Forensic Models of Cyberspace Behaviors
Navy STTR 2019.A - Topic N19A-T021
ONR - Mr. Steve Sullivan
Opens: January 8, 2019 - Closes: February 6, 2019 (8:00 PM ET)


TITLE: Forensic Models of Cyberspace Behaviors


TECHNOLOGY AREA(S): Human Systems, Information Systems


OBJECTIVE: Develop an intelligent modeling framework for cyberspace threat actor behaviors that traces their genealogy and supports predicting their future evolution.

DESCRIPTION: Cyberspace threat actors develop tactics, techniques, and procedures (TTP) that evolve over time in response to environmental stimuli. This evolution may be triggered by the actors’ growing expertise or changing goals, or by changes in their targets such as discovery of threat actor tactics or improved defenses. In the absence of such stimuli, however, these behaviors tend to remain fairly constant with regard to any given goal.

Longitudinal studies of threat actors could identify inflection points in their behavior patterns, which in turn would provide valuable intelligence for defensive cyberspace operations (DCO). For example, the deployment of a new security control that lessens the effectiveness of an adversarial tactic would reasonably cause the threat actor to change behaviors if they still want to accomplish a similar goal. This change would confirm the effectiveness of the new control similarly to how one uses battle damage assessment (BDA) techniques. On the other hand, an unexpected change in TTP would tell the defenders that something of interest happened to the threat actor. If DCO personnel can find no known events that correlate to such changes, they would likely want to investigate further.

There are few techniques that support forensic analyses of cyberspace behaviors and many of these are focused on external attacks involving malware. To the extent that such studies are being performed, they are manually done by highly skilled analysts. This approach requires significant investments of staff, time, and money. It seems plausible to leverage machine learning (ML) techniques to identify, classify and track discrete cyberspace events and to infer the behaviors, and ultimately the goals, to which they are related. Such use of ML, coupled with large sensor networks, would yield an unprecedented ability to monitor what our adversaries are doing, how they are adapting to changing conditions, and their likely goals.

This STTR topic seeks novel approaches to building scalable models of cyberspace threat actor behaviors that lend themselves to analysis by both humans and machines. The models should be autonomously fitted to data from existing sensors in order to detect and classify adversarial behaviors and infer their goals. Furthermore, the models should automatically detect changes in behaviors, such as the introduction of new tools or procedures. Scalability of the proposed solution is an important consideration since the data sets are known to be very large.

PHASE I: Determine the feasibility of analyzing cyberspace observables, comparing them to behavior models, detecting the incorporation of new tools and procedures, and inferring adversaries’ goals. Identify classes of adversarial behavior that lend themselves to this analysis. Develop a detailed design for an intelligent system that collaborates with a human operator to identify the likeliest goals for an adversarial operation. Develop a Phase II plan.

PHASE II: Develop a prototype system that can classify adversarial behaviors, detect changes over time, and correlate those changes to known events. Demonstrate the prototype in a realistic information technology (IT) environment. Study and describe how this capability may be augmented with autonomous responses such as defensive countermeasures or deception.

PHASE III DUAL USE APPLICATIONS: Commercialize the technology. The solution developed in Phase II will be productized for general use across Government, commercial, and research organizations. Examples of such applications may include verification and validation of network security protocols, the development of objective criteria for assessing behavioral changes following TTPs, or the development of experimentation testbeds for cyber operations training.



KEYWORDS: Cyberspace Operations; Machine Learning; TTP; tactics, techniques, and procedures


Peter Walker

Amy Bolton

These Navy Topics are part of the overall DoD 2019.A STTR BAA. The DoD issued its 2019.1 BAA STTR pre-release on November 28, 2018, which opens to receive proposals on January 8, 2019, and closes February 6, 2019 at 8:00 PM ET.

Between November 28, 2018 and January 7, 2019 you may communicate directly with the Topic Authors (TPOC) to ask technical questions about the topics. During these dates, their contact information is listed above. For reasons of competitive fairness, direct communication between proposers and topic authors is not allowed starting January 8, 2019 when DoD begins accepting proposals for this BAA. However, until January 23, 2019, proposers may still submit written questions about solicitation topics through the DoD's SBIR/STTR Interactive Topic Information System (SITIS), in which the questioner and respondent remain anonymous and all questions and answers are posted electronically for general viewing until the solicitation closes. All proposers are advised to monitor SITIS during the Open BAA period for questions and answers and other significant information relevant to their SBIR/STTR topics of interest.

Topics Search Engine: Visit the DoD Topic Search Tool to find topics by keyword across all DoD Components participating in this BAA.

Proposal Submission: All SBIR/STTR Proposals must be submitted electronically through the DoD SBIR/STTR Electronic Submission Website, as described in the Proposal Preparation and Submission of Proposal sections of the program Announcement.

Help: If you have general questions about the DoD SBIR program, please contact the DoD SBIR Help Desk at 800-348-0787 or via email at