Visible to the public Situational Awareness 2015Conflict Detection Enabled

SoS Newsletter- Advanced Book Block


SoS Logo

Situational Awareness 2015


Situational awareness is an important human factor for cyber security that impacts resilience, predictive metrics, and composability.  The works cited here were presented in 2015.

Hall, M.J.; Hansen, D.D.; Jones, K., "Cross-domain situational awareness and collaborative working for cyber security," in Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015 International Conference on, pp. 1-8, 8-9 June 2015. doi: 10.1109/CyberSA.2015.7166110

Abstract: Enhancing situational awareness is a major goal for organisations spanning many sectors, working across many domains. An increased awareness of the state of environments enables improved decision-making. Endsley's model of situational awareness has improved the understanding for the design of decision-support systems. This paper presents and discusses a theoretical model to extend this to cross-domain working to influence the design of future collaborative systems. A use-case is discussed within a military context of the use of this model for cross-domain working between an operational-domain and cyber security-domain.

keywords: decision making;decision support systems;groupware;security of data;collaborative working;cross-domain situational awareness;cyber security-domain;decision-support systems;future collaborative systems;improved decision-making;operational-domain;Aerodynamics;Collaboration;Context;Decision making;Feeds;Malware;Collaboration;Cross Domain;Cyber Security;Situational Awareness (ID#: 16-9269)



Skopik, F.; Wurzenberger, M.; Settanni, G.; Fiedler, R., "Establishing national cyber situational awareness through incident information clustering," in Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015 International Conference on, pp. 1-8, 8-9 June 2015. doi: 10.1109/CyberSA.2015.7166126

Abstract: The number and type of threats to modern information and communication networks has increased massively in the recent years. Furthermore, the system complexity and interconnectedness has reached a level which makes it impossible to adequately protect networked systems with standard security solutions. There are simply too many unknown vulnerabilities, potential configuration mistakes and therefore enlarged attack surfaces and channels. A promising approach to better secure today's networked systems is information sharing about threats, vulnerabilities and indicators of compromise across organizations; and, in case something went wrong, to report incidents to national cyber security centers. These measures enable early warning systems, support risk management processes, and increase the overall situational awareness of organizations. Several cyber security directives around the world, such as the EU Network and Information Security Directive and the equivalent NIST Framework, demand specifically national cyber security centers and policies for organizations to report on incidents. However, effective tools to support the operation of such centers are rare. Typically, existing tools have been developed with the single organization as customer in mind. These tools are often not appropriate either for the large amounts of data or for the application use case at all. In this paper, we therefore introduce a novel incident clustering model and a system architecture along with a prototype implementation to establish situational awareness about the security of participating organizations. This is a vital prerequisite to plan further actions towards securing national infrastructure assets.

keywords: business data processing;national security;organisational aspects;pattern clustering;security of data;software architecture;EU Network and Information Security Directive;NIST framework;attack channels;attack surfaces;cyber security directives;early warning systems;incident information clustering;information and communication networks;information sharing;national cyber security centers;national cyber situational awareness;national infrastructure assets;networked systems protection;organizations;risk management processes;standard security solutions;system architecture;system complexity;system interconnectedness;threats;Clustering algorithms;Computer security;Information management;Market research;Organizations;Standards organizations (ID#: 16-9270)



Shovgenya, Y.; Skopik, F.; Theuerkauf, K., "On demand for situational awareness for preventing attacks on the smart grid," in Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015 International Conference on, pp. 1-4, 8-9 June 2015. doi: 10.1109/CyberSA.2015.7166133

Abstract: Renewable energy sources and widespread small-scale power generators change the structure of the power grid, where actual power consumers also temporarily become suppliers. Smart grids require continuous management of complex operations through utility providers, which leads to increasing interconnections and usage of ICT-enabled industrial control systems. Yet, often insufficiently implemented security mechanisms and the lack of appropriate monitoring solutions will make the smart grid vulnerable to malicious manipulations that may possibly result in severe power outages. Having a thorough understanding about the operational characteristics of smart grids, supported by clearly defined policies and processes, will be essential to establishing situational awareness, and thus, the first step for ensuring security and safety of the power supply.

keywords: electric generators;electricity supply industry;industrial control;power consumption;power generation control;power generation reliability;power system interconnection;power system management;power system security;renewable energy sources;smart power grids;ICT-enabled industrial control system;actual power consumer;implemented security mechanism;power supply safety;power supply security;renewable energy source;situational awareness;small-scale power generator;smart power grid;Europe;Generators;Power generation;Renewable energy sources;Security;Smart grids;Smart meters;industrial control systems;situational awareness;smart generator;smart grid (ID#: 16-9271)



Song, R.; Brown, J.D.; Tang, H.; Salmanian, M., "Secure and efficient routing by Leveraging Situational Awareness Messages in tactical edge networks," in Military Communications and Information Systems (ICMCIS), 2015 International Conference on, pp. 1-8, 18-19 May 2015. doi: 10.1109/ICMCIS.2015.7158713

Abstract: A desired capability in military operations is the reliable and efficient sharing of Situational Awareness (SA) data at the tactical edge network. Many implementations of SA sharing in the literature use frequent broadcasts of SA messages in order to provide an up-to-date and comprehensive operating picture to all nodes. However, SA sharing may result in an increase in bandwidth requirements at the tactical edge, where power and bandwidth are scarce. Efficient realtime routing is also a challenge in a tactical edge network. We believe there is a good opportunity to leverage the realtime periodic SA messages for assisting routing services. To the best of our knowledge, little research has been done on this front. In this paper, we propose a secure and efficient routing by leveraging SA messages (SER-SA) in tactical edge mobile ad hoc networks. The SER-SA protocol utilizes realtime broadcast SA messages to not only transmit SA data but also to facilitate Multipoint Relay (MPR) node selection and route discovery for providing both realtime broadcast and unicast communication services. In SER-SA, broadcast forwarding is performed only by MPR nodes, which can reduce bandwidth usage compared to pure flooding methods such as Multicast Ad hoc On-Demand Distance Vector Routing (MAODV). In addition, we reduce bandwidth usage even further by both avoiding dissemination of specific designated routing messages in the network and enhancing the (traditionally local) MPR selection algorithm based on a global algorithm enabled by the shared global SA. We show through simulations that the proposed SER-SA protocol facilitates route discovery in a more bandwidth efficient manner. As a result, it performs better in terms of delivery ratio for providing both broadcast and unicast services in tactical scenarios compared to the existing MANET multicast routing protocols such as Multicast Optimized Link State Routing and MAODV.

keywords: broadcast communication;military communication;mobile ad hoc networks;relay networks (telecommunication);routing protocols;telecommunication security;MPR selection algorithm;SA message leveraging;SER- SA routing protocol;SER-SA;bandwidth usage reduction;broadcast communication service;multipoint relay node selection;route discovery;situational awareness message leveraging;tactical edge mobile ad hoc network security;unicast communication service;Bandwidth;Network topology;Routing;Routing protocols;Topology;Unicast (ID#: 16-9272)



Evesti, A.; Frantti, T., "Situational Awareness for security adaptation in Industrial Control Systems," in Ubiquitous and Future Networks (ICUFN), 2015 Seventh International Conference on, pp. 1-6, 7-10 July 2015. doi: 10.1109/ICUFN.2015.7182484

Abstract: Situational Awareness (SA) offers an analysed view of system's security posture. Securing Industrial Control Systems (ICSs) and critical infrastructures requires timely and correct SA. System administrators make decisions and modify security mechanisms based on SA information. In this paper, we envision how security adaptation can facilitate administrators' work in the ICS protection. Security adaptation is not widely applied in ICS context. Moreover, existing security adaptation approaches concentrate on recognition of an adaptation need, i.e,. building situational awareness, instead of security decision making. Therefore, we present steps to create a security adaptation plan, and apply fuzzy set theory and linguistic relations for decision making, when SA information indicates that required security is not reached.

keywords: control engineering computing;critical infrastructures;decision making;industrial control;security of data;ICS protection;SA information;fuzzy set theory;industrial control systems;linguistic relations;security adaptation approach;security adaptation plan;security decision making;security mechanisms;system administrators;system security posture;Adaptation models;Analytical models;Authentication;Decision making;Monitoring;Pragmatics;ICS;critical infrastructure;decision making;self-adaptation;self-protection (ID#: 16-9273)



Gray, C.C.; Ritsos, P.D.; Roberts, J.C., "Contextual network navigation to provide situational awareness for network administrators," in Visualization for Cyber Security (VizSec), 2015 IEEE Symposium on, pp. 1-8, 25-25 Oct. 2015. doi: 10.1109/VIZSEC.2015.7312769

Abstract: One of the goals of network administrators is to identify and block sources of attacks from a network steam. Various tools have been developed to help the administrator identify the IP or subnet to be blocked, however these tend to be non-visual. Having a good perception of the wider network can aid the administrator identify their origin, but while network maps of the Internet can be useful for such endeavors, they are difficult to construct, comprehend and even utilize in an attack, and are often referred to as being “hairballs”. We present a visualization technique that displays pathways back to the attacker; we include all potential routing paths with a best-efforts identification of the commercial relationships involved. These two techniques can potentially highlight common pathways and/or networks to allow faster, more complete resolution to the incident, as well as fragile or incomplete routing pathways to/from a network. They can help administrators re-profile their choice of IP transit suppliers to better serve a target audience.



keywords: IP networks;Internet;computer network security;data visualisation;telecommunication network routing;IP;IP transit suppliers;Internet;attacks sources;best-efforts identification;commercial relationships;contextual network navigation;hairballs;incomplete routing pathways;network administrators;network maps;network steam;routing paths;situational awareness;subnet;visualization technique;Data visualization;Internet;Navigation;Peer-to-peer computing;Planning;Routing;Visualization (ID#: 16-9274)



Sheng Miao; Hammell, R.J.; Ziying Tang; Hanratty, T.; Dumer, J.; Richardson, J., "Integrating complementary/contradictory information into fuzzy-based VoI determinations," in Computational Intelligence for Security and Defense Applications (CISDA), 2015 IEEE Symposium on, pp. 1-7, 26-28 May 2015. doi: 10.1109/CISDA.2015.7208636

Abstract: In today's military environment vast amounts of disparate information are available. To aid situational awareness it is vital to have some way to judge information importance. Recent research has developed a fuzzy-based system to assign a Value of Information (VoI) determination for individual pieces of information. This paper presents an investigation of the effect of integrating subsequent complementary and/or contradictory information into the VoI process. Specifically, the idea of using complementary and/or contradictory new information to impact the previously used fuzzy membership values for the information content characteristic applied in the VoI calculations is shown to be a particularly suitable approach.

keywords: content-addressable storage;fuzzy set theory;information systems;military computing;VoI process;complementary-contradictory information integration;fuzzy membership values;fuzzy-based VoI determinations;fuzzy-based system;information content characteristics;military environment;situational awareness;value of information determination;Decision support systems;decision support;fuzzy associative memory;intelligence analysis;situational awareness;value of information (ID#: 16-9275)



Onwubiko, C., "Cyber security operations centre: Security monitoring for protecting business and supporting cyber defense strategy," in Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015 International Conference on, pp. 1-10, 8-9 June 2015. doi: 10.1109/CyberSA.2015.7166125

Abstract: Cyber security operations centre (CSOC) is an essential business control aimed to protect ICT systems and support an organisation's Cyber Defense Strategy. Its overarching purpose is to ensure that incidents are identified and managed to resolution swiftly, and to maintain safe & secure business operations and services for the organisation. A CSOC framework is proposed comprising Log Collection, Analysis, Incident Response, Reporting, Personnel and Continuous Monitoring. Further, a Cyber Defense Strategy, supported by the CSOC framework, is discussed. Overlaid atop the strategy is the well-known Her Majesty's Government (HMG) Protective Monitoring Controls (PMCs). Finally, the difficulty and benefits of operating a CSOC are explained.

keywords: government data processing;security of data;CSOC framework;HMG protective monitoring controls;Her Majestys Government;ICT systems;business control;business protection;cyber defense strategy support;cyber security operations centre;information and communications technology;security monitoring;Business;Computer crime;Monitoring;System-on-chip;Timing;Analysis;CSOC;CSOC Benefits & Challenges;CSOC Strategy;Correlation;Cyber Incident Response;Cyber Security Operations Centre;Cyber Situational Awareness;CyberSA;Log Source;Risk Management;SOC (ID#: 16-9276)



Gendreau, A.A., "Situation Awareness Measurement Enhanced for Efficient Monitoring in the Internet of Things," in Region 10 Symposium (TENSYMP), 2015 IEEE, pp. 82-85, 13-15 May 2015. doi: 10.1109/TENSYMP.2015.13

Abstract: The Internet of Things (IoT) is a heterogeneous network of objects that communicate with each other and their owners over the Internet. In the future, the utilization of distributed technologies in combination with their object applications will result in an unprecedented level of knowledge and awareness, creating new business opportunities and expanding existing ones. However, in this paradigm where almost everything can be monitored and tracked, an awareness of the state of the monitoring systems' situation will be important. Given the anticipated scale of business opportunities resulting from new object monitoring and tracking capabilities, IoT adoption has not been as fast as expected. The reason for the slow growth of application objects is the immaturity of the standards, which can be partly attributed to their unique system requirements and characteristics. In particular, the IoT standards must exhibit efficient self-reliant management and monitoring capability, which in a hierarchical topology is the role of cluster heads. IoT standards must be robust, scalable, adaptable, reliable, and trustworthy. These criteria are predicated upon the limited lifetime, and the autonomous nature, of wireless personal area networks (WPANs), of which wireless sensor networks (WSNs) are a major technological solution and research area in the IoT. In this paper, the energy efficiency of a self-reliant management and monitoring WSN cluster head selection algorithm, previously used for situation awareness, was improved upon by sharing particular established application cluster heads. This enhancement saved energy and reporting time by reducing the path length to the monitoring node. Also, a proposal to enhance the risk assessment component of the model is made. We demonstrate through experiments that when benchmarked against both a power and randomized cluster head deployment, the proposed enhancement to the situation awareness metric used less power. Potentially, this approac- can be used to design a more energy efficient cluster-based management and monitoring algorithm for the advancement of security, e.g. Intrusion detection systems (IDSs), and other standards in the IoT.

keywords: Internet of Things;personal area networks;security of data;wireless sensor networks;Internet of Things;WPAN;WSN;distributed technologies;efficient self-reliant management and monitoring capability;heterogeneous network;object monitoring and tracking capabilities;situation awareness measurement;situation awareness metric;wireless personal area networks;wireless sensor networks;Energy efficiency;Internet of things;Monitoring;Security;Standards;Wireless sensor networks;Internet of Things;Intrusion detection system;Situational awareness;Wireless sensor networks (ID#: 16-9277)



Abraham, S.; Nair, S., "A Novel Architecture for Predictive CyberSecurity Using Non-homogenous Markov Models," in Trustcom/BigDataSE/ISPA, 2015 IEEE, vol. 1, pp. 774-781, 20-22 Aug. 2015. doi: 10.1109/Trustcom.2015.446

Abstract: Evaluating the security of an enterprise is an important step towards securing its system and resources. However existing research provide limited insight into understanding the impact attacks have on the overall security goals of an enterprise. We still lack effective techniques to accurately measure the predictive security risk of an enterprise taking into account the dynamic attributes associated with vulnerabilities that can change over time. It is therefore critical to establish an effective cyber-security analytics strategy to minimize risk and protect critical infrastructure from external threats before it even starts. In this paper we present an integrated view of security for computer networks within an enterprise, understanding threats and vulnerabilities, performing analysis to evaluate the current as well as future security situation of an enterprise to address potential situations. We formally define a non-homogeneous Markov model for quantitative security evaluation using Attack Graphs which incorporates time dependent covariates, namely the vulnerability age and the vulnerability discovery rate to help visualize the future security state of the network leading to actionable knowledge and insight. We present experimental results from applying this model on a sample network to demonstrate the practicality of our approach.

keywords: Markov processes;computer network security;attack graphs;computer networks;cyber security analytics strategy;dynamic attributes;enterprise security goals;external threats;impact attacks;nonhomogeneous Markov model;nonhomogenous Markov Models;predictive cybersecurity;predictive security risk;quantitative security evaluation;time dependent covariates;Biological system modeling;Computer architecture;Computer security;Markov processes;Measurement;Attack Graph;CVSS;Cyber Situational Awareness;Markov Model;Security Metrics;Vulnerability Discovery Model;Vulnerability Lifecycle Model (ID#: 16-9278)



Angelini, M.; Prigent, N.; Santucci, G., "PERCIVAL: proactive and reactive attack and response assessment for cyber incidents using visual analytics," in Visualization for Cyber Security (VizSec), 2015 IEEE Symposium on, pp. 1-8, 25-25 Oct. 2015. doi: 10.1109/VIZSEC.2015.7312764

Abstract: Situational awareness is a key concept in cyber-defence. Its goal is to make the user aware of different and complex aspects of the network he or she is monitoring. This paper proposes PERCIVAL, a novel visual analytics environment that contributes to situational awareness by allowing the user to understand the network security status and to monitor security events that are happening on the system. The proposed visualization allows for comparing the proactive security analysis with the actual attack progress, providing insights on the effectiveness of the mitigation actions the system has triggered against the attack and giving an overview of the possible attack's evolution. Moreover, the same visualization can be fruitfully used in the proactive analysis since it allows for getting details on computed attack paths and evaluating the mitigation actions that have been proactively computed by the system. A preliminary user study provided a positive feedback on the prototype implementation of the system. A video of the system is available at:

keywords: data analysis;data visualisation;security of data;PERCIVAL;cyber incidents;cyber-defence;network security status;proactive attack;proactive security analysis;reactive attack;response assessment;security event monitoring;situational awareness;visual analytics environment;visualization;Context;Network topology;Prototypes;Security;Topology;Visual analytics;Cyber-security;attack paths;incident response assessment;proactive analysis (ID#: 16-9279)



Puuska, S.; Kansanen, K.; Rummukainen, L.; Vankka, J., "Modelling and real-time analysis of critical infrastructure using discrete event systems on graphs," in Technologies for Homeland Security (HST), 2015 IEEE International Symposium on, pp. 1-5, 14-16 April 2015. doi: 10.1109/THS.2015.7225330

Abstract: Critical infrastructure (CI) systems form an interdependent network where failures in one system may quickly affect the state of other linked systems. Real-time modelling and analysis of CI systems gives valuable time-critical insight on the situational status during incidents and standard operation. Obtaining real-time quantitative measurements about the state of CI systems is necessary for situational awareness (SA) purposes. In this paper we present a general framework for real-time critical infrastructure modelling and analysis using discrete event systems (DES) on graphs. Our model augments standard graph-theoretic analysis with elements from automata theory to achieve model which captures interdependencies in CI. The framework was tested on various graphs with differing sizes and degree distributions. The resulting framework was implemented, and benchmarks indicate that it is suitable for real-time SA analysis.

keywords: critical infrastructures;discrete event systems;graph theory;modelling;real-time systems;security of data;CI system;DES;SA;automata theory;critical infrastructure;digital security;discrete event system;graph-theoretic analysis;real-time analysis;real-time modelling;situational awareness;Analytical models;Automata;Benchmark testing;Data models;Discrete-event systems;Monitoring;Real-time systems (ID#: 16-9280)



Farantatos, E.; Del Rosso, A.; Bhatt, N.; Kai Sun; Yilu Liu; Liang Min; Chaoyang Jing; Jiawei Ning; Parashar, M., "A hybrid framework for online dynamic security assessment combining high performance computing and synchrophasor measurements," in Power & Energy Society General Meeting, 2015 IEEE, pp. 1-5, 26-30 July 2015. doi: 10.1109/PESGM.2015.7286581

Abstract: A hybrid simulation/measurement-based framework for online dynamic security assessment (DSA) is proposed in this work. It combines the strengths and features of simulation-based and measurement-based approaches to develop a tool that integrates the results and provides real-time situational awareness on available operating margins against major stability problems. High performance computing capability is suggested and used in the simulation-based engine, while synchrophasor measurements are used as the input to the measurement-based stability assessment algorithms. The proposed framework is expected to provide solid foundation for new generation of real-time DSA tools that are needed for operators to assess in real-time the system's dynamic performance and operational security risk.

keywords: parallel processing;phasor measurement;power system security;power system simulation;power system stability;high performance computing capability;measurement-based stability assessment algorithms;online dynamic security assessment;operational security risk;real-time DSA tools;real-time situational awareness;simulation-based engine;stability problems;synchrophasor measurements;Analytical models;Computational modeling;Power system stability;Real-time systems;Stability criteria;Voltage measurement;Angular Stability;Dynamic Security Assessment;High-Performance Computing;Synchrophasors;Transient Stability;Visualizations;Voltage Stability (ID#: 16-9281)



Cintuglu, M.H.; de Azevedo, R.; Ma, T.; Mohammed, O.A., "Real-time experimental analysis for protection and control of smart substations," in Innovative Smart Grid Technologies Latin America (ISGT LATAM), 2015 IEEE PES, pp. 485-490, 5-7 Oct. 2015. doi: 10.1109/ISGT-LA.2015.7381203

Abstract: To reach the future smart grid vision, comprehensively equipped test beds are required for identification of the vulnerabilities, security concerns and the impact analysis of the new control and protection concepts. The future smart substations are expected to have enhanced capabilities such as wide-area situational awareness, interoperability, and self-sustained generation capability to achieve resilient power grid goals. Prior to field deployment, any new protection and control capabilities should pass rigorous tests. With this motivation, this paper presents a real-time experimental analysis for protection and control of smart substations in a state-of the-art test bed platform. A coordinated wide-area protection approach is proposed for transmission and distribution levels enabling interoperability between IEDs at different layers. An aggregated distributed generation and storage dispatch optimization method is proposed for self-sustained smart substations in case of outage such as a blackout situation. In order to validate the proposed protection and control methods, experimental results are given.

keywords: distributed power generation;power generation dispatch;power generation protection;power grids;power transmission protection;substation protection;aggregated distributed generation;coordinated wide area protection;distribution levels;real-time experimental analysis;resilient power grid;self-sustained generation;smart substation control;smart substation protection;storage dispatch optimization;transmission levels;wide-area situational awareness;IEC Standards;Interoperability;Optimization;Protocols;Real-time systems;Smart grids;Substations;Intelligent electronic device;interoperability;phasor measurement unit;protection;smart grid;substation;test bed (ID#: 16-9282)



Paxton, N.C.; Dae-il Jang; Russell, S.; Gail-Joon Ahn; Moskowitz, I.S.; Hyden, P., "Utilizing Network Science and Honeynets for Software Induced Cyber Incident Analysis," in System Sciences (HICSS), 2015 48th Hawaii International Conference on, pp. 5244-5252, 5-8 Jan. 2015. doi: 10.1109/HICSS.2015.619

Abstract: Increasing situational awareness and investigating the cause of a software-induced cyber attack continues to be one of the most difficult yet important endeavors faced by network security professionals. Traditionally, these forensic pursuits are carried out by manually analyzing the malicious software agents at the heart of the incident, and then observing their interactions in a controlled environment. Both these steps are time consuming and difficult to maintain due to the ever changing nature of malicious software. In this paper we introduce a network science based framework which conducts incident analysis on a dataset by constructing and analyzing relational communities. Construction of these communities is based on the connections of topological features formed when actors communicate with each other. We evaluate our framework using a network trace of the Black Energy malware network, captured by our honey net. We have found that our approach is accurate, efficient, and could prove as a viable alternative to the current status quo.

keywords: computer network security;invasive software;software agents;BlackEnergy malware network;honeynet;malicious software agents;network science based framework;network security professionals;network trace;situational awareness;software induced cyber incident analysis;software-induced cyber attack;topological features;Command and control systems;Communities;IP networks;Laboratories;Malware;Servers;Software;Community Detection;Honeynets;Network Forensics (ID#: 16-9283)



Shan Lu; Kokar, M.M., "A situation assessment framework for cyber security information relevance reasoning," in Information Fusion (Fusion), 2015 18th International Conference on, pp. 1459-1466, 6-9 July 2015.  Doi:  (not provided)

Abstract: Cyber security is one of the most serious economic and national challenges faced by nations all over the world. When a cyber security incident occurs, the critical question that security administrators are concerned about is: What has happened? Cyber situation assessment is critical to making correct and timely defense decisions by the analysts. STIX ontology, which was developed by taking advantage of existing cyber security related standards, is used to represent cyber threat information and infer important features of the cyber situation that help decision makers form their situational awareness. However, due to the widespread application of information technology, security analysts face a challenge in information overload. There are still huge volumes of low level observations captured by various sensors and network tools that need to be used to derive the high level intelligence queries such as potential courses of action and future impact. Therefore, identification of the relevant cyber threat information for a specific query is a crucial procedure for cyber situation assessment. In this paper, we leverage the STIX ontology to represent cyber threat information in a logical framework. In order to recognize specific situation types and identify the minimal and sufficient information for answering a query automatically, we propose an information relevance reasoning mechanism based on situation theory. Finally, we implement our proposed framework using a dataset generated by Skaion corporation.

keywords: inference mechanisms;ontologies (artificial intelligence);security of data;STIX ontology;Skaion corporation;cyber security information relevance reasoning;cyber security related standards;cyber situation assessment framework;cyber threat information;defense decisions;high level intelligence queries;information overload;information technology;security analysts;situation theory;situational awareness;Cognition;Computer security;Computers;Knowledge based systems;Ontologies;Semantics (ID#: 16-9284)



Dawson, S.; Crawford, C.; Dillon, E.; Anderson, M., "Affecting operator trust in intelligent multirobot surveillance systems," in Robotics and Automation (ICRA), 2015 IEEE International Conference on, pp. 3298-3304, 26-30 May 2015. doi: 10.1109/ICRA.2015.7139654

Abstract: Homeland safety and security will increasingly depend upon autonomous unmanned vehicles as a method of assessing and maintaining situational awareness. As autonomous team algorithms evolve toward requiring less human intervention, it may be that having an “operator-in-the-loop” becomes the ultimate goal in utilizing autonomous teams for surveillance. However studies have shown that trust plays a factor in how effectively an operator can work with autonomous teammates. In this work, we study mechanisms that look at autonomy as a system and not as the sum of individual actions. First, we conjecture that if the operator understands how the team autonomy is designed that the user would better trust that the system will contribute to the overall goal. Second, we focus on algorithm input criteria as being linked to operator perception and trust. We focus on adding a time-varying spatial projection of areas in the ROI that have been unseen for more than a set duration (STEC). Studies utilize a custom test bed that allows users to interact with a surveillance team to find a target in the region of interest. Results show that while algorithm training had an adverse effect, projecting salient team/surveillance state had a statistically significant impact on trust and did not negatively affect workload or performance. This result may point at a mechanism for improving trust through visualizing states as used in the autonomous algorithm.

keywords: autonomous aerial vehicles;mobile robots;multi-robot systems;national security;surveillance;ROI;adverse effect;autonomous team algorithms;autonomous teammates;autonomous unmanned vehicles;homeland safety;homeland security;intelligent multirobot surveillance system;operator in the loop;operator perception;operator trust;region of interest;salient team projection;situational awareness;state visualization;surveillance state projection;team autonomy;time-varying spatial projection;Automation;Robots;Standards;Streaming media;Surveillance;Training;User interfaces (ID#: 16-9285)



Balfour, R.E., "Building the “Internet of Everything” (IoE) for first responders," in Systems, Applications and Technology Conference (LISAT), 2015 IEEE Long Island, pp. 1-6, 1-1 May 2015. doi: 10.1109/LISAT.2015.7160172

Abstract: The “Internet of Everything” (IoE) describes the “bringing together of people, process, data, and things to make networked connections more relevant and valuable than ever before”. IoE encompasses both machine-to-machine (M2M) and Internet-of-Things (IoT) technologies, and it is the pervasiveness of IoE than can be leveraged to achieve many things for many people, including first responders. The emerging IoE will continue to evolve over the next ten years and beyond, but the IoT can happen now, with automated M2M communications bringing first responder communications and situational awareness to the leading-edge of IoE-leveraged technology - exactly where they belong as they risk their lives to protect and save others. Presented here are a number of technological capabilities that are critical to achieving the IoE, especially for first responders and emergency managers, including (a) Security; (b) a global M2M standard; (c) powerful four-dimensional M2M applications; and (d) Data Privacy and trust. For advanced security, Software Defined network Perimeters (SDP) can provide the critical functionality to protect and secure M2M nodes in an ad-hoc M2M IoT/IoE network. Without a secure, dynamic, M2M network, the vision of an emergency responder instantly communicating with a “smart building” would not be feasible. But with SDP, it can, and will, happen. SDP enables an ad-hoc, secure M2M network to rapidly deploy and “hide in plain sight”. In an emergency response situation, this is exactly what we need. For M2M/IoT to go mobile and leverage global IoE capabilities anywhere (which is what emergency responders need as emergency locations are somewhat unpredictable and change every day), a global industry standard must be, and is being, developed: oneM2M. And the existing fourDscape® technology/platform could quickly support a oneM2M system structure that can be deployed in the short term, with the fo- rDscape browser providing powerful M2M IoT/IoE applications and 4D visualizations. Privacy-by-design principles can also be applied and other critical related issues addressed beyond privacy (i.e. once privacy is achieved and available IoE sensors/data can be leveraged), such as trusting, scaling, hacking, and securing M2M IoT/IoE devices and systems. Without the full package of IoE innovation embracing the very public IoE world in a very private and secure way, and can continue to evolve in parallel with emerging commercial IoE technology, first responders would not be able to leverage the commercial state-of-the-art in the short term and in the years to come. Current technology innovation can change that.

keywords: Internet of Things;computer crime;data privacy;data visualisation;innovation management;software defined networking;trusted computing;4D visualizations;Internet of Everything;Internet-of-Things technologies;IoE pervasiveness;IoT technologies;M2M network security;SDP;ad-hoc M2M IoT/IoE network;ad-hoc network;automated M2M communications;data privacy;emergency responder;emergency response situation;four-dimensional M2M applications;fourDscape browser;global IoE capabilities;global M2M standard;global industry standard;hacking;machine-to-machine;oneM2M system structure;privacy-by-design principles;responder communications;situational awareness;smart building;software defined network perimeters;technology innovation;trust;Ad hoc networks;Buildings;Computer architecture;Mobile communication;Security;Tablet computers;Internet-of-Everything;Internet-of-Things;IoE;IoT;M2M;Machine-to-Machine;PbD;Privacy-by-Design;SDP;Software Defined Network Perimeters;fourDscape (ID#: 16-9286)



Dwivedi, N.; Tripathi, A., "Event Correlation for Intrusion Detection Systems," in Computational Intelligence & Communication Technology (CICT), 2015 IEEE International Conference on, pp. 133-139, 13-14 Feb. 2015. doi: 10.1109/CICT.2015.111

Abstract: Intrusion Detection System (IDS) have grown into a mature and feature rich technology that provides advanced features to detect intrusion and provide responses. It also allows the management system for security analysis by monitoring, configuring and analyzing the intrusion data. A better understanding of alerts by using a general framework and infrastructure for detecting intrusions through event correlation strategy minimizes the amount of data generated. Event correlation techniques are needed for two reasons. First, network attack detection is usually based on information or data received from distributed sensors, e.g. intrusion detection systems. During attacks, the generated amount of events is hard to handle and so it is difficult to evaluate the current attack situation for a larger network. Thus, the concept of event or alert correlation has been introduced. Event correlation paints a picture of what is now being called as network or cyber situational awareness and tries to guide the security administrator on the actions that he can take to mitigate the crisis. The aim of the event correlation for intrusion detection system (IDS) is to improve security by correlating events and reduce the workload on an IDS analyst. This correlation has been achieved by getting together similar alerts, thus allowing the analyst to only look at a few alerts instead of hundreds or thousands of alerts. In this paper, we correlate the results of SNORT Intrusion Detection System (IDS) with SEC (Simple Event Correlator) by taking the input from the MIT DARPA (Defense advanced Research Projects Agency) dataset. The alerts generated from Snort are very large and so it is difficult for the administrators to identify them. Here we correlate the alerts based on same name coming from different IP address. This correlation removes the duplication of alerts and thus reduces the information overload on the administrator.

keywords: IP networks;computer network security;correlation methods;Defense advanced Research Projects Agency;IDS;IP address;MIT DARPA dataset;SEC;SNORT intrusion detection system;alert correlation;cyber situational awareness;distributed sensors;event correlation strategy;management system;network attack detection;security administrator;security analysis;simple event correlator;workload reduction;Computers;Correlation;Feature extraction;Intrusion detection;Monitoring;Sensors;Correlation;DARPA;IDS;SEC;events (ID#: 16-9287)



Leszczyna, R.; Wrobel, M.R., "Evaluation of open source SIEM for situation awareness platform in the smart grid environment," in Factory Communication Systems (WFCS), 2015 IEEE World Conference on, pp. 1-4, 27-29 May 2015. doi: 10.1109/WFCS.2015.7160577

Abstract: The smart grid as a large-scale system of systems has an exceptionally large surface exposed to cyber-attacks, including highly evolved and sophisticated threats such as Advanced Persistent Threats (APT) or Botnets. When addressing this situation the usual cyber security technologies are prerequisite, but not sufficient. The smart grid requires developing and deploying an extensive ICT infrastructure that supports significantly increased situational awareness and enables detailed and precise command and control. The paper presents one of the studies related to the development and deployment of the Situation Awareness Platform for the smart grid, namely the evaluation of open source Security Information and Event Management systems. These systems are the key components of the platform.

keywords: Internet;computer network security;grid computing;public domain software;APT;ICT infrastructure;advanced persistent threats;botnets;command-and-control;cyber-attacks;open source SIEM evaluation;open source security information-and-event management systems;situation awareness platform;smart grid environment;Computer security;NIST;Sensor systems;Smart grids;Software;SIEM;evaluation;situation awareness;smart grid (ID#: 16-9288)



Sixiao Wei; Dan Shen; Genshe Chen; Hanlin Zhang; Wei Yu; Blasch, E.; Pham, K.; Cruz, J.B., "On effectiveness of game theoretic modeling and analysis against cyber threats for avionic systems," in Digital Avionics Systems Conference (DASC), 2015 IEEE/AIAA 34th, pp. 4B2-1-4B2-13, 13-17 Sept. 2015

doi: 10.1109/DASC.2015.7311417

Abstract: Cyber-attack defense requires network security situation awareness through distributed collaborative monitoring, detection, and mitigation. An issue of developing and demonstrating innovative and effective situational awareness techniques for avionics has increased in importance in the last decade. In this paper, we first conducted a game theoretical based modeling and analysis to study the interaction between an adversary and a defender. We then introduced the implementation of game-theoretic analysis on an Avionics Sensor-based Defense System (ASDS), which consists of distributed passive and active network sensors. A trade-off between defense and attack strategy was studied via existing tools for game theory (Gambit). To further enhance the defense and mitigate attacks, we designed and implemented a multi-functional web display to integrate the game theocratic analysis. Our simulation validates that the game theoretical modeling and analysis can help the Avionics Sensor-based Defense System (ASDS) adapt detection and response strategies to efficiently and dynamically deal with various cyber threats.

keywords: aerospace computing;avionics;distributed sensors;game theory;security of data;ASDS;Gambit;active network sensors;avionic systems;avionics sensor-based defense system;cyber threats;cyber-attack defense;distributed collaborative detection;distributed collaborative mitigation;distributed collaborative monitoring;distributed passive network sensors;game theoretic modeling;multifunctional Web display;network security situation awareness techniques;Monitoring (ID#: 16-9289)



Glowacka, J.; Krygier, J.; Amanowicz, M., "A trust-based situation awareness system for military applications of the internet of things," in Internet of Things (WF-IoT), 2015 IEEE 2nd World Forum on, pp. 490-495, 14-16 Dec. 2015. doi: 10.1109/WF-IoT.2015.7389103

Abstract: Integration of heterogeneous objects diverse in technology, environmental constraints and level of trust is a challenging issue. The paper presents a novel trust-based cognitive mechanism making the objects of IoT infrastructure capable to build their situational awareness, and use this knowledge for appropriate reaction to detected threats. We demonstrate, by simulation, the efficiency of the proposed solution, and its robustness to attacks on the reputation system.

keywords: Internet of Things;military communication;telecommunication security;Internet of Things;IoT infrastructure;environmental constraints;heterogeneous object integration;military applications;reputation system;trust-based cognitive mechanism;trust-based situation awareness system;Cryptography;Electron tubes;Internet of things;Robustness;Routing protocols;Standards;Internet of Things;inference;reputation attack;reputation system;situation awareness;trust (ID#: 16-9290)



Torres, G.; Smith, K.; Buscemi, J.; Doshi, S.; Ha Duong; Defeng Xu; Pickett, H.K., "Distributed StealthNet (D-SN): Creating a live, virtual, constructive (LVC) environment for simulating cyber-attacks for test and evaluation (T&E)," in Military Communications Conference, MILCOM 2015 - 2015 IEEE, pp.1284-1291, 26-28 Oct. 2015. doi: 10.1109/MILCOM.2015.7357622

Abstract: The Services have become increasingly dependent on their tactical networks for mission command functions, situational awareness, and target engagements (terminal weapon guidance). While the network brings an unprecedented ability to project force by all echelons in a mission context, it also brings the increased risk of cyber-attack on the mission operation. With both this network use and vulnerability in mind, it is necessary to test new systems (and networked Systems of Systems (SoS)) in a cyber-vulnerable network context. A new test technology, Distributed-StealthNet (D-SN), has been created by the Department of Defense Test Resource Management Center (TRMC) to support SoS testing with cyber-attacks against mission threads. D-SN is a simulation/emulation based virtual environment that can provide a representation of a full scale tactical network deployment (both Radio Frequency (RF) segments and wired networks at command posts). D-SN has models of real world cyber threats that affect live tactical systems and networks. D-SN can be integrated with live mission Command and Control (C2) hardware and then a series of cyber-attacks using these threat models can be launched against the virtual network and the live hardware to determine the SoS's resiliency to sustain the tactical mission. This paper describes this new capability and the new technologies developed to support this capability.

keywords: command and control systems;computer network security;military communication;wide area networks;C2 hardware;Command and Control hardware;D-SN;LVC environment;T&E;TRMC;cyberattack simulation;cybervulnerable network context;department of defense test resource management center;distributed stealthnet;live,virtual, constructive environment;tactical network;test and evaluation;Computational modeling;Computer architecture;Computers;Hardware;Ports (Computers);Real-time systems;Wide area networks (ID#: 16-9291)



Aggarwal, P.; Grover, A.; Singh, S.; Maqbool, Z.; Pammi, V.S.C.; Dutt, V., "Cyber security: A game-theoretic analysis of defender and attacker strategies in defacing-website games," in Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015 International Conference on, pp. 1-8, 8-9 June 2015. doi: 10.1109/CyberSA.2015.7166127

Abstract: The rate at which cyber-attacks are increasing globally portrays a terrifying picture upfront. The main dynamics of such attacks could be studied in terms of the actions of attackers and defenders in a cyber-security game. However currently little research has taken place to study such interactions. In this paper we use behavioral game theory and try to investigate the role of certain actions taken by attackers and defenders in a simulated cyber-attack scenario of defacing a website. We choose a Reinforcement Learning (RL) model to represent a simulated attacker and a defender in a 2×4 cyber-security game where each of the 2 players could take up to 4 actions. A pair of model participants were computationally simulated across 1000 simulations where each pair played at most 30 rounds in the game. The goal of the attacker was to deface the website and the goal of the defender was to prevent the attacker from doing so. Our results show that the actions taken by both the attackers and defenders are a function of attention paid by these roles to their recently obtained outcomes. It was observed that if attacker pays more attention to recent outcomes then he is more likely to perform attack actions. We discuss the implication of our results on the evolution of dynamics between attackers and defenders in cyber-security games.

keywords: Web sites;computer crime;computer games;game theory;learning (artificial intelligence);RL model;attacker strategies;attacks dynamics;behavioral game theory;cyber-attacks;cyber-security game;defacing Website games;defender strategies;game-theoretic analysis;reinforcement learning;Cognitive science;Computational modeling;Computer security;Cost function;Games;Probabilistic logic;attacker;cognitive modeling;cyber security;cyber-attacks;defender;reinforcement-learning model (ID#: 16-9292)



Neogy, S., "Security management in Wireless Sensor Networks," in Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015 International Conference on, pp. 1-4, 8-9 June 2015. doi: 10.1109/CyberSA.2015.7166112

Abstract: This paper aims to describe the characteristics of Wireless Sensor Networks (WSNs), challenges in designing a resource-constrained and vulnerable network and address security management as the main issue. The work begins with discussion on the attacks on WSNs. As part of protection against the attacks faced by WSNs, key management, the primary requirement of any security practice, is detailed out. This paper also deals with the existing security schemes covering various routing protocols. The paper also touches security issues concerning heterogeneous networks.

keywords: routing protocols;telecommunication security;wireless sensor networks;WSN;heterogeneous networks;routing protocols;security management schemes;wireless sensor networks;Cryptography;Receivers;Routing;Routing protocols;Wireless sensor networks;attack;cryptography;key management;protocol;routing;security;wireless sensor network (ID#: 16-9293)



Pietrowicz, S.; Falchuk, B.; Kolarov, A.; Naidu, A., "Web-Based Smart Grid Network Analytics Framework," in Information Reuse and Integration (IRI), 2015 IEEE International Conference on, pp. 496-501, 13-15 Aug. 2015. doi: 10.1109/IRI.2015.82

Abstract: As utilities across the globe continue to deploy Smart Grid technology, there is an immediate and growing need for analytics, diagnostics and forensics tools akin to those commonly employed in enterprise IP networks to provide visibility and situational awareness into the operation, security and performance of Smart Energy Networks. Large-scale Smart Grid deployments have raced ahead of mature management tools, leaving gaps and challenges for operators and asset owners. Proprietary Smart Grid solutions have added to the challenge. This paper reports on the research and development of a new vendor-neutral, packet-based, network analytics tool called MeshView that abstracts information about system operation from low-level packet detail and visualizes endpoint and network behavior of wireless Advanced Metering Infrastructure, Distribution Automation, and SCADA field networks. Using real utility use cases, we report on the challenges and resulting solutions in the software design, development and Web usability of the framework, which is currently in use by several utilities.

keywords: Internet;power engineering computing;smart power grids;software engineering;Internet protocols;MeshView tool;SCADA field network;Web usability;Web-based smart grid network analytics framework;distribution automation;enterprise IP networks;smart energy networks;smart grid technology;software design;software development;wireless advanced metering infrastructure;Conferences;Advanced Meter Infrastructure;Big data visualization;Cybersecurity;Field Area Networks;Network Analytics;Smart Energy;Smart Grid;System scalability;Web management (ID#: 16-9294)



Puri, Colin; Dukatz, Carl, "Analyzing and Predicting Security Event Anomalies: Lessons Learned from a Large Enterprise Big Data Streaming Analytics Deployment," in Database and Expert Systems Applications (DEXA), 2015 26th International Workshop on, pp. 152-158, 1-4 Sept. 2015. doi: 10.1109/DEXA.2015.46

Abstract: This paper presents a novel and unique live operational and situational awareness implementation bringing big data architectures, graph analytics, streaming analytics, and interactive visualizations to a security use case with data from a large Global 500 company. We present the data acceleration patterns utilized, the employed analytics framework and its complexities, and finally demonstrate the creation of rich interactive visualizations that bring the story of the data acceleration pipeline and analytics to life. We deploy a novel solution to learn typical network agent behaviors and extract the degree to which a network event is anomalous for automatic anomaly rule learning to provide additional context to security alerts. We implement and evaluate the analytics over a data acceleration framework that performs the analysis and model creation at scale in a distributed parallel manner. Additionally, we talk about the acceleration architecture considerations and demonstrate how we complete the analytics story with rich interactive visualizations designed for the security and business analyst alike. This paper concludes with evaluations and lessons learned.

keywords: Conferences; Databases; Expert systems; D3 visualization; anomaly detection; batch analytics; data acceleration; graph analytics; log content analytics; streaming analytics (ID#: 16-9295)



Nasir, M.A.; Nefti-Meziani, S.; Sultan, S.; Manzoor, U., "Potential cyber-attacks against global oil supply chain," in Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015 International Conference on, pp. 1-7, 8-9 June 2015. doi: 10.1109/CyberSA.2015.7166137

Abstract: The energy sector has been actively looking into cyber risk assessment at a global level, as it has a ripple effect; risk taken at one step in supply chain has an impact on all the other nodes. Cyber-attacks not only hinder functional operations in an organization but also waves damaging effects to the reputation and confidence among shareholders resulting in financial losses. Organizations that are open to the idea of protecting their assets and information flow and are equipped; enough to respond quickly to any cyber incident are the ones who prevail longer in global market. As a contribution we put forward a modular plan to mitigate or reduce cyber risks in global supply chain by identifying potential cyber threats at each step and identifying their immediate counterm easures.

keywords: globalisation;organisational aspects;petroleum industry;risk management;security of data;supply chain management;cyber incident;cyber risk assessment;cyber-attack;damaging effect;energy sector;financial losses;global market;global oil supply chain;global supply chain;information flow;organization;ripple effect;Companies;Computer hacking;Information management;Supply chains;Temperature sensors;cyber-attacks;cyber-attacks countermeasures;oil supply chain;threats to energy sector (ID#: 16-9296)



Evangelopoulou, M.; Johnson, C.W., "Empirical framework for situation awareness measurement techniques in network defense," in Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015 International Conference on, pp. 1-4, 8-9 June 2015. doi: 10.1109/CyberSA.2015.7166132

Abstract: This paper presents an empirical framework for implementing Situation Awareness Measurement Techniques in a Network Defense environment. Bearing in mind the rise of Cyber-crime and the importance of Cyber security, the role of the security analyst (or as this paper will refer to them, defenders) is critical. In this paper the role of Situation Awareness Measurement Techniques will be presented and explained briefly. Input from previous studies will be given and an empirical framework of how to measure Situation Awareness in a computing network environment will be offered in two main parts. The first one will include the networking infrastructure of the system. The second part will be focused on specifying which Situation Awareness Techniques are going to be used and which Situation Awareness critical questions need to be asked to improve future decision making in cyber-security. Finally, a discussion will take place concerning the proposed approach, the chosen methodology and further validation.

keywords: computer crime;computer network security;decision making;computing network environment;cyber-crime;cybersecurity;decision making;network defense environment;situation awareness measurement techniques;Computer security;Decision making;Human factors;Measurement techniques;Monitoring;Unsolicited electronic mail;Cyber Security;CyberSA;Decision Making;Intrusion Detection;Network Defense;Situation Awareness;Situation Awareness Measurement Techniques (ID#: 16-9297)



Bjerkestrand, T.; Tsaptsinos, D.; Pfluegel, E., "An evaluation of feature selection and reduction algorithms for network IDS data," in Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015 International Conference on, pp. 1-2, 8-9 June 2015. doi: 10.1109/CyberSA.2015.7166129

Abstract: Intrusion detection is concerned with monitoring and analysing events occurring in a computer system in order to discover potential malicious activity. Data mining, which is part of the procedure of knowledge discovery in databases, is the process of analysing the collected data to find patterns or correlations. As the amount of data collected, store and processed only increases, so does the significance and importance of intrusion detection and data mining. A dataset that has been particularly exposed to research is the dataset used for the Third International Knowledge Discovery and Data Mining Tools competition, KDD99. The KDD99 dataset has been used to identify what data mining techniques relate to certain attack and employed to demonstrate that decision trees are more efficient than the Naïve Bayes model when it comes to detecting new attacks. When it comes to detecting network intrusions, the C4.5 algorithm performs better than SVM. The aim of our research is to evaluate and compare the usage of various feature selection and reduction algorithms against publicly available datasets. In this contribution, the focus is on feature selection and reduction algorithms. Three feature selection algorithms, consisting of an attribute evaluator and a test method, have been used. Initial results indicate that the performance of the classifier is unaffected by reducing the number of attributes.

keywords: Bayes methods;data mining;decision trees;feature selection;security of data;C4.5 algorithm;KDD99 dataset;SVM;computer system;data mining technique;decision tree;feature selection;intrusion detection;naive Bayes model;network IDS data;network intrusion;potential malicious activity;reduction algorithm;third international knowledge discovery and data mining tools competition;Algorithm design and analysis;Classification algorithms;Data mining;Databases;Intrusion detection;Knowledge discovery;Training;KDD dataset;data mining;feature selection and reduction;intrusion detection;knowledge discovery (ID#: 16-9298)



Adenusi, D.; Kuboye, B.M.; Alese, B.K.; Thompson, A.F.-B., "Development of cyber situation awareness model," in Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015 International Conference on, pp. 1-11, 8-9 June 2015. doi: 10.1109/CyberSA.2015.7166135

Abstract: This study designed and simulated cyber situation awareness model for gaining experience of cyberspace condition. This was with a view to timely detecting anomalous activities and taking proactive decision safeguard the cyberspace. The situation awareness model was modelled using Artificial Intelligence (AI) technique. The cyber situation perception sub-model of the situation awareness model was modelled using Artificial Neural Networks (ANN). The comprehension and projection submodels of the situation awareness model were modelled using Rule-Based Reasoning (RBR) techniques. The cyber situation perception sub-model was simulated in MATLAB 7.0 using standard intrusion dataset of KDD'99. The cyber situation perception sub-model was evaluated for threats detection accuracy using precision, recall and overall accuracy metrics. The simulation result obtained for the performance metrics showed that the cyber-situation sub-model of the cybersituation model better with increase in number of training data records. The cyber situation model designed was able to meet its overall goal of assisting network administrators to gain experience of cyberspace condition. The model was capable of sensing the cyberspace condition, perform analysis based on the sensed condition and predicting the near future condition of the cyberspace.

keywords: artificial intelligence;inference mechanisms;knowledge based systems;mathematics computing;neural nets;security of data;AI technique;ANN;Matlab 7.0;RBR techniques;anomalous activities detection;artificial intelligence;artificial neural networks;cyber situation awareness model;cyberspace condition;proactive decision safeguard;rule-based reasoning;training data records;Artificial neural networks;Computational modeling;Computer security;Cyberspace;Data models;Intrusion detection;Mathematical model;Artificial Intelligence;Awareness;cyber-situation;cybersecurity;cyberspace 9299) 9299)



Bode, M.A.; Alese, B.K.; Oluwadare, S.A.; Thompson, A.F.-B., "Risk analysis in cyber situation awareness using Bayesian approach," in Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015 International Conference on, pp. 1-12, 8-9 June 2015. doi: 10.1109/CyberSA.2015.7166119

Abstract: The unpredictable cyber attackers and threats have to be detected in order to determine the outcome of risk in a network environment. This work develops a Bayesian network classifier to analyse the network traffic in a cyber situation. It is a tool that aids reasoning under uncertainty to determine certainty. It further analyze the level of risk using a modified risk matrix criteria. The classifier developed was experimented with various records extracted from the KDD Cup'99 dataset with 490,021 records. The evaluations showed that the Bayesian Network classifier is a suitable model which resulted in same performance level for classifying the Denial of Service (DoS) attacks with Association Rule Mining while as well as Genetic Algorithm, the Bayesian Network classifier performed better in classifying probe and User to Root (U2R) attacks and classified DoS equally. The result of the classification showed that Bayesian network classifier is a classification model that thrives well in network security. Also, the level of risk analysed from the adapted risk matrix showed that DoS attack has the most frequent occurrence and falls in the generally unacceptable risk zone.

keywords: Bayes methods;belief networks;computer network security;data mining;inference mechanisms;pattern classification;risk analysis;Bayesian approach;Bayesian network classifier;DoS attacks;KDD Cup 99 dataset;U2R attacks;association rule mining;classified DoS equally;cyber attackers;cyber situation;cyber situation awareness;cyber threats;denial of service attacks;genetic algorithm;modified risk matrix criteria;network environment;network security;network traffic analysis;risk analysis;user to root attacks;Bayes methods;Intrusion detection;Risk management;Telecommunication traffic;Uncertainty;Bayesian approach;Cyber Situation Awareness; KDD Cup'99; Risk matrix (ID#: 16-9300)



Stevanovic, M.; Pedersen, J.M., "An analysis of network traffic classification for botnet detection," in Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2015 International Conference on, pp. 1-8, 8-9 June 2015. doi: 10.1109/CyberSA.2015.7361120

Abstract: Botnets represent one of the most serious threats to the Internet security today. This paper explores how network traffic classification can be used for accurate and efficient identification of botnet network activity at local and enterprise networks. The paper examines the effectiveness of detecting botnet network traffic using three methods that target protocols widely considered as the main carriers of botnet Command and Control (C&C) and attack traffic, i.e. TCP, UDP and DNS. We propose three traffic classification methods based on capable Random Forests classifier. The proposed methods have been evaluated through the series of experiments using traffic traces originating from 40 different bot samples and diverse non-malicious applications. The evaluation indicates accurate and time-efficient classification of botnet traffic for all three protocols. The future work will be devoted to the optimization of traffic analysis and the correlation of findings from the three analysis methods in order to identify compromised hosts within the network.

keywords: Internet;computer network security;invasive software;learning (artificial intelligence);pattern classification;telecommunication traffic;Internet security threats;attack traffic;botnet C&C;botnet command and control;botnet detection;botnet network activity;botnet network traffic detection;enterprise networks;local networks;network traffic classification analysis;nonmalicious applications;random forest classifier;traffic analysis optimization;Feature extraction;IP networks;Malware;Monitoring;Ports (Computers);Protocols;Botnet;Botnet Detection;Features Selection;MLAs;Random Forests;Traffic Analysis;Traffic Classification (ID#: 16-9301)



Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.