On Friday, May 12, 2017, the WannaCry cryptoworm made its first appearance. It exploited a vulnerability in the Microsoft Windows operating system to break into computers, encrypt their data and post ransom notes.

Within a day, the code was reported to have infected more than 230,000 computers in over 150 countries. It shut down National Health Service hospitals in England and Scotland. FedEx, Spain’s Telefonica and Honda were among the hundreds of companies also affected. Although virtually none of the victims paid the ransom, the economic losses from the attack are estimated to have reached several billion dollars.

“Real world attack campaigns have become more sophisticated, coordinated and destructive over time,” said Professor Malathi Veeraraghavan, of the University of Virginia’s Charles L. Brown Department of Electrical and Computer Engineering. “Attacks like WannaCry are only the tip of the iceberg. There are other, more stealthy and more damaging approaches that can remain undetected in victim organizations for years.”

Working with UVA Computer Science Professor Jack Davidson, Professor Donald Brown of the Department of Engineering Systems and Environment, and UVA Information Security Engineer Jeffrey Collyer, Veeraraghavan has secured a nearly $7.6 million contract from the Defense Advanced Research Projects Agency (DARPA) to detect these broad-spectrum cyber threats almost immediately after they are launched.

“We aim to develop distributed algorithms that will detect live zero-day attacks,” Veeraraghavan said.

Strength in Numbers

As the name WannaCry illustrates, the prevailing method that cybersecurity companies around the world use to protect against intrusions is to view viruses and worms as specific entities and to focus on identifying the malicious code. Once an attack is detected by one organization, indicators of compromise are sent to other groups, which can then add corresponding information to their firewalls and intrusion detection systems.

This approach has a number of drawbacks, however. As in the case of WannaCry, this approach is retrospective. Only after malicious code is identified can computer security experts check network traffic for its signature. To compound this problem, it takes time for these threats to be visible locally.

Veeraraghavan and her colleagues are attempting something much more subtle. They want to be able to detect the telltale traces of an intrusion, rather than identify the intrusion itself, and this approach requires them to gather much more data. In essence, they want to harness the type of global coordination now used to report attacks to detect them.

“Our hypothesis is that such an interorganizational, globally coordinated effort will expose attacks quickly when they are still largely invisible to any single organization,” Veeraraghavan said.

Monitoring Data While Preserving Privacy

To do this, they will monitor data from host computers logs, authentication attempts and network traffic from multiple enterprises, and subject this data to optimized machine learning techniques capable of detecting the anomalies that are the first sign of an intrusion.

“We will first begin by establishing normal behavior and then look for anomalies relative to that behavior,” Veeraraghavan said.

In addition to managing the ongoing analysis of an extremely large volume of data, a key challenge for the team is preserving privacy. To address this issue, the team will develop deep neural network learning methods that do not require enterprises to send their data to a global repository.

“We have set ourselves a very ambitious challenge,” Veeraraghavan said, “but the benefits of early detection make it worth the effort. And we have assembled a team with the talent and expertise to be successful.”

UVA Engineering’s Research Innovation Awards, led by Executive Dean Pamela Norris and designed to provide a starting point for new collaborations, helped seed this project. Also, the project is related to the University’s Cyber Innovation & Society Initiative, supported by the office of UVA’s Vice President for Research Melur K. “Ram” Ramasubramanian. The initiative aims to understand cyber systems and their effects on society, to understand the risks and consequences of cyber attacks on those systems, and to ensure such systems operate and collect data in secure and dependable ways.

“Initiatives such as the Cyber Innovation & Society and the Research Innovation Awards are creating bridges between researchers that are enabling new and exciting work,” Davidson said.

In addition to the four principal investigators from UVA, the group led by Veeraraghavan includes research scientists Alastair Nottingham and William Hawkins, graduate and undergraduate students, and collaborators from Virginia Tech, Northeastern University and CCRI, a Central Virginia-based data science and software engineering company.

(DARPA distribution statement: Approved for public release, distribution unlimited.)