Security Research

University Research Group Takes on State-Sponsored Computer Attacks

• By Dian Schaffhauser
• 03/11/10

A group of university researchers that found success in taking over control of a major criminal botnet to learn how it operates has been funded to develop a system that can automatically identify attacks on the Internet. The researchers, who form the Computer Security Group at the University of California, Santa Barbara, recently received a five-year grant of $6.2 million from the United States Army Research Office to lead a consortium that also includes the UC Berkeley and Georgia Institute of Technology.

The goal of the multi-institutional research is to develop a system of "situational awareness," which can automatically identify attacks on the Internet, assess the potential damage of attacks, identify responses, and predict future threats. A particular interest will be creating techniques and tools for addressing state-sponsored attacks.

"Every kind of information you can think of--including state secrets--exists on a computer somewhere," said Richard Kemmerer, professor of computer science. "Unless that computer is locked up with no connection to the outside world, there's a chance of that information getting compromised." Kemmerer is one of the UC Santa Barbara group's core faculty members on the project.

The research team has set several initiatives for its security research:

• Techniques for analyzing network activity automatically to obtain a real-time view of how the network is being used;
• Analysis techniques for extracting relationships in the network;
• Development of two frameworks, one to identify the targets of cyber attacks and estimate the impact of a successful attack and the other to provide an easy-to-understand view of the network's status and to learn about attacks while they're happening; and
• Creation of models of adversary behavior to help predict the effects of future attacks.

The UC Santa Barbara team made headlines when it took control of Torpig, a major botnet that had control of 180,000 Windows computers, primarily in the United States and Europe. This feat, which lasted for 10 days in early 2009, allowed the researchers to monitor the botnet's collection of 70 GB of data, including information from online bank accounts, credit and debit card accounts, and e-mail accounts. The researchers collaborated with the FBI and other law enforcement agencies, as well as with the banks and financial institutions involved, to notify the owners of the compromised accounts.

That research work was funded by a National Science Foundation grant to study the workings of the "underground economy."