Proceedings Article | 17 September 2011
KEYWORDS: Kinematics, Sensors, Information security, Computer intrusion detection, Data processing, Computer simulations, Physics, Computer security, Computer networks, Analytical research
This paper discusses how methods used for conventional multiple hypothesis tracking (MHT) can be extended to domain-agnostic tracking of entities from non-kinematic constraints, such as those imposed by cyber attacks, in a potentially dense false-alarm background. MHT is widely recognized as the premier method for avoiding the corruption of tracks with spurious data in the kinematic domain, but it has not been extensively applied to other problem domains. The traditional approach is to tightly couple track maintenance (prediction, gating, filtering, probabilistic pruning, and target confirmation) with hypothesis management (clustering, incompatibility maintenance, hypothesis formation, and N-association pruning). However, by separating the domain-specific track maintenance portion from the domain-agnostic hypothesis management piece, we can begin to apply the wealth of knowledge gained from ground and air tracking solutions to the cyber (and other) domains. These realizations led to the creation of Raytheon's Multiple Hypothesis Extensible Tracking Architecture (MHETA).
In this paper, we showcase MHETA for the cyber domain, plugging in a well-established method, CUBRC's INFormation Engine for Real-time Decision making (INFERD), for the association portion of the MHT. The result is a CyberMHT. We demonstrate the power of MHETA-INFERD using simulated data. Using metrics from both the tracking and cyber domains, we show that, while no tracker is perfect, applying MHETA-INFERD captures advanced non-kinematic tracks in an automated way, performs better than non-MHT approaches, and decreases analyst response time to cyber threats.
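To make the split between domain-agnostic hypothesis management and a pluggable domain-specific association piece concrete, the following is an added example and not the paper's MHETA or CUBRC's INFERD code: hypothesis formation, incompatibility maintenance and pruning to the best few hypotheses are written once, while the cyber gating rule `cyber_gate`, its score constants, the `Alert` fields and the sample alert scans are assumptions constructed for illustration.

```python
from collections import namedtuple
from itertools import product
# t: seconds into the constructed simulation; src: sample source address (not a
# real host); stage: crude attack-stage index. All assumed, not from the paper.
Alert = namedtuple("Alert", "t src stage")

# Domain-specific plug-in (an assumed cyber gating rule standing in for INFERD):
def cyber_gate(track, alert, window=600.0):
    """Score extending `track` with `alert`; None if the alert is outside the gate."""
    last, dt = track[-1], alert.t - track[-1].t
    if alert.src != last.src or dt < 0 or dt > window or alert.stage < last.stage:
        return None
    return 1.0 + (1.0 - dt / window)  # nearer in time = stronger association
NEW_TRACK, FALSE_ALARM = 0.3, 0.0  # assumed priors: start a track / treat as noise

# Domain-agnostic hypothesis management. A hypothesis is (tracks, score); each
# track is a tuple of Alerts. Nothing below knows what an Alert means.
def expand(hyp, alerts, gate):
    tracks0, score0 = hyp
    options = []  # per alert: the (kind, track index, score) choices open to it
    for a in alerts:
        opts = [("fa", None, FALSE_ALARM), ("new", None, NEW_TRACK)]
        opts += [("ext", j, s) for j, trk in enumerate(tracks0)
                 if (s := gate(trk, a)) is not None]
        options.append(opts)
    out = []
    for choice in product(*options):  # hypothesis formation
        used = [j for kind, j, _ in choice if kind == "ext"]
        if len(used) != len(set(used)):  # incompatible: one alert per track per scan
            continue
        tracks, score = list(tracks0), score0
        for a, (kind, j, s) in zip(alerts, choice):
            score += s
            if kind == "ext":
                tracks[j] = tracks[j] + (a,)
            elif kind == "new":
                tracks.append((a,))
        out.append((tuple(tracks), score))
    return out

def run_mht(scans, gate=cyber_gate, keep=5):
    """Process scans in order; after each, prune to the `keep` best hypotheses."""
    hyps = [((), 0.0)]
    for alerts in scans:
        hyps = [h for old in hyps for h in expand(old, alerts, gate)]
        hyps = sorted(hyps, key=lambda h: -h[1])[:keep]
    return hyps

def confirmed_tracks(scans, **kw):  # tracks with 2+ alerts in the best hypothesis
    return [t for t in run_mht(scans, **kw)[0][0] if len(t) >= 2]

# Constructed sample: a three-stage sequence from one host amid unrelated alerts.
SCANS = [[Alert(0, "10.0.0.5", 1), Alert(5, "10.0.0.9", 3)],
         [Alert(120, "10.0.0.5", 2), Alert(130, "10.0.0.9", 1)],
         [Alert(300, "10.0.0.5", 3)]]
```

Swapping `cyber_gate` for a kinematic gate (or any other domain's scorer) leaves `expand` and `run_mht` untouched, which is the separation the abstract argues for.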