Mr McCusker has been researching and developing the use of Network Behavioral Analysis (NBA) in cyber defense. In 2006 DHS S&T funded an NBA-based fusion prototype. In 2009, this work was transformed into establishing a Cyber Behavior Analytics capability. Mr McCusker has been invited to a number of workshops and symposiums, including the 2009 National Cyber Leap Year NITRD, the 2010 NATO R&T Cyber Defense Workshop in Estonia, and the 2011 Global Cyber-physical Supply Chain Summit in Wales with MIT. Mr McCusker holds a Master's in Computer Science from Rensselaer Polytechnic Institute and is an SME for MIT’s Geospatial Data Center.
Deriving Behavior Primitives from Aggregate Network Features using Support Vector Machines
Co-authors: Scott Brunza (Sonalysts, Inc) & Dipankar Dasgupta (University of Memphis)
Establishing long-view situation awareness of threat agents requires an operational capability that scales to large volumes of network data, leveraging the past to make sense of the present and to anticipate the future. Yet today we are dominated by short-view capabilities driven by misuse-based strategies that are triggered by the structural qualities of attack vectors. The structural aspects of cyber threats are in constant flux, rendering most defensive technologies reactive to previously unknown attack vectors. Unlike structural signature-based approaches, both the real-time and aggregate behaviors exhibited by cyber threats over a network provide insight for making sense of anomalies found on our networks. In this work, we explore the challenges posed in identifying and developing a set of behavior primitives that facilitate the creation of threat narratives used to describe cyber threat anomalies. Thus, we investigate the use of aggregate behaviors derived from network flow data to establish initial behavior models for detecting complex cyber threats such as Advanced Persistent Threats (APTs). Our cyber data fusion prototype employs a unique layered methodology that extracts features from network flow data and aggregates them by time. This approach is more scalable and flexible in its application to large network data volumes. The preliminary evaluation of the proposed methodology and supporting models shows some promising results.
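As an added illustration of the layered approach the abstract describes (this is example code, not the authors' prototype): constructed flow records are aggregated into per-host, per-window feature vectors, and a linear SVM fitted with the Pegasos method separates the windows of a normal host from those of a host sending many tiny flows to a single destination. The 60-second window, the three aggregate features, the hosts h1/h2, and the labels are all assumptions made for the example.

```python
from collections import defaultdict
import random
WINDOW_S = 60  # aggregation window in seconds (assumed; the abstract gives no value)

def make_flows(seed=1):
    """Constructed flows (ts, src, dst, bytes): h1 is a normal host, h2 beacons."""
    rng, flows = random.Random(seed), []
    for win in range(20):
        base = win * WINDOW_S
        for _ in range(rng.randint(3, 8)):    # h1: few, varied, larger flows
            flows.append((base + rng.randint(0, 59), "h1", f"d{rng.randint(1, 30)}", rng.randint(800, 60000)))
        for _ in range(rng.randint(25, 40)):  # h2: many tiny flows to one destination
            flows.append((base + rng.randint(0, 59), "h2", "c2", rng.randint(60, 120)))
    return flows

def aggregate(flows, window_s=WINDOW_S):
    """Layer 1: aggregate flows per (src, window) into [count, mean bytes, distinct dsts]."""
    buckets = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        buckets[(src, ts // window_s)].append((dst, nbytes))
    return {k: [len(v), sum(b for _, b in v) / len(v), len({d for d, _ in v})]
            for k, v in buckets.items()}

def zscore(rows):
    """Standardise each feature column, then append a constant 1.0 as the bias term."""
    means = [sum(c) / len(c) for c in zip(*rows)]
    stds = [(sum((x - m) ** 2 for x in c) / len(c)) ** 0.5 or 1.0 for c, m in zip(zip(*rows), means)]
    return [[(x - m) / s for x, m, s in zip(r, means, stds)] + [1.0] for r in rows]

def train_svm(X, y, lam=0.1, epochs=100, seed=0):
    """Layer 2: linear SVM fitted with the Pegasos stochastic subgradient method."""
    rng, w = random.Random(seed), [0.0] * len(X[0])
    for t in range(1, epochs * len(X) + 1):
        i = rng.randrange(len(X))
        eta = 1.0 / (lam * t)
        violated = y[i] * sum(wi * xi for wi, xi in zip(w, X[i])) < 1  # hinge loss > 0
        w = [(1 - eta * lam) * wi for wi in w]
        if violated:
            w = [wi + eta * y[i] * xi for wi, xi in zip(w, X[i])]
    return w

def predict(w, x):
    return 1 if sum(wi * xi for wi, xi in zip(w, x)) >= 0 else -1

def demo():
    feats = aggregate(make_flows())
    X = zscore([feats[k] for k in sorted(feats)])
    y = [1 if k[0] == "h2" else -1 for k in sorted(feats)]  # constructed labels
    w = train_svm(X, y)
    return sum(predict(w, x) == t for x, t in zip(X, y)) / len(y)  # training accuracy
```

The learned weight vector is the "behavior primitive" for this pair of hosts: windows with high flow count, low mean bytes and a single destination fall on one side of the boundary, and new windows can be scored by the same aggregation without re-reading raw flows.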