Internet Measurement and Attack Modeling

The United States Computer Emergency Readiness Team (US-CERT) is charged with providing response support and defense against cyberattacks for the Federal Civil Executive Branch (.gov), and with information sharing and collaboration with state and local government, industry, and international partners. Research in Internet measurement will address the need for a better understanding of connectivity among Internet Service Providers (ISPs). Associated data analysis, such as geographic mapping, will improve the understanding of peering relationships and thus provide a more complete view of network topology, which will help to identify the infrastructure components in greatest need of protection. In conjunction with this work, research in attack modeling will allow critical infrastructure owners and operators to predict the effects of cyberattacks on their systems, particularly malware and botnet attacks, a growing area of concern (e.g., the Conficker and Stuxnet attacks), and will support situational understanding and attack attribution. “Attack Protection, Prevention, and Preemption” and “Automated Attack Detection, Warning, and Response” are documented requirements found in the “Federal Plan for Cyber Security and Information Assurance Research and Development,” a report co-authored by S&T and other program customers.

Approach

IMAM Focus Areas

  • Resilient Systems and Networks
  • Modeling of Internet Attacks
  • Network Mapping and Measurement

The technical approach for Internet Measurement is to improve the system used to collect network traffic information so that it provides scalable, real-time access to the data as it is collected from around the globe. The data is being improved by increasing both the number of data collectors and the number of data points being monitored. To build a more complete map of the Internet, the effort will build upon previous research projects that have built large research platforms capable of Internet measurements from points across the globe.

The technical approach for Modeling of Internet Attacks covers the following areas:

  • Internet-scale emulation of observable malware, specifically botnets and worms, to help identify weaknesses in the malware code and in how it spreads or reacts to outside stimuli
  • New approaches in malware and botnet detection, identification and visualization, and automated binary analysis
  • Malware repository creation and sharing – collaborative detection may involve privacy-preserving security information sharing across independent domains, including sharing malware samples, metadata about a sample, and/or experiences, with appropriate access controls
  • Robust security against operating system exploits, such as binary-exploit malware targeting the operating system
  • Remediation of infected systems at levels ranging from the user level down to the root level, possibly including built-in diagnostic instrumentation and virtual machine introspection providing embedded digital forensics

Performers and Program Documents

Resilient Systems and Networks

Prime: Naval Postgraduate School - Methodology for Assessment of Security Properties

Prime: Raytheon BBN Technologies - Real-time Protocol Shepherds (RePS)

Modeling of Internet Attacks

Prime: Columbia University - Project Doppelganger

Prime: Georgia Tech Research Corp - Comprehensive Understanding of Malicious Overlay Networks
Subs: Dissect Cyber, Internet Systems Consortium Inc., Global Cyber Risk, Georgia Tech Research Institute, Open Information Security Foundation

Prime: University of Southern California - Retro-Future
Subs: Colorado State University, Los Alamos National Laboratory

Network Mapping and Measurement

Prime: International Computer Science Institute - Netalyzr NG

Prime: Merit Network Inc. - Enabling Operational Use of RPKI via Internet Routing Registries

Prime: Naval Postgraduate School - High Frequency Active Internet Topology Mapping

Prime: University of California, San Diego - Cartographic Capabilities for Critical Cyberinfrastructure (C4)

Contact

Program Manager: Dr. Ann Cox

Email: SandT-Cyber-Liaison@hq.dhs.gov
