TECHNOLOGY AREA(S): Human Systems

ACQUISITION PROGRAM: ONR Code 34, Human and Bioengineered Systems Division � Human Factors of Cyber Security portfolio

OBJECTIVE: The objective of this topic is to develop innovative capabilities to map features and entities across all three layers of cyberspace (physical, logical, and cyber-persona) in order to detect and classify anomalous behavior.

DESCRIPTION: Cyberspace comprises three distinct but interrelated layers, each of which captures important characteristics of and behaviors on this domain.� The physical layer consists of geographic features and physical network components.� The logical layer is best described as data at rest, in motion, or in use within the physical layer.� Finally, the cyber-persona layer comprises digital representations of entities that are interacting with each other and with the other two layers.� Each layer�s features and entities have been mapped separately and with various degrees of effectiveness.� Representations of the physical layer benefit from the maturity of Geospatial Information Systems (GIS) that have been used for decades in the other domains of warfare.� The other two layers have piecemeal solutions that map networks, social interactions, and other limited data sets.� Still, there exists no holistic mapping that encompasses all three layers of cyberspace and adequately captures intra- and inter-layer interactions.

The DoD requires enhanced capabilities to simultaneously leverage information contained in all three layers of cyberspace in order to detect, classify and track a multitude of anomalous behaviors in near-real time.� Such capabilities could provide early warning of malicious insider threats and even inform the most effective, proactive countermeasures.� They could also illuminate complex and stealthy attacks by external actors.� Alternatively, these capabilities could also help identify innovative benign behaviors such as non-conventional uses of cyberspace assets in order to enhance mission accomplishment.� In short, the multi-layer mapping would highlight complex interactions and allow the user to visualize their effects, benign or otherwise.� Such mapping would also enable much more sophisticated cyberspace operational planning and execution by taking into account not only geographic features, networked nodes, and data, but also the personas that operate on them.

This topic seeks innovative approaches to aggregating very large sets of heterogeneous data, correlating them to detect causal relationships, and displaying both the data and its relationships in a manner that enables novel cyberspace operations.� Of particular interest would be the capability to anticipate (and not simply document) evolving features and behaviors.� Such predictive capability would allow friendly forces to outmaneuver adversaries in cyberspace.� Viable proposals should be able to quantify the confidence of their cross-layer inferences and predictions, and also show autonomous self-improvement over time.

PHASE I: Assess the feasibility of combining information across all three layers of cyberspace in order to identify abnormal (i.e., outlier) behaviors.� Here, abnormal behavior might be defined as the interaction of the three interrelated layers of cyberspace in an unorthodox or unpredictable fashion.� For example, individuals may interact with either the data at rest of the physical data without a need to access.� The expected deliverables of Phase I include multiple operationally meaningful scenarios within which the new system would deliver revolutionary new capabilities.� For example, Phase I efforts might be geared toward model development and the assessment of cyber adversary behaviors as they relate to the multi-layer mapping of the cyber domain.� Here, these models might be focused on specific visualization tools for tracking and collecting data in faster-than-real-time.� Other efforts might be to develop models of detection and classification of anomalous behaviors.� Develop a Phase II plan.

PHASE II: Develop and demonstrate a prototype system that leverages tri-layer mapping in an operationally meaningful context.� This specific context will be chosen by the Government from among the scenarios developed in Phase I.

PHASE III DUAL USE APPLICATIONS: This resulting capability could be used in a broad range of military (and potentially commercial) applications.� One such example might be a training and experimentation testbed for cyber defense.� Similar use examples might be for verification and validation of existing cyber defense technologies.� Phase III will focus on developing an operational capability, integrating the technology into DoD operations, and potentially transitioning to commercial production or for commercial application.

REFERENCES:

1. Joint Publication 3-12: Cyberspace Operations, JP 3-12(R), Joint Chiefs of Staff, United States Department of Defense, Washington D.C., 2013. http://www.dtic.mil/doctrine/new_pubs/jp3_12R.pdf

2. Lathrop, S. D., Trent, S., and Hoffman, R. �Applying Human Factors Research Towards Cyberspace Operations: A Practitioner�s Perspective.� Advances in Human Factors in Cyber Security: Proceedings of the AHFE 2016 International Conference on Human Factors in Cyber Security, July 27-31, 2016, Walt Disney World�, Florida, USA, D. Nicholson, Ed. Cham: Springer International Publishing, 2016, pp. 281�293. https://link.springer.com/chapter/10.1007/978-3-319-41932-9_23

3. Fanelli, R. and Conti, G. �A methodology for cyber operations targeting and control of collateral damage in the context of lawful armed conflict.�� 2012 4th International Conference on CyberConflict (CYCON 2012), 2012. https://ccdcoe.org/cycon/2012/proceedings/d1r3s2_fanelli.pdf

4. Conti, G., Nelson, P., and Raymond, D.� �Towards a Cyber Common Operating Picture.� 2013 5th International Conference on Cyber Conflict (CYCON 2013), 2013. https://ccdcoe.org/cycon/2013/proceedings/d1r2s4_conti.pdf

KEYWORDS: Cyberspace Layers; Multi-modal Data Fusion; Data Mining; Cyber Security; Network Security; Information Dominance