Cyber Grammar Representations for Attack Meta-Monitoring including Analysis and Response (CyGRAMMAR)
Aircraft pose a special challenge for cybersecurity: if a breach were to occur, flight operations cannot simply be turned off midair to attend to forensic analysis. Once a system is penetrated, an attack can wreak havoc. Cyberattacks can have devastating consequences such as capture of aircraft, manipulation of intelligence data, or loss of life.
“Security professionals are increasingly realizing that you can’t just build a big wall around assets; you have to have a means of watching systems on the inside. As a result, aviation manufacturers are now designing monitors into onboard aircraft systems looking for signs of malicious behavior. Cyber test engineers can also add monitors to the systems they’re testing to gain additional visibility into a system’s internal behavior.”
Dr. Terry Patten, Principal Scientist and Principal Investigator on the CyGRAMMAR effort
Although monitors can now have greater visibility into a system’s internal behavior, the large volume of alerts can create a new problem: Which ones are false alarms and which are worth pursuing? Since not every piece of data generated is problematic, “operators need some way of being able to take the data produced by a dozen monitors and understand the big picture,” Patten says.
To make sense of monitor data, Charles River Analytics is building upon its years of research in using linguistic principles to identify and analyze cyberattacks. “The theory is that individual behaviors might be normal, but when they occur in specific sequences, that reveals that there’s malicious activity underway,” Patten says. Grammars can make sense of complex sequences of observations.
Odineye™, a commercial product from Charles River Analytics, determines which cyberattacks are possible against a specific system based on its architecture and properties.
The CyGRAMMAR project takes Odineye a step further, using grammars to analyze the dynamic internal behavior of systems as revealed by monitors. The resulting technology, a cyber meta-monitor, can be used either for real-time, in-flight protection against cyberattacks or as cyber-testing technology.
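The grammar idea described above (monitor events that are each benign on their own but form a suspicious "phrase" when they occur in a particular order on the same subsystem) can be illustrated with a small recognizer that consumes the output of several monitors. The following is an added example written for this page, not code from Charles River Analytics, Odineye or the CyGRAMMAR project; the subsystem names, monitor names, event types, grammar rules and event records are all constructed.

```python
"""Toy grammar-based cyber meta-monitor over a stream of monitor events."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data (not from the CyGRAMMAR project). Each record is
# (timestamp_seconds, monitor_name, subsystem, event_type). Subsystem and
# event names are hypothetical; no single event is suspicious by itself.
SAMPLE_EVENTS = [
    (1.0, "bus-monitor",  "fms", "cfg_read"),
    (2.0, "proc-monitor", "ifa", "new_process"),
    (3.0, "bus-monitor",  "fms", "cfg_read"),
    (5.0, "bus-monitor",  "ifa", "cfg_read"),
    (6.0, "priv-monitor", "ifa", "priv_change"),
    (8.0, "bus-monitor",  "ifa", "cfg_write"),
    (9.0, "proc-monitor", "fms", "new_process"),
]


@dataclass(frozen=True)
class Production:
    """One grammar rule: a named phrase of terminals (event types) that must
    appear in this order, on the same subsystem, within `window` seconds.
    Unrelated events may be interleaved between the terminals."""
    name: str
    terminals: Tuple[str, ...]
    window: float


@dataclass(frozen=True)
class Alert:
    rule: str
    subsystem: str
    phrase: Tuple[Tuple[float, str], ...]  # matched (timestamp, event) pairs


# Hypothetical grammar: two phrases whose terminals are each normal in isolation.
GRAMMAR = [
    Production("config_tamper", ("cfg_read", "priv_change", "cfg_write"), 10.0),
    Production("process_burst", ("new_process", "new_process", "new_process"), 5.0),
]

# A partial parse is the tuple of (timestamp, event) pairs matched so far.
Parse = Tuple[Tuple[float, str], ...]


def parse_stream(events, grammar=GRAMMAR) -> List[Alert]:
    """Recognize grammar phrases in a time-ordered stream of monitor events.

    Partial parses are kept per (rule, subsystem). Each event advances every
    live partial parse whose next terminal it matches, and a matching first
    terminal also opens a new parse, so overlapping phrases are tracked.
    """
    alerts: List[Alert] = []
    partials: Dict[Tuple[str, str], List[Parse]] = {}
    for ts, _monitor, subsystem, etype in sorted(events):
        for prod in grammar:
            key = (prod.name, subsystem)
            # Drop parses whose time window has closed (first match too old).
            live = [p for p in partials.get(key, []) if ts - p[0][0] <= prod.window]
            if etype == prod.terminals[0]:
                live.append(())  # empty parse, advanced below by this event
            fired = False
            advanced: List[Parse] = []
            for parse in live:
                if prod.terminals[len(parse)] == etype:
                    parse = parse + ((ts, etype),)
                    if len(parse) == len(prod.terminals):
                        alerts.append(Alert(prod.name, subsystem, parse))
                        fired = True
                        continue  # complete phrase is not carried forward
                advanced.append(parse)
            # After a completed phrase, reset this rule's parses on the subsystem
            # so overlapping partial parses do not re-fire on the same events.
            partials[key] = [] if fired else advanced
    return alerts


if __name__ == "__main__":
    for alert in parse_stream(SAMPLE_EVENTS):
        steps = " -> ".join(f"{e}@{t:g}s" for t, e in alert.phrase)
        print(f"[{alert.rule}] {alert.subsystem}: {steps}")
```

On the constructed stream, the two `cfg_read` events on `fms` never fire because no `priv_change` and `cfg_write` follow them within the window, while the same `cfg_read` on `ifa` is reported once it is followed by `priv_change` and `cfg_write` within 10 seconds; the alert carries the matched phrase so an operator can see which monitor observations combined to form it, which is the "big picture" view the meta-monitor is meant to give.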
Cyber meta-monitor technology can be used in both military and commercial applications. “As monitors become more common in cyber defense and testing, the demand for cyber meta-monitor technology will increase,” Patten predicts.
This material is based upon work supported by the United States Air Force Research Laboratory (AFRL), AFWERX, AFRL/RGKB under Contract No. FA8649-21-P-1579. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Air Force Research Laboratory.