SBIR-STTR Award

HULCK: A Novel Cyber-Protection System for Network Anomaly Detection and Threat Prioritization
Award last edited on: 1/23/2020

Sponsored Program
SBIR
Awarding Agency
DOD : AF
Total Award Amount
$898,458
Award Phase
2
Solicitation Topic Code
AF191-065
Principal Investigator
Adam Kauffman

Company Information

Notos Technologies LLC

1321 Oaklawn Avenue NE
Brookhaven, GA 30319
   (404) 667-2750
   info@notostech.com
   www.notostech.com
Location: Single
Congr. District: 06
County: DeKalb

Phase I

Contract Number: FA8750-19-C-1008
Start Date: 8/16/2019    Completed: 8/16/2020
Phase I year
2019
Phase I Amount
$149,864
Many existing network intrusion detection systems (IDS) employ expensive deep packet inspection (DPI) and sophisticated pattern matching algorithms to spot evidence of known threats in the network traffic. While IDS are a valuable component of a defense-in-depth strategy, they often require significant compute power, tend to miss new (previously unknown) threats, run on heavy hardware, may require access to high-bandwidth external cloud-based threat analysis services, and can be energy-hungry. Clearly, these systems cannot meet the desirable properties of a modern, accurate, adaptive, and highly portable cyber-protection kit. To address the shortcomings of existing IDS, we propose to build HULCK, a novel low-size, low-weight, low-power cyber-protection system that provides accurate network anomaly detection and threat prioritization. HULCK will consist of three main components: (i) one or more Miner devices that can be deployed at the edge and inside the mission network to observe and summarize all network traffic; (ii) an Analytics module that receives and aggregates the summarized network traffic information coming from the Miners, and that applies advanced anomaly detection and threat prioritization algorithms inspired by collective classification methods in machine learning; and (iii) an Intel module that provides threat intelligence and threat attribution capabilities.

Keywords: Network Anomaly Detection, Threat Prioritization, Threat Detection, Threat Forensics, Cyber, cyber protection team, Cyber Protection Kit
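The abstract describes a Miner/Analytics split: edge devices ship compact per-host traffic summaries rather than packets, and a central module aggregates those summaries, scores hosts for anomalous behavior, and ranks them so a team can go to the source first. The sketch below is an added illustration of that data flow and is not HULCK's code or algorithm. The flow-record shape (src, dst, dport, bytes), the fan-out features, the z-score scoring, the one-round neighbour-influence step standing in for a "collective" method, and the traffic records themselves are all constructed assumptions for the example.

```python
"""Illustrative Miner -> Analytics pipeline: summarize flows at the edge,
merge summaries centrally, score and prioritize hosts.
Not HULCK code; record format, features, thresholds and scoring are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class HostSummary:
    """What a Miner keeps per source host; a few counters and sets, never packets."""
    bytes_out: int = 0
    flows: int = 0
    peers: set = field(default_factory=set)
    dst_ports: set = field(default_factory=set)


def miner_summarize(records):
    """Miner side: collapse (src, dst, dport, nbytes) flow records into per-src summaries."""
    summ = defaultdict(HostSummary)
    for src, dst, dport, nbytes in records:
        s = summ[src]
        s.bytes_out += nbytes
        s.flows += 1
        s.peers.add(dst)
        s.dst_ports.add(dport)
    return dict(summ)


def aggregate(miner_outputs):
    """Analytics side: merge summaries arriving from several Miners, keyed by source host."""
    merged = defaultdict(HostSummary)
    for out in miner_outputs:
        for host, s in out.items():
            m = merged[host]
            m.bytes_out += s.bytes_out
            m.flows += s.flows
            m.peers |= s.peers
            m.dst_ports |= s.dst_ports
    return dict(merged)


def _zscores(values):
    mu, sd = mean(values), pstdev(values)
    return [0.0] * len(values) if sd == 0 else [(v - mu) / sd for v in values]


def score_hosts(merged):
    """Per-host anomaly score: mean z-score over fan-out features, floored at zero."""
    hosts = sorted(merged)
    feats = [
        [len(merged[h].peers) for h in hosts],      # distinct destinations
        [len(merged[h].dst_ports) for h in hosts],  # distinct destination ports
        [merged[h].flows for h in hosts],           # flow count
    ]
    zs = [_zscores(f) for f in feats]
    return {h: max(0.0, mean(z[i] for z in zs)) for i, h in enumerate(hosts)}


def propagate(scores, merged, alpha=0.5):
    """One round of neighbour influence over the communication graph: a host that
    talked to a high-scoring host gets part of that score. This is a stand-in for a
    collective-classification step and is an assumption of the example."""
    out = {}
    for h, s in scores.items():
        nbr = [scores[p] for p in merged[h].peers if p in scores]
        out[h] = s + alpha * (max(nbr) if nbr else 0.0)
    return out


def prioritize(merged, top=3):
    """Rank hosts so the most suspicious source is investigated first."""
    s = propagate(score_hosts(merged), merged)
    return sorted(s.items(), key=lambda kv: kv[1], reverse=True)[:top]


# Constructed sample traffic (not real data). Miner A sees ordinary client traffic
# plus one host (10.0.0.3) that also contacted 10.0.0.9 on 445. Miner B sees
# 10.0.0.9 sweeping 20 hosts on three ports.
MINER_A_RECORDS = [
    ("10.0.0.1", "10.0.1.1", 443, 5000),
    ("10.0.0.1", "10.0.1.2", 53, 120),
    ("10.0.0.2", "10.0.1.1", 443, 4200),
    ("10.0.0.3", "10.0.1.1", 443, 3900),
    ("10.0.0.3", "10.0.0.9", 445, 300),
    ("10.0.0.4", "10.0.1.1", 443, 4100),
]
MINER_B_RECORDS = [
    ("10.0.0.9", f"10.0.2.{i}", port, 60) for i in range(1, 21) for port in (22, 445, 3389)
]


def run_demo():
    merged = aggregate([miner_summarize(MINER_A_RECORDS), miner_summarize(MINER_B_RECORDS)])
    return prioritize(merged)


if __name__ == "__main__":
    for host, score in run_demo():
        print(f"{host:12} {score:.3f}")
```

The point of the split is visible in the sizes: Miner B turns 60 flow records into one summary before anything crosses the link, which is what makes the design workable on low-bandwidth or intermittent links. The propagation step is deliberately crude; it exists only to show how a host that merely touched the scanner (10.0.0.3) rises above hosts with identical local statistics, which a per-host score alone would not do.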

Phase II

Contract Number: FA8750-21-C-0251
Start Date: 4/29/2021    Completed: 8/3/2023
Phase II year
2021
Phase II Amount
$748,594
Traditional network-based intrusion detection systems (IDS) are mostly limited to using expensive deep packet inspection (DPI) and sophisticated pattern matching algorithms to spot evidence of known threats in network traffic. While IDS are a valuable component of a defense-in-depth strategy, they often require significant compute power, can be energy-hungry, run on heavy hardware, may require access to high-bandwidth external cloud-based threat analysis services, and tend to miss new (previously unseen) threats. Clearly, these systems cannot meet the desirable properties of a modern, accurate, adaptive, and highly portable cyber-protection kit. The primary goal of this proposal is to develop a novel “near plug-and-play” (i.e., easy to set up and run) cyber-protection system that will enable cyber protection teams (CPTs) to quickly identify network communications related to threats currently present in the network under investigation. Our technical approach will be based on the PIs’ extensive academic research and industry experience on network-based threat detection and defense and will make use of efficient traffic models and analysis methods to accurately detect anomalous network behaviors with minimal storage, bandwidth, and compute power. The proposed solution aims to allow CPTs to promptly locate the sources of malicious traffic inside a network and to significantly accelerate threat containment and neutralization efforts. Besides providing novel real-time network threat detection capabilities, the proposed cyber-protection system will also provide access to external advanced threat correlation and attribution capabilities recently developed by co-PI Dr. Manos Antonakakis under the DARPA Enhanced Attribution program (https://www.darpa.mil/program/enhanced-attribution). These threat intelligence and attribution capabilities will be available to CPTs at mission time, and will be designed to operate in low-bandwidth, high-latency environments.
When needed, the proposed threat detection system will also be able to operate autonomously, in deployment environments in which access to external threat intelligence is not at all possible (e.g., in case of zero bandwidth or insurmountable constraints imposed by existing network policies). Furthermore, threat intelligence capabilities will be available to CPTs after mission, to improve postmortem forensic investigations and threat attribution.