DocumentCode
565395
Title
Sensing for suspicion at scale: A Bayesian approach for cyber conflict attribution and reasoning
Author
Kalutarage, Harsha K. ; Shaikh, Siraj A. ; Zhou, Qin ; James, Anne E.
Author_Institution
Dept. of Comput., Coventry Univ., Coventry, UK
fYear
2012
fDate
5-8 June 2012
Firstpage
1
Lastpage
19
Abstract
Cyber conflict monitoring remains one of the biggest challenges today, amidst increasing scaling up of cyberspace in terms of size, bandwidth and volume. Added to this, the increased determination of cyber actors to operate beneath the threshold makes it ever more difficult to identify unauthorised activities with desired levels of certainty and demonstrability. We acknowledge a case for persistent and pervasive monitoring; detection of serious sabotage and espionage activities, however, is dependent, in part, upon the ability to maintain traffic history over extended periods of time, somewhat beyond current computational and operational constraints. This makes it crucial for research in cyber monitoring infrastructures, which are configured to handle cyberspace at live and modern scale and sense suspicious activity for further investigation. This paper explores Bayesian methods together with statistical normality to judge for effective activity attribution, particularly in high-volume high-scale environments, by combining both prior and posterior knowledge in the scenario. The set of experiments presented in this paper provides tactical and operational principles for systematic and efficient profiling and attribution of activity. Such principles serve a useful purpose for technologists and policy-makers who want to monitor cyberspace for suspicious and malicious behaviour, and narrow down to likely sources. The proposed approach is domain agnostic and hence of interest to a cross-disciplinary audience interested in technology, policy and legal aspects of cyber defence.
Keywords
Bayes methods; authorisation; computer network security; inference mechanisms; law; telecommunication traffic; Bayesian methods; activity attribution; computational constraints; cyber actors; cyber conflict attribution; cyber conflict monitoring; cyber conflict reasoning; cyber defence policy; cyber monitoring infrastructures; cyberspace handling; demonstrability; espionage activity detection; high-volume high-scale environments; legal aspects; malicious behaviour; operational constraints; operational principles; persistent monitoring; pervasive monitoring; policy makers; sabotage activity detection; suspicious activity; suspicious behaviour; tactical principles; traffic history; unauthorised activity identification; Bayesian methods; Charge coupled devices; Cognition; Cyberspace; Intrusion detection; Monitoring; Bayesian approach; anomaly detection; attribution; cyber attacks; reasoning;
fLanguage
English
Publisher
ieee
Conference_Title
Cyber Conflict (CYCON), 2012 4th International Conference on
Conference_Location
Tallinn
Print_ISBN
978-1-4673-1270-7
Type
conf
Filename
6243988