Today’s defensive cyber sensors are dominated by signature-based analytical methods that require continuous maintenance and lack the ability to detect unknown threats. Anomaly detection offers the ability to detect unknown threats, but despite over 15 years of active research, the operationalization of anomaly detection and machine learning for Defensive Cyber Operations (DCO) is lagging. This article provides an introduction to machine learning concepts with a focus on the unique challenges to using machine learning for DCO. Traditional machine learning evaluation methods are challenged in favor of a value-focused evaluation method that incorporates evaluator-specific weights for classifier and sensitivity threshold selection specific to the values associated with cyber defense. A comprehensive unknown threat detection experiment is proposed to quantify a classifier’s ability to detect previously unseen threats.
Rich, Michael D.; Mills, Robert F.; Dube, Thomas E.; and Rogers, Steven K.
"Evaluating Machine Learning Classifiers for Defensive Cyber Operations,"
Military Cyber Affairs: Vol. 2
, Article 6.
Available at: https://digitalcommons.usf.edu/mca/vol2/iss1/6