PNNL-SA-64942
Cyber Analytics: Challenges and Solutions for Computer Security
Glenn A. Fink, Ph.D.
Adaptive Systems Focus Lead, Information and Infrastructure Integrity Initiative (I4)
What is Cyber Analytics?
• Cyber, adj.: Of or relating to computers and computer networks
• Analytics, n.: The science of analysis
• Science: Knowledge about a system based on comparing observations to theoretical models
• Analysis: The process of arriving at a decision based on observable facts (data)
• Cyber Analytics:
  • Formal: Observing computer and network data, and quantifiably comparing it to theoretical behavioral models to support decision-making
  • Informal: Understanding the behavior of computers and computer networks from the data they generate
Cyber Analytics is one of four cornerstones for sound, secure computer infrastructures
• Predictive Defense: Anticipate and estimate potential impact of change.
• Adaptive Systems: Scalable self-defending information and infrastructures.
• Trustworthy Engineering: Increase confidence in information and infrastructure integrity.
• Cyber Analytics: Decision-making using predictive analysis to support action.
Distinctive characteristics of Cyber Analytics
• The cyber analyst is often on or near the front lines, combating intruders and enacting protection measures
• Cyber data is massive, real-time, streaming, and often not stored
• Cyber protocols are relatively simple and low entropy
Cyber Analytics tells the story embedded in host and network data
(Diagram: three classes of input feeding visualization and analysis)
• Network data: net flows, IDS alerts, packet traces
• The Buzz: news, Twitter, vendors, web, blogs, official bulletins
• Host data (combined across hosts as multi-host data): event log, service logs, access records, process traces, performance metrics, system call traces, IDS alarms, syslog
• Visualization and analysis
Problems: Massive data
500,000,000 records per day and growing! (Chart annotation: "You are here.")
Problems: Slow propagation
(Diagram: collaboration and data exchange between US-CERT (Einstein), Agencies 1..i, Analysis Centers 1..j, and Site Security Teams 1..k)
4+ day transit time!
Solutions: Multi-scale analysis
• Processors, processes, signals
• Computers, routers, devices
• Networks and Internets
Distributed Analysis: The Cooperative Infrastructure Defense
• Humans supervise top-level agents (Sergeants) that are in charge of entire enclaves
• Sergeants inform humans and set policies for lower-level agents
• Sentinel agents at each machine interpret policy and investigate Sensor findings
• Mobile Sensor agents identify potential problems on machines and communicate via "pheromone"
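A toy simulation of the agent hierarchy described above, added here as an illustration and not code from the slides or from the PNNL project: mobile Sensors leave "pheromone" on hosts where they find evidence, Sentinels take over a host once the local pheromone crosses the Sergeant's policy threshold, and the Sergeant informs humans once enough hosts are under investigation. Host names, thresholds, the evaporation rate and the patrol rule are constructed assumptions.

```python
# Constructed toy model: thresholds, host names and the patrol rule are assumptions.
from dataclasses import dataclass

DEPOSIT = 1.0             # pheromone a Sensor leaves when it finds evidence
EVAPORATION = 0.5         # pheromone lost per cycle, so stale trails fade
SENTINEL_THRESHOLD = 2.0  # Sergeant policy: pheromone level at which a Sentinel steps in
SERGEANT_THRESHOLD = 2    # hosts under investigation before the Sergeant informs humans

@dataclass
class Host:
    name: str
    suspicious: bool            # constructed ground truth the Sensors probe for
    pheromone: float = 0.0
    under_investigation: bool = False

def next_host(hosts, current):
    """Mobile Sensors follow the strongest free trail; with no trail they patrol in order."""
    free = [i for i, h in enumerate(hosts) if i != current and not h.under_investigation]
    best = max(free, key=lambda i: hosts[i].pheromone, default=None)
    if best is not None and hosts[best].pheromone > 0:
        return best
    return (current + 1) % len(hosts)

def run_cycle(hosts, sensors):
    """Sensors inspect and mark, Sentinels read local pheromone, trails evaporate, Sensors move."""
    for pos in sensors:
        h = hosts[pos]
        if h.suspicious and not h.under_investigation:
            h.pheromone += DEPOSIT
    newly_flagged = []
    for h in hosts:
        if h.pheromone >= SENTINEL_THRESHOLD and not h.under_investigation:
            h.under_investigation = True       # Sentinel takes over the host
            newly_flagged.append(h.name)
    for h in hosts:
        h.pheromone = max(0.0, h.pheromone - EVAPORATION)
    sensors[:] = [next_host(hosts, pos) for pos in sensors]
    return newly_flagged

def run_enclave(hosts, sensors, cycles):
    """Sergeant view: order in which hosts were flagged, and the cycle humans were informed."""
    flagged, escalated_at = [], None
    for cycle in range(1, cycles + 1):
        flagged += run_cycle(hosts, sensors)
        if escalated_at is None and len(flagged) >= SERGEANT_THRESHOLD:
            escalated_at = cycle
    return {"flagged": flagged, "escalated_at": escalated_at}

def build_enclave():
    """Constructed enclave: six hosts, two misbehaving (h1, h4), Sensors on h0, h2, h5."""
    hosts = [Host(f"h{i}", suspicious=i in (1, 4)) for i in range(6)]
    return hosts, [0, 2, 5]
```

With the constructed enclave, `run_enclave(*build_enclave(), cycles=10)` flags h1 and then h4, escalates in cycle 6, and never flags a clean host, because clean hosts never accumulate pheromone and evaporation keeps single sightings below the Sentinel threshold.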
Demonstration
The Road Ahead for Cyber Analytics
• Resources needed
  • Dedicated, standard ranges, freely available
  • Reference data sets
• Science advances needed
  • Predictive science
  • Complex-adaptive science
• Social/legislative agenda
  • Cooperation and collaboration
  • Laws governing use of shared data sets
  • Privacy protection laws
Conclusions
(Diagram, repeated from the cornerstones slide)
• Predictive Defense: Anticipate and estimate potential impact of change.
• Adaptive Systems: Scalable self-defending information and infrastructures.
• Trustworthy Engineering: Increase confidence in information and infrastructure integrity.
• Cyber Analytics: Decision-making using predictive analysis to support action.
• PNNL is making strides defining the research area of cyber analytics
• PNNL is investing internal money into solving key cyber analytics problems such as
  • Automated distributed collection and analysis of cyber data
  • Environments that support human collaborative analysis and resolution of emerging cyber threats