Synergistic Architecture for Human-Machine Intrusion Detection

Published in Journal of Cyber Security and Information Systems
Volume: 5 Number: 1 - Cyber Science & Technology at the Army Research Laboratory (ARL)

Authors: Dr. Noam Ben-Asher and Paul Yu
Posted: 01/26/2017

Abstract

Modern-day detection of cyber threats is a highly manual process in which teams of human analysts flag suspicious events while using assistive tools such as Bro and Snort. It is the analysts’ ability to discern suspicious activity, and their authority to make decisions on threats, that place humans in central roles in the threat detection process. However, over-reliance on human ability can lead to a high volume of undetected threats. As the tempo, diversity and complexity of cyberspace threats continue to increase, this shortcoming can only worsen. Therefore, there is a need for a new detection paradigm that is largely automated but in which analysts maintain situational awareness and control of the process. We propose a synergistic detection process that captures the benefits of human cognition and machine computation while mitigating their weaknesses. The analyst provides context and domain knowledge, and the machines provide the ability to handle vast data at speed.

Introduction

As the network takes an increasingly larger role in military operations, there is an increasingly urgent need to plan, execute, and assess operations in cyberspace. A key capability is the accurate, fast, and agile assessment of network actions that are performed by friendly and hostile participants. Of particular interest is the detection of threats, i.e., actions that harm the network.
Despite constant advances in automated threat detection, human analysts and decision makers continue to play critical roles in the struggle to ensure secure networks [1]. A typical threat detection process, as illustrated in Figure 1, starts with observations of network activities that are then filtered by a set of detection tools [2]. The human analyst uses these tools and their output (i.e., information summaries and alerts) to inform the final decisions of what threats are present in the network and their possible impact on the mission.

Many features of the cyber environment challenge the capabilities and capacity of human cognition, including the ever-increasing volume of network data, the wide variety of data sources, and the frequent and unexpected changes in the network. The analyst bears much of the responsibility for making quality decisions within the current detection process. As a result, much emphasis is placed on improving analyst training and experience. However, the quality of the decisions is limited by the quality of the information presented to the analyst and by the analyst’s ability to process this information sufficiently. The analyst may even impede detection, as core human capabilities like memory capacity and processing speed cannot be easily enhanced to match the ever-growing volume of network traffic. Furthermore, changing the analyst’s decision-making patterns requires a deliberate effort that happens at a slower pace than the appearance of new cyber attack patterns.

We propose a framework for an adaptive detection process in which the evidence collector, detection engine, and human analyst work together to share information and make higher-accuracy decisions at higher speed. This framework aims to enable efficient investment of the analyst’s valuable, though limited, cognitive resources in the detection process. The goal of the framework is to establish the foundations for a protocol between detection components such that relevant information can be transferred among them, yielding an adaptive process that can detect new threats. In contrast to the threat detection workflow that depends heavily on the human, the proposed framework depicts a process in which the components support and complement each other. Within our framework we introduce:

  • Varying levels of analyst involvement in detection
  • Adapting detection according to the threat’s life cycle
  • Characterizing the types of interactions between detection components
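The collector-to-engine-to-analyst flow of Figure 1 and the adaptive, shared-information loop proposed above can be made concrete with a small simulation. The following is an added illustration, not the authors’ framework or any ARL code: the indicator names, the point weights, the two thresholds that split decisions into machine-only and analyst-reviewed bands, the learning step, and the sample observations and analyst verdicts are all constructed assumptions. It shows one way the engine can route only uncertain events to the analyst and fold the analyst’s verdicts back into its weights so that repeated patterns stop consuming analyst attention.

```python
"""Toy collector -> detection engine -> analyst loop in which the engine
adapts its indicator weights from analyst verdicts.

Added illustration only; the indicators, weights, thresholds and sample
data below are constructed assumptions, not the article's framework."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Ports the hypothetical site treats as ordinary for outbound traffic.
COMMON_PORTS = {22, 53, 80, 443}


@dataclass
class Event:
    """One summarised network observation from the evidence collector."""
    event_id: str
    failed_logins: int
    bytes_out: int
    dst_port: int
    new_external_host: bool


def indicators(ev: Event) -> List[str]:
    """Names of the (assumed) detection indicators an event triggers."""
    fired = []
    if ev.failed_logins >= 5:
        fired.append("failed_logins")
    if ev.bytes_out > 1_000_000:
        fired.append("large_outbound")
    if ev.dst_port not in COMMON_PORTS:
        fired.append("unusual_port")
    if ev.new_external_host:
        fired.append("new_external_host")
    return fired


@dataclass
class DetectionEngine:
    """Weighted-indicator scorer (0-100 points) with two thresholds.
    Scores >= escalate_at are escalated by the machine alone, scores
    <= dismiss_at are dropped by the machine alone, and the band in
    between is routed to the human analyst."""
    weights: Dict[str, int] = field(default_factory=lambda: {
        "failed_logins": 40, "large_outbound": 30,
        "unusual_port": 20, "new_external_host": 20})
    escalate_at: int = 70
    dismiss_at: int = 20
    learning_step: int = 15

    def score(self, ev: Event) -> int:
        return min(100, sum(self.weights[n] for n in indicators(ev)))

    def triage(self, ev: Event) -> Tuple[str, int]:
        s = self.score(ev)
        if s >= self.escalate_at:
            return "auto_escalate", s
        if s <= self.dismiss_at:
            return "auto_dismiss", s
        return "analyst_review", s

    def learn(self, ev: Event, verdict: str) -> None:
        """Fold an analyst verdict back into the weights of the indicators
        that fired on the reviewed event (analyst context flows machine-ward)."""
        delta = self.learning_step if verdict == "threat" else -self.learning_step
        for n in indicators(ev):
            self.weights[n] = max(0, min(100, self.weights[n] + delta))


def run_pipeline(events: List[Event], analyst: Callable[[Event], str],
                 engine: Optional[DetectionEngine] = None) -> List[Tuple[str, str, int]]:
    """Process events in order. Returns (event_id, decision, score); the
    decision is the machine's, or 'analyst_<verdict>' when the analyst was consulted."""
    engine = engine or DetectionEngine()
    log = []
    for ev in events:
        decision, s = engine.triage(ev)
        if decision == "analyst_review":
            verdict = analyst(ev)        # analyst supplies domain context
            engine.learn(ev, verdict)    # engine adapts to that context
            decision = f"analyst_{verdict}"
        log.append((ev.event_id, decision, s))
    return log


# Constructed sample observations (not real traffic).
SAMPLE_EVENTS = [
    Event("e1", 0, 12_000, 443, False),      # routine web traffic
    Event("e2", 9, 2_500_000, 443, True),    # many failed logins, large upload, new host
    Event("e3", 0, 1_800_000, 8443, False),  # nightly backup job (benign)
    Event("e4", 6, 5_000, 22, True),         # failed SSH logins, then a new host
    Event("e5", 0, 1_800_000, 8443, False),  # backup job again
    Event("e6", 6, 5_000, 22, True),         # same pattern as e4
]

# Constructed analyst verdicts standing in for a human reviewer.
ANALYST_VERDICTS = {"e3": "benign", "e4": "threat"}


def scripted_analyst(ev: Event) -> str:
    return ANALYST_VERDICTS.get(ev.event_id, "benign")


if __name__ == "__main__":
    for row in run_pipeline(SAMPLE_EVENTS, scripted_analyst):
        print(row)
```

Running the block shows the level of analyst involvement varying with the engine’s confidence: e1 and e2 never reach the analyst, e3 and e4 do, and after their verdicts are learned the identical patterns e5 and e6 are dismissed and escalated automatically. In a real deployment the step size, thresholds and clamping would need care so that a single mistaken verdict cannot silence an indicator, which is exactly the kind of interaction rule the framework’s third bullet concerns.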

While the primary role of the human analyst is to identify the real threats within a large volume of alerts, analysts are also required to gain and maintain cyber situational awareness [3]. More specifically, analysts uncover the meaning of the observed network behavior (e.g., what is the nature and origin of the behavior?) and project how this behavior might evolve and affect the mission (e.g., what will the attacker do next?). This information informs the analyst’s decision on how to respond to the situation and which defense will be effective [4, 5]. Though the defense of the network is outside the scope of this article, we believe that the proposed detection framework will also improve the ability of human analysts to acquire and maintain situational awareness in cyberspace.


References

  1. N. Ben-Asher and C. Gonzalez, “Effects of cyber security knowledge on attack detection,” Computers in Human Behavior, vol. 48, pp. 51–61, 2015.
  2. A. D’Amico and K. Whitley, “The real work of computer network defense analysts,” in VizSEC 2007, pp. 19–37, Springer, 2008.
  3. C. Gonzalez, N. Ben-Asher, A. Oltramari, and C. Lebiere, “Cognition and technology,” in Cyber Defense and Situational Awareness, pp. 93–117, Springer, 2014.
  4. C. Zhong, J. Yen, P. Liu, and R. F. Erbacher, “Automate cybersecurity data triage by leveraging human analysts’ cognitive process,” in 2016 IEEE 2nd International Conference on Big Data Security on Cloud (BigDataSecurity), IEEE International Conference on High Performance and Smart Computing (HPSC), and IEEE International Conference on Intelligent Data and Security (IDS), pp. 357–363, IEEE, 2016.
  5. O. S. Saydjari, “Cyber defense: art to science,” Communications of the ACM, vol. 47, no. 3, pp. 52–57, 2004.
  6. N. Virvilis, D. Gritzalis, and T. Apostolopoulos, “Trusted computing vs. advanced persistent threats: Can a defender win this game?,” in Ubiquitous Intelligence and Computing, 2013 IEEE 10th International Conference on and 10th International Conference on Autonomic and Trusted Computing (UIC/ATC), pp. 396–403, IEEE, 2013.
  7. K. Ehrlich, S. E. Kirk, J. Patterson, J. C. Rasmussen, S. I. Ross, and D. M. Gruen, “Taking advice from intelligent systems: the double-edged sword of explanations,” in Proceedings of the 16th international conference on Intelligent user interfaces, pp. 125–134, ACM, 2011.
  8. J. D. Lee and K. A. See, “Trust in automation: Designing for appropriate reliance,” Human Factors: The Journal of the Human Factors and Ergonomics Society, vol. 46, no. 1, pp. 50–80, 2004.
  9. R. Mortier, H. Haddadi, T. Henderson, D. McAuley, and J. Crowcroft, “Human-data interaction: the human face of the data-driven society,” Available at SSRN 2508051, 2014.
  10. R. Parasuraman, T. B. Sheridan, and C. D. Wickens, “A model for types and levels of human interaction with automation,” IEEE Transactions on Systems, Man, and Cybernetics – Part A: Systems and Humans, vol. 30, no. 3, pp. 286–297, 2000.
  11. W. A. Arbaugh, W. L. Fithen, and J. McHugh, “Windows of vulnerability: A case study analysis,” Computer, vol. 33, no. 12, pp. 52–59, 2000.
  12. L. Bilge and T. Dumitras, “Before we knew it: an empirical study of zero-day attacks in the real world,” in Proceedings of the 2012 ACM conference on Computer and communications security, pp. 833–844, ACM, 2012.
  13. K. Veeramachaneni, I. Arnaldo, V. Korrapati, C. Bassias, and K. Li, “AI2: Training a big data machine to defend,” in 2016 IEEE International Conference on Intelligent Data and Security, pp. 49–54, April 2016.

Authors

Dr. Noam Ben-Asher
Dr. Noam Ben-Asher is a researcher at the Computational and Information Sciences Directorate at the US Army Research Laboratory. Before this position, Noam was a postdoctoral fellow at the Dynamic Decision Making Laboratory at Carnegie Mellon University. His primary interests lie at the intersection of cognitive science, decision science and human factors engineering, with a particular interest in cyber security. In this field, he combines behavioral studies with computational cognitive modeling to study cyber defenders’ and attackers’ situation awareness and dynamic decision-making processes in cyber warfare.
Paul Yu
Paul Yu (Member, IEEE) received a B.S. degree in Mathematics, a B.S. degree in Computer Engineering, and a Ph.D. degree in Electrical Engineering, all from the University of Maryland, College Park. Since 2006, he has been with the U.S. Army Research Laboratory (ARL), where his work is in the area of signal processing for wireless networking and autonomy. He received the Outstanding Invention of the Year award in 2008 and the Jimmy Lin Award for Innovation and Invention in 2009, both from the University of Maryland, and a Best Paper award at the 2008 Army Science Conference.
