A critical component of NTEWS forecast modeling is the accessibility of its findings to officials.

“The heart of our work, from the beginning, has been this idea that we should be able to come up with predictions that we can explain to policymakers, preferably in an elevator pitch,” Subrahmanian said.

The NTEWS project team, which also includes Priyanka Amin, a third-year undergraduate computer science student in Northwestern’s Weinberg College of Arts and Sciences; Chongyang Gao, a PhD candidate in computer science; NSAIL Senior Research Associate Chiara Pulice; and consultant Aaron Mannes, is also trying to predict when attacks are likely to happen and when they are not, so that resources can be allocated appropriately.

Using unclassified and open source data on terrorist groups collected and shared in collaboration with external partners, the NTEWS system will generate predictions and guidance for interpretation. NSAIL will then share the predictions and results in publicly available places such as websites or scientific papers in accordance with its main operating principles.

PLATO: Predicting the lethality of terrorist networks

Past work on a system named Shaping the Effectiveness of the Network of Terrorist Organizations (STONE) studied how to minimize the number of attacks a terrorist network will carry out. Doing so, however, requires the ability to predict the number of attacks that a specific network structure will produce. The Predicting Terrorist Organization Lethality Analysis (PLATO) model predicts the number of attacks a terrorist group will carry out based solely on the structure of its network.

“We want to understand the relationship between network structure and death, and with PLATO, we are able to do that,” Pulice said. “Using machine learning and regressor models, we clearly understand which features of the network are most important, and thus which features we can use as good predictors of death.”

Combining machine learning with techniques from graph theory and social network analysis, the PLATO algorithms were tested on datasets detailing the relationships between members of al-Qaeda and the Islamic State (ISIS).

The PLATO team currently includes Gao, Francesco Parisi (University of Calabria), Pulice and Subrahmanian.

“What we found for both Al Qaeda and ISIS is that operational sub-networks and network leadership are strongly correlated with death,” Pulice said. “If we operate in one of these two sub-networks, intuitively we affect death.”

NCEWS: Managing AI Vulnerabilities and Cyber Security

NSAIL also focuses on issues related to information, cyber and technology security, including managing vulnerabilities in an enterprise, detecting malware and assessing its spread, managing cyber alerts and preventing intellectual property (IP) theft.

The lab is developing a decision-model system called the Northwestern Cyber Early Warning System (NCEWS) to manage two classes of vulnerabilities: known vulnerabilities, which are typically assigned a Common Vulnerabilities and Exposures (CVE) identifier, and zero-day vulnerabilities, which are flaws in a system or device discovered by attackers and not yet known to the vendor. Approximately 20,000 CVEs are disclosed each year.

“What we want to be able to do is look at a CVE and ask ‘Will it ever be used in an attack?'” Subrahmanian said. “If not, maybe you don’t need to worry about it so much. We want to be able to get information about a new CVE and predict whether this vulnerability will be used in an attack and, if so, whether it will be used in an attack tomorrow or a month from tomorrow. This affects the decision you make about what to do with that vulnerability. And, of course, you want to be able to predict how severe the attack is going to be.”

The sooner NCEWS makes these predictions, the more time an organization has to take appropriate action.

Subrahmanian found that, on average, approximately 133 days elapse from the time a vulnerability first becomes publicly known until the National Institute of Standards and Technology (NIST) releases information about its risks. Further, the study found that 49 percent of vulnerabilities are exploited in attacks before NIST updates its National Vulnerability Database (NVD).
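The two measurements in the paragraph above (lag from public disclosure to NVD publication, and the share of vulnerabilities exploited before that publication) are straightforward to reproduce against an organization's own vulnerability feed. The following is an added illustration, not the lab's code or data: it computes both statistics over a constructed set of records with placeholder identifiers (CVE-EXAMPLE-nnnn) and then orders the records for triage using the rule the surrounding text implies, that observed exploitation and the absence of an NVD entry should both raise priority rather than lower it. The triage scoring is an assumption of the example, not NCEWS's model.

```python
from datetime import date
from statistics import mean, median

# Constructed sample records (illustrative, not real CVE data). Each record
# carries the date the flaw first became public, the date NVD published its
# analysis (None = not yet published), and the first observed in-the-wild
# exploitation date (None = no exploitation seen).
SAMPLE_CVES = [
    {"id": "CVE-EXAMPLE-0001", "disclosed": date(2023, 1, 10),
     "nvd_published": date(2023, 5, 23), "first_exploited": date(2023, 2, 3)},
    {"id": "CVE-EXAMPLE-0002", "disclosed": date(2023, 3, 1),
     "nvd_published": date(2023, 3, 15), "first_exploited": None},
    {"id": "CVE-EXAMPLE-0003", "disclosed": date(2023, 4, 5),
     "nvd_published": date(2023, 7, 4), "first_exploited": date(2023, 8, 1)},
    {"id": "CVE-EXAMPLE-0004", "disclosed": date(2023, 6, 1),
     "nvd_published": date(2023, 6, 8), "first_exploited": date(2023, 6, 2)},
    {"id": "CVE-EXAMPLE-0005", "disclosed": date(2023, 2, 14),
     "nvd_published": date(2023, 4, 12), "first_exploited": None},
    {"id": "CVE-EXAMPLE-0006", "disclosed": date(2023, 9, 1),
     "nvd_published": None, "first_exploited": date(2023, 9, 10)},
]

# Reference date for the triage ordering (constructed).
TODAY = date(2023, 10, 1)


def nvd_lag_days(records):
    """Days from public disclosure to NVD publication, over published records only."""
    lags = [(r["nvd_published"] - r["disclosed"]).days
            for r in records if r["nvd_published"] is not None]
    return {"mean": mean(lags), "median": median(lags), "max": max(lags)}


def exploited_before_nvd(r):
    """True if exploitation was seen before NVD published (or NVD still has nothing)."""
    if r["first_exploited"] is None:
        return False
    return r["nvd_published"] is None or r["first_exploited"] < r["nvd_published"]


def exploited_before_nvd_fraction(records):
    """Share of exploited vulnerabilities whose exploitation preceded the NVD entry."""
    exploited = [r for r in records if r["first_exploited"] is not None]
    if not exploited:
        return 0.0
    return sum(exploited_before_nvd(r) for r in exploited) / len(exploited)


def prioritize(records, today):
    """Order CVEs for triage (assumed rule): observed exploitation outranks
    everything, a missing NVD entry adds urgency because there is no official
    scoring to lean on, and older disclosures come first within a tier."""
    def key(r):
        score = (2 if r["first_exploited"] is not None else 0) \
            + (1 if r["nvd_published"] is None else 0)
        return (-score, -(today - r["disclosed"]).days)
    return [r["id"] for r in sorted(records, key=key)]


if __name__ == "__main__":
    print(nvd_lag_days(SAMPLE_CVES))
    print(exploited_before_nvd_fraction(SAMPLE_CVES))
    print(prioritize(SAMPLE_CVES, TODAY))
```

Against a real feed, the `disclosed` date is the hard part: vendor advisories, mailing lists and the CVE record itself often disagree by days or weeks, and whichever source is chosen should be applied consistently or the lag statistic is meaningless.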

“If I’m a bad guy, I just watch what’s going on. I don’t have to reveal my weaknesses,” said Subrahmanian. “I’m waiting for someone else to discover it and then I can build an exploit.”

Building on and improving an earlier system developed by Subrahmanian, NCEWS uses a set of predictors and a combination of natural language processing methods and social network analysis to mine ongoing online discussions about a particular vulnerability.

“We are able to generate very high results in F1 whether a vulnerability is exploited or not and reasonably in terms of timing and severity,” Subrahmanian said.

Adapting a compartmental model of the kind used in epidemiology, NSAIL also developed a model called DIPS (detected, infected, susceptible, patched) to predict how badly a network is likely to be affected by a piece of malware. The team also examined false-alarm rates to determine what percentage of alerts raised by security products are of real concern, whether the lab can predict which alerts are true, and what percentage of true alerts will be missed.
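A compartmental model with the four DIPS states can be written down in a few lines. The block below is an added example, not the lab's implementation, and its transition rules are an assumption chosen to fit the state names: only undetected infected hosts spread malware, detection moves hosts from infected to detected, detected hosts are remediated into patched, and a pre-emptive patch rate moves susceptible hosts straight to patched. It reports the peak undetected and peak compromised fractions and the cumulative share of hosts ever compromised, so a patching or detection policy can be compared before and after a change.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DIPSState:
    """Fractions of hosts in each compartment; the four always sum to 1."""
    detected: float     # compromised, flagged by a sensor, not yet remediated
    infected: float     # compromised and still undetected (the hosts that spread)
    susceptible: float  # unpatched and not yet compromised
    patched: float      # remediated or pre-emptively patched; cannot be infected

    def total(self):
        return self.detected + self.infected + self.susceptible + self.patched


def step(s, beta, delta, rho, phi):
    """One discrete time step. Assumed dynamics (not the lab's published
    equations): undetected infected hosts infect susceptible ones at rate beta,
    detection happens at rate delta, detected hosts are patched at rate rho,
    and susceptible hosts are patched pre-emptively at rate phi.
    Returns the new state and the fraction newly infected this step."""
    new_infections = beta * s.susceptible * s.infected
    new_detections = delta * s.infected
    remediated = rho * s.detected
    preempted = phi * s.susceptible
    return DIPSState(
        detected=s.detected + new_detections - remediated,
        infected=s.infected + new_infections - new_detections,
        susceptible=s.susceptible - new_infections - preempted,
        patched=s.patched + remediated + preempted,
    ), new_infections


def simulate(beta, delta, rho, phi, initial_infected=0.01, steps=60):
    """Return the trajectory and the cumulative fraction of hosts ever compromised."""
    s = DIPSState(0.0, initial_infected, 1.0 - initial_infected, 0.0)
    trajectory, cumulative = [s], initial_infected
    for _ in range(steps):
        s, new = step(s, beta, delta, rho, phi)
        trajectory.append(s)
        cumulative += new
    return trajectory, cumulative


def peak_undetected(trajectory):
    """Largest fraction of hosts that were compromised with no alert raised."""
    return max(s.infected for s in trajectory)


def peak_compromised(trajectory):
    """Largest fraction of hosts compromised at once, detected or not."""
    return max(s.infected + s.detected for s in trajectory)


def outbreak_summary(beta, delta, rho, phi):
    traj, cumulative = simulate(beta, delta, rho, phi)
    return {
        "peak_undetected": peak_undetected(traj),
        "peak_compromised": peak_compromised(traj),
        "ever_compromised": cumulative,
        "final_patched": traj[-1].patched,
    }


if __name__ == "__main__":
    # Constructed parameters: compare no pre-emptive patching with a 5%-per-step policy.
    for phi in (0.0, 0.05):
        print(f"phi={phi}:", outbreak_summary(beta=0.6, delta=0.2, rho=0.3, phi=phi))
```

Under these rules the undetected population grows only while `beta * susceptible > delta`, so the detection rate sets the threshold directly; the conservation check (the four fractions summing to 1 at every step) is the first thing to assert whenever the transition rules are edited.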

FORGE: Imposing costs on intellectual property thieves

To address the growing challenge of intellectual property theft, NSAIL is developing projects such as the Fake Online Repository Generation Engine (FORGE) and WE-FORGE, which generate fake versions of sensitive documents with the intent of imposing costs on an attacker.

“We want to buy time for the defender and frustrate and delay the opponent,” Subrahmanian said. “If an adversary doesn’t know that the network has fakes, then he will spend a lot of time stealing documents and running his design on the wrong one. If the adversary knows that the organization uses fakes, then they have to spend a lot more time in the system, which would hopefully raise a red flag.”
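One way to see what generating fake versions of a sensitive document involves in practice, as an added example rather than FORGE's or WE-FORGE's own algorithm: each decoy perturbs the numeric values and swaps technical terms for plausible alternatives from the same group, and the defender keeps a keyed-hash catalogue (HMAC under a key the example assumes is stored outside the document store) so that a copy turning up later can be matched to the exact decoy that was taken, with no marker in the file itself for an attacker to spot. The document text, the term groups and the key are all constructed for the example.

```python
import hashlib
import hmac
import random
import re

# Assumption: a defender-only key kept outside the document store. Nothing is
# embedded in the files themselves, so an attacker holding a decoy has no
# visible marker to strip.
DEFENDER_KEY = b"example-defender-key-rotate-me"

# Constructed sample "sensitive" document (illustrative, not real IP).
REAL_DOCUMENT = (
    "Process note: alloy billets are tempered at 480 C for 2.5 hours, "
    "then nickel-plated. Measured yield strength 503 MPa, elongation 12 percent."
)

# Interchangeable domain terms (constructed); a decoy swaps each term present
# for another in its group so the text stays plausible but technically wrong.
TERM_GROUPS = [
    ("tempered", "annealed", "quenched"),
    ("nickel", "cobalt", "chromium"),
]


def perturb_numbers(text, rng, spread=0.25):
    """Scale every number by a random factor in [1-spread, 1+spread], keeping its format."""
    def repl(m):
        token = m.group(0)
        value = float(token) * (1.0 + rng.uniform(-spread, spread))
        return f"{value:.1f}" if "." in token else str(int(round(value)))
    return re.sub(r"\d+(?:\.\d+)?", repl, text)


def swap_terms(text, rng, groups):
    """Replace each term found in the text by a different term from its group.
    A single regex pass avoids chaining one substitution into another."""
    mapping = {}
    for group in groups:
        for term in group:
            if re.search(rf"\b{re.escape(term)}\b", text):
                mapping[term] = rng.choice([t for t in group if t != term])
    if not mapping:
        return text
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, mapping)) + r")\b")
    return pattern.sub(lambda m: mapping[m.group(0)], text)


def make_decoys(real, count, seed=0):
    """Seeded, so the same decoy set can be regenerated for auditing."""
    rng = random.Random(seed)
    return [swap_terms(perturb_numbers(real, rng), rng, TERM_GROUPS) for _ in range(count)]


def fingerprint(doc):
    """Keyed hash of the content; only the key holder can rebuild the catalogue."""
    return hmac.new(DEFENDER_KEY, doc.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def build_catalogue(real, decoys):
    """Map fingerprints to labels so a leaked copy can be traced to its source file."""
    catalogue = {fingerprint(real): "real"}
    for i, d in enumerate(decoys):
        catalogue[fingerprint(d)] = f"decoy-{i}"
    return catalogue


def identify(catalogue, doc):
    """Given a file found in an exfiltration dump, say which planted copy it is."""
    return catalogue.get(fingerprint(doc), "unknown")


if __name__ == "__main__":
    decoys = make_decoys(REAL_DOCUMENT, 5)
    cat = build_catalogue(REAL_DOCUMENT, decoys)
    for d in decoys:
        print(identify(cat, d), "->", d)
```

Content-based fingerprinting only survives verbatim copies; if an attacker reformats or excerpts a file, the catalogue lookup fails, which is why the decoys themselves, not the fingerprint, are what impose the cost the quote describes.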