
Publication


Featured research published by Shanchieh Jay Yang.


Archive | 2011

Social Computing, Behavioral-Cultural Modeling and Prediction

John J. Salerno; Shanchieh Jay Yang; Dana S. Nau; Sun-Ki Chai

In the context of modernization and development, the complex adaptive systems framework can help address the coupling of macro social constraint and opportunity with individual agency. Combining system dynamics and agent based modeling, we formalize the Human Development (HD) perspective with a system of asymmetric, coupled nonlinear equations empirically validated from World Values Survey (WVS) data, capturing the core qualitative logic of HD theory. Using a simple evolutionary game approach, we fuse endogenously derived individual socio-economic attribute changes with Prisoner’s Dilemma spatial intra-societal economic transactions. We then explore a new human development dynamics (HDD) model behavior via quasi-global simulation methods to explore economic development, cultural plasticity, social and political change.


IEEE Transactions on Information Forensics and Security | 2008

Projecting Cyberattacks Through Variable-Length Markov Models

Daniel S. Fava; Stephen R. Byers; Shanchieh Jay Yang

Previous works in the area of network security have emphasized the creation of intrusion detection systems (IDSs) to flag malicious network traffic and computer usage, and the development of algorithms to analyze IDS alerts. One possible byproduct of correlating raw IDS data are attack tracks, which consist of ordered collections of alerts belonging to a single multistage attack. This paper presents a variable-length Markov model (VLMM) that captures the sequential properties of attack tracks, allowing for the prediction of likely future actions on ongoing attacks. The proposed approach is able to adapt to newly observed attack sequences without requiring specific network information. Simulation results are presented to demonstrate the performance of VLMM predictors and their adaptiveness to new attack scenarios.


Information Fusion | 2009

High level information fusion for tracking and projection of multistage cyber attacks

Shanchieh Jay Yang; Adam Stotz; Jared Holsopple; Moises Sudit; Michael E. Kuhl

The use of computer networks has become a necessity for government, industry, and personal businesses. Protection and defense against cyber attacks on computer networks, however, are becoming inadequate as attackers become more sophisticated and as the networks and systems become more complex. Drawing analogies from other application domains, this paper introduces information fusion to provide situation awareness and threat prediction from massive volumes of sensed data. An in-depth discussion is provided to define fusion tasks for cyber defense. A novel cyber fusion system is proposed to address specifically the tracking and projection of multistage attacks. Critical assessments of the developed attack tracking and threat projection sub-components are provided with simulation results. This pioneering work elaborates the benefits, limitations, and future challenges of high level information fusion for cyber security.


Multisensor, Multisource Information Fusion: Architectures, Algorithms, and Applications 2006 | 2006

TANDI: threat assessment of network data and information

Jared Holsopple; Shanchieh Jay Yang; Moises Sudit

Current practice for combating cyber attacks typically uses Intrusion Detection Sensors (IDSs) to passively detect and block multi-stage attacks. This work leverages Level-2 fusion that correlates IDS alerts belonging to the same attacker, and proposes a threat assessment algorithm to predict potential future attacker actions. The algorithm, TANDI, reduces the problem complexity by separating the models of the attacker's capability and opportunity, and fuses the two to determine the attacker's intent. Unlike traditional Bayesian-based approaches, which require assigning a large number of edge probabilities, the proposed Level-3 fusion procedure uses only 4 parameters. TANDI has been implemented and tested with randomly created attack sequences. The results demonstrate that TANDI predicts future attack actions accurately as long as the attack is not part of a coordinated attack and contains no insider threats. In the presence of abnormal attack events, TANDI will alarm the network analyst for further analysis. The attempt to evaluate a threat assessment algorithm via simulation is the first in the literature, and shall open up a new avenue in the area of high level fusion.


International Conference on Information Fusion | 2010

Issues and challenges in higher level fusion: Threat/impact assessment and intent modeling (a panel summary)

John J. Salerno; Shanchieh Jay Yang; Ivan Kadar; Moises Sudit; George P. Tadda; Jared Holsopple

Many say that we live in the information age, but in reality if you ask any analyst today they would say we live in the data age. The amount of data being presented and displayed to the analyst is overwhelming - to a point that in many cases they are missing the salient or key activities of interest. Analysts are spending the majority of their time filtering through the data rather than performing analysis. Over the past 10 years, there has been an increasing emphasis on research in higher level fusion or what many are calling situation awareness. In this paper, we describe a collection of research addressing the challenges of enabling situation awareness. We will review our reference model and provide a discussion of a flow through the model to include how we can rank various activities based on their impact and threat. We also provide a number of algorithms that have been implemented and then tested and evaluated using a set of performance metrics.


IEEE Communications Magazine | 2010

Enhancing situation awareness via automated situation assessment

Jared Holsopple; Moises Sudit; Daniel F. Liu; Haitao Du; Shanchieh Jay Yang

The human cognitive process of situation awareness is limited to the amount of data and the level of complexity between the data elements. Situation assessment, encompassing automated threat and impact assessment, shall assist human analysts by estimating the critical activities and objects in an emerging situation. The existing work on situation assessment, while serving its individual purposes, is not driven explicitly by the need to enhance situation awareness. This article provides a summary of various related work, ranging from visualization to algorithmic threat projection, and describes a human-centered framework that associates situation assessment processes and models with requirements needed to enhance situation awareness.


Intelligence and Security Informatics | 2008

Intrusion activity projection for cyber situational awareness

Shanchieh Jay Yang; Stephen R. Byers; Jared Holsopple; Brian Argauer; Daniel S. Fava

Previous works in the area of network security have emphasized the creation of intrusion detection systems (IDSs) to flag malicious network traffic and computer usage. Raw IDS data may be correlated and form attack tracks, each of which consists of ordered collections of alerts belonging to a single multi-stage attack. Assessing an attack track in its early stage may reveal the attacker's capability and behavior trends, leading to projections of future intrusion activities. Behavior trends are captured via variable length Markov models (VLMM) without predetermined attack plans. A virtual terrain schema is developed to model network and system configurations, and used to estimate critical elements and vulnerabilities exposed to each attacker given his/her progress. Experimental results show promises for these proactive measures in ensuring continuous and critical cyber operations.


Military Communications Conference | 2006

Evaluating Threat Assessment for Multi-Stage Cyber Attacks

Shanchieh Jay Yang; Jared Holsopple; Moises Sudit

Current practices to defend against cyber attacks are typically reactive yet passive. Recent research work has been proposed to proactively predict hackers' target entities in the early stage of the attack. With prediction, there come false alarms and missed attacks. Very little has been reported on how to evaluate a threat assessment algorithm, especially for cyber security. Because of the variety and the constantly changing nature of hacker behavior and network vulnerabilities, a cyber threat assessment algorithm is perhaps more susceptible than for other application domains. This work sets forth the issues on evaluating cyber threat assessment algorithms, and discusses the validity of various statistical measures. Simulation examples are provided to illustrate the pros and cons of using different metrics under various cyber attack scenarios. Our results show that commonly used false positives and false negatives are necessary but not sufficient to evaluate cyber threat assessment


Military Communications Conference | 2014

Context Model Fusion for Multistage Network Attack Simulation

Stephen Moskal; Ben Wheeler; Derek Kreider; Michael E. Kuhl; Shanchieh Jay Yang

Analyzing and predicting complex network attack strategies require an efficient way to produce realistic and up-to-date data representing a variety of attack behaviors on diverse network configurations. This work develops a simulation system that fuses four context models: the networks, the system vulnerabilities, the attack behaviors, and the attack scenarios, so as to synthesize multistage attack sequences. The separation of different context models enables flexibility and usability in defining these models, as well as a comprehensive synthesis of attack sequences under different combinations of situations. After describing the design of the context models, an example use of the simulator and sample outputs, including the ground truth actions and sensor observables, will be discussed.


Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2008 | 2008

Virtual Terrain: A Security-Based Representation of a Computer Network

Jared Holsopple; Shanchieh Jay Yang; Brian Argauer

Much research has been put forth towards detection, correlating, and prediction of cyber attacks in recent years. As this set of research progresses, there is an increasing need for contextual information of a computer network to provide an accurate situational assessment. Typical approaches adopt contextual information as needed; yet such ad hoc effort may lead to unnecessary or even conflicting features. The concept of virtual terrain is, therefore, developed and investigated in this work. Virtual terrain is a common representation of crucial information about network vulnerabilities, accessibilities, and criticalities. A virtual terrain model encompasses operating systems, firewall rules, running services, missions, user accounts, and network connectivity. It is defined as connected graphs with arc attributes defining dynamic relationships among vertices modeling network entities, such as services, users, and machines. The virtual terrain representation is designed to allow feasible development and maintenance of the model, as well as efficacy in terms of the use of the model. This paper will describe the considerations in developing the virtual terrain schema, exemplary virtual terrain models, and algorithms utilizing the virtual terrain model for situation and threat assessment.

Collaboration

Top Co-Authors

Jared Holsopple, Rochester Institute of Technology

Haitao Du, Rochester Institute of Technology

Michael E. Kuhl, Rochester Institute of Technology

Stephen Moskal, Rochester Institute of Technology

John J. Salerno, Air Force Research Laboratory

Biru Cui, Rochester Institute of Technology

Brian Argauer, Rochester Institute of Technology

Stephen R. Byers, Rochester Institute of Technology

Ben Wheeler, Rochester Institute of Technology