Army uses behavioral analytics to detect cyberspace invaders

Cyber behavioral pattern analysis, a state-of-the-art commercial method, emerged from the Army’s month-long Cyber Quest 2017 event as one answer to the cyber threat, according to Army officials speaking at a Cyber Quest ’17 media roundtable at Ft. Gordon, GA.

The pattern-based cyber threat detection method is a commercial innovation just entering the cyber-defense domain, according to Col. Steven Rhen. The key is to monitor and understand the normal patterns of traffic and user behaviors on a given network, he said. Then, it becomes possible to rapidly identify anomalies that could indicate an enemy cyber intruder.  

There’s a physical layer, a network layer, a social layer, and a persona layer to cyberspace, according to the commercial developers. Monitoring for threats includes gathering behavioral data on each layer and then correlating and combining that data.

It’s a method that is “no longer looking at rules, but looking at the pattern of life on that network,” said Col. Rhen. It can be approached from the persona approach (monitoring email traffic and times the network is in use), a physical approach (monitoring where the network is in use), or a network approach.

According to Col. Rhen, a network approach involves asking, “this server always talks to this server, but why is that server suddenly talking to a router or a different server that it’s never talked to?” These types of anomalies will trigger an alert and further investigations.

If applied to the internal networks of the services, the behavioral pattern analytics method would also be a valuable tool for what Gen. Don B. Morrison Jr. referred to during the roundtable as “information assurance.” In other words, by monitoring internal network patterns, it would be able to mitigate the threat of insider cyber-attacks and security breaches.

With all the monitoring data and pattern analytics required, it’s no surprise that this method creates as a “big data problem,” in Gen. Morrison’s words. The solution: artificial intelligence (AI) and machine-to-machine learning technology.

“It’s going to be a combination of artificial intelligence and machine-to-machine learning…advances in artificial intelligence are going to allow us to react much, much quicker to things that are happening in cyber space,” said Col. Rhen. “You don’t have to look at every bit and byte…now a machine says something is happening that doesn’t normally happen on the network, and then you can go check it out.”

However, many of the latest innovations in AI and machine learning are coming from the commercial sector, and are being developed faster than the Army can obtain them through traditional acquisition processes.

“The traditional acquisition model will not work for cyber, I’ll be that definitive,” said Gen. Morrison. He announced a new acquisition model, designed for rapid acquisition of the latest commercial technologies, has been developed. Formal approval of the model is expected at the end of the summer.

Part of the new acquisition process will likely be more events like Cyber Quest, focused on identifying operational gaps and fielding prototype solutions with real soldiers in an experimental setting. Then, if a new technology is promising, it can be rapidly improved and moved forward, explained the Lt. Col. Stephen Roberts, another speaker at the roundtable.

“[Using] rapid prototypes is going to drive things forward in the cyberspace domain,” added Gen. Morrison.

The speakers did not specify when the behavioral pattern analytics method for defending networks against cyber-attacks will be widely implemented. However, with the new rapid cyber-based acquisition model, it is likely that the latest in commercial cyber defense technology, like the behavioral pattern analytics method, will become more accessible to U.S. cyber defense forces.