CHASE: Cyber-Hunting At Scale

Summary

Networks within the United States and abroad face increasingly broad-spectrum cyber threats from numerous actors and novel attack vectors. 

Malicious activity also crosscuts organizational boundaries, as nefarious actors use networks with less protection to pivot into networks containing key assets. Detection of these threats requires adjustments to network and host sensors at machine speed. Additionally, the data required to detect these threats may be distributed across devices and networks. 

In all of these cases, the threat actors are using technology to perpetrate their attacks and hide their activities and movement, both physical and virtual, inside DoD, commercial, and Internet Access Provider (IAP) networks.

Enterprise-sized networks present challenges in terms of both their size and distributed structure. Today’s state-of-the-art commercial tools do not directly address the scale and speed needed to provide the best defense for multiple networks. Networks lack robust mechanisms to collect, share, and respond to threat intelligence. 

Data required to detect and characterize malicious activities may be diffuse and may be located across network and endpoint devices. Further, cyber-relevant data (including data that may contain information useful for detection and characterization) routinely exceeds total available storage, bandwidth, and analysis capability, often by several orders of magnitude. Of the data that can be stored, only some is currently analyzed, and of all alerts generated, only a fraction are threat related.

Storage and processing limitations abound, so cyber defenders require tools that strategically direct resources toward the data that actually contains information about threats. Current commercially available tools may output thousands of alerts and false positives per day that often cannot be verified due to a lack of processing capacity. Static data retention policies sometimes result in the deletion of relevant data prior to investigation. 

Additionally, current tools may neither proactively detect novel attack vectors nor detect coordinated attacks distributed across multiple organizations. Traditionally, cyber defense technologies focus predominantly upon either host data or network data. Malicious activity, however, crosscuts networks and hosts. Real-time detection of threats within or across very large enterprise networks is not simply an issue of scale, but also a challenge due to the variable nature of malicious activities and their presentations.

The CHASE program seeks to develop automated tools to detect and characterize novel attack vectors, collect the right contextual data, and disseminate protective measures both within and across enterprises. CHASE aims to prototype components that enable network owners to reconfigure sensors and disseminate protective measures at machine speed with appropriate levels of human supervision. 

CHASE technologies will explore real-time investigations of potential cyber threats through adaptive data collection. Threat detection algorithms developed under CHASE may be tailored to characterize and react to specific classes of threats in the context of different data types and data sources. Additionally, these algorithms may work in concert to estimate the probability that a detected threat is real, as well as to indicate what additional data should be collected. As such, the goal of CHASE is to develop foundational technologies for detection, characterization, and strategic data management.

Enhanced threat detection may cue the generation of automated protective measures. CHASE will focus on protective measures that a network owner has the authority to execute within their own environment, as well as measuring the accuracy and efficiency of threat detection techniques.
