MURI: Computer-Aided Human Centric Cyber Situation Awareness

Project: Research project

Description

Dr. Nancy Cooke, Professor, Arizona State University and MURI Investigator, proposes to organize, host, and moderate a 1.5-day workshop in Arizona (Mesa-Tempe general vicinity) in late 2010 or early 2011 for MURI PIs and other interested local scientists and engineers. The purpose of the workshop is to demonstrate the testbed that the ASU MURI team has been developing for human-in-the-loop experiments on team situation awareness in the cyber security domain. Attendees will help guide the later stages of the testbed implementation and will learn how members of the MURI team can use the testbed for experiments and for testing tool or algorithm usability, as well as the logistics of testbed collaboration. Other local individuals (ASU, AFRL) will also be invited to participate and share ideas. The objectives are for researchers to make connections, for the ASU team to understand the needs of the other MURI team members, and to generate ideas for human-in-the-loop cyber experiments. Funds will be used for the conference facility, an event planner, and a student to assist with the technical details of the workshop. Attendees would pay for their travel and accommodations through the existing MURI grant.

Description

Networks, database systems, operating system kernels, and virtually any semi-secure system on the network today maintain transaction logs and audit trails used to track potential malfeasance. As a consequence, such logs grow enormous, often adding tens of millions or even billions of records in a single day. The ability to efficiently manage such massive logs and continuously monitor them for security violations is a major challenge. Transaction logs can naturally be viewed as directed, labeled graphs. For example, a transaction in which user U tries to access resource R can be viewed as a small graph. The nodes might include the resource R itself (or a URL for it), the IP address from which U attempts the access, and the intermediate nodes through which the request is transmitted from the originating IP address to R. The edges might be labeled with the type of access requested (read, write, execute), the time of the access, the authentication mechanism used, and so forth. Even a single request can thus generate a graph with a non-trivial number of nodes and edges. For a server such as one operated by the US Army or the CIA, which receives hundreds of millions or even billions of requests each day, the resulting transaction graphs are enormous. The principal goal of this research is to develop the data representations, mathematical foundations, and algorithms needed to represent and reason with graphs consisting of tens of millions, if not hundreds of millions, of edges.

Team-based Cyber SA is needed when a team of analysts works together to recognize and defend against large-scale attacks. Dr. Cooke (ASU) and Dr. McNeese (PSU) have developed extensive capabilities for conducting research on teams as integral parts of sociotechnical systems. In particular, they have developed team simulators, or synthetic task environments, in which to study team phenomena. In addition, Cooke and McNeese have developed a rich array of novel measures and metrics of team cognition in recent years [Perusich 2006, Cooke 2007]. In Task 12, we plan to leverage the simulation and measurement capabilities in the Cooke and McNeese labs to develop the capability to study teams of analysts in the Cyber SA domain. Simulations will be modified and aligned with the task characteristics of defense against cyber attacks, and measurements will be modified accordingly. Experiments will then be run to better understand the team cognition involved in defense against cyber attacks and to refine measures so that they are valid indicators of cyber defense performance, cyber team situation awareness and coordination, and decision making. Experiments will also be designed to assess and evaluate the influence of new cybersecurity tools (developed in the MURI) on team cognition and cyber SA. Results from the experiments will have implications for theories of team-based cyber defense and for the design of collaborative tools. In the following sections we summarize the existing simulation and measurement capabilities in the Cooke and McNeese labs.
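As an added illustration of the log-as-graph representation described in the project description (this is not code from the MURI project; the log line format and the records in SAMPLE_LOG are constructed for this example), the following Python builds a directed, labeled multigraph from audit records, with one chain of edges per request running from the originating IP through the intermediate hops to the resource, and answers two of the questions such a graph supports: which origins attempted a given access type on a resource, and which nodes can reach it at all.

```python
"""Audit-log records as a directed, labeled multigraph.

Added illustration; not the MURI project's code. The record format and the
lines in SAMPLE_LOG are constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed log lines, one request per line:
#   timestamp user source_ip hop1,hop2,... resource access auth_mechanism
SAMPLE_LOG = """\
2010-11-03T08:15:02Z alice 10.0.0.5 10.0.1.1,10.0.2.1 /srv/reports/q3.pdf read kerberos
2010-11-03T08:15:09Z bob 10.0.0.7 10.0.1.1,10.0.2.1 /srv/reports/q3.pdf write password
2010-11-03T08:16:44Z alice 10.0.0.5 10.0.1.1 /srv/bin/deploy execute kerberos
2010-11-03T08:17:10Z carol 192.0.2.9 10.0.1.2,10.0.2.1 /srv/reports/q3.pdf read password
"""


@dataclass(frozen=True)
class Edge:
    """One directed edge. Every edge of a request carries that request's
    labels (access type, time, auth mechanism) so any hop can be queried."""
    src: str
    dst: str
    request_id: int
    user: str
    access: str   # read | write | execute
    time: str
    auth: str


class TransactionGraph:
    def __init__(self) -> None:
        self.out: Dict[str, List[Edge]] = defaultdict(list)   # adjacency, forward
        self.inc: Dict[str, List[Edge]] = defaultdict(list)   # adjacency, reverse
        self.nodes: Set[str] = set()
        self.origin: Dict[int, str] = {}                      # request id -> source IP
        self._next_id = 0

    def add_request(self, time: str, user: str, src_ip: str, hops: List[str],
                    resource: str, access: str, auth: str) -> int:
        """Turn one record into the chain src_ip -> hop1 -> ... -> resource."""
        rid = self._next_id
        self._next_id += 1
        self.origin[rid] = src_ip
        path = [src_ip, *hops, resource]
        for a, b in zip(path, path[1:]):
            e = Edge(a, b, rid, user, access, time, auth)
            self.out[a].append(e)
            self.inc[b].append(e)
            self.nodes.update((a, b))
        return rid

    def node_count(self) -> int:
        return len(self.nodes)

    def edge_count(self) -> int:
        return sum(len(v) for v in self.out.values())

    def origins_for(self, resource: str, access: Optional[str] = None) -> Set[str]:
        """Source IPs whose request ended at `resource`, optionally filtered by access type."""
        return {self.origin[e.request_id] for e in self.inc.get(resource, [])
                if access is None or e.access == access}

    def label_histogram(self, resource: str, label: str) -> Dict[str, int]:
        """Count final-hop edges into `resource` by one edge label, e.g. 'auth'."""
        counts: Dict[str, int] = defaultdict(int)
        for e in self.inc.get(resource, []):
            counts[getattr(e, label)] += 1
        return dict(counts)

    def upstream(self, node: str) -> Set[str]:
        """Every node from which `node` is reachable (reverse breadth-first search)."""
        seen: Set[str] = set()
        queue = deque([node])
        while queue:
            cur = queue.popleft()
            for e in self.inc.get(cur, []):
                if e.src not in seen:
                    seen.add(e.src)
                    queue.append(e.src)
        return seen


def parse_log(text: str) -> TransactionGraph:
    """Parse the constructed whitespace-separated format into a TransactionGraph."""
    g = TransactionGraph()
    for line in text.splitlines():
        if not line.strip():
            continue
        time, user, src_ip, hops, resource, access, auth = line.split()
        g.add_request(time, user, src_ip, hops.split(","), resource, access, auth)
    return g


if __name__ == "__main__":
    g = parse_log(SAMPLE_LOG)
    print(g.node_count(), "nodes,", g.edge_count(), "edges")
    print("writers of q3.pdf:", g.origins_for("/srv/reports/q3.pdf", access="write"))
    print("auth mix for q3.pdf:", g.label_histogram("/srv/reports/q3.pdf", "auth"))
    print("can reach q3.pdf:", sorted(g.upstream("/srv/reports/q3.pdf")))
```

Note that `upstream` answers a reachability question over the union of all requests, so it over-approximates any single request's path; per-request questions go through the `request_id` label instead. The in-memory adjacency lists are for illustration only: at the hundreds of millions of edges the description targets, the representation itself becomes the research problem.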
Status: Finished
Effective start/end date: 9/17/09 to 7/31/15

Funding

  • DOD-ARMY-ARL: Army Research Office (ARO): $628,371.00

Fingerprint

Testbeds
Experiments
Directed graphs
Authentication
Logistics
Websites
Servers
Simulators
Decision making
Students
Engineers
Testing