To better safeguard digital information, a team of researchers at the Department of Energy’s Oak Ridge National Laboratory (ORNL) has developed Akatosh, a security analysis tool that works in conjunction with standard software to detect significant irregularities in computer networks.
“Akatosh is a system that provides deeper context to existing IT infrastructure designed to solve security problems,” said Jared Smith, a cybersecurity researcher in ORNL’s Computing and Computational Sciences Directorate who developed the new technology. “It gives you a historical look of what’s changing on a computer over time.”
This new resource coordinates with intrusion detection systems (IDS), which monitor computer networks for private companies, government facilities, and academic institutions and set off alerts in response to abnormal activity. IDSs tend to trigger false alerts, forcing cybersecurity analysts and IT professionals to manually search the network for changes.
Any organization with a lot of people using computers will get thousands of alerts a day, and someone of course has to sift through them. Smith said Akatosh can save time and resources compared with the typical tools available that provide a bunch of data that analysts have to look at to decide whether or not the system has actually been breached.
Akatosh periodically takes snapshots of host systems on the network during everyday operations to establish a baseline, then takes another snapshot each time an IDS alert occurs. By comparing these snapshots, the system can immediately show the changes that transpired leading up to and during a cyber event. Automating the process of sorting through IDS alerts reduces the time and cost required to identify the source of a security incident and neutralize the threat.
“At a technical level, we can see whether passwords are being extracted, whether files are being copied, and we know how these things are potentially threatening because they weren’t happening before we got an alert,” Smith said. “That’s where we’re able to provide context.”
The system summarizes relevant changes and sends a report to the network administrator to quickly determine whether the changes indicate the presence of a legitimate security threat. The ability to accurately determine the validity of IDS alerts in real time means analysts can begin mitigating the negative effects of malware attacks, phishing emails, and other cybersecurity problems as soon as they appear.
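The baseline-then-alert comparison described above, reduced to a small script. This is an added illustration, not ORNL's Akatosh code: it assumes a snapshot is a map of relative path to sha256, size and permission bits, and the watch list of sensitive paths is an assumption.

```python
import hashlib, os, stat
from dataclasses import dataclass

@dataclass(frozen=True)
class FileState:
    sha256: str
    size: int
    mode: int

def snapshot(root):
    """Walk root and record hash, size and permission bits of every regular file."""
    state = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets, devices
                h = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        h.update(chunk)
            except OSError:
                continue  # unreadable, or removed between walk and read
            state[os.path.relpath(full, root)] = FileState(
                h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))
    return state

def diff_snapshots(baseline, current):
    """Changes between the baseline and an alert-time snapshot."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }

# Assumed watch list: paths whose change an analyst should see first.
SENSITIVE_PREFIXES = ("etc/shadow", "etc/passwd", "etc/sudoers", "root/.ssh")

def report(alert_id, changes):
    """Plain-text summary for the administrator, sensitive paths flagged."""
    lines = [f"alert {alert_id}: {sum(len(v) for v in changes.values())} file change(s)"]
    for kind in ("added", "removed", "modified"):
        for path in changes[kind]:
            flag = " [SENSITIVE]" if path.startswith(SENSITIVE_PREFIXES) else ""
            lines.append(f"  {kind:8} {path}{flag}")
    return "\n".join(lines)
```

In use, `snapshot()` runs once at a quiet time to produce the baseline and again when the IDS fires; `report(alert_id, diff_snapshots(baseline, snapshot(root)))` is what the administrator would receive.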
To demonstrate Akatosh’s capabilities, the team recently traveled to San Francisco for RSA, the largest security conference in the country. They also attended Department of Homeland Security (DHS) summits in New York and Washington. The team uses real malware in its demonstrations, showing how a machine changes as the malware spreads across it, which helps in identifying the problem.
Funding for Akatosh comes from ORNL’s Global Security Directorate under Work for Others for the DHS Transition to Practice Program, which helps showcase new technologies and foster partnerships between product developers and potential commercial partners. Several companies have shown interest in licensing Akatosh after observing promising demonstrations.