New ways to detect network attacks sooner

Compressing the network traffic sent to central analysis servers may allow analysts to detect intrusions earlier in the transmission process.

Army researchers may have figured out how to detect bad actors earlier in their attacks, which will help better defend Defense Department networks.

Cyber intrusions are currently detected by analysts who monitor data transmitted from the defended network’s detection sensors to central analysis servers. Shipping that data takes so much bandwidth that most systems send analysts only alerts or summaries, so some intrusions go undetected.

Now, researchers with Army Research Laboratory and Towson University found that compressing the traffic allowed analysts to detect intrusions earlier in the transmission process.

"This strategy should be effective in reducing the amount of network traffic sent from the sensor to central analyst system," Sidney Smith, an ARL researcher and the study's lead author, said. "Ultimately, this strategy could be used to increase the reliability and security of Army networks."

Next on the Army researchers’ agenda is to incorporate network classification and additional compression techniques to reduce the amount of traffic transmitted to central analysis systems to under 10% of its original volume while losing less than 1% of the cybersecurity alerts.
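To make that target concrete, here is an added example (not ARL's code or method; none of the study's details are reproduced): a small Python harness that scores a traffic-reduction strategy on exactly the two numbers the goal is stated in, the fraction of the original sensor volume that gets shipped and the fraction of alerts the analyst side still raises. The sensor records, the three payload signatures standing in for the analyzer's rules, and the two strategies compared (per-record zlib compression, and zlib plus truncating each payload to a 64-byte prefix) are all constructed for illustration.

```python
"""
Added example, not ARL's code: score a sensor-traffic reduction strategy on
(bytes shipped / original bytes) and (alerts still raised / alerts on full data).
Records, signatures and both reduction strategies are constructed for illustration.
"""
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One sensor observation: flow endpoints plus the captured payload bytes."""
    src: str
    dst: str
    payload: bytes


# Constructed payload signatures standing in for the central analyzer's rules.
SIGNATURES = {
    "cmd_injection": b";/bin/sh",
    "sqli": b"' OR 1=1",
    "php_webshell": b"<?php eval(",
}

# Constructed sensor records: one benign flow and three that should alert.
# Two of the three signatures sit deep in the payload, past a 64-byte prefix.
RECORDS = [
    Record("10.0.0.5", "10.0.0.80", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Record("10.0.0.6", "10.0.0.80", b"GET /cgi?x=;/bin/sh HTTP/1.1\r\n"),
    Record("10.0.0.7", "10.0.0.80", b"POST /login HTTP/1.1\r\n" + b"A" * 200 + b"user=' OR 1=1"),
    Record("10.0.0.8", "10.0.0.80", b"POST /upload HTTP/1.1\r\n" + b"\x00" * 500 + b"<?php eval($_POST[c]);"),
]


def detect(records):
    """Central-analyzer stand-in: the set of (record index, rule name) pairs that fire."""
    return {(i, name) for i, r in enumerate(records)
            for name, sig in SIGNATURES.items() if sig in r.payload}


def raw_size(records):
    """Bytes the sensor would ship with no reduction at all (the 'original volume')."""
    return sum(len(r.src) + len(r.dst) + len(r.payload) for r in records)


def truncate(records, keep_bytes):
    """Lossy strategy (constructed): forward only the first keep_bytes of each payload."""
    return [Record(r.src, r.dst, r.payload[:keep_bytes]) for r in records]


def shipped_size(records):
    """Bytes on the wire: flow metadata plus a per-record zlib stream of the payload."""
    return sum(len(r.src) + len(r.dst) + len(zlib.compress(r.payload, 9)) for r in records)


def evaluate(records, keep_bytes=None):
    """
    Score one strategy. Returns (volume_ratio, alert_retention):
      volume_ratio    = bytes shipped / bytes of the unreduced records
      alert_retention = alerts still raised on the analyst side / alerts on the full data
    keep_bytes=None means lossless compression only; an int adds payload truncation.
    """
    baseline = detect(records)
    reduced = records if keep_bytes is None else truncate(records, keep_bytes)
    # The analyst decompresses before matching, so detection runs on the reduced records.
    retained = detect(reduced) & baseline
    return shipped_size(reduced) / raw_size(records), len(retained) / len(baseline)


def meets_target(volume_ratio, alert_retention, max_volume=0.10, max_loss=0.01):
    """The stated goal: under 10% of original volume while losing under 1% of alerts."""
    return volume_ratio < max_volume and (1.0 - alert_retention) < max_loss


if __name__ == "__main__":
    for label, keep in (("zlib only", None), ("zlib + 64-byte prefix", 64)):
        vol, kept = evaluate(RECORDS, keep)
        print(f"{label:22s} volume {vol:6.1%}  alerts kept {kept:6.1%}  "
              f"target met: {meets_target(vol, kept)}")
```

Lossless compression cannot lose an alert, so its retention is 1.0 by construction and its whole effect shows up in the volume column; the truncating strategy buys further volume reduction but drops the two signatures that sit beyond the 64-byte prefix, which is exactly the kind of loss a 1% alert budget is meant to bound. On this constructed data the lossless run also lands well short of 10% of original volume, which illustrates why the target calls for reduction techniques beyond compression alone.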

ARL's research echoes a recurring DOD theme that emphasizes network protection and the need for cybersecurity throughout the entire organization.

For example, DOD hopes to boost funds to cyber forces in the 2020 defense spending bill -- a move that’s in lockstep with the overall government budget. And back on the research side, the Defense Advanced Research Projects Agency is looking to solve cyber problems with tactics such as cyber hunting on an enterprise scale, conducting hackathons and building an air-gapped system to protect data at rest.

This article was first posted to FCW, a sibling site to Defense Systems.