The goal of the detection thrust is to develop theories and models that relate the properties and capabilities of cyber threat detection and recognition processes and mechanisms to the properties of the malicious activity and of Army networks. More concretely, the goal is to determine whether there is an ongoing cyber threat that can negatively affect the operation and to provide assessments of: (i) what the most likely threat is; (ii) what impact it will have on the operation (e.g., leakage of data, system breakdown) in terms of an increase in cost or a decrease in payout; and (iii) the confidence in the process (based on the evidence collected). Detection is influenced by (i) the actions of the attacker and (ii) the dynamics of the environment (which can itself influence the attacker to behave in certain ways). The CRA’s efforts in detection to date have focused on three areas addressing the needs of operations: (a) advancing traditional intrusion detection, (b) understanding the defender’s decision processes, and (c) developing a science of evidence collection.
Note that collecting data and transmitting it to a central fusion center can place demands on the already constrained communications media of tactical networks. Even local collection and processing may pose challenges in an environment that is often energy- and compute-constrained. Strategic networks may have greater resources, but they support a larger diversity of operations. One of the key investigations within the CRA is the calibration of the detection apparatus to the resource cost of the target environment (tactical or strategic), based on an understanding of operational requirements.
The operational model uses inputs from intrusion detection systems to infer the model state. However, current systems are limited in their accuracy and false-positive rates. The team is looking at several alternate models and scientific challenges to traditional detection. One alternate model developed within the CRA is diagnosis-enabling intrusion detection (DEID). Departing substantially from traditional signature- and anomaly-based detection, DEID infers high-level attacks and their effects using correlation, automated reasoning, and forensic techniques. In DEID: (i) A large volume of data that encompasses all levels of operation at each node (human actions, sensors, applications, OS, network behaviors) is collected across a multitude of monitors. (ii) The observed, correlated evidence is examined and an attempt is made to map it onto the expected correlated behaviors derived from models of both the system and the human actors; the mappings allow normal and attack behaviors to be determined with high accuracy (diagnosis). (iii) If the system is unable to map the observed correlated behaviors to known attacks (e.g., because it is a zero-day attack), the appropriate information is exported to the human defenders.
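As an added, much-simplified illustration of the three DEID steps (not the CRA's DEID implementation), the following correlates per-window evidence from several monitor layers, maps it onto hypothetical normal and known-attack behaviour models, and exports unexplained evidence for human review; the models, event names and records are all constructed.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

Event = Tuple[str, str]          # (monitor layer, event name)
Evidence = FrozenSet[Event]      # correlated evidence observed in one time window

# Hypothetical behaviour models (not the CRA's): the correlated cross-layer
# evidence that each normal activity and each known attack is expected to produce.
NORMAL_MODELS: Dict[str, Evidence] = {
    "user_backup": frozenset({("human", "login"), ("application", "backup_client"),
                              ("network", "bulk_upload")}),
    "patching": frozenset({("os", "package_update"), ("network", "repo_download")}),
}
ATTACK_MODELS: Dict[str, Evidence] = {
    "staged_exfiltration": frozenset({("os", "new_scheduled_task"),
                                      ("network", "bulk_upload")}),
}

def correlate(records: List[Tuple[int, str, str]], window: int) -> Dict[int, Evidence]:
    """Step (i): bucket raw (timestamp, layer, event) records from all monitors into
    per-window evidence sets so that events from different layers are examined together."""
    buckets = defaultdict(set)
    for t, layer, event in records:
        buckets[t // window].add((layer, event))
    return {w: frozenset(ev) for w, ev in buckets.items()}

def diagnose(evidence: Evidence) -> Tuple[str, str, Evidence]:
    """Steps (ii)-(iii): map evidence onto expected behaviours. Returns (verdict, label,
    unexplained); verdict is 'attack', 'normal' or 'unknown', and 'unknown' carries the
    evidence no model explains, which is what gets exported to human defenders."""
    for name, required in ATTACK_MODELS.items():
        if required <= evidence:                 # known attack pattern fully present
            return "attack", name, frozenset()
    matched = [n for n, req in NORMAL_MODELS.items() if req <= evidence]
    explained = set()
    for n in matched:
        explained |= NORMAL_MODELS[n]
    unexplained = evidence - explained
    if not unexplained:                          # everything accounted for by normal models
        return "normal", ",".join(matched) or "idle", frozenset()
    return "unknown", "export_to_human", unexplained

# Constructed monitor records (timestamp in seconds, layer, event); windows are 60 s.
RECORDS = [
    (5, "human", "login"), (20, "application", "backup_client"), (40, "network", "bulk_upload"),
    (70, "os", "new_scheduled_task"), (95, "network", "bulk_upload"),
    (130, "network", "bulk_upload"),
]
```

The first window is explained by the user-backup model, the second matches the known attack, and the third (a bulk upload with no human action behind it) matches nothing and is exported.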
Another effort seeks to expand and formalize the science of detection by exploring the vulnerabilities and countermeasures inherent to the underlying machine learning algorithms on which most detection systems are based. In particular, we are developing intrusion detection techniques that are robust in the face of adversaries, work with limited information, and greatly reduce the attack surface that adversaries may leverage undetected. For example, we have developed novel algorithms and defenses for adversarial samples—adversarially crafted detection sensor inputs that exploit model error to bypass detection. In defining the new science of this area, we introduced a taxonomy formalizing the space of adversaries targeting deep neural networks (DNNs) used for classification tasks. We then investigated the case of source-target misclassification: forcing the targeted classifier to misclassify samples from any source class into any chosen adversarial target class. Our algorithms exploit a precise understanding of the sensitivity of the mapping between inputs and outputs using the forward derivative—the Jacobian of the model learned by the DNN classifier. Adversarial saliency maps build on the forward derivative to compute, for each input component, a score indicating the likelihood that the component contributes to the adversarial goal of source-target misclassification. Perturbations are iteratively selected using the adversarial saliency maps and added to the sample until it becomes adversarial—misclassified by the DNN. We extended that work to create defenses against such attacks. The intuition is to make the models learned by DNNs smoother, which increases the average minimal perturbation magnitude an attacker must introduce to craft adversarial samples. This minimal perturbation characterizes a neighborhood around each point in which the model’s decision is constant, which in turn defines a robustness metric for detection models.
We proposed the use of defensive distillation to increase model robustness. Distilled models are harder to attack: adversarial samples need to be perturbed more before the model misclassifies them. We are applying similar approaches and validation techniques to other ML techniques and measuring the resilience of detection systems against these attacks.
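The forward derivative, adversarial saliency map and minimal-perturbation robustness metric of the two preceding paragraphs, worked through on a constructed three-class softmax model (added example, not CRA code; the weights, samples and step size θ are assumptions). It measures robustness as the average perturbation needed to reach a target class; the `T` parameter only rescales the softmax, so it shows the caveat that smoothing must change the learned decision boundary (as distillation does through training) rather than merely rescale outputs.

```python
import numpy as np

# Constructed 3-class linear softmax classifier over 3 features in [0, 1] (not a CRA model).
W = np.array([[2.0, 0.0, 0.0],
              [0.0, 2.0, 1.0],
              [0.0, 0.0, 2.0]])

def predict_proba(x, T=1.0):
    """Class probabilities F(x) = softmax(Wx / T); T=1 is a plain softmax."""
    z = W @ x / T
    e = np.exp(z - z.max())
    return e / e.sum()

def forward_derivative(x, T=1.0):
    """Jacobian J[j, i] = dF_j/dx_i, computed analytically for the softmax-linear model."""
    F = predict_proba(x, T)
    return (F[:, None] / T) * (W - (F @ W)[None, :])

def saliency_map(x, target, T=1.0):
    """Adversarial saliency map for source->target misclassification: a feature scores
    dF_t/dx_i * |sum_{j!=t} dF_j/dx_i|, and 0 if raising it would not favour the target."""
    J = forward_derivative(x, T)
    d_target = J[target]
    d_others = J.sum(axis=0) - d_target
    S = d_target * np.abs(d_others)
    S[(d_target < 0) | (d_others > 0)] = 0.0
    return S

def minimal_perturbation(x, target, theta=0.1, max_steps=50, T=1.0):
    """Greedily raise the most salient feature by theta until the prediction is `target`.
    Returns (x_adv, steps, L2 size of the perturbation); steps is None if it fails."""
    x_adv = x.copy()
    for step in range(max_steps):
        if int(predict_proba(x_adv, T).argmax()) == target:
            return x_adv, step, float(np.linalg.norm(x_adv - x))
        S = saliency_map(x_adv, target, T)
        S[x_adv >= 1.0] = 0.0          # saturated features cannot be raised further
        if S.max() <= 0:
            break
        i = int(S.argmax())
        x_adv[i] = min(1.0, x_adv[i] + theta)
    return x_adv, None, float("inf")

def robustness_metric(samples, target, T=1.0):
    """Average minimal perturbation magnitude over samples: larger means more robust."""
    return float(np.mean([minimal_perturbation(x, target, T=T)[2] for x in samples]))

# Constructed class-0 samples; the adversarial target is class 1.
SAMPLES = [np.array([0.85, 0.2, 0.15]), np.array([0.65, 0.3, 0.2])]
```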
A challenge for intrusion detection systems is the integration of hard-earned information that is relevant to an attack but not measurable at run time. Recent advances by CRA PIs in Learning Using Privileged Information (LUPI) provide some insights.
Beyond the detection algorithms, the CRA is exploring the “evidence” collection processes and systems—the quality of any detection system is critically defined by the completeness and accuracy of its sensor inputs. The CRA is addressing several challenges in configuring evidence collection in military systems. First, monitor placement is often ad hoc and accidental. Large, complex environments can contain thousands of devices and services with subtle interactions and behaviors. How one places sensors in these environments is key to getting an accurate view of the environmental state. The team is studying measures of coverage and developing algorithms for sensor placement (minimal number, optimal locations). The team is exploring several strategies for placement algorithms, including max-coverage, min-resource, and game-theoretic strategies. Such algorithms are being developed for both static and dynamic placement—the latter of which is a form of system agility discussed below.
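Greedy versions of the max-coverage and min-resource placement strategies on a constructed set of flows, added here as an illustration (not the CRA's placement algorithms); the node names, flows and per-node monitoring costs are all hypothetical. A monitor on a node observes every flow that traverses it, and the cost-aware variant shows how a constrained node can be avoided when the goal is full coverage at minimum resource cost.

```python
from typing import Callable, Dict, List, Set, Tuple

# Constructed tactical-network flows: each flow lists the nodes it traverses.
FLOWS: Dict[str, List[str]] = {
    "f1": ["A", "B", "C"], "f2": ["A", "B", "D"], "f3": ["E", "B", "D"],
    "f4": ["E", "F", "G"], "f5": ["H", "F", "G"], "f6": ["C", "D"],
}
# Hypothetical monitoring cost per node; B is a bandwidth-starved relay, so it costs more.
COST: Dict[str, float] = {n: 1.0 for path in FLOWS.values() for n in path}
COST["B"] = 2.0

def coverage_sets(flows: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Map each candidate node to the set of flows a monitor there would observe."""
    cov: Dict[str, Set[str]] = {}
    for fid, path in flows.items():
        for node in path:
            cov.setdefault(node, set()).add(fid)
    return cov

def _best(cov, covered, score: Callable[[str, int], float]):
    """Node with the highest score of its marginal gain; sorted order breaks ties."""
    best, best_score = None, 0.0
    for node in sorted(cov):
        s = score(node, len(cov[node] - covered))
        if s > best_score:
            best, best_score = node, s
    return best

def max_coverage(flows, k: int) -> Tuple[List[str], Set[str]]:
    """Max-coverage: place k monitors to observe as many flows as possible."""
    cov, covered, chosen = coverage_sets(flows), set(), []
    while len(chosen) < k:
        node = _best(cov, covered, lambda n, gain: gain)
        if node is None:
            break
        chosen.append(node)
        covered |= cov[node]
    return chosen, covered

def min_resource(flows, cost: Dict[str, float]) -> Tuple[List[str], float]:
    """Min-resource (greedy weighted set cover): observe every flow at minimum total cost."""
    cov, covered, chosen = coverage_sets(flows), set(), []
    while covered != set(flows):
        node = _best(cov, covered, lambda n, gain: gain / cost[n])
        if node is None:
            break                      # some flow is unobservable from any node
        chosen.append(node)
        covered |= cov[node]
    return chosen, sum(cost[n] for n in chosen)
```

With unit costs the greedy cover picks the hub B first; with B's higher cost it covers the same six flows for a total cost of 3 instead of 4.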