Hybrid Modeling of Cyber Adversary Behavior

  • Amy Sliva
  • Sean Guarino
  • Peter Weyhrauch
  • Peter Galvin
  • Daniel Mitchell
  • Joseph Campolongo
  • Jason Taylor
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10354)


Cyber adversaries continue to become more proficient and sophisticated, increasing the vulnerability of the network systems that pervade all aspects of our lives. While there are many approaches to modeling network behavior and identifying anomalous and potentially malicious traffic, most of these approaches detect attacks once they have already occurred, enabling reaction only after the damage has been done. In traditional security studies, mitigating attacks has been a focus of many research and planning efforts, leading to a rich field of adversarial modeling to represent and predict what an adversary might do. In this paper, we present an analogous approach to modeling cyber adversaries to gain a deeper understanding of the behavioral dynamics underlying cyber attacks and enable predictive analytics and proactive defensive planning. We present a hybrid modeling approach that combines aspects of cognitive modeling, decision theory, and reactive planning to capture different facets of adversary decision making and behavior.


Cyber defense, Adversary modeling, Cognitive models, Decision theory, Predictive analytics, Cyber simulation



This material is based upon work supported by the Communications-Electronics, Research, Development and Engineering Center (CERDEC) under Contract No. W56KGU-15-C-0053 and the Office of the Director of National Intelligence (ODNI) and the Intelligence Advanced Research Projects Activity (IARPA) via the Air Force Research Laboratory (AFRL) contract number FA8750-16-C-0108. The US Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation thereon.

Disclaimer: The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of CERDEC, ODNI, IARPA, AFRL, or the US Government.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Amy Sliva (1)
  • Sean Guarino (1)
  • Peter Weyhrauch (1)
  • Peter Galvin (1)
  • Daniel Mitchell (1)
  • Joseph Campolongo (1)
  • Jason Taylor (1)

  1. Charles River Analytics, Cambridge, USA
