Cyber Situation Awareness: Modelling the Effects of Similarity and Scenarios on Cyber Attack Detection

Abstract

Cyber attacks, the disruption of the normal functioning of networked computers by malicious events (threats), are becoming widespread. Security analysts, who are tasked with protecting networks by detecting cyber attacks accurately and in a timely manner, are therefore becoming increasingly important. However, little is currently known about how cognitive and environmental factors influence an analyst's accurate and timely detection of cyber attacks. In this paper we investigate the role of similarity (how an analyst compares network events with experiences stored in memory) and the role of attack strategy (how an attacker times the threats within a scenario) in timely and accurate cyber attack detection. An existing cognitive model, based on Instance-Based Learning Theory (IBLT), represents the decision-making process of a security analyst. We manipulate the attack strategy and the similarity assumptions in this model and evaluate how each manipulation affects the model's accurate and timely detection of cyber attacks. The IBL model compares experiences in memory with network events using one of two similarity mechanisms: geometric (the model uses geometric distance to evaluate similarity) and feature-based (the model uses common and uncommon features to evaluate similarity). Attack strategy is manipulated as patient (all threats occur at the end of a scenario) or impatient (all threats occur at the beginning of a scenario). Results reveal that attack strategy plays a significant role in cyber attack detection, whereas similarity plays no role.
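To make the manipulations described in the abstract concrete, the following is an added, runnable illustration; it is not the authors' model or data. It builds a minimal IBL-style analyst whose memory holds (event, outcome) instances, retrieves them by ACT-R-style activation (a base-level recency/frequency term plus a partial-matching penalty weighted by similarity) and blends the retrieved outcomes into a threat judgement. The two similarity mechanisms (geometric distance on a feature vector, and a Tversky-style common-minus-uncommon feature count) are swappable, and the same constructed event stream is played in "impatient" order (threats first) and "patient" order (threats last). The activation formula, the parameter values (`decay`, `mismatch`, `temperature`, the feature tolerance `tol`), the three feature dimensions and every sample event are assumptions chosen for the example, not values from the paper.

```python
"""Added illustration of an Instance-Based Learning (IBL) analyst with two
similarity mechanisms and two attack-timing scenarios.  Not the paper's model:
activation form, parameters and sample events are all assumptions."""
import math
from typing import Callable, Dict, List, Tuple

Features = Tuple[float, ...]
Similarity = Callable[[Features, Features], float]


def geometric_similarity(a: Features, b: Features) -> float:
    """1 minus Euclidean distance, normalised to [0, 1] when every feature is
    scaled to [0, 1] (assumption)."""
    dist = math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    return 1.0 - dist / math.sqrt(len(a))


def feature_similarity(a: Features, b: Features, tol: float = 0.25) -> float:
    """Tversky-style contrast: common features count for, uncommon features
    against.  Two values are 'common' when they differ by at most tol
    (assumed threshold).  Result lies in [-1, 1]."""
    common = sum(1 for x, y in zip(a, b) if abs(x - y) <= tol)
    uncommon = len(a) - common
    return (common - uncommon) / len(a)


class IBLAnalyst:
    """Memory of (features, was_threat, [times seen]).  Activation is an ACT-R
    style base level (recent/frequent experiences are more active) plus a
    partial-matching penalty for dissimilarity.  No noise, so runs repeat."""

    def __init__(self, similarity: Similarity, decay: float = 0.5,
                 mismatch: float = 2.0, temperature: float = 0.25) -> None:
        self.similarity = similarity
        self.decay = decay              # d in the base-level power law (assumed)
        self.mismatch = mismatch        # weight of the partial-matching penalty (assumed)
        self.temperature = temperature  # Boltzmann temperature for retrieval (assumed)
        self.memory: List[Tuple[Features, bool, List[int]]] = []
        self.clock = 0                  # number of experiences stored so far

    def remember(self, event: Features, threat: bool) -> None:
        """Store feedback for an event; an identical experience is reinforced."""
        self.clock += 1
        for feats, outcome, times in self.memory:
            if feats == event and outcome == threat:
                times.append(self.clock)
                return
        self.memory.append((event, threat, [self.clock]))

    def _activation(self, feats: Features, times: List[int], event: Features) -> float:
        now = self.clock + 1
        base = math.log(sum((now - t) ** (-self.decay) for t in times))
        return base + self.mismatch * (self.similarity(feats, event) - 1.0)

    def threat_probability(self, event: Features) -> float:
        """Blended judgement: retrieval-weighted share of threat instances."""
        if not self.memory:
            return 0.5
        acts = [self._activation(f, t, event) for f, _, t in self.memory]
        top = max(acts)  # subtract the maximum before exp() for numerical safety
        weights = [math.exp((a - top) / self.temperature) for a in acts]
        threat_weight = sum(w for w, (_, thr, _) in zip(weights, self.memory) if thr)
        return threat_weight / sum(weights)

    def classify(self, event: Features) -> bool:
        return self.threat_probability(event) >= 0.5


# Constructed sample data (not from the paper).  Each event is
# (bytes transferred, distinct destination ports, failed logins), scaled to [0, 1].
PRIOR_EXPERIENCE = [((0.1, 0.1, 0.0), False), ((0.2, 0.1, 0.1), False),
                    ((0.9, 0.8, 0.7), True), ((0.8, 0.9, 0.9), True)]
THREATS = [((0.5, 0.5, 0.4), True),  # low-and-slow threat, half-way between benign and hostile
           ((0.85, 0.85, 0.8), True), ((0.9, 0.7, 0.9), True)]
BENIGN = [((0.15, 0.2, 0.0), False), ((0.1, 0.0, 0.1), False),
          ((0.3, 0.1, 0.0), False), ((0.2, 0.2, 0.1), False)]


def run_scenario(similarity: Similarity, strategy: str) -> Dict[str, int]:
    """Play one scenario for a fresh analyst seeded with PRIOR_EXPERIENCE.
    'impatient' puts all threats first, 'patient' puts them last.  The true
    label is fed back after every decision.  'delay' is the number of events
    between the first threat and the first detected threat (-1 if none)."""
    if strategy not in ("impatient", "patient"):
        raise ValueError(strategy)
    analyst = IBLAnalyst(similarity)
    for feats, is_threat in PRIOR_EXPERIENCE:
        analyst.remember(feats, is_threat)
    events = THREATS + BENIGN if strategy == "impatient" else BENIGN + THREATS
    first_threat = next(i for i, (_, t) in enumerate(events) if t)
    hits = false_alarms = 0
    first_hit = None
    for i, (feats, is_threat) in enumerate(events):
        flagged = analyst.classify(feats)
        if flagged and is_threat:
            hits += 1
            first_hit = i if first_hit is None else first_hit
        elif flagged:
            false_alarms += 1
        analyst.remember(feats, is_threat)
    return {"hits": hits, "threats": len(THREATS), "false_alarms": false_alarms,
            "delay": (first_hit - first_threat) if first_hit is not None else -1}


if __name__ == "__main__":
    for name, sim in (("geometric", geometric_similarity), ("feature-based", feature_similarity)):
        for strategy in ("impatient", "patient"):
            print(f"{name:13s} {strategy:9s} {run_scenario(sim, strategy)}")
```

With this constructed stream the outcome follows the abstract's pattern rather than proving it: under both similarity mechanisms the impatient scenario catches all three threats with no delay, while in the patient scenario the run of benign traffic beforehand leaves the most active instances in memory benign, so the low-and-slow threat that opens the attack is missed and the first hit comes one event later. Swapping geometric for feature-based similarity changes the activations but not the decisions; the recency term of the base-level activation is what the scenario order manipulates, which is the effect a practitioner would want to measure in their own analysts.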

