Cyber Risk Assessment for Threatened Environments (CRATE)


Cyber warfare is fought today on an asymmetric battlefield in which the odds are often stacked in favor of an agile and anonymous adversary. Existing defensive technologies such as antivirus, intrusion detection, and code hardening toolchains can only partially level the field. Technical gaps in these defensive technologies are evidenced (1) by the typically large latencies between the occurrence of cyber-attacks and their eventual detection and remediation; and (2) by the failure of existing technologies to perform mission-centric threat impact analysis.

CRATE provides new tools and techniques to extract real-time human-actionable intelligence about the mission-level impact of cyber events detected within complex architectures.


A CRATE concept of operation is shown below in Figure 1. The diagram depicts three core capabilities of the CRATE system. Firstly, CRATE provides a framework for gathering large quantities of real-time metrics generated by cyber-sensors on disparate hosts. Secondly, CRATE uses machine learning to identify cyber-events within the metric streams and aligns these events to the lifecycle of a cyber-attack. Finally, CRATE utilizes this alignment to determine the mission-level severity and impact of the attack—for example, a mission that depends heavily on near real-time ISR would be severely impacted by a Denial of Service (DoS) attack against services providing that capability.

CRATE combines top-down and bottom-up modeling paradigms. CRATE’s top-down approach leverages industry-standard Mandatory Access Control (MAC) technologies such as AppArmor and SELinux and assumes that high-fidelity models of correct behavior are specified formally as engineering and design artifacts. When behaviors not explicitly allowed in these top-down models are observed, the system generates logs which are treated by CRATE as indicative of anomalous behavior, even when those behaviors are performed by privileged users.

Acknowledging the difficulty of specifying complete top-down models (and to address the possibility of resultant false positive anomaly detections), CRATE also incorporates a bottom-up noise reduction approach that learns correct behaviors by applying machine learning to sensor values and identifies aberrations observed during sliding windows of time.

CRATE provides visualizations and metrics that enable the operators of mission-critical cyber systems to answer the questions:

  • What non- mission-essential behaviors are occurring within my cyber infrastructure?
  • Are the systems on which deployed services execute behaving as expected?
  • Are observed anomalous behaviors indicative of cyber-attack or might they be benign?


Similarly, CRATE allows the mission operators to answer the question:



CRATE provides the following innovations over existing technologies:

  1. CRATE is designed from the ground up to be cloud-friendly. CRATE monitors software systems at the service granularity and in a manner amenable to deployments that leverage virtualization and containerization. CRATE does not assume the existence of monitoring components on network infrastructure (routers, switches, firewalls, etc.) since stakeholders in cloud use cases frequently do not manage the infrastructure on which they deploy services. Instead, CRATE relies only upon lightweight monitoring within the virtual machines and containers used to run critical services.
  2. CRATE is useful for detecting sophisticated attacks. A sophisticated attack is one that attempts to exploit a vulnerability in a service (e.g., buffer overflow, remote code execution) instead of merely denying access to the service without compromising the host on which it runs (e.g., HTTP flood). Whereas the latter can be easily detected by monitoring simple metrics such as the number of open TCP connections, the former is much harder to recognize without fine-grained models of correct system behavior. Because it models the inter- and intra-host interactions of resources and processes, CRATE is able to recognize attacks that may be entirely ignored by other tools.
  3. CRATE provides mission impact analysis, unlike other tools which are system-oriented. CRATE uses models to map problematic cyber-events to their impact on missions along the dimensions of Confidentiality, Ingegrity, and Availability (the CIA triad). The inclusion of the confidentiality and integrity dimensions greatly enhances the utility of the tool for threat mitigation and impact analysis (e.g., CRATE can tell operators whether sensitive mission-critical data has been accessed by an attacker).