Charles River Analytics received a Small Business Innovation Research (SBIR) contract from the Air Force Research Laboratory (AFRL) to improve cyber resiliency of aircraft systems. Cyber Grammar Representations for Attack Meta-Monitoring including Analysis and Response (CyGRAMMAR) is the result of this effort.
Aircraft pose a special challenge for cybersecurity: if a breach occurs, flight operations cannot simply be turned off mid-air to attend to forensic analysis. Once a system is penetrated, attacks can wreak havoc. Cyberattacks can have devastating consequences such as capture of aircraft, manipulation of intelligence data, or loss of life.
“Security professionals are increasingly realizing that you can’t just build a big wall around assets. You need a means of watching systems on the inside,” says Dr. Terry Patten, Principal Scientist at Charles River Analytics and Principal Investigator of CyGRAMMAR. As a result, Patten says, “aviation manufacturers are now designing monitors into onboard aircraft systems that look for signs of malicious behavior.” Cyber test engineers can also add monitors to the systems they’re testing to gain additional visibility into a system’s internal behavior.
However, the large volume of alerts generated by these monitors creates a new problem: Which alerts are false alarms and which are worth pursuing? Since not every piece of data generated is problematic, “we need to automate the process of analyzing the data produced by many monitors to understand the big picture,” Patten says.
To make sense of monitor data, Charles River Analytics is extending its years of research in using linguistic principles to identify and analyze cyberattacks. “The theory is that individual behaviors might be normal, but when they occur in specific sequences, that reveals that there’s malicious activity underway,” Patten says. Grammars can make sense of complex sequences of observations.
Odineye™, a commercial product from Charles River Analytics, determines which cyberattacks are possible against a specific system based on its architecture and properties.
The CyGRAMMAR project takes Odineye a step further, using grammars to analyze the dynamic internal behavior of systems as revealed by monitors. The resultant technology, a cyber meta-monitor, can be used either for real-time, in-flight protection against cyberattacks or as cyber testing technology.
Cyber meta-monitor technology can be used in both military and commercial applications. “As monitors become more common in cyber defense and testing, the demand for cyber meta-monitor technology will increase,” Patten predicts.
This material is based upon work supported by the United States Air Force Research Laboratory (AFRL), AFWERX, AFRL/RGKB under Contract No. FA8649-21-P-1579. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Air Force Research Laboratory.