Abstract:
This talk discusses how cybersecurity data (e.g., incidents, intrusion detection system alerts, network flows, and malicious activity against a large range of honeypots) can be analyzed to evaluate the security of organizational networks. Since such data are highly sensitive, organizations are reluctant to share them; in many organizations, the security team that collects the data is unwilling to share it even within the organization. The University of Maryland (UMD) plays a significant role in cybersecurity research due to a collaboration between the Office of Information Technology's (OIT) security team and UMD researchers. The result of the collaboration is access to, and analysis of, all security-related data collected on UMD networks. The talk will review some studies conducted using the data provided by OIT.

First, organizations face increasing challenges in addressing and preventing computer and network security incidents. Being able to understand and predict trends in incidents can aid an organization's ability to allocate resources for the prevention of such incidents, as well as to evaluate mitigation strategies. We compared non-homogeneous Poisson process software reliability growth models and time series models on a large set of security incident data. Based on the over 12,000 incidents recorded since 2001, these models were compared for their capability to predict the number of incidents.

Second, security administrators lack network visibility, i.e., they often do not have the tools to monitor their networks in detail. Even though about 40,000 IP addresses are linked to UMD users, the UMD network consists of more than 130,000 IP addresses. We developed a tool called Nfsight that identifies clients, servers, and scanners solely based on network flows. Various heuristics have been applied and combined using a Bayesian method. Nfsight is currently monitoring the UMD network, and the security team has integrated Nfsight into their security tool suite. Nfsight has found compromised computers that were undetected by the other security tools used by the security team.
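The Bayesian combination of flow heuristics described above, as an added example that is not Nfsight's own code: each per-IP heuristic (use of a well-known port, peer fan-out, flow direction, reply ratios) contributes a likelihood, and a naive-Bayes product over a small constructed set of unidirectional flows yields a client/server/scanner label. The heuristic names, likelihood values and flow records are assumptions made for this illustration, not Nfsight's.

```python
# Added illustration: naive-Bayes fusion of flow heuristics (not Nfsight's own code or tables).
from collections import defaultdict

CLASSES = ("client", "server", "scanner")
PRIOR = {"client": 0.6, "server": 0.3, "scanner": 0.1}
LIKELIHOOD = {  # P(heuristic fires | class) in CLASSES order; illustrative values
    "active_low_port": (0.05, 0.85, 0.10),    # uses a port < 1024 it initiated or answered on
    "many_peers": (0.20, 0.70, 0.90),         # >= 3 distinct peer IPs (tiny sample)
    "mostly_initiates": (0.90, 0.10, 0.95),   # initiates more flows than it receives
    "probes_unanswered": (0.10, 0.30, 0.90),  # < 50% of its initiated flows got a reply
    "ignores_inbound": (0.60, 0.05, 0.60),    # < 50% of flows sent to it were answered
}
# Constructed unidirectional flows: (src_ip, sport, dst_ip, dport, answered_by_dst)
FLOWS = [
    ("10.0.0.5", 50001, "10.0.0.80", 80, True),
    ("10.0.0.6", 40001, "10.0.0.80", 80, True),
    ("192.0.2.9", 31001, "10.0.0.1", 445, False),
    ("192.0.2.9", 31002, "10.0.0.2", 445, False),
    ("192.0.2.9", 31003, "10.0.0.80", 445, False),
]

def endpoint_stats(flows=FLOWS):
    """Per-IP counters; a responder's port counts as 'active' only if it actually replied."""
    s = defaultdict(lambda: dict(peers=set(), init=0, recv=0, init_ok=0, recv_ok=0, low=0))
    for src, sport, dst, dport, ok in flows:
        a, b = s[src], s[dst]
        a["peers"].add(dst); b["peers"].add(src)
        a["init"] += 1; a["init_ok"] += int(ok); a["low"] += int(sport < 1024)
        b["recv"] += 1; b["recv_ok"] += int(ok); b["low"] += int(ok and dport < 1024)
    return s

def heuristics(st):
    """(name, fired) pairs; a heuristic with no supporting flows is skipped, not guessed."""
    h = [("active_low_port", st["low"] > 0), ("many_peers", len(st["peers"]) >= 3),
         ("mostly_initiates", st["init"] > st["recv"])]
    if st["init"]:
        h.append(("probes_unanswered", st["init_ok"] / st["init"] < 0.5))
    if st["recv"]:
        h.append(("ignores_inbound", st["recv_ok"] / st["recv"] < 0.5))
    return h

def classify(st):
    """Naive Bayes: posterior ~ prior * product of P(evidence | class); returns (label, posterior)."""
    post = dict(PRIOR)
    for name, fired in heuristics(st):
        for cls, p in zip(CLASSES, LIKELIHOOD[name]):
            post[cls] *= p if fired else 1 - p
    total = sum(post.values())
    post = {cls: v / total for cls, v in post.items()}
    return max(post, key=post.get), post
```

Calling `classify(endpoint_stats()[ip])` for each IP labels 10.0.0.80 a server, 192.0.2.9 a scanner, and 10.0.0.5 a client; a host that merely receives an unanswered probe gets no "server" evidence from the port heuristic.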