Layered Inference for Cyber Network Knowledge Synthesis (LINKS)

Providing effective cyber defense for the DoD is compounded by the fact there is not a single physical or logical entity that defines cyberspace. In reality, DoD networks are often composed of three disparate but interacting layers: a physical layer that defines the structure of the network (e.g., computers and routers), a logical layer that represents the static or dynamic state of data within the physical layer (e.g., data accesses and modifications), and a human layer that describes the users and their interactions with each other and the other layers (e.g., project teams). Existing cyber defense solutions often only target malicious or anomalous activities within a single layer, and thereby neglect patterns, behaviors, or anomalies that may span multiple layers and indicate malicious behavior. To address this technological gap in cyber defense, Charles River Analytics proposes to design and demonstrate Layered Inference for Cyber Network Knowledge Synthesis (LINKS). This powerful tool uses real-time data to infer a multi-layer event graph and extracts complex normal and anomalous patterns across the layers of cyberspace. Ultimately, LINKS will enable cyber defenders and analysts to visualize and understand the complexity of cyberspace and more effectively respond to cyber threats.