National labs look to flip the board on cyber warfare

By Peter Behr | 06/12/2015 08:41 AM EDT

Much as U.S. and British breakthroughs in strategic research were pivotal in World War II, Oak Ridge’s cyber warfare research team and colleagues across the complex of American national laboratories are pushing for esoteric discoveries that will tilt the cyberwar battleground decisively back toward the defense before adversaries are able to launch a “cyber Pearl Harbor.”

Two years ago, hackers broke into computer systems of the Oak Ridge National Laboratory in Tennessee, a crown jewel of the U.S. national security research establishment.

The embarrassing cyber breach, whose source was not publicly identified, resulted in a very limited data loss, officials said.

Its more far-reaching impact was to prompt Oak Ridge researchers to redirect development of a next-generation cybersecurity program called Hyperion, one they view as a potentially game-changing bulwark against advanced cyber campaigns.


The attack "changed how we thought about using Hyperion," says the program’s co-inventor, Stacy Prowell, leader of Oak Ridge’s cyber warfare research team.

"Until then, we thought of it as supporting reverse engineering," the common tactic for detecting and analyzing advanced malware that has gotten into targeted systems, he said.

"Then we saw we can use it to find the patterns" in attack software, even before their dirty work commences, he said.

Working through the Department of Homeland Security’s Transition to Practice program, R&K Cyber Solutions in Northern Virginia licensed the Hyperion project from the Oak Ridge lab and hired some of Prowell’s key Oak Ridge colleagues to take the program public, working from an office in Knoxville, Tenn., not far from the laboratory.

Much as U.S. and British breakthroughs in strategic research were pivotal in World War II, Prowell and colleagues across the complex of American national laboratories are pushing for esoteric discoveries that will tilt the cyberwar battleground decisively back toward the defense before adversaries are able to launch a "cyber Pearl Harbor."

"Lots of folks are concerned with keeping all the bad guys out," Prowell said. "I tend to think that is not possible in general. I’m much more concerned when they get in that they don’t cause serious harm," said Prowell, who earned a Ph.D. in computer science from the University of Tennessee and went from there to Carnegie Mellon University to pursue the ideas that become Hyperion. He joined Oak Ridge in 2009.

The list of high-priority cybersecurity projects at national laboratories documents the labs’ search for unconventional, highly challenging but potentially high-impact breakthroughs.

Johns Hopkins Applied Physics Laboratory has a product, CodeDNA, that can spotlight "families" of malware by detecting close relationships in malware binary code, exploiting the tendency of hackers to build new attacks on earlier code. The approach also supports predictions of what new, "zero-day" attacks could look like.

Digital Ants, created at the Pacific Northwest National Laboratory, mimic the swarming behaviors of ants in their colonies as a strategy for uncovering hidden malware. The technology employs mobile sensors that "roam" within interconnected computers and devices in a network, gathering and evaluating key operational indicators, such as memory or processing activity. When a sensor spots activity out of the ordinary, it leaves behind a digital marker, like the chemical pheromones that ants deposit to mark paths to food. In the software world, the markers attract more sensor attention, and when the swarm reaches a predetermined size, it triggers an alarm, PNNL said.

Sandia National Laboratories’ Weasel Board technology addresses cyber vulnerabilities in PLCs (programmable logic controllers) that manage essential operations at power plants and other energy facilities, including remote terminals that operate electric power grids. According to Sandia’s description of its technology, conventional security systems cannot detect attacks on PLCs, and the PLCs are not monitored for breaches. Weasel Board, when added to a network, analyzes communications between PLCs to spot unusual activity and detect known threats.

Zeroing in on attack operations

In Hyperion’s case, the program does not make a long-shot search for needles of malware code buried in mountainous haystacks of software instructions. It focuses instead on the fundamental computer operations that attackers must carry out to achieve their ends.

For example, a hacker seeking to steal the identity of a program administrator may try to implant a clandestine keystroke logging routine that will copy the unaware user’s sign-on name and password, hide the stolen information somewhere on the victim’s system, and transmit it secretly back to the hacker.

Computer code that carries out such attacks may be disguised, said Prowell.

But the operational steps — implanting, copying, hiding and transmitting — are specific functional directions that software tells a computer to do, and they can be represented as logical equations: "If x=y, do this, and keep doing it until x=something else."

"You get away from bytes to the more literal picture of what is happening. You translate the compiled program into a function that describes what it does," Prowell said. Actions that might be innocent by themselves can have a malicious purpose when put together in a particular sequence that Hyperion’s mathematical analysis can reveal, he added.

The instructions or operational "calls" for key logging are compiled into a formal logic and stored as a catalog of known attacking behaviors called Behavior Specification Units. To scrutinize new programs, Hyperion uses advanced mathematical analysis to look for attacking operations described by the Basic Specification Units.

Prowell draws an analogy to a machinery with a motor, gears and a gear lever. Engineers can write an output equation for the motor, and for the gears. Putting that together creates a set of equations on what the machine is doing in mathematical terms. If the gear lever is moved, the equations produce a different result. Hyperion follows that model in analyzing computer operations that attacks must use.

Richard Linger, one of leading designers of Hyperion, who moved from Oak Ridge to R&K Cyber Solutions, said, "The fundamental difference is that most current [cyber defense] methods are based on the syntax of programs and malicious code, and they operate by scanning code and looking for signatures. Those signatures are very easily subverted.

"Hyperion doesn’t look for things in code, which is a loser’s game. We use the semantics of the individual program instructions to compute the behavior of the code."

‘In the trenches’

R&K Cyber, which had just 12 employees and $3 million in annual sales when it licensed Hyperion, must force its way into a fast-growing cyber defense market stocked with competition. But Linger said Hyperion gives it an edge. "It positions R&K as having a technology that is not generally available in the marketplace, and what we believe is a next-generation approach," Linger said.

Company founder Joseph Carter said the program is not challenging to deploy. "If they want to adopt it as a managed service, they won’t need to have any expertise. If they want to apply it on their own, we will be able to train their guys in two to three weeks in how to utilize the technologies."

Hyperion’s development has been a formidable challenge, Prowell said. "Everything about this is really hard. … The hardest part is representing faithfully the way that each instruction works on the computer. It’s not all that well specified. Sometimes the specs are wrong, and there are so many of them."

Hyperion was successfully piloted with DHS and an unidentified U.S. intelligence agency, R&K Cyber Solutions said. “We are in the trenches with government agencies, dealing with their malicious code,” Linger said.

"I’m making no guarantees about once-and-for-all security, but once we know this is how an attack works, I can easily find it every place it exists," Prowell said.