Winter 2004/2005

New Weapon to Fight Cyber Crime

With a vast reservoir of recruits and an organization that is as much a system of beliefs as it is an operational entity, al Qaeda seems to be evolving — under U.S. and allied pressure — to function in an ever more hostile environment.


This evolution, however, may include developing cyber terror capabilities. According to experts, a key to winning the war on terror is information management; terrorists will therefore try — if they haven't already — to crash U.S. and worldwide information systems.

One way to help fight cyber terror is forensic analysis of information systems: examining a system for evidence that it was attacked, and working out the method used. (An attack almost always changes something on the system, leaving behind a footprint or "artifact" that can serve as a clue.) Unfortunately, this kind of analysis can be slow, expensive, and inconsistent.

However, SAIC is working on an independent research and development project that could change this. We are building a logic system that can quickly tell you what sort of attack it was, what tools — such as worms and viruses — were used, and if the attack was successful.

Called the computational artifact-tool inference engine (CATIE), our application looks for generalized indicators of a compromise and then performs a situation-specific inference that combines its encoded knowledge of attack tools and techniques with the actual artifacts collected from the system in question.

Although the inference methodology, Bayesian networks, has been around for several years, SAIC has developed cutting-edge algorithms for building the networks that analyze cyber attacks. (A Bayesian network reaches its conclusions by probabilistic reasoning over uncertain evidence, a field closely related to machine learning, or "artificial intelligence.")

A network built for one specific problem is highly customized and proprietary. To produce something more general, SAIC studied many attacks and then constructed inference networks that cover classes of attack rather than single incidents.

This contrasts with the standard, labor-intensive approach to cyber forensics: taking a bit-for-bit image of an entire hard disk, which can run to dozens of gigabytes, and then examining it. In addition, the application differs from antivirus systems in that it can pick up attacks by unknown tools, because it reasons from the artifacts an attack leaves behind rather than from signatures of known malware. In this regard, SAIC's scientists believe the company has no clear competitors.

The application is designed to be deployed at customer sites, so customers can run it at any time, whether or not they suspect a compromise. The results might tell a user to look closer at "system x" because, for example, the engine assigns a probability of 0.6 or 0.7 that it has been compromised, and lists the artifacts that support that conclusion.
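As an added illustration of the kind of inference described above (this is not CATIE's network; its structure and probabilities are proprietary and not published here), the following Python builds a toy Bayesian network in which a hidden "compromised" state and a "tool class" node explain four observable artifacts, then computes P(compromised | observed artifacts) by exact enumeration. Every node name, artifact and probability is constructed for this example. The "other" tool state, given flat artifact likelihoods, stands in for an unknown tool, which is what lets the network raise the probability of compromise even when the evidence matches no known tool profile.

```python
"""Toy Bayesian-network triage over forensic artifacts (added example).

The structure and every probability below are constructed for illustration;
they are not CATIE's proprietary network. Exact inference by enumeration,
standard library only.
"""
from itertools import product


def bern(p_true):
    """Two-state distribution for a boolean node."""
    return {True: p_true, False: 1.0 - p_true}


def artifact(p_true_by_tool):
    """CPT for a boolean artifact whose only parent is the 'tool' node:
    P(artifact present | tool class), one entry per tool class."""
    return (("tool",), (False, True),
            {(tool,): bern(p) for tool, p in p_true_by_tool.items()})


TOOLS = ("none", "worm", "rootkit", "other")   # 'other' = unknown tool

# node -> (parents, states, CPT); the CPT maps a tuple of parent states to
# a {state: probability} dict.  All values are constructed for this example.
NETWORK = {
    "compromised": ((), (False, True), {(): bern(0.05)}),
    "tool": (("compromised",), TOOLS, {
        (False,): {"none": 1.0, "worm": 0.0, "rootkit": 0.0, "other": 0.0},
        (True,):  {"none": 0.0, "worm": 0.5, "rootkit": 0.3, "other": 0.2},
    }),
    # Observable artifacts; 'other' gets flat likelihoods so that evidence
    # fitting no known tool profile still counts toward compromise.
    "new_listener":    artifact({"none": 0.05, "worm": 0.80, "rootkit": 0.50, "other": 0.30}),
    "modified_binary": artifact({"none": 0.02, "worm": 0.10, "rootkit": 0.90, "other": 0.30}),
    "outbound_scan":   artifact({"none": 0.03, "worm": 0.90, "rootkit": 0.20, "other": 0.30}),
    "hidden_process":  artifact({"none": 0.01, "worm": 0.05, "rootkit": 0.85, "other": 0.30}),
}


def joint(assignment):
    """P(full assignment) via the chain rule: product of every node's CPT entry."""
    p = 1.0
    for name, (parents, _states, cpt) in NETWORK.items():
        key = tuple(assignment[parent] for parent in parents)
        p *= cpt[key][assignment[name]]
    return p


def posterior(query, evidence):
    """P(query | evidence) by enumerating all hidden variables.

    Unobserved nodes are summed out, so partial evidence still yields an answer.
    """
    if query in evidence:
        raise ValueError(f"{query!r} is already observed")
    hidden = [n for n in NETWORK if n not in evidence and n != query]
    scores = {}
    for qstate in NETWORK[query][1]:
        total = 0.0
        for combo in product(*(NETWORK[h][1] for h in hidden)):
            total += joint({**evidence, **dict(zip(hidden, combo)), query: qstate})
        scores[qstate] = total
    z = sum(scores.values())
    if z == 0.0:
        raise ValueError("evidence is impossible under the model")
    return {state: score / z for state, score in scores.items()}


def assess_host(observed):
    """Return (P(compromised), tool-class posterior) for one host's findings.

    `observed` maps artifact names to True/False; artifacts not yet checked
    are left out and marginalised, so a partial triage still scores.
    """
    unknown = set(observed) - set(NETWORK)
    if unknown:
        raise KeyError(f"unknown artifact(s): {sorted(unknown)}")
    return posterior("compromised", observed)[True], posterior("tool", observed)


def evidence_weights(observed):
    """P(compromised) had each artifact been the only finding: the
    'here is the evidence' ranking that tells an analyst what to examine first."""
    return {name: posterior("compromised", {name: value})[True]
            for name, value in observed.items()}


if __name__ == "__main__":
    # Constructed triage results for a hypothetical host, "system x".
    findings = {"modified_binary": True, "outbound_scan": True,
                "new_listener": False, "hidden_process": False}
    p, tools = assess_host(findings)
    print(f"P(compromised) = {p:.2f}")
    for tool, prob in sorted(tools.items(), key=lambda kv: -kv[1]):
        print(f"  tool={tool:<8} {prob:.2f}")
    for name, w in sorted(evidence_weights(findings).items(), key=lambda kv: -kv[1]):
        print(f"  {name}={findings[name]}: alone gives P(compromised) = {w:.2f}")
```

Run stand-alone, the script scores a constructed host whose only findings are a modified system binary and outbound scanning. The posterior comes out near 0.67 with no single known tool clearly favoured: the "look closer at system x, here is the evidence" kind of result described above. Artifacts not yet examined are simply omitted from the findings and summed out, so a partial triage still produces a score; with no findings at all the result is just the prior.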

The key, according to the director of SAIC's Rapid Solutions Lab, is that CATIE identifies evidence of an attack, which lets the customer take the appropriate action. Because the system does the analysis, the customer does not have to pay a consultant to do it; SAIC is then positioned to perform the incident response engagement if a customer's system turns out to have been attacked.

Two government agencies have agreed to pilot CATIE, and there is the possibility of commercial organizations also running the application.


© Science Applications International Corporation. All rights reserved. This page was printed from www.saic.com.