Internet Measurement and Attack Modeling

US-CERT is charged with providing response support and defense against cyber attacks for the Federal Civil Executive Branch (.gov) and information sharing and collaboration with state and local government, industry and international partners. Research in internet measurement will address the need for better understanding of connectivity among Internet Service Providers (ISPs). Associated data analysis, such as geographic mapping, will improve the understanding of peering relationships and thus provide a more complete view of network topology, which will help to identify the infrastructure components in greatest need of protection. In conjunction with this work, research in attack modeling will allow critical infrastructure owners/operators to predict the effects of cyber attacks on their systems particularly in the areas of malware and botnet attacks, a growing area of concern (ref Conficker and Stuxnet attacks), and situational understanding and attack attribution. “Attack protection, Prevention and Pre-emption,” and “Automated Attack Detection, Warning and Response,” are documented requirements found in the “Federal Plan for Cyber Security and Information Assurance Research and Development,” a report co-authored by S&T and other program customers.

IMAM Focus Area

Technical Approach

The technical approach for Internet Measurement is to improve the system used to collect network traffic information to provide scalable, real-time access to the data as it is being collected from ISPs around the globe. This data is being improved by increasing both the number of data collectors and the number of data points being monitored. In order to build a more complete map of the Internet, the effort will build upon previous research projects, which have built large research platforms capable of Internet measurements from points across the globe.

1. Internet-scale emulation of observable malware, specifically botnets and worms, with goals including helping to identify weaknesses in the malware code and how it spreads or reacts to outside stimuli
2. New approaches in malware and botnet detection, identification and visualization, and automated binary analysis
3. Malware Repository Creation and Sharing – Collaborative detection may involve privacy-preserving security information sharing across independent domains. This may involve sharing malware samples, metadata of a sample, and/or experiences with appropriate access controls
4. Robust Security Against operating system exploits, such as binary-exploit malware targeting the operating system
5. Remediation of systems infected at levels ranging from the user level down to the root level, possibly including built-in diagnostic instrumentation and VM introspection providing embedded digital forensics