Situational Understanding and Diagnostics

Autonomous Intelligent Cyber Defense Agent (AICA)

Part of the book series: Advances in Information Security ((ADIS,volume 87))

Abstract

This chapter describes situational understanding and diagnostics for autonomous cyber-defense agents. It covers architectural patterns, functional aspects, and interfaces with other agent capabilities. It motivates the need for situational understanding and diagnostics, outlines the major challenges to be met, and considers several illustrative examples. The material centers on the core requirements of situational understanding: diagnosing the nature of a situation, projecting possible future states, assessing associated risks, and triggering responses when situations warrant them. From a functional standpoint, this chapter describes how an agent processes sensed information, continually updates its knowledge base, and assesses a given situation. It examines how these functions must consider adversarial presence, system vulnerabilities, potential adversarial movement, and cyber-to-mission dependencies. This chapter describes agent world models to be instantiated for a given situation, which span the agent, the defended system, perceived threats, and mission context. It also considers methods for managing model and algorithmic complexity and for adapting to new situations, along with practical concerns for agents deployed within operational environments.

Author information

Corresponding author: Steven Noel

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Cite this chapter

Noel, S., Swarup, V. (2023). Situational Understanding and Diagnostics. In: Kott, A. (eds) Autonomous Intelligent Cyber Defense Agent (AICA). Advances in Information Security, vol 87. Springer, Cham. https://doi.org/10.1007/978-3-031-29269-9_5

  • DOI: https://doi.org/10.1007/978-3-031-29269-9_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-29268-2

  • Online ISBN: 978-3-031-29269-9

  • eBook Packages: Computer Science (R0)
