
2015 | Book

Intelligent Methods for Cyber Warfare


About this book

Cyberwarfare has become an important concern for governmental agencies as well as businesses of various types. This timely volume, with contributions from some of the internationally recognized leaders in the field, gives readers a glimpse of the new and emerging ways that Computational Intelligence and Machine Learning methods can be applied to address problems related to cyberwarfare. The book includes a number of chapters that can be conceptually divided into three topics: chapters describing different data analysis methodologies with their applications to cyberwarfare, chapters presenting a number of intrusion detection approaches, and chapters dedicated to the analysis of possible cyber attacks and their impact. The book provides readers with a variety of methods and techniques, based on computational intelligence, which can be applied to the broad domain of cyberwarfare.

Table of contents

Frontmatter
Malware and Machine Learning
Abstract
Malware analysts use Machine Learning to aid in the fight against the unstemmed tide of new malware encountered on a daily, even hourly, basis. The marriage of these two fields (malware and machine learning) is a match made in heaven: malware contains inherent patterns and similarities due to code and code pattern reuse by malware authors; machine learning operates by discovering inherent patterns and similarities. In this chapter, we seek to provide an overhead, guiding view of machine learning and how it is being applied in malware analysis. We do not attempt to provide a tutorial or comprehensive introduction to either malware or machine learning, but rather the major issues and intuitions of both fields along with an elucidation of the malware analysis problems machine learning is best equipped to solve.
Charles LeDoux, Arun Lakhotia
Soft Computing Based Epidemical Crisis Prediction
Abstract
Epidemical crisis prediction is one of the most challenging examples of decision making with uncertain information. As in many other types of crises, epidemic outbreaks may pose various degrees of surprise as well as various degrees of “derivatives” of the surprise (i.e., the speed and acceleration of the surprise). Often, crises such as epidemic outbreaks are accompanied by a secondary set of crises, which might pose a more challenging prediction problem. One of the unique features of epidemic crises is the amount of fuzzy data related to the outbreak that spreads through numerous communication channels, including media and social networks. Hence, the key for improving epidemic crises prediction capabilities is in employing sound techniques for data collection, information processing, and decision making under uncertainty and exploiting the modalities and media of the spread of the fuzzy information related to the outbreak. Fuzzy logic-based techniques are some of the most promising approaches for crisis management. Furthermore, complex fuzzy graphs can be used to formalize the techniques and methods used for the data mining. Another advantage of the fuzzy-based approach is that it enables keeping account of events with perceived low possibility of occurrence via low fuzzy membership/truth-values and updating these values as information is accumulated or changed. In this chapter we introduce several soft computing based methods and tools for epidemic crises prediction. In addition to classical fuzzy techniques, the use of complex fuzzy graphs as well as incremental fuzzy clustering in the context of complex and high order fuzzy logic system is presented.
Dan E. Tamir, Naphtali D. Rishe, Mark Last, Abraham Kandel
An ACP-Based Approach to Intelligence and Security Informatics
Abstract
The field of Intelligence and Security Informatics (ISI) results from the integration and development of advanced information technologies, systems, algorithms, and databases for international, national, and homeland security-related applications, through an integrated technological, organizational, and policy-based approach. Traditionally, ISI research and applications have focused on information sharing and data mining, social network analysis, infrastructure protection, and emergency responses for security informatics. In recent years, with the continuous advance of related technologies and the increasing sophistication of national and international security, new directions in ISI research and applications have emerged that address the research challenges with advanced technologies, especially the advancements in social computing. This is the focus of discussion in the current chapter.
Fei-Yue Wang, Xiaochen Li, Wenji Mao
Microfiles as a Potential Source of Confidential Information Leakage
Abstract
Cyber wars, as well as conventional ones, do not comprise only direct military conflicts involving weapons like DDoS attacks. Throughout their history, intelligence and counterintelligence have played a major role as well. Information sources for intelligence can be closed (obtained through espionage) or open. In this chapter, we show that open information sources such as microfiles can be considered a potentially important additional source of information during cyber warfare. We illustrate, using an example based on real data, that ignoring issues concerning the provision of group anonymity can lead to leakage of confidential information. We show that it is possible to define fuzzy groups of respondents and obtain their distribution using an appropriate fuzzy inference system. We conclude the chapter by discussing methods for protecting distributions of crisp as well as fuzzy groups of respondents, and illustrate them by solving the task of providing group anonymity for a fuzzy group of “respondents who can be considered military enlisted members with the high level of confidence.”
Oleg Chertov, Dan Tavrov
Decision Support in Open Source Intelligence
Abstract
This chapter describes a decision support system specially designed for applications in open source intelligence. The decision support system was developed within the framework of the FP7 VIRTUOSO project. Firstly, we describe the overall scope and architecture of the VIRTUOSO platform. Secondly, we describe in detail some of the most representative components of the DSS. The components employ computational intelligence techniques such as knowledge representation, soft fusion and fuzzy logic. The DSS, together with other tools developed for the VIRTUOSO platform, will help intelligence analysts to integrate diverse sources of information, visualize them and have access to the knowledge extracted from these sources. Finally, we describe some applications of decision support systems in cyber-warfare.
Daniel Ortiz-Arroyo
Information Fusion Process Design Issues for Hard and Soft Information: Developing an Initial Prototype
Abstract
The Data and Information Fusion (DIF) process can be argued to have three main functions: Common Referencing (CR) (also known as “Alignment”), Data Association (DA), and State Estimation, as shown in Fig. 1.
James Llinas
Intrusion Detection with Type-2 Fuzzy Ontologies and Similarity Measures
Abstract
Intrusions carry a serious security risk for financial institutions. As new intrusion types appear continuously, detection systems have to be designed to be able to identify attacks that have never been experienced before. Insights provided by knowledgeable experts can contribute to a high extent to the identification of these anomalies. Based on a critical review of the relevant literature in intrusion detection and similarity measures of interval-valued fuzzy sets, we propose a framework based on fuzzy ontology and similarity measures to incorporate expert knowledge and represent and make use of imprecise information in the intrusion detection process. As an example we developed a fuzzy ontology based on the intrusion detection needs of a financial institution.
Robin Wikström, József Mezei
A Multi-objective Genetic Algorithm Based Approach for Effective Intrusion Detection Using Neural Networks
Abstract
In this paper, a novel multi-objective genetic algorithm (MOGA) based approach is proposed for effective intrusion detection based on benchmark datasets. The proposed approach can generate a pool of non-inferior individual solutions and ensemble solutions thereof. The generated ensembles can be used to detect intrusions accurately. For the intrusion detection problem, the proposed MOGA based approach can consider conflicting objectives simultaneously, such as the detection rate of each attack class, error rate, accuracy, diversity, etc. The proposed approach can generate a pool of non-inferior solutions and their ensembles with optimized trade-off values of multiple conflicting objectives. In this paper, a three-phase MOGA based approach is proposed to generate solutions with a simple chromosome design in the first phase. In the first phase, a Pareto front of non-inferior individual solutions is approximated. In the second phase of the proposed approach, the entire solution set is further refined to determine effective ensemble solutions considering solution interaction. In this phase, another improved Pareto front of ensemble solutions over that of individual solutions is approximated. The ensemble solutions in the improved Pareto front reported improved detection results based on benchmark datasets for intrusion detection. In the third phase, a combination method such as majority voting is used to fuse the predictions of individual solutions for determining the prediction of the ensemble solution. Benchmark datasets, namely the KDD Cup 1999 and ISCX 2012 datasets, are used to demonstrate and validate the performance of the proposed approach for intrusion detection. The proposed approach can discover individual solutions and ensemble solutions thereof with good support and detection rate from benchmark datasets (in comparison with well-known ensemble methods like bagging and boosting). In addition, the proposed approach is a generalized classification approach that is applicable to the problem of any field having multiple conflicting objectives and a dataset that can be represented in the form of labeled instances in terms of its features.
Gulshan Kumar, Krishan Kumar
Cyber Insider Mission Detection for Situation Awareness
Abstract
Cyber insider detection is challenging due to the difficulty in differentiating legitimate activities from malicious ones. This chapter will begin by providing a brief review of existing works in the machine learning community that offer treatments for cyber insider detection. The review will lead to our recent research advance that focuses on early detection of an ongoing insider mission instead of trying to determine whether individual events are malicious or not. Multiple automated software agents are assumed to possess different account privileges on different hosts, to perform different dimensions of a complex insider mission. This work develops an integrated approach that utilizes Hidden Markov Models to estimate the suspiciousness level of insider activities, and then fuses these suspiciousness values across insider activity dimensions to estimate the progression of an insider mission. The fusion across cyber insider dimensions is accomplished using a combination of Fuzzy rules and Ordered Weighted Average functions. Experimental results based on simulated data show that the integrated approach detects the insider mission with high accuracy and in a timely manner, even in the presence of obfuscation techniques.
Haitao Du, Changzhou Wang, Tao Zhang, Shanchieh Jay Yang, Jai Choi, Peng Liu
A Game Theoretic Engine for Cyber Warfare
Abstract
The nature of the cyber warfare environment creates a unique confluence of situational awareness, understanding of correlations between actions, and measurement of progress toward a set of goals. Traditional fusion methods leverage the physical properties of objects and actions about those objects. These physical properties in many cases simply do not apply to cyber network objects. As a result, systematic, attributable measurement and understanding of the cyber warfare environment requires a different approach. We describe the application of a mathematical search engine having inherent design features that include tolerance of missing or incomplete data, virtually connected action paths, highly dynamic tactics and procedures, and broad variations in temporal correlation. The ability to efficiently consider a breadth of possibilities, combined with a chiefly symbolic computation outcome, offers unique capabilities in the cyber domain.
Allen Ott, Alex Moir, John T. Rickard
Mission Impact Assessment for Cyber Warfare
Abstract
Cyber networks are used extensively not only by a nation’s military to protect sensitive information and execute missions, but also by the primary infrastructure that provides services that enable modern conveniences such as education, potable water, electricity, natural gas, and financial transactions. Disruption of any of these services could have widespread impacts on citizens’ well-being. As such, these critical services may be targeted by malicious hackers during cyber warfare. Due to the increasing dependence on computers for military and infrastructure purposes, it is imperative not only to protect them and mitigate any immediate or potential threats, but also to understand the current or potential impacts beyond the cyber networks or the organization. This increased dependence means that a cyber attack may affect not only the cyber network, but also other tasks or missions that depend upon the network for execution and completion. It is therefore necessary to try to understand the current and potential impacts of cyber effects on the overall mission of a nation’s military, infrastructure, and other critical services. The understanding of the impact is primarily controlled by two processes: state estimation and impact assessment. State estimation is the process of determining the current state of the assets, while impact assessment is the process of calculating impact based on the current asset states.
Jared Holsopple, Shanchieh Jay Yang, Moises Sudit
Uncertainty Modeling: The Computational Economists’ View on Cyberwarfare
Abstract
The current research scenario shows considerable work on the fundamental considerations for Cybersecurity. The physical world will fuse with the digital world in the future through enhanced technologies. However, there still exists the problem of radical uncertainty, particularly in the form of information theft. In this project we provide an analysis of the critical factors affecting the security of internet-based businesses; we also present a causal model-based security system that affects and helps the central characteristics of contemporary internet-based businesses.
Suchitra Abel
Metadata
Title
Intelligent Methods for Cyber Warfare
edited by
Ronald R. Yager
Marek Z. Reformat
Naif Alajlan
Copyright year
2015
Electronic ISBN
978-3-319-08624-8
Print ISBN
978-3-319-08623-1
DOI
https://doi.org/10.1007/978-3-319-08624-8