Networks and systems owned by DoD and DOE are particularly attractive targets for cyberattacks by highly skilled and organized adversaries. Current intrusion detection products are mainly limited to detecting previously seen attacks and cannot cope with the new types of attacks such adversaries can craft. Moreover, these products are typically overwhelmed even at low network speeds (below 100 Mbps) and thus are not applicable to modern high-speed networks operating at gigabit rates. This project will develop an approach for detecting novel attacks with low false alarm rates by combining specification-based and anomaly-based intrusion detection with advanced statistical, machine-learning, and data-mining techniques. Advanced data structures and algorithms will be used to speed up the compute-intensive operations. Phase I will focus on developing capabilities for identifying attacks and their origin from the output of an anomaly detector. Data reconciliation, data mining, and model-based event correlation techniques will be used to build these capabilities.
Commercial Applications and Other Benefits as described by the awardee: Target customers for the attack-identification software would include DoD, DOE, and governmental and commercial institutions that administer critical infrastructures (such as banks, power distribution, and law enforcement), as well as high-speed network providers (such as ISPs and backbone network providers). These customers are not satisfied with the 'after-the-fact' protection offered by today's products