Researchers at the Army Research Lab (ARL) within the U.S. Army Combat Capabilities Development Command and Towson University are collaborating on an effort to make intrusion detection alerts more useful to cybersecurity teams by making it possible to include more actionable intelligence within those alerts.
One of the inherent challenges with any type of alert is that the intrusion detection platform generating it can process only a limited amount of data. Researchers at ARL and Towson University are trying to develop an approach to compressing that data in a way that would make it possible to include more information within any alert that gets generated. Most alerts today are little more than a summary describing a potential issue.
Research presented at the recent International Multi-Conference on Complexity, Informatics and Cybernetics by ARL and Towson University suggests it should be possible to compress network traffic without losing the ability to detect and investigate malicious activity. Sidney Smith, an ARL researcher and the study’s lead author, said this capability would make it possible to attach more detailed information to any alert, which would then make it much easier for cybersecurity teams to prioritize alerts based on the malware identified.
Smith noted that today a lot of malware is missed by intrusion detection systems because they are limited to analyzing data early in the transmission process. As it happens, however, researchers are finding that malware often doesn’t manifest itself until much later in the transmission process. Being able to compress the data being collected would also go a long way toward identifying malware attacks hidden at the back end of a transmission, said Smith.
The next goal is to combine lossless compression techniques with a classification system to reduce the amount of traffic that needs to be transmitted to the central analysis systems to less than 10% of the original traffic volume, while losing no more than 1% of cybersecurity alerts, said Smith.
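The two numbers Smith cites (forwarded volume as a share of the original, and the share of alerts lost by not inspecting every byte centrally) are easy to measure on a toy pipeline, and doing so also illustrates the earlier point that a detector which only looks at the front of a transmission misses payloads that appear late. The following Python is an added example written for this page; it is not ARL's or Towson University's code, and the sensor-side triage rule (forward the full payload when its byte entropy is high, otherwise send a short metadata summary) is a hypothetical heuristic chosen for illustration, not the classifier the researchers are building. All flows are constructed in the script, and the EICAR antivirus test string stands in for a malware signature.

```python
"""
Toy sensor-to-analyst pipeline: triage each flow at the sensor, forward the
suspicious ones as losslessly compressed payloads, summarise the rest, and
measure (a) forwarded bytes / original bytes and (b) alerts lost relative to
inspecting every byte of every flow centrally.  Constructed data throughout;
the triage rule is a hypothetical heuristic, not a published method.
"""
import math
import random
import zlib
from collections import Counter
from dataclasses import dataclass

# EICAR test string: a harmless, widely recognised AV test signature.
SIGNATURE = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ENTROPY_THRESHOLD = 5.5   # bits/byte; hypothetical triage cut-off
EARLY_BYTES = 256         # how much of a flow a "front-loaded" IDS inspects


@dataclass
class Flow:
    dst_port: int
    payload: bytes


def shannon_entropy(data: bytes) -> float:
    """Empirical byte entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_flows(seed: int = 1) -> list[Flow]:
    """Constructed traffic: 200 benign HTTP flows, 5 benign TLS-like flows and
    3 flows that carry SIGNATURE only after the first few hundred bytes."""
    rng = random.Random(seed)

    def rand(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    body = b"lorem ipsum dolor sit amet " * 110           # ~3 KB of low-entropy text
    flows = []
    for i in range(200):
        hdr = b"GET /page%d HTTP/1.1\r\nHost: www.example.com\r\n\r\n<html>" % i
        flows.append(Flow(80, hdr + body))
    for _ in range(5):                                    # looks like a TLS record
        flows.append(Flow(443, b"\x16\x03\x01" + rand(1500)))
    hdr = b"GET /update HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    filler = b"lorem ipsum dolor sit amet " * 20          # ~540 bytes before the payload
    for _ in range(2):   # packed-looking payload: high entropy, signature at the tail
        flows.append(Flow(80, hdr + filler + rand(1500) + SIGNATURE))
    # evasive case: signature buried in plain text, so whole-flow entropy stays low
    flows.append(Flow(80, hdr + filler + SIGNATURE + filler))
    return flows


def triage(flow: Flow) -> bool:
    """Hypothetical sensor-side rule: forward the full payload when it looks
    packed or encrypted (high entropy); summarise everything else."""
    return shannon_entropy(flow.payload) > ENTROPY_THRESHOLD


def summarise(flow: Flow) -> bytes:
    """Fixed-shape metadata record that replaces a payload the sensor drops."""
    p = flow.payload
    return b"%d,%d,%.2f,%s" % (flow.dst_port, len(p), shannon_entropy(p),
                               p[:16].hex().encode())


def detect(payload: bytes) -> bool:
    """Stand-in for the central detector: a plain signature match."""
    return SIGNATURE in payload


def run_pipeline(flows: list[Flow]) -> dict:
    """Return volume and alert-loss metrics for the triage + compression scheme."""
    original = sum(len(f.payload) for f in flows)
    forwarded = 0
    central_alerts = 0
    for f in flows:
        if triage(f):
            blob = zlib.compress(f.payload, 9)        # lossless: analyst gets every byte back
            forwarded += len(blob)
            central_alerts += detect(zlib.decompress(blob))
        else:
            forwarded += len(summarise(f))            # metadata only: nothing left to match on
    reference = sum(detect(f.payload) for f in flows)              # every byte, every flow
    early = sum(detect(f.payload[:EARLY_BYTES]) for f in flows)    # front-of-flow IDS
    return {
        "volume_ratio": forwarded / original,
        "reference_alerts": reference,
        "early_only_alerts": early,
        "central_alerts": central_alerts,
        "alerts_lost": reference - central_alerts,
        "alert_loss_ratio": (reference - central_alerts) / reference if reference else 0.0,
    }


if __name__ == "__main__":
    r = run_pipeline(build_flows())
    for k, v in r.items():
        print(f"{k:>18}: {v:.3f}" if isinstance(v, float) else f"{k:>18}: {v}")
    print("volume target (<10%) met :", r["volume_ratio"] < 0.10)
    print("alert budget (<=1%) met  :", r["alert_loss_ratio"] <= 0.01)
```

On this constructed traffic the volume target is met comfortably (a few percent of the original bytes reach the analyst), the front-of-flow detector raises no alerts at all because every signature sits past the first 256 bytes, and the entropy rule recovers the two packed payloads but drops the plain-text one, so one of three reference alerts is lost. That last number is the point of the exercise: the 10% volume goal is the easy half, and whether the 1% alert-loss budget holds depends entirely on what the classifier declines to forward.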
Most cybersecurity teams today suffer from a chronic case of alert fatigue. So many alerts are generated that teams become inured to them, only to find out later that one of the thousands of alerts really was indicative of an attack. While a lot of research and development effort is being applied to machine learning algorithms that identify patterns in all that alert data, those alerts first need to be centrally aggregated on some type of big data platform. Cybersecurity teams, however, need intelligence they can act on in real time, which means a more efficient way of analyzing the data needs to be found.
It’s probable that, given all the attention being paid to cybersecurity these days, the ARL and Towson University researchers are not the only team working on this issue. But as a government entity, the ARL appears willing to share its findings as part of an effort to enhance cybersecurity for all. It may be a while before that research finds its way into platforms and services that cybersecurity teams can implement, but at the very least progress is being made in understanding how malware gets past existing defenses.