Ontology-based Adaptive Systems of Cyber Defense

In this paper we outline a holistic approach for understanding and simulating human decision making in knowledge-intensive tasks. To this end, we integrate semantic and cognitive models in a hybrid computational architecture. The contribution of the paper is twofold. First, we describe a packet-centric ontology for representing network traffic; we show how the ontology describes real-world network traffic and how it serves as a basis for higher-level ontologies of cyber operations, threats and risk. Second, we demonstrate how combining the packet-centric ontology with an adaptive cognitive agent with learning capabilities can be used to understand the reasoning processes of a human defender monitoring network traffic. Through simulation experiments we evaluate the proposed hybrid architecture and demonstrate its ability to detect malicious port scanning within legitimate network traffic. We discuss the implications of these findings for improving our understanding of the cognitive processes and knowledge requirements of the cyber defender, as well as the possible use of the hybrid architecture as a cognitively inspired decision support tool.
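The abstract describes two layers: packet-level individuals, and cyber-operation concepts such as a port scan built on top of them. The Python below is an added example and is not the paper's ontology or its cognitive agent; it shows the layering in its simplest form. Packet records are the instances, a sliding-window rule promotes a burst of SYN probes from one source to one host into a PortScan individual, and the traffic is constructed inline, mixing a legitimate client with a fast scanner and a slow scanner. The class names, field names, hosts, ports and thresholds are this example's own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    # One packet-level individual. Field names are this example's choice,
    # not the paper's ontology classes (assumption).
    t: float      # seconds since start of capture
    src: str
    dst: str
    dport: int
    proto: str    # "tcp" or "udp"
    flags: str    # TCP flags, e.g. "S" = SYN only; "" for UDP


@dataclass
class PortScan:
    # A higher-level individual derived from packets: the kind of concept a
    # cyber-operation ontology layered over the packet ontology would carry.
    src: str
    dst: str
    ports: list
    start: float
    end: float


def detect_port_scans(packets, window=10.0, min_ports=8):
    """Flag (src, dst) pairs whose SYN-only TCP packets reach at least
    `min_ports` distinct destination ports within any `window`-second span.
    Packets are time-sorted per pair and scanned with a sliding window."""
    by_pair = defaultdict(list)
    for p in sorted(packets, key=lambda pkt: pkt.t):
        if p.proto == "tcp" and p.flags == "S":
            by_pair[(p.src, p.dst)].append(p)

    scans = {}
    for (src, dst), pkts in by_pair.items():
        i = 0
        for j, pj in enumerate(pkts):
            while pj.t - pkts[i].t > window:   # evict packets older than the window
                i += 1
            ports = {q.dport for q in pkts[i:j + 1]}
            if len(ports) >= min_ports:
                scan = scans.get((src, dst))
                if scan is None:
                    scans[(src, dst)] = PortScan(src, dst, sorted(ports), pkts[i].t, pj.t)
                else:                           # extend an already-flagged scan
                    scan.ports = sorted(set(scan.ports) | ports)
                    scan.end = pj.t
    return scans


def _syn(t, src, dst, port):
    return Packet(t, src, dst, port, "tcp", "S")


# Constructed sample traffic (not a real capture).
TRAFFIC = (
    # legitimate client: a few connections to 80/443 plus one DNS query
    [_syn(0.0, "10.0.0.5", "10.0.0.1", 80),
     _syn(0.5, "10.0.0.5", "10.0.0.1", 443),
     _syn(1.0, "10.0.0.5", "10.0.0.1", 80),
     Packet(2.0, "10.0.0.5", "10.0.0.1", 53, "udp", ""),
     _syn(3.0, "10.0.0.5", "10.0.0.1", 443)]
    # fast scanner: 9 ports probed in under two seconds
    + [_syn(5.0 + 0.2 * k, "10.0.0.99", "10.0.0.1", port)
       for k, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3389])]
    # slow scanner: 8 ports spread over about a minute, one probe every 8 s
    + [_syn(20.0 + 8.0 * k, "10.0.0.77", "10.0.0.1", port)
       for k, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443])]
)

if __name__ == "__main__":
    for (src, dst), scan in detect_port_scans(TRAFFIC).items():
        print(f"port scan {src} -> {dst}: ports {scan.ports} between t={scan.start} and t={scan.end}")
```

With the defaults only the fast scanner is reported. Widening the window to 120 s also catches the slow scanner, while lowering `min_ports` to 2 makes the legitimate client look like a scan: the detector's value depends entirely on where those two thresholds sit, which is the trade-off an adaptive agent has to learn from experience rather than take from a fixed rule.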
