Army Cyber Institute
Permanent URI for this collection
Browse
Recent Submissions
Item When AI Fails, Who Do We Blame? Attributing Responsibility in Human-AI Interactions(Institute of Electrical and Electronics Engineers (IEEE), 2024-01-10) Schoenherr, Jordan Richard; Thomson, RobertWhile previous studies of trust in artificial intelligence have focused on perceived user trust, the paper examines how an external agent (e.g., an auditor) assigns responsibility, perceives trustworthiness, and explains the successes and failures of AI. In two experiments, participants (university students) reviewed scenarios about automation failures and assigned perceived responsibility, trustworthiness, and preferred explanation type. Participants’ cumulative responsibility ratings for three agents (operators, developers, and AI) exceeded 100%, implying that participants were not attributing trust in a wholly rational manner, and that trust in the AI might serve as a proxy for trust in the human software developer. Dissociation between responsibility and trustworthiness suggested that participants used different cues, with the kind of technology and perceived autonomy affecting judgments. Finally, we additionally found that the kind of explanation used to understand a situation differed based on whether the AI succeeded or failed.Item Free Speech is an Information Advantage(Peacekeeping and Stability Operations Institute (PKSOI), 2023-10) Eerhart, DanielFollowing the Arab Spring civil protests in 2011, there was a significant decrease in the percentage of civil resistance movements that successfully achieved their stated goals. Ensuring nations honor their citizens' free speech is essential to peaceful democratic processes. As free speech-suppressing technologies become ubiquitous, the opportunities to settle polarizing disputes below the threshold of violent armed conflict proportionally decrease. Therefore, civilian and military leaders operating within the domain of international relations must understand why the decline has occurred and give outlets to elevate citizen voices without relying upon violent armed conflict.Item Training Outside "The Box"(Association of the United States Army (AUSA), 2023-12-05) Eerhart, DanielThe realities of modern warfare are that America’s principal adversaries can disrupt any step in the deployment process, resulting in cascading gridlock. The first time these Soldiers will contact the enemy will be at home station, through adversary information warfare. While they are transporting their equipment, the enemy will take deliberate action to delay and disrupt Soldiers’ ability to enter the combat theater. The enemy will be maneuvering in the cyber domain and exploiting publicly available information to disrupt and influence Soldiers before they even step on the battlefield. This paper contends that the addition of an information warfare company to the opposing force (OPFOR) battalions can better prepare rotational training units at combat training centers (CTCs) for the difficulties of modern warfare. Additionally, expanding the training scope to integrate pre-deployment infrastructure wargame exercises and adding a microtargeting risk assessment team to the operations group would ensure that deploying Soldiers are prepared to confront the asymmetric challenges of the current multidomain battlefield.Item Preprocessing Network Traffic using Topological Data Analysis for Data Poisoning Detection(IEEE, 2023-11-07) Monkam, Galamo F.; De Lucia, Michael J.; Bastian, Nathaniel D.The rise of cyber attacks has prompted researchers to develop innovative techniques for detecting malicious activities to improve network security. Data poisoning attacks present a unique challenge when training machine learning (ML) models for the detection of malicious activity within network traffic. Traditional techniques for identifying such data poisoning attacks often lack efficiency when applied to network traffic. In this paper, we propose a novel approach that combines Topological Data Analysis (TDA) with unsupervised learning for preprocessing network traffic, aiming to improve data poisoning detection. TDA enables the capture of complex topological properties and underlying patterns in data sets, which we hypothesize can aid in identifying subtle adversarial modifications within network data. By leveraging TDA combined with an unsupervised learning algorithm, our proposed method can effectively detect poisoned data, enabling developers to remove it before training a MLbased model for network intrusion detection. This work opens up new avenues for research in network security and highlights the potential of TDA for pre-processing network traffic data.Item Towards Robust Learning using Diametrical Risk Minimization for Network Intrusion Detection(IEEE, 2023-11-07) McCollum, Kelson J.; Bastian, Nathaniel D.; Royset, Johannes O.Currently, deep neural networks show great promise in the detection of malicious network traffic at machine speed. However, these networks are typically trained using Empirical Risk Minimization (ERM), which is not robust to misclassified or altered training data. We propose applying Diametrical Risk Minimization (DRM), which is shown to lead to more robust optimization solutions, to train deep neural networks to classify malicious network traffic. Using two different network traffic datasets, we find that when state-of-the-art deep neural networks are trained on partially mislabeled data, utilizing DRM results in higher accuracy compared to equivalent models trained with ERM. More importantly, when models are tested against previously unseen cyber-attack types, models trained with DRM correctly identify the previously unseen cyber-attacks more often. We then show that these deep neural networks are computationally tractable to deploy in real-time on edge computing systems utilizing commercial-off-the-shelf hardware.Item RIDE: Real-time Intrusion Detection via Explainable Machine Learning Implemented in a Memristor Hardware Architecture(IEEE, 2023-11-07) Chen, Jingdi; Zhang, Lei; Riem, Joseph; Adam, Gina; Bastian, Nathaniel D.; Lan, TianDeep Learning (DL) based methods have shown great promise in network intrusion detection by identifying malicious network traffic behavior patterns with high accuracy, but their applications to real-time, packet-level detections in highspeed communication networks are challenging due to the high computation time and resource requirements of Deep Neural Networks (DNNs), as well as lack of explainability. To this end, we propose a packet-level network intrusion detection solution that makes novel use of Recurrent Autoencoders to integrate an arbitrary-length sequence of packets into a more compact joint feature embedding, which is fed into a DNN-based classifier. To enable explainability and support real-time detections at micro-second speed, we further develop a Software-Hardware Co-Design approach to efficiently realize the proposed solution by converting the learned detection policies into decision trees and implementing them using an emerging architecture based on memristor devices. By jointly optimizing associated software and hardware constraints, we show that our approach leads to an extremely efficient, real-time solution with high detection accuracy at the packet level. Evaluation results on real-world datasets (e.g., UNSW and CIC-IDS datasets) demonstrate nearly three-nines detection accuracy with a substantial speedup of nearly four orders of magnitude.Item Empirical Evaluation of Autoencoder Models for Anomaly Detection in Packet-based NIDS(Proceedings of the 2023 IEEE Conference on Dependable and Secure Computing, 2023) Hore, Soumyadeep; Nguyen, Quoc; Xu, Yulun; Shah, Ankit; Bastian, Nathaniel D.; Le, TrungAnomaly detection is critical for network security. Unsupervised learning models trained on benign network traffic data aim to detect anomalies without relying on attack data sets. Autoencoder-based models have emerged as a promising approach for detecting anomalies in network intrusion data. While autoencoder models have predominantly been utilized in flow-based approaches, which are suitable for offline analysis, there is a notable gap in research concerning unsupervised learning, particularly autoencoder-based techniques, for packetbased network intrusion detection. Packet-based network intrusion detection systems (NIDS) enable real-time detection at a granular level, making this area of investigation crucial. In this work, we compare autoencoder models for anomaly detection in packet-based NIDS. A methodological framework is presented for implementing an autoencoder-based network intrusion detection mechanism with packet data. A novel reconstruction error metric is proposed for autoencoders, which is evaluated at different threshold levels to compare the detection accuracies of network traffic anomalies. The effectiveness of autoencoder models is demonstrated on various network attacks and adversarial samples obtained from publicly available network intrusion data sets. The analysis highlights the strengths and limitations of different autoencoders for network traffic anomaly detection. The insights obtained from the empirical evaluation offer valuable guidance to researchers and practitioners aiming to develop an autoencoder-based network intrusion detection mechanism.Item Deans Significant Activities Report 06-28-2019(USMA, 2019) StaffThe Dean’s Weekly Significant Activities Report is an internal report on all activities conducted within the Departments, Centers & Staff. The Report is provided to the Dean for situation awareness, throughout the organization for shared situation awareness, and to select external organizations for outreach and communication.Item Deans Significant Activities Report 07-05-2019(USMA, 2019) StaffThe Dean’s Weekly Significant Activities Report is an internal report on all activities conducted within the Departments, Centers & Staff. The Report is provided to the Dean for situation awareness, throughout the organization for shared situation awareness, and to select external organizations for outreach and communication.Item You Can’t Always Get What You Want: How Will Law Enforcement Get What It Needs In A Post-Calea, Cybersecurity-Centric Encryption Era?(NORTH CAROLINA JOURNAL OF LAW & TECHNOLOGY, 2016) Pell, Stephanie K.In recent years, many technology companies have enabled encryption by default in their products, thereby burdening law enforcement efforts to intercept communications content or access data stored on smartphones by traditional means. Even before such encryption technologies were widely used, however, the Federal Bureau of Investigation (“FBI”) claimed its surveillance capabilities were “Going Dark” due to the adoption by consumers of new IP-based communication technologies, many of which are not subject to any surveillance-enabling obligations under the Communications Assistance for Law Enforcement Act (“CALEA”). The heightened tension produced by the introduction of encryption by default into an environment where terrorism has magnified the need for efficient law enforcement access (surveillance) supported by a newly-expanded CALEA framework is often framed as a contest between privacy and security. It is, however, more accurately framed as a security issue on both sides, one side which integrates traditional privacy concerns with the growing focus upon cybersecurity equities (the “cybersecurity” argument) into a critique of a second regime of “exceptional access” posited by law enforcement to sustain its access advantages either: (1) by mandating that manufacturers insert “backdoors” into applications, devices and communications networks; or (2) by forcing companies, after-the-fact, to circumvent and undermine security features they purposefully build into their products and services. The cybersecurity and, incidentally, pro-privacy position rejects exceptional access as a dangerous fiction that would, among other things, create new attack surfaces, rendering networks more vulnerable to every form of predation, from financial crime and IP theft to cyber espionage, ultimately generating unacceptable risks to our national and economic security. The reconciliation of these competing visions of security—of law enforcement’s traditional public safety mission with cybersecurity—will require law enforcement to employ investigative techniques that may include, among other things, enhanced collection and exploitation of metadata, which is not generally thwarted by the use of encryption technology. Although many sources and forms of metadata are already available to law enforcement, the widespread adoption of Internet of Things (“IoT”) technology will generate additional forms of metadata, potentially revealing sensitive information that would have been difficult for the government to obtain in the past. Moreover, many IoT devices include microphones and cameras that could be used to eavesdrop remotely on targets, whether through direct hacking or through law enforcement’s power to compel third parties to facilitate such eavesdropping, thereby potentially mitigating surveillance losses due to a target’s use of encrypted communications. This Article asserts that, for better or worse, law enforcement has entered a new post-CALEA, cybersecurity-centric investigative era where the use of encryption and other security-enhancing technologies is an irreversible fact and where getting a warrant or court order will not, in and of itself, guarantee law enforcement access to communications data. In this new surveillance era, law enforcement will more often find itself forced to employ individualized “collection” solutions for specific investigations, rather than enjoy the ready-made access provided by a CALEA like regime. That is, law enforcement will need, among other things, to target end-point devices, such as phones, computers and IoT devices, rather than the surveillance mechanisms mandated by a CALEA-like regime. As law enforcement seeks to employ old and new kinds of investigative techniques that involve neither designing access points into communications networks nor mandating circumvention of security features in mobile devices—policy choices necessary to support fundamental imperatives of cybersecurity—policy makers will be forced to consider how to facilitate, regulate, and oversee these law enforcement capabilities and activities, balancing what law enforcement may need against the social benefits of transparency and electronic privacy. The current debate over law enforcement exceptional access is more consistently divisive than not and, for the most part, not focused on how to get law enforcement what it needs without undermining fundamental principles of cybersecurity. A new dialogue on how to get law enforcement what it actually needs in a Post-CALEA, default-encryption era would be a much-needed step forward. That journey forward, however, will require a return to some of the historical debates about metadata collection and standards governing law enforcement access to various kinds of new revelatory metadata, such as that generated through the ever-expanding IoT. Moreover, this journey will raise new legal, ethical, and policy questions about when and if law enforcement should be permitted to use IoT apertures for seeing and hearing activities inside the home.Item Why older satellites present a cyber risk(C4ISRNET, 2018) Kallberg, JanThe most cost-effective and simplistic cyberattack in space, one with the intent to bring down a targeted satellite, is likely to use an older satellite now viewed as space junk that still has fuel and can respond to communications. Hackers could then use that satellite to ram or force targeted space assets out of orbit. The benefits for the attacker are numerous.Item Why Iran would avoid a major cyberwar(C4ISRNET, 2020) Kallberg, JanDemonstrations in Iran last year and signs of the regime’s demise raise a question: What would the strategic outcome be of a massive cyber engagement with a foreign country or alliance? Authoritarian regimes traditionally put survival first. Those who do not prioritize regime survival tend to collapse. Authoritarian regimes are always vulnerable because they are illegitimate. There will always be loyalists that benefit from the system, but for a significant part of people, the regime is not legit. The regime only exists because they suppress popular will and use force against any opposition.Item What COVID-19 can teach us about cyber resilience(C4ISRNET, 2020) Kallberg, Jan; Hamilton, Stephen S.The COVID pandemic is a challenge that will eventually create health risks to Americans and have long-lasting effects. For many, this is a tragedy, a threat to life, health, and finances. What draws our attention is what COVID-19 has meant our society, the economy, and how in an unprecedented way, family, corporations, schools, and government agencies quickly had to adjust to a new reality.Item What Do the Trump Administration’s Changes to PPD-20 Mean for U.S. Offensive Cyber Operations?(Council on Foreign Relations, 2018) Borghard, Erica D.; Lonergan, Shawn W.The White House has reportedly made it easier for U.S. Cyber Command to conduct offensive cyber operations, leading some observers to fret that it will create undue risks of escalation. Those concerns might be overblown.Item WHAT THE HECK IS THREATCASTING? To imagine the future, we also need to think about potential dangers(Arizona State University, 2017) Johnson, Brian David; Vanatta, NatalieThe power of threatcasting comes from the details that arise in looking to the future. Harriet Downs had it all: a great job, a loving husband, and two beautiful children. She was an up-and-coming programmer at Goldman Sachs for the company’s A.I. trading bots, on the fast track to management. She; her husband, Steve; and the kids had just moved into a beautiful new house in Sevenoaks. Life was good.Item When Good Ninjas Turn Bad: Preventing Your Students from Becoming the Threat(Proceedings of the 16th Colloquium for Information Systems Security Education, 2012) Cook, Thomas; Conti, Gregory; Raymond, DavidInformation security programs teach dangerous skills to their students. Despite our best efforts as instructors and mentors, some students will use these skills in inappropriate, and sometimes illegal, ways. As a result, students jeopardize their careers, hurt others, and put their institution’s entire information security program at risk. In this article, we present results from interviews with information security instructors from academic and government information security education programs. This article includes analysis of real-world incidents where students crossed the line in using their skills, and suggests best practices for deterring student misbehavior as well as techniques for mitigating damage and maximizing learning when an incident does occur.Item Why Government Organizations Don’t Care: Perverse Incentives and an Analysis of the OPM Hack(The Heinz Journal, 2016) Twist, James; Hutchinson, Matthew; Rhoades, Blake; Gagnon, RyanMany security experts have addressed the financial and personal security risks involved with the recent data breach at the Office of Personnel Management (OPM). This work supplements previous analyses of the event, and explores how the recently disclosed OPM breach has impacted the national security of the United States. By examining the elements of the breach - within the context of the stolen data and linkages to other data breaches - this work points to a larger offensive cyber campaign as the primary concern for U.S. leaders and policy makers. After thoroughly examining the details of the attack itself and its implications on DoD and national cybersecurity, we argue that government organizations lack appropriate incentives to secure their networks and personal data. The solution to this problem lies with organizational leaders, who must give guidance that incentivizes information security at the “tactical level.”Item WHY YOUR INTUITION ABOUT CYBER WARFARE IS PROBABLY WRONG(Small Wars Journal, 2012) Conti, Gregory; Brickey, Jon; Miller, Matthew LouisSince the dawn of time, when one caveman first struck another, humans have relied on a natural understanding of their physical environment to conduct warfare. We have an inborn ability to understand the laws of the physical world. In order to shoot an artillery round farther, just add more powder; to provide cover for protection against bullets, hide behind a rock. A private might accidentally shoot the wrong target, but the potential damage is limited by the maximum range of his or her rifle. The laws of physics, however, are counterintuitive in cyberspace. In cyberspace, our understanding of the “laws of physics” is turned on its head. Weapons can be reproduced instantly, “bullets” travel at near the speed of light, destroyed targets can be brought back from the dead, and a seventeen year old can command an army. As human beings we are at a distinct disadvantage when thinking intuitively about cyber warfare. In this article we study where our intuition fails us in cyber warfare and suggest alternate ways to think about the conduct of cyber war that account for the vast differences between the kinetic and the non-kinetic fight. A correct understanding and appreciation of these differences and common misconceptions is absolutely necessary to conduct cyber warfare and to integrate cyber effects into the kinetic battlefield. To ground this work we need to define the term “cyber.” There is significant and evolving debate regarding the precise definition of cyber. For purposes of this article we define cyber as a spectrum of cyberspace operations including Computer Network Attack (CNA), Computer Network Exploitation (CNE), and Computer Network Defense (CND).Item Your Secret Stingray’s No Secret Anymore: The Vanishing Government Monopoly Over Cell Phone Surveillance And Its Impact On National Security And Consumer Privacy(Harvard Journal of Law & Technology, 2014) Soghoian, Christopher; Pell, Stephanie K.In the early 1990s, off-the-shelf radio scanners allowed any snoop or criminal to eavesdrop on the calls of nearby cell phone users. These radio scanners could intercept calls due to a significant security vulnerability inherent in then widely used analog cellular phone networks: calls were not encrypted as they traveled over the air. In response to this problem, Congress, rather than exploring options for improving the security of cellular networks, merely outlawed the sale of new radio scanners capable of intercepting cellular signals, which did nothing to prevent the potential use of millions of existing interception-capable radio scanners. Now, nearly two decades after Congress passed legislation intended to protect analog phones from interception by radio scanners, we are rapidly approaching a future with a widespread interception threat to cellular communications very reminiscent of the one scanners posed in the 1990s, but with a much larger range of public and private actors with access to a much more powerful cellular interception technology that exploits security vulnerabilities in our digital cellular networks. This Article illustrates how cellular interception capabilities and technology have become, for better or worse, globalized and democratized, placing Americans’ cellular communications at risk of interception from foreign governments, criminals, the tabloid press and virtually anyone else with sufficient motive to capture cellular content in transmission. Notwithstanding this risk, US government agencies continue to treat practically everything about this cellular interception technology, as a closely guarded, necessarily secret “source and method,” shrouding the technical capabilities and limitations of the equipment from public discussion, even keeping its very name from public disclosure. This “source and method” argument, although questionable in its efficacy, is invoked to protect law enforcement agencies’ own use of this technology while allegedly preventing criminal suspects from learning how to evade surveillance. This Article argues that current policy makers should not follow the worn path of attempting to outlaw technology while ignoring, and thus perpetuating, the significant vulnerabilities in cellular communications networks on which it depends. Moreover, lawmakers must resist the reflexive temptation to elevate the sustainability of a particular surveillance technology over the need to curtail the general threat that technology poses to the security of cellular networks. Instead, with regard to this destabilizing, unmediated technology and its increasing general availability at decreasing prices, Congress and appropriate regulators should address these network vulnerabilities directly and thoroughly as part of the larger cyber security policy debates and solutions now under consideration. This Article concludes by offering the beginnings of a way forward for legislators to address digital cellular network vulnerabilities with a new sense of urgency appropriate to the current communications security environment.Item Train, promote and lose: The battle for retention(C4ISRNET, 2018) Kallberg, JanThe United States is an engineering country where technical solutions are born, and solutions are thought up, in an innovation-friendly environment of academia and industry. There are gaps, but the United States is highly adaptive and able to face technological challenges due to its research capacity and industrial base.