In this paper we introduce SCARE — the Spatial Cultural Abductive Reasoning Engine, which solves spatial abduction problems (Shakarian, Subrahmanian, and Sapino 2009). We review results of SCARE for activities by Iranian-sponsored “Special Groups” (Kagan, Kagan, and Pletka 2008) operating throughout the Baghdad urban area and compare these findings with new experiments where we predict IED cache sites of the Special Groups in Sadr City. We find that by localizing the spatial abduction problem to a smaller area we obtain greater accuracy - predicting cache sites within 0.33 km as opposed to 0.72 km for all of Baghdad. We suspect that local factors of physical and cultural geography impact reasoning with spatial abduction for this problem.
When Randy Bilyeu disappeared, he was hunting for the Fenn Treasure, a chest allegedly filled with gold, precious stones, and jewelry, supposedly hidden in the Rocky Mountains north of Santa Fe, New Mexico. In 2010, 79-year-old millionaire art dealer (and former Vietnam fighter pilot) Forrest Fenn filled a bronze chest with rare metals, jewels, and artifacts, and then hid it in the mountains. Later that year, he published his autobiography, The Thrill of the Chase, which included a 24-line poem that he says contains the clues necessary to track down the treasure chest. Since then, he has become something of a global celebrity; in 2013, he appeared on NBC's Today Show to issue some new clues about the place where the chest had been hidden. Bilyeu happened to catch the episode on TV and became obsessed with finding the Fenn treasure, against all odds and his friends' and family's better judgement.
Recent incidents of data breaches call for organizations to proactively identify cyber attacks on their systems. Darkweb/Deepweb (D2web) forums and marketplaces provide environments where hackers anonymously discuss existing vulnerabilities and commercialize malicious software to exploit those vulnerabilities. These platforms offer security practitioners a threat intelligence environment that allows them to mine for patterns related to organization-targeted cyber attacks. In this paper, we describe a system (called DARKMENTION) that learns association rules correlating indicators of attacks from D2web to real-world cyber incidents. Using the learned rules, DARKMENTION generates and submits warnings to a Security Operations Center (SOC) prior to attacks. Our goal was to design a system that automatically generates enterprise-targeted warnings that are timely, actionable, accurate, and transparent. We show that DARKMENTION meets this goal. In particular, we show that it outperforms baseline systems that attempt to generate warnings of cyber attacks related to two enterprises, with an average increase in F1 score of about 45% and 57%. Additionally, DARKMENTION was deployed as part of a larger system that is built under a contract with the IARPA Cyber-attack Automated Unconventional Sensor Environment (CAUSE) program. It is actively producing warnings that precede attacks by an average of 3 days.
Robertson, John (Arizona State University) | Paliath, Vivin (Arizona State University) | Shakarian, Jana (Arizona State University) | Thart, Amanda (Arizona State University) | Shakarian, Paulo (Arizona State University)
Penetration testing is regarded as the gold standard for understanding how well an organization can withstand sophisticated cyber-attacks. However, the recent prevalence of markets specializing in zero-day exploits on the darknet makes exploits widely available to potential attackers. The cost associated with these sophisticated kits generally precludes penetration testers from simply obtaining such exploits, so an alternative approach is needed to understand which exploits an attacker will most likely purchase and how to defend against them. In this paper, we introduce a data-driven security game framework to model an attacker and provide policy recommendations to the defender. In addition to providing a formal framework and algorithms to develop strategies, we present experimental results from applying our framework, for various system configurations, to real-world exploit market data actively mined from the darknet.
A major challenge in cyber-threat analysis is combining information from different sources to find the person or group responsible for a cyber-attack. It is one of the most important technical and policy challenges in cyber-security. The lack of ground truth about the individual responsible for an attack has limited previous studies. In this paper, we overcome this limitation by building a dataset from the capture-the-flag event held at DEFCON, and we propose an argumentation model based on a formal reasoning framework called DeLP (Defeasible Logic Programming) designed to aid an analyst in attributing a cyber-attack to an attacker. We build argumentation-based models from latent variables computed from the dataset to reduce the search space of culprits (attackers) that an analyst can use to identify the attacker. We show that reducing the search space in this manner significantly improves the performance of classification-based approaches to cyber-attribution.