Cyber Situation Awareness: Rational Methods versus Instance-Based Learning Theory for Cyber Threat Detection

Abstract

Cyber-attacks pose a grave threat to corporations and disrupt their normal functioning. The number of cyber attacks has been ever increasing and due to the loss of priceless information on account of these attacks there is an urgent necessity to check their prevalence. In this regard, the role of a security analyst, a human decision maker whose task is to accurately and timely detect cyber attacks,, is becoming indispensable. In this paper, we try to evaluate the popular view that a rational approach to cyber attack detection would likely yield better results than a cognitive approach applied to the same problem. An existing cognitive model, based upon Instance-Based Learning Theory (IBLT), is used to detail the decision-making process of a security analyst. Also, the same analyst’s decision-making process is detailed using a rational-actor Naïve Bayes Classifier (NBC) model. Both the IBL and NBC models are evaluated in their ability to accurately and timely detect cyber attacks in scenarios that differ in an attacker’s strategy: patient (threats occur late in an attack) and impatient (threats occur early in an attack). Results reveal that, in general, the IBL model has greater accuracy and timeliness in detecting cyber threats compared to the NBC model; however, the benefits of the cognitive (IBL) approach only show-up when the attacker’s strategy is impatient rather than patient. We discuss the implications of our results for cyber security.


Back to Table of Contents