Center for Cybersecurity Analytics and Automation

National Science Foundation (NSF) Industry-University Cooperative Research Centers (IUCRC)


About the Center

Mission

The mission of the Center for Cybersecurity Analytics and Automation (CCAA) is to build the critical mass of interdisciplinary academic researchers and industry partnerships needed to undertake pre-competitive research that addresses the current and future challenges of analytics and automation. The research focuses on improving the management, security, resiliency, service assurability, and performance of enterprise IT systems, and on applying innovative analytics and automation solutions to complex networked systems. Applicable domains include complex enterprise IT environments, cloud and data centers, hybrid cyber-physical systems, smart critical infrastructures, mission-oriented networks (sensor-actuator networks), software-defined networks, social networks, and mobile systems. CCAA will also support and train top-quality graduates with knowledge and experience in this field.

Challenges

With the increasing sophistication of cyber-attacks, cyber warfare has become a major threat to national security. Despite progress in cybersecurity research and industry, the state of the art is still far from providing sufficient protection, not only for Internet enterprise services but also for critical infrastructure services such as those in the financial and energy sectors. Cyber risk has evidently been growing faster than cyber defense innovation, due to at least the following five challenges: (1) the exponential increase in the attack surface of systems resulting from the proliferation of connected devices, such as IoT devices; (2) dependence on humans in the loop, which is a major bottleneck in security analysis; (3) the lack of metrics to assess the effectiveness of security analytics; (4) the lack of automated or semi-automated decision-support and decision-making tools that can dynamically characterize the cyber risk posture and create mitigation strategies; and (5) the lack of an adaptive framework for integrating sense-making and decision-making against evolving cyber adversaries.

Cyber Defense Automation: State of the Art

The CCAA community recognizes that state-of-the-art technologies are still far from addressing these challenges. First, most existing cybersecurity solutions focus on prevention and detection alone; very few address deterrence/deception, mitigation, and recovery, which are essential for critical infrastructure protection. Second, the state of the art provides only short-term cybersecurity automation and orchestration, in which users manually combine known procedures, tools, and techniques to respond to known threat actions. To move beyond this defense-stitching approach, CCAA's objective is to address the long-term security automation challenges and enable the automatic creation and adaptation of new strategies for countering novel attack tactics and techniques, both proactively, by dynamically analyzing cyber threat intelligence, and reactively, by analyzing operational cyber artifacts. This long-term approach includes the automatic generation of courses of action for new defense strategies by utilizing or adapting existing cyber defense capabilities. Such autonomous cyber defense, aimed at auto-resilience, enables cyber systems to observe, analyze, understand, adapt to, and react to cyber-attacks in real time with minimal human assistance. It should be an inherent, built-in capability of cyber systems rather than an add-on service. Third, current security automation and orchestration focuses solely on including and integrating a wide range of defense technologies in the defense fabric, while little effort has been made to ensure that these technologies are integrated cohesively and operate consistently with the cyber mission. Given the large number of defense actions that may be executed simultaneously, security automation must provide assurance that mission integrity will be preserved. Users' confidence in, and adoption of, cybersecurity automation depend heavily on the ability of these systems to provide provable safety properties.

What CCAA can Offer

To address the above challenges and innovation gap, it is essential to develop robust analytics and automation that can sustain cyber missions against evolving, sophisticated attacks. CCAA includes experts in formal and data-driven cybersecurity to address these challenges by advancing cyber defense on multiple fronts:

  • Enabling robust and scalable sense-making for dynamic and predictive cyber risk analytics using large-scale heterogeneous cyber artifacts (e.g., logs, alerts, traffic traces, incident reports, STIX reports).
  • Enabling adaptive and autonomic decision-making for creating defense strategies and courses of action that are provably correct and operationally safe using mission requirements, security policies and guidelines, and system and cyber infrastructure configurations.
  • Making resilience and agility inherent properties of cyber and cyber-physical systems to enable real-time deterrence, deception, and mitigation. We define system resilience as “the ability of the system to deter (pre-attack), resist (during attack), and mitigate/recover (post-attack) in order to maintain the overall integrity and availability of services within an acceptable range”.

As a result, CCAA's ambitious goal is to enable the next generation of self-aware, intelligent, and agile cyber systems that can proactively and reactively defend against novel attacks, with minimal human involvement, by automatically generating new defense strategies in real time.