Cyber Situation Awareness: Modeling the Security Analyst in a Cyber-Attack Scenario through Instance-Based Learning

In a corporate network, the situation awareness (SA) of a security analyst is of particular interest. A security analyst is in charge of observing the online operations of a corporate network (e.g., an online retail company with an external webserver and an internal fileserver) from threats of random or organized cyber-attacks. The current work describes a cognitive Instance-based Learning (IBL) model of the recognition and comprehension processes of a security analyst in a simple cyber-attack scenario. The IBL model first recognizes cyber-events (e.g., execution of a file on a server) in the network based upon events’ situation attributes and the similarity of events’ attributes to past experiences (instances) stored in analyst’s memory. Then, the model reasons about a sequence of observed events being a cyber-attack or not, based upon instances retrieved from memory and the risk-tolerance of a simulated analyst. The execution of the IBL model generates predictions of the recognition and comprehension processes of security analyst in a cyber-attack. An analyst’s decisions are evaluated in the model based upon two cyber SA metrics of accuracy and timeliness of analyst’s decision actions. Future work in this area will focus on collecting human data to validate the predictions made