Charles River Analytics won $2.5 million, in two phases, for modeling and inferring the intent of cyberspace threat actors.
As cyberwarfare ramps up, analysts need effective forensic analysis of both kinds of cyberattacks: those on IT infrastructure (cybertechnical) and those conducted through social media operations spreading disinformation (cybersocial). Unfortunately, cyberattacks have become increasingly complex, with deliberate obfuscation techniques to avoid detection. Worse, actors change strategies dynamically in reaction to real-time events. As a result of these complexities, forensic analysis, especially of cybersocial attacks, has largely been conducted manually.
The Cyber Adversary Discovery Engine (CADE) from Charles River Analytics delivers an AI-based tool that collaborates with analysts. By using CADE, analysts are able to visualize and test their hypotheses about the tactics, techniques, and procedures (TTPs) that threat actors adopt. “With CADE, we are developing a thought accelerator system that works with the complex reasoning that analysts are already doing in their heads,” says Bryan Loyall, Director of Technology Innovation and Principal Scientist at Charles River Analytics. “Having an analyst put their thoughts down in terms of visualizations helps them put the puzzle pieces together more effectively.”
Such a tool is especially useful at a time when trained cybersecurity analysts are scarce.
Thorough forensic analysis through AI requires three components:
- A way of modeling complex and multi-tiered TTPs from threat actors
- Recognition and interpretation of attacker behaviors in the data
- A tool that enables analysts to visualize the complex layers and test their hypotheses easily. The tool would also alert analysts to changes in threat actor TTPs, which could signal a new front in the attack.
CADE addresses all three pillars: It represents the sophisticated TTPs of today’s cyberattackers; helps find attacks in forensic data; and collaborates with analysts to identify goals, behaviors, and changes in TTPs. The system also identifies individual threat actors by tracking their signature TTPs and their evolution over time.
The R&D funding for CADE is provided by the Office of Naval Research Small Business Technology Transfer (STTR) program, which is intended to foster the transition of joint research efforts between qualified small businesses and research institutions. Our research partner for the CADE effort is the University of California Santa Cruz, led by Professor Magy Seif El-Nasr. Dr. Seif El-Nasr’s research focuses on using machine learning and visualization systems to understand and track behavior through analytics.
Phase I of the project designed and demonstrated the feasibility of CADE. The project is now in Phase II, which will develop a prototype that helps identify and understand adversary behavior, tracks changes over time, and flags those changes that do not result from known events. CADE is developed with cognitive models and machine learning based on probabilistic programming languages, which can build robust models even from small amounts of data.
Future iterations of CADE will enable analysts to turn individual events “on” and “off” in visualization panels, so analysts can counter confirmation bias by test-driving competing hypotheses and matching each against the data. CADE accounts for multiple factors, such as time and space, so analysts can see patterns they might not have easily seen before.
CADE’s potential impact is significant, especially given the potential for cyber threat actors to spread misinformation on a massive scale, Loyall says. “CADE will be a great asset for analysts doing the difficult work of trying to make the landscape better,” he says. “If we’re able to help the under-resourced people who are trying to make things better, we can make a positive impact on the world.”
This material is based upon work supported by the Office of Naval Research under Contract No. N68335‑20‑C‑0401. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Office of Naval Research.