
Predicting threat potential using cyber sensors.


Abstract

The proliferation of the Internet has created a culture of a connected society dependent upon technology for communication and information sharing needs. In this dissertation, we hypothesize that attackers are increasingly using electronic resources that are capable of leaving a digital footprint, such as social media services, e-mail, text messages, blogs, and websites for the communication, planning, and coordination of attacks. In its current form, however, traffic analysis is primarily concerned with using communications volume to extract intelligence information, but largely ignores the content of communications transmissions that is needed to meet the security challenges and demands of continually emerging threats.

In this dissertation, we make use of the enormous amount of electronic data potential and propose a model framework that is capable of predicting malicious intent based on mathematically sound principles in traffic flow theory. We define a set of objects, called threat agents, acting on a threat network and derive the set of values and conditions that allow us to predict the behavior of the network much in the same way a traffic flow model can be used to predict the behavior of a road system. This is accomplished using a set of variables created analogous to velocity, density, and flux in traffic flow theory that allow us to measure the level of congestion on which the threat prediction is based.

In this dissertation, we also apply the data mining techniques of classification and clustering analyses to derive not only the basis for our threat network but also to generate locational and categorical information. This contextual information provides a more complete picture of the potential threat that allows us to be in a position to better understand and respond to impending threats in a timely manner.

We present experimental results obtained on a set of articles appearing on the Reuters newswire to predict threats defined within the context of the data set. Using a threat prediction profile produced from the model framework, we validate our test results by mapping the predicted threats to actual event occurrences contained within the data set itself with promising results.

Bibliographic record

  • Author: Thompson, Mark Anthony
  • Author affiliation: Louisiana Tech University
  • Degree-granting institution: Louisiana Tech University
  • Discipline: Computer Science
  • Degree: Ph.D.
  • Year: 2013
  • Pages: 139 p.
  • Total pages: 139
  • Original format: PDF
  • Language of text: eng
