CLAD: Classification Labeling of Aggregated Data

ABSTRACT: 21CT proposes the Classification Labeling of Aggregated Data (CLAD) Phase 2 effort. CLAD supports a"need-to-share"paradigm to aid in historical cyber traffic analysis and cyber target discovery. The alert-to-share capability determines if multiple analysts are continually accessing information with common entities, and alerts relevant analysts that the potential for collaboration exists. The notification indicates to users what information may be beneficial to share and why, based on the relationship of their independent investigations. The alert-to-share capability accelerates the discovery of knowledge and completion of investigations, enables users to benefit from analysis of previous or concurrent investigations, and reduces duplication of effort. BENEFIT: The alert-to-share capability connects analysts investigating similar activity, which reduces duplication of effort and improves efficiency and accuracy in determining false/true positives (by combining their historical experience/observations). Furthermore, the notifications can alert analysts to recall historical investigations, which then saves analyst the time required to start a"new"investigation from scratch. Analysts performing defensive operations often do not share information with analysts performing counter operations, and alert-to-share can facilitate coordination of their efforts to accelerate the discovery of knowledge and completion of both missions.