Autonomic Cyber Security (ACS): A paradigm shift in cyber security
By Salim Hariri
Current security analysis, detection and protection systems are mainly static and manually intensive. At the same time, the complexity of networked computing systems, their dynamic behavior, and the availability of many heterogeneous devices, both static and mobile, make these tools incapable of accurately characterizing current states, detecting malicious attacks, and stopping them or their fast propagation and/or minimizing their impacts. In contrast to static, manual and labor-intensive, heuristic analysis, control and management approaches, we are developing a paradigm shift based on autonomic computing principles, inspired by the human nervous system, as shown in Figure 1.
In autonomic management, the cyber infrastructure and services would be seamlessly managed (self-management) with little involvement by users and system administrators: they would adopt policies and control algorithms to meet their performance requirements (self-optimize), reconfigure to tolerate hardware and/or software faults (self-heal), and stop and/or mitigate the impacts of threats and cyberattacks (self-protect). The salient features of this paradigm are its capabilities to deliver:
- Integrated monitoring, analysis, and management solutions that are required to develop the ACS framework and to allow the cyber-infrastructure reasoning needed for self-diagnostic and self-managed systems. This will lead to cyber superiority operations for critical missions that can be resilient to cyberattacks, hardware/software failures and/or accidents (natural or malicious);
- Prediction of system operations and behaviors that uses data mining, information theory, and statistical techniques to aggregate and correlate monitored features in order to detect and accurately predict any anomalous behavior that might have been triggered by attacks, faults and/or accidents or disasters; and
- Automated management solutions that will lead to significant operational cost reduction and will also provide timely responses to anomalous events to stop and/or prevent rapid propagation of attacks/faults and mitigate their impacts on normal system operations and services.
In the development of ACS, our objective is to integrate our Anomaly Behavior Analysis (ABA) methodology to perform data-driven analytics on the operations of cyber components. This involves the development of runtime models to identify normal/malicious behaviors. To handle the exponential growth in data complexity, heterogeneity and size, we will use a Big Data analytics engine to improve accuracy and scalability. Figure 2 shows the ACS development approach. First we monitor an entity, which could be an infrastructure, an application, or almost anything. The result of the cyber component analytics is the creation of cyber DNA components such as Resource-Cyber DNA, Data-Cyber DNA, Application-Cyber DNA and User-Cyber DNA data structures. Our Big Data analytics engine (e.g., the Spark platform) handles the data processing. The Hadoop Distributed File System (HDFS) handles data management and resource management. The results from the Big Data analytics are passed to the Unified Alert System, where the alerts are logged and recommendations are displayed on the GUI. Finally, the management policies determine what automated or semi-automated actions to take.
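The following is an added illustration, not code from the article or from the ACS project, of the pipeline described above and of the statistical/information-theoretic feature correlation in the prediction bullet: monitored records are aggregated into features, a per-user "User-Cyber DNA" baseline of normal behavior is built from them, new records are scored against that baseline, alerts are emitted in the shape a unified alert system would log, and a policy table maps alert severity to a management action. The telemetry, feature choices (connection rate and Shannon entropy of destination ports), the z-score threshold of 3.0, and the policy actions are all constructed assumptions for the example; a real deployment would compute these over a Spark/HDFS-scale data set rather than an in-memory list.

```python
"""Toy Anomaly Behavior Analysis (ABA) pipeline (illustrative, not the ACS code):
monitor -> per-user baseline ("User-Cyber DNA") -> statistical scoring
-> unified alert -> policy-driven action."""
import math
import statistics
from collections import Counter
from dataclasses import dataclass

# Constructed training telemetry (assumed normal): one record per minute per user.
# Fields: (user, connections_per_minute, destination_ports_used_in_that_minute)
NORMAL_TELEMETRY = [
    ("alice", 12, [443, 443, 80, 443]),
    ("alice", 15, [443, 80, 443, 443, 22]),
    ("alice", 10, [443, 443, 443]),
    ("alice", 14, [80, 443, 443]),
    ("bob", 30, [22, 22, 443, 22]),
    ("bob", 28, [22, 443, 22]),
    ("bob", 33, [22, 22, 22, 443]),
    ("bob", 31, [22, 443]),
]


def port_entropy(ports):
    """Shannon entropy (bits) of the destination-port distribution: the
    information-theoretic feature. A single repeated port yields 0 bits."""
    counts = Counter(ports)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def extract_features(record):
    """Aggregate one raw monitored record into the feature vector that is scored."""
    _, conns, ports = record
    return {"conn_rate": float(conns), "port_entropy": port_entropy(ports)}


@dataclass
class UserCyberDNA:
    """Per-user normal-behaviour profile: mean and std dev of each feature."""
    user: str
    mean: dict
    std: dict


def build_user_dna(telemetry):
    """Build a UserCyberDNA profile for every user seen in the training telemetry."""
    per_user = {}
    for rec in telemetry:
        per_user.setdefault(rec[0], []).append(extract_features(rec))
    dna = {}
    for user, vectors in per_user.items():
        mean, std = {}, {}
        for name in vectors[0]:
            values = [v[name] for v in vectors]
            mean[name] = statistics.mean(values)
            # Floor the spread so a near-constant feature still gives a finite z-score.
            std[name] = max(statistics.pstdev(values), 0.5)
        dna[user] = UserCyberDNA(user, mean, std)
    return dna


def anomaly_score(dna, record):
    """Largest absolute z-score over all features; a user with no profile is
    treated as maximally anomalous rather than silently accepted."""
    user = record[0]
    if user not in dna:
        return float("inf")
    feats = extract_features(record)
    profile = dna[user]
    return max(abs(feats[n] - profile.mean[n]) / profile.std[n] for n in feats)


def unified_alert(dna, record, threshold=3.0):
    """Return an alert dict (or None) in the shape a unified alert system would log."""
    score = anomaly_score(dna, record)
    if score < threshold:
        return None
    severity = "critical" if score > 2 * threshold else "warning"
    return {"user": record[0], "score": round(score, 2), "severity": severity}


# Assumed management policy: which automated/semi-automated action each severity triggers.
POLICY = {"warning": "notify_admin", "critical": "isolate_host"}


def policy_action(alert):
    """Map an alert's severity to the action the management policy prescribes."""
    if alert is None:
        return "none"
    return POLICY.get(alert["severity"], "log_only")


if __name__ == "__main__":
    profiles = build_user_dna(NORMAL_TELEMETRY)
    # Constructed test records: one in-profile minute and one burst to 40 distinct ports.
    for rec in [("alice", 13, [443, 443, 80]), ("alice", 200, list(range(1000, 1040)))]:
        alert = unified_alert(profiles, rec)
        print(rec[0], rec[1], "->", alert, "->", policy_action(alert))
```

The max-of-z-scores rule keeps the example readable; in practice the ABA runtime model would correlate features jointly (for instance with a multivariate distance or a learned classifier), because an attack that keeps every single feature just inside its normal band is exactly the case a per-feature threshold misses.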