George Cybenko

• Ph.D.
• Professor at Dartmouth College

It is well documented that artificial intelligence (AI) systems have various types of vulnerabilities and associated risks. As such systems are deployed in safety-critical domains, it has become necessary not only to identify and enumerate the vulnerabilities but also to quantify the resulting risks. In this position paper, we discuss approaches fo...

Source separation problems are a long-standing and well-studied challenge in signal processing and information sciences. The "Cocktail Party Phenomenon" and other classical source separation problems are vector representable and additive, and thus solvable by well-established linear algebra techniques. However, the proliferation and adoption of Int...

OpenAI released ChatGPT, an advanced chatbot based on the generative pre-trained transformer model, in late 2022. After its release, ChatGPT has performed so remarkably well at a diverse set of assigned tasks that critics have expressed concern over possible misuse of its capability (e.g., students using ChatGPT to write their school assignments, m...

Autonomous systems, both cyber and physical, operate in highly contested environments in which it must be assumed that adversaries are capable, agile, and informed about state‐of‐the‐art technology. In order to sustain performance in such environments, systems must be able to adapt autonomously through online machine learning ‐ that is, improve the...

Data conflation refers to the superposition data produced by diverse processes resulting in complex, combined data objects. We define the data deconflation problem as the challenge of identifying and separating these complex data objects into their individual, constituent objects. Solutions to classical deconflation problems (e.g., the Cocktail Par...

Autonomous systems will operate in highly contested environments in which it must be assumed that adversaries are equally capable, agile and informed. To achieve and sustain dominant performance in such environments, autonomous systems must be able to adapt through online machine learning while managing and tolerating attrition - that is, improve t...

Autonomous systems, both cyber and physical, operate in highly contested environments in which it must be assumed that adversaries are capable, agile, and informed about state‐of‐the‐art technology. In order to sustain performance in such environments, systems must be able to adapt autonomously through online machine learning ‐ that is, improve the...

We present new results on inferring the hidden states in trackable weak models. A weak model is a directed graph where each node has a set of colors which may be emitted when that node is visited. A hypothesis is a node sequence consistent with a given color sequence. A weak model is trackable if the worst case number of hypotheses grows polynomial...

This report is a survey of the relationships between various state-of-the-art neural network architectures and formal languages as, for example, structured by the Chomsky Language Hierarchy. Of particular interest are the abilities of a neural architecture to represent, recognize and generate words from a specific language by learning from samples...

This chapter outlines a variety of challenges related to adaptation in adversarial operations. Such issues arise in autonomous systems that operate in hostile environments, where the adversaries can adapt and shape the environment as well. This includes national security systems like autonomous cyber operations, battlefield Internet of Things, unma...

We present several new results on the feasibility of inferring the hidden states in strongly-connected trackable weak models. Here, a weak model is a directed graph in which each node is assigned a set of colors which may be emitted when that node is visited. A hypothesis is a node sequence which is consistent with a given color sequence. A weak mo...

This book explores fundamental scientific problems essential for autonomous cyber defense. Specific areas include: • Game and control theory-based moving target defenses (MTDs) and adaptive cyber defenses (ACDs) for fully autonomous cyber operations; • The extent to which autonomous cyber systems can be designed and operated in a framework that i...

This chapter briefly summarizes recent research on the problem of inferring security properties of a computation from measurements of unintended electromagnetic emissions from the processing system on which the computation is being executed. The particular approach described involves two ingredients: (i) signal processing and machine learning to ma...

Directed contact networks (DCNs) are temporal networks that are useful for analyzing and modeling phenomena in transportation, communications, epidemiology and social networking. Specific sequences of contacts can underlie higher-level behaviors such as flows that aggregate contacts based on some notion of semantic and temporal proximity. We descri...

A colored graph is a directed graph in which nodes or edges have been assigned colors that are not necessarily unique. Observability problems in such graphs consider whether an agent observing the colors of edges or nodes traversed on a path in the graph can determine which node they are at currently or which nodes were visited earlier in the trave...

The purpose of this chapter is to introduce cyber security researchers to key concepts in modern control and game theory that are relevant to Moving Target Defenses and Adaptive Cyber Defense. We begin by observing that there are fundamental differences between control models and game models that are important for security practitioners to understa...

Moving Target Defense (MTD) has the potential to increase the cost and complexity for threat actors by creating asymmetric uncertainty in the cyber security landscape. The tactical advantages that MTD can provide to the defender have led to the development of a vast array of diverse techniques, which are designed to operate under different constrai...

Organizations increasingly rely on complex networked systems to maintain operational efficiency. While the widespread adoption of network-based IT solutions brings significant benefits to both commercial and government organizations, it also exposes them to an array of novel threats. Specifically, malicious actors can use networks of compromised an...

This chapter introduces cyber security researchers to key concepts in the data streaming and sketching literature that are relevant to Adaptive Cyber Defense (ACD) and Moving Target Defense (MTD). We begin by observing the challenges met in the big data realm. Particular attention is paid to the need for compact representations of large datasets, a...

This part of the book presents two alternative – but not incompatible – views on how to quantify cyber resilience via suitable metrics. This chapter – the first of the two – takes the perspective in which system performance is central to the metrics. As discussed in the introduction chapter of this book, cyber resiliency has become an increasingly...

Today’s cyber defenses are largely static allowing adversaries to pre-plan their attacks. In response to this situation, researchers have started to investigate various methods that make networked information systems less homogeneous and less predictable by engineering systems that have homogeneous functionalities but randomized manifestations. The...

This book constitutes revised selected papers from the 5th International Workshop on Graphical Models for Security, GraMSec 2018, held in Oxford, UK, in July 2018. The 7 full papers presented in this volume were carefully reviewed and selected from 21 submissions. The book also contains one invited talk. The contributions deal with the latest resea...

A colored graph is a directed graph in which either nodes or edges have been assigned colors that are not necessarily unique. Observability problems in such graphs are concerned with whether an agent observing the colors of edges or nodes traversed on a path in the graph can determine which node they are at currently or which nodes they have visite...

Many dedicated embedded processors do not have memory or computational resources to coexist with traditional (host-based) security solutions. As a result, there is interest in using out-of-band analog side-channel measurements and their analyses to accurately monitor and analyze expected program execution. In this paper, we describe an approach to...

Vulnerability remediation is a critical task in operational software and network security management. In this article, an effective vulnerability management strategy, called VULCON (VULnerability CONtrol), is developed and evaluated. The strategy is based on two fundamental performance metrics: (1) time-to-vulnerability remediation (TVR) and (2) to...

Many dedicated embedded processors do not have memory or computational resources to coexist with traditional (host-based) security solutions. As a result, there is interest in using out-of-band analog side-channel measurements and their analyses to accurately monitor and analyze expected program execution. In this paper, we describe an approach to...

This paper presents and analyzes an attack graph optimization problem that arises in modeling certain adversarial cyber attack and defend scenarios. The problem formulation is based on representing attacks againt a system as a finite, weighted, directed graph in which the directed edges represent transitions between states in an attack and edge wei...

Botnets are increasingly being used for exfiltrating sensitive data from mission-critical systems. Research has shown that botnets have become extremely sophisticated and can operate in stealth mode by minimizing their host and network footprint. In order to defeat exfiltration by modern botnets, we propose a moving target defense approach for dyna...

A deception is often enabled by cloaking or disguising the true intent and corresponding actions of the perpetrating actor. In cyber deception, the degree to which actions are disguised or cloaked is typically called “covertness.” In this chapter, we describe a novel approach to quantifying cyber covertness, a specific attribute of malware relative...

The hidden Markov model (HMM) is widely used to model time series data. However, the conventional Baum- Welch algorithm is known to perform poorly when applied to long observation sequences. The literature contains several alternatives that seek to improve the memory or time complexity of the algorithm. However, for an HMM with N states and an obse...

Cyber resliency has become an increasingly attractive research and operational concept in cyber security. While several metrics have been proposed for quantifying cyber resiliency, a considerable gap remains between those metrics and operationally measurable and meaningful concepts that can be empirically determined in a scientific manner. This pap...

A system of computers, networks and software has some level of vulnerability exposure that puts it at risk to criminal hackers. Presently, most vulnerability research uses data from software vendors, and the National Vulnerability Database (NVD). We propose an alternative path forward through grounding our analysis in data from the operational info...

The second ACM workshop on cloud data management is held in Denver, Colorado, USA on October 12, 2015 and co-located with the ACM 22nd Conference on Computer and Communications Security (CCS). The main idea of moving-target defense (MTD) is to impose an asymmetric disadvantage on attackers by making systems dynamic and therefore harder to explore a...

Presents the views of George Cybenko, an SMCS society volunteer.

Current network and information systems are static, making it simple for attackers to maintain an advantage. Adaptive defenses, such as Moving Target Defenses (MTD) have been developed as potential “game-changers” in an effort to increase the attacker’s workload. With many new methods being developed, it is difficult to accurately quantify and comp...

For over 2000 years, military strategists have recognized the importance of capturing and holding the physical “high ground.” As cyber warfare strategy and tactics mature, it is important to explore the counterpart of “high ground” in the cyber domain. To this end, we develop the concept for botnet operations. Botnets have gained a great deal of at...

Increasingly, techniques from data analytics fields of statistics, machine learning, data mining, and natural language processing are being employed for challenges in cyber-security and privacy. This panel examines which techniques from these fields are essential for current and future cyber-security practioners and what are the related considerati...

Deep learning has generated much research and commercialization interest recently. In a way, it is the third incarnation of neural networks as pattern classifiers, using insightful algorithms and architectures that act as unsupervised auto-encoders which learn hierarchies of features in a dataset. After a short review of that work, we will discuss...

Increasingly, techniques from data analytics fields of statistics, machine learning, data mining, and natural language processing are being employed for challenges in cyber-security and privacy. This panel examines which techniques from these fields are essential for current and future cyber-security practioners and what are the related considerati...

Today’s cyber defenses are largely static. They are governed by slow deliberative processes involving testing, security patch deployment, and human-in-the-loop monitoring. As a result, adversaries can systematically probe target networks, pre-plan their attacks, and ultimately persist for long times inside compromised networks and hosts. A new clas...

Confidentiality, integrity and availability (CIA) are traditionally considered to be the three core goals of cyber security. By developing probabilistic models of these security goals we show that: • the CIA goals are actually specific operating points in a continuum of possible mission security requirements; • component diversity, including certa...

This paper presents a threat-driven quantitative mathematical framework for secure cyber-physical system design and assessment. Called The Three Tenets, this originally empirical approach has been used by the US Air Force Research Laboratory (AFRL) for secure system research and development. The Tenets were first documented in 2005 as a teachable m...

A history of the development and launch of "IEEE Security & Privacy" magazine is presented

Discusses the purpose, scope and articles that will appear in the IEEE Transactions on Computational Social Systems.

It is well known that computer and network security is an adversarial challenge. Attackers develop exploits and defenders respond to them through updates, service packs or other defensive measures. In non-adversarial situations, such as automobile safety, advances on one side are not countered by the other side and so progress can be demonstrated o...

This paper develops techniques for attacking and defending behavioral anomaly detection methods commonly used in network traffic analysis and covert channels. The main new result is our demonstration of how to use a behavior's or process' k-order statistics to build a stochastic process that has the same k-order stationary statistics but possesses...

While long considered an important aspect of strategic and theater planning, situational awareness (SA) is the linchpin to both cyber planning and execution. As stated in Joint doctrine, before military activities in the information environment can be accurately and effectively planned, the “state” of the environment must be understood. At its core...

Summary form only given, as follows. The Insider Threat (IT) problem has been receiving increased attention in the academic, commercial and government research communities. Three reasons for this include: a) the IT problem typically involves attacks by trusted, as opposed to untrusted, individuals and hence remains outside the domain of many existi...

Real world adversarial dynamics such as those encountered in Computer and Network security require models which allow for both imperfect and incomplete information. Recently game theoretic models and specically signaling games have been at the forefront of interest for modeling these scenarios. We propose a modication of signaling games, a type of...

To date, cyber security investment by both the government and commercial sectors has been largely driven by the myopic best response of players to the actions of their adversaries and their perception of the adversarial environment. However, current work in applying traditional game theory to cyber operations typically assumes that games exist with...

We describe a method for the estimation of an opponent's utility matrix in a finite repeated game, given that he selects his actions by a known deterministic algorithm with some unknown parameters. We also investigate the prediction, based on the utility matrix estimate, of this opponent's future actions, and a simple method by which the opponent c...

The replicator equations are first-order (in time), nonlinear differential equations which can be used to model the time evolution of probabilities in evolutionary game theory. They are obtained by assuming that the percentage rate of change of a probability be simply proportional to the difference between a payoff and some average payoff. Here we...

The magazine's founding editor in chief, George Cybenko, and his first successor, Carl E. Landwehr, provide perspectives on the need for measuring security and the meaning of those measurements in the context of adversarial dynamics.

The transition from system-to information-based security has continued steadily over the last 30 years. Correspondingly, it is increasingly not the computer that is at risk, but the information in it. The human operator is ultimately the cornerstone of information security, an integral part of the information infrastructure. We are therefore forced...

At present much of the research which proposes to provide solutions to Imperfect Information Non-Cooperative games provides superficial analysis which then requires a priori knowledge of the game to be played. We propose that High Card, a simple Multiplayer Imperfect Information Adversarial game, provides a more robust model for such games, and fur...

Information push and information pull have recently emerged as useful concepts to describe the operation of distributed information resources. Information push, in particular, is becoming closely associated with intelligent agent functionality. Loosely speaking, if a user requests and receives a very specific piece of information, this is informati...

The Baum-Welsh algorithm together with its derivatives and variations has been the main technique for learning Hidden Markov Models (HMM) from observational data. We present an HMM learning algorithm based on the non-negative matrix factorization (NMF) of higher order Markovian statistics that is structurally different from the Baum-Welsh and its a...

In this paper we present methods for attacking and defending $k$-gram statistical analysis techniques that are used, for example, in network traffic analysis and covert channel detection. The main new result is our demonstration of how to use a behavior's or process' $k$-order statistics to build a stochastic process that has those same $k$-order s...

As a result of consistent double-digit year-over-year growth rates in e-commerce sales, marketing firms continue to aggressively seek better means to aid in classifying user's cyber behaviors, thereby improving personalization, product recommendation and prediction. While motivated purely by financial incentives, this type of work has provided grea...

With the explosive international growth in mobile phone adoption, there is an increasing number of text message-based applications providing mission-critical services to mobile phone owners. With such an unexpected leap in the mobile subscriber base, questions have arisen over the reliability of Short Message Service (SMS) as a communication channe...

The rise of Internet-based social networks has shifted many decision-impacting discussions online. Increasingly, people weigh new ideas, choose products, pick technologies, find entertainment and socialize virtually by engaging in online discourse. The participants depend on who people find online, who they get to know and trust, and who they consi...

This work concerns cyber attack and defense in the context of game theory—specifically hypergame theory. Hypergame theory extends classical game theory with the ability to deal with differences in players' expertise, differences in their understanding of game rules, misperceptions, and so forth. Each of these different sub-scenarios, or subgames, i...

In recent years the internet has facilitated an explosion of growth in social networks, allowing individuals to interact with one another in a variety of different contexts. Interactions between individuals in networks such as twitter and NASDAQ produce events which co-occur in time. If we make the assumption that events in networks are anonymized...

Techniques for dynamic behavioral analysis and modeling have recently become an increasingly researched topic. In essence, they aim to understand the mechanics of a set of variables over time, allowing for prediction of future data, anomaly or change detection, or estimation of a latent variable. Much of this research has focused on the sequential...

Social networks generally provide an implementation of some kind of groups or communities which users can voluntarily join. Twitter does not have this functionality, and there is no notion of a formal group or community. We propose a method for identification of communities and assignment of semantic meaning to the discussion topics of the resultin...

In many security environments, the textual content of communications may be unavailable. In these instances, it is often desirable to infer the status of the network and its component entities from patterns of communication flow. Conversational dynamics among entities in the network may provide insight into important aspects of the underlying socia...

In this paper, we explore new models for explaining trends in high frequency market data. Market depth information such as volume at different price levels is used to develop more robust prediction models than typical ones learned on aggregate trade data. The latter ignore many of the evolving interactions of the agent based network. In light of th...

Human and machine behavioral modeling and analysis are active areas of study in a variety of domains of current interest. Notions of what behavior means as well as how behaviors can be represented, compared, shared, integrated and analyzed are not well established and vary from domain to domain, even from researcher to researcher. Our current resea...

Mobile devices can produce continuous streams of data which are often specific to the person carrying them. We show that cell phone tracks from the MIT Reality dataset can be used to reliably characterize individual people. This is done by treating each person's data as a separate language by building a standard n-gram language model for each "auth...

QuERIES offers a novel multidisciplinary approach to quantifying risk associated with security technologies resulting in investment-efficient cybersecurity strategies. R esearchers can use the QuERIES methodology to rigorously determine, for the first time, appropriate investment levels and strategies for the protection of intellectual property in...

This paper introduces a novel method of tracking user computer behavior to create highly granular profiles of usage patterns. These profiles, then, are used to detect deviations in a users’ online behavior, detecting intrusions, malicious insiders, misallocation of resources, and out-of-band business processes. Successful detection of these behavio...

This work introduces a robust method for identifying and tracking clandestinely operating sub-nets in an active social network. The methodology is based on the Process Query System (PQS) previously applied to process mining in various physical contexts. Given a collection of process descriptions encoding personal and/or coordinated behavior of soci...

This paper describes a network flow analyzer that is ca-pable of attribution and aggregation of different flows into single activity events for the purposes of identifying suspicious and illegitimate behaviors. Flows are corre-lated with security events using the Process Query Sys-tem (PQS) infrastructure. We show results from initial experiments a...

Security and privacy concerns touch on all aspects of pervasive computing, including hardware, operating systems, networks, databases, user interfaces, and applications. The seven articles selected for this special issue draw on ideas from many of these fields and provide a flavor of the kinds of security and privacy challenges and opportunities in...

Information markets, Markov Decision Processes and game theory un- derlie a new quantitative approach to cybersecurity risk assessment.

A look at the past few years in the magazine's history, and a farewell message from the editor in chief.

The concept of trackability is intimately related to the establishment of optimal trade-offs between the nosiness of the environment, due to poor sensing, and the randomness of the kinematics of the phenomena being examined, due to poor knowledge of their behaviors. Classically, a sensor system receives low level data in the form of numerical or an...

Within an organization, the possibility of a confidential information leak ranks among the highest fears of any executive. Detecting information leaks is a challenging problem, since most organizations depend on a broad and diverse communications network. It is not always straightforward to conclude which information is leaving the organization leg...

One of the significant problems in visual tracking of objects is the requirement for a human analyst to post-process and interpret the data. For instance, consider the task of tracking a target, in this case a moving person, using video imagery. When this person hides behind an obstruction, and is therefore no longer visible by the camera, conventi...

This paper presents a framework and demonstrates results from a process detection based approach to tracking an airborne plume in sensor networks. Data integration and pattern detection in large sensor networks measuring gas and radiation plumes suffer from low resolution observations, missed detections, and numerous false positive reports. Large n...

We have developed a general framework, called a Process Query System (PQS), that serves as a foundation for formulating tracking problems, implementing software solutions to tracking problems and understanding theoretical issues related to tracking in specific scenarios. The PQS framework posits that an environment consists of multiple dynamical pr...

One significant drawback to currently available security products is their inabilty to correlate diverse sensor input. For instance, by only using network intrusion detection data, a root kit installed through a weak username-password combination may go unnoticed. Similarly, an administrator may never make the link between deteriorating response ti...

The detection and tracking of embedded malicious subnets in an active social network can be computationally daunting due to the quantity of transactional data generated in the natural interaction of large numbers of actors comprising a network. In addition, detection of illicit behavior may be further complicated by evasive strategies designed to c...