh IEEE eCrime Researchers Summit (eCrime'12), Las Croabas, Puerto Rico, USA, October, 2012.
This research is supported by the National Science Foundation under Grant No. 0954138, 1018703, and 1314925, and by HP Labs Innovation Research Program. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.