Skip to Main Content U.S. Department of Energy
Information and Infrastructure Integrity Initiative

Characterization Model for Defense Adaptability

Principal Investigator: C Hughes
Technical Advisor: G Fink, Adaptive Systems Focus Area

Purpose of research

  • Show that the innate characteristics of network data can be observed, measured and grouped into meaningful clusters
  • Cluster formation and attributes may yield the identities of the entities that underlie these clusters

Key idea

New methods for classifying and characterizing network traffic data to discover fundamental underlying entities and actors.


Discriminator for this R&D is enabling both new and existing network defenses to dynamically adapt to their security environment.


Three kinds of activities are involved in cyber defense actuation: Observation of raw data, classification of the data, and characterization of emergent qualities.

Legacy cyber defense systems start at the top with the emergent qualities of the data and make value judgments about whether they are good or bad. For example, we might decide that peer-to-peer software is bad. Then they classify these qualities in a typically static framework. An example classification framework might classify all traffic that looks like peer-to-peer traffic should be banned. Although the framework could be adaptive, this depends on adaptively being able to characterize emergent qualities of cyber data which is very difficult. Finally, legacy approaches enact static policies and controls to enforce the classification. In our example, the system might decide that when a single machine is contacted by numerous external hosts, it is part of a peer-to-peer network and is therefore against policy.

Characterization Model for Defense Adaptability (CharMDA) recognizes that the top-down approach is actually backwards.

CharMDA is a new approach for building policy via dynamic classification of network data without value judgments based on prior assumptions. We take an observation-driven, scientific approach that starts with observing activities on networks. By agnostically clustering these observations, we generate a set of "entities" that are responsible for sets of activity on the network. The entities help up generate a data-driven, dynamic classification framework similar to a "periodic table" of the network "elements." Finally, we use the elements of our classification to dynamically inform our value judgments and create policy.

CharMDA's data-driven, bottom-up approach will enable us to dynamically change policy and enforcement controls as new threats emerge.

Learn more about Characterization Model for Defense Adaptability

Project Management