Cyber Adversary Discovery Engine (CADE)
Phone: (617) 491-3474
Email: bloyall@cra.com
Phone: (617) 491-3474
Email: ehartnett@cra.com
Contact: Magy Seif El-Nasr
Address:
Phone: (617) 373-3928
Type: Nonprofit College or University
Cyber warfare is a rapidly expanding, critical battlefield for the US Navy. Attacks on infrastructure, ship systems, and sailors themselves can significantly reduce operational readiness and deployment time, and can be very costly. To prepare and successfully defend this rapidly evolving battlefield, defensive cyberspace operations (DCOs) must analyze and forensically investigate attacks, but few tools support this analysis. Skilled analysts must manually and forensically analyze attacker behaviors, which requires significant investments in staff, time, and money, and limits the breadth and depth of the possible analyses. These constraints limit situation awareness of critical adversary behaviors, defensive preparedness, and the ability to defend critical assets. To address this need, Charles River Analytics conducted a Phase I effort to design and demonstrate the feasibility of the Cyber Adversary Discovery Engine (CADE) for forensic cyber analysis. CADE combines expressive behavioral modeling technology with machine learning to automatically recognize adversary behaviors, goals, and tactics, techniques and procedures (TTPs). CADE also automatically recognizes changes in adversary TTPs that occur in forensic data, and provides a collaborative AI-based partner to enable analysts to deeply understand the behaviors, goals and TTPs of attackers. We propose a Phase II effort to develop a full-scope CADE system, which will include: (1) the Cyber Behavioral Modeling System, which models the dynamic and adaptive cyber attacker behaviors; (2) algorithms and methods, based on probabilistic programming, that infer behaviors, goals, and TTPs from data; and (3) the Interactive Cyber Visualization and Exploration system, which visualizes complex cyber data, as well as the inferred behaviors, goals, and TTPs. 
Under a Phase II effort, we will demonstrate and evaluate this system under realistic conditions to elicit feedback and assess functionality to ensure CADE meets the expectations of end users. Ultimately, CADE’s cutting-edge behavioral analysis will help analysts in Government and commercial markets understand the higher level TTPs and goals of adversaries, and will advance the technology used to perform forensic cyber analysis for cyber-social and cyber-technical attacks. Understanding the behaviors of adversaries will support a wide range of defensive strategies that are key to our national security, and will help create simulation environments to bolster our nation’s defense against subtle and pervasive attacks on social media platforms and computer systems.
* Information listed above is at the time of submission. *