Reasoning about Cyber Attribution

Abstract

Reasoning about Cyber Attribution - Shakarian, Arizona State University, shak@asu.edu
ONR-BAA15-001, ATTN: Sukarno Mertoguno, Code 31

PROPOSAL SUMMARY

Research Problem. The goal of this research is to make significant progress toward the development of an intelligent system that combines multiple sources of evidence to constructively attribute cyber-attacks and at the same time provide timely and accurate attribution decisions, even when the adversary employs deception. We note that none of the previous work on cyber-attribution leverages a dataset with ground truth information about the actual hacker groups, nor does any work attempt to provide a constructive result, whereby the analyst is informed as to how the system arrived at a particular attribution decision.

Technical Approach. The proposed work will build on the results of multiple past efforts and leverage the unique expertise of our team in the areas of artificial intelligence and cyber security. Specifically, we look to build upon our existing theoretical work on applying logic programming and argumentation to cyber attribution. Our previously developed theoretical foundation, a framework called InCA (Intelligent Cyber Attribution) that combines argumentation, probabilistic reasoning, and logic programming, is designed to overcome, by means of an argumentation process, the inconsistencies arising from an adversary’s deceptive activities. InCA will lay the groundwork for the current effort. We will implement InCA and perform thorough experiments. In order to overcome the lack of ground truth we noted in previous work, we will use on-hand DEFCON capture-the-flag (CTF) data to test a new approach that not only identifies the hacking group (as opposed to just the computer system) but also allows for analysis of multiple sources of intelligence (network traffic, host data, and malware analysis). Our dataset, developed and analyzed over the past six months, consists of 10 million cyber events with ground truth and ample evidence of deception.

Anticipated Outcomes. We will design and implement an intelligent system for cyber-attribution that factors in multiple sources of information, reasons about potentially contradicting pieces of evidence, and provides a constructive result that shows the analyst how the system arrived at a given conclusion. The proposed work will build on InCA to advance the state of the art in the following ways: (1) the development of tractable algorithms, (2) the learning of the underlying knowledge base, and (3) experiments demonstrating the performance in a real-world setting. Further, this work is expected to enhance the state of the art in argumentation and logic programming, as it will result in the first implementation of a system for probabilistic argumentative reasoning applied to a real-world application.

Principal Investigator: Paulo Shakarian, Arizona State University
Requested Total Funds (for three years): $400,567

Document Details

Document Type
DoD Grant Award
Publication Date
Aug 08, 2016
Source ID
N000141512742

Entities

People

  • Paulo Shakarian

Organizations

  • Arizona State University
  • Office of Naval Research
  • United States Navy

Tags

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Educational Psychology
  • Research Science/Academic Research

Technology Areas

  • AI & ML
  • Cyber
  • Cyber - Legality in Cyberspace