Cybersecurity science aims to disarm digital threats

Someday, a military commander will look over a battlefield map to check the position of troops, tanks, artillery emplacements and the enemy, considering every contingency in the complex mission. Then the commander will glance at a monitor that shows the status of the electronic environment -- communications frequencies, computer program security, hacker attacks and the responses to those attacks -- and determine which digital threats require human intervention.

Commanders cannot do this yet, but the ability may not be too far in the future. A collaboration between the Army Research Laboratory and Penn State researchers is striving to develop a science to detect and model cyberattacks and the risks and motivations behind them. The goal is to create a response that can counter the attack and neutralize the attacker in real time.

While the U.S. military knows what to do to protect the physical battlefield, protecting the electronic battlefield is a new problem.

"Today's digital domain is more than just communications," says Patrick McDaniel, professor of computer science and engineering and principal investigator on the cybersecurity cooperative agreement. "The new military relies on sensors for vibration and heat, cameras for visual detection, antennas, a wide variety of digital devices that all run on software. The software and advanced electronics make the military much more effective -- and much more vulnerable."

[Image: An example of a detailed cyber security map of the eastern United States. Courtesy Patrick McDaniel]

Opposing forces that are not in a position to go toe to toe with the U.S. military on the ground can still attack the digital domain. And as the electronics become more complicated, the attackers are getting smarter and smarter.

Developing a science of cybersecurity will not only benefit the military, but users of advanced electronics and software in all walks of life. Cyberattacks on department store credit cards, banking systems and even university grading systems are increasingly frequent, and the need for systems that can identify these attacks and respond rapidly is correspondingly urgent.

McDaniel and his team are initially collecting information to solve the digital domain problem. They are trying to understand the missions, whether they are defensive -- protecting a road or watching a village -- or task oriented, such as collecting and distributing intelligence. They are also looking at offensive missions including jamming radio frequencies or otherwise blocking communications and penetrating enemy computers and networks.

Once that data is collected the team will create scenarios with mission specifics laid out. McDaniel provides an example:

A soldier in the field sees someone who looks suspicious or in some way problematic. The soldier takes a photo and attempts to send it to headquarters for analysis. However, enemy operatives in the field know that intelligence is transmitted frequently in this manner so they try to block the radio frequency or disrupt the signal. The enemy's cyber objective is to stop, alter or slow down the transfer of the image and the resultant return of information to the soldier.


A measured response

Building on the existing science of computing and networks, the researchers will first determine the exact nature of the threat. Is someone monitoring our radio frequencies? Is someone trying to log on to our computers? Was a passkey stolen? Determining exactly what needs to be detected is important, but what is done with that information is critical.

Not all attempts to log on to a system or monitor communications are important. Understanding the risk involved in a given attack determines the necessary counter steps. Corrupted software in essential systems can be a problem, while a massively redundant system with one component affected may not be as important.

Once an attack begins, what is the best way to respond? If someone is interfering with radio frequencies, should that communication channel be shut down, or simply switched to another frequency?

"It would be great if we had one unified equation to always determine how to do the best thing," says McDaniel. "Unfortunately, we can't know all the impacts and all the outcomes."

He likens the problem to that in medicine. "We have a set of circumstances with an underlying theory. We have the history and so we make an informed decision. That decision is not always correct, but with more information, difficult decisions become easier."

Sometimes, the solution will be obvious: A server observing unusual network traffic from an unknown entity determines it is under attack and filters that traffic. At other times, the solution will be less clear and a set of rules or algorithms is necessary to evaluate the attack and stop it. Sometimes a human operator will need to step in, evaluate the situation and make choices, but those will be well-informed decisions. Still, there may not be a perfect answer.

"We want to provide the military with advisory science of what are possible problems and provide enforceable and reasoned solutions within ranges that they can select from," says McDaniel. "We want to be able to make decisions to drive attackers to a state of ineffectiveness. If a network or computer is under attack, we want to be able to assess the situation, make decisions and alter the environment to prevent the attack from being successful."


Patrick McDaniel is professor of computer science and engineering and principal investigator on the Collaborative Research Alliance "Models for Enabling Continuous Reconfigurability of Secure Missions," and can be reached at pdm12@psu.edu. Core funding for the alliance between the Army Research Laboratory and Penn State is five years with an optional five-year extension. A potential $48.2 million over the 10-year collaboration is possible. Working at Penn State with McDaniel are Thomas La Porta, Distinguished Professor of Computer Science and Engineering, and Trent Jaeger, professor of computer science and engineering. Also participating in the cooperative agreement are Carnegie Mellon University, Indiana University, University of California Davis, University of California Riverside and the Army Research Laboratory.

Last Updated April 17, 2014