How to Use Experience in Cyber Analysis: An Analytical Reasoning Support System
Chen Zhong, Deepak Kirubakaran, John Yen, Peng Liu (Pennsylvania State University)
Steve Hutchinson, Hasan Cam (Army Research Lab)
Cyber Analysis is a Critical Issue
• Email attack
• Attack web applications
• Use public information
• Social engineering
Analysts are Doing Important Work
[Network topology diagram: Internet (50.100.*.*) and internal network (10.1.*.*), monitored by Snort IDS #1 / Tcpdump #1 and Snort IDS #2 / Tcpdump #2. Hosts: DNS Server 130.203.50.2, Internal Database 130.203.157.203, Internal File Server 130.203.157.212, Web Server 130.203.50.11, Mail Server 130.203.50.22, PC1 130.203.158.101, PC2 130.203.158.102, PC5 130.203.158.105]
• Monitor the data
• Detect the “true signal”
• Connect the dots
• Make judgments
Analytical Reasoning
Goal:
• What has happened?
• How did it happen?
• What will happen?
Big Challenges for Analysts
[Network topology diagram, as on the previous slide]
Data sources:
• IDS Alerts
• Web Server Logs
• File Server Logs
• DB Logs
• Packet Dumps
• Anti-Virus Reports
• Vulnerability Reports
• Firewall Logs
Challenges:
• Data are overwhelming and noise-abundant.
• Attacks are increasingly complex and subtle.
• Limited capability for data processing and analytical reasoning.
• Limited resources of analysts.
? GAP
How to solve it?
• How can we improve the overall performance of the analysts?
• How can we make full use of the limited resources?
Sense-Making
• Information Seeking
• Insight Development
Experience
Stages: Observation, Analyzing, Producing
Questions: What to look into? What does it mean? How to verify?
Reasoning elements: Observation, Hypothesis, Action, Result/conclusion
Experience should be fully used in cyber analysis.
Expert vs. Novice
Case Study: Monitoring Data
[Network topology diagram, as on the earlier slides]
• Eight monitoring data sets
(1) Experience Capturing/Using Option
(2) Experience Guidance
• Retrieved E-Trees
• Details of selected EU
(3) Hypotheses Navigation
• H-Tree
• Details of the selected hypothesis
Case Study
• Scenario 1
• Scenario 2
To Recap: Experience Model
• Formally represented for retrieval
• Free text to capture thoughts