Cyber-Social Security Models

Cybersecurity is paramount to protecting our national interests in domains that extend well beyond defense and finance. However, current state-of-the-art cyber-defenses have severely limited predictive and attribution capabilities. Most of them are reactive in nature and rely on evidence produced by post-event electronic trace analysis. As a result, cyber-attacks can at best be detected while they occur and, in most cases, are discovered well after the attack has terminated. However, detecting and understanding attacks is not sufficient. To understand why a cyber-attack has occurred, and most importantly, when it will occur and by whom it may be perpetrated, we need to understand what the identities, values, incentives, and communication modes of the involved individuals are.

We develop systematic methods for classifying adversarial groups based on distinct features of their cyber footprint. To accomplish this goal, we model cyber-attack features using feature-extraction techniques on diverse data sources (electronic traces, IP/AS connectivity maps, geo-location, social engineering attack logs, malware databases). We further classify adversarial groups based on their feature similarities and enhance the group classification using analytic techniques from social network science. Our goal is to establish fundamental links between cyber-threats and the adversarial groups that launch them. More specifically, we investigate different models for constructing joint representations of computer and social networks under a multi-mode graph framework. We develop data reduction and feature extraction techniques for attributing large datasets to the unified graph model. We apply social network models and analytic tools to infer the adversarial group typology.
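The multi-mode graph model and feature-similarity grouping described above, as an added illustration that is not the project's own code: actors and events form the social side, AS numbers and techniques the computer-network side; each actor's footprint is its two-hop projection in the joint graph, and actors are grouped by Jaccard similarity of footprints. The events, handles, ASNs and threshold are all constructed.

```python
from collections import defaultdict
from itertools import combinations
# Constructed sample data (not real traces): attack events, each attributed to an
# actor handle together with the AS numbers and techniques observed in the event.
EVENTS = [
    {"event": "e1", "actor": "grpA", "asn": ["AS100", "AS200"], "technique": ["phish", "c2-dns"]},
    {"event": "e2", "actor": "grpA", "asn": ["AS100"], "technique": ["phish"]},
    {"event": "e3", "actor": "grpB", "asn": ["AS100", "AS200"], "technique": ["phish", "c2-dns"]},
    {"event": "e4", "actor": "grpC", "asn": ["AS900"], "technique": ["ddos"]},
    {"event": "e5", "actor": "grpD", "asn": ["AS900", "AS950"], "technique": ["ddos", "amplif"]},
]

def build_multimode_graph(events):
    """Nodes are (mode, id) pairs; edges run actor -> event -> AS / technique."""
    adj = defaultdict(set)
    def link(a, b):
        adj[a].add(b); adj[b].add(a)
    for ev in events:
        e = ("event", ev["event"])
        link(("actor", ev["actor"]), e)  # social side of the joint graph
        for asn in ev["asn"]:
            link(e, ("as", asn))  # computer-network side (IP/AS connectivity)
        for t in ev["technique"]:
            link(e, ("technique", t))
    return adj

def actor_footprint(adj, actor):
    """Two-hop projection: AS and technique nodes reachable via the actor's events."""
    feats = set()
    for e in adj[("actor", actor)]:
        feats |= {n for n in adj[e] if n[0] in ("as", "technique")}
    return feats

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def cluster_actors(adj, threshold=0.5):
    """Union-find grouping of actors whose footprints overlap at or above threshold."""
    actors = sorted(n[1] for n in adj if n[0] == "actor")
    parent = {a: a for a in actors}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    fp = {a: actor_footprint(adj, a) for a in actors}
    for a, b in combinations(actors, 2):
        if jaccard(fp[a], fp[b]) >= threshold:
            parent[find(a)] = find(b)  # single linkage: one strong overlap merges clusters
    groups = defaultdict(list)
    for a in actors:
        groups[find(a)].append(a)
    return sorted(sorted(g) for g in groups.values())  # each cluster: a candidate group
```

Raising the threshold splits grpC and grpD, which share only an ASN and one technique, while grpA and grpB remain together because their footprints are identical.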

Related Project

NSF CNS-1347075: EAGER: Human-Centric Predictive Analytics of Cyber-Threats: a Temporal Dynamics Approach - with Brinton Milward (PI), Ron Breiger (co-PI), and Jerzy Rozenblit (co-PI)