{"606177":{"#nid":"606177","#data":{"type":"news","title":"Faster Detection, Cleanup of Network Infections are Goals of $12.8 Million Project","body":[{"value":"\u003Cp\u003ECybersecurity researchers at the Georgia Institute of Technology have been awarded a $12.8 million contract to develop fundamentally new techniques designed to dramatically accelerate the detection and remediation of infections in local and remote networks. Using novel machine learning techniques that take advantage of large datasets, the researchers will develop ways to detect network infections within 24 hours \u0026ndash; before invaders can do serious damage.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe technical goal for the new system, dubbed \u0026ldquo;Gnomon,\u0026rdquo; is to detect changes in individual computer systems by analyzing suspicious network traffic that appears weeks or months before any evidence of malicious software \u0026ndash; or malware \u0026ndash; can be identified. As a proof-of-concept, the researchers will work with two major U.S. telecommunication companies and several petabytes of data in basic research aimed at detecting signals of malicious activity on their networks.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EFunded by the Defense Advanced Research Projects Agency (DARPA), the four-year award is part of the agency\u0026rsquo;s Harnessing Autonomy for Countering Cyberadversary Systems (HACCS) program. 
Beyond rapid detection of infections, the project will also accelerate the cleanup after such infections, creating a clearer pathway in a process known as remediation.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;A compromise becomes a breach only if the original infection remains undetected long enough for the adversaries to do damage,\u0026rdquo; said \u003Ca href=\u0022https:\/\/www.ece.gatech.edu\/faculty-staff-directory\/manos-antonakakis\u0022\u003EManos Antonakakis\u003C\/a\u003E, an assistant professor in Georgia Tech\u0026rsquo;s \u003Ca href=\u0022http:\/\/www.ece.gatech.edu\u0022\u003ESchool of Electrical and Computer Engineering\u003C\/a\u003E and the project\u0026rsquo;s co-principal investigator. \u0026ldquo;If you look at the major breaches that have occurred, you see that the adversaries were in the systems for months. We want to identify them in a matter of hours to contain the infection before any real damage can be done.\u0026rdquo;\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe new techniques to be developed start from the premise that network attacks cannot be completely blocked by existing defenses and malware-based detection systems. Dynamic intelligence will be a key feature of the system, with the intent of creating a continuously updated dossier of every address in IPv4 space.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;Gnomon will search for illicit behavior in computer systems and network signals that indicate the start of an infection,\u0026rdquo; said \u003Ca href=\u0022http:\/\/www.iisp.gatech.edu\/michael-farrell\u0022\u003EMichael Farrell\u003C\/a\u003E, chief strategist at the \u003Ca href=\u0022http:\/\/www.gtri.gatech.edu\u0022\u003EGeorgia Tech Research Institute\u003C\/a\u003E (GTRI), and the principal investigator on the program. \u0026ldquo;We\u0026rsquo;ll use our experience with taking down botnets \u0026ndash; networks of infected computers \u0026ndash; to accelerate the detection and remediation process. 
It\u0026rsquo;s imperative to evolve our view of the internetwork infrastructure at the same pace that the threat evolves.\u0026rdquo;\u003C\/p\u003E\r\n\r\n\u003Cp\u003ETo protect millions of computers on the networks of the two companies, the researchers must find ways to identify troubling behavior on individual IP addresses without endangering the privacy of individuals. Among the signs of trouble are communications with network locations known to house malicious activity. Such communication is necessary for malicious groups to control computers that have been compromised, and to move data stolen from them.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;If you know where the infecting groups are located, you can very easily exclude most of the benign activities occurring on the network,\u0026rdquo; Antonakakis said. \u0026ldquo;We need to be able to identify what has changed in computers throughout the network, understand why the change has happened, and determine whether that change can be attributed to benign or malicious activity. This is a groundbreaking new approach to network security that will require tremendous computing power and infrastructure.\u0026rdquo;\u003C\/p\u003E\r\n\r\n\u003Cp\u003EEver since the first viruses hit computers in the 1980s, cybersecurity has seen rapid evolution of detection and attack tactics. The success of Gnomon will likely drive adversaries to new attack techniques that may be more complex \u0026ndash; and expensive \u0026ndash; than existing activities. Making cyberattacks more costly to launch may reduce the profit from such activities, making them less attractive.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;If we can clean up our networks faster and more efficiently, that will increase the cost of the attack, making the adversaries work harder,\u0026rdquo; Antonakakis said. \u0026ldquo;If you raise the cost of an attack, the return on investment becomes smaller, while the risk of getting identified becomes higher. 
We would like to make the business of an attack so unprofitable and so risky for the adversaries that it will not make sense for them to conduct major operations in our networks.\u0026rdquo;\u003C\/p\u003E\r\n\r\n\u003Cp\u003ESuccess in developing new techniques with the first two telecommunication companies could open the door for scaling up Gnomon to other large networks in industry \u0026ndash; and to U.S. government systems.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;Not only will deployment have an obvious benefit of improved hygiene for a significant portion of the U.S. internet infrastructure, but the public-private partnership will allow us to provide valuable feedback throughout the HACCS program on the sort of prototypes that will be necessary to have true business and mission impact in the real world,\u0026rdquo; Farrell said. \u0026ldquo;The goals are very ambitious, but if we\u0026rsquo;re successful, we\u0026rsquo;ll be able to close the gap between an infection and remediation.\u0026rdquo;\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThis program is the latest interdisciplinary research collaboration in cybersecurity at Georgia Tech, orchestrated by the \u003Ca href=\u0022http:\/\/www.iisp.gatech.edu\/\u0022\u003EInstitute for Information Security \u0026amp; Privacy\u003C\/a\u003E (IISP). In addition to the School of Electrical and Computer Engineering and GTRI, the project will include Professor Brian Kennedy from Georgia Tech\u0026rsquo;s School of Physics.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EAttribution of malicious cyber activity is an established research thrust at Georgia Tech, and this new contract builds on the early success of another Department of Defense (DoD) sponsored program to enhance attribution. 
The \u0026ldquo;\u003Ca href=\u0022http:\/\/www.rh.gatech.edu\/news\/584327\/17-million-contract-will-help-establish-science-cyber-attribution\u0022\u003ERhamnousia\u003C\/a\u003E\u0026rdquo; program is now a $25.3 million contract being led by the same research team of Farrell and Antonakakis.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cem\u003EThis material is based upon work supported by the Defense Advanced Research Projects Agency (DARPA) under contract number HR001118C0057. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA).\u003C\/em\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EResearch News\u003Cbr \/\u003E\r\nGeorgia Institute of Technology\u003Cbr \/\u003E\r\n177 North Avenue\u003Cbr \/\u003E\r\nAtlanta, Georgia\u0026nbsp; 30332-0181\u0026nbsp; USA\u003C\/strong\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EMedia Relations Contact\u003C\/strong\u003E: John Toon (404-894-6986) (jtoon@gatech.edu).\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EWriter\u003C\/strong\u003E: John Toon\u003C\/p\u003E\r\n","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":[{"value":"\u003Cp\u003ECybersecurity researchers at the Georgia Institute of Technology have been awarded a $12.8 million contract to develop fundamentally new techniques designed to dramatically accelerate the detection and remediation of infections in local and remote networks. 
Using novel machine learning techniques that take advantage of large datasets, the researchers will develop ways to detect network infections within 24 hours \u0026ndash; before invaders can do serious damage.\u003C\/p\u003E\r\n","format":"limited_html"}],"field_summary_sentence":[{"value":"Georgia Tech has received a $12.8 million contract award to accelerate detection of network infections."}],"uid":"27303","created_gmt":"2018-05-14 23:21:03","changed_gmt":"2018-05-14 23:22:44","author":"John Toon","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2018-05-14T00:00:00-04:00","iso_date":"2018-05-14T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"hg_media":{"606175":{"id":"606175","type":"image","title":"Countering network threats","body":null,"created":"1526339229","gmt_created":"2018-05-14 23:07:09","changed":"1526339229","gmt_changed":"2018-05-14 23:07:09","alt":"Cybersecurity graphic with binary code","file":{"fid":"231194","name":"cybersecurity-101.jpg","image_path":"\/sites\/default\/files\/images\/cybersecurity-101.jpg","image_full_path":"http:\/\/hg.gatech.edu\/\/sites\/default\/files\/images\/cybersecurity-101.jpg","mime":"image\/jpeg","size":914652,"path_740":"http:\/\/hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/cybersecurity-101.jpg?itok=e_r0Aqjd"}},"606176":{"id":"606176","type":"image","title":"Computer servers","body":null,"created":"1526339409","gmt_created":"2018-05-14 23:10:09","changed":"1526339409","gmt_changed":"2018-05-14 23:10:09","alt":"Computer server 
room","file":{"fid":"231195","name":"servers-058.jpg","image_path":"\/sites\/default\/files\/images\/servers-058.jpg","image_full_path":"http:\/\/hg.gatech.edu\/\/sites\/default\/files\/images\/servers-058.jpg","mime":"image\/jpeg","size":1046871,"path_740":"http:\/\/hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/servers-058.jpg?itok=Wp4-S4gp"}}},"media_ids":["606175","606176"],"groups":[{"id":"545781","name":"Institute for Data Engineering and Science"},{"id":"430601","name":"Institute for Information Security and Privacy"},{"id":"1188","name":"Research Horizons"}],"categories":[{"id":"135","name":"Research"},{"id":"153","name":"Computer Science\/Information Technology and Security"},{"id":"147","name":"Military Technology"}],"keywords":[{"id":"177979","name":"cybersecurity. network"},{"id":"7772","name":"malware"},{"id":"10660","name":"infection"},{"id":"9167","name":"machine learning"},{"id":"173795","name":"Manos Antonakakis"},{"id":"177980","name":"Michael Farrell"}],"core_research_areas":[{"id":"145171","name":"Cybersecurity"},{"id":"39431","name":"Data Engineering and Science"},{"id":"39481","name":"National Security"}],"news_room_topics":[{"id":"71881","name":"Science and Technology"}],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003EJohn Toon\u003C\/p\u003E\r\n\r\n\u003Cp\u003EResearch News\u003C\/p\u003E\r\n\r\n\u003Cp\u003E(404) 894-6986\u003C\/p\u003E\r\n","format":"limited_html"}],"email":["jtoon@gatech.edu"],"slides":[],"orientation":[],"userdata":""}}}