This paper discusses how methods used for conventional multiple hypothesis tracking (MHT) can be extended to
domain-agnostic tracking of entities from non-kinematic constraints such as those imposed by cyber attacks in a
potentially dense false alarm background. MHT is widely recognized as the premier method to avoid corrupting tracks
with spurious data in the kinematic domain but it has not been extensively applied to other problem domains. The
traditional approach is to tightly couple track maintenance (prediction, gating, filtering, probabilistic pruning, and target
confirmation) with hypothesis management (clustering, incompatibility maintenance, hypothesis formation, and N-association
pruning). However, by separating the domain-specific track maintenance portion from the domain-agnostic
hypothesis management piece, we can begin to apply the wealth of knowledge gained from ground and air tracking
solutions to the cyber (and other) domains. These realizations led to the creation of Raytheon's Multiple Hypothesis
Extensible Tracking Architecture (MHETA).
In this paper, we showcase MHETA for the cyber domain, plugging in a well established method, CUBRC's
INFormation Engine for Real-time Decision making, (INFERD), for the association portion of the MHT. The result is a
CyberMHT. We demonstrate the power of MHETA-INFERD using simulated data. Using metrics from both the
tracking and cyber domains, we show that while no tracker is perfect, by applying MHETA-INFERD, advanced non-kinematic
tracks can be captured in an automated way, perform better than non-MHT approaches, and decrease analyst
response time to cyber threats.
Extensive discussions have taken place in recent years regarding impact assessment: what is it and how can we do it? It
is especially intriguing in this modern era where non-traditional warfare has caused either information overload or
limited understanding of adversary doctrines. This work provides a methodical discussion of key elements for the broad
definition of impact assessment (IA). The discussion will start with a process flow involving components related to IA.
Two key functional components, impact estimation and threat projection, are compared and illustrated in detail. These
details include a discussion of when to model red and blue knowledge. Algorithmic approaches will be discussed,
augmented with lessons learned from our IA development for cyber situation awareness. This paper aims at providing
the community with a systematic understanding of IA and its open issues with specific examples.
Much research has been put forth towards the detection, correlation, and prediction of cyber attacks in recent years. As this
set of research progresses, there is an increasing need for contextual information of a computer network to provide an
accurate situational assessment. Typical approaches adopt contextual information as needed; yet such ad hoc effort may
lead to unnecessary or even conflicting features. The concept of virtual terrain is, therefore, developed and investigated
in this work. Virtual terrain is a common representation of crucial information about network vulnerabilities,
accessibilities, and criticalities. A virtual terrain model encompasses operating systems, firewall rules, running services,
missions, user accounts, and network connectivity. It is defined as connected graphs with arc attributes defining
dynamic relationships among vertices modeling network entities, such as services, users, and machines. The virtual
terrain representation is designed to allow feasible development and maintenance of the model, as well as efficacy in
terms of the use of the model. This paper will describe the considerations in developing the virtual terrain schema,
exemplary virtual terrain models, and algorithms utilizing the virtual terrain model for situation and threat assessment.
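As an added illustration (not the paper's schema or code), the following constructed virtual terrain is a small directed graph whose vertices are machines, services, users and missions and whose arcs carry attributes such as the firewall rule that permits a connection; a breadth-first walk from a compromised vertex, honouring only `allow` arcs, yields the missions exposed by that compromise. The vertex and arc attribute names are assumptions chosen for the example.

```python
"""Constructed toy virtual terrain: vertices are network entities, arcs carry
attributes (firewall rule, relationship type). Not the paper's own schema."""
from collections import deque

# Vertex name -> attributes (entity kind plus OS, port or mission criticality).
VERTICES = {
    "ws1":     {"kind": "machine", "os": "WinXP"},
    "web":     {"kind": "machine", "os": "Linux"},
    "db":      {"kind": "machine", "os": "Linux"},
    "http":    {"kind": "service", "port": 80},
    "sql":     {"kind": "service", "port": 3306},
    "alice":   {"kind": "user"},
    "payroll": {"kind": "mission", "criticality": 0.9},
}

# Arcs: (src, dst, attributes). A "reaches" arc records the firewall rule that
# governs it; "runs_on", "account" and "supports" are static relationships.
ARCS = [
    ("ws1",   "http",    {"rel": "reaches", "fw": "allow"}),
    ("ws1",   "sql",     {"rel": "reaches", "fw": "deny"}),
    ("http",  "web",     {"rel": "runs_on"}),
    ("web",   "sql",     {"rel": "reaches", "fw": "allow"}),
    ("sql",   "db",      {"rel": "runs_on"}),
    ("alice", "ws1",     {"rel": "account"}),
    ("db",    "payroll", {"rel": "supports"}),
]

def neighbours(vertex):
    """Arcs leaving `vertex` that a compromise can propagate along: a 'reaches'
    arc only when its firewall attribute is 'allow', other relationships always."""
    for src, dst, attr in ARCS:
        if src != vertex:
            continue
        if attr["rel"] == "reaches" and attr["fw"] != "allow":
            continue
        yield dst

def exposed_from(start):
    """Breadth-first walk of the terrain from a compromised vertex."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in neighbours(queue.popleft()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def missions_at_risk(start):
    """Missions reachable from `start`, ranked by criticality (highest first)."""
    hit = exposed_from(start)
    return sorted(((VERTICES[v]["criticality"], v) for v in hit
                   if VERTICES[v]["kind"] == "mission"), reverse=True)
```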
Current practice for combating cyber attacks typically uses Intrusion Detection Sensors (IDSs) to passively detect and block multi-stage attacks. This work leverages Level-2 fusion that correlates IDS alerts belonging to the same attacker, and proposes a threat assessment algorithm to predict potential future attacker actions. The algorithm, TANDI, reduces the problem complexity by separating the models of the attacker's capability and opportunity, and fuses the two to determine the attacker's intent. Unlike traditional Bayesian-based approaches, which require assigning a large number of edge probabilities, the proposed Level-3 fusion procedure uses only 4 parameters. TANDI has been implemented and tested with randomly created attack sequences. The results demonstrate that TANDI predicts future attack actions accurately as long as the attack is not part of a coordinated attack and contains no insider threats. In the presence of abnormal attack events, TANDI will alarm the network analyst for further analysis. The attempt to evaluate a threat assessment algorithm via simulation is the first in the literature, and shall open up a new avenue in the area of high level fusion.