Modelling the Security Analyst’s Role: Effects of Similarity and Past Experience on Cyber Attack Detection

Cyber attacks, the disruption of the normal functioning of computers in a network due to malicious events (threats), are becoming widespread. Security analysts are likely to play an important role in protecting networks by detecting cyber attacks accurately and in a timely manner. However, little is currently known about how certain cognitive factors might influence the analyst's accurate and timely detection. In this paper, we investigate the role of two cognitive factors that are likely to influence a simulated analyst's detection of cyber attacks: (i) the similarity between present and past events and (ii) past experience. We use an existing cognitive model, based on Instance-Based Learning Theory (IBLT), that represents the decision-making process of a security analyst. We manipulate the experience and similarity assumptions in the model and evaluate their effects on the model's accurate and timely detection of cyber attacks. The IBL model was defined by its experience of threats in memory, either threat-prone (75% threats and 25% non-threats) or non-threat-prone (25% threats and 75% non-threats), and by the similarity mechanism used to compare experiences in memory with network events, either geometric or feature-based. Results reveal that experience plays a significant role in cyber attack detection, while the role of similarity is much smaller. We highlight the implications of our findings for training human security analysts in their job.
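As an added illustration (not the paper's model or code), the following Python sketch runs a simplified IBL-style blending over stored instances across the 2x2 design described above: threat-prone versus non-threat-prone memory, and a Shepard-style geometric similarity versus a Tversky-style feature-based similarity. The event attributes, prototypes and parameter values are constructed assumptions.

```python
import math

# Constructed prototype events (assumed attribute names, values scaled to [0, 1]):
# a scanning-like threat and a benign baseline. Not taken from the paper.
THREAT = {"rate": 0.9, "fanout": 0.8, "new_ip": 1.0}
BENIGN = {"rate": 0.2, "fanout": 0.1, "new_ip": 0.0}

def build_memory(n, threat_share):
    """Past experience: n stored instances, threat_share of them labelled as threats."""
    k = round(n * threat_share)
    return [(THREAT, True)] * k + [(BENIGN, False)] * (n - k)

def geometric_sim(a, b):
    """Geometric similarity: exponential decay with Euclidean distance (Shepard-style)."""
    return math.exp(-math.sqrt(sum((a[k] - b[k]) ** 2 for k in a)))

def feature_sim(a, b, bucket=0.25):
    """Feature-based similarity: Tversky ratio model over (attribute, bucket) features."""
    fa = {(k, round(v / bucket)) for k, v in a.items()}
    fb = {(k, round(v / bucket)) for k, v in b.items()}
    common = len(fa & fb)
    return common / (common + len(fa - fb) + len(fb - fa))

def threat_probability(event, memory, sim, mp=2.0, tau=0.25):
    """Blend retrieved instances: activation is a mismatch penalty mp * (sim - 1),
    retrieval probability follows a Boltzmann (softmax) rule with temperature tau,
    and the blended outcome is the probability that the event is a threat."""
    weights = [math.exp(mp * (sim(event, inst) - 1.0) / tau) for inst, _ in memory]
    total = sum(weights)
    return sum(w for w, (_, is_threat) in zip(weights, memory) if is_threat) / total

def compare(event, n=8):
    """Evaluate one event under experience (memory mix) x similarity mechanism."""
    memories = {"threat-prone": build_memory(n, 0.75),
                "nonthreat-prone": build_memory(n, 0.25)}
    sims = {"geometric": geometric_sim, "feature-based": feature_sim}
    return {(m, s): round(threat_probability(event, mem, f), 3)
            for m, mem in memories.items() for s, f in sims.items()}

if __name__ == "__main__":
    ambiguous = {"rate": 0.55, "fanout": 0.45, "new_ip": 0.5}  # equidistant from both
    clear = {"rate": 0.85, "fanout": 0.75, "new_ip": 1.0}      # near the threat prototype
    for name, ev in (("ambiguous", ambiguous), ("clear threat", clear)):
        for (mem, sim), p in compare(ev).items():
            print(f"{name:13s} {mem:16s} {sim:14s} P(threat)={p:.3f}")
```

For the ambiguous event the two similarity mechanisms agree, and the stored experience alone decides the outcome (0.75 versus 0.25); for the clear threat both memories give a high threat probability, with the similarity choice shifting it only slightly.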
