Multi-layer Resilient Active Cyber Defense - Metrics, Synthesis, Evaluation, and Verification

The unprecedented increase in the sophistication, speed and impact of cyber attacks creates the need to develop active cyber defenses that can proactively and reactively respond to cyber attacks in a timely and intelligently manner to protect the integrity of the cyber mission, even if the system is compromised or under attack. As sophisticated cyber attacks (e.g., APT) are usually multi-stage and multi-tactic, active cyber defense must be resilient to dynamically evolving adversaries by supporting multi-layer and multi-strategy defenses that dynamically adapt to adversaries' actions and mitigate impact at real-time. The principle of multi-layer resiliency has been effectively used in other systems such as car crash management systems, which employ multiple complementing strategies like air bags, seat retention, crash sensors, impact resistance materials, and other technologies to minimize damage due to accidents. By developing a methodology for resilient active cyber defense, we propose to bring this multi-layer and holistic approach into the realm of cyber defense. Our objective in this project is to develop formal models, metrics, automated synthesis and verification for constructing resilient active cyber defense (RACO) that enables three novel capabilities: (1) adaptive deterrence to limit attackers' capabilities during the pre-attack phases, (2) evolving cyber resistance to prevent escalation during attack, and (3) dynamic mitigation for recovering from post-attack damages in a timely manner. Our proposed research considers fighting adversaries in all phases of the attack kill-chain. In addition, our framework allows users for specifying in a high-level their own ACD mechanisms that can then be automatically instantiate as a concrete mechanism and evaluated/benchmarked in a specialized RACD testbed. Moreover, our proposed approach allows users to reason about and extract threat actions and RACD strategies from Cyber Threat to automate the creation of RACD strategies. Although there are a number of active cyber defense techniques proposed (such as cyber mutation, isolation, diversity and redundancy) there is not yet a foundation for formal modeling and specification that allows for composition, measurement, or automated synthesis of the appropriate resilient ACD strategies against highly dynamic attackers. In this project, we will investigate a scientific foundation and develop tools for resiliency-in-depth (RiD) of Active Cyber Defense that will enable measurement and creation of multi-layer resilient ACD for proactive, reactive and post-attack defense. The proposed project will have the following deliverables: (1) Developing a comprehensive measurement framework that includes metrics and a virtual evaluation environment for quantifying and comparing the effectiveness (benefit and cost) of ACD techniques in both proactive and reactive mode with respect to attack kill-chain. (2) Developing formal logic specifications and models to define and synthesize both proactive and reactive ACD mechanisms. (3) Developing reactive control polices (RCP) for resilient ACD that allow for integrating investigation and reconfiguration courses of action, with provable properties such as consistency and convergence. (4) Developing analytics techniques to construct RCP rules by extracting threat-action and courses of action from unstructured text of cyber intelligent sources. (5) Developing resilient-by-construction ACD mechanisms with measurable effectiveness or verifiable properties. In summary, the goal of this research is to develop a formal framework for modeling, measuring, constructing, and composing resilient ACD techniques with guaranteed correctness and effectiveness properties.