A Data-Driven Approach to Security Science

In security more than in other computing disciplines, professionals depend heavily on rapid analysis of voluminous streams of data gathered by a combination of network-, file-, and system-level monitors. The data are used both to maintain a constant vigil against attacks and compromises on a target system and to improve the monitoring itself. While the focus of the security engineer is on ensuring operational security, it is our experience that the data are a gold mine of information that can be used to develop a greater fundamental insight and hence a stronger scientific basis for building, monitoring, and analyzing future secure systems. In order to facilitate timely and accurate detection and response to attacks several challenges must be addressed: 1. Challenge of navigating through a vast amount of data generated by security monitoring tools. 2. Challenge of conducting timely forensics and providing tools to extract and correlate information about the attack and its progress. 3. Challenge of validating and benchmarking the security monitoring infrastructure and the system resiliency to accidental errors and malicious attacks.