
Utilization Of Inference Engine Technology For Navy Cyber Situational Awareness


OBJECTIVE: Develop a means of employing inference engine technology to improve accuracy and speed to response for the Navy Cyber Situational Awareness (NCSA) application.

DESCRIPTION: Fleet Cyber Command/U.S. Tenth Fleet (FCC/C10F) is the operational entity responsible for assuring timely, trusted, and comprehensive situational awareness of the cyberspace domain. FCC/C10F currently relies on a variety of disparate tools, many of which are based on unique display and database technologies. The current solution fails to meet the objective of providing an integrated, tailorable Cyber Situational Awareness (SA) capability that can incorporate dynamic data feeds synchronized with the maritime operating environment. FCC/C10F desires a Cyber SA system that can utilize data obtained from disparate tools by dynamically consolidating the most relevant information in an amalgamated display. Support of this objective necessitates a means to provide: (1) a well-coordinated picture of Cyber SA, (2) the ability to perform deep analysis of input data from a single source, (3) a solution that is adaptable to new threats and data feeds, (4) agile software development cycles, and (5) a long-term sustainment strategy.

The research question is to explore the extent to which inference engine technology can improve accuracy and speed to response by making inferences from multiple Cyber SA data sources. WolframAlpha is one such example of an inference engine technology. Of particular interest is the determination of how quickly and directly the technologies can select desired output formats (e.g., visualization, text) appropriate for a particular scenario. As an example, an NCSA analyst may receive information from a data source indicating that a particular device has been compromised within a Navy protected enclave. The analyst would likely want to know the location of the device along with any other information related to why the device may be compromised. Inference engine technology has the potential to make associations that may indicate causal or contributing factors to the device compromise. Inference engine technology can also serve to display any such associations in ways that are more meaningful to an analyst, such that they are able to more readily determine a response and mitigation.

Data sources in support of NCSA include NetOps (Enterprise Networks Systems Management [ENMS]) and Computer Network Defense [CND] (for example, Host Based System Security [HBSS] and Assured Compliance Assessment Solution [ACAS]); SPACE; Signals Intelligence (SIGINT); and Information Operations (IO). Candidate data sources will include any form of output produced from any system or device within those primary groups (e.g., processed alerts, audit logs, raw data). In the above example, the indication of a device compromise might result from an ENMS source. The ACAS and HBSS sources could contain information related to the device in question; in such a case the additional ACAS and HBSS data sources would likely contain information identifying causal or contributing events resulting in the device compromise. In addition, the data sources could indicate a potential escalation of further device compromise. The accuracy of the correlation of events from such data sources is a key component of Cyber SA, and the speed to response is key to containing and correcting the situation. Inference engine technology has the potential to make associations related to a device query and present the results in a manner that enables an analyst to respond rapidly.

PHASE I: Determine the applicability and relative benefits of inference engine technology to NCSA (candidate inference engine technologies to be discussed at kickoff). Establish control and baseline metrics from which to quantify potential improvements to NCSA accuracy and speed to response. Determine the extent to which the benefit of inference engine technology can be improved through tailoring. Identify other aspects of inference engine technology that may provide additional NCSA utility or new capability. The Phase I deliverable will address at least these factors:
(1) Baseline control metrics of existing NCSA solution accuracy and speed to response
(2) Initial improvements to NCSA accuracy and speed to response resulting from the use of inference engine technology
(3) Further improvements to NCSA accuracy and speed to response resulting from tailoring of inference engine technology
(4) Aspects of inference engine technology that may provide additional NCSA utility or new capability

PHASE II: Provide a practical implementation of the solution researched and designed in Phase I, whether it is an extension of existing inference engine technology or a completely new inference engine technology. Testing and evaluation should accompany the implementation to illustrate both feasibility and practicality. The solution should also show how it can be aligned with NCSA agile development methodologies. Disclosures to the operational environment may be made, making work under Phase II potentially classified.

PHASE III: Transition the proposed solution to current Navy systems that support NCSA.

PRIVATE SECTOR COMMERCIAL POTENTIAL/DUAL-USE APPLICATIONS: The big data analytics component realized from this topic also affects industry. Scoping the research and development to improve accuracy and speed would also benefit industry components that already use current solutions.

REFERENCES:
(1) "Analytics in a Big Data Environment" -
(2) "Fact Sheet: Big Data Across the Federal Government" (pg. 1) -
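The device-compromise scenario in the DESCRIPTION (an ENMS compromise indication enriched with ACAS and HBSS data to show location, contributing factors and escalation risk) can be sketched as a small forward-chaining rule engine. The following is an added example, not code from the solicitation or from any Navy system: the feed field names, host names, enclave names, finding identifiers and timestamps are all constructed for illustration, and the rules (a 24-hour HBSS look-back window, high-severity ACAS findings counting as contributing factors, a shared finding inside the same enclave counting as escalation risk) are assumptions chosen to make the technique concrete.

```python
"""Toy forward-chaining inference over constructed NCSA-style feeds.

ENMS, HBSS and ACAS are the source families named in the topic; every
record, field name and rule threshold below is constructed for this
example and is not taken from any real feed.
"""
from datetime import datetime, timedelta

# Constructed sample data (not real Navy inventory or alerts).
ASSET_INVENTORY = {
    "ws-0117": {"enclave": "ENCLAVE-A", "location": "Bldg 4, Rm 210"},
    "ws-0118": {"enclave": "ENCLAVE-A", "location": "Bldg 4, Rm 212"},
    "srv-0042": {"enclave": "ENCLAVE-B", "location": "Bldg 7, Server Rm"},
}
ENMS_ALERTS = [
    {"ts": "2024-03-01T10:15:00", "host": "ws-0117", "type": "compromise_indicator"},
    {"ts": "2024-03-01T10:16:00", "host": "srv-0042", "type": "link_down"},
]
HBSS_EVENTS = [
    {"ts": "2024-03-01T09:58:00", "host": "ws-0117", "event": "policy_violation:removable_media"},
    {"ts": "2024-02-20T08:00:00", "host": "ws-0117", "event": "av_signature_update"},
]
ACAS_FINDINGS = [
    {"host": "ws-0117", "finding": "FINDING-123", "severity": "high"},
    {"host": "ws-0118", "finding": "FINDING-123", "severity": "high"},
    {"host": "srv-0042", "finding": "FINDING-456", "severity": "low"},
]
HBSS_WINDOW = timedelta(hours=24)  # assumed look-back for contributing events


def _t(s):
    return datetime.fromisoformat(s)


def sel(facts, kind):
    """All facts of one kind; facts are tuples whose first element is the kind."""
    return [f for f in facts if f[0] == kind]


def seed_facts():
    """Load the raw feed records as ground facts."""
    facts = set()
    facts |= {("enms", a["host"], a["type"], a["ts"]) for a in ENMS_ALERTS}
    facts |= {("hbss", e["host"], e["event"], e["ts"]) for e in HBSS_EVENTS}
    facts |= {("acas", f["host"], f["finding"], f["severity"]) for f in ACAS_FINDINGS}
    facts |= {("asset", h, i["enclave"], i["location"]) for h, i in ASSET_INVENTORY.items()}
    return facts


# Each rule derives new facts from the current fact set.
def rule_compromised(facts):
    return {("compromised", f[1], f[3]) for f in sel(facts, "enms")
            if f[2] == "compromise_indicator"}


def rule_located(facts):
    return {("located", c[1], a[2], a[3]) for c in sel(facts, "compromised")
            for a in sel(facts, "asset") if a[1] == c[1]}


def rule_contributing_hbss(facts):
    # HBSS events on the same host shortly before the alert are candidate causes.
    out = set()
    for c in sel(facts, "compromised"):
        for e in sel(facts, "hbss"):
            if e[1] == c[1] and timedelta(0) <= _t(c[2]) - _t(e[3]) <= HBSS_WINDOW:
                out.add(("contributing", c[1], "HBSS:" + e[2]))
    return out


def rule_contributing_acas(facts):
    return {("contributing", c[1], "ACAS:" + f[2]) for c in sel(facts, "compromised")
            for f in sel(facts, "acas") if f[1] == c[1] and f[3] in ("high", "critical")}


def rule_escalation(facts):
    # A high-severity finding shared with another host in the same enclave
    # flags that host as a likely next victim.
    enclave = {a[1]: a[2] for a in sel(facts, "asset")}
    return {("at_risk", g[1], f[2], c[1])
            for c in sel(facts, "compromised")
            for f in sel(facts, "acas") if f[1] == c[1] and f[3] in ("high", "critical")
            for g in sel(facts, "acas")
            if g[2] == f[2] and g[1] != c[1] and enclave.get(g[1]) == enclave.get(c[1])}


RULES = [rule_compromised, rule_located, rule_contributing_hbss,
         rule_contributing_acas, rule_escalation]


def forward_chain(facts, rules=RULES):
    """Apply rules until no rule adds a fact (fixpoint)."""
    facts = set(facts)
    while True:
        new = set().union(*(r(facts) for r in rules)) - facts
        if not new:
            return facts
        facts |= new


def analyst_picture(facts):
    """Collapse derived facts into one per-host view and pick an output format."""
    picture = {}
    for c in sel(facts, "compromised"):
        host = c[1]
        enclave, location = next(((l[2], l[3]) for l in sel(facts, "located") if l[1] == host), (None, None))
        at_risk = sorted(x[1] for x in sel(facts, "at_risk") if x[3] == host)
        picture[host] = {
            "alert_time": c[2], "enclave": enclave, "location": location,
            "contributing_factors": sorted(x[2] for x in sel(facts, "contributing") if x[1] == host),
            "at_risk_hosts": at_risk,
            # Spreading risk is easier to act on as an enclave map; an isolated host as text.
            "suggested_view": "enclave_map" if at_risk else "text_summary",
        }
    return picture


if __name__ == "__main__":
    import json
    print(json.dumps(analyst_picture(forward_chain(seed_facts())), indent=2))
```

On the constructed data the engine reports only ws-0117 as compromised, attaches its building and room from the inventory, lists the high-severity ACAS finding and the HBSS removable-media violation (the stale antivirus update falls outside the window) as contributing factors, and flags ws-0118, which shares the finding inside the same enclave, as an escalation risk, which in turn selects the map view. The rule set is where "tailoring" in the Phase I sense would happen: each rule is one Python function, so a new feed or threat pattern is a new rule rather than a change to the engine.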