Abstract

In the presence of cyber warfare or cyber attacks, the security analysts need to answer four critical questions What has happened What is the impact Why did it happen What should I do Answers to the first three questions form the core of Cyber Situational Awareness Cyber SA. Whether the last question can be satisfactorily answered is greatly dependent upon the cyber SA capability of an enterprise. Gaining SA is a human centric process through perception, comprehension, and projection. Compared to physical world SA, cyber SA has several unique characteristics, including extremely high situation evolving speed, extremely large amount of situation information, and fully automated services. These unique characteristics imply that physical world SA techniques cannot apply in cyberspace. These unique characteristics also indicate the importance of computer-aided SA and the cognition throughput challenge in gaining cyber SA. In this project, we take a holistic, end-to-end approach to integrate the human cognition aspects and the cyber tools aspects of cyber SA. We will develop cyber SA specific cognition models. We will leverage these models to develop cognition-friendly SA techniques, tools, and analytics, so that we can fill the gap between the sensor side and the analyst side of cyber SA. These cognition-friendly SA analytics and tools include but are not limited to situation knowledge reference model, fusion, cross-layer mission-driven SA analytics, adversary intent analysis, probabilistic graphical models, and automated reasoning. In addition, we will build test-beds to evaluate the proposed approach.