The Department of Defense awarded the Georgia Institute of Technology (Georgia Tech) a $17.3 million cybersecurity research contract to establish a science around cyber attribution, the university said Nov. 29.

The research program will be led by researchers at Georgia Tech in collaboration with other academic institutions and companies. The project expects to create an attribution framework called Rhamnousia, named for the Greek goddess of Rhamnous and the spirit of divine retribution.

“We should know who our friends are and who our enemies are in the cyber domain. We owe it to the people of this country to objectively reason about the actors attacking systems, stealing intellectual property and tampering with our data. We want to take away the potential deniability that these attack groups now have,” Manos Antonakakis, an assistant professor at the college’s School of Electrical and Computer Engineering and the project’s principal investigator, said in a statement.

While attributing attacks to specific persons or groups can be partially achieved today, it is a manual process involving skilled investigators taking weeks or months. The Rhamnousia program expects to accelerate the process and provide scientific reasoning and hard evidence about the guilty parties, Georgia Tech said.

The research program will use data science and engineering techniques to filter through existing and new data sets to find relevant information.

“Using a variety of data sets and analytical techniques, we can distill the information that will be useful to identifying the virtual cyber actors. These bad actors have to use the network and computer systems, and they have to interact with sources. They are leaving crumbs behind, and we can leverage those,” Antonakakis added.

He explained that the project will use machine learning and algorithms to scale up and optimize the forensic analysis for attribution. This will help companies and the government protect against bad actors in a systematic and scientific way.

Michael Farrell, chief scientist of the Cyber Technology and Information Security Laboratory at the Georgia Tech Research Institute (GTRI), highlighted that deterrence is exceedingly difficult if one cannot identify the adversary. “Attribution is the linchpin for deterrence in cyberspace, and the U.S. government is in need of a repeatable and releasable way forward,” he said.

More rapid identification is also important to cyber victims because the motive of attackers can suggest the kind of information they seek, the damage they are capable of, and what defenders can do to minimize impacts.

Ultimately, the researchers hope to enable a faster response that cuts off attackers sooner. Technologically, the project has three specific development goals:

  • Efficient algorithmic attribution methods to convert the research team’s experience with manual attack attribution to tensor-based learning methods, allowing expansion of existing efforts to create a science of attribution and traceback;
  • Actionable attribution where the application of the algorithms will produce attribution reports to be shared with the attribution community;
  • Historic public attack datasets brought together into a single distributed environment.

This cyber attribution project will include experts from Georgia Tech’s School of Electrical and Computer Engineering, College of Computing, and the GTRI.