
    Malware in the Future? Forecasting of Analyst Detection of Cyber Events

    There have been extensive efforts in government, academia, and industry to anticipate, forecast, and mitigate cyber attacks. A common approach is time-series forecasting of cyber attacks based on data from network telescopes, honeypots, and automated intrusion detection/prevention systems. This research has uncovered key insights such as systematicity in cyber attacks. Here, we propose an alternate perspective on this problem by forecasting attacks that are analyst-detected and -verified occurrences of malware. We call these instances of malware cyber event data. Specifically, our dataset consists of analyst-detected incidents from a large operational Computer Security Service Provider (CSSP) for the U.S. Department of Defense, which rarely relies only on automated systems. Our dataset consists of weekly counts of cyber events over approximately seven years. Since all cyber events were validated by analysts, our dataset is unlikely to contain the false positives that are often endemic in other sources of data. Further, the higher-quality data could be used for a number of purposes, including resource allocation, estimation of security resources, and the development of effective risk-management strategies. We used a Bayesian State Space Model for forecasting and found that events one week ahead could be predicted. To quantify bursts, we used a Markov model. Our findings of systematicity in analyst-detected cyber attacks are consistent with previous work using other sources. The advance information provided by a forecast may help with threat awareness by providing a probable value and range for future cyber events one week ahead. Other potential applications for cyber event forecasting include proactive allocation of resources and capabilities for cyber defense (e.g., analyst staffing and sensor configuration) in CSSPs. Enhanced threat awareness may improve cybersecurity.
    Comment: Revised version resubmitted to journa

    Thoughts about a General Theory of Influence in a DIME/PMESII/ASCOP/IRC2 Model

    The leading question of this paper is: “How would influence warfare (“iWar”) work and how can we simulate it?” The paper discusses foundational aspects of a theory and model of influence warfare by discussing a framework built along the DIME/PMESII/ASCOP dimensions, forming a prism with three axes. The DIME concept groups the many instruments of power a nation state can muster into four categories: Diplomacy, Information, Military and Economy. PMESII describes the operational environment in six domains: Political, Military, Economic, Social, Information and Infrastructure. ASCOPE is used in counter-insurgency (COIN) environments to analyze the cultural and human environment (aka the “human terrain”) and encompasses Areas, Structures, Capabilities, Organization, People and Events. In addition, the model reflects on aspects of information collection requirements (ICR) and information capabilities requirements (ICR), hence DIME/PMESII/ASCOP/ICR2. This model was developed from an influence wargame that was conducted in October 2018. This paper introduces basic methodical questions around model building in general and puts a special focus on building a framework for the problem space in which influence/information/hybrid warfare takes its shape. The article tries to describe mechanisms and principles in the information/influence space using cross-discipline terminology (e.g. physics, chemistry and literature). On a more advanced level, this article contributes to the Human, Social, Culture, Behavior (HSCB) models and community. One goal is to establish an academic, multinational and whole-of-government influence wargamer community. This paper introduces the idea of the perception field, understood as a molecule of a story or narrative that influences an observer. This molecule can be drawn as a selection of vectors that can be built inside the DIME/PMESII/ASCOP prism. Each vector can be influenced by a shielding or shaping action. These ideas were explored in this influence wargame.

    Cyber security situational awareness


    Solutions to Detect and Analyze Online Radicalization : A Survey

    Online Radicalization (also called Cyber-Terrorism, Extremism, Cyber-Racism or Cyber-Hate) is widespread and has become a major and growing concern to society, governments and law enforcement agencies around the world. Research shows that various platforms on the Internet (low barrier to publish content, allows anonymity, provides exposure to millions of users and the potential for very quick and widespread diffusion of a message) such as YouTube (a popular video sharing website), Twitter (an online micro-blogging service), Facebook (a popular social networking website), online discussion forums and the blogosphere are being misused for malicious intent. Such platforms are being used to form hate groups and racist communities, spread extremist agendas, incite anger or violence, promote radicalization, recruit members and create virtual organizations and communities. Automatic detection of online radicalization is a technically challenging problem because of the vast amount of data, unstructured and noisy user-generated content, dynamically changing content and adversary behavior. There are several solutions proposed in the literature aiming to combat and counter cyber-hate and cyber-extremism. In this survey, we review solutions to detect and analyze online radicalization. We review 40 papers published at 12 venues from June 2003 to November 2011. We present a novel classification scheme to classify these papers. We analyze these techniques, perform trend analysis, discuss limitations of existing techniques and identify research gaps.