April 21, 2010
Conference Paper

An Organic Model for Detecting Cyber Events

Abstract

Cyber entities in many ways mimic the behavior of organic systems. Individuals or groups compete for limited resources using a variety of strategies, and effective strategies are re-used and refined in later ‘generations’. Traditionally this drift has made detection of malicious entities very difficult because 1) recognition systems are often built on exact matching to a pattern that can only be ‘learned’ after a malicious entity reveals itself and 2) the enormous volume and variation in benign entities is an overwhelming source of previously unseen entities that often confound detectors. To turn the tables of complexity on the would-be attackers, we have developed a method for mapping the sequence of behaviors in which cyber entities engage to strings of text and analyzing these strings using modified bioinformatics algorithms. Bioinformatics algorithms optimize the alignment between text strings even in the presence of mismatches, insertions or deletions, and do not require an a priori definition of the patterns one is seeking; nor do they require any type of exact matching. This allows the data itself to suggest meaningful patterns that are conserved between cyber entities. We demonstrate this method on data generated from network traffic. The impact of this approach is that it can rapidly calculate similarity measures of previously unseen cyber entities in terms of well-characterized entities. These measures may also be used to organize large collections of data into families, making it possible to identify motifs indicative of each family.
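The abstract describes two steps: encoding an entity's observed behaviors as a text string, and scoring unseen strings against well-characterized ones with an alignment algorithm that tolerates mismatches and indels. The following is an added illustration written for this page, not the authors' code; it uses a plain Smith-Waterman local alignment (the classic bioinformatics algorithm, unmodified) with a constructed event-to-letter alphabet and two constructed "family" strings. The event names, the scoring values (match 2, mismatch -1, gap -1) and the normalization are assumptions chosen for the demonstration.

```python
# Illustrative example (not from the paper): behavior strings + local alignment.

# Constructed mapping from network event types to single-letter symbols.
EVENT_ALPHABET = {
    "dns_query": "D",
    "tcp_syn": "S",
    "tls_hello": "T",
    "http_get": "G",
    "http_post": "P",
    "large_upload": "U",
    "beacon_sleep": "B",
}

# Constructed "well-characterized" families, each given as an event sequence.
KNOWN_FAMILIES = {
    "beacon": ["dns_query", "tcp_syn", "tls_hello", "http_get", "beacon_sleep"] * 2,
    "exfil": ["dns_query", "tcp_syn", "tls_hello", "http_post", "large_upload",
              "http_post", "large_upload"],
}

# Constructed previously unseen entity: a beacon-like sequence with one extra
# HTTP POST inserted, the kind of variation exact matching would miss.
UNKNOWN_EVENTS = ["dns_query", "tcp_syn", "tls_hello", "http_get", "http_post",
                  "beacon_sleep", "dns_query", "tcp_syn", "tls_hello", "http_get",
                  "beacon_sleep"]

MATCH, MISMATCH, GAP = 2, -1, -1  # assumed scoring scheme


def encode(events):
    """Map an ordered list of event types to a behavior string."""
    return "".join(EVENT_ALPHABET[e] for e in events)


def smith_waterman(a, b, match=MATCH, mismatch=MISMATCH, gap=GAP):
    """Local alignment of a against b; returns (score, aligned_a, aligned_b)."""
    n, m = len(a), len(b)
    H = [[0] * (m + 1) for _ in range(n + 1)]
    best, best_pos = 0, (0, 0)
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            diag = H[i - 1][j - 1] + (match if a[i - 1] == b[j - 1] else mismatch)
            up = H[i - 1][j] + gap    # gap in b: a[i-1] aligned to nothing
            left = H[i][j - 1] + gap  # gap in a: b[j-1] aligned to nothing
            H[i][j] = max(0, diag, up, left)
            if H[i][j] > best:
                best, best_pos = H[i][j], (i, j)
    # Trace back from the best cell until the score drops to zero.
    i, j = best_pos
    al_a, al_b = [], []
    while i > 0 and j > 0 and H[i][j] > 0:
        s = match if a[i - 1] == b[j - 1] else mismatch
        if H[i][j] == H[i - 1][j - 1] + s:
            al_a.append(a[i - 1]); al_b.append(b[j - 1]); i -= 1; j -= 1
        elif H[i][j] == H[i - 1][j] + gap:
            al_a.append(a[i - 1]); al_b.append("-"); i -= 1
        else:
            al_a.append("-"); al_b.append(b[j - 1]); j -= 1
    return best, "".join(reversed(al_a)), "".join(reversed(al_b))


def similarity(a, b):
    """Alignment score normalized to [0, 1] by the best score a perfect
    match of the shorter string could reach (an assumed normalization)."""
    score, _, _ = smith_waterman(a, b)
    return score / (MATCH * min(len(a), len(b)))


def classify(events, families=KNOWN_FAMILIES):
    """Return (closest family, {family: similarity}) for an unseen entity."""
    unknown = encode(events)
    scores = {name: similarity(encode(seq), unknown) for name, seq in families.items()}
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    family, scores = classify(UNKNOWN_EVENTS)
    score, aa, ab = smith_waterman(encode(KNOWN_FAMILIES["beacon"]), encode(UNKNOWN_EVENTS))
    print(f"closest family: {family}  similarities: {scores}")
    print(f"beacon vs unknown (score {score}):\n  {aa}\n  {ab}")
```

With these inputs the unknown string `DSTGPBDSTGB` aligns to the beacon family's `DSTGBDSTGB` with a single gap opposite the inserted POST, scoring 19 of a possible 20, while the exfil family shares only the `DST` prefix; the unseen entity is therefore placed in the beacon family without anyone having written a signature for the POST-bearing variant.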

Revised: September 14, 2010 | Published: April 21, 2010

Citation

Oehmen C.S., E.S. Peterson, and S.T. Dowson. 2010. An Organic Model for Detecting Cyber Events. In Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, Article No. 66. New York, New York: Association for Computing Machinery. PNNL-SA-71113. doi:10.1145/1852666.1852740