Graham Mueller

Washington DC-Baltimore Area
663 followers 500+ connections

About

I'm a Principal Research Scientist working in the area of applied machine learning. My…

Experience & Education

  • Leidos

Publications

  • Using Hypervectors for Efficient Anomaly Detection in Graph Streams

    2024 IEEE 11th International Conference on Data Science and Advanced Analytics (DSAA)

    We present an online algorithm for detecting changes in computer network activity. Anomalous activity in IT systems often appears as changes in network topology as edges evolve in a dynamic graph; identifying these behavioral changes can be a challenging task. We propose a method that uses principles of Hyperdimensional Computing to encode graphs to a real-valued space where anomalies are easily identifiable. With reasonable assumptions of the baseline edge generating process, our approach operates in real time and can produce an anomaly score primitive for one sample independently of all others. This score lends itself easily to an online Bayesian confidence estimate in constant memory, which is essential for real-world applications where networks are extremely large and interpretable predictions are needed in real time. We demonstrate the effectiveness of our approach on both synthetic and real-world datasets.

  • Forecasting Network Intrusions from Security Logs Using LSTMs

    International Workshop on Deployable Machine Learning for Security Defense (KDD - MLHAT)

    Computer network intrusions are of increasing concern to governments, companies, and other institutions. While technologies such as Intrusion Detection Systems (IDS) are growing in sophistication and adoption, early warning of intrusion attempts could help cybersecurity practitioners put defenses in place early and mitigate the effects of cyberattacks. It is widely known that cyberattacks progress through stages, which suggests that forecasting network intrusions may be possible if we are able to identify certain precursors. Despite this potential, forecasting intrusions remains a difficult problem. By leveraging the rapidly growing and widely varying data available from network monitoring and Security Information and Event Management (SIEM) systems, as well as recent advances in deep learning, we introduce a novel intrusion forecasting application. Using six months of data from a real, large organization, we demonstrate that this provides improved intrusion forecasting accuracy compared to existing methods.

  • Detecting and Annotating Narratives in Social Media: A Vision Paper

    The International AAAI Conference on Web and Social Media (ICWSM)

  • Causal discovery of cyber attack phases

    2019 18th IEEE International Conference On Machine Learning And Applications (ICMLA)

    Causal discovery algorithms are increasingly being used to discover valid, novel, and significant causal relationships from large amounts of observational data. Cyberattacks are hypothesized to evolve according to the Cyber Kill Chain® which consists of a causal model describing the phases of a cyberattack. This paper introduces causal discovery to cybersecurity research and provides evidence of the kill chain with an extensive empirical assessment of two databases of real cyberattacks.

  • Sensor fusion and structured prediction for cyberattack event networks

    15th International Workshop on Mining and Learning with Graphs (KDD - MLG)

    Early detection of cyberattacks – such as data breaches or ransomware – is critical to mitigate their effects. Despite advances in automated cyberattack sensors, many attacks are still detected days or months after they occur. We propose a new approach using statistical relational learning to fuse cyberattack sensor outputs and generate attack predictions. Leveraging the graphical structures of both sensor outputs and cyberattack events themselves, we achieve higher accuracy than individual sensors by reasoning collectively over both sensors and attacks. In addition to improved accuracy, our predictions also are more useful to analysts because they are structured objects containing details of the predicted attacks. We measure accuracy and scalability in an extensive empirical evaluation of our approach using a database of real cyberattacks against a large corporation. We show that, relative to a sensors-only baseline, our approach increases accuracy by up to seven percent and doubles the lift of high-confidence predictions.

  • Analyzing the perceived severity of cybersecurity threats reported on social media

    Proceedings of NAACL-HLT 2019

    Breaking cybersecurity events are shared across a range of websites, including security blogs (FireEye, Kaspersky, etc.), in addition to social media platforms such as Facebook and Twitter. In this paper, we investigate methods to analyze the severity of cybersecurity threats based on the language that is used to describe them online. A corpus of 6,000 tweets describing software vulnerabilities is annotated with authors’ opinions toward their severity. We show that our corpus supports the development of automatic classifiers with high precision for this task. Furthermore, we demonstrate the value of analyzing users’ opinions about the severity of threats reported online as an early indicator of important software vulnerabilities. We present a simple, yet effective method for linking software vulnerabilities reported in tweets to Common Vulnerabilities and Exposures (CVEs) in the National Vulnerability Database (NVD). Using our predicted severity scores, we show that it is possible to achieve a Precision@50 of 0.86 when forecasting high severity vulnerabilities, significantly outperforming a baseline that is based on tweet volume. Finally we show how reports of severe vulnerabilities online are predictive of real-world exploits.

  • Dynamic network formation with reinforcement learning

    We examine a dynamic model of network formation in which individuals use reinforcement learning to choose their actions. Typically, economic models of network formation assume the entire network structure to be known to all individuals involved. The introduction of reinforcement learning allows us to relax this assumption. Q-learning is a reinforcement learning algorithm from the artificial intelligence literature that allows for state-dependent learning. Using Q-learning, one may allow for varying degrees of information available to the agents. We determine what networks, if any, the model may converge to in the limit.
