
Portable Analytics for Multi-Stage Cyber Attack Investigation


OUSD (R&E) CRITICAL TECHNOLOGY AREA(S): Integrated Sensing and Cyber; Trusted AI and Autonomy


OBJECTIVE: Develop forward-deployed portable analytics to automate initial stages of cyber attack investigation in connectivity-disadvantaged tactical platforms. The technology is needed to reconstruct attack stories, distilling the most important related events from vast quantities of low-level system and network data.


DESCRIPTION: As cyber attacks continue to escalate in complexity and Advanced Persistent Threat (APT) actors shift to using low-and-slow multi-stage attacks, cyber intrusion detection has come to be treated as a Big Data problem. Modern approaches require that a wide variety of information and sensor streams come together in an integrated analysis environment, with human and machine analytics combing the data feeds, hunting for needles in the haystack.


However, in connectivity-disadvantaged tactical environments, the fine-grained cyber event data (interface calls, low-level system logs, packet captures, event attestation, etc.) generated by a platform’s information systems cannot be streamed back to a centralized repository in a timely manner. This limits cyber attack investigations: either central analysis relies on incomplete, untimely, or reduced-precision data, or analytics that expect a global picture have to be pushed out to edge nodes, which both reduces their effectiveness and separates them from the cyber hunt experts best equipped to make use of them.


To better address the problem of conducting effective Defensive Cyber Operations (DCO) on systems where connectivity is Denied, Degraded, Intermittent, or Limited (DDIL), new technology is needed to enable a multi-stage forensics approach to cyber event analysis and investigation. To feed later stages of analysis, edge-deployable portable analytics are needed that distill the rich onboard system and network event data, enabling the platform to make the most efficient use of any upstream connection.


The analytics must not rely on having any backhaul connectivity or onboard operator expertise beyond a most basic set of hints such as an operator noticing that a service crashed or that a subsystem was behaving oddly. The analytics should seek out connections and sequences in the system and network data that map to possible attack tactics, techniques, and procedures (TTPs), then bundle relevant data for priority offboarding to a more centralized analysis platform where it could be further triaged.
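As an added illustration (not part of this topic description or of any offeror's solution), a small Python sketch of the edge-side distillation step described above: starting from the operator's hint that a service crashed, it walks the process lineage in a constructed event sample, keeps only causally related events, checks their order against a hypothetical TTP-like sequence, and marks the bundle's offboarding priority. The event records, the `SUSPECT_SEQUENCE` pattern, and the stop-at-pid-1 rule are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample of host events from one edge node (not real data).
EVENTS = [
    {"ts": 1, "kind": "process_start", "pid": 100, "ppid": 1, "detail": "svc_updater"},
    {"ts": 2, "kind": "process_start", "pid": 200, "ppid": 1, "detail": "logrotate"},
    {"ts": 3, "kind": "net_connect", "pid": 100, "detail": "10.0.0.5:443"},
    {"ts": 4, "kind": "process_start", "pid": 101, "ppid": 100, "detail": "sh"},
    {"ts": 5, "kind": "file_write", "pid": 200, "detail": "/var/log/syslog.1"},
    {"ts": 6, "kind": "process_start", "pid": 102, "ppid": 101, "detail": "curl"},
    {"ts": 7, "kind": "net_connect", "pid": 102, "detail": "10.0.0.5:8080"},
    {"ts": 8, "kind": "file_write", "pid": 101, "detail": "/tmp/payload"},
    {"ts": 9, "kind": "crash", "pid": 100, "detail": "svc_updater SIGSEGV"},
]
# Hypothetical ordered pattern treated as a possible TTP chain (assumption).
SUSPECT_SEQUENCE = ("net_connect", "process_start", "file_write")

def related_pids(events, seed_pid):
    # Ancestors explain how the seed got here; descendants show what it did.
    parent, children = {}, defaultdict(set)
    for e in events:
        if e["kind"] == "process_start":
            parent[e["pid"]] = e["ppid"]
            children[e["ppid"]].add(e["pid"])
    pids, p = {seed_pid}, seed_pid
    while parent.get(p, 1) != 1:  # walk up until init (pid 1)
        p = parent[p]
        pids.add(p)
    stack = list(pids)
    while stack:
        new = children.get(stack.pop(), set()) - pids
        pids |= new
        stack.extend(new)
    return pids

def matches_sequence(kinds, pattern=SUSPECT_SEQUENCE):
    # True if pattern occurs in order (not necessarily adjacent) within kinds.
    i = 0
    for k in kinds:
        if i < len(pattern) and k == pattern[i]:
            i += 1
    return i == len(pattern)

def distill(events, hint_pid):
    # Keep only events causally tied to the operator's hint, then rate for offboarding.
    keep = related_pids(events, hint_pid)
    story = sorted((e for e in events if e["pid"] in keep), key=lambda e: e["ts"])
    prio = "high" if matches_sequence([e["kind"] for e in story]) else "low"
    return {"seed_pid": hint_pid, "events": story, "priority": prio,
            "reduction": round(1 - len(story) / len(events), 3)}
```

The returned bundle is what would be queued for priority offboarding; the `reduction` field shows how much of the raw feed the upstream link is spared.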


PHASE I: Define and develop a concept for automated rapid cyber forensics that can enable multi-stage cyber attack investigation and meet the constraints outlined in the Description. Provide a model of how the analytics would feed the cyber event distillation. The Phase I Option, if exercised, would develop the initial distillation capability needed to create the full prototype in Phase II.


PHASE II: Develop a containerized portable analytic capability to validate the concepts defined in Phase I. Demonstrate attack story reconstruction and key data distillation by ingesting several different types of system and network data. The prototype should be deployable on a connectivity-disadvantaged edge node and able to inform a cyber big data platform by the end of Phase II.


PHASE III DUAL USE APPLICATIONS: Integrate the portable analytics prototype developed in Phase II into a program as a component of a DCO system. Field the containerized analytic with appropriate data ingestors and the capability to integrate with existing data fabrics. Commercial use includes cyber security analysis in various sectors such as automotive, IoT, robotics, agricultural, and industrial control.





KEYWORDS: Cyber, Defensive Cyber Operations, Forensics, Sequence Learning, Situational Awareness, Artificial Intelligence/Machine Learning, AI/ML, Denied, Degraded, Intermittent, or Limited, DDIL
