P-CORE: Privacy Enhanced Coordinated Enterprise Defense via Temporal and Topological Representation Learning
Funding Agency: Defense Advanced Research Projects Agency (DARPA)
Dates: 08–MAY–2018 through 07–May–2022
PIs: Malathi Veeraraghavan, Jack Davidson, Donald Brown
Real-world attack campaigns have become more sophisticated, coordinated, and destructive over time. We have seen attack campaigns, such as the WannaCry ransomware campaign, affect hundreds of thousands of computers. Also, Advanced Persistent Threat (APT) attacks proceed stealthily and have successfully gained footholds and remained undetected in victim organizations for months and sometimes years.
Today, inter-organizational cooperation and global coordination are used primarily for sharing threat intelligence about attacks after they have occurred. For example, when an attack is detected by one organization, Indicators of Compromise (IoCs) are disseminated to other organizations so that the latter can add corresponding entries to their fire-walls and intrusion detection systems. However, this solution does not leverage global coordination to detect attacks, when in fact, such coordination could make it easier to detect new attack variants and zero-day vulnerabilities.
The objective of this project is to develop distributed algorithms to detect live zero-day attacks, as early as possible, through global analysis that leverages the power of big data, collected at multiple organizations. Our hypothesis is that such an inter-organizational globally coordinated effort will expose attacks within a short time frame when the attacks are still largely invisible to any single organization.
The fundamental research problem lies in detecting zero-day cyber attacks from anomalies in network traffic data and host logs, collected by multiple enterprises, in the face of two constraints: (i) Privacy considerations that prevent a complete sharing of enterprise data with the global-analysis provider, and (ii) Challenges in handling the large volume of data collected by multiple enterprises. The novel features in our proposed P-CORE solution are: (i) Online (stream-mode) machine learning models for early detection of fast attacks; (ii) Generalized deep learning models that can detect new (previously-unseen) attacks when provided a broad set of features; (iii) Application of privacy-preserving federated deep neural network learning methods for global attack detection without requiring enterprises to send their data to the global repository; and (iv) Applications of emerging High-Order Network (HON) representations used in network science to the cybersecurity domain. To the best of our knowledge, we are the first to propose these 4 approaches for global attack detection.