CybOnt is unique in that (1) it is architected following the Joint Directors of Laboratories (JDL) fusion levels, (2) it uses formal ontology for the T-Box (types) and A-Box (actuals), and (3) it computes mathematically principled, and thus robust, likelihood ratios of attack behavior hypotheses. Inference links are visualized in a graph database tool that allows customized viewing tailored to operator requirements. The likelihood ratios can be thresholded to give operators control over display clutter. It runs in a tactical cloud environment and uses big data technologies.
The JDL fusion levels have served DoD, IC, academia, and industry well for many decades for air defense, Air Traffic Control (ATC), Electronic Warfare (EW), Anti-Submarine Warfare (ASW), and Intelligence across many sensor modalities. Silver Bullet developed an innovative adaptation of them to cyberspace sensor and data fusion. Applied to cyber, the JDL fusion levels are:
· JDL Fusion Level 0 – extracts features, computes features, and receives observations from cyber sensors such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), network devices, Host Based Security System (HBSS), and Continuous Diagnostics and Monitoring (CDM).
· JDL Fusion Level 1 – develops hypotheses and associated likelihood ratios for Attack Pattern Steps, Attack Patterns, Attacker Types, and Objective Types. Correlates hypotheses and merges beliefs with other Level 1 fusion processes. Utilizes knowledge bases derived from sources such as Common Attack Pattern Enumeration and Classification (CAPEC™).
· JDL Fusion Level 2 – develops hypotheses and associated likelihood ratios for Spatio-temporal Group Associations, Mission Attack Associations, and Critical Capability Attack Associations.
· JDL Fusion Level 3 – develops hypotheses and associated likelihood ratios for TTP Correlation and Attacker Types to Candidate Attackers.
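The Level 0 to Level 1 hand-off and the operator threshold described above can be shown in miniature. The following is an added illustration, not CybOnt or Silver Bullet code: Level 0 reduces constructed IDS, HBSS and CDM records to boolean features, Level 1 scores two Attack Pattern Step hypotheses with a likelihood ratio computed as a product of per-feature ratios P(e|H)/P(e|not H) under a naive-Bayes independence assumption, and the operator keeps only hypotheses whose log10 LR clears a chosen threshold. The feature names, hypothesis names, probability tables, the five-failure burst rule and the sample events are all assumptions made for the example and are not drawn from CAPEC or any calibrated model.

```python
import math
from collections import Counter

# Constructed Level 0 input: normalized records from three sensor types.
# These are made-up sample events, not data from any real system.
SENSOR_EVENTS = [
    {"sensor": "IDS", "host": "10.0.0.7", "signature": "ET SCAN Nmap TCP", "category": "portscan"},
    {"sensor": "CDM", "host": "10.0.0.7", "finding": "exposed_service", "severity": "high"},
    {"sensor": "HBSS", "host": "10.0.0.7", "event": "logon_failure"},
    {"sensor": "HBSS", "host": "10.0.0.7", "event": "logon_failure"},
]

LOGON_FAILURE_BURST = 5  # assumed Level 0 rule: this many failures on one host = a burst


def extract_features(events):
    """Level 0: turn raw sensor records into a set of boolean feature names."""
    features = set()
    logon_failures = Counter()
    for ev in events:
        if ev["sensor"] == "IDS" and ev.get("category") == "portscan":
            features.add("ids_portscan")
        elif ev["sensor"] == "CDM" and ev.get("severity") == "high":
            features.add("cdm_exposed_service")
        elif ev["sensor"] == "HBSS" and ev.get("event") == "logon_failure":
            logon_failures[ev["host"]] += 1
    if any(n >= LOGON_FAILURE_BURST for n in logon_failures.values()):
        features.add("hbss_logon_failures")
    return features


# Assumed Level 1 knowledge base: for each Attack Pattern Step hypothesis H,
# (P(feature present | H), P(feature present | not H)). Illustrative values only.
HYPOTHESES = {
    "recon_port_scan": {
        "ids_portscan": (0.9, 0.1),
        "hbss_logon_failures": (0.2, 0.2),
        "cdm_exposed_service": (0.5, 0.5),
    },
    "credential_brute_force": {
        "ids_portscan": (0.5, 0.5),
        "hbss_logon_failures": (0.8, 0.05),
        "cdm_exposed_service": (0.5, 0.5),
    },
}


def log10_likelihood_ratio(hypothesis, features):
    """Level 1: log10 LR = sum over features of log10 P(e|H) / P(e|not H).

    A present feature contributes p_h / p_not_h; an absent feature contributes
    (1 - p_h) / (1 - p_not_h). Features are treated as conditionally independent
    given H (naive Bayes), and the sum is done in log space to avoid underflow.
    """
    total = 0.0
    for feature, (p_h, p_not_h) in HYPOTHESES[hypothesis].items():
        if feature in features:
            total += math.log10(p_h) - math.log10(p_not_h)
        else:
            total += math.log10(1 - p_h) - math.log10(1 - p_not_h)
    return total


def score_hypotheses(features):
    """Score every hypothesis in the knowledge base against one feature set."""
    return {h: log10_likelihood_ratio(h, features) for h in HYPOTHESES}


def displayable(scores, min_log10_lr):
    """Operator clutter control: keep hypotheses with LR >= 10 ** min_log10_lr."""
    return {h: s for h, s in scores.items() if s >= min_log10_lr}


if __name__ == "__main__":
    feats = extract_features(SENSOR_EVENTS)
    scores = score_hypotheses(feats)
    print("features:", sorted(feats))
    for name, s in scores.items():
        print(f"{name}: LR = {10 ** s:.3f} (log10 {s:+.3f})")
    print("shown at threshold LR >= 3:", displayable(scores, math.log10(3)))
```

With the two failed logons below the burst rule, only the port-scan and exposed-service features are present, so the reconnaissance hypothesis ends with LR = 9 while the brute-force hypothesis drops below 1 because the expected logon-failure burst is absent. Raising the operator threshold from LR 3 to LR 10 removes the remaining hypothesis from the display, which is the clutter control the text describes.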