
Predicting Malicious Behavior


Predicting Malicious Behavior
Tools and Techniques for Ensuring Global Security

Gary M. Jackson, PhD


Predicting Malicious Behavior: Tools and Techniques for Ensuring Global Security

Published by
John Wiley & Sons, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com

Copyright © 2012 by Gary M. Jackson
Published by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada

ISBN: 978-1-118-16613-0
ISBN: 978-1-118-22625-4 (ebk)
ISBN: 978-1-118-23956-8 (ebk)
ISBN: 978-1-118-26418-8 (ebk)

Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at ey.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at . For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2012933633

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc., and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

Disclaimer: All statements of fact, opinion, or analysis expressed are those of the author and do not reflect the official positions or views of the CIA or any other U.S. Government agency. Nothing in the contents should be construed as asserting or implying U.S. Government authentication of information or Agency endorsement of the author’s views. This material has been reviewed by the CIA to prevent the disclosure of classified information.



I dedicate this book to the Reverend Manuel Lee Jackson and Linnie
Mae Jackson, my loving parents, recently deceased, and my sister, Reita
(DeDe) Carringer, and brother, Kevin Lee Jackson.



About the Author

Dr. Gary M. Jackson is an Assistant Vice President and Technical Lead within
the CyberSecurity Business Unit at Science Applications International Corporation
(SAIC). A behavioral psychologist with specialties in artificial intelligence and
automated assessment, Dr. Jackson has designed and developed scores of advanced
applications across both corporate and U.S. Government settings. Dr. Jackson’s
career has spanned academia as Assistant and Associate Professor (University
of South Florida), Director of R&D and Treatment Development in various clinical settings, Research Psychologist within the U.S. Secret Service Intelligence
Division, Intelligence Officer and Chief of three advanced technology branches
within the Central Intelligence Agency, Vice President and Director of Research
and Development for Psychological Assessment Resources (PAR), Director of
the Center for the Advancement of Intelligent Systems (CAIS) for the American
Institutes for Research, and, until recently, the Founder, President, and CEO
of Psynapse Technologies in Washington, D.C. Dr. Jackson has extensive R&D
and field experience in counterterrorism, counterintelligence, and asymmetric
warfare prediction. He was a former President of the Florida Association for
Behavior Analysis (FABA). He holds B.A. and Ph.D. degrees from Southern
Illinois University–Carbondale and an M.A. degree from University of Illinois.
He has completed additional postdoctoral training in neurophysiology at the
University of South Florida Medical School. Fusing the behavioral and computer sciences, Dr. Jackson is the inventor of the patented automated behavioral
assessment (AuBA) technology, CheckMate intrusion protection system, InMate
misuse detection system for insider threat, and automated prediction of human
behavior technology.



Credits

Executive Editor
Carol Long
Senior Project Editor
Kevin Kent
Technical Editor
Dr. Eric Cole
Production Editor
Kathleen Wisor
Copy Editors
Caroline Johnson
Gayle Johnson
Editorial Manager
Mary Beth Wakefield
Freelancer Editorial Manager
Rosemarie Graham
Associate Director of Marketing
David Mayhew
Marketing Manager
Ashley Zurcher
Business Manager
Amy Knies
Production Manager
Tim Tate
Vice President and Executive Group Publisher
Richard Swadley
Vice President and Executive Publisher
Neil Edde
Associate Publisher
Jim Minatel
Project Coordinator, Cover
Katie Crocker
Proofreader
Nicole Hirschman
Indexer
Johnna VanHoose Dinse
Cover Designer
Ryan Sneed
Media Project Manager
Laura Moss-Hollister
Media Associate Producer
Josh Frank
Media Quality Assurance
Doug Kuhn



Acknowledgments

Although I conceptualized, designed, and led the development of AuBA over the past three decades, it takes very talented developers to pursue, develop, and validate new technology in such a radical area as prediction of human behavior. Skeptics abound, and traditional statisticians loom large. It takes a village to pursue radical new approaches and methodologies. For these reasons, I have many to thank for their dedication, contributions, and effort to make AuBA a reality.

Beginning in the early clinical days, my colleague and lifelong friend Charles Antonelli and I developed methods to alter institutional environments to provide antecedents and consequences to support adaptive behavior and suppress highly inappropriate and maladaptive behavior. The precursors to AuBA were born in those early clinical days, and thoughts started focusing on prediction and not just behavior change. At the time, Lincoln State School in Lincoln, Illinois, was the largest institution for the developmentally disabled in the world. Indeed a challenge; we made a difference.

Carrying what was known as contingency management to Florida at Sunland Center of Miami working with such colleagues as Melinda S. Gentile and then Florida Mental Health Institute (FMHI) at the University of South Florida, I continued in research and treatment development, leading several programs for different populations with serious mental illness. At USF such talented colleagues as Dr. Roger Patterson, Dr. Lawrence Schonfeld, Dr. Louis Penner, Dr. Carla Kelly, David Eberly, and I developed new behavior methods to significantly impact the downward slide of the elderly, and developed methods to reverse the occurrence of serious behavior associated with aging. We found that creating the right environment and providing appropriate behavioral treatment could enhance the lives of many elderly patients. The clinical methods I developed were direct precursors to AuBA.

In 1985, I left academia for the government. Many individuals were key in continuing to pursue significant changes in altering a statistical view of prediction to one with a strong science of human behavior foundation that incorporated proven principles of behavior analysis. At the top of the list of individuals to thank is a very talented developer who after hearing my brief on how we could pursue a new technology for prediction of human behavior stopped what he was doing and joined my team as lead developer within the U.S. Secret Service. Marion Georgieff was a loyal and dedicated professional, and our ideas and concepts started taking shape in advanced pattern classification and software supported by Special Agents David Bressett, Kenneth Baker, and Phil Leadroot.

Then the missing years — the CIA. During this period of time very special recognition is given to those who must remain nameless. They made those years possible for me and were contributors to, as well as supporters of, the new anticipatory vision. Leaving the CIA, I took a position as Vice President and Director of Research and Development for Psychological Assessment Resources in Lutz, Florida. Working closely with Dr. R. Bob Smith, Cathy Smith, and later Justin Smith as part of the AuBA team, the PAR psychological team helped me to fuse ideas of commercial psychological assessment practices into the developing predictive methodology. The development of interpretive reports was especially important, as well as the insistence on quality development of software that is psychologically based. Coming back to Washington to the American Institutes for Research (AIR), I created the Center for the Advancement for Intelligent Systems (CAIS), which morphed into my own spin-off, Psynapse Technologies, to market the developing AuBA technology. This was a time of exuberant growth in the technology thanks to government funding and the strong support from Mr. Larry Willis, the Defense Advanced Research Projects Agency (DARPA) Program Manager. Larry realized the vision and spearheaded support that made AuBA actually possible. Without Larry’s vision and directed support, there would not be the AuBA of today. Other key support from DARPA included Dr. Sean O’Brien and Dr. Robert Hummel. Dr. Ruth Willis at the Naval Research Laboratory (NRL) added significantly to support provided. Special appreciation is expressed to the Office of Naval Research support provided by William Krebs and Anita Berger, as well as the former Deputy Chief of Naval Operations, Former Vice Admiral John Morgan.

Of special note is Byron Raines, who has remained part of the AuBA approach for over 11 years now, and, until taking a new position recently, Joan Wang, who has been a faithful AuBA developer for over 11 years. In addition for the past 22 years, Rosemarie Hesterberg has provided undying support and loyalty and was responsible for suggesting that I use AuBA for network protection. While dedicated staff may come and go, the contributions of these dedicated colleagues rank very high and their fingerprints are all over AuBA. I truly appreciate their dedication not only to the technology but also to supporting the AuBA vision. There are also other notables who contributed to development at this time. Mona Habib lent her Arabic expertise. Helene Mullaney was a key staff member who quickly grasped the concepts and mentored/trained others in the rapidly developing methodology and automation. A born leader as smart as they come, she helped move the technology forward. Bob McMahon was a key contributor to CheckMate and InMate as cyber applications constructed from AuBA technology. AIR Company support provided by Dr. Michael Kane and Sol Pelavin, the talented AIR CEO, was always appreciated and necessary for continued growth.
Spinning off Psynapse Technologies, my wife, Dr. Stephanie Jackson, my Deputy at the time, demonstrated her considerable talent as a professional and former school principal. She provided superb support for all company operations, and for that, I am appreciative. Dr. Terry Gudaitis, Julian Kamil, and Jeff Hall assisted in moving the technology forward on the application side, as well as Byron Raines and Joan Wang. Of special mention is a world-class expert who has supported AuBA since beginning with the CIA. A computer scientist and network intrusion expert, Dr. Eric B. Cole was there at the beginning when we worked out the first cyber network protection prototype for government funding and is still contributing today. Dr. Cole graciously consented to be technical editor for this book and wrote the foreword. Eric is actually a part of the vision of providing a paradigm shift in security. AuBA offers a new approach, and his support as one of the best has been truly appreciated, as have his contributions.

At SAIC, who acquired AuBA intellectual property, special appreciation is expressed to supporters Clay Stewart, Richard Shipman, and Dennis Andersh, as well as Hawaii staff Roger Medd and Brian Banks. Dr. Mary M. Quinn’s support as a behavioral colleague has been invaluable. Current support by Roger Tjarks as a Chief Scientist and Julie Taylor as Director of our Cyber operations is especially appreciated. Although many teams have worked on the development of AuBA over the years, the current Columbia, Maryland, team of Byron Raines, Ricky Smith, Garrett Henderson-Tjarks, Gary Cruttenden, Jonathon Conti-Vock, Erin Britz, Kyle Kubin, William Pollock, Kyle Mann, June Liu, and James (Don) Bowers led by the very talented development team leader Paul McAllister, and the Arlington, Virginia, team of Carl Symborski, Marguerite Barton, Geoffrey Cranmer, Jasmine Pettiford, and Kathleen Wipf are at the top. Paul McAllister, as a true collaborator, has made more recent developments a reality through new and improved software application. On a personal note, much appreciation is expressed to my family: Dr. Stephanie Jackson, daughter Ashley Henley and her husband Jason, daughter Kary Borden, and grandchildren Kayla and Jared Borden for supporting me over the decades and tolerating many hours of work above and beyond the norm that was necessary to develop AuBA.

Last, but certainly not least, I would like to acknowledge John Wiley & Sons. Writing the content of a book is the purview of the author, but publishing a book is a collaboration and ongoing interaction between an author and publications staff. From the early collaboration of the book with Carol Long, Acquisition Editor, to the very talented editorial leadership and personal work of Senior Project Editor Kevin Kent supported by content editors Maureen Spears, Rebekah Worthman, and Rayna Erlick, and Technical Editor Dr. Eric B. Cole, I express great appreciation for their talent and patience. I also want to thank all of the staff members who worked on the evolutionary development of AuBA with names just too high in number to list individually, but your many contributions are deeply appreciated. Most important, thank you reader for taking the time to read and study what this village of professionals has done for the future of security.

ffirs.indd xiv

5/15/2012 11:36:55 AM


Contents at a Glance

Foreword  xxvii
Introduction  xxix

Part I  Understanding the Dark Side: Malicious Intent  1
Chapter 1  Analyzing the Malicious Individual  3
Chapter 2  Analyzing the Malicious Group  35
Chapter 3  Analyzing Country-Level Threats  63
Chapter 4  Threats and Security Nightmares: Our Current Reactive State of Security  91
Chapter 5  Current Network Security  113
Chapter 6  Future Threats to Our National Security  137

Part II  Dissecting Malicious Behavior  161
Chapter 7  Applying Behavior Principles: Predicting Individual Malicious Behavior  163
Chapter 8  Applying Behavior Principles: Predicting Group Malicious Behavior  183
Chapter 9  Applying a Predictive Methodology: From Principles to Practice  203
Chapter 10  Predicting Domestic Threat  231
Chapter 11  Computer Networks: Protection from External Threat  255
Chapter 12  Computer Networks: Protection from Internal Threat  277
Chapter 13  Predicting Global Threat  299

Part III  Applying Tools and Methods  329
Chapter 14  Predictive Capability in Software: Tools for a New Approach  331
Chapter 15  Predictive Behavioral Modeling: Automated Tools of the Trade  357
Chapter 16  Developing AuBA Applications  383
Chapter 17  Mastering AuBA Tools for Real-World Use  405
Chapter 18  Analyzing Future Malicious Behavior  425

Part IV  Predicting Malicious Behavior: Tools and Methods to Support a Paradigm Shift in Security  449
Chapter 19  AuBA Future Extensions Today  451
Chapter 20  How to Predict Malicious Behavior: A Walkthrough  471

Appendix  What’s on the DVD?  497
Index  501


Contents

Foreword  xxvii
Introduction  xxix

Part I  Understanding the Dark Side: Malicious Intent  1

Chapter 1  Analyzing the Malicious Individual  3
  Analyzing the Unique Individual  4
  Richard Reid: The Shoe Bomber  7
    The Event  7
    The Motivation  8
    Causes  9
    A Behavior Analysis  9
  Ted Bundy: The Infamous Serial Murderer  11
    Similarities of Targets  12
    The Motivation  12
    Determining the Complexities Underlying Individual Malicious Behavior: A Behavior Analysis  13
    Removing Subjectivity and Bias from the Behavior Analysis  15
  The Individual Cyber Attacker  15
    Identifying the Threat from the Lone Cyber Attacker  16
    Recognizing the Power of Being Anonymous  18
    Recognizing When a Hacker Is Detached from the Target  19
    Recognizing Motivation  20
    Identifying the Power of Disruption  21
    Recognizing the Need for Theft  23
    A Behavior Analysis  25
  Modeling the Individual: Advantages and Disadvantages  25
    How Individuals May Vary  26
    The Loner  27
    The Chameleon  27
    The Social Misfit  28
    The Individual versus the Group  29
  Advantages of AuBA #1: Automated Summarization  29
  In Summary  32

Chapter 2  Analyzing the Malicious Group  35
  Understanding the Group Adversary  36
  Analyzing al-Qaeda  37
    Automated Behavior Analysis Summary  37
    The Organization  41
    Group Dynamics  41
    The Motivation  42
    Declarations of War  42
    A Behavior Analysis  43
  Analyzing Hezbollah  45
    The Organization  45
    Consistency of Behavior  46
    The Motivation  47
    Targeting Consistency  47
    A Behavior Analysis  48
  Analyzing the Coordinated Group Cyber Threat  50
    The Group Structure  53
    The Motivation  56
    A Behavior Analysis  57
  Advantages of AuBA #2: Theme-Guided Smart Searches  59
  In Summary  61

Chapter 3  Analyzing Country-Level Threats  63
  Threats to Our National Infrastructure  64
  Analyzing the Specific Threat of Terrorist Attacks  69
    Current Terrorist Threats to the United States  70
    Preventing Terrorist Attacks on U.S. Soil  75
  Improving Network Security  78
    Current Network Security  79
    Current Foreign Threats to Network Security  82
    Understanding Current Technology for Protecting Our Networks  83
  Facing Chemical, Biological, Radiological, and Nuclear (CBRN) Threats  84
    Understanding the Threat of a Biological Attack  85
    Anticipating the Dirty Bomb  86
  Advantages of AuBA #3: Reducing Errors and Inefficiencies of Manual Predictive Modeling  87
  In Summary  89

Chapter 4  Threats and Security Nightmares: Our Current Reactive State of Security  91
  Analyzing Mall, School, Workplace, and Other Seemingly Random Public Violence  92
    Making Sense of Seemingly Senseless Public Attacks  98
    Why Are We Violent?  99
  Unanticipated Terrorist Network Attacks  104
    Understanding the Element of Surprise  105
    Anticipating the Unknown  106
    Detecting the New Attack  107
    Can Technology Detect First-Time Attacks?  108
  Advantages of AuBA #4: Building Predictive Applications  109
  In Summary  111

Chapter 5  Current Network Security  113
  Hacking and National Network Security  114
    Growing Damage and Threat  117
  Assessing Current Technology  120
    Signature Detection  120
    Forensics: The Key to Defining New Signatures for Detection  122
    False Negative: Missing the New Attack  123
    Anomaly Detection  124
    Defining the Norm  126
    Unanticipated Network Attacks: The Bane of Network Security  128
  Moving Toward Fixing Current Ineffective Network Protection  128
    Winning or Losing?  129
    Adjusting Our Approach: The Need for a Paradigm Shift  129
    Augmenting the Concept of Network Behavior with Human Behavior  130
    Identifying Human Intent by Analyzing Packets  131
    External Threat Assessment: CheckMate  132
    Internal Threat Assessment: InMate  132
  Envisioning an Effective Future Network Protection Technology  133
    Enhancing Current Technology with Behavior Analysis  134
    Extracting Human Behavior from Digital Data  134
  Advantages of AuBA #5: Conducting a Human Behavior Assessment of Threats from Network Packets  135
  In Summary  136

Chapter 6  Future Threats to Our National Security  137
  Our Growing National Security Dependency on Computers and Networks  138
  Increasing Threat on a Global Basis  139
    The Ever-Increasing Sophistication of the Adversary  142
    Anticipating Additional Asymmetric Warfare Attacks in the Future — Another 9/11?
    Unanticipated Terrorist Attacks
    Weapons of Mass Destruction
    Water and Food Resources
    Diminishing Effectiveness of Network Security
    Decreasing Safety for Americans Worldwide
    Post Osama bin Laden
    Threats to Our Fragile Financial Markets
  The Dire Need for New Proactive Methods  154
    Moving from Reactive to Proactive Methodology  154
    Interjecting Behavior Analysis  155
    Informed Security: Removing the Element of Surprise  155
  Advantages of AuBA #6: Automated Pattern Classification  156
  In Summary  158

Part II  Dissecting Malicious Behavior  161

Chapter 7  Applying Behavior Principles: Predicting Individual Malicious Behavior  163
  Using a Behavior Analysis Methodology That Works  163
  Using Behavior Principles to Analyze Behavior  166
    Environmental Variables  169
    Different Environments, Different Antecedents  171
    Antecedents, Behavior, and Consequences  172
  Behavior Modeling  175
    Automated Behavior Analysis (AuBA)  176
    Using Tools to Assist Our Understanding  177
    Predicting Adversarial Behavior  178
    Influencing and Preventing Adversarial Behavior  178
  Advantages of AuBA #7: Incorporating, Refining, and Expanding Behavior Principles for Global Security  180
  In Summary  182

Chapter 8  Applying Behavior Principles: Predicting Group Malicious Behavior  183
  Analyzing Threat  184
    Group Attempts to Inflict Harm and Damage  185
    When Threats Turn into Actions  185
    Attempts to Steal and Deceive  187
  Obtaining Data to Assist in Understanding Adversary Behavior  187
    Moving from Applied Behavior Analysis and the Classroom to Global Adversary Behavior with AuBA  190
    Determining Who, What, Where, When, and How from Historical Data  191
    Behavior-Based Analytics  192
  Moving from Analysis to Prediction of Malicious Behavior  194
    What Is Prediction?  196
    Predicting Events before They Happen  198
  Examples of Real-World Event Prediction  198
    Predicting from Historical Information  199
    Predicting When Historical Data Is Rare or Missing  199
  How Do You Know the Predictive Application Works?  200
  Advantages of AuBA #8: Automating Behavioral and Computer Sciences to Ensure Success  201
  In Summary  202

Chapter 9  Applying a Predictive Methodology: From Principles to Practice  203
  Construction of Predictive Models  203
    The Problem to Solve  204
    Gathering and Formatting Input Data  204
    Historical Events  205
    AuBASME  205
    Model Development and Data Processing  206
    Validation and Testing  207
  What Is Needed: The Behavioral Methodologies  207
    Using the Manual Approach  209
    Using Tools to Assist the Manual Approach  211
    Excel  212
    Statistics and Correlation  213
    Automated Behavioral Modeling Tools  213
    Automated Behavior Analysis (AuBA)  215
  Making Sure It Works: An Introductory Example  220
  Testing and Use in the Real World: Implications  225
  Advantages of AuBA #9: Designing the Focus of an AuBA-Developed Model  227
  In Summary  228

Chapter 10  Predicting Domestic Threat  231
  Characterizing Domestic Threat  232
    Defining Domestic Terrorism  235
    Differentiating Domestic from Foreign Threat  236
    Differences  236
    Similarities  238
  The Malicious Insider: Spies, Thieves, and Sabotage  239
    Spies  240
    Sabotage  242
  Tradecraft of Those with Malicious Intent  243
    Known Tradecraft  243
    New Tradecraft  246
    Traditional-New Method Hybrids  247
    The Digital and Network Equivalents of Traditional Spycraft  248
    Recognizing Deception: Nothing Is as It Seems  251
  Advantages of AuBA #10: Moving from Reactive to Proactive  252
  In Summary  253

Chapter 11  Computer Networks: Protection from External Threat  255
  Protecting Against Known Attacks: Signature Detection  256
    Network Signature Detection  258
    Terrorism Signature Detection: A Comparison  259
    Identifying Criminal Signatures  260
  Identifying Unknown and First-Time Attacks  263
    Identifying Anomalies  266
    Network Anomaly Detection  267
    Advantages of Anomaly Detection  267
    Disadvantages of Anomaly Detection  267
    Methods of Detection  269
    Anticipating Anomalies  269
    Terrorism  270
    Networks  271
    Criminal Behavior  272
    Using Behavior Analysis to Identify New, First-Time Attacks  273
  Forensics: Studying and Defining the Past  273
    Is the Past the Best Predictor of Future Behavior?  274
    Updating How to Use Past Information  274
  Advantages of AuBA #11: Network Intrusion — Converting Digital Information to Human Behavior Assessment  275
  In Summary  276

Chapter 12  Computer Networks: Protection from Internal Threat  277
  Defining the Insider  278
    The Significance of Insider Threat  279
    Discovering Malicious Intent: Insider Motivations  281
    Acting on Malicious Intent: Insider Behaviors  283
    Insider Methods of Operations  284
    Deception: The Primary Core of the Malicious Insider  290
    Behavior of an Insider Network Thief  291
  Current Trends in Insider Threat Protection  292
    A Lack of Proactive Capability  293
    Signature Detection and Rules  293
    Anomaly Detection: False Positives Waiting to Happen  293
  Establishing the Need for a Paradigm Shift to Proactive Capabilities  294
    The Top 10 Features of a Paradigm Shift in Network Security  294
    AuBA, CheckMate, and InMate  295
  Advantages of AuBA #12: Powerful Predictive Analysis Engines That Fit on a Laptop  296
  In Summary  297

Chapter 13  Predicting Global Threat  299
  Understanding State-Sponsored Threat  300
    Organized State Support  301
    Foreign State-Supported Terrorist Attacks  302
    Foreign State-Supported Cyber Attacks  305
  Describing and Identifying Future Global Threat  306
    A Review of the AuBA Modeling Methods  311
    AuBA Methodology  312
    Automated Behavior Analysis Using Subject Matter Experts (AuBASME)  313
  Understanding the Role of Network Forensics  317
    Other Forensic Science Approaches Compared to Network Forensics  319
    Using Past Events to Predict Future Events  319
  Determining State Support of Terrorist Activities  321
    Gathering Evidence of State-Supported Malicious Behavior  321
    The Behaviorprint  322
    From Fingerprints to Behaviorprints  324
    Modeling as a Form of Proof  324
  Moving from Detection to Protection: A Major Leap  325
  Advantages of AuBA #13: The AuBA Behaviorprint and How It Compares to Signatures  326
  In Summary  327

Part III  Applying Tools and Methods  329

Chapter 14  Predictive Capability in Software: Tools for a New Approach  331
  Fusing Computer and Behavioral Sciences  332
    Sampling and Presidential Polls  333
    High-Speed Automated Stock Market Prediction  334
    AuBA Prediction of Terrorism  336
  Using the Computer’s Speed and Memory to Our Benefit  337
    Applying Simple Tools to Gain Advanced Results  338
    Excel and the Analysis ToolPak: Methods and Examples  340
    Advanced Tools: SPSS, SAS, and Other Statistical Packages  344
  Human Bias: The Enemy to Accuracy and Analysis  345
    An Example of Biased but Publishable Bad Research  346
    Identifying Bias  349
    Removing Bias via Automation  350
  Automating Behavioral Principles: Applying AuBA  351
    Capturing Cultural Nuances  352
    Moving from Theory to Practice: A Necessary Transition  352
  Advantages of AuBA #14: Incorporating Key Technological Advances  354
  In Summary  355

Chapter 15  Predictive Behavioral Modeling: Automated Tools of the Trade  357
  Automated Behavior Analysis (AuBA)  358
  ThemeMate  359
    Human Interaction with AuBA Automated Features  361
    Language Independence  363
    Other ThemeMate Features, Including Cross-Language  364
    Text Summarization: Automated CliffsNotes?  366
    Identifying Predictive Indicators (Antecedents)  366
    Constructing Data Arrays for Predictive Analysis  367
  AutoAnalyzer  373
    Using the Advantages of Speed, Accuracy, and Lack of Bias  375
    Speed  375
    Accuracy  375
    Bias  376
  Conducting Behavioral Modeling: Integrating ThemeMate and AutoAnalyzer  377
  Advantages of AuBA #15: What Is the AuBA Predictive Engine?  379
  In Summary  381

Chapter 16  Developing AuBA Applications  383
  Modeling from Text Accounts of Past Behavior  384
    Modeling Adversaries and Adversarial Groups  386
    Extracting Significant Data from Past News Articles  387
    Testing Your Model  388
    Using Your Model to Predict  389
    Constructing Open Source Cyber Threat Models  390
  Modeling from Sensor Output  393
    Predicting Malicious Behavior from Sensor Tracking of Movement  394
  CheckMate and InMate: Implementing Behavior-Based Network Protection  396
    CheckMate Network Intrusion Protection System  397
    InMate Misuse Detection System  399
    Testing and Validation for CheckMate  400
  Advantages of AuBA #16: Extending Our Analytical Brains  402
  In Summary  404

Chapter 17  Mastering AuBA Tools for Real-World Use  405
  Predicting the Unpredictable: Identifying Future Malicious Behavior  406
  Applying AuBA to Future Threat  406
    Current U.S. Citizen Trends to Aid Terrorism  407
    Leaving the Country  408
    Remaining Inside the United States as a Foreign Agent  408
    Acting on Their Own  408
    Cyber Attacks  411
  Applying AuBA to Network Security  412
    CheckMate: Protecting Networks from External Threat  413
    InMate: Identifying Insider Threat  420
  Advantages of AuBA #17: Versatility  423
  In Summary  423

Chapter 18  Analyzing Future Malicious Behavior  425
  The Necessity of Context in Predicting Future Behavior  426
  Analyzing the Individual and the Group  429
    Gathering Background Information  430
    Selecting Documents for the Basic Corpus  432
    Determining Inner Dynamics from External Data  433
    Anticipating Adversarial Individual and Group Transition  434
    What to Do When Data Is Missing  435
    AuBASME: A New Method for Using Subject Matter Expertise  436
    AuBASME and Prediction  437
  Analyzing Threat on a Global Level  440
    Incorporating Multiple Models  442
    Interpreting Results of Multiple Models  444
    Anticipating Events  445
  Defining Future Signatures: The Department of Pre-crime?
    Converting Reactive Technology to Proactive Protection
    Implications for Security
  Advantages of AuBA #18: Automated Characterization of Network Attacks
  In Summary

Part IV  Predicting Malicious Behavior: Tools and Methods to Support a Paradigm Shift in Security  449

Chapter 19  AuBA Future Extensions Today  451
  Predicting New Adversary Threat with Enhanced Accuracy  452


