Date post: 21-Jul-2018
How to Use Experience in Cyber Analysis: An Analytical Reasoning Support System

Chen Zhong, Deepak Kirubakaran, John Yen, Peng Liu (Pennsylvania State University)
Steve Hutchinson, Hasan Cam (Army Research Lab)


Cyber Analysis is a Critical Issue

• Email attack
• Attack web applications
• Use public information
• Social engineering

Analysts are Doing Important Work

[Network diagram: the Internet (50.100.*.*) and an internal network (10.1.*.*) monitored by Snort IDS #1 / Tcpdump #1 and Snort IDS #2 / Tcpdump #2; hosts: DNS Server 130.203.50.2, Internal Database 130.203.157.203, Internal File Server 130.203.157.212, Web Server 130.203.50.11, Mail Server 130.203.50.22, PC1 130.203.158.101, PC2 130.203.158.102, PC5 130.203.158.105]

• Monitor the data
• Detect the “true signal”
• Connect the dots
• Make judgments

Analytical Reasoning

Goal:
• What has happened?
• How did it happen?
• What will happen?

Big Challenges for Analysts

[Network diagram of the monitored network (Internet 50.100.*.*, internal network 10.1.*.*, Snort IDS / Tcpdump sensors, DNS, Web and Mail servers, internal database and file server, PCs 1, 2 and 5), annotated with the data sources an analyst must work through: IDS alerts, web server logs, file server logs, DB logs, packet dumps, anti-virus reports, vulnerability reports, firewall logs]

• Data are overwhelming and noise-abundant.
• Attacks are increasingly complex and subtle.
• Limited capability for data processing and analytical reasoning.
• Limited resources of analysts.

? GAP

How to solve it?

How can we improve the overall performance of the analysts?

How can we make full use of the limited resources?

Sense-Making

[Sense-making diagram, built on Experience. Stages and their labels: Information Seeking (Observation: what to look into?); Insight Development (Analyzing: what does it mean? how to verify?); Producing (Result/conclusion). The reasoning cycle in the middle is labelled Observation, Hypothesis, Action.]

Experience should be fully used in cyber analysis.

Difficulties (Expert / Novice)

• Representation
• Capture
• Reuse

Experience Representation: an Analytical Reasoning Process

A-O-H Model

A-O-H: Tree Structure

E-Tree

Experience-Aided Reasoning Support

A-O-H Model Experience Guidance

Case Study

[Screenshot of the support system. Panels: (1) Experience Capturing/Using Option; (2) Experience Guidance, with the retrieved E-Trees and the details of the selected EU; (3) Hypotheses Navigation, with the H-Tree and the details of the selected hypothesis. Monitoring Data: the network diagram (Internet 50.100.*.*, internal network 10.1.*.*, Snort IDS / Tcpdump sensors, DNS, Web and Mail servers, internal database and file server, PCs 1, 2 and 5) and eight monitoring data sets.]

Scenario 1

Scenario 2

To Recap: Experience Model

• Formally represented for retrieval
• Free text to capture thoughts

Thank You!

Q & A

Chen Zhong

[email protected]

