Archer: A system for rapid cyber hypotheses evolution and resolution
While signature-based methods are effective against previously observed attacks, detecting and reacting to novel and advanced threats requires behavioral analysis. As the scarcity of anomaly detection systems in operational use shows, the large variation across and within networks necessitates analysis by domain professionals with network-specific expertise. Cyber operations now collect data widely, but protection against advanced attacks still relies mainly on intuition and manual investigation, which are proving vastly insufficient. Next-generation security requires analytical tools that let analysts leverage their domain expertise and environment knowledge for scientific enquiry into their data. The goal of the proposed work is to bring powerful, flexible analytics to the analysts’ fingertips. We propose a novel visual-analytics platform that lets analysts create, refine, and evaluate hypotheses nearly instantaneously. By allowing analysts to easily choose data subsets for investigation and receive easy-to-understand results, this capability will replace the intuition-based data interactions performed today. Sophisticated modeling and hypothesis testing will occur “under the hood”, requiring little user training and no algorithmic expertise. The manual investigations that currently take hours, or lie outside analysts’ means altogether, will be possible in seconds with this capability. Finally, the prototype will provide a platform for scientific investigation of algorithmic and visualization developments targeting cyber applications.
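As an added illustration of the analyst workflow the abstract describes (choose a data subset, state a hypothesis, get an easy-to-read verdict with the statistics hidden "under the hood"), the following example is not Archer's code and does not describe its design. It assumes constructed hourly per-host outbound byte counts, a hypothesis of the form "host H sent more than its usual volume during hours W", and a permutation test as the modeling step; host names, values and the `evaluate_hypothesis` helper are all invented for the example.

```python
"""Added example (not part of the Archer proposal): an analyst picks a data
subset with a predicate, states a hypothesis about it, and a permutation test
evaluates it so the analyst reads a verdict instead of eyeballing counts."""
import random
from dataclasses import dataclass
from statistics import mean
from typing import Callable, Iterable, List, Sequence


@dataclass(frozen=True)
class HourlyFlow:
    host: str
    hour: int        # hour of day, 0-23
    bytes_out: int   # outbound bytes observed in that hour


def hourly_records(host: str, profile: Sequence[int]) -> List[HourlyFlow]:
    """Build 24 hourly records for one host from a list of byte counts."""
    return [HourlyFlow(host, h, b) for h, b in enumerate(profile)]


# Constructed sample data (hypothetical hosts): ws-01 is steady all day,
# ws-02 has a late-night burst in hours 20-23.
RECORDS: List[HourlyFlow] = (
    hourly_records("ws-01", [90, 110] * 12)
    + hourly_records("ws-02", [90, 110] * 10 + [900, 950, 1000, 980])
)


def select(records: Iterable[HourlyFlow],
           predicate: Callable[[HourlyFlow], bool]) -> List[HourlyFlow]:
    """The 'choose a data subset' step: keep records matching the predicate."""
    return [r for r in records if predicate(r)]


def permutation_pvalue(window: Sequence[int], baseline: Sequence[int],
                       n_perm: int = 2000, seed: int = 7) -> float:
    """One-sided permutation test.

    Null hypothesis: the window hours and baseline hours are exchangeable, so
    the observed mean difference is no larger than a random relabeling would
    produce. Returns P(random difference >= observed), with the +1 correction
    so the estimate is never exactly zero.
    """
    if not window or not baseline:
        raise ValueError("both the window and the baseline must be non-empty")
    observed = mean(window) - mean(baseline)
    pooled = list(window) + list(baseline)
    k = len(window)
    rng = random.Random(seed)  # fixed seed keeps the verdict reproducible
    hits = 0
    for _ in range(n_perm):
        rng.shuffle(pooled)     # re-shuffling in place is still a uniform permutation
        if mean(pooled[:k]) - mean(pooled[k:]) >= observed:
            hits += 1
    return (hits + 1) / (n_perm + 1)


def evaluate_hypothesis(records: Iterable[HourlyFlow], host: str,
                        window_hours: Iterable[int], alpha: float = 0.05) -> dict:
    """Hypothesis: `host` sent more outbound bytes during `window_hours` than
    during the rest of the day. Returns an analyst-readable summary."""
    hours = set(window_hours)
    host_recs = select(records, lambda r: r.host == host)
    window = [r.bytes_out for r in host_recs if r.hour in hours]
    baseline = [r.bytes_out for r in host_recs if r.hour not in hours]
    p_value = permutation_pvalue(window, baseline)
    return {
        "host": host,
        "window_hours": sorted(hours),
        "window_mean": mean(window),
        "baseline_mean": mean(baseline),
        "p_value": p_value,
        "supported": p_value < alpha,
    }


if __name__ == "__main__":
    for host in ("ws-01", "ws-02"):
        print(evaluate_hypothesis(RECORDS, host, range(20, 24)))
```

The point of the structure is that the analyst only supplies the subset predicate, the host and the hour window; the statistical machinery is a swappable function behind `evaluate_hypothesis`, which is where a richer model (seasonal baselines, multiple hosts, multiple features) would go without changing what the analyst sees.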