Situational Awareness using Graph Evaluation (SAGE)
Title: Technical Team Lead
Phone: (512) 342-0010
Email: AKEEN@21technologies.com
Title: Vice President
Phone: (512) 342-0010
Email: dtaylorz@21technologies.com
Current situational awareness methods on DoD networks focus on collecting ever-increasing amounts of network-generated data while the resources to analyze it remain relatively fixed. The deployment of the Global Information Grid (GIG) will exacerbate this problem by expanding the size of defense networks by orders of magnitude while simultaneously increasing the mission criticality of these networks. In an attempt to address this problem, defense organizations have purchased commercial Security Information Management systems (SIMs), which collect and normalize the alert data into a relational database for further analysis. This convenient data organization has not increased situational awareness of monitored networks. There are no automated processes that can take advantage of these stores of collected information. Our solution, Situational Awareness using Graph Evaluation (SAGE), uses Social Network Analysis-based statistical analysis, Graph Pattern Matching, and security domain ontologies in an innovative way to take advantage of terabyte-sized SIMs to provide actionable intelligence and situational awareness. We will leverage our Army Research Lab-funded Graph Matching Intrusion Detection System for detecting tactically coordinated attacks, as well as our Air Force Research Lab-funded NETWAR for detecting strategic coordinated attacks and the DARPA-funded TMODS project for detecting Terrorist Modus Operandi.
* Information listed above is at the time of submission. *