Cyber Terrorism/Crime Investigation Framework
In 2004, in what is now known as Incident 216, an attacker from a foreign country launched a series of attacks against hosts in U.S. government, higher education, and commercial institutions, in addition to similar institutions abroad. This intruder installed SSH trojans, harvested usernames and passwords, and used them to gain further privileges and access to other systems. In many cases the intruder managed to carry out these activities without disrupting the system, which allowed him/her to proceed undetected.

Responding to attacks like Incident 216 can be difficult and time-consuming, requiring investigators to acquire and analyze large amounts of data across a wide range of distributed systems. While system administrators at these sites are usually very cooperative, they often lack the skills or time necessary to assist the investigation effectively. As a result, lead investigators frequently must walk sites individually through the process of gathering data on their local systems, in addition to collecting, managing, and analyzing the data. And even investigations themselves can be compromised: at one point during the investigation of Incident 216, it became clear that the intruder was monitoring the investigators' email. Because encrypting one-to-one email between users is far easier than encrypting email sent to a group, communication became much more difficult.

Motivated by cases like Incident 216, NCASSR's project team of software component developers and software integration engineers will, in 2006-2007, be working collaboratively with the FBI to design and build a fully integrated cyber investigation system that leverages previous NCASSR-supported work and expertise. At the end of Year 4, the project will result in a functional prototype that demonstrates the effectiveness of this system in the investigation of a real-world cyberterrorism case example.

Specifically, we envision this system having the following architectural components:
  • A problem solving environment that provides a convenient user interface to data management services and tool selection, and produces audit logs of all activities so that steps can be documented and retraced.

  • Tools for data analysis, including analysis tools that use statistical and machine learning techniques to do a detailed analysis and discovery of patterns and anomalies, visualization tools that simplify complex data in a graphical format, and data transformation tools for such things as format conversions, error correction, privacy enhancement, and more.

  • A secure collaboration environment that supports secure communications, the formation of virtual investigation teams, group discussion space, information sharing, display sharing, and all the typical capabilities a collaborative environment supports.

  • Scenario-specific development that will integrate the various components into a unified prototype cyber terrorism investigation framework. In addition, this effort will develop a scenario-specific user interface that allows the domain experts to utilize the framework's capabilities. Finally, this effort will validate, document, and orchestrate the demonstration of the prototype.
 
Project Leads
Randy Butler, NCSA
Von Welch, NCSA
Mike Freemon, NCSA



SELS 0.7 released
Secure Email List Services (SELS) is open source software for creating and developing secure email list services among user communities.
 
Strong community engagement strengthens cybersecurity research and development
NCASSR-supported exploratory research at NCSA and elsewhere has sparked additional external funding and development opportunities as well as successful deployment and adoption by users ranging from the defense sector to state law enforcement to the utilities industry.
 
NCASSR Collaborator Goes To Washington
Carl Gunter, a professor in the University of Illinois Department of Computer Science and a project lead on NCASSR-supported work involving adaptive, secure messaging, recently spoke to an audience of congressional staffers and lobbyists on Capitol Hill regarding ways to address a variety of critical cybersecurity issues in areas such as healthcare and energy distribution.