Experience-Based Cyber Security Analytics

Open Access
Chen, Po-Chun
Graduate Program:
Computer Science and Engineering
Doctor of Philosophy
Document Type:
Date of Defense:
August 31, 2010
Committee Members:
  • John Yen, Dissertation Advisor
  • John Yen, Committee Chair
  • Peng Liu, Committee Member
  • C Lee Giles, Committee Member
  • Prasenjit Mitra, Committee Member
  • Runze Li, Committee Member
Keywords:
  • Cyber Situation Awareness
  • Intrusion Detection
  • Situation Recognition
As the demand for computational resources and connectivity increases and contemporary computer network systems become more complex, the management of cyber security is progressively becoming a serious issue. Cyber situation recognition is a challenging problem, particularly when the network is large. The amount of data produced by existing intrusion detection tools and sensors usually far exceeds the cognitive throughput of a human analyst. In attempting to reconcile this huge volume of information with the limited cognitive capacity of the analyst, a critical disconnect between human cognition and cyber security tools has been identified. Although the problem of cyber intrusion detection has been studied from several perspectives using various approaches, the key component for bridging the gap between existing tools and human analysts' experience is missing. A method to capture and leverage cyber security expertise for situation recognition from a high-level viewpoint over the entire network is important, but it is rarely mentioned in the literature. The goal of this research is to address the problem of cyber intrusion recognition from the viewpoint of leveraging cyber experts' experiences and reflections. We developed a systematic approach to capturing and utilizing the experiences and reflections of security analysts to enhance cyber situation awareness. The contributions of the research include: 1) proposing an approach that enables systematic capture of the experience and reflection of cyber security analysts; 2) enhancing the recognition of cyber situations using the captured experiences of cyber security analysts; 3) providing a knowledge-based strategy for relaxing the constraints of Horn logic-based experience patterns to enhance their utilization; and 4) demonstrating the benefit of experience-based cyber situation recognition through simulations.