Research
Sample Current Research Projects
Emulytics
The Emulytics / Operating Systems Intelligence project is collecting data from a wide variety of websites for analysis. The analysis ranges from studying specific types of hardware, to compare the rate of vulnerabilities by device type and vendor, to studying the predictions of frequently publishing cybersecurity experts, to determine the best prognosticators of major cybersecurity events. We are specifically collecting and analyzing threats to traditional and non-traditional information technology systems. In addition, we are analyzing various online sources to attempt to identify anti-language in cybersecurity. This work is being explored collaboratively with, and is partially supported by, Sandia National Laboratories.
The goal of this effort is to automate the gathering and processing of threat information, with the explicit goal of improving the recreation of an APT's:
- Tools
- Techniques
- Procedures
Some of the initial tasks that NMT is exploring are:
- Develop tools (a web crawler) to gather threat information from the internet in an automated fashion.
- Pull relevant related information from differing sources, find other sources that are related (such as Twitter handles, blogs, …), and crawl those sites.
- Develop algorithms that use this information for deeper associations, techniques to see who is referencing these sites/documents or tagging documents, relationships to users/accounts/…, and a methodology to continually gather information, find interesting “new topics” such as a new APT group (e.g., APT 32) or new CVEs, and kick off new information gathering.
- Develop tools to post-process the information from the sources to extract key threat indicators of compromise (IOCs).
- Develop tools to post-process the information to pull out CVEs and discover whether any proof-of-concept (PoC) code is related to the actor's campaigns, identify what application or service was exploited, and determine whether the PoC is downloadable.
- Develop tools to post-process the information to extract techniques and procedures from the threat reports.
- Develop tools to post-process the information to begin mapping the context of the TTPs to the MITRE ATT&CK matrix.
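The post-processing steps above (extract IOCs, pull out CVEs, map observed behaviour to ATT&CK) are the kind of work a small text-mining pipeline can start on. The following is an added example written for this page, not NMT's or Sandia's tooling: it runs over a constructed, defanged report excerpt (the `hxxp` / `[.]` notation published reports use), refangs it, pulls out CVE ids, IPv4 addresses, SHA-256 hashes and domains with regular expressions, and does a deliberately simple keyword lookup against three real ATT&CK technique ids. The sample text, the keyword table and the regex choices are all assumptions for illustration; a production extractor would need a far richer vocabulary and validation against the live ATT&CK data set.

```python
import re

# Constructed sample report excerpt (not taken from any real threat report). It uses
# "defanged" notation so that copying it does not produce clickable URLs.
SAMPLE_REPORT = """
The campaign exploited CVE-2021-44228 in a public-facing Java service and later
CVE-2023-4863. Second-stage payloads were fetched from hxxp://update-cdn[.]example[.]net
and from 203[.]0[.]113[.]45. Observed dropper SHA-256:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Operators used a PowerShell loader after a spear-phishing attachment was opened.
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Simplified domain pattern: labels separated by dots, ending in an alphabetic TLD.
# The alphabetic TLD requirement is what keeps it from matching dotted IPv4 addresses.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Constructed keyword table: technique id -> (ATT&CK name, trigger phrases).
# The ids are real ATT&CK technique ids; the phrase list is an illustrative assumption.
TTP_KEYWORDS = {
    "T1190": ("Exploit Public-Facing Application", ["public-facing", "internet-facing"]),
    "T1059.001": ("Command and Scripting Interpreter: PowerShell", ["powershell"]),
    "T1566.001": ("Phishing: Spearphishing Attachment",
                  ["spear-phishing attachment", "spearphishing attachment"]),
}


def refang(text: str) -> str:
    """Undo the common defanging conventions so the IOC regexes can match."""
    text = text.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    return re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)


def extract_iocs(report: str) -> dict:
    """Return sorted, de-duplicated CVE ids, IPv4 addresses, SHA-256 hashes and domains."""
    text = refang(report)
    return {
        "cves": sorted({m.upper() for m in CVE_RE.findall(text)}),
        "ipv4": sorted(set(IPV4_RE.findall(text))),
        "sha256": sorted({m.lower() for m in SHA256_RE.findall(text)}),
        "domains": sorted({m.lower() for m in DOMAIN_RE.findall(text)}),
    }


def map_to_attack(report: str) -> list:
    """Return the ATT&CK technique ids whose trigger phrases appear in the report."""
    lowered = report.lower()
    return sorted(
        tid for tid, (_name, phrases) in TTP_KEYWORDS.items()
        if any(p in lowered for p in phrases)
    )


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        print(f"{kind}: {values}")
    for tid in map_to_attack(SAMPLE_REPORT):
        print(f"{tid}: {TTP_KEYWORDS[tid][0]}")
```

Keeping the extraction and the ATT&CK mapping as separate functions mirrors the split in the task list above: IOC extraction is mostly pattern matching and benefits from strict validation (the IPv4 pattern rejects out-of-range octets, hashes are normalised to lower case), while technique mapping is a judgement call that will need a curated vocabulary and, eventually, a model rather than substring matches.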
Enterprise-Wide Cybersecurity
Enterprise-Wide Cybersecurity involves analyzing data across individual computer events and network traffic in an enterprise to better secure the collective of all machines in the enterprise. This large-scale work is being explored collaboratively with Sandia National Laboratories and the Institute for Complex Additive Systems Analysis.
The research project involves integration of the following advanced technologies:
- A threat removal system to automate the movement of recognized threats from an enterprise network to a virtual stand-in (an advanced honeynet system) using software-defined networking. This system fully instruments the virtual stand-in to collect threat intelligence. Threats can be identified manually and submitted by system administrators, or identified via the process identification system.
- A process identification system that uses process models to recognize threats as they arrive in the enterprise network, and then sends the threat identification to the threat removal system.
- An intelligent system that uses the threat intelligence collected by the threat removal system to automate generation of new threat models for the process identification system.
Research Overview
Dr. Lorie Liebrock's research interests focus on issues related to cybersecurity. Her overriding interest is in enterprise-wide cybersecurity as a means of improving large-scale cybersecurity. She has worked with numerous students on a variety of issues in cybersecurity, from analysis of the impact of legal and policy changes on organizations, to metrics for determining the effectiveness of classifiers on applied problems, to forensics, enterprise-wide cybersecurity, and emulytics. Her approach to cybersecurity research integrates the transdisciplinary breadth of cybersecurity, from computer science to policy to psychology.
She has also done significant research in parallel computing. One long-term focus is on using problem topology during compilation, in particular using topology to automate data distribution and to allow the optimizations developed for regular applications to be applied to partially regular problems. She has developed algorithms for automatic distribution of irregularly coupled regular mesh (a.k.a. composite grid or multiblock) problems, e.g., aircraft aerodynamics and water-cooled nuclear reactor simulations, via the use of problem topology. For use with these automatic distribution algorithms, she has developed a program template and a set of style guidelines for these applications that allow automatic transformation of an application code with no notion of data distribution into a standard High Performance Fortran program with a complete distribution specification.