U.S. Army Research, Development and Engineering Command
Cyber Security CRA Overview
Professor Patrick McDaniel
Cyber Security (CSEC)
Collaborative Research Alliance
A Collaborative Alliance between ARL, CERDEC, Academia, &
Industry to advance the foundation of cyber science in the context
of Army networks
 Develop a fundamental understanding of
cyber phenomena (incl human aspects)
 Fundamental laws, theories, & theoretically
grounded & empirically validated models
 Applicable to a broad array of Army
domains, applications, & environments
2
Cyber Security CRA
Key Attributes
 Alliance to advance cyber science:
Collaboration between Government
& Consortium integral to CRA
success
 Emphasis on theoretical
underpinnings with validated
models in Army context
 Accelerating Transition to Practice

Subject matter experts at ARL enable
accelerated transition into operational
environments thru active involvement in research
& operations

CERDEC enables the maturation of promising
research & accelerated transition to industry &
PMs/PEOs
3
Cyber Security Science
Challenges
Grand Science Challenges:
 Joint study of inter-related areas of cyber-security
 Understanding human dynamics: defense and attack
 Strategic & tactical networks
Domain
 Heterogeneous & convergent networks
Army-unique Challenges
 Large attack surface
 Army must:
 Relatively disadvantaged assets

Use & defend networks that it neither owns
nor directly controls

Construct mission networks with a variety of
partners & allies
 Large scale & high dynamics
 Advanced persistent threats
 Close proximity with threats

Adapt to rapidly changing technologies,
tactics, & threats
 Disadvantaged users

Maintain situation awareness across complex
networks
 Must work through contested
and compromised environments
4
Towards a Cyber Science
 Scientific understanding should manifest itself in models that:

Are mathematically formulated, developed from first principles

Explicitly & formally specify assumptions, simplifications & constraints

Involve characteristics of threats, defensive mechanisms & the defended
network (including quantifiable attributes of the human)

Are at least partly theoretically grounded & yield experimentally testable
predictions

Are experimentally validated
This effort is not focused on the creation of new cyber defenses!
5
Cyber Security CRA Strategy
Technical Approach:
Trans-disciplinary; Emphasis on
understanding human attackersdefenders-users; Experimentation to
validate models
Impact: Create fundamental
understanding of cyber science
encompassing risk, agility, detection and
the underlying human dynamics
Funding:
CORE: ~$3M/year for basic research
ENHANCED (unfunded): $500K/$1M per
year for 6.1/6.2 research
Consortium cost-share $587K/year
PI Expertise:
Cyber-security, systems, theory, human
factors, psychology, networking
Universities
ARL
CRA
Leadership
CERDEC
Industry
Teaming:
Collaborative teams co-led by PIs
from government, academic and
industry partner organizations
Accelerate transition to practice via
close partnering with SMEs at ARL
and CERDEC
6
CSEC CRA Leadership
Prof. Patrick McDaniel
CRA Program Manager (PM)
Professor, Penn State University
Chair, IEEE TC on Security and Privacy
Co-Directory, Systems and Internet Infrastructure Security Laboratory
Area Edit, Secure Systems, IEEE Security and Privacy Magazine
Dr. Ananthram Swami
CRA Collaborative Alliance Manger (CAM)
Army Research Laboratory
ST, Network Science
IEEE and ARL Fellow
Steering Board, IEEE-Transactions on Network Science and Engineering
7
Area Leads
• Risk
• Jean Camp (Indiana)
Hasan Cam (ARL)
• Detection
• Srikanth Krishnamurthy (UCR)
Ananthram Swami (ARL)
• Agility
• Prasant Mohapatra (UCD)
Lisa Marvel (ARL)
• Human Dynamics
• Lorrie Cranor (CMU)
Norbou Buchler (ARL)
8
CSEC CRA TEAM
• University PIs
• Penn State :
• CMU :
• Indiana :
• UC Davis :
• UC Riverside :
Jaeger, La Porta, and McDaniel
Bauer, Christin, Cranor, and Gonzalez
Bertenthal, Camp, and Henshel
Levitt, Mohapatra, and Su
Krishnamurthy, Madhyastha, and Neamtiu
• ARL Researchers
• Buchler, Cam, Erbacher, Kott, Marvel, Rivera, Swami,
Torrieri, Vaughn
• CERDEC Researchers
• Cansever, Hesse, Murawsky, Shahid
9
CSEC CRA Vision
Motivated by key challenge:
Given a security and environmental state, what
cyber-maneuvers best mitigate attacker actions
and maximize mission success?
Goal: Develop a rigorous science of cyber-security that will:
a) Detect the threats and attacks present
Situational Awareness
(DETECTION)
in the environment and assess risks
b) Understand / predict users, defenders
and attackers actions
Risk Assessment
(RISK)
c) Alter the environment to securely
achieve maximal mission success
rates at the lowest resource cost while
Optimal
Response?
maximizing cost to adversary
Outcome: Dictate and control the
evolution of cyber-missions in the presence
of adversarial actions
Reconfiguration
(AGILITY)
10
Cyber Security CRA
Research Focus
Develop an understanding of cyber
phenomena:
 Fundamental laws, theories, & theoretically grounded
& empirically validated models
 That can be applied to a broad range of Army
domains, applications, & environments
Research Areas
 Risk: Theories & models that relate fundamental
properties of dynamic risk assessment to the properties
of dynamic cyber threats, Army’s networks, & defensive
mechanisms
 Detection: Theories & models that relate properties &
capabilities of cyber threat detection & recognition to
properties of malicious activity
 Agility: Theories & models to support planning &
control of cyber maneuver in network characteristics &
topologies
Cross Cutting
Research Issue
 Human dimensions:
Theoretical understanding of
the socio-cognitive factors that
impact the decision making of
the user, defender, & adversary
11
Cyber Security CRA
Research Interrelationships
 Risk, Detection, & Agility are intricately linked & co-evolving
 Human dimensions are key to understanding decision making of the user,
defender, adversary as they relate to Risk, Detection, & Agility
 Agile cyber maneuver
can reduce risk
 Agility makes risk
assessment more difficult
& uncertain
 Identification of risks may
trigger maneuvers
Human Dynamics
Cross-Cutting
Research Issue
 Analysts evaluate risk to
make cyber security decisions
 Risk is diminished with
stronger detection
 Improved detection increases
confidence in risk assessment
Trans-disciplinary approach
to cyber security research
 Higher tolerance for risk can
lower detection requirements
 Agility can hinder accurate timely detection
 Agility degrades analyst ability to identify/correlate events
 Inaccurate threat detection can cause maneuver flapping
12
Research Areas and Cyber-Science
 Risk
 Develop theories and models of risk
assessment in cyber-environments
that combine:
a) system and network risk
b) human oriented risk
 Detection
 Develop theories and models of
detection that provide:
a) what is the most likely threat
b) what impact will it have
c) the confidence in the process
• Agility
•
Develop theories and models of system
agility that reason about:
a) the universe of security-compliant
maneuvers and end-states
b) the impacts of maneuvers on
humans and outcomes
• Human Dynamics (CCRI)
•
Develop theories and models of users
behavior in cyber-environments that:
a) classify user intent and capability
b) predict how a user will react to stimuli
c) induce mitigating adversarial behavior
 Experimentation: validation of science
 Validate theories and algorithms via user and system experiments
 Team internal and BAA partner driven
 Using large-scale test-beds, e.g., DoD GENI, NCR, DETER, etc.
 Operations Model provides a framework for Risk, Agility, and Detection
13
CRA Area and Task Structure
Operations
Detection
O1
Operation Model Development
D1
Design of Diagnosis-enabling Detection
O2
Operation Taxonomy and Scenario Development
D2
Effectively Involving Defenders and Users
D3
Managing Cost in Evidence Collection
D4
Effective Monitor Placement
D5
Continuous Detection Reconfiguration
D6
Introspective Detection
Risk
Year 1
Year 2+
Agility
R1
User, Defender, and Attacker Risk Models
A1
Characterizing the Maneuver Space
R2
System and Network Risk Models
A2
Optimization of Tasks and System Configuration
R3
Conceptualizing and Quantifying Risk
A3
Capturing End-State Dynamics
R4
Communicating Risk
A4
Using Instance-Based Learning for Realism
R5
Risk Optimization
A5
Enhanced Threat Scenarios
R6
Collaborative Risk Models
A6
Model-Based Conf. Generation and Verification
R7
User/Defender/Attacker Feedback Models
A7
Stealth Games
Human Dynamics
Validation
14
Operations Model
Develop formal structures for reasoning about cyber-maneuvers and
security goals & strategies
Mathematical representations must be decomposable and composable
in ways that make analysis tractable & answer questions such as
– What is the state of the network/system?
• Who are users, defenders, and adversary?
• What is the state of the user/defender/adversary?
• Are the systems available and secure?
• Are attacks in progress?
• What are the relative risks in the environment?
Situational Awareness
(DETECTION)
Risk Assessment
(RISK)
Optimal
Response?
– Should we alter the environment and how?
• What outcomes are “globally” optimal?
Reconfiguration
(AGILITY)
• What are the available cyber-maneuvers?
• Which maneuvers maximize outcomes while minimizing cost?
15
Operations Model
The operation model provides
a common framework for
Risk and Agility
Continuous optimization of the environment based on models of
attackers, defenders, the environment
• Operation survivability is achieved by altering the security configuration and
network capabilities in response to detected adversarial operations and
situational needs of users and resources and tools available to defenders.
• Cost and risk metrics are used to select optimal strategies and
configurations that maximize success probabilities while mitigating
adversarial actions.
• Models of user, defender, and adversarial behaviors, actions and needs are
used to derive the operation state, as well as to identify those configurations
that increase the probability of operation success.
16
Example Operation Model: Lost Assets
Scenario: Insurgents capture Sergeant Hill's
AN/PSN-13 DAGR (Defense Advanced GPS
Receiver), his AN/PRC-148 MBITR, and PFC
Stark’s AN/PRC-148 MBITR.
Outcomes: Prevent devices or data therein from
being used by insurgents to penetrate or disrupt
command and control.
Detection: Human-scale reporting, “last gasp”
measures, network monitoring.
Risks: Exfiltration of sensitive intelligence and credentials from devices.
Disruption of communications among other cooperating devices
Agility: Remote zeroing of devices, revocation of credentials. Where
device state is unknown, quarantine until better detection state known.
Rekeying of multiparty session keys, changing frequency hopping.
Effort: Team of 12 undergrads working with Alliance PIs on
implementation and visualization
17
5 and 10 Year Goals
• By year 5
• Develop a theory of cyber-security built on operation models. The
science and models should produce the capability to:
• (a) accurately assess current and predict future system states
and (b) posit reconfiguration activities that increase success
rates of operations, and (c) decrease success rates of
adversarial missions.
• By year 10
• Validate foundational principles of a science of cyber-security. The
science and models should produce the capability to:
• (a) perform the continuous optimization of the mission
network environment, and (b) dictate and control the evolution
of missions, adversarial actions and threats.
18
CRA Collaboration Plan
• Cross-team and cross thrust collaboration will be supported by
multi-homed PIs from Universities, ARL, and CERDEC:
• Yearly week-long boot camps
• CRA Infrastructure provides a mechanism for collaborative
research and experimentation, and archival cra.psu.edu
• Joint development, planning and execution of research by
consortium and government scientists
• Will work closely with BAA partner for experimental validation of
research, and for transition to ARL and CERDEC and OGA
19
Summer Undergraduate Research Program
• 2014 : 12 top Junior and Senior students recruited from the
Computer Science and Engineering Program
• Hired as CRA researchers
• Working on operations model development, tools
• Summer program will support rotation of the students to ARL/CERDEC
facilities
• May – Aug 2014
• Develop CRA relevant research
• ARL/CERDEC Mentorship
• Long term: support transition of CRA students to graduate programs
20
FY14 Events / Visits / Staff Exchanges
Key Events:
20 Sept 2013
9-11 Dec 2013
10 Feb 2014
01 Apr 2014
18 Apr 2014
11-14 Aug 2014
Award
PI Meeting , ARL, ALC
Visit to ARL/HRED, CERDEC
Today’s formal launch
Student team to visit ARL
CRA collaboration Bootcamp
Short visits: already 9 visits between ARL, CERDEC, and PI
organizations, many more planned
Planned Staff Rotations: 1 week long rotation already from ARL to
Penn State, 8 PI and 3 post doc commitments for Spring/Summer 1-2 week
rotations between organizations, 12 undergraduates for summer rotation to
ARL
21
Conclusions
“Science is the systematic classification of experience.”
- Philosopher George Henry Lewes (1817-1887)
• The CSEC CRA Team has been working for six
months to plan and begin executing an approach to
address one of the grand challenges of a generation
• This effort will found the science that enables the
Army to protect is critical assets and users in future
cyber- and physical battlefields …
• … and will serve as a model for joint collaboration
on scientific problems.
22
THANKS!
Develop the theoretical underpinnings for a
Science of Cyber Security
U.S. Army Research, Development and Engineering Command
Way Ahead
McDaniel (PM) & Swami (CAM)