
2014 | Book

Network Science and Cybersecurity


About this book

Network Science and Cybersecurity introduces new research and development efforts for cybersecurity solutions and applications taking place within various U.S. Government Departments of Defense, industry and academic laboratories.

This book examines new algorithms and tools, technology platforms and reconfigurable technologies for cybersecurity systems. Anomaly-based intrusion detection systems (IDS) are explored as a key component of any general network intrusion detection service, complementing signature-based IDS components by attempting to identify novel attacks. These attacks may not yet be known or have well-developed signatures. Methods are also suggested to simplify the construction of metrics in such a manner that they retain their ability to effectively cluster data, while simultaneously easing human interpretation of outliers.

This is a professional book for practitioners or government employees working in cybersecurity, and can also be used as a reference. Advanced-level students in computer science or electrical engineering studying security will also find this book useful.

Table of contents

Frontmatter
Towards Fundamental Science of Cyber Security
Abstract
Terms like “Science of Cyber” or “Cyber Science” have been appearing in literature with growing frequency, and influential organizations initiated research initiatives toward developing such a science even though it is not clearly defined. We propose to define the domain of the science of cyber security by noting the most salient artifact within cyber security—malicious software—and defining the domain as comprised of phenomena that involve malicious software (as well as legitimate software and protocols used maliciously) used to compel a computing device or a network of computing devices to perform actions desired by the perpetrator of malicious software (the attacker) and generally contrary to the intent (the policy) of the legitimate owner or operator (the defender) of the computing device(s). We further define the science of cyber security as the study of relations—preferably expressed as theoretically-grounded models—between attributes, structures and dynamics of: violations of cyber security policy; the network of computing devices under attack; the defenders’ tools and techniques; and the attackers’ tools and techniques where malicious software plays the central role. We offer a simple formalism of these key objects within cyber science and systematically derive a classification of primary problem classes within cyber science.
Alexander Kott
Bridging the Semantic Gap: Human Factors in Anomaly-Based Intrusion Detection Systems
Abstract
Anomaly-based intrusion detection has been pursued as an alternative to standard signature-based methods since the seminal work of Denning in 1987. Despite the length of time for which it has been studied, the high level of activity in this area, and the remarkable success of machine learning techniques in other areas, anomaly-based IDSs remain rarely used in practice, and none appear to have the same widespread popularity as more common misuse detectors such as Bro and Snort. We examine a potential cause of this observation, the “semantic gap” identified by Sommer and Paxson in 2010, in some detail, with reference to several common building blocks for anomaly-based intrusion detection systems. Finally, we revisit tree-based structures for rule construction similar to those first discussed by Vaccaro and Liepins in 1989 in light of modern results in ensemble learning, and suggest how such constructions could be used to generate anomaly-based intrusion detection systems that retain acceptable performance while producing output that is more actionable for human analysts.
Richard Harang
Recognizing Unexplained Behavior in Network Traffic
Abstract
Intrusion detection and alert correlation are valuable and complementary techniques for identifying security threats in complex networks. Intrusion detection systems monitor network traffic for suspicious behavior, and trigger security alerts. Alert correlation methods can aggregate such alerts into multi-step attack scenarios. However, both methods rely on models encoding a priori knowledge of either normal or malicious behavior. As a result, these methods are incapable of quantifying how well the underlying models explain what is observed on the network. To overcome this limitation, we present a framework for evaluating the probability that a sequence of events is not explained by a given set of models. We leverage important properties of this framework to estimate such probabilities efficiently, and design fast algorithms for identifying sequences of events that are unexplained with a probability above a given threshold. Our framework can operate both at the intrusion detection level and at the alert correlation level. Experiments on a prototype implementation of the framework show that our approach scales well and provides accurate results.
Massimiliano Albanese, Robert F. Erbacher, Sushil Jajodia, C. Molinaro, Fabio Persia, Antonio Picariello, Giancarlo Sperlì, V. S. Subrahmanian
Applying Cognitive Memory to CyberSecurity
Abstract
Investigative data mining involves organizing, sorting, clustering and segmenting of data to detect and predict criminal behavior. Many of these tasks can be aided by the use of neural networks, Cognimem’s CM1K cognitive memory being a practical and commercially available example. One can construct a vector of various attributes and compare this against known errant behavior. Profiles can be constructed by criminologists, compared and flagged within predefined limits. Cognitive memory can accelerate this process.
Bruce McCormick
Understanding Cyber Warfare
Abstract
The history of computing devices goes back to the invention of the abacus in Babylonia in the sixteenth century BC. In the three and a half millennia which followed, a variety of calculating devices were introduced, some of them stunningly sophisticated but all sharing a common limitation: a device could store data only as long as programs for the data manipulation remained in the mind of the user.
Yan M. Yufik
Design of Neuromorphic Architectures with Memristors
Abstract
Next-generation high-performance computing processors have a pressing need to expand their computation capabilities to support massively parallel applications. Moreover, conventional Von Neumann based architectures cannot meet these complex computational demands. Neuromorphic architectures, which improve the efficiency and robustness of complex computations by emulating the behavior of biological processes in hardware, offer a viable alternative solution. In this chapter, we discuss the design criteria and challenges to realize such architectures using emerging memristor technology. In particular, the memristor models, synapse circuits, fundamental processing units (neural logic blocks) for the neuromorphic architectures, and hybrid CMOS/memristor neural network (CMHNN) topologies using supervised learning will be presented for different benchmarks.
Dhireesha Kudithipudi, Cory Merkel, Mike Soltiz, Garrett S. Rose, Robinson E. Pino
Nanoelectronics and Hardware Security
Abstract
In recent years, the field of nanoelectronics has yielded several nanoscale device families that exhibit the high device densities and energy-efficient operation required for emerging integrated circuit applications. For example, the memristor (or “memory resistor”) is a two-terminal nanoelectronic switch particularly well suited for applications such as high-density reconfigurable computing and neuromorphic hardware. In addition to increased device densities and energy-efficient operation, nanoelectronic systems are also subject to a high degree of variability, often seen as a negative for conventional circuit designs. However, in terms of implementing certain security primitives, variability is a feature that can be harnessed to improve security and trust in integrated circuits. The focus of this chapter is the utilization of nanoelectronic hardware for improved hardware security in emerging nanoelectronic and hybrid CMOS-nanoelectronic processors. Specifically, features such as variability and low power dissipation can be harnessed for side-channel attack mitigation, improved encryption/decryption and anti-tamper design. Furthermore, the novel behavior of nanoelectronic devices can be harnessed for novel computer architectures that are naturally immune to many conventional cyber attacks. For example, chaos computing utilizes chaotic oscillators in the hardware implementation of a computing system such that operations are inherently chaotic and thus difficult to decipher.
Garrett S. Rose, Dhireesha Kudithipudi, Ganesh Khedkar, Nathan McDonald, Bryant Wysocki, Lok-Kwong Yan
User Classification and Authentication for Mobile Device Based on Gesture Recognition
Abstract
Intelligent mobile devices are now commonplace in daily life. A large amount of sensitive information is stored on these devices, raising severe concerns regarding data security. In this work, we propose a novel user classification and authentication scheme for mobile devices based on continuous gesture recognition. The user’s input patterns are collected by the integrated sensors on an Android smartphone. A learning algorithm is developed to uniquely recognize a user during their normal interaction with the device while accommodating hardware and biometric features that are constantly changing. Our experimental results demonstrate a great possibility for our gesture-based security scheme to reach sufficient detection accuracy with an undetectable impact on user experience.
Kent W. Nixon, Yiran Chen, Zhi-Hong Mao, Kang Li
Hardware-Based Computational Intelligence for Size, Weight, and Power Constrained Environments
Abstract
Nanotechnology research is an enabling field and is closely aligned with advances in neuromorphic architectures, energy efficient computing, and autonomy efforts. The development of neuromorphic circuits leverages a mixture of proven CMOS technologies with experimental devices and architectures that pose significant challenges for integration and fabrication. This chapter examines the pressures pushing the development of unconventional computing designs for size, weight, and power constrained environments and briefly reviews some of the trends that are influencing the development of solid-state neuromorphic systems. Later sections provide high level examples of selected approaches to hardware design and fabrication.
Bryant Wysocki, Nathan McDonald, Clare Thiem, Garrett Rose, Mario Gomez II
Machine Learning Applied to Cyber Operations
Abstract
Cyber attacks have evolved from operational to strategic events, with the aim to disrupt and influence strategic capability and assets, impede business operations, and target physical assets and mission critical information. With this emerging sophistication, current Intrusion Detection Systems (IDS) are also constantly evolving. As new viruses have emerged, the technologies used to detect them have also become more complex relying on sophisticated heuristics. Hosts and networks are constantly evolving with both security upgrades and topology changes. In addition, at most critical points of vulnerability, there are often vigilant humans in the loop.
Misty Blowers, Jonathan Williams
Detecting Kernel Control-Flow Modifying Rootkits
Abstract
Kernel Control-flow Modifying Rootkits are the most common kernel rootkits and pose the most threat to system security. Existing host-based and Virtual Machine Monitor (VMM) based techniques have limitations in security and suffer from system performance overhead. We propose a VMM-based framework to detect control-flow modifying kernel rootkits in a guest Virtual Machine (VM) by checking the number of certain hardware events that occur during the execution of a system call. Our technique leverages the Hardware Performance Counters (HPCs) to securely and efficiently count the monitored hardware events. By using HPCs, the checking cost is significantly reduced and the tamper-resistance is enhanced.
Xueyang Wang, Ramesh Karri
Formation of Artificial and Natural Intelligence in Big Data Environment
Abstract
The Big Data environment is the pivot for the organization of purposeful behavior in Artificial and Natural systems. This situation could be addressed with the concept of bounded rationality, according to which only a relatively small part of the whole information is essential while the rest of the information seems tangential. The suggested “Big Data” computational model utilizes all the available information in a shrewd manner by manipulating explicitly a small portion of data on top of an implicit context of all other data. Practical realization of this scheme for Artificial Intelligence employs a novel technique for on-the-fly clusterization of Big Data streams. Natural Intelligence also must incorporate data streaming, as had been established by the phenomenon of “Penfield movies”. It is encouraging to evaluate this approach to Natural Intelligence, as well as for the general paradigm of the organization of biological information processing. Such kind of a consideration leads to the view of the physical world as an Internet of Things, which materializes in the framework of the Holographic Universe. The paper discusses details of this representation of the physical world and its possible corroboration. As to the organization of the brain, it appears that the presented model captures its cardinal operational feature of employing the unconsciousness. In particular, this refers to mental disorders, like neuroses, schizophrenia, and autism. Being incorporated in the suggested computational model for Big Data, the indispensable property of unconsciousness materializes through extracorporeal organization of biological memory with the suggested physical organization of the Internet of Things. Models of the brain without certain emergent unconsciousness are inadequate for handling the Big Data situation.
Simon Berkovich
Alert Data Aggregation and Transmission Prioritization over Mobile Networks
Abstract
Intrusion detection systems in mobile networks tend to generate a high rate of false alarms, leading to poor intrusion detection performance and affecting adversely the computing, storage, and network resources of systems. To mitigate the adverse impact of false alarms on intrusion detection and bandwidth utilization, this chapter presents a novel real-time alert aggregation technique and a corresponding dynamic probabilistic model for mobile networks. This model-driven technique collaboratively aggregates alerts in real-time, based on alert correlations, bandwidth allocation, and an optional feedback mechanism. The idea behind this technique is to adaptively manage alert aggregation and transmission for a given bandwidth allocation. This adaptive management allows the prioritization and transmission of aggregated alerts in accordance with their importance. The performance results of the proposed technique are obtained by running simulations on the data collected from an enterprise-scale production network intrusion detection system. Simulation results have shown a reduction of 99.92 % in the amount of alerts and a reduction of an average of 51 % in disk and bandwidth utilization, depending on the amount of raw packet capture data included in the aggregation.
Hasan Cam, Pierre A. Mouallem, Robinson E. Pino
Semantic Features from Web-Traffic Streams
Abstract
We describe a method to convert web-traffic textual streams into a set of documents in a corpus to allow use of established linguistic tools for the study of semantics, topic evolution, and token-combination signatures. A novel web-document corpus is also described which represents semantic features from each batch for subsequent analysis. A (American-English) lexicon is used to create a canonical representation of each corpus whereby there is a consistent mapping of each TermID to the corresponding lexicon-word or token. Finally, representation of a corpus member as a ‘document’ is accomplished by combining the (http) request string with the concatenation of all responses to it. This representation thus allows association of the request string tokens with the resulting content, for consumption by document classification and comparison algorithms.
Steve Hutchinson
Concurrent Learning Algorithm and the Importance Map
Abstract
This chapter describes machine learning and visualization algorithms developed by the Center for Exceptional Computing, a Department of Defense research laboratory. The author hopes that these tools will advance not only cyberspace defense related applications, but also a number of other applications where cognitive information processing can be integrated.
M. R. McLean
Hardware Accelerated Mining of Domain Knowledge
Abstract
Agent-based decision aids can improve their performance by mining domain knowledge captured in cognitive domain ontologies (CDOs). The CDOs can be specialized to represent knowledge from any of a large variety of domains, including network security. Search algorithms mine data from these CDOs using constraints. While complex CDOs increase the capabilities of decision agents, they are computationally expensive to mine. Complex CDOs can function as powerful decision aids if they can be processed in realistic time frames. To achieve this, it is necessary to parallelize and accelerate the CDO knowledge mining algorithms. This chapter introduces CDOs and examines how they can be transformed into constraint networks for processing on high performance compute platforms. The constraint networks were solved using a parallelized generate and test exhaustive depth first search algorithm. Two compute platforms for acceleration are examined: Intel Xeon multicore processors, and NVIDIA graphics processors (GPGPUs). This chapter shows that 1 NVIDIA Tesla C2070 GPGPU can provide a speed-up of 100 times over 1 Xeon CPU core for the search algorithm. The scaling of the algorithm on a high performance GPGPU cluster achieved estimated speed-ups of over 1,000 times.
Tanvir Atahary, Scott Douglass, Tarek M. Taha
Memristors and the Future of Cyber Security Hardware
Abstract
The chapter covers three approaches to emulate a memristor-based computer using artificial neural networks, and we describe how a memristor computer could be used to solve Cyber security problems. The memristor emulation neural network approach was divided into three basic deployment methods: (1) deployment of neural networks on the traditional Von Neumann CPU architecture, (2) software based algorithms deployed on the Von Neumann architecture utilizing Graphics Processing Units (GPUs), and (3) a hardware architecture deployed onto a field-programmable gate array.
Michael J. Shevenell, Justin L. Shumaker, Arthur H. Edwards, Robinson E. Pino
Metadata
Title: Network Science and Cybersecurity
Edited by: Robinson E. Pino
Copyright year: 2014
Publisher: Springer New York
Electronic ISBN: 978-1-4614-7597-2
Print ISBN: 978-1-4614-7596-5
DOI: https://doi.org/10.1007/978-1-4614-7597-2