Cybersecurity, AI, and Machine Learning
TITLE: Cybersecurity, AI, and Machine Learning
Mentor: Thomas Kaczmarek
Approach Cybersecurity professionals are looking to identify suspicious behavior and take action. Many services provided by operating systems, database management systems, and applications generate logs that allow the performance of the services to be monitored. Logs captured in normal operations can be used to predict normal behavior when filtered through the lens of predictive analytics. Suspicious behavior violates the predicted result. While abnormal behavior may not be the result of a bad-actor abusing the system, it deserves investigation. This is the basis for a suspicious behavior alerting approach referred to as User Behavior Analysis (UBA).
The UBA approach and cyber intelligence more generally are based on an understanding of events that can be inferred from descriptions of individual actions. In the UBA approach the actions are represented by log entries and events are a composition of actions that occur over time. Compositions of events constitute a typical attack by a “bad actor.” For example, gaining access to a system, elevating one’s privileges, and exfiltrating secure information is a typical attack scenario. Higher-level events such as “gaining access” can be accomplished through a number of approaches such as brute-force attacks, man-in-the-middle attacks, or fishing. One can form an ontology of events that are subsumed by the concept of “gaining access.” Event Calculus combined with an ontology of events provides a formalism to describe suspicious behavior and attacks. SIEM and UBA concepts can be used to describe sequences of actions that can be classified as types of events in the identification of attacks and suspicious behavior.
Project Summary and Student Activity
The students engaged in this research will learn about the generation, collection, and analysis of logs using a leading commercial system for capturing security information and analyzing user behavior in our Lab. After learning the basics of Event Calculus and Ontological Reasoning, they will investigate applying machine learning algorithms to characterize user behavior and define kinds of events to characterize normal events and detect suspicious use of services. The process for capturing and storing security information is referred to as Security Information and Event Management (SIEM). SIEM often begins with capturing authentication logs used by the OS to provide access control. Student background
Students should have a basic understanding of machine learning and ideas of threats and risks. Experience with monitoring applications in production and machine learning algorithms is a plus.