CybOnt is unique in that, (1) it is architected following the Joint Directors of Laboratories (JDL) fusion levels, (2) it uses formal ontology for the T-Box (types) and A-Box (actuals), and (3) it computes mathematically-principled -- and thus robust -- likelihood ratios of attack behavior hypotheses.  Inference links are visualized in a graph database tool that allows customized viewing tailored to operator requirements.  The likelihood ratios can be thresholded to give operators control over display clutter.  It runs in a tactical cloud environment and uses big data technologies.

The JDL fusion levels have served DoD, IC, academia, and industry well for many decades for air defense, Air Traffic Control (ATC), Electronic Warfare (EW), Anti-Submarine Warfare (ASW), and Intelligence across many sensor modalities.   Silver Bullet developed an innovative adaption to cyberspace sensor and data fusion.  Applied to cyber, the JDL fusion levels are:

·       JDL Fusion Level 0 – extracts features, computes features, and receives observations from cyber sensors such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), network devices, Host Based Security System (HBSS), and Continuous Diagnostics and Monitoring (CDM). 

·       JDL Fusion Level 1 – develops hypotheses and associated likelihood ratios for Attack Pattern Steps, Attack Patterns, Attacker Types, and Objective Types.  Correlates hypotheses and merges beliefs with other level 1 fusion processes.  Utilizes knowledge bases derived from sources such as Common Attack Pattern Enumeration and Classification (CAPEC™).    

·       JDL Fusion Level 2 -- develops hypotheses and associated likelihood ratios for Spatio-temporal Group Associations, Mission Attack Associations, and Critical Capability Attack Associations.   

·       JDL Fusion Level 3 -- develops hypotheses and associated likelihood ratios for TTP Correlation and Attacker Types to Candidate Attackers.