Analytic tools designed to catch terrorists might also be useful in cyber-space
For years, a company called Modus Operandi, Inc. has been developing software tools that help intelligence analysts extract bits and pieces of valuable information from a wide variety of printed materials by finding patterns and relationships among those pieces of data that can help the analyst identify terrorists and the plots they are hatching.
Now, the same company is trying to use similar analytic tools to identify the tell-tale traces in cyber-space that bad actors have penetrated a computer network and are trying to infect that network, steal valuable property or bring it down altogether.
“We intend to bring in Cyber Intelligence – or “CyberInt” – as another data source,” explained Peter Mozloom, the recently hired vice president of cyber solutions at Modus Operandi, who spoke exclusively with Government Security News on Dec. 16. “It seems like a logical extension of the technology that already exists.”
To understand how this analytic technology can be applied to cyber-space, it is important to understand how “real-world” intelligence analysts operating in the physical realm are currently using it to track down terrorists.
Take a completely hypothetical example. Suppose an intelligence analyst had received a 100-page typed transcript of a conversation – secretly recorded – between two suspected terrorists, who were sitting in an Internet café in Vienna, Austria. During the course of their one-hour conversation, the two suspects may have mentioned a dozen different individuals, cited numerous bars, restaurants, banks, tourist attractions and other offices, located in half a dozen different countries and 15 different cities and geographic locations. It would be a monumental task for an intelligence analyst to extract all that specific data, correlate it with other references found in other documents that mention similar-sounding people, in similar locations, in the same countries, etc.
The analytic tools developed by Modus Operandi, which it calls WAVE-EF, or Wave Exploitation Framework, apply sophisticated algorithms and enormous computing power to tackle these extraction and classification tasks. For instance, WAVE-EF develops a “gazetteer” of all known and suspected terrorists and terrorist groups operating in a particular “domain,” which includes all of the different possible spellings of the same person’s name. Thus, WAVE-EF is able to discern that a reference to “Al Qaeda” in one document is referring to the same group cited as “al Qaida” in another document.
Similarly, WAVE-EF would be able to know that “Vienna, Austria” is equivalent to “the capital of Austria” as well as a precise “latitude-and-longitude” description of the geographic location of Vienna. It could “know” that any of these off-hand references were referring to the same city.
Take a more obscure example. Suppose one of the terrorist suspects in the Internet café mentioned the reprint of the “Cezanne painting” hanging behind the cash register. That tiny bit of information might be correlated with another fleeting reference to a “Cezanne painting” in a completely different document found at a terrorist hideout. WAVE-EF might make a connection between those two isolated bits of information – and thereby zero in on the same Internet café -- that an individual analyst could never hope to make.
“They may find something interesting in System X and then go into System Y,” Mozloom explained to GSN. “You can start inferring things based on the information you find.”
Of course, the concept of drilling down into various documents – transcripts of recorded conversations, reports from surreptitious surveillance, records from “human intelligence,” or HUMINT, field trips, etc. – is not unique to Modus Operandi, but the company may be pushing the envelope in building comprehensive gazetteers and finding “hidden” relationships that lurk beneath the radar in multiple databases.
Modus Operandi is now planning to test whether it can successfully bring this tried-and-true methodology to the quest to find cyber-intruders and cyber-thieves.
Mozloom explained that the “raw material” for these cyber investigations would be the intrusion detection logs, intrusion prevention logs, network traffic records, Defense Department and other government reports whose “comments” sections often discuss various cyber-threats in open, free text, and much more. By identifying names, locations and relationships – as well as specific bugs, viruses, bots, etc. – it is possible that this same methodology can produce fruitful insights for cyber-sleuths.
Mozloom brings to Modus Operandi more than 20 years of experience in military information assurance, emerging technologies, virtualization, and certification and accreditation of classified systems, the company said in a December 6 press release. More specifically, he has been supporting the Air Force Research Laboratory (AFRL) Rome Research Site, based in upstate Rome, NY, for more than two decades.
The company is now hoping to sign a Cooperative Research and Development Agreement (CRADA) with the information assurance folks at AFRL which would enable Mozloom and his colleagues to obtain Air Force cyber data and begin examining it. Mozloom told GSN that he was “pretty confident” this new relationship with AFRL will proceed.
One important goal, said Mozloom, is for the Air Force – and any owner of a sensitive computer network – to be able to spot intruders while the intrusion is actually occurring, rather than after the fact.
“There is so much network traffic going on, unless there is something blatantly obvious, these investigations wind up becoming forensic exercises, after the event has happened,” Mozloom said. “We’re interested in the attacks that develop ‘low-and-slow’,” he continued. By identifying critical relationships between disparate data – perhaps residing in different databases – Modus Operandi hopes to provide valuable “heads-up” alerts in real time. If this approach by Modus Operandi succeeds, Mozloom hopes to be able to tell a cyber-network owner in real time: “You might want to look at this…over here.”
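To make the mechanics concrete for both halves of the story, the gazetteer-driven entity resolution of the Internet café example and the cross-source correlation of IDS alerts, flow records and free-text report comments that Mozloom describes, here is a small Python sketch added for this article. It is not Modus Operandi’s WAVE-EF code, whose internals are not public. The gazetteer entries, the five sample documents, the hostnames, IP addresses and dates are all constructed for the illustration; the “low-and-slow” rule (an entity seen in at least two different feeds over at least a few days) is an assumption about what such an alert might look like, not a description of the company’s method.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed gazetteer (hypothetical; WAVE-EF's real gazetteers are not public):
# canonical entity id -> the spellings and descriptions it may appear under.
GAZETTEER = {
    "group:al-qaeda": ["Al Qaeda", "al Qaida", "al-Qaeda"],
    "city:vienna-at": ["Vienna, Austria", "the capital of Austria", "48.2082, 16.3738"],
    "artifact:cezanne-reprint": ["Cezanne painting", "Cezanne print"],
    "host:ws-finance-07": ["10.0.0.7", "ws-finance-07", "ws-finance-07.corp.example"],
    "malware:conficker": ["Conficker", "Downadup", "Kido"],
}

# Constructed sample documents: (doc_id, source, date, free text). The first two
# play the transcript and hideout note from the article; the last three are the
# IDS alert, flow record and free-text report comment listed as raw material.
DOCUMENTS = [
    ("transcript-1", "SIGINT", "2010-11-02",
     "Two men in an Internet cafe in Vienna, Austria discussed money for al Qaida; "
     "a reprint of a Cezanne painting hung behind the register."),
    ("hideout-note-3", "HUMINT", "2010-11-20",
     "Meet at the cafe with the Cezanne print, the capital of Austria. "
     "Al Qaeda courier arrives Thursday."),
    ("ids-0412", "IDS", "2010-12-01",
     'alert tcp 10.0.0.7 -> 198.51.100.5:80 msg="Conficker.B HTTP check-in"'),
    ("netflow-0418", "NETFLOW", "2010-12-04",
     "src=10.0.0.7 dst=203.0.113.9 dport=443 bytes=1140 pkts=9"),
    ("report-77", "REPORT", "2010-12-10",
     "Comment: ws-finance-07.corp.example user reports a sluggish machine; "
     "AV console labels the sample Downadup."),
]


def build_alias_patterns(gazetteer):
    """One case-insensitive regex per entity. Aliases are tried longest-first and
    bounded by word boundaries, so '10.0.0.7' does not fire inside '10.0.0.70'."""
    patterns = {}
    for canon, aliases in gazetteer.items():
        alts = sorted((re.escape(a) for a in aliases), key=len, reverse=True)
        patterns[canon] = re.compile(r"\b(?:%s)\b" % "|".join(alts), re.IGNORECASE)
    return patterns


def extract_entities(text, patterns):
    """Canonical entity ids mentioned anywhere in a free-text document."""
    return {canon for canon, pat in patterns.items() if pat.search(text)}


def index_documents(docs, patterns):
    """entity id -> chronologically sorted [(date, source, doc_id), ...]."""
    index = defaultdict(list)
    for doc_id, source, date, text in docs:
        for canon in extract_entities(text, patterns):
            index[canon].append((datetime.strptime(date, "%Y-%m-%d"), source, doc_id))
    for hits in index.values():
        hits.sort()
    return dict(index)


def linked_entities(index):
    """Entities that tie two or more documents together (the Cezanne connection)."""
    return {canon: sorted({doc for _, _, doc in hits})
            for canon, hits in index.items()
            if len({doc for _, _, doc in hits}) >= 2}


def low_and_slow(index, min_sources=2, min_span_days=3):
    """Entities whose mentions are spread across several sources over a long
    window. No single feed sees enough to alert on its own; the correlation does."""
    out = {}
    for canon, hits in index.items():
        sources = sorted({src for _, src, _ in hits})
        span = (hits[-1][0] - hits[0][0]).days
        if len(sources) >= min_sources and span >= min_span_days:
            out[canon] = {"sources": sources, "span_days": span,
                          "docs": [doc for _, _, doc in hits]}
    return out


if __name__ == "__main__":
    idx = index_documents(DOCUMENTS, build_alias_patterns(GAZETTEER))
    for canon, info in low_and_slow(idx).items():
        print(f"{canon}: {info['sources']} over {info['span_days']} days -> {info['docs']}")
```

Run as a script, the sketch reports that the finance workstation appears under three different names in three different feeds over nine days, and that the Cezanne reprint links the two intelligence documents, which is the kind of “you might want to look at this…over here” prompt the article describes. The thresholds are the tunable part: raising `min_span_days` to 10 drops the cyber entities and keeps only the intelligence links, which shows how quickly a correlation rule can miss a genuinely slow intrusion if the window is set too wide.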