

Cybersecurity Quantification Lab (CyQL)

The research conducted in CyQL focuses on quantifying cybersecurity. The research team has conducted various empirical studies using security data collected in-house and across the world. The research team collaborates closely with the university Division of Information Technology Security and Policy team. The security data collected in-house consists of incidents, intrusion alerts, network flows, and malicious activity towards/from target computers. Furthermore, at various organizations across the world, we collect malicious activity towards/from target computers. We are also collaborating with the Department of Criminology and Criminal Justice at UMD to conduct specific empirical experiments related to criminological theories.

Research projects per security dataset

Incident Data: We have applied Non-Homogeneous Poisson Process (NHPP) software reliability growth (SRG) models, time series models, and epidemiological models.

Intrusion Alerts: We have 1) introduced a method that ranks potentially corrupted computers based on imperfect intrusion event data, and 2) evaluated this method based on the dataset.

Network Flows: We combined network flows with incidents and intrusion alerts to collect contextual information about attacks and to learn about attack techniques. We translated this knowledge about attack techniques into signatures and anomaly profiles to build a flow-based intrusion detection system. This research led to a tool, called Nfsight, which has been published as an open source application and is now used by the university security team in production.

Malicious Activity towards/from Target Computers: We have a large farm of target computers that consists of several hundred IP addresses, a combination of physical and virtual hosts, a tunneling solution to collect traffic from multiple institutions, and a reliable workflow to thoroughly instrument the targets, to rapidly re-image compromised machines, and to store attack traffic using secure and redundant storage solutions. This framework has been used to conduct a variety of empirical studies, including learning about attacker behavior, categorizing rogue software being installed, and understanding attack motivation.