Cyber Science and Technology at the Army Research Laboratory


Posted: January 23, 2017 | By: Dr. Alexander Kott

All this research yields results, many of which transitioned to practice as tools and systems. For example, Interrogator is an ARL-developed suite of network monitoring, intrusion detection and intrusion analysis tools. Used at ARL, as well as at a number of other organizations, its architecture is optimized for government cyber security operations, for defense against sophisticated threats, and for rapid insertion of research tools as plug-ins. Another example, Interrogator-in-a-Box, was developed for defense of mobile tactical networks. In addition, DShell is a framework for forensic analysis, popular with users at government agencies. ARL researchers attracted multiple, valuable international collaborators – and a good number of comments on social media – when they developed an open-source version of DShell and placed it on GitHub (see Other examples of practical tools developed at ARL include COBWebS, a simulation tool that incorporate cyber warfare elements into training exercises, and a decision support tool for cybersecurity assessments, which helps perform assessments using public knowledge sources and custom data.

Looking further out, our long-term campaign of cyber research is guided by the vision of the future Army battlefield. In the year 2040, it will be a highly converged virtual-physical space, where cyber operations will be an integral part of the fight (Kott et al 2015). Cyber fires are the activities that will degrade, disrupt, deny, deceive and destroy not only informational, computational and communication resources of the adversary, but also the physical capabilities of its platforms, weapons, robots, munitions, and even of personnel. Cyber maneuver refers to activities that will rapidly move and transform the friendly informational-computational resources to deny the adversary an opportunity to attack, while imposing on him a new unsolvable problem (Fig. 2). Cyber fires and maneuver will rely on effective cyber intelligence collection capabilities.

Operating on multiple time scales, often far faster than human cognitive processes, in a highly dynamic, non-contiguous battlefield, these fires and maneuvers will join the conventional, kinetic fires and movements. Future cyber capabilities will have to support continuous (real-time, not just deliberate) planning and execution of highly agile, daring, aggressive cyber fires and maneuvers This will be performed in a way that is necessarily highly automated and reliant on machine intelligence, and yet responsive to human intent and guidance.

For these reasons, our cyber research efforts will increasingly focus on developing the models, methods, and understanding to overcome existing barriers to the realization of effective cyber fires and maneuvers in a tactical environment. The goals of this work are to pursue near-autonomous detection and identification of malicious activity directed at friendly networks; methods to rapidly respond to adversarial activities; predictive characterization of network vulnerabilities; and a robust framework to assess networks. Moreover, our research program will focus on the realization of methodologies for the reliable reconfiguration of friendly cyber assets to evade or recover from attack; covert means for collection and predictive analysis of enemy actions; and methodologies to degrade or destroy adversarial cyber assets with high certainty and predictable probabilities of kill. The articles assembled in this special issue reflect some of the steps ARL is taking towards this ambitious vision.

Fig. 2 ARL cyber research is increasingly focused on cyber fires and maneuvers in tactical environments

ACKNOWLEDGEMENTS: Iris Saunders helped prepare the manuscript, Jerry Clarke built the presentation that served as the outline of this introduction, and Latasha Solomon orchestrated the development of all articles for this issue.


  1. Acosta J, Edwards J, Shearer G, Parker T, Braun T, Marvel L. Modeling the decision processes of cybersecurity analysts to improve security assessments and defense strategies. Paper presented at: 23rd Annual National Fire Control Symposium (NFCS); 2016 Feb 8–11; Lake Buena Vista, FL.
  2. Ben-Asher N, Morris-King J, Thompson B, Glodek W. Attacker Skill, Defender Strategies, and the Effectiveness of Migration-Based Moving Target Defense in Cyber Systems. Paper presented at: 11th International Conference on Cyber Warfare and Security; 2016; Boston, MA.
  3. Caliskan-Islam A, Harang R, et al. De-anonymizing Programmers via Code Stylometry. SEC’15 Proceedings of the 24th USENIX Security Symposium; 2015; Washington, DC. Berkeley, CA: USENIX Association; c2015. p. 255-270.
  4. Cam H. Risk Assessment by Dynamic Representation of Vulnerability, Exploitation, and Impact. In: Ternovakiy, IV, Chin P. Proc. SPIE 9458 Cyber Sensing; 2015 April 20-24; Baltimore, MD. SPIE Proceedings Vol. 9548; c2015.
  5. Cho J, Cam H, Oltramari A. Effect of personality traits on trust and risk to phishing vulnerability: Modeling and analysis. 2016 IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA). IEEE, 2016.
  6. Harang R, Marvel L, Parker T, Glodek W. Bandwidth Conserving DCO Signature Deployment with Signature Set Privacy. IEEE MILCOM 2015; Tampa, FL; October 2015.
  7. Hess M. The Worm that Changed the Internet. Everything CBTN. From [accessed 2016 Feb 3].
  8. Kott A, Alberts D A, Wang C. Will Cybersecurity Dictate the Outcome of Future Wars?. Computer 48.12 (2015):98-101.
  9. Kott A, Arnold C. The promises and challenges of continuous monitoring and risk scoring. IEEE Security & Privacy 11.1 (2013):90-93.
  10. Kott A, Wang C, Erbacher RF eds. 2014. Cyber Defense and Situational Awareness. New York: Springer.
  11. Marvel L, Harang RE, Glodek WJ , Parker TW, Ritchey RP. A Proposed Model for Active Computer Network Defense. IEEE MILCOM 2014; Baltimore, MD; 2014 October.
  12. Smith SC, Hammell RJ, Parker TW, and Marvel LM. A theoretical exploration of the impact of packet loss on network intrusion detection. International Journal of Networked and Distributed Computing, 4(1): 2016 Jan 1.
  13. Stoll C. The Cuckoo’s Egg. New York, NY Simon & Schuster, 1989.
  14. Mell, P., & Harang, R. E. (2014, June). Using network tainting to bound the scope of network ingress attacks. In proceedings of the Eighth International Conference on Software Security and Reliability (pp. 206-215). IEEE.

Want to find out more about this topic?

Request a FREE Technical Inquiry!