The project objective is to investigate current and new attack vectors using data both from the traditional security ecosystem and from beyond the organization perimeter. Beyond the perimeter lies a wide variety of Internet infrastructure data maintained by third parties and accessible through free or subscription-based web APIs and repositories, including DNS, WHOIS, BGP routing, IP geolocation, IP and domain blacklists, malware file connections, user devices, and users' digital fingerprints and footprints. A new graph model, the activity and event network (AEN) model, has been developed to capture and analyze in real time relevant data from these sources in order to detect and analyze long-term, stealthy attacks in computing and cyber-physical networks.
The AEN framework uses large, dynamic, uncertain graphs to model and observe an interrelated network of activities and events over time and across a broad set of hosts, and to identify both known and hidden attack patterns.