US Department of Energy Developed Cyber Attack Detection System

ORNL cybersecurity researchers at a demonstration event showcasing Akatosh (Credit: Oak Ridge National Laboratory)

A team of researchers at the US Department of Energy's (DOE's) Oak Ridge National Laboratory (ORNL) has developed Akatosh, a security analysis tool that works in conjunction with standard software to detect significant irregularities in computer networks.

"Akatosh is a system that provides deeper context to existing IT infrastructure designed to solve security problems," said Jared Smith, a cybersecurity researcher in ORNL's Computing and Computational Sciences Directorate (CCSD) who developed the new technology. "It gives you a historical look of what's changing on a computer over time."

This new resource coordinates with intrusion detection systems (IDSs), which monitor computer networks for private companies, government facilities, and academic institutions and set off alerts in response to abnormal activity. IDSs tend to trigger false alerts, forcing cybersecurity analysts and IT professionals to manually search the network for changes.

"Any organization with a lot of people using computers will get thousands of alerts a day, and someone has to sift through them," Smith said. "The typical tools available provide a bunch of data that analysts have to look at to decide whether or not the system has actually been breached."

Akatosh periodically takes snapshots of host systems on the network during everyday operations to establish a baseline, then takes another snapshot each time an IDS alert occurs. By comparing these snapshots, Akatosh can immediately show the changes that transpired leading up to and during a cyber event. Automating the process of sorting through IDS alerts reduces the time and cost required to identify the source of a security incident and neutralize the threat.

The system summarizes relevant changes and sends a report to the network administrator to quickly determine whether the changes indicate the presence of a legitimate security threat. The ability to accurately determine the validity of IDS alerts in real time means analysts can begin mitigating the negative effects of malware attacks, phishing emails, and other cybersecurity problems as soon as they appear.
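The baseline-then-alert snapshot comparison and the change report described in the two paragraphs above can be sketched in a few dozen lines. The following is an added illustration, not Akatosh's own code: it hashes files under a directory, accepts caller-supplied process and listening-port lists (collecting those is OS-specific and left out), diffs a baseline snapshot against an alert-time snapshot, and summarizes only what changed. All file names, process names and port numbers in the sample data are constructed.

```python
"""Baseline-then-alert host snapshot comparison, in the style of the Akatosh workflow."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class FileState:
    sha256: str
    size: int


@dataclass
class Snapshot:
    files: dict            # relative path -> FileState
    processes: frozenset   # process names (assumed to come from a separate collector)
    listening_ports: frozenset


def snapshot_directory(root, processes=(), listening_ports=()):
    """Hash every regular file under root; process and port lists are passed in by the caller."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            files[os.path.relpath(path, root)] = FileState(digest.hexdigest(), os.path.getsize(path))
    return Snapshot(files, frozenset(processes), frozenset(listening_ports))


def diff_snapshots(baseline, alert):
    """Return only what changed between the baseline and the alert-time snapshot."""
    base_paths, alert_paths = set(baseline.files), set(alert.files)
    return {
        "files_added": sorted(alert_paths - base_paths),
        "files_removed": sorted(base_paths - alert_paths),
        "files_modified": sorted(p for p in base_paths & alert_paths
                                 if baseline.files[p] != alert.files[p]),
        "processes_started": sorted(alert.processes - baseline.processes),
        "processes_stopped": sorted(baseline.processes - alert.processes),
        "ports_opened": sorted(alert.listening_ports - baseline.listening_ports),
        "ports_closed": sorted(baseline.listening_ports - alert.listening_ports),
    }


def has_changes(diff):
    return any(diff.values())


def summarize(diff):
    """Compact report for the analyst: one line per category that actually changed."""
    lines = [f"{key}: {', '.join(map(str, vals))}" for key, vals in diff.items() if vals]
    return "\n".join(lines) if lines else "no host changes between baseline and alert snapshot"


def constructed_example():
    """Constructed sample snapshots (not real host data) exercising each change category."""
    baseline = Snapshot(
        files={"etc/hosts": FileState("aa" * 32, 220),
               "usr/bin/ssh": FileState("bb" * 32, 900000),
               "home/alice/notes.txt": FileState("cc" * 32, 1024)},
        processes=frozenset({"sshd", "cron", "nginx"}),
        listening_ports=frozenset({22, 80}),
    )
    alert = Snapshot(
        files={"etc/hosts": FileState("dd" * 32, 260),         # content changed
               "usr/bin/ssh": FileState("bb" * 32, 900000),    # unchanged
               "tmp/dropped.sh": FileState("ee" * 32, 512)},   # appeared after the alert
        processes=frozenset({"sshd", "cron", "nginx", "dropped.sh"}),
        listening_ports=frozenset({22, 80, 9001}),
    )
    return diff_snapshots(baseline, alert)


def directory_roundtrip():
    """Run snapshot_directory on a scratch directory: modify one file, add another, diff."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "config.ini"), "w") as fh:
            fh.write("mode=normal\n")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("baseline\n")
        baseline = snapshot_directory(root, processes=["sshd"], listening_ports=[22])
        with open(os.path.join(root, "config.ini"), "w") as fh:
            fh.write("mode=debug\n")
        with open(os.path.join(root, "extra.bin"), "wb") as fh:
            fh.write(b"\x00" * 16)
        alert = snapshot_directory(root, processes=["sshd"], listening_ports=[22])
        return diff_snapshots(baseline, alert)


if __name__ == "__main__":
    print(summarize(constructed_example()))
```

Running the script prints the change report for the constructed pair: one new file, one removed, one modified, one new process and one newly opened port. An alert whose diff comes back empty is the quick "nothing changed on the host" signal that lets an analyst deprioritize a likely false positive, while a non-empty diff points directly at what to examine.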

To demonstrate Akatosh's dynamic capabilities, the team recently traveled to San Francisco for RSA, the largest security conference in the country. They also attended US Department of Homeland Security (DHS) summits in New York and Washington, DC. "We actually use real malware and show how, once it spreads across the machine, we can see how it changes and pinpoint the problem," Smith said.

[Source: phys.org]