Dr. Dustin M Mink

This work focuses on finding frequent patterns in continuous flow network traffic Big Data using incremental frequent pattern mining. A newly created Zeek Conn Log MITRE ATT&CK framework labeled dataset, UWF-ZeekData24, generated using the Cyber Range at The University of West Florida, was used for this study. While FP-Growth is effective for static datasets, its standard implementation does not support incremental mining, which poses challenges for applications involving continuously growing data streams, such as network traffic logs. To overcome this limitation, a staged incremental FP-Growth approach is adopted for this work. The novelty of this work is in showing how incremental FP-Growth can be used efficiently on continuous flow network traffic, or streaming network traffic data, where no rebuild is necessary when new transactions are scanned and integrated. Incremental frequent pattern mining also generates feature subsets that are useful for understanding the nature of the individual attack tactics. Hence, a detailed understanding of the features or feature subsets of the seven different MITRE ATT&CK tactics is also presented. For example, the results indicate that core behavioral rules, such as those involving TCP protocols and service associations, emerge early and remain stable throughout later increments. The incremental FP-Growth framework provides a structured lens through which network behaviors can be observed and compared over time, supporting not only classification but also investigative use cases such as anomaly tracking and technique attribution. And finally, the results of this work, the frequent itemsets, will be useful for intrusion detection machine learning/artificial intelligence algorithms.

The focus of this research is to establish a baseline understanding of the supervisory control and data acquisition (SCADA) systems that enable air travel. This includes the digital forensics needed to identify vulnerabilities, mitigate those vulnerabilities, and develop processes to mitigate the introduction of vulnerabilities into those systems. The pre-NextGen notional aircraft architecture uses air gap interconnection, non-IP-based communications, and non-integrated modular avionics. The degree of digital forensics accessibility is determined by the comparison of pre-NextGen Notional Aircraft Architecture and NextGen Notional Aircraft Architecture. Digital forensics accessibility is defined by addressing Eden's five challenges facing SCADA forensic investigators. The propositional and predicate logic analysis indicates that the NextGen Notional Aircraft Architecture is not digital forensic accessible.