The U.S. Army Research Laboratory has established a Collaborative Research Alliance, or CRA, that brings together researchers from ARL, the U.S. Army Communications-Electronics Research, Development and Engineering Center, academia and industry to explore the basic foundations of cyber science in the context of Army networks. ARL cyber research efforts will increasingly focus on developing the models, methods, and understanding needed to overcome existing barriers to effective cyber fires and maneuvers in a tactical environment. This journal issue explores those efforts.
Articles In This Issue
Cyber Science and Technology at the Army Research Laboratory
The U.S. Army Research Laboratory (ARL) received the first salvos in the battle for cybersecurity as early as three decades ago. In terms of technology history, that was an astonishingly long time ago: before most people had ever heard of the Internet, before there were web browsers, and long before smartphones. Back in 1986, the laboratory withstood attacks by Markus Hess, a Soviet-sponsored hacker who had successfully penetrated dozens of U.S. military computer sites. In his bestselling book, The Cuckoo’s Egg, the pioneering U.S. cyber defender Cliff Stoll describes how he monitored the hacker’s network activities in the fall of 1986: “He then tried the Army’s Ballistic Research Lab’s computers in Aberdeen, Maryland. The Milnet took only a second to connect, but BRL’s passwords defeated him: he couldn’t get through” (Stoll 1989).
The Cyber Security Collaborative Research Alliance: Unifying Detection, Agility, and Risk in Mission-Oriented Cyber Decision Making
For military networks and systems, the cyber domain is an increasingly contested and congested space. Defenders of these systems must fight through adversary action in complex tactical and strategic environments. Now completing its third year, the Cyber-Security Collaborative Research Alliance has sought to develop approaches for understanding and countering adversaries. The goal of this work is to develop a new science of cyber decision-making in military networks and systems. In this article we introduce the conceptual framework for this new science and consider its core research elements of detection (situational awareness), risk (measurement and assessment), and agility (adapting systems to evolving threats); overlaying these is the human dimension of users, defenders and attackers. We conclude by articulating a vision for future military cyber operations.
Machine Learning and Network Intrusion Detection: Results from Grammatical Inference
Machine learning for network intrusion detection is an area of ongoing and active research (see the references in [1] for a representative selection). Nearly all results in this area are empirical in nature, however, and despite the significant amount of work that has been performed, very few such systems have received anywhere near the widespread support or adoption that manually configured systems such as Bro [2] or Snort [3] have. As discussed in [1], several differences between conventional applications of machine learning and machine learning for network intrusion detection make intrusion detection a challenging domain: the overwhelming class imbalance (see [4] for a detailed discussion of this issue), the high asymmetry in misclassification costs, the difficulty of evaluating the performance of an intrusion detection system, and the constantly changing nature of network attacks.
Synergistic Architecture for Human-Machine Intrusion Detection
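The class imbalance and cost asymmetry mentioned above have a concrete consequence that is easy to miss: on data where one flow in a hundred is an attack, a detector that never alerts scores 99% accuracy, and a detector with a mere 1% false-positive rate produces mostly false alarms. The following example, added here and not code from the article or the ARL CRA, scores two detectors on a constructed, imbalanced flow set and computes a cost-weighted metric alongside accuracy; the flow records, the volume rule and the per-error costs (a miss weighted 100 times a false alarm) are all assumptions chosen for illustration.

```python
"""Why accuracy misleads on intrusion-detection data.

Added example, not code from the article or the ARL CRA. The flow records
are constructed for illustration and the per-error costs are assumptions.
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Flow:
    bytes_out: int
    dst_port: int
    is_attack: bool  # ground-truth label


def make_flows(n_benign=9900, n_attack=100, seed=7):
    """Constructed, imbalanced dataset: about 1% of flows are attacks.

    Benign and attack byte counts overlap on purpose so that no threshold
    separates them cleanly."""
    rng = random.Random(seed)
    benign = [Flow(rng.randint(100, 60_000), rng.choice([53, 80, 443]), False)
              for _ in range(n_benign)]
    attacks = [Flow(rng.randint(40_000, 200_000), rng.choice([443, 4444]), True)
               for _ in range(n_attack)]
    return benign + attacks


def always_benign(flow):
    """Degenerate detector: never alerts."""
    return False


def volume_rule(flow):
    """Hand-tuned rule (an assumption): alert on large outbound transfers."""
    return flow.bytes_out > 50_000


def evaluate(detector, flows, cost_miss=100.0, cost_false_alarm=1.0):
    """Confusion-matrix metrics plus an expected per-flow cost that weights a
    missed attack far more than a false alarm (cost values are assumptions)."""
    tp = fp = fn = tn = 0
    for f in flows:
        alert = detector(f)
        if alert and f.is_attack:
            tp += 1
        elif alert:
            fp += 1
        elif f.is_attack:
            fn += 1
        else:
            tn += 1
    n = tp + fp + fn + tn
    return {
        "accuracy": (tp + tn) / n,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "false_alarm_rate": fp / (fp + tn),
        "expected_cost": (cost_miss * fn + cost_false_alarm * fp) / n,
    }


def precision_from_rates(tpr, fpr, base_rate):
    """Bayes' rule: the fraction of alerts that are real attacks, given the
    detector's true-positive rate, false-positive rate and the attack base
    rate. A 1% FPR is ruinous when attacks are 1 flow in 1000."""
    alerts_on_attacks = tpr * base_rate
    alerts_on_benign = fpr * (1.0 - base_rate)
    return alerts_on_attacks / (alerts_on_attacks + alerts_on_benign)


if __name__ == "__main__":
    flows = make_flows()
    for name, det in [("always_benign", always_benign), ("volume_rule", volume_rule)]:
        print(name, evaluate(det, flows))
    print("precision at 1% FPR, 1-in-1000 attacks:",
          round(precision_from_rates(1.0, 0.01, 0.001), 3))
```

Running it shows the degenerate detector winning on accuracy (0.99) while catching nothing, and the volume rule losing on accuracy but winning decisively once the cost asymmetry is applied; `precision_from_rates` gives the same lesson analytically, which is why evaluation on imbalanced data has to report precision, recall or a cost-weighted score rather than accuracy.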
Modern-day detection of cyber threats is a highly manual process in which teams of human analysts flag suspicious events using assistive tools such as Bro and Snort. It is the analysts’ ability to discern suspicious activity, and their authority to make decisions on threats, that places humans in the central role of the threat detection process. However, over-reliance on human ability can lead to a high volume of undetected threats, and as the tempo, diversity and complexity of cyberspace threats continue to increase, this shortcoming can only worsen. There is therefore a need for a new detection paradigm that is largely automated but in which analysts maintain situational awareness and control of the process. We propose a synergistic detection process that captures the benefits of human cognition and machine computation while mitigating their weaknesses: the analyst provides context and domain knowledge, and the machines provide the ability to handle vast data at speed.
Risk Analysis with Execution-Based Model Generation
Analyzing risk is critical throughout the software acquisition lifecycle. System risk is commonly assessed by conducting a penetration test, in which ethical hackers emulate realistic threats against real systems by exploiting vulnerabilities. These tests are very costly, limited in duration, and do not provide stakeholders with “what-if” analyses. To alleviate these issues, system models are used in emulation, simulation, and attack graph generators to enhance test preparation, execution, and supplementary post-test analyses. This article describes a method for developing models that can be used to analyze risk in mixed tactical and strategic networks, which are common in the military domain.
Security of Cyber-Physical Systems
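To make the "what-if" analysis concrete, the following example, added here and not the article's own method or code, generates an attack graph from a small system model by forward-chaining from the attacker's starting foothold, enumerates the attack paths to a goal, and then re-runs the analysis with a firewall rule or a vulnerability removed. The hosts, reachability rules and vulnerability labels are a constructed model for illustration; the labels are placeholders, not real vulnerability identifiers.

```python
"""Attack-graph generation over a small system model, with "what-if" queries.

Added example, not code from the article or the ARL CRA. The network model
(hosts, reachability rules, vulnerability labels) is constructed for
illustration; the labels are placeholders, not real vulnerability identifiers.
"""
from collections import deque

# --- constructed system model --------------------------------------------
# Reachability rules as (src_host, dst_host, dst_port). "internet" is where
# the attacker starts. The web->db rule models a mis-scoped firewall rule.
REACH = {
    ("internet", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("web", "db", 5432),
}

# Remotely exploitable weaknesses: (host, port) -> [(label, privilege gained)]
REMOTE_VULNS = {
    ("web", 443): [("web_rce", "user")],
    ("app", 8080): [("app_rce", "user")],
    ("db", 5432): [("db_auth_bypass", "root")],
}

# Local privilege escalation: host -> [(label, from_privilege, to_privilege)]
LOCAL_VULNS = {
    "web": [("web_lpe", "user", "root")],
}

START = ("internet", "user")
GOAL = ("db", "root")


def generate_attack_graph(reach, remote_vulns, local_vulns, start=START):
    """Forward-chain from the attacker's start state.

    A state is (host, privilege); an edge is (from_state, label, to_state).
    Simplification: any foothold on a host lets the attacker use that host's
    network reachability, regardless of privilege level."""
    states = {start}
    edges = []
    queue = deque([start])
    while queue:
        host, priv = queue.popleft()
        # Remote exploitation of every host/port this host can reach.
        for src, dst, port in sorted(reach):
            if src != host:
                continue
            for label, gained in remote_vulns.get((dst, port), []):
                new = (dst, gained)
                edges.append(((host, priv), label, new))
                if new not in states:
                    states.add(new)
                    queue.append(new)
        # Local privilege escalation on the current host.
        for label, from_priv, to_priv in local_vulns.get(host, []):
            if from_priv == priv:
                new = (host, to_priv)
                edges.append(((host, priv), label, new))
                if new not in states:
                    states.add(new)
                    queue.append(new)
    return states, edges


def attack_paths(edges, start=START, goal=GOAL):
    """Enumerate simple paths from start to goal as lists of vuln labels."""
    adjacency = {}
    for frm, label, to in edges:
        adjacency.setdefault(frm, []).append((label, to))
    paths = []

    def dfs(state, visited, used):
        if state == goal:
            paths.append(list(used))
            return
        for label, nxt in adjacency.get(state, []):
            if nxt not in visited:
                dfs(nxt, visited | {nxt}, used + [label])

    dfs(start, {start}, [])
    return paths


def what_if(reach, remote_vulns, local_vulns, drop_reach=(), drop_vulns=(),
            goal=GOAL):
    """Re-generate the graph with some reachability rules and/or weaknesses
    removed and return how many attack paths to the goal remain."""
    reach2 = {r for r in reach if r not in set(drop_reach)}
    remote2 = {k: [v for v in vs if v[0] not in drop_vulns]
               for k, vs in remote_vulns.items()}
    local2 = {k: [v for v in vs if v[0] not in drop_vulns]
              for k, vs in local_vulns.items()}
    _, edges = generate_attack_graph(reach2, remote2, local2)
    return len(attack_paths(edges, goal=goal))


if __name__ == "__main__":
    _, edges = generate_attack_graph(REACH, REMOTE_VULNS, LOCAL_VULNS)
    for path in attack_paths(edges):
        print(" -> ".join(path))
    print("paths after removing web->db rule:",
          what_if(REACH, REMOTE_VULNS, LOCAL_VULNS,
                  drop_reach=[("web", "db", 5432)]))
```

With the model as given there are four paths to root on the database host; removing the mis-scoped web->db rule leaves two (both through the application server), and additionally removing the application-server weakness leaves none. That ordering of candidate fixes by residual paths is the kind of supplementary analysis a penetration test alone cannot give.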
Cyber-Physical Systems (CPSs) are electronic control systems that control physical machines such as motors and valves in an industrial plant. In a networked environment, the security of the physical machines depends on the security of the electronic control systems, but cybersecurity is not typically the main design concern; the main concern for CPSs is the availability of the physical machines governing operations. As CPS owners continue to install remote network control devices and incorporate an increasing number of insecure Internet-of-Things (IoT) devices in their industrial processes, their operations become increasingly vulnerable. This article outlines current cybersecurity issues of CPSs and potential concerns for future CPS designers and operators. Secure future CPSs are necessary for keeping our critical infrastructure safe.
Information Security Continuous Monitoring (ISCM)
The ability of commanders to know and understand an organizational attack surface, its vulnerabilities, and the associated risks is a fundamental aspect of command decision-making. In the cyberspace domain, what is paramount is ongoing monitoring sufficient to ensure and assure the effectiveness of security controls for systems, networks, and cyberspace: assessing security control implementation and organizational security status in accordance with organizational risk tolerance, within a reporting structure designed to support real-time, data-driven risk management decisions.