ARES

Autonomic Recognition of Events and Sources

A significant problem in information security is the difficulty in attributing specific network events to an individual or organization when the attacker is taking active measures to hide their identity.  This problem transcends most of information security.  Authentication and access control procedures assume that accurate identification is possible.  While effective intrusion detection approaches may detect malicious activity, the attribution of that activity is beyond the scope of that technology.  Just as difficult as effective attribution is the attempt to determine the level of sophistication of an event.  An elite attacker may "play dumb" in order to pass as an unimportant user in a complex distributed system.  

This problem is one that is currently of significant concern to network administrators and security professionals in general, and the U.S. intelligence community in particular.  The identification of one or more viable approaches will serve as the basis for doctoral dissertations for students and research funding for NSU.  


Student Research

Claudio Taglienti: Applying hierarchical temporal memory to the problem of identifying attackers that attempt to elude detection during multiple entries into a protected system. (Idea Paper approved)

John Diallo: Attack predictability (pre-Idea Paper)

Stephen Mujeye: Identifying attackers attempting to hide (pre-Idea Paper)




Potential Areas of Research

What are the indications of an attacker attempting to avoid identification?  What tracks could be observable in the network traffic and/or system calls?

Can we "forward track" (predict future activity of the attacker based on their behavior)?  Prediction of the activity of a masquerading attacker may allow for detection even when the presence of an attacker is unknown.

How do we track multiple attackers that are attempting to hide at the same time?  Assume that they are working in concert to make individual identification more difficult.

Note: Research on backtracking attackers is no longer supported.


The ARES group is open to students currently in coursework and those in the dissertation process who have no current research problem to work on.  Students in coursework, especially those taking DCS/DCIS/DISS 898, will work on some aspect of the problems listed above.  Dissertation students can select any of those areas listed as the basis for their dissertation research problem, or propose another related area of investigation.  

A preliminary literature list is available.  The list of research articles, including student publications, will be updated regularly.  


All interested students should contact Dr. Cannady ASAP to indicate their interest in this research.  

Dr. Jim Cannady

cannady@nova.edu
706.248.4250