HACSAW

Abstract

The HPC Architecture for Cyber Situational Awareness (HACSAW) was established by the Department of Defense (DoD) High Performance Computing Modernization Program (HPCMP) to combine a rich computational environment with operationally relevant data to perform cutting-edge cybersecurity research that will increase HPCMP's current and predictive understanding of cyberspace on the Defense Research and Engineering Network (DREN). The data repository created by this unique environment includes the collection of unclassified data sources from the edge of the network (i.e., Internet Access Points) down to the host-level, across more than one hundred (100) different DoD enclaves. Through the application of high performance computing (HPC) resources, HACSAW explores novel and innovative analytical capabilities based on a comprehensive cybersecurity dataset. The integration of HPC within the cyber workflow provides an opportunity for fusion and assessments of disparate data streams and real-time analysis using data science algorithms and machine learning (both structured and unstructured data). Our approach is designed to ultimately leverage HPC resources to significantly reduce the time to respond to changes in the cyber environment from days to minutes.Understanding the operational status of information systems, the missions (friendly and adversary) being pursued, and the threats and vulnerabilities that impact them is essential for effective mission accomplishment. This understanding is referred to as Cyberspace Situational Awareness (Cyber SA). Today's decision makers require meaningful Cyber SA to safeguard sensitive data, sustain fundamental operations, and protect national infrastructure [2]. The need and responsibility of Cyber SA spans multiple organizations within the DoD, across the entire government and in the private sector.The lack of relevant and recent real-world network enterprise data has hampered many cybersecurity research efforts to develop and validate algorithms or methods under realistic conditions. HACSAW has reduced this technical barrier with a development environment that provides computational and data-rich information to researchers to test, develop, model, measure and refine data-driven analytics. This environment is the proving ground for novel ideas, algorithms and approaches that are suitable for large scale execution in a dedicated HPC environment. Currently, HACSAW as an aggregation of over one (1) petabyte of DREN data to include network-based monitoring and intrusion detection results, web content filtering, vulnerability scanning, firewall, sensor health, etc. Context is applied to each cyber event through the use of custom enrichments that provide downstream analytical processes with information that may be useful in determining the nature of the event.During this talk, we will discuss HPCMP's initial approach to addressing Cyber SA through a Call for Proposals (CFP) to the data science, cyber, and HPC communities. Selected collaborators will receive funding for a one-year effort that demonstrates potential for integration into DREN's Cyber SA operational environment and aligns with identified Mission Essential Tasks (METs). METs will ensure decision makers have the understanding necessary to make effective decisions. Such tasks include monitoring, detection, alerting, cyber threat analysis, cyber risk and event analysis, and sharing and collaboration. Initial and future contributions in the areas of modeling and simulation [4], clustering [3] and deep learning [1] are anticipated and results will be shared at a later date.