The war to establish cyber supremacy continues, and the literature is crowded with strictly technical cyber security measures. We present the results of a three year LDRD project using Linkography, a methodology new to the field of cyber security, we establish the foundation necessary to track and profile the microbehavior of humans attacking cyber systems. We also propose ways to leverage this understanding to influence and deceive these attackers. We studied the science of linkography, applied it to the cyber security domain, implemented a software package to manage linkographs, generated the preprocessing blocks necessary to ingest raw data, produced machine learning models, created ontology refinement algorithms and prototyped a web application for researchers and practitioners to apply linkography. Machine learning produced some of our key results: We trained and validated multinomial classifiers with a real world data set and predicted the attacker's next category of action with 86 to 98% accuracy; dimension reduction techniques indicated that the linkography-based features were among the most powerful. We also discovered ontology refinement algorithms that advanced the state of the art in linkography in general and cyber security in particular. We conclude that linkography is a viable tool for cyber security; we look forward to expanding our work to other data sources and using our prediction results to enable adversary deception techniques.
In the realm of cyber security, recent events have demonstrated the need for a significant change in the philosophies guiding the identification and mitigation of attacks. The unprecedented increase in the quantity and sophistication of cyber attacks in the past year alone has proven the inadequacy of current defensive philosophies that do not assume continuous compromise. This has given rise to new perspectives on cyber defense where, instead of total prevention, threat intelligence is the crucial tool allowing the mitigation of cyber threats. This paper formalizes a new framework for obtaining threat intelligence from an active cyber attack and demonstrates the realization of this framework in the software tool, LinkShop. Specifically, using the behavioral analysis technique known as linkography, our framework allows cyber defenders to, in an automated fashion, quantitatively capture both general and nuanced patterns in attacker's behavior - pushing capabilities for generating threat intelligence far beyond what is currently possible with rudimentary indicators of compromise and into the realm of capability needed to combat future cyber attackers. Furthermore, this paper shows in detail how such knowledge can be achieved by using LinkShop on actual cyber event data and lays a foundation for further scientific investigation into cyber attacker behavior.