CSIAC

Cyber Security and Information Systems Information Analysis Center

/ Journal Issues / / Synergistic Architecture for Human-Machine Intrusion Detection

Synergistic Architecture for Human-Machine Intrusion Detection

| Leave a Comment

Abstract

Modern day detection of cyber threats is a highly manual process where teams of human analysts flag suspicious events while using assistive tools such as Bro and Snort. It is the analysts’ ability to discern suspicious activity and authority to make decisions on threats that place humans into central roles in the threat detection process. However, over-reliance on human ability can lead to a high volume of undetected threats. As the tempo, diversity and complexity of cyberspace threats continues to increase, this shortcoming can only worsen. Therefore, there is a need for a new detection paradigm that is largely automated but where analysts maintain situational awareness and control of the process. We propose a synergistic detection process that captures the benefits of human cognition and machine computation while mitigating their weaknesses. The analyst provides context and domain knowledge, and the machines provide the ability to handle vast data at speed.

Introduction

As the network takes an increasingly larger role in military operations, there is an increasingly urgent need to plan, execute, and assess operations in cyberspace. A key capability is the accurate, fast, and agile assessment of network actions that are performed by friendly and hostile participants. Of particular interest is the detection of threats, i.e., actions that harm the network.
Despite constant advances in automated threat detection, human analysts and decision makers continue to play critical roles in the struggle to ensure secure networks [1]. A typical threat detection process, as illustrated in Figure 1, starts with observations of network activities that are then filtered by a set of detection tools [2]. The human analyst uses these tools and their output (i.e., information summaries and alerts) to inform the final decisions of what threats are present in the network and their possible impact on the mission.

Many features of the cyber environment challenge the capabilities and capacity of human cognition, including the ever-increasing volume of network data, the wide variety of data sources, and the frequent and unexpected changes in the network. The analyst assumes bears much responsibility for making quality decisions within the current detection process. As a result, much emphasis is placed on improving analyst training and experience. However, the quality of the decisions is limited by the quality of information presented to the analyst and by the ability to sufficiently process this information. The analyst may even impede detection as core human capabilities like memory capacity and processing speed cannot be easily enhanced to match the ever-growing volume of network traffic. Furthermore, changing the analyst decision making patterns requires a deliberate effort that can happen at a slower pace compared to the appearance of new cyber attack patterns.

We propose a framework for an adaptive detection process where the evidence collector, detection engine, and human analyst work together to share information and make higher accuracy decisions at higher speed. This framework aims to enable efficient investment of the analyst’s valuable, though limited, cognitive resources into the detection processes. The goal of the framework is to establish the foundations for a protocol between detection components such that relevant information can be transferred amongst them in order to have an adaptive process that can detect new threats. In contrast to the threat detection workflow that depends heavily on the human, the proposed framework that depicts a process where the components support and complement each other. We introduce within our framework:

  • Varying levels of analyst involvement in detection
  • Adapting detection according to the threat’s life cycle
  • Characterizing the types of interactions between detections components

While the primary role of the human analyst is to identify the real threats within a large volume of alerts, analysts are also required to gain and maintain cyber situational awareness [3]. More specifically, analysts uncover the meaning of the observed network behavior (e.g., what is that nature and origin of the behavior?) and project how this behavior might evolve and effect the mission (e.g., what the attacker will do next?). This information informs the decision of the analyst how to respond to the situation and what defense will be effective [4, 5]. Though the defense of the network is outside the scope of this article, we believe that the proposed detection framework will also improve the ability of the human analysts to acquire and maintain situational awareness in cyberspace.

References

  1. N. Ben-Asher and C. Gonzalez, “Effects of cyber security knowledge on attack detection,” Computers in Human Behavior, vol. 48, pp. 51–61, 2015.
  2. A. DAmico and K. Whitley, “The real work of computer network defense analysts,” in VizSEC 2007, pp. 19–37, Springer, 2008.
  3. C. Gonzalez, N. Ben-Asher, A. Oltramari, and C. Lebiere, “Cognition and technology,” in Cyber Defense and Situational Awareness, pp. 93–117, Springer, 2014.
  4. C. Zhong, J. Yen, P. Liu, and R. F. Erbacher, “Automate cybersecurity data triage by leveraging human analysts’ cognitive process,” in 2016 IEEE 2nd International Conference on Big Data Security on Cloud (BigDataSecurity), IEEE International Conference on High Performance and Smart Computing (HPSC), and IEEE International Conference on Intelligent Data and Security (IDS), pp. 357–363, IEEE, 2016.
  5. O. S. Saydjari, “Cyber defense: art to science,” Communications of the ACM, vol. 47, no. 3, pp. 52–57, 2004.
  6. N. Virvilis, D. Gritzalis, and T. Apostolopoulos, “Trusted computing vs. advanced persistent threats: Can a defender win this game?,” in Ubiquitous Intelligence and Computing, 2013 IEEE 10th International Conference on and 10th International Conference on Autonomic and Trusted Computing (UIC/ATC), pp. 396–403, IEEE, 2013.
  7. K. Ehrlich, S. E. Kirk, J. Patterson, J. C. Rasmussen, S. I. Ross, and D. M. Gruen, “Taking advice from intelligent systems: the double-edged sword of explanations,” in Proceedings of the 16th international conference on Intelligent user interfaces, pp. 125–134, ACM, 2011.
  8. J. D. Lee and K. A. See, “Trust in automation: Designing for appropriate reliance,” Human Factors: The Journal of the Human Factors and Ergonomics Society, vol. 46, no. 1, pp. 50–80, 2004.
  9. R. Mortier, H. Haddadi, T. Henderson, D. McAuley, and J. Crowcroft, “Human-data interaction: the human face of the data-driven society,” Available at SSRN 2508051, 2014.
  10. R. Parasuraman, T. B. Sheridan, and C. D. Wickens, “A model for types and levels of human interaction with automation,” IEEE Transactions on systems, man, and cybernetics-Part A: Systems and Humans, vol. 30, no. 3, pp. 286–297, 2000.
  11. W. A. Arbaugh, W. L. Fithen, and J. McHugh, “Windows of vulnerability: A case study analysis,” Computer, vol. 33, no. 12, pp. 52–59, 2000.
  12. L. Bilge and T. Dumitras, “Before we knew it: an empirical study of zero-day attacks in the real world,” in Proceedings of the 2012 ACM conference on Computer and communications security, pp. 833–844, ACM, 2012.
  13. K. Veeramachaneni, I. Arnaldo, V. Korrapati, C. Bassias, and K. Li, “Ai2 Training a big data machine to defend,” in 2016 IEEE International Conference on Intelligent Data and Security, pp. 49–54, April 2016.

Reader Interactions

Leave a Comment