Modern day detection of cyber threats is a highly manual process where teams of human analysts flag suspicious events while using assistive tools such as Bro and Snort. It is the analysts’ ability to discern suspicious activity and authority to make decisions on threats that place humans into central roles in the threat detection process. However, over-reliance on human ability can lead to a high volume of undetected threats. As the tempo, diversity and complexity of cyberspace threats continues to increase, this shortcoming can only worsen. Therefore, there is a need for a new detection paradigm that is largely automated but where analysts maintain situational awareness and control of the process. We propose a synergistic detection process that captures the benefits of human cognition and machine computation while mitigating their weaknesses. The analyst provides context and domain knowledge, and the machines provide the ability to handle vast data at speed.
As the network takes an increasingly larger role in military operations, there is an increasingly urgent need to plan, execute, and assess operations in cyberspace. A key capability is the accurate, fast, and agile assessment of network actions that are performed by friendly and hostile participants. Of particular interest is the detection of threats, i.e., actions that harm the network.
Despite constant advances in automated threat detection, human analysts and decision makers continue to play critical roles in the struggle to ensure secure networks . A typical threat detection process, as illustrated in Figure 1, starts with observations of network activities that are then filtered by a set of detection tools . The human analyst uses these tools and their output (i.e., information summaries and alerts) to inform the final decisions of what threats are present in the network and their possible impact on the mission.
Many features of the cyber environment challenge the capabilities and capacity of human cognition, including the ever-increasing volume of network data, the wide variety of data sources, and the frequent and unexpected changes in the network. The analyst assumes bears much responsibility for making quality decisions within the current detection process. As a result, much emphasis is placed on improving analyst training and experience. However, the quality of the decisions is limited by the quality of information presented to the analyst and by the ability to sufficiently process this information. The analyst may even impede detection as core human capabilities like memory capacity and processing speed cannot be easily enhanced to match the ever-growing volume of network traffic. Furthermore, changing the analyst decision making patterns requires a deliberate effort that can happen at a slower pace compared to the appearance of new cyber attack patterns.
We propose a framework for an adaptive detection process where the evidence collector, detection engine, and human analyst work together to share information and make higher accuracy decisions at higher speed. This framework aims to enable efficient investment of the analyst’s valuable, though limited, cognitive resources into the detection processes. The goal of the framework is to establish the foundations for a protocol between detection components such that relevant information can be transferred amongst them in order to have an adaptive process that can detect new threats. In contrast to the threat detection workflow that depends heavily on the human, the proposed framework that depicts a process where the components support and complement each other. We introduce within our framework:
- Varying levels of analyst involvement in detection
- Adapting detection according to the threat’s life cycle
- Characterizing the types of interactions between detections components
While the primary role of the human analyst is to identify the real threats within a large volume of alerts, analysts are also required to gain and maintain cyber situational awareness . More specifically, analysts uncover the meaning of the observed network behavior (e.g., what is that nature and origin of the behavior?) and project how this behavior might evolve and effect the mission (e.g., what the attacker will do next?). This information informs the decision of the analyst how to respond to the situation and what defense will be effective [4, 5]. Though the defense of the network is outside the scope of this article, we believe that the proposed detection framework will also improve the ability of the human analysts to acquire and maintain situational awareness in cyberspace.