Cognitive Modeling for Cyber Defense


OBJECTIVE:

Develop and validate a computational model of the cognitive processes, from cues to actions, of attackers, defenders, and users, in order to create a synthetic experimentation capability for examining, exploring, and assessing the effectiveness of cyber operations.

DESCRIPTION:

Cyber networks in the US are being successfully attacked. Battlespace boundaries are ill-defined both temporally and spatially. The enemy is co-evolving and ethereal. Current defensive strategies are reactive in nature: the defender is forced to follow behind exploits and close holes rather than reducing the potential space in which the attacker can move. The relationship between network characteristics, attacker goals, and exploit selection is not well understood. Defense has focused on modifying user behavior via training, warnings, and restrictions on capabilities. Defenders must process large volumes of complex, high-tempo data, yet ground truth with respect to the presence and/or actions of an attacker is rarely known. Metrics of user policy compliance do not include the impact of policy on productivity. Adding to the complexity of the problem is a lack of understanding or visualization of the cues, features, and characteristics that attackers use to select targets, and a lack of cognitive models of attacker decision processes describing how these cues combine with attacker goals to yield the exploit used on a network. This topic will explore the potential to reduce the cyber battlespace by identifying the relationship between system characteristics, attacker goals, and exploit selection. A recent workshop held by Sandia National Laboratories concluded that research and development in cyber warfare is needed to capture the key processes that mediate interactions between defenders, users, adversaries, and the public (see [1]).

While attackers have multiple methods of influencing user and defender behavior to their advantage, defenders lack the tools to influence or predict attacker behavior; as a result, security policies often limit user behaviors. However, limiting the actions of users can have the unintended consequence of limiting the effectiveness and utility of the system to those users. Many defense strategies have focused on new technology to prevent access, or on training of users, rather than on developing cognitive models of the attacker that bound the actions the attacker could take, which would reduce the potential battlespace. Recent work in modeling complex cognitive processes, as well as in the nature of cyber defense, can be leveraged to model attacker actions and behaviors. We seek cognitive models that link the cues, features, and characteristics monitored and used by attackers to attacker goals and exploit selection. These models should also link system cues to the defender and user actions they prompt.

PHASE I:

Phase I should develop a model of attacker-defender decision making, such as a simulation or computational model (e.g., ACT-R, SOAR, EPIC, or another cognitive architecture), that links system characteristics to attacker exploit selection. Proposals should focus on the human role in cyber security rather than solely on new technological solutions. Areas of interest for Phase I include:

- The roles of users, defenders, attackers, and policy makers, captured as an extensible collection of use cases for scenario development and modeling.
- The different jobs and functions within cyber defender teams and the knowledge, skills, and abilities needed to fulfill these functions.
- The cognitive processes involved in typical tasks and the associated measures of performance, both as a basis for selection and training and for operational performance assessment.
- The use of modeling to develop a multi-purpose environment for test and evaluation of alternative tactics, procedures, and policies for network defense.

In developing the concept, model the decision making process of attackers in order to identify points in that process at which defenders could select actions that disrupt it. Models or simulations that enable exploration of alternative tactics, procedures, and policies would increase the effectiveness of defender strategies and allow bounding of the battlespace. Models that focus on the links between network characteristics and vulnerabilities, attacker goals, and attacker selection of exploits would further bound the potential battlespace, allowing defenders to be more precise in their selection of tactics. Exploration of the allocation of functions between humans and machines, including opportunities to augment human performance through specific technological developments, would be useful. The focus supports a constructive simulation that extends to team-interactive virtual experiments. The constructive simulation would assess tactics against process models. Tactical action officers and analysts can optimize processes and refine models through iterative simulation. Human players can be inserted to form a collaborative synthetic environment in which humans interact with agents in a simulated scenario.

PHASE II:

Leverage the concept developed in Phase I to support a multi-purpose environment for test and evaluation of tactics, procedures, and policies. Develop and test a model or prototype in simulation. Initial demonstrations may use a notional scenario and synthetic data; however, evaluation with actual data is desired by the end of Phase II. Conduct one or more controlled experiments to validate the models and the simulated environment and to quantifiably demonstrate their benefit in improved tactic and policy selection.

PHASE III:

Leverage the models to develop tools that assist the defenders and users who support network security. Use the results of the development phase to build and test a prototype simulation environment that can be used to assess alternative tactics and policies for network defense, and conduct testing to validate the models and simulation environment. Implement the models in a field experiment. Prepare guidelines and documentation for transition of the tool to an operational setting. Field test the models and resulting tools in an operational setting to validate the improvement in security.

PRIVATE SECTOR COMMERCIAL POTENTIAL/DUAL-USE APPLICATIONS:

Private sector products could use these modeling and simulation tools and techniques to assess and reduce vulnerabilities in systems. Applications might include improvements to system security software, reduced reliance on policy for network security, and increased detection of network intrusions.

REFERENCES:

1. Forsythe, J. C., Silva, A., Stevens-Adams, S., & Bradshaw, J. (2012). Human Dimensions in Cyber Operations Research and Development Priorities. Sandia Report SAND2012-9188. Unlimited Release.
2. McNeese, M., Cooke, N., Amico, A., Endsley, M., Gonzalez, C., Roth, E., & Salas, E. (2011). Perspectives on the Role of Cognition in Cyber Security. Proceedings of the Human Factors and Ergonomics Society 56th Annual Meeting.
3. Hernandez, J. (2010). The Human Element Complicates Cybersecurity. Defense Systems. Available at
4. Bonabeau, E. (March 24, 2011). Cyber-Security Can't Ignore Human Behavior. The Atlantic. Available at
5. Bowen, B., Ramaswamy, D., & Stolfo, S. (2011). Measuring the Human Factor of Cyber Security. Homeland Security Affairs, Supplement 5.
6. Joint Publication 3-13, Information Operations.
7. Wikipedia. Proactive Cyber Defence. Available at