Jared Holsopple
Rochester Institute of Technology
Publication
Featured research published by Jared Holsopple.
Information Fusion | 2009
Shanchieh Jay Yang; Adam Stotz; Jared Holsopple; Moises Sudit; Michael E. Kuhl
The use of computer networks has become a necessity for government, industry, and personal businesses. Protection and defense against cyber attacks on computer networks, however, are becoming inadequate as attackers become more sophisticated and as the networks and systems become more complex. Drawing analogies from other application domains, this paper introduces information fusion to provide situation awareness and threat prediction from massive volumes of sensed data. An in-depth discussion is provided to define fusion tasks for cyber defense. A novel cyber fusion system is proposed to address specifically the tracking and projection of multistage attacks. Critical assessments of the developed attack tracking and threat projection sub-components are provided with simulation results. This pioneering work elaborates the benefits, limitations, and future challenges of high level information fusion for cyber security.
Multisensor, Multisource Information Fusion: Architectures, Algorithms, and Applications 2006 | 2006
Jared Holsopple; Shanchieh Jay Yang; Moises Sudit
Current practice for combating cyber attacks typically uses Intrusion Detection Sensors (IDSs) to passively detect and block multi-stage attacks. This work leverages Level-2 fusion that correlates IDS alerts belonging to the same attacker, and proposes a threat assessment algorithm to predict potential future attacker actions. The algorithm, TANDI, reduces the problem complexity by separating the models of the attacker's capability and opportunity, and fuses the two to determine the attacker's intent. Unlike traditional Bayesian-based approaches, which require assigning a large number of edge probabilities, the proposed Level-3 fusion procedure uses only 4 parameters. TANDI has been implemented and tested with randomly created attack sequences. The results demonstrate that TANDI predicts future attack actions accurately as long as the attack is not part of a coordinated attack and contains no insider threats. In the presence of abnormal attack events, TANDI will alarm the network analyst for further analysis. The attempt to evaluate a threat assessment algorithm via simulation is the first in the literature, and shall open up a new avenue in the area of high level fusion.
International Conference on Information Fusion | 2010
John J. Salerno; Shanchieh Jay Yang; Ivan Kadar; Moises Sudit; George P. Tadda; Jared Holsopple
Many say that we live in the information age, but in reality if you ask any analyst today they would say we live in the data age. The amount of data being presented and displayed to the analyst is overwhelming - to a point that in many cases they are missing the salient or key activities of interest. Analysts are spending the majority of their time filtering through the data rather than performing analysis. Over the past 10 years, there has been an increasing emphasis on research in higher level fusion or what many are calling situation awareness. In this paper, we describe a collection of research addressing the challenges of enabling situation awareness. We will review our reference model and provide a discussion of a flow through the model to include how we can rank various activities based on their impact and threat. We also provide a number of algorithms that have been implemented and then tested and evaluated using a set of performance metrics.
IEEE Communications Magazine | 2010
Jared Holsopple; Moises Sudit; Daniel F. Liu; Haitao Du; Shanchieh Jay Yang
The human cognitive process of situation awareness is limited to the amount of data and the level of complexity between the data elements. Situation assessment, encompassing automated threat and impact assessment, shall assist human analysts by estimating the critical activities and objects in an emerging situation. The existing work on situation assessment, while serving its individual purposes, is not driven explicitly by the need to enhance situation awareness. This article provides a summary of various related work, ranging from visualization to algorithmic threat projection, and describes a human-centered framework that associates situation assessment processes and models with requirements needed to enhance situation awareness.
Military Communications Conference | 2006
Shanchieh Jay Yang; Jared Holsopple; Moises Sudit
Current practices to defend against cyber attacks are typically reactive yet passive. Recent research work has been proposed to proactively predict hackers' target entities in the early stage of the attack. With prediction, there come false alarms and missed attacks. Very little has been reported on how to evaluate a threat assessment algorithm, especially for cyber security. Because of the variety and the constantly changing nature of hacker behavior and network vulnerabilities, a cyber threat assessment algorithm is perhaps more susceptible than those for other application domains. This work sets forth the issues in evaluating cyber threat assessment algorithms, and discusses the validity of various statistical measures. Simulation examples are provided to illustrate the pros and cons of using different metrics under various cyber attack scenarios. Our results show that commonly used false positives and false negatives are necessary but not sufficient to evaluate cyber threat assessment
Military Communications Conference | 2009
Jared Holsopple; Shanchieh Jay Yang
While there are multiple reference models for data fusion, there are no formal processes in which to design a complete fusion system. Even though high-level fusion, i.e., impact and threat assessment, is included in the various models, the majority of data fusion research has focused on low-level data fusion such as sensing and correlation. More importantly, low-level fusion technologies have been designed without detailed consideration of threat and impact assessment requirements. On the other hand, high-level designs are restricted by the available data from low-level systems. This disconnected practice has presented tremendous challenges for designing an effective overall fusion system that would truly enhance situation awareness. This paper proposes a top-down fusion system design process in which the elements needed for situation awareness will drive the design requirements for environment/terrain models, impact and threat assessment, event correlation and tracking, observable definitions, and sensing. The discussion will be complemented with examples from the cyber security domain.
Proceedings of SPIE | 2009
Shanchieh Jay Yang; Jared Holsopple; Daniel Liu
Extensive discussions have taken place in recent years regarding impact assessment: what is it and how can we do it? It is especially intriguing in this modern era where non-traditional warfare has caused either information overload or limited understanding of adversary doctrines. This work provides a methodical discussion of key elements for the broad definition of impact assessment (IA). The discussion will start with a process flow involving components related to IA. Two key functional components, impact estimation and threat projection, are compared and illustrated in detail. These details include a discussion of when to model red and blue knowledge. Algorithmic approaches will be discussed, augmented with lessons learned from our IA development for cyber situation awareness. This paper aims at providing the community with a systematic understanding of IA and its open issues with specific examples.
Intelligent Methods for Cyber Warfare | 2015
Jared Holsopple; Shanchieh Jay Yang; Moises Sudit
Cyber networks are used extensively not only by a nation’s military to protect sensitive information and execute missions, but also by the primary infrastructure that provides services that enable modern conveniences such as education, potable water, electricity, natural gas, and financial transactions. Disruption of any of these services could have widespread impacts on citizens’ well-being. As such, these critical services may be targeted by malicious hackers during cyber warfare. Due to the increasing dependence on computers for military and infrastructure purposes, it is imperative not only to protect them and mitigate any immediate or potential threats, but also to understand the current or potential impacts beyond the cyber networks or the organization. This increased dependence means that a cyber attack may not only affect the cyber network, but also other tasks or missions that are dependent upon the network for execution and completion. It is therefore necessary to try to understand the current and potential impacts of cyber effects on the overall mission of a nation’s military, infrastructure, and other critical services. The understanding of the impact is primarily controlled by two processes: state estimation and impact assessment. State estimation is the process of determining the current state of the assets, while impact assessment is the process of calculating impact based on the current asset states.
Proceedings of SPIE | 2011
Stefan Schwoegler; Sam Blackman; Jared Holsopple; Michael J. Hirsch
This paper discusses how methods used for conventional multiple hypothesis tracking (MHT) can be extended to domain-agnostic tracking of entities from non-kinematic constraints such as those imposed by cyber attacks in a potentially dense false alarm background. MHT is widely recognized as the premier method to avoid corrupting tracks with spurious data in the kinematic domain, but it has not been extensively applied to other problem domains. The traditional approach is to tightly couple track maintenance (prediction, gating, filtering, probabilistic pruning, and target confirmation) with hypothesis management (clustering, incompatibility maintenance, hypothesis formation, and N-association pruning). However, by separating the domain-specific track maintenance portion from the domain-agnostic hypothesis management piece, we can begin to apply the wealth of knowledge gained from ground and air tracking solutions to the cyber (and other) domains. These realizations led to the creation of Raytheon's Multiple Hypothesis Extensible Tracking Architecture (MHETA). In this paper, we showcase MHETA for the cyber domain, plugging in a well established method, CUBRC's INFormation Engine for Real-time Decision making (INFERD), for the association portion of the MHT. The result is a CyberMHT. We demonstrate the power of MHETA-INFERD using simulated data. Using metrics from both the tracking and cyber domains, we show that while no tracker is perfect, by applying MHETA-INFERD, advanced non-kinematic tracks can be captured in an automated way, perform better than non-MHT approaches, and decrease analyst response time to cyber threats.
Social Computing, Behavioral Modeling and Prediction | 2010
Jared Holsopple; Shanchieh Jay Yang; Moises Sudit; Adam Stotz
To enhance the effectiveness of health care, many medical institutions have started transitioning to electronic health and medical records and sharing these records between institutions. The large amount of complex and diverse data makes it difficult to identify and track relationships and trends, such as disease outbreaks, from the data points. INFERD: Information Fusion Engine for Real-Time Decision-Making is an information fusion tool that dynamically correlates and tracks event progressions. This paper presents a methodology that utilizes the efficient and flexible structure of INFERD to create social networks representing progressions of disease outbreaks. Individual symptoms are treated as features, allowing multiple hypotheses to be tracked and analyzed for effective and comprehensive syndromic surveillance.