This article is featured in the Spring 2019 edition of Discovery, Florida Tech’s research magazine.
Threats to the security of computer systems and networks are constantly changing and evolving in response to advances in computer network defense practice and capabilities. Maintaining this balance in favor of network defenders is becoming increasingly difficult, as the scale, scope, complexity and volume of computer attacks continue to increase beyond the capabilities of conventional cyber defense tools and human operators.
Florida Tech is advancing the state of the art in cybersecurity, conducting research that reduces the information and work overload on human network defenders by using artificially intelligent automation to handle many tasks, while elevating the network defender into the role of guiding and directing a number of automated defenses. This research integrates autonomous cyber defense, machine learning, artificial intelligence, biometrics, and human-computer interaction to expand the capabilities and effectiveness of human network defenders and to make the job of the attackers more difficult, expensive and, ultimately, ineffective.
Autonomous Cyber Defense
When viewing the security of any infrastructure, cybersecurity professionals such as Florida Tech’s Dean of the College of Engineering and Science, Marco Carvalho, look at the many areas that need to be addressed. Carvalho said they start by differentiating between protecting a single infrastructure and protecting a collection of infrastructures. An example of the latter is the national critical infrastructure, such as the military and power grids. While they are a collection of national assets that work together, each also has its own infrastructure that needs to be analyzed individually. Florida Tech’s research investigates building fast, intelligent systems that can adapt and scale to address both of these areas.
“Our research focuses on the development of the infrastructure and capabilities that allow a network of intelligent sensors and defenses to work together – either within an organization or between organizations – to collect information, make decisions and take appropriate security actions autonomously. By distributing security information across enterprises, we can take advantage of the successes and failures in defenses made by others without having to withstand the attack ourselves,” Carvalho said.
However, Carvalho also notes the difficulty in moving to a system that accounts for multiple enterprises. For example, if a credit card transaction company takes an action against an attack, that decision may be felt by an airline. Florida Tech addresses this problem by creating automated capabilities that use artificial intelligence and machine learning to enable continual improvement and that are managed by a “command and control” system directed by the network operator. This architecture allows organizational defenses to scale and address attacks quickly. With electronic attacks taking a fraction of a second, according to Carvalho, it is important to have an automatic approach to security. Distributing the security response across infrastructures can radically reshape the cyber defense environment, enabling protection of enterprises from threats they have not yet seen and detecting coordinated attacks earlier and with greater accuracy.
Florida Tech’s approach can dramatically increase the defensive capabilities of organizations and reduce the overload of computer network defenders. This innovative approach has led to success, as the school received a $1.6 million, three-year award from the Department of Homeland Security’s (DHS) Science and Technology Directorate. The new funding builds on previous work funded by DHS.
Artificial intelligence, better known as AI, has also advanced to adapt to new threats while interacting with humans. With its ability to learn and figure out user behaviors, even simple things like the time and location at which a user logs into a work computer remotely are analyzed. Going a step further, biometrics, such as the fingerprint and face recognition seen on iPhones, are able to strengthen the authentication of who the user is beyond a password. Michael King, associate professor in the department of Computer Engineering and Sciences, has been deeply involved with biometrics since 2002.
King has seen the technology evolve, going from gaining access to computer systems and buildings in controlled settings to being developed to identify potential terrorists in surveillance footage after the Sept. 11, 2001, attacks. Recently, King has seen increasing interest in the user behavioral component being factored into biometric technology, such as how a device is used once the user has been authenticated. Research into these factors, known as soft identifiers, looks at being able to allow and continually authenticate user access on factors other than an iris or face.
When looking at cybersecurity, King looks at three fronts: how the accuracy and security of biometrics can be improved; what information is available online that may be used to provide an enhanced view of a person’s identity; and what information should be better protected in the interest of privacy. With much more personal information available online, King researches how deep an identity goes.
“There are some of the more traditional categories relative to biographic data, such as name, date of birth and social security number, that many people are aware of and make a concerted effort to protect. But with the advancement of mobile technologies and social media, third parties can now derive tremendous insight into a person’s behavioral activities. It’s important to characterize how the availability of such data affects cybersecurity and privacy.”
Building on research conducted with Carvalho, Thomas Eskridge specializes in human-automation interaction. Eskridge and his team are working on ways to better control the autonomous security system and to strengthen security as a team rather than as an individual.
“There are two basic ways to exert that control. One is to have the automation tell the human what it’s doing, so those are visualization systems, and the other is the human to tell the automation what to do, what context it’s in and how to work, which are knowledge representation systems,” he said.
Both of these methods are critical to allowing human network defenders to understand the capabilities and limitations of available defenses, and to direct automated responses to current and predicted attacks.
“The biggest issue facing autonomous cybersecurity systems is that they don’t have context,” he said. “An automated system is going to look at its network and say, ‘I see another failed login attempt by a user, so I’m going to block this user and report him to the other organizations in my security group.’ While this is the appropriate action to take in most situations, it doesn’t know if there are other conditions that might change the response.”
For example, there are times when a network operator does not want to block malicious users right away, such as to gather more information about the threat. Florida Tech is building interfaces where the network operator can identify contexts and update the automated system to operate within these contexts, enabling robust and resilient protection of the network infrastructure.
Through the use of advanced automation, integrative biometrics and adaptive human-machine interaction, Florida Tech is leading a new wave of cybersecurity that will adjust and adapt to – as well as shape – cybersecurity operations in an ever-changing climate.