Enhancing Cyber Situational Awareness through Active Defense - Research Paper Example

Summary
The paper "Enhancing Cyber Situational Awareness through Active Defense" states that effective cyber situation awareness involves taking initiatives that integrate a number of factors such as metrics, mission assurance, dynamic risk assessment, and visualization of the general architecture…

Enhancing Cyber Situational Awareness through Active Defense

2.2 SA Research Initiatives

The Situation Awareness Research Initiative has the primary objective of collaborative work to advance research and technology relating to cyber functionality, security, efficiency, dependability, reliability and security situation awareness, with the aim of improving and refining related metrics, standards, mission assurance practices and the visualization of cyber projects. Effective cyber situation awareness involves initiatives that integrate a number of factors such as metrics, mission assurance, dynamic risk assessment and visualization of the general architecture. After a review of the state of the art in cyber defense, the following shortlisted measures will be considered for efficiency, effectiveness and security purposes:

i. Visualization of situation awareness data/information
ii. Metrics
iii. Dynamic risk assessment for mission assurance

However, cyber situation awareness is still considered a new field of research. It made its mark with Denning's (1987, 2002) pioneering work on using expert systems to detect computer attacks in 1987, followed by a plethora of experiments thereafter. This early stage of experiments shaped the concept of tactical fusion, proposed by the JDL (Joint Directors of Laboratories) model in 1992. The model, published by Hall and Llinas (1997), contains five functional levels (0, 1, 2, 3 and 4) and focused solely on data management to prevent cyber attacks; most of its tasks are concentrated on levels 0, 1 and 4. Tadda regards the JDL model as a bottom-up, data-driven model (Figure 3). The significance of the JDL model lies in the fact that it highlights the importance of algorithmic techniques for supporting situation awareness (Salerno, Hinman, & Boulware 2005).
Figure 3: Tactical Fusion/JDL Model [Adapted from Tadda 2008]

Explanation

From a simple point of view, SA refers to knowledge about ongoing events in the cyber environment. Endsley (2000: 3) defines three essential drivers of SA: perception, comprehension, and projection. As per Endsley, perception of cues (which she refers to as Level 1 SA) is fundamental, since in the absence of basic perception of important information the chance of wrongly visualizing the situation increases drastically. In support of this argument she cites a finding that 76% of pilots' SA errors emanated from a lack of perception of the required information (Jones & Endsley 1996). Comprehension, on the other hand, refers to the outcome of how people interpret, associate, store, and retain information, and thus takes its place in the SA process as Level 2 SA in Endsley (1995c). Level 3 SA, i.e. projection, helps operators perform at the highest level of SA, since it enables them to forecast situation events and their dynamics (Endsley 2000). Endsley further explains that SA is all about "knowing what is going on," while from a formal point of view it is "the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning and the projection of their status in the near future" (Endsley 1995b: 36). In a nutshell, Endsley consolidated the theoretical perspective of SA by adding human factors to it, thereby opening a new horizon of developments towards achieving quality SA (Wickes 2008: 397). Endorsement of the above view by a host of researchers (Endsley 1993, 1994; Endsley & Rodgers 1994; Endsley & Robertson 1996; Endsley et al. 1998) highlighted the temporal aspects of SA: both the perception of time and the temporal dynamics associated with events play crucial roles in the formulation of SA, and a critical part of SA involves understanding the amount of time available before an event occurs or an action completes. Such developments helped researchers establish time as an integral part of Level 2 (comprehension) and Level 3 (projection) SA.

Analysis

The approach to quality SA is goal-driven, because operators have multiple goals within the surrounding environment, which makes SA dependent on task performance and the goals set in that environment. Additionally, SA is known to be behavior directed toward achieving a goal in a specific task environment under the required conditions. Based on her theoretical understanding of SA, Endsley (1995a) developed her SA model, mostly referred to as a mental model comprising three levels, i.e. perception, comprehension, and projection, as shown in Figure 4 below.

Figure 4: Endsley's Model (1995b)

Analysis

The above model separates SA from the decision-making and performance stages by depicting it as the operator's mental model of the state of the environment, acting as the main precursor to decision making. According to Endsley (2000), the central tenet of cyber operation is to convert quality situation awareness into successful performance, which in turn requires treating SA as a separate stage of functions. The reason is that while it is possible to obtain quality SA, it is not always possible to convert it into action, owing to other intervening factors such as poor strategy selection, lack of decision choices, technical constraints, lack of training, etc.
Alternatively, this model depicts SA as a package containing both tacit and explicit knowledge (Nonaka 1994; Nonaka & Nishiguchi 2001), the successful exploitation of which depends on other appropriate external channels, such as technology, training, and the amount of freedom in decision making.

2.2.1 Tadda's Situation Awareness Reference Model (Combo Model)

Tadda (2008) considers the JDL model a bottom-up, data-driven, functional model and Endsley's model a top-down, goal-driven, mental model. He recognizes the utility of both and accordingly proposes a combined model comprising the best elements of each, plus new elements such as initial data requirements and textual input, as shown in Figure 5 below.

Figure 5: Tadda's Combination of JDL & Endsley Model (Tadda 2008)

Analysis

This model begins by defining the problem/goal in a top-down manner at level 0/1 and then proceeds to Processing Flow, under which projection (the alerts), comprehension (model analysis) and perception (data collection, parsing/extraction, and data cleansing) take place. Next is Process Refinement, which deals with missing data, additional data and input for sensor management, before the model takes up Off-line Processing, involving knowledge discovery. In another illustration, Tadda (2008) uses three broad areas of operation, Anticipation, Comprehension, and Perception, to show how the same system works when applied to cyber SA:

Figure 6: Tadda's (2008) SA Reference Model Applied to Cyber SA

Analysis

This combo model has considerable advantages over the JDL model: when applied to the cyber domain, it collects evidence at the Perception level, then comprehends the situation by recognizing intrusion attempts and exploiting prior knowledge, which in turn enables it to anticipate the possible magnitude of the resulting impact.
The same is illustrated in the diagram below:

Figure 7: Tadda's (2008) Model Applied to the Cyber Domain

Explanation

According to Tadda (2008), the following seven variables (depicted in the diagram above) are the main contributors to SA:

i. Evidence, gathered through IDS alerts, system logs, service logs, and network flow data;
ii. Track, the collection of all evidence available against the targets attacked by an attacker;
iii. Situation, a set of tracks at a snapshot in time;
iv. Situation Awareness of a Network, the mental model of the analyst;
v. True Positive, a successful attack;
vi. False Positive, an incorrectly identified attack;
vii. Non-relevant Positive, where the operators correctly identify an attack that has failed to penetrate.

Emerging points from the literature

Since cyber war is no less important than real war, it becomes pertinent to consider the eight interrelated variables recommended by the United States Army's (2010) Cyberspace Operations Concept Capability Plan 2016-2028: political, military, economic, social, information, infrastructure, the physical environment, and time. Therefore, in the context of this study, it becomes highly important for any cyber SA model to answer the following questions, which together can be termed a Safety Framework:

i. Who is/are attacking?
ii. What is/are the motive/s behind the attack?
iii. What is the location of the attack?
iv. What is/are the goal/s of the attacker/s?
v. What are the capabilities of the attacker/s?
vi. What is/are the weakness/es of the attacker/s?
vii. What could be the impact of the attack on the operator's domain?
viii. How could the attack be defused beforehand?

Situation Analysis on the Safety Framework based on different models

At this point it becomes pertinent to analyze the three models reviewed in this study, as well as the promises offered by ASAM, in the context of the above safety framework.
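Before the model comparison, Tadda's Evidence, Track and Situation variables and his three outcome labels, worked on constructed data. This is an added example, not code from the paper or from Tadda; the host names, RFC 5737 addresses, alert texts and the ground-truth table are all invented for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Evidence:
    """One piece of evidence: an IDS alert, system/service log line or flow record."""
    ts: int        # seconds into the observation window (constructed)
    source: str    # "ids", "syslog" or "flow"
    target: str    # asset the evidence concerns
    attacker: str  # source the evidence attributes the activity to
    detail: str

@dataclass
class Track:
    """Track = all evidence available about one attacker acting against one target."""
    target: str
    attacker: str
    evidence: list = field(default_factory=list)

def build_tracks(evidence):
    """Group evidence into tracks keyed by (attacker, target)."""
    tracks = {}
    for e in evidence:
        key = (e.attacker, e.target)
        tracks.setdefault(key, Track(e.target, e.attacker)).evidence.append(e)
    return tracks

def situation(tracks, at):
    """Situation = the set of tracks at a snapshot in time: only evidence seen by `at`."""
    snap = {}
    for key, t in tracks.items():
        seen = [e for e in t.evidence if e.ts <= at]
        if seen:
            snap[key] = Track(t.target, t.attacker, seen)
    return snap

def classify(track, ground_truth):
    """Label a track once the analyst knows what really happened: True Positive (attack
    succeeded), Non-relevant Positive (real attack that failed to penetrate), False
    Positive (alerts, but no attack)."""
    outcome = ground_truth.get((track.attacker, track.target), "none")
    labels = {"compromised": "True Positive", "failed": "Non-relevant Positive"}
    return labels.get(outcome, "False Positive")

# Constructed sample evidence; hosts and RFC 5737 documentation addresses are invented.
SAMPLE = [
    Evidence(10, "ids", "web01", "203.0.113.7", "SQL injection signature on /login"),
    Evidence(12, "flow", "web01", "203.0.113.7", "250 connections/min to tcp/443"),
    Evidence(40, "syslog", "web01", "203.0.113.7", "new administrative user created"),
    Evidence(15, "ids", "db01", "198.51.100.9", "port scan"),
    Evidence(16, "syslog", "db01", "198.51.100.9", "connection dropped by host firewall"),
    Evidence(20, "ids", "mail01", "192.0.2.55", "suspicious attachment heuristic"),
]
# Constructed ground truth, as an analyst would establish it after the fact.
GROUND_TRUTH = {("203.0.113.7", "web01"): "compromised", ("198.51.100.9", "db01"): "failed"}

def assess(evidence=SAMPLE, at=60, truth=GROUND_TRUTH):
    """Return {(attacker, target): (evidence count, outcome label)} for the situation at `at`."""
    snap = situation(build_tracks(evidence), at)
    return {k: (len(t.evidence), classify(t, truth)) for k, t in snap.items()}

if __name__ == "__main__":
    for (attacker, target), (n, label) in assess().items():
        print(f"{attacker} -> {target}: {n} item(s) of evidence, {label}")
```

Changing `at` shows why Situation is defined as a snapshot: at second 11 only the first web01 alert exists, so the analyst's mental model is built from one track with one item of evidence.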
Table 4: Analysis of SA Models under the Safety Framework

Variable                               JDL   Endsley   Fusion   ASAM
Identity of attacker/s                 No    No        No       Yes
Motive/s behind attack                 No    No        No       Yes
Location/s of the attacker/s           No    No        No       Yes
Achievement goal/s of the attacker/s   No    No        No       Yes
Capabilities of the attacker/s         No    No        No       Yes
Weakness/es of the attacker/s          No    No        No       Yes
Impact of the attack                   No    No        No       Yes
Ability to deter the attack/s          No    No        No       Yes

The above table shows that the three models reviewed in this study fail to identify the above variables, which points to their severe limitations in providing quality cyber security. By contrast, ASAM proposes to identify all of the above variables, which makes it far more competent than its counterparts. ASAM is able to perform so many tasks well because its main driving force is intelligence generated from new knowledge gathered from the adversary domain, giving it an enhanced ability to deter cyber attacks. Thus ASAM would operate in the following style:

Figure 13: Proposed Operation Style of ASAM

Analysis of the proposed operation style of ASAM

From the above diagram, it is clear that in ASAM's case a continuous flow of intelligence would give the operator an upper hand in dealing with security threats even before they occur. For example, ASAM would influence the attacker (Figure 9) by exploiting the OODA loop (Observe, Orient, Decide, and Act), a decision-making model that is part of Colonel John Boyd's Asymmetric Fast Transient theory of conflict (Boyd 1987), and thereby arrive at the best protective measure. Accordingly, the extended theoretical model of ASAM, covering issues ranging from Basic Knowledge to Advanced Knowledge, appears as below:

Figure 14: Extended Theoretical Model (ASAM)

Importance of cyber deception

According to this strategy, a communication channel can convey false information and hence be used for deception (Miller & Stiff, 1993).
Deception is an interaction between two parties (deceiver and target) in which the deceiver successfully makes the target accept as true a specific false version of reality, with the intention of making the target act in a way that benefits the deceiver. Key relevancies of deception in cyber-attacks include:

i. Cyberspace communication links carry less information than normal face-to-face interaction. Hence cues such as voice inflections and body language are lost in email communication, permitting spoofing, where messages appear to have come from someone other than the author.
ii. Little permanence exists, since information in cyberspace can be quickly and easily created or altered.

Figure 15 below is an overall model of the Enhanced Cyber Situational Awareness Active Defense system.

Works Cited

Lippmann, R., Fried, D., Graf, I., Haines, J., Kristopher, J., et al. (2000). "Evaluating Intrusion Detection Systems: The 1998 DARPA Off-line Intrusion Detection Evaluation." DARPA Information Survivability Conference & Exposition, Vol. 2, pp. 1012.
Endsley, M. (1995). "Toward a theory of situation awareness in dynamic systems." Human Factors 37(1), 32-64.
McGuiness, B., & Foy, J. L. (2000). "A subjective measure of SA: The crew awareness rating scale (CARS)." Proceedings of the First Human Performance, Situation Awareness, and Automation Conference, Savannah, Georgia, USA, October 2000.
U.S. Department of Defense, Data Fusion Subpanel for the Joint Directors of Laboratories, and Technical Panel for C3. (1991). Data Fusion Lexicon.
Salerno, J. (2008). "Measuring situation assessment performance through the activities of interest score." Proceedings of the 11th International Conference on Information Fusion, Cologne, Germany, June 30 - July 3, 2008.
McHugh, J. (2000). "Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory." ACM Transactions on Information and System Security 3(4), 262-294.
Benzel, T., Braden, R., Kim, D., Joseph, A., Neuman, C., Ostrenga, R., Schwab, S., & Sklower, K. (2007). "Design, Deployment, and Use of the DETER Testbed." Proceedings of the DETER Community Workshop on Cyber Security Experimentation and Test, August 2007.
Aschenbruck, N., Martini, P., Meier, M., & Tölle, J. (2012). Future Security: 7th Security Research Conference, Future Security 2012, Bonn, Germany, September 4-6, 2012. Proceedings. Berlin, Heidelberg: Springer.
Cumiford, L. D. (2006). Situation Awareness for Cyber Defense. Ft. Belvoir: Defense Technical Information Center.
Jajodia, S. (2010). Cyber Situational Awareness: Issues and Research. New York: Springer.
Klein, G., Hunke, S., Günther, H., & Jahnke, M. (n.d.). "Model-based Cyber Defense Situational Awareness." 35.1. Print.
Malviya, A., Fink, G. A., Sego, L. H., & Endicott-Popovsky, B. E. (n.d.). Situational Awareness as a Measure of Performance in Cyber Security Collaborative Work. Los Alamitos, CA: IEEE Computer Society. Print.
Malware Forensics: Discovery of the Intent of Deception. Research Online, 2010.
McQueen, M. A., & Boyer, W. F. (2009). Deception Used for Cyber Defense of Control System. INL/CON-08-15204 Preprint.
Gardner, H. (1987). The Mind's New Science: A History of the Cognitive Revolution. Basic Books.
Geer, D., Jr., Hood, K. S., & Jesuit, A. (2003). "Information security: Why the future belongs to the quants." IEEE Security & Privacy.
White, B., Lepreau, J., Stoller, L., Ricci, R., Guruprasad, S., et al. (2002). "An Integrated Experimental Environment for Distributed Systems and Networks." Proceedings of the Fifth Symposium on Operating System Design and Implementation, Dec 2002, 255-270.
da G., G., et al. (2012). "Realizing situation awareness within a cyber environment." In Multisensory, Multisource Information Fusion: Architectures, Algorithms, and Applications, B. V.
Onwubiko, C., & Owens, T. Situational Awareness in Computer Network Defense: Principles, Methods and Applications. Hershey, PA: IGI Global (701 E. Chocolate Avenue, Hershey, Pennsylvania, 17033, USA). Print.
Undercoffer, J., Pinkston, J., Joshi, A., & Finin, T. (2003). "Target-Centric Ontology for Intrusion Detection." IJCAI Workshop on Ontologies and Distributed Systems (IJCAI03), August 2003.
Dana, D. A. (2001). Rethinking the puzzle of escalating penalties for repeat offenders. Yale Law Journal, 110, 733-783.
Dinev, T., & Hart, P. (2006). An Extended Privacy Calculus Model for E-Commerce Transactions. Information Systems Research, 17(1), 61-80.
Felson, M., & Clarke, R. (1998). Opportunity Makes the Thief. Policing and Reducing Crime Unit, Research, Development and Statistics Directorate, Paper 98. London: Home Office.
Grady, M. F., & Parisi, F. (2006). The Law and Economics of Cyber Security. Cambridge University Press.
IC3 (2010). Internet Crime Complaint Center Report (2006-2010). Retrieved from http://www.ic3.gov/media/annualreports.aspx
Jahankhani, H., & Al-Nemrat, A. (2010). Examination of Cyber-criminal Behavior. International Journal of Information Science and Management, 41-48.
Longe, O. B., & Osofisan, O. A. (2011). On the Origins of Advance Fee Fraud Electronic Mails: A Technical Investigation Using Internet Protocol Address Tracers. The African Journal of Information Systems, 3(1). Retrieved from http://digitalcommons.kennesaw.edu/ajis/vol3/iss1/2
Enhancing Cyber Situational Awareness through Active Defense Research Paper Example | Topics and Well Written Essays - 1750 words - 1. https://studentshare.org/information-technology/1788595-enhancing-cyber-situational-awareness-through-active-defence