Situational Awareness Analysis Tools - Research Proposal Example

2.2 SA Research Initiatives Situation awareness in cyber (CSA) defense entails the realization and recognition cognitively, of performance of technical enterprise, the relationship between technical performance and sets of missions that are under support, recognition of threats internal and external toward the enterprise and have the activity awareness in relation to the broader agency (Kumar et al, Situational Awareness Analysis Tools for Aiding Discovery of Security Events and Patterns). CSA involves having an understanding of the happenings in the surroundings of a specified domain in an effort to comprehend how information, events and expected outcomes of actions instigated by command goals and objectives which are projected, having been established by command (Sushil et al, Situational awareness). Having a comprehensive, intuitive, precise, and well-timed CSA is vital for decision makers wanting to change decision and infrastructure commands with regards to curbing and defending against cyber crimes and attacks (Leigh et al, Bringing Knowledge to Network Defense). Positive outcomes of CSA cause it to be applied and successfully be a route by which cyber defense achieves its objectives of diminishing and curbing the attacks of an enemy. Cyber SA is still considered a new field of research that made its mark with Denning’s (1987, 2002) pioneering work on using expert systems to detect computer attacks in 1987. That was followed by a plethora of experiments covering areas such as anomaly detection, pattern matching, agent-based systems etc., which are now described within the confines of level 0 or early level 1 data fusion (Salerno et al. 2008, Tadda 2006, 2008). The early stage of experiments shaped the concept of tactical fusion, which was proposed by the JDL (Joint Director’s Laboratory) model in 1992, which gained popularity among the researchers. This model contains five functional levels such as 0, 1, 2, 3, and 4. It was published by Hall, and Llinas (1997) and it focused solely on data management to prevent cyber attacks. Here most of the tasks are concentrated on level 0, 1, and 4. Tadda finds the JDL model as a bottom-up, data driven model (Figure 3). The significance of JDL model lies in the fact that highlighted the significance of algorithmic techniques towards supporting situation awareness (Salerno, Hinman, &Boulware 2005). Figure 3: Tactical Fusion/JDL Model [Adapted from (Tadda 2008)] However, the work on successfully comprehending the concept of Situation Awareness (henceforth will be mentioned as SA) was very much on, since the researchers rightfully sensed that human elements are equally important in achieving quality SA. From a simple point of view SA refers to the knowledge about ongoing events in the cyber environment, but the three elements hidden in that definition such as knowledge, ongoing events, and cyber environment, contain a plethora of elements that command human abilities such as perceiving, comprehending and projecting the situation. In wake of such requirements, Endsley (2000: 3) provided one of the briefest yet comprehensive definitions of SA when he stated that SA refers to “the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning and the projection of their status in the near future.” The definition above clearly underpins three essential drivers of SA, such as perception, comprehension, and projection. Endsley (2000) observes that perception of cues (which he refers to as Level 1 SA) appears fundamental, since in the absence of basic perception of important information the chance of wrongly visualizing the situation drastically increases. To sustain his argument he cites a finding that showed 76% of SA errors of the pilots (either system failure or cognitive processing problem) emanated from lack of perception of the required information (Jones &Endsley 1996). Comprehension on the other hand, refers to an outcome of how people interpret, associate, store, and retain information, and thus makes it place in SA process as Level 2 SA in Endsley’s (1995c) definition. Flach (1995: 3) argues that “the construct of situation awareness demands that the subjective interpretation (awareness) and in the sense of objective significance or importance (situation).” Alongside, Jones and Endsley (1996) observe that lack of comprehension can cause 20 percent of SA error. The Level 3 SA, i.e., Projection helps operators to perform at the highest level of SA, since it enables the operators to forecast situation events and its dynamics, suggests Endsley (2000). Endsley argued that from an intuitive point of view SA is all about “knowing what is going on,” while from a formal point of view it is all about “the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning and the projection of their status in the near future” (Endsley 1995b: 36). Thus Endsley further consolidated the theoretical perspective of SA by adding human factors in it, thereby opening a new horizon of developments towards achieving quality SA (Wickens 2008: 397). Endorsement of the above view from a host of researchers (Endsley 1993, 1994, Endsley& Rodgers 1994, Endsley& Robertson 1996, Endsley et al. 1998) highlighted the temporal aspects of time, as the above view showed that both perception of time and temporal dynamics associated with events play crucial roles in the formulation of SA, and a critical part of SA involves understanding of the amount of time available in the occurrence of an event or in the course of an action. Such developments helped researchers to underpin time as an integral part of Level 2 (comprehension) and Level 3 (projection) SA. Endsley (1995c) argues that the approach to earn quality SA should be goal-driven, since operators have multiple goals within any environment, which makes SA dependent on task performance and goals set in a specific environment. Smith and Hancock’s (1995: 139) view that SA is “purposeful behavior directed toward achieving a goal in a specific task environment,” also supports Endsley’s view. Based on her theoretical understanding of SA, Endsley (1995a) developed her SA model, which is mostly referred to as a mental model comprising of three levels such as perception, comprehension, and projection (Figure 4). Figure 4: Endsley’s Model (1995b) The above model segregates SA from decision making and performance stages to depict it as an operator’s mental model of the state of the environment, which acts as the main precursor to the decision making processes. According to Endsley (2000), the central tenet of cyber operation is to convert quality situation awareness into successful performance, which in turn requires treating SA as a separate stage of functioning. Model Analysis The model brings about the aspect of awareness of the current situation by the defender. In the perception level, the defender recognizes that an attack from an enemy is occurring (Leslie et al, Situation awareness of cyber defense). The defender then identifies what type of attack it is, who or what is the source of the attack, i.e., enemy identification, and the target of the attack, that is, where the enemy is targeting the attack. Situation perception is beyond intrusion detection, which incorporates the intrusion detection system – IDS, which is normally only a sensor that is quite primitive, it does not identify or recognize an attack, but merely gives an identity of an event that could possibly be part of an attack once the event adds to an activity of recognition and identification (Klein et al, Model-based Cyber Defense Situational Awareness). This model at the SA level enables the defender to be aware of the impact of the attack caused by the enemy. The defender gets to assess both the current and the future impact of the attack, this leads to the analysis of vulnerability and assessment of threat. The defender can also track how the enemy evolved the situation and be aware of the behavior of the adversary. Being aware of the adversary’s behavior in the situation is the vital and major component in this model. Forensics and back-tracking are used for casualty analysis so as to know how and why the current is caused (Malviya et al, Situational Awareness As a Measure of Performance in Cyber Security Collaborative Work). The SA enables awareness of the trustworthiness of the information items on situation awareness collected, and the decisions of knowledge-intelligence founded on these information items. The defender thus assesses the current situation’s probable futures. This can be achieved through a number of technologies for foretelling the possible actions of the enemy in the future, and, therefore, take possible preventive measures (Onwubiko et al, Situational Awareness in Computer Network Defense: Principles, Methods and Applications). This constraining necessitates knowing the enemy’s objective, capability and opportunity and an understanding of the defender as well. The cyber situation awareness as per this model is made up of the perception, comprehension and projection levels as illustrated and discussed above (Aschenbruck et al, internet source). Tadda (2008) uses three broad areas of operation such as Anticipation, Comprehension, and Perception, and illustrates how it works when applied the cyber SA: Figure 6: Tadda’s (2008) SA Awareness Reference Model Applied to cyber SA Tadda (2008) suggests that this combo model applied to cyber domain would collect evidence at Perception level, and then would Comprehendthe situation by recognizing intrusion attempts and exploiting a priori knowledge, which in turn would enable it to anticipate the possible magnitude of impact. He illustrates the same through another diagram: Figure 7: Tadda’s (2008) Model Applied to Cyber Domain Tadda (2008) underpins seven variables as the main contributors to SA, such as 1. Evidence: Gathered through IDS Alerts (Snort, Dragon), System logs, service logs (Apache and IIS), and network flow data; 2. Track: This refers to the collection of all evidence that are available against one or more targets made by one or more attackers; 3. Situation: This refers to the set of tracks at a snapshot of time; 4. Situation Awareness of a Network: This refers to the mental model of the analyst; 5. True Positive: This refers to a successful attack; 6. False Positive: This refers to an incorrectly identified attack; 7. Non-relevant Positive: This refers to the situation where the operators correctly identify the attack that has failed to penetrate. Cyber Deception as a tool against cyber war Deception in cyber war entails distorting of the enemy’s perception of the reality. It aims at putting the adversary (the enemy), at a disadvantage. The control system defender can do so by deploying a cheap and simple computer as a canary so as to discover if an attacker has entered the system (McQueen &Boyer, Deception Used for Cyber Defense of Control System). Deception, thus, involves dissimulation (hiding the real), and simulation (showing the false). Simulation techniques which can be helpful in curbing cyber crime comprise of inventing the false by creating a perception that a relevant object exists when it does not. For instance, a honeypot can be used to give a subnet appearance of machines containing IP specific addresses when in reality, there is no subnet as such (McQueen &Boyer, Deception Used for Cyber Defense of Control System). Mimicking is another simulation technique. It invents the false by presenting the characteristics of a relevant, actual object. Decoying, on the other hand, displays the false by attracting attention away from more relevant objects. Dissimulation comprises masking, repackaging and dazzling. Masking is a method of preventing an attacker from observing services that are associated with the control systems. Repackaging conceals service information by causing the service to appear to be of no interest to the attacker. Dazzling hides the system services information by making what the attacker can observe to be unintelligible or confusing. The defense of control system cyber security may use deception in interactions of human systems to frustrate the plans of attackers (McQueen &Boyer, Deception Used for Cyber Defense of Control System). Emerging points from literature Since cyber war is no less important than real-time-war, it becomes pertinent to consider the eight interrelated variables recommended by the United States Army’s (2010) Cyberspace Operations Concept Capability Plan 2016-2028. Those variables are: political, military, economic, social, information, infrastructure, the physical environment, and time. Therefore, under the context of this study, it becomes highly important for any cyber SA model to answer the following questions, which together can be termed as Safety Framework: Who is/are attacking? What is/are the motive/s behind attack? What is the location of the attack? What is/are the objective/s of the attacker/s? What are the capabilities of the attacker/s? What is/are weakness/es of the attacker/s? What could be the impact of attack on the operator’s domain? How the attack could be defused beforehand? At this point it becomes pertinent to analyze the three models reviewed in this study as well as the promises offered by the ASAM under the context of the above safety framework: Table 4: Analysis of SA Models under Safety Framework Variables JDL Endsley Fusion ASAM Identity of attacker/s No No No Yes Motive/s behind attack No No No Yes Location/s of the attacker/s No No No Yes Achievement goal/s of the attacker/s No No No Yes Capabilities of the attacker/s No No No Yes Weakness/es of the attacker/s No No No Yes Impact of the attack No No No Yes Ability to deter the attack/s No No No Yes The above table shows that the three models reviewed in this study fail to identify the above variables, which in turn points to their severe limitations in providing quality cyber security. On the other hand ASAM proposes to identify all of the above variables, which makes it far more competent than its counterparts. One may argue at this point that how ASAM could perform so many tasks. This can be defended by stating that the main driving force of ASAM would be intelligence generated from new knowledge (gathered from the adversary domain), which would operate with enhanced ability to deter cyber attack. Thus ASAM would operate in the following style: Figure 13: Proposed Operation Style of ASAM The above diagram makes the fact clear that in ASAM’s case, a continuous flow of intelligence would provide an upper hand to the operator dealing with security threats even before their occurrence. For example, ASAM would influence (Figure 9) the attacker by exploiting OODA loop (Observe, Orient, Decide, and Act), which is a decision-making model and a part of Colonel John Boyd’s Asymmetric Fast Transient theory of conflict (Boyd 1987). The central tenet of OODA theory from military perspective is to defeat the adversary strategically, by psychological paralysis (Value Based Management 2011). Accordingly, covering issues ranging from Basic Knowledge to Advanced Knowledge the extended theoretical model of ASAM appears like below: Figure 14: Overall Model for Active Cyber Situational Awareness Defense Reference Aschenbruck, Nils, Peter Martini, Michael Meier, and Jens Tölle. Future Security: 7th Security Research Conference, Future Security 2012, Bonn, Germany, September 4-6, 2012. Proceedings. Berlin, Heidelberg: Springer Berlin Heidelberg, 2012. Internet resource. Cumiford, Leslie D. Situation Awareness for Cyber Defense. Ft. Belvoir: Defense Technical Information Center, 2006. Internet resource. Jajodia, Sushil. Cyber Situational Awareness: Issues and Research. New York: Springer, 2010. Internet resource. Klein, Gabriel, Simon Hunke, Heiko Günther, and Marko Jahnke. "Model-based Cyber Defense Situational Awareness." 35.1 (n.d.). Print. Kumar, Vipin, Yongdae Kim, Jaideep Srivastava, Zhi-Li Zhang, Mark Shaneck, Varun Chandola, Haiyang Liu, Changho Choi, Gyorgy Simon, and Eric Eilertson. Situational Awareness Analysis Tools for Aiding Discovery of Security Events and Patterns. Ft. Belvoir: Defense Technical Information Center, 2005. Internet resource. Leigh, Flagg, Streeter Gordon, and Potter Andrew. Bringing Knowledge to Network Defense. Society for Computer Simulation International, PO Box 17900, San Diego, CA 92177, USA, 2007. Print. Bottom of Form Malviya, Ashish, Glenn A. Fink, Landon H. Sego, and Barbara E. Endicott-Popovsky. Situational Awareness As a Measure of Performance in Cyber Security Collaborative Work. United States: IEEE Computer Society, Los Alamitos, CA, United States(US, n.d.. Print. Malware Forensics: Discovery of the Intent of Deception. Research Online, 2010. Internet resource Myles A. McQueen, Wayne F. Boyer. Deception Used for Cyber Defense of Control System: 2009. INL/CON-08-15204 Preprint Onwubiko, Cyril, and Thomas Owens. Situational Awareness in Computer Network Defense: Principles, Methods and Applications. Hershey, Pa: IGI Global (701 E. Chocolate Avenue, Hershey, Pennsylvania, 17033, USA, 2012. Print. Top of Form Read More