Towards Modeling Host-based Data for Cyber-Psychological Assessment in Cyber Threat Detection
Cyber attacks are constantly on the rise, affecting everything from financial institutions to higher education. Many critical infrastructures, such as health care, transportation, and the electric grid (e.g., the Colonial Pipeline incident), are increasingly targeted for service disruption, information system sabotage, intellectual property theft, or disclosure of classified information. With technological advancements, modern cyber attacks have become more sophisticated and stealthy in compromising high-end computer networks and cyber-physical systems (CPS).
Traditional signature- or anomaly-based cyber threat detection approaches that rely on cyber data alone often fail to contain sophisticated attack campaigns, especially insider threats. Hence, multidomain data analysis that incorporates psychological aspects is essential to combat the overwhelming increase in security breaches and attack campaigns. Much established research has associated users' cyber behavior in human-in-the-loop systems with their psychological behavior for effective cyber threat detection and forensics [1, 2]. Moreover, reports show that humans are considered the weakest link in security.
This research pursues three main objectives: i) evaluate and assess the relevance, influence, and utility of psychological behavior (e.g., impulsivity, risk-taking, personality traits) in combination with host data, ii) develop a high-accuracy, high-fidelity, and robust deep learning framework, and iii) evaluate the effectiveness of host data for run-time anomaly detection and threat investigation. This work proceeds with four different case studies to experiment with and evaluate the research objectives, and proposes four deep learning frameworks, DeepRan, LogSHIELD, GraphCH, and ExHPD, for threat detection. In this dissertation, we conduct an IRB-approved study to collect host data from real human subjects and introduce a benign host dataset (WHLB) containing 90 days of host logs from 35 workstations, along with a malware log dataset collected by running 140 malware samples.
The findings from the four case studies demonstrate the effectiveness of host data in anomaly detection. The results also validate that the cyberspace activities of computer users can be mapped to their psychological behavior, which improves the malicious activity detection performance of the AI detectors.