MITRE's cybersecurity research focuses on the advanced cyber threat. Our research projects are motivated by real-world problems encountered by MITRE and our sponsors. We are developing techniques to disrupt, deceive, and deter cyber adversaries; to build information systems that are both trustworthy and resilient; and to ensure agile command and control of cyberspace operations. Key focus areas include network security, mobile security, cloud security, mission assurance and resiliency, deception and denial, and cyber analytics.
The Technology Transfer Office transitions MITRE-developed technologies to companies that make them available for public use. This enables others to benefit from our research. (MITRE Research Program)
MITRE's cybersecurity research portfolio includes over 30 projects. Summaries of several key projects follow:
Desktop Demilitarized Zone:
The Desktop DMZ research team is improving desktop security by using virtualization technology to provide a desktop environment that operates across multiple trust zones.
When a user clicks an Internet link from a browser or any other application running on the desktop, the Desktop DMZ automatically launches a browser on a virtual machine in the DMZ. Because the virtual machine is integrated seamlessly into the user's environment, the user's workflow changes very little: the DMZ-based virtual machine securely "transmits" only the browser window back to the enterprise-connected computer, so the user continues to see a "normal" browser window while the host is exposed to minimal risk from any malware. Any malware that is brought back stays on the DMZ-connected disposable computer, which is periodically re-instantiated to a "clean state" to flush it. The Desktop DMZ also provides an integrated capability to transfer files discovered in the riskier Internet zone to the enterprise and to print them on existing enterprise resources. A persistent list of allowable capabilities gives the user room to customize while letting the enterprise regulate configurations through policy. For enterprise administrators, the system provides a differential patching mechanism that patches the virtual machines from a centralized patch library.
References:
G. Nakamoto, J. Schwefler, K. Palmer: Desktop Demilitarized Zone. MILCOM 2011 (IEEE Military Communications Conference), 7-10 Nov. 2011, pp. 1487-1492.
Exploit Latent Information to Counter Insider Threats (ELICIT):
ELICIT is a prototype designed to help identify and investigate malicious insiders: insiders who operate within their privileges but outside the scope of their duties.
Traditional detection approaches have not been effective at detecting adversaries after they have breached an organization's perimeter and compromised internal networks. Once inside, attackers can leverage their "insider" access, using compromised user accounts to gather and exfiltrate sensitive data. Based on our experience with insider threat detection, we believe that to detect this behavior organizations must understand how their users interact with internal information, and must leverage what they know (context) about both users and information, to identify suspicious patterns.
Our ELICIT detection approach identifies masqueraders by their patterns of information use. We leverage the indicators developed through ELICIT and build others to characterize how users gather information. User behavior, as measured by these indicators, is treated as a signal: we look for departures from a user's information-use signal to spot an adversary using the same account for malicious purposes.
To test our concept, we have studied the information gathering patterns of insiders in a large, real-world organization. We believe our approach turns the tables on the adversary, taking advantage of the organization's superior understanding of how its users behave to spot masqueraders who, until they learn the account's norms, run the risk of behaving in a detectable manner. This approach adds an additional layer (post-compromise detection) to a defense-in-depth strategy, raising the bar for adversaries.
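The "signal departure" idea above, as an added illustration rather than ELICIT's own indicators or code: a per-user baseline is built from historical information-use records (which collections a user reads, and how much per day), and a new day's activity is scored for collections the account has never touched and for volume far outside its norm. The access records, user names, collection names and the z-score threshold are all constructed for this example.

```python
import statistics
from collections import defaultdict

# Constructed access log: (user, day, collection, documents_fetched).
# analyst1 normally reads two finance collections at 20-28 documents a day;
# these are sample records, not data from the study mentioned above.
_DAILY = [22, 25, 20, 28, 24, 26, 21, 27, 23, 24]
HISTORY = [
    ("analyst1", day, "finance/q3" if day % 2 else "finance/q4", n)
    for day, n in enumerate(_DAILY, start=1)
] + [("eng1", day, "engineering/designs", 15) for day in range(1, 11)]


def build_baselines(records):
    """Per-user norms: collections touched and daily-volume mean/stdev."""
    by_user = defaultdict(lambda: {"collections": set(), "daily": defaultdict(int)})
    for user, day, collection, n in records:
        by_user[user]["collections"].add(collection)
        by_user[user]["daily"][day] += n
    baselines = {}
    for user, b in by_user.items():
        counts = list(b["daily"].values())
        baselines[user] = {
            "collections": frozenset(b["collections"]),
            "mean": statistics.mean(counts),
            # floor the spread so a perfectly regular user does not divide by zero
            "stdev": max(statistics.pstdev(counts), 1.0),
        }
    return baselines


def score_day(baseline, day_records, z_threshold=3.0):
    """Indicators on which one day's activity departs from the user's signal."""
    indicators = []
    touched = {collection for _, _, collection, _ in day_records}
    new_collections = touched - baseline["collections"]
    if new_collections:
        indicators.append(("new_collections", sorted(new_collections)))
    total = sum(n for _, _, _, n in day_records)
    z = (total - baseline["mean"]) / baseline["stdev"]
    if z > z_threshold:
        indicators.append(("volume_zscore", round(z, 1)))
    return indicators


def detect(records, day_records):
    """Score each user's activity in day_records against that user's own baseline."""
    baselines = build_baselines(records)
    by_user = defaultdict(list)
    for rec in day_records:
        by_user[rec[0]].append(rec)
    return {user: score_day(baselines[user], recs) for user, recs in by_user.items()}


# Day 11 (constructed): analyst1's account suddenly pulls hundreds of documents
# from collections it has never touched, while eng1 behaves as usual.
DAY_11 = [
    ("analyst1", 11, "engineering/designs", 250),
    ("analyst1", 11, "hr/salaries", 150),
    ("eng1", 11, "engineering/designs", 14),
]

if __name__ == "__main__":
    for user, indicators in detect(HISTORY, DAY_11).items():
        print(user, indicators or "within baseline")
```

The baseline is per account, which is the point: a masquerader who has the right password still has to match the account's habits, and until they do their reads of unfamiliar collections and their volume show up as departures.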
References:
M.A. Maloof, G.D. Stephens: ELICIT: A System for Detecting Insiders Who Violate Need-to-Know. Recent Advances in Intrusion Detection (RAID), LNCS 4637, Springer, 2007, pp. 146-166.
D.D. Caputo, G. Stephens, B. Stephenson, M. Cormier, M. Kim: An Empirical Approach to Identify Information Misuse by Insiders (Extended Abstract). Recent Advances in Intrusion Detection (RAID), 2008, pp. 402-403.
D. Caputo, M.A. Maloof, G.D. Stephens: Detecting Insider Theft of Trade Secrets. IEEE Security & Privacy 7(6), 2009, pp. 14-21.
Video: M. Brooks, K. McKay: Leveraging Internal Network Traffic to Detect Malicious Activity: Lessons Learned. Presentations at the International Conference on Cyber Security (ICCS) and the Purdue CERIAS Seminar, 2012.
Honeyclients:
The honeyclient technology developed under this research activity can help any organization protect against compromises by enhancing its advance warning and threat reporting capabilities.
Honeyclients are dedicated systems that drive client-side applications to access remote content to determine if the content is malicious. MITRE’s operational honeyclients are virtual machines that drive multiple versions of several different web browsers to various websites to determine whether they are attempting to exploit the browsers with unknown vulnerabilities. The intent is to discover and collect new malware variants, and identify previously unknown malicious websites to prevent compromises to real client systems in the enterprise.
Honeyclients detect malicious websites that cause client compromises by performing real-time anomaly detection of the file system, registry, and process information within the virtual machine. During normal browsing, the browser makes "benign" changes to the virtual machine. These changes are codified as lists of acceptable parameters. Therefore, when browsing unknown websites, any activity that does not fall within these lists is deemed malicious.
A distributed architecture has been developed that allows multiple honeyclients on different networks to report back to a central repository with their results and obtain their workload assignments.
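The allowlist-based anomaly detection described above, as an added example that is not MITRE's honeyclient code: the VM's file system, registry and process table are snapshotted before and after a visit, the differences are compared against lists of changes a browser is expected to make, and anything not on those lists is reported. The allowlist patterns, path and key names, and the before/after snapshots are constructed for the example.

```python
import fnmatch
from dataclasses import dataclass

# Changes a browser is allowed to make during normal browsing, as glob
# patterns per category. This allowlist and the snapshots below are
# constructed for the example; they are not MITRE's honeyclient profiles.
BENIGN_CHANGES = {
    "file": [
        r"c:\users\*\appdata\local\temp\*.tmp",
        r"c:\users\*\appdata\local\microsoft\windows\temporary internet files\*",
    ],
    "registry": [
        r"hkcu\software\microsoft\internet explorer\*",
    ],
    "process": ["iexplore.exe"],
}


@dataclass(frozen=True)
class Snapshot:
    """State of the honeyclient VM at one instant."""
    files: frozenset
    registry: frozenset
    processes: frozenset


def diff_snapshots(before, after):
    """New files, registry keys and processes that appeared during a visit."""
    return {
        "file": after.files - before.files,
        "registry": after.registry - before.registry,
        "process": after.processes - before.processes,
    }


def is_benign(category, item):
    item = item.lower()  # Windows paths and key names are case-insensitive
    return any(fnmatch.fnmatchcase(item, pattern) for pattern in BENIGN_CHANGES[category])


def classify_visit(before, after):
    """Everything outside the allowlist is reported; an empty list means the
    site looked benign to this honeyclient."""
    findings = []
    for category, items in diff_snapshots(before, after).items():
        for item in sorted(items):
            if not is_benign(category, item):
                findings.append((category, item))
    return findings


def sample_visit():
    """Constructed before/after snapshots of a visit that drops a payload,
    adds a Run-key persistence entry and spawns a shell."""
    before = Snapshot(
        files=frozenset({r"C:\Windows\System32\kernel32.dll"}),
        registry=frozenset({r"HKCU\Software\Microsoft\Internet Explorer\Main"}),
        processes=frozenset({"explorer.exe", "iexplore.exe"}),
    )
    after = Snapshot(
        files=before.files | {
            r"C:\Users\hc\AppData\Local\Temp\ie3F2A.tmp",     # browser temp file, expected
            r"C:\Users\hc\AppData\Roaming\svchost.exe",       # dropped executable
        },
        registry=before.registry | {
            r"HKCU\Software\Microsoft\Internet Explorer\TypedURLs",         # expected
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost",  # persistence
        },
        processes=before.processes | {"cmd.exe"},             # spawned by the exploit
    )
    return before, after


if __name__ == "__main__":
    for category, item in classify_visit(*sample_visit()):
        print("%-8s %s" % (category, item))
```

Because the allowlist describes what the browser is permitted to do rather than what malware looks like, a drive-by exploiting a previously unknown vulnerability is caught by its side effects on the VM; the price is that every browser version the honeyclient drives needs its own accurate list, or benign cache and profile writes will be reported.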
Resilient Architectures for Mission and Business Objectives (RAMBO):
The RAMBO research team focuses on enabling mission assurance through resiliency.
Resiliency is the ability to provide and maintain an acceptable level of service in the face of faults and challenges to normal operation. This research activity is exploring new ideas and techniques that enable fight-through capabilities through a secure resilient architecture. The RAMBO lab developed under this research activity provides a venue for continuously developing, improving, integrating, and demonstrating resilience strategies and technologies for transition to MITRE and sponsor infrastructures. Multiple capabilities, scenarios and techniques have been explored and demonstrated in the RAMBO lab.
Resiliency Assessment:
This research team has defined a cyber resiliency assessment methodology, which consists of a cyber resiliency framework, a process for assessing cyber resiliency, and a representative set of metrics that can be used in an assessment.
Engineering and operational decisions to improve cyber resiliency need to be supported by suitable metrics and assessment processes. The framework and set of metrics developed under this research activity are designed to be extensible, tailorable, and thus applicable to a broad range of organizational users.
Securing Databases through Encryption:
The goal of this research is to enable users to perform relational database management system (DBMS) query processing directly on a database in its fully encrypted form, addressing risks such as advanced cyber attacks against DBMS servers and the exposure of sensitive data to third-party clouds.
This research activity has developed a prototype piece of middleware called DataStorm that transparently fields an application/user query, rewrites it for execution in a fully encrypted DBMS, then decrypts and returns the correct final answers to the application/user without noticeably degrading performance. Using DataStorm, plaintext data and the encryption keys are never exposed at the database server. DataStorm leverages specialized forms of encryption to perform SQL operations on ciphertext.
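The query-rewriting pattern described above, as an added example that is not DataStorm's code: a small middleware in front of an in-memory SQLite server holds the only copy of the key, stores each column in a deterministic form (so the server can evaluate equality on ciphertext) and a randomized form (so it can be returned and decrypted), rewrites a plaintext SELECT into its ciphertext equivalent, and decrypts the rows it gets back. The table, columns, sample rows, the restricted query shape the regular expression accepts, and the HMAC-based toy ciphers are all assumptions of this example; a real deployment would use an authenticated cipher such as AES-GCM for the randomized column.

```python
import hashlib
import hmac
import os
import re
import sqlite3
import struct

# Logical column -> (equality-searchable ciphertext column, decryptable column).
# A column with no searchable form can be returned but not filtered on.
SCHEMA = {
    "name":   ("name_det", "name_enc"),
    "dept":   ("dept_det", "dept_enc"),
    "salary": (None,       "salary_enc"),
}
QUERY_RE = re.compile(
    r"SELECT\s+([\w\s,]+?)\s+FROM\s+employees\s+WHERE\s+(\w+)\s*=\s*'([^']*)'", re.I)


class Middleware:
    """Sits between application and DBMS; the only place the key exists."""

    def __init__(self, conn, key):
        self.conn = conn
        self.k_det = hmac.new(key, b"deterministic", hashlib.sha256).digest()
        self.k_rnd = hmac.new(key, b"randomized", hashlib.sha256).digest()

    def det(self, value):
        """Deterministic: equal plaintexts give equal tokens, so the server
        can evaluate equality without learning the value."""
        return hmac.new(self.k_det, value.encode(), hashlib.sha256).digest()

    def enc(self, value):
        """Randomized: fresh nonce per value, so equal plaintexts differ."""
        nonce = os.urandom(16)
        return nonce + self._keystream_xor(nonce, value.encode())

    def dec(self, blob):
        return self._keystream_xor(blob[:16], blob[16:]).decode()

    def _keystream_xor(self, nonce, data):
        # HMAC-SHA256 in counter mode as a toy stream cipher (no integrity).
        out = bytearray()
        for block, offset in enumerate(range(0, len(data), 32)):
            ks = hmac.new(self.k_rnd, nonce + struct.pack(">I", block), hashlib.sha256).digest()
            out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], ks))
        return bytes(out)

    def insert(self, name, dept, salary):
        self.conn.execute(
            "INSERT INTO employees VALUES (?, ?, ?, ?, ?)",
            (self.det(name), self.enc(name), self.det(dept), self.enc(dept), self.enc(salary)))

    def query(self, sql):
        """Rewrite a plaintext SELECT ... WHERE col = 'v' into its ciphertext
        form, run it on the server, and decrypt the answer."""
        m = QUERY_RE.fullmatch(sql.strip())
        if not m:
            raise ValueError("unsupported query shape")
        columns = [c.strip() for c in m.group(1).split(",")]
        where_col, literal = m.group(2), m.group(3)
        det_col = SCHEMA[where_col][0]
        if det_col is None:
            raise ValueError("%s is not equality-searchable" % where_col)
        rewritten = "SELECT %s FROM employees WHERE %s = ?" % (
            ", ".join(SCHEMA[c][1] for c in columns), det_col)
        rows = self.conn.execute(rewritten, (self.det(literal),)).fetchall()
        return [tuple(self.dec(v) for v in row) for row in rows]


def demo():
    """In-memory server holding only ciphertext; sample rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name_det BLOB, name_enc BLOB, "
                 "dept_det BLOB, dept_enc BLOB, salary_enc BLOB)")
    mw = Middleware(conn, key=b"example-master-key")
    for row in [("alice", "eng", "120000"), ("bob", "eng", "95000"), ("carol", "finance", "80000")]:
        mw.insert(*row)
    return mw


if __name__ == "__main__":
    mw = demo()
    print(mw.query("SELECT name, salary FROM employees WHERE dept = 'eng'"))
```

The caveat a practitioner should keep in mind is visible in the schema: deterministic columns are what make server-side equality possible, and they also leak which rows share a value (two employees in the same department have identical `dept_det` blobs). Which columns get a searchable form is therefore a security decision, not just a performance one.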
References:
Kenneth P. Smith, Ameet Kini, William Wang, Chris Wolf, M. David Allen, Andrew Sillers: "Intuitive Interaction with Encrypted Query Execution in DataStorm," ICDE 2012, pp. 1333-1336.
System Measurement and Attestation Capabilities (SMAC):
The SMAC research team is developing methods to detect advanced cyber threat presence on end hosts within key firmware, operating system, and application regions.
The methods developed under the SMAC research activity are combined in a prototype called Checkmate, which collects measurements of key system components at the firmware and operating system levels, beginning with the boot process, and safely transmits them to a remote verification server to be analyzed. Current versions of Checkmate use a combination of software- and hardware-based attestation to ensure integrity of the Checkmate system and the data it sends. It detects advanced attacks both at the Windows XP operating system level (rootkits) and at the BIOS level (bootkits). It is deployed on ~100 systems within MITRE. Future plans include operational improvements and application integrity verification features.
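The measure-then-verify flow described above, as an added example that is not Checkmate's code: the client hashes each boot component in order and folds the digests into a TPM-PCR-style register, sends the measurement log together with a quote over the register and a verifier-chosen nonce, and the verification server replays the log, checks it against the quoted register and compares each entry with known-good values. The component images, golden digests and attestation key are constructed; an HMAC over (nonce, register) stands in for the hardware attestation signature a TPM would produce.

```python
import hashlib
import hmac
import os


def _h(data):
    return hashlib.sha256(data).digest()


# Constructed placeholders for firmware/OS images and the verifier's
# table of known-good digests for approved builds.
CLEAN_COMPONENTS = [
    ("bios", b"vendor BIOS 2.3 image"),
    ("mbr", b"boot sector"),
    ("bootmgr", b"windows boot manager"),
    ("ntoskrnl.exe", b"kernel image"),
]
GOLDEN = {name: _h(image) for name, image in CLEAN_COMPONENTS}
INITIAL_REGISTER = b"\x00" * 32


def measure_boot(components):
    """Client side: hash each component in boot order and fold it into a
    PCR-style register, reg = H(reg || H(component)). Returns the
    measurement log and the final register value."""
    register = INITIAL_REGISTER
    log = []
    for name, image in components:
        digest = _h(image)
        log.append((name, digest))
        register = _h(register + digest)
    return log, register


def quote(register, nonce, key):
    """Stand-in for a hardware attestation signature over (nonce, register);
    the key plays the role a TPM attestation key would play."""
    return hmac.new(key, nonce + register, hashlib.sha256).digest()


def verify(log, register, nonce, signature, key):
    """Verification server: check the quote, replay the log against the
    quoted register, then compare each entry with the golden values."""
    if not hmac.compare_digest(quote(register, nonce, key), signature):
        return ["quote signature invalid"]
    findings = []
    replay = INITIAL_REGISTER
    for _, digest in log:
        replay = _h(replay + digest)
    if replay != register:
        findings.append("measurement log does not reproduce quoted register")
    for name, digest in log:
        if name not in GOLDEN:
            findings.append("unknown component measured: %s" % name)
        elif digest != GOLDEN[name]:
            findings.append("component differs from golden value: %s" % name)
    return findings


def attest(components, key, tamper_log=False):
    """One attestation round trip. With tamper_log=True the attacker rewrites
    the log after boot to show clean digests; the register, already extended
    with the real values, still exposes the edit."""
    nonce = os.urandom(16)  # verifier-chosen; stops replay of an old quote
    log, register = measure_boot(components)
    if tamper_log:
        log = [(name, GOLDEN.get(name, digest)) for name, digest in log]
    return verify(log, register, nonce, quote(register, nonce, key), key)


# Constructed bootkit scenario: the BIOS image has been modified.
BOOTKIT_COMPONENTS = [("bios", b"vendor BIOS 2.3 image + implant")] + CLEAN_COMPONENTS[1:]

if __name__ == "__main__":
    key = b"example-attestation-key"
    print("clean:  ", attest(CLEAN_COMPONENTS, key))
    print("bootkit:", attest(BOOTKIT_COMPONENTS, key))
    print("log edit:", attest(BOOTKIT_COMPONENTS, key, tamper_log=True))
```

The three scenarios show why the page stresses hardware-based attestation: a software-only log can be rewritten by a rootkit that already controls the OS, but a register that is only ever extended, and whose value is signed by something the OS cannot impersonate, turns that rewrite into a detectable mismatch.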