Cyberspace includes a wide range of physical networks, storage and computing devices, applications, and users with different roles and requirements. These can be grouped into three layers: Physical, Logical, and Cyber-persona layers. Securing and protecting such complex and dynamic cyberspace resources and services are grand challenges. This project aims at developing a multi-layer anomaly behavior analysis of all components associated with each cyberspace layer and how they interact with each other in order to achieve superior capabilities in characterizing their normal operations and proactively detect any anomalous behavior that might be triggered by malicious attacks. In this project, we will develop a Multi-Layer Anomaly Behavior Analysis (MLABA) technology that is a true alternative to the existing security technologies. Our methodology to develop the proposed MLABA is based on a holistic approach that will continuously monitor, analyze, and diagnose the operations of all cyberspace layers in an integrated manner. For each layer, we will develop innovative data structures that can be used to accurately characterize the normal behavior of a resource, application or user to integrate the behavior of each layers to overcome the main limitations of anomaly behavior analysis and take proactive actions to stop cyberattacks propagation.
Benefit: The anticipated results upon successful project will be a set of tools that are critical to demonstrate the feasibility of the proposed HSPS system. Specifically, this will include the following tools/capabilities that will be demonstrated at the end of Phase I: * Monitoring, Filtering, and Logging tool to collect data about cyber environment. * Innovative data structures to accurately characterize the current state and next state of cyber systems and end points. * Application Behavior Analysis (ABA) to show how our Anomaly Behavior Analysis (ABA) methodology can be applied to analyze the behavior of cyber environments and their end points and protect them from any type of attacks (e.g., zero-day attacks). * Applying risk and impact analysis for creating evaluation metrics to determine the cost value * Automated and semi-automated actions to mitigate the attacks including zero day attacks. The demonstration of these capabilities at the end of Phase I indicates that the AVIRTEK research team has all the expertise, and the required technologies to implement a fully functional MLABA system in Phase II and also deploy it to potential DoD clients.
Keywords: cyberattack, cyberattack, Self-Adaptive, Anomaly Behavior Analysis, cybersecurity, Multi-layer, Machine Learning, proactive protection
