
Automated Threat-Hunting System Development Learning Program

Researchers will create a learning program on automated threat hunting and anomaly detection (THAD) operations, developing a system that monitors network traffic, as well as tools with machine learning capabilities to respond to suspicious network traffic.

Funded by the CCI Hub

Rationale and Background

Ease of use, precision of outputs, correlation between systems, and clear communication channels are among the problems most frequently raised with current threat-hunting tooling.

When designing security programs, organizations are increasingly interested in implementing proactive solutions to satisfy their security requirements. Threat-hunting programs that analyze, test, monitor, and secure systems are one response to this demand.

Methodology

Researchers will improve threat-hunting solutions using open-source tools, targeting a list of problem areas derived from interviews on the topic conducted during a previous CCI-funded project.

They will establish a baseline of tool functionality and use continuous development and integration testing to provide a learning experience that simulates real-world conditions.

Projected Outcomes

This project aims to enhance cybersecurity protocols through real-time network traffic monitoring and incident response, as well as to cultivate a skilled workforce adept at navigating the complexities of network security. The system developed through this program will be integrated into workshops hosted at Mason and VMI, with the added goal of serving the surrounding communities.

Participants will engage in the development of selected system components from the ground up through:

  • System Design and Architecture: Students will learn about the architectural requirements of a scalable threat detection system, including the integration of software and hardware components that support high-volume data analysis.
  • Development of Detection Rules: Students will develop and refine the detection rules the system uses to identify suspicious activity, learning to balance sensitivity and specificity so that both false positives and false negatives are minimized.
  • Real-Time Data Monitoring and Analysis: Students will monitor network traffic in a controlled environment, apply detection rules in real time, analyze the system's effectiveness, and adjust parameters as needed.
  • Incident Response Creation: Students will craft comprehensive incident cases, documenting anomalies, suspected causes, potential impacts, and suggested mitigation steps.
  • Feedback and Iteration: An iterative feedback loop will allow students to refine their approaches based on real-world testing and peer reviews.
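The detection-rule, monitoring, and incident-case steps above can be walked through end to end on a small, self-contained example. The following Python is an added illustration written for this page; it is not code from the program, from Virginia Tech, or from the CCI project, and it makes no claim about which tools the workshops will use. It applies a fan-out rule (how many distinct host/port pairs a source contacts) to a set of constructed flow records, sweeps the rule's threshold, and reports sensitivity and specificity against made-up ground-truth labels so that the false-positive/false-negative trade-off is visible in numbers. All IP addresses, ports, and labels are invented, and `Flow`, `fan_out`, `apply_rule`, `evaluate`, `sweep`, and `incident_case` are names chosen for this example only.

```python
# Added example, not part of the original page or the project's code.
# A threshold-based detection rule over constructed flow records, evaluated
# for sensitivity and specificity so the tuning trade-off becomes concrete.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    dport: int  # destination port


def _probe(src, dst, ports):
    """Helper to build one flow per probed port (sample data only)."""
    return [Flow(src, dst, p) for p in ports]


# Constructed sample flows (invented, not captured traffic).
FLOWS = (
    [Flow("10.0.0.5", "10.0.0.20", 443),
     Flow("10.0.0.5", "10.0.0.20", 80),
     Flow("10.0.0.5", "10.0.0.21", 443),
     Flow("10.0.0.6", "10.0.0.20", 443),
     Flow("10.0.0.6", "10.0.0.22", 22)]
    # 10.0.0.7 is a legitimate monitoring host that checks several services;
    # it is the source a naive rule is most likely to misflag.
    + _probe("10.0.0.7", "10.0.0.20", (22, 80))
    + _probe("10.0.0.7", "10.0.0.21", (443, 3306))
    + _probe("10.0.0.7", "10.0.0.22", (22, 5432))
    # 10.0.0.9 is a noisy port scanner, 10.0.0.10 a slower one.
    + _probe("10.0.0.9", "10.0.0.30",
             (21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389))
    + _probe("10.0.0.10", "10.0.0.31", (22, 80, 443, 445, 3389))
)

# Ground truth for evaluation (assumed labels): True = actually scanning.
TRUTH = {"10.0.0.5": False, "10.0.0.6": False, "10.0.0.7": False,
         "10.0.0.9": True, "10.0.0.10": True}


def fan_out(flows):
    """Rule feature: number of distinct (dst, dport) pairs per source."""
    seen = defaultdict(set)
    for f in flows:
        seen[f.src].add((f.dst, f.dport))
    return {src: len(pairs) for src, pairs in seen.items()}


def apply_rule(flows, threshold):
    """Flag every source whose fan-out reaches the threshold."""
    return {src for src, n in fan_out(flows).items() if n >= threshold}


def evaluate(flagged, truth):
    """Return (sensitivity, specificity) of a flagged set against labels."""
    tp = sum(1 for s, bad in truth.items() if bad and s in flagged)
    fn = sum(1 for s, bad in truth.items() if bad and s not in flagged)
    fp = sum(1 for s, bad in truth.items() if not bad and s in flagged)
    tn = sum(1 for s, bad in truth.items() if not bad and s not in flagged)
    return tp / (tp + fn), tn / (tn + fp)


def sweep(flows, truth, thresholds):
    """Parameter adjustment step: score the rule at each candidate threshold."""
    return {t: evaluate(apply_rule(flows, t), truth) for t in thresholds}


def incident_case(flows, src, threshold):
    """Minimal incident record for a flagged source (the incident-case step)."""
    targets = sorted({(f.dst, f.dport) for f in flows if f.src == src})
    return {
        "source": src,
        "anomaly": f"{len(targets)} distinct host/port pairs contacted "
                   f"(rule threshold {threshold})",
        "suspected_cause": "port scan / service enumeration",
        "potential_impact": "reconnaissance preceding exploitation of exposed services",
        "suggested_mitigation": "isolate the source host and review its processes and logins",
        "targets": targets,
    }


if __name__ == "__main__":
    for t, (sens, spec) in sweep(FLOWS, TRUTH, (4, 6, 7)).items():
        print(f"threshold={t}: sensitivity={sens:.2f} specificity={spec:.2f}")
    for src in sorted(apply_rule(FLOWS, 7)):
        print(incident_case(FLOWS, src, 7))
```

At threshold 4 the rule catches both scanners but also flags the monitoring host (sensitivity 1.0, specificity 0.67); at threshold 7 it is fully specific but misses the slow scanner (sensitivity 0.5, specificity 1.0). Neither setting is "right" on its own, which is the point of the iteration step: the threshold, or a per-host exemption for known scanners such as 10.0.0.7, has to be chosen against the traffic the system actually sees.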