Alexandria Digital Research Library

Contextualizing Network Security

Author:
Zand, Ali
Degree Grantor:
University of California, Santa Barbara. Computer Science
Degree Supervisor:
Christopher Kruegel
Place of Publication:
[Santa Barbara, Calif.]
Publisher:
University of California, Santa Barbara
Creation Date:
2015
Issued Date:
2015
Topics:
Computer science
Keywords:
Dependency Detection
Attack Prediction
Network Security
DDoS
Genres:
Online resources and Dissertations, Academic
Dissertation:
Ph.D.--University of California, Santa Barbara, 2015
Description:

Current computer defense techniques are, for technical and economic reasons, mostly reactive. To be proactive, a defender needs to know the target organization's missions and resources and their inter-dependencies, and also needs to know the attacker in order to predict the attacker's next probable steps and prevent them from succeeding. Cyber situations are extremely diverse: resources, missions, and their inter-dependencies vary widely from one organization to another, and attackers differ widely in their goals, skills, and capabilities. For example, an attacker can be a script-kiddie, a hobbyist hacker, a political hacktivist, a cyber criminal, or a member of a cyber army. A defense mechanism that is effective against one type of attacker, or for one type of organization with a particular set of asset inter-relationships, might not be effective against a different attacker targeting a different organization. The goals and capabilities of a hobbyist hacker, a hacktivist, a script-kiddie, a cyber-crime ring, and a cyber army, and the ways of dealing with each, are vastly different. (While obfuscation, use of over-the-counter security tools, and the threat of legal action might be effective against script-kiddies and hacktivists, they might not be as effective against a cyber army.) An optimal defense strategy therefore depends on three components: the adversary, the organizational missions, and the organizational resources.

To provide an effective defense mechanism, attacks should be analyzed in the context of the target organization's missions and resources and the goal of the adversary. In this thesis, I present four improvements over existing approaches for adding context to security. First and second, I present automated passive and active detection of organizational resources and their inter-dependencies. Third, I present a technique for predicting the next steps of an attack based on the previously observed behavior of the attacker. Finally, I present a method for detecting DDoS attacks by modeling the normal access patterns of the target system's resources.

Physical Description:
1 online resource (188 pages)
Format:
Text
Collection(s):
UCSB electronic theses and dissertations
ARK:
ark:/48907/f3hx1c6c
ISBN:
9781339471877
Catalog System Number:
990046180290203776
Rights:
In Copyright
Copyright Holder:
Ali Zand
Access: This item is restricted to on-campus access only.