Abstract

The threat to the critical computing infrastructure nations depend upon has shifted. A new dynamic has emerged: adversaries leveraging a playbook of highly sophisticated, organized, and well-funded cyber attacks. These adversaries penetrate networks using exploits, tools, and techniques that are not detected by traditional client and network security software. Compromised networks stand to lose irreparable amounts of sensitive information and trade secrets once confidentiality is lost. The threat has shifted, but detection and response mechanisms have largely remained the same, and they continue to produce the largely ineffective result these advanced adversaries count on.

To counter this, a client-based relational indicator database schema was researched, designed, and implemented. This schema represents information that, when aggregated over time, constitutes an archive of actionable intelligence. The relational model contains tables of client snapshots, each of which is correlated to its respective subset of indicator metadata consisting of differing types of system information. A complete proof-of-concept implementation was developed using an agent-based reporting structure. The agent, named CAITO (Collector of Actionable Intelligence for Threat Observations), reports relevant system information to a database using the developed schema. CAITO is also capable of processing administrative instructions by accessing a remote XML-based configuration file. A front-end web portal was also developed to demonstrate how analyst queries can be run against the derived dataset. The technical implementation is designed to be integrated into any Microsoft Windows environment. It may be deployed as a Microsoft Self Installer through Active Directory to clients as a Windows-based service.
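The snapshot-to-indicator relationship described above, sketched as an added example that is not the thesis's own schema or CAITO code: the table names, the indicator kinds ("service", "autorun") and the sample reports are all assumptions constructed for illustration, but the shape (one snapshot per client per report, indicators keyed to a snapshot) is what makes the two analyst queries at the end possible.

```python
import sqlite3

# Assumed schema: clients -> timestamped snapshots -> indicator rows (kind, value).
SCHEMA = """
CREATE TABLE client   (id INTEGER PRIMARY KEY, hostname TEXT UNIQUE NOT NULL);
CREATE TABLE snapshot (id INTEGER PRIMARY KEY,
                       client_id INTEGER NOT NULL REFERENCES client(id),
                       taken_at TEXT NOT NULL);
CREATE TABLE indicator(id INTEGER PRIMARY KEY,
                       snapshot_id INTEGER NOT NULL REFERENCES snapshot(id),
                       kind TEXT NOT NULL, value TEXT NOT NULL);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def record_snapshot(db, hostname, taken_at, indicators):
    """Store one agent report: a list of (kind, value) pairs for a host at a time."""
    db.execute("INSERT OR IGNORE INTO client(hostname) VALUES (?)", (hostname,))
    cid = db.execute("SELECT id FROM client WHERE hostname=?", (hostname,)).fetchone()[0]
    sid = db.execute("INSERT INTO snapshot(client_id, taken_at) VALUES (?,?)",
                     (cid, taken_at)).lastrowid
    db.executemany("INSERT INTO indicator(snapshot_id, kind, value) VALUES (?,?,?)",
                   [(sid, k, v) for k, v in indicators])
    db.commit()
    return sid

def new_indicators(db, hostname):
    """Indicators in a host's latest snapshot that were absent from its previous one."""
    rows = db.execute("""SELECT id FROM snapshot
                         WHERE client_id=(SELECT id FROM client WHERE hostname=?)
                         ORDER BY taken_at DESC LIMIT 2""", (hostname,)).fetchall()
    if len(rows) < 2:
        return []  # no history yet, nothing to diff against
    latest, previous = rows[0][0], rows[1][0]
    return db.execute("""SELECT kind, value FROM indicator WHERE snapshot_id=?
                         EXCEPT SELECT kind, value FROM indicator WHERE snapshot_id=?
                         ORDER BY kind, value""", (latest, previous)).fetchall()

def hosts_with_indicator(db, kind, value):
    """Every host that has ever reported an indicator, with the time it was first seen."""
    return db.execute("""SELECT c.hostname, MIN(s.taken_at) FROM indicator i
                         JOIN snapshot s ON s.id=i.snapshot_id
                         JOIN client c ON c.id=s.client_id
                         WHERE i.kind=? AND i.value=?
                         GROUP BY c.hostname ORDER BY c.hostname""", (kind, value)).fetchall()

def build_sample():
    """Constructed sample reports (not real data): two hosts, two collection runs."""
    db = open_db()
    record_snapshot(db, "ws01", "2010-10-01T08:00", [("service", "Spooler"), ("autorun", "C:\\Windows\\explorer.exe")])
    record_snapshot(db, "ws02", "2010-10-01T08:05", [("service", "Spooler")])
    record_snapshot(db, "ws01", "2010-10-02T08:00", [("service", "Spooler"), ("autorun", "C:\\Windows\\explorer.exe"), ("autorun", "C:\\Temp\\updater.exe")])
    record_snapshot(db, "ws02", "2010-10-02T08:05", [("service", "Spooler"), ("autorun", "C:\\Temp\\updater.exe")])
    return db
```

Diffing consecutive snapshots surfaces what changed on a host, while the cross-host query shows how far a suspect value has spread and when it first appeared on each client.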

Publication Date

10-26-2010

Document Type

Thesis

Student Type

Graduate

Degree Name

Networking and System Administration (MS)

Advisor

Yin Pan

Advisor/Committee Member

Eric Hutchins

Advisor/Committee Member

Jason Koppe

Campus

RIT – Main Campus
