Executive Summary:

The internet has revolutionized the way facilities and operations are managed and accessed remotely, but that same remote access exposes them to cyberattacks. Critical infrastructure such as power grids, nuclear plants, and telecom networks is a target of these attacks. To detect suspicious behavior, it is crucial to monitor the entire network for compromised nodes and to correlate activities across all nodes. This involves collecting network logs and analyzing them to automatically detect malicious activity and identify cyberattacks. The objective is to develop Artificial Intelligence and Machine Learning (AI & ML)-based algorithms that detect the lateral movement and pivoting that could lead to cyberattacks. Training these algorithms requires rich datasets of malware behavior with granular detail about the network, process, and file events produced by the malware's activity. However, no publicly available dataset provides all of this information across a variety of malware. The first goal is therefore to collect malware from various sources and run it in a sandbox environment with custom scripts that log its network, process, and file activity by tapping the operating system at the kernel level. Existing malware detection methods rely on rule sets, while attackers constantly seek new vulnerabilities and zero-day attacks. To fill this gap, AI & ML-aided algorithms are proposed that work on continuously collected network-wide data logs, correlate the activities of all nodes, and proactively identify deviations from normal behavior. In summary, the two objectives are to develop an Endpoint Detection and Response (EDR) system that systematically monitors network activity, and to develop AI & ML-aided algorithms that automatically detect lateral movement and privilege escalation.