The Future of Cyber Analytics: Identity Classification for Systematic and Predictive Insight

PhD Extended Abstract, June 4, 2019

Mary C. (Kay) Michel, Computer Engineering and Sciences, Florida Institute of Technology (FIT), Melbourne, Florida, USA, [email protected]

Michael C. King, Computer Engineering and Sciences, Florida Institute of Technology (FIT), Melbourne, Florida, USA, [email protected]


Page 1: title slide (as above)

Page 2

The Internet: constantly changing infrastructure and technology connects people across the world.

To understand a cyber identity today, more sophisticated methods are needed that can adapt and aid in establishing or strengthening linkages between cyber-physical-human systems[1].

6/4/2019 Authors: Mary C. (Kay) Michel, Michael King, Florida Institute of Technology 2


We introduce a novel identity classifier with a defined scheme of salient systematic features and mathematical axiom-based model logic. It utilizes mapped type patterns with contextual reasoning over time for consistent, long-term analysis.

[Figure: Identity Analysis Timeline, 1990 / 2000 / 2010 / Present, moving from categorical to digital analysis. Tool eras: PC devices/apps forensic tools; mobile device/apps forensic tools; cyber/network forensic tools. Data categories: biographic, behavioral, relationship, physiological; machine learning (ML); biometrics.]

[Figure: C-DNA dimensions: Human, Physical, Cyber, Time/Context.]

Page 3

Topic Agenda

• Introduction

• Background

• Design Aspects and Prototype

• Experiment Trials & Findings

• Conclusion and Future Work

My background…
• C.S. PhD Candidate in Computer Science at FIT
• 15+ yrs. as R&D P.I. & Chief Software Engineer
• 10 yrs. researching Cyber, Identity, AR, and VW’s
• Artist and Market Analyst

Dr. Michael King’s background…
• Associate Professor and Research Scientist at FIT
• Director, Applied Research and Innovation

Page 4

Introduction

Novel Classification and Situational Awareness (SA) Approach

• HYPOTHESIS: A holistic identity classification scheme and model logic design which provides systematic insight on the most effective salient cyber-physical features can predictively map an identity to a human, profile, person, and/or cybercriminal type.

• QUESTION: How can the most effective cyber-physical, and human feature patterns be mapped to an identity type in a broad, systematic, and predictive manner?

• TECHNICAL GOAL: Design and evaluate effectiveness of a holistic adaptive identity feature classification system based on representative real-world case scenarios.


Research involves the study of systematic diversity and relationships over time among hierarchical categorized features of living and non-living organisms in Cyber-Physical-Human systems.

Page 5

Background of Holistic Identity

• Superidentity Project[2]: single identity of an individual's cyber and physical identity information with a core set of elements that provide a basis for defining a person's real identity using transforms

[Figure: Superidentity, composed of Cyber, Psychological, Biographical, and Biological elements.]

[Figure: Physical Identity of a Person (Suspect/Criminal): Biographical, Behavioral, Biometric; Criminal Case: Situation, Location.]

• Situation, Barwise and Dempster-Shafer Theory Ontologies[3]: our approach adds cyber aspects

• Other methods:
  • Multi-biometric or fused data
  • Social network connections
  • Psychological, relationship, and physiological features
  • NEW: bio-inspired, systematic aspects

Our comprehensive approach aims to improve current methods with 4 feature dimensions: Time/Context, Cyber, Physical, and Human (TCPH).

This design addresses a technological gap for a robust identity classifier.

Page 6

Initial Design Thought Experiments

Initial experiment results yielded:

• Identity extended cyber-physical feature set classification-based ontology design

• Identity core with temporal states of mapped features, profile, and unique identity evidence

• Contextual cybercrime salient feature sets with aspects of real-world cybercrime cases on cyber-physical timeline visualizations[4]

The initial design was promising in resolving an identity for several types of cybercrime, but it revealed the need to more precisely determine a broader range of identities and support emerging features.

Page 7

Refined Design

A holistic, broad perspective of identities that support the past, present, and future leveraging scientific theory:

• Bio-inspired adaptable complex feature map structures and expression, and systematic classification of living, non-living, and new synthetic species variance[5][6][7]

• Cybernetics and systematics for defined control and measurement of feature similarities and variation in cyber, physical, and human system types[8]

• Information theory for determining or predicting measured temporal contextual salience, sets, and model logic with respect to time[9][10]

[Figure: Mapped Identity Type: Profile, Cybercriminal Type, Human, Person.]

Cybernetic DNA (C-DNA) combines these theoretical aspects into a feature classifier with 4 dimensions (TCPH).

[Figure: C-DNA theoretical inputs: Cybernetics, Time/Context, Information Theory, Bio-Inspired; output: Cyber-Physical-Human Systematic Feature Sets.]

Page 8

Prototyped design consists of a feature classification scheme and rule logic for:

- A system-based blueprint for a robust identity classifier

- A bio-inspired complex, systematic feature structure that can adapt

- Time/Context-Cyber-Physical-Human (TCPH) feature dimensions

- Features with salient and variant aspects to help determine types of humans vs. non-humans, profiles, cybercriminals, and unique people

Built a reference architecture prototype in Java integrated with the Jena/OWL API:

[Figure: Cybernetic DNA (C-DNA) Prototype and Experiments. Input: Evidence Snapshot (.csv) → C-DNA Identity Classifier → Output: Inferred Mapped Identities (visualization, .owl & .xml).]

Let’s discuss experiment trials with a cybercrime case scenario.

Page 9

Evaluation

• The C-DNA Classifier provides cyber-physical-human systematic insight into evaluated unsolved real-world case scenarios to aid with resolution and prediction of mapped identity classes, types, and subtypes.

• Systematic has several meanings: 1) done according to a fixed plan or system[11], 2) arranged as ordered systems of classifications[12], and 3) the study of the diversification of living forms over time[13].

• Experiment trials evaluate effectiveness of the systematic design and feature sets.

• There are 3 trials to evaluate how well the C-DNA artifact can determine types of evidence-mapped identities to solve a real-world cybercrime Botnet Attack case.


TRIAL #1:

Cybercrime case 1st feature evidence snapshot in a series of 3 linked to Mirai IoT Botnet[14][15][16]

Research question: Can the design classify a bot and bot type identity based on mapped salient systematic data?

• Key OSI identifiers

• IoT botnet malware exhibits a signature utilizing Telnet on port 23 with Linux operating systems. Evidence for a botnet attack logged a 600 Gbps TCP SYN flood[15]

• October 1, 2016: Feature Matrix MIRAI v1 evidence (legend: Time/Context, Cyber, Physical, Human)

Page 10

Evaluation (cont.)

TRIAL #2:

Cybercrime case 2nd feature evidence snapshot in a series of 3 linking Mirai IoT Botnet to Botmaster Suspect[14][15][16]

Research question: Can the design classify a human identity type with activity mapped to the Mirai IoT Botnet, aliases, and online liveness indicators?

• Botmaster_Suspect identity based on modeled salient system-based classes, properties, and logic specific to cybercrime type

• Multiple aliases (e.g., Anna-Senpai) linked to Mirai code, other identities, botnet confessions, and various generated social network and chat account profiles revealed interesting patterns of similar text and message content/style along with human liveness indicators on Skype

• November 1, 2016: Feature Matrix MIRAI v2 evidence

TRIAL #3:

Cybercrime case 3rd, final feature evidence snapshot in a series of 3 linking Mirai IoT Botnet to Botmaster Criminal[14][15][16]

Research question: Can the design classify a human identity with Mirai Botnet Criminal activity linked to aliases and a known person name?

• Botmaster_Criminal identity based on modeled salient system-based classes, properties, and logic specific to cybercrime

• Binary and non-binary expressive instance-based restrictive values related to contextual cybercrime type and evidence including command and control (C2) server mapped to an eventual cell phone number and owner, human liveness indicators, aliases, and known name

• Botmaster Criminal mapped to Mirai IoT Botnet evidence and person’s name

• December 1, 2016: Feature Matrix MIRAI v3 evidence
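As an added illustration of the three-trial logic above (not the authors' C-DNA prototype, which is built in Java with the Jena/OWL API), the following Python sketch applies rule logic over constructed TCPH evidence snapshots in date order, so that each later snapshot inherits the earlier evidence; all feature names, values and rows are assumptions made for the example.

```python
# Added illustration, not the authors' C-DNA prototype (Java with Jena/OWL).
# Mimics the slides' trial structure: three dated evidence snapshots, rows
# tagged with a TCPH dimension (T, C, P, H), and rule logic that infers mapped
# identity types cumulatively over time. Feature names/values are constructed.
import csv, io
from typing import Dict, List, Optional, Set, Tuple

SNAPSHOTS_CSV = """\
snapshot,dim,feature,value
2016-10-01,C,service_port,23/telnet
2016-10-01,C,target_os,linux
2016-10-01,C,attack_type,tcp_syn_flood
2016-10-01,T,event,ddos_observed
2016-11-01,H,alias,Anna-Senpai
2016-11-01,C,alias_linked_to,mirai_code
2016-11-01,H,liveness_indicator,skype_chat
2016-12-01,P,c2_server_mapped_to,cell_phone_number
2016-12-01,H,known_name,PERSON_NAME_PLACEHOLDER
"""

Evidence = Dict[str, Set[Tuple[str, str]]]  # dimension -> {(feature, value)}

def parse_snapshots(text: str) -> List[Tuple[str, Evidence]]:
    """Group CSV rows into (snapshot_date, evidence-by-dimension), ordered by date."""
    grouped: Dict[str, Evidence] = {}
    for row in csv.DictReader(io.StringIO(text)):
        ev = grouped.setdefault(row["snapshot"], {d: set() for d in "TCPH"})
        ev[row["dim"]].add((row["feature"], row["value"]))
    return sorted(grouped.items())

def has(ev: Evidence, dim: str, feature: str, value: Optional[str] = None) -> bool:
    """True if the dimension holds the feature (optionally with an exact value)."""
    return any(f == feature and (value is None or v == value) for f, v in ev[dim])

def infer_types(ev: Evidence) -> Set[str]:
    """Rule logic: each identity type needs salient features from specific dimensions."""
    types: Set[str] = set()
    # Trial 1: non-human bot type from Cyber features (telnet/23, Linux, SYN flood).
    if all(has(ev, "C", f, v) for f, v in [("service_port", "23/telnet"),
                                            ("target_os", "linux"),
                                            ("attack_type", "tcp_syn_flood")]):
        types.add("IoT_Botnet")
    # Trial 2: targeted human type: alias linked to the bot code plus a liveness indicator.
    if ("IoT_Botnet" in types and has(ev, "H", "alias")
            and has(ev, "C", "alias_linked_to") and has(ev, "H", "liveness_indicator")):
        types.add("Botmaster_Suspect")
    # Trial 3: unique person: suspect plus Physical C2 mapping and a known name.
    if ("Botmaster_Suspect" in types and has(ev, "P", "c2_server_mapped_to")
            and has(ev, "H", "known_name")):
        types.add("Botmaster_Criminal")
    return types

def classify_over_time(text: str) -> List[Tuple[str, List[str]]]:
    """Merge snapshots in date order (Time/Context) and report types inferable at each."""
    merged: Evidence = {d: set() for d in "TCPH"}
    results: List[Tuple[str, List[str]]] = []
    for date, ev in parse_snapshots(text):
        for d in "TCPH": merged[d] |= ev[d]
        results.append((date, sorted(infer_types(merged))))
    return results
```

Run `classify_over_time(SNAPSHOTS_CSV)` to see the bot type appear at the first snapshot, the suspect at the second and the person at the third; removing a single Physical or Human row shows which dimension each inference depends on.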

Page 11

Conclusion and Future Work

Novel C-DNA Classification System prototyped experiment findings:

1. Effectively mapped the most salient systematic cybercrime features to 3 human & non-human identities: 1) IoT Botnet (Non-human Type), 2) IoT Botmaster Suspect (Targeted Human Type), and 3) IoT Botmaster Criminal (Person), plus generalized profile types such as human, male, US male

2. More precise classification for a broad range of identities, utilizing organized high-dimensional mapped features from each of the 4 dimensions (Time/Context, Cyber, Physical, and Human; TCPH) to provide unique insight into complex cybercrime problems and identities that are organically evolving through the time dimension and contextual events as human vs. non-human system-based attributes

3. Design supports predictive action and behavior, since types can be classified based on system-based feature set instance expression and repeatable logic inference patterns

The identity reference architecture is a foundation for future experimentation and refinement.

Future experiment trials will evaluate:

• Bio-inspired variant trait expression patterns and adaptability with learned, extended, and optimized features

• System control loop feedback indicators, threshold alerts, and content effectors/enhancers

• Qualitative evaluation of multi-dimensional support for mixed media SA visualizations (e.g., Reality, Augmented Reality, and Virtual Reality) based on the cyber identity classification architecture

Page 12

References

[1] “Internet Crime Center Report (IC3) 2016 Annual Report.” https://www.ic3.gov/media/annualreports.aspx, 22 June 2017.

[2] S. Creese, T. Gibson-Robinson, M. Goldsmith, D. Hodges, D. Kim, O. Love, J.R.C. Nurse, B. Pike, and J. Scholtz. Tools for Understanding Identity. In Proceedings of IEEE International Conference on Technologies for Homeland Security (HST), 2013.

[3] M. McDaniel, et al. "Situation-based ontologies for a computational framework for identity focusing on crime scenes." In Proceedings of Cognitive and Computational Aspects of Situation Management (CogSIMA), 2017 IEEE Conference on, 2017.

[4] NBC News. “Accused Silk Road Operator Ross Ulbricht Convicted on All Counts.” http://www.nbcnews.com/tech/tech-news/accused-silk-road-operator-ross-ulbricht-convicted-all-counts-n299606, 2015. Last retrieved: July 26, 2017.

[5] M.W. Strickberger, Evolution, 3rd Edition, Jones & Bartlett Pub, 2000.

[6] J.D. Watson, A. Berry, K. Davies, DNA: The Story of the Genetic Revolution. Alfred A. Knopf, 2017.

[7] S. Zhao et al., “Advanced Heat Map and Clustering Analysis Using Heatmap3”, Proceedings of BioMed Research International, US National Library of Medicine, National Institute of Health, 2014.

[8] N. Wiener. Cybernetics or Control and Communication in the Animal and the Machine. The M.I.T. Press, 2013 (created in 1948).

[9] C.E. Shannon and W. Weaver, The Mathematical Theory of Communication, Univ. of Illinois Press, 1949.

[10] K. Michel, M. Carvalho, H. Crawford, A. Esterline, “Salient Trait Ontology and Computational Framework to Aid in Solving Cybercrime”, In Proceedings of the 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (Trustcom-18), New York, 2018.

[11] Oxford Dictionaries, 2019.

[12] Dictionary.com, 2019.

[13] “Systematics: Meaning, Branches and Its Application". Biology Discussion. 2016-05-27. Retrieved 2017-04-12.

[14] C. Seaman, “Threat Advisory: Mirai Botnet”, Akamai Technologies, Inc., 2016.

[15] H. Zimmermann, "OSI Reference Model - The ISO Model of Architecture for Open Systems Interconnection," in IEEE Transactions on Communications, vol. 28, no. 4, pp. 425-432, April 1980.

[16] “Krebs on Security.” Brian Krebs, 18 Jan. 2018, krebsonsecurity.com/2018/01/serial-swatter-tyler-swautistic-barrisscharged-with-involuntary-manslaughter/.


Thank you!

Questions?

Page 13

Back-up Reference Slides

Page 14

Timeline Visualization: Mirai Botmaster

Sources:
[1] https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
[2] https://www.rsaconference.com/writable/presentations/file_upload/hta-w10-mirai-and-iot-botnet-analysis.pdf
[3] https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/
[4] https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/

[Figure: timeline visualization. Events: 8/2016 IoT Botnet attack targeting Web Server x; 9/19/16 OVH attack; 9/20/16 Krebs attack; 9/30/16 malware code posted (Mirai code posted to deter authorities); 10/20/16 Dyn, Twitter, etc. attack; 12/13/16 Botmaster admission. Rows: Context, Physical, Human, Cyber (OS / IF’s / versions; Ctrl Actuator; Sensor; FW/SW App Presentation); layers: Physical, Security, NW HW Device/NIC, Data Link, Transport, Session, Application. Snapshot #1 covers the botnet attack; Snapshots #2 & 3 cover the botmaster.]

ALERT: IoT Botmaster profile behavior
1. Botmaster x sends Botnet attack cmd via C2 API (in TOR)
2. Botmaster x uses MAC Addr x
3. Botmaster x uses IP Addr x
4. Botnet server x receives Botnet attack cmd
5. Botnet server x sends Botnet attack cmd
6. Botnet server x uses MAC Addr x
7. Botnet server x uses IP Addr x in Country x
8. Botnet device x receives Botnet attack cmd/logon
9. Botnet device x sends Botnet attack reqs (SYN, HTTP, ACK)
10. Botnet device x uses MAC Addr x
11. Botnet device x uses IP Addr x
12. Target Web Server x receives Botnet attack cmd
13. Target Web Server x hangs due to DDOS
14. Target Web Server x uses MAC Addr x
15. Target Web Server x uses IP Addr x in San Jose, CA
Web Server x down due to IoT Botnet Attack

ALERT: IoT Bot scanner (Botnet scanning IoT devices)
1. Malware ELF Linux Executable SW Mirai scans Internet hosts for open port 23 (telnet)
2. Malware ELF Linux Executable SW Mirai loaders enter weak password attacks on IoT devices with Busybox OS shell & specific CPU type
3. IoT device becomes a Botnet listener connected to C2 Botnet server

ALERT: IoT Botmaster profile behavior - attack (code has Minecraft game server links)
1. Botmaster Anna-Senpai alias confesses on hacker sites
2. Botmaster Anna-Senpai alias is Paras Jha, Rutgers Student
3. Mirai IoT’s linked to Jha, J. White, and D. Norman
4. Botmaster charged with Computer Fraud

MATCH ID: Alias, Face, NW IP logs to Email, cell #, Name