Baseline Cyber Attribution Models

Attributing the culprit of a cyberattack is widely considered one of the major technical and policy challenges of cybersecurity. While the lack of ground truth for an individual responsible for a given attack has limited previous studies, here we overcome this limitation by leveraging DEFCON capture-the-flag (CTF) exercise data where the actual ground truth is known. In this chapter, we use various classification techniques to identify the culprit in a cyberattack and find that deceptive activities account for the majority of misclassified attacks. We also explore several heuristics to alleviate some of the misclassification caused by deception.