The language of behavior: Exploring a new formalism for resilient response

Historically, behavior-based computer security has relied on automatic classification of the activities of persons and programs to determine whether these activities should be restricted. In this paper, we argue that classification that relies exclusively upon observation of low-level events (either via signatures or anomalies) is insufficient to infer higher-level behavior correctly. However, ordering these events into linguistic structures according to a finite set of grammar rules may be sufficient. We present an argument that formal language theory offers a bridge between primitive observables and high-level behaviors in cyber systems. We believe that this restatement of the behavior recognition challenge in cyber systems will enable reasoning about the components of automated behavior recognition. Our application area is resilient systems that will identify unusual behaviors (whether good or bad) and employ limited-time, partial quarantines on the actors responsible. We wish to classify based on behaviors of actors rather than bit patterns of actions and events. To do this, we propose a definition of computermediated human behaviors and discuss whether these behaviors can be described via a formal language. If this is possible, then we may be able to classify these behaviors as desirable or undesirable, normal or abnormal. This classification would facilitate the creation of behavioral models that could be used to take automatic actions to stop actors who appear to be acting in ways that may be threatening.