=Paper= {{Paper |id=Vol-1097/STIDS2013_T13 |storemode=property |title=Towards a Cognitive System for Decision Support in Cyber Operations |pdfUrl=https://ceur-ws.org/Vol-1097/STIDS2013_T13_OltramariEtAl.pdf |volume=Vol-1097 |dblpUrl=https://dblp.org/rec/conf/stids/OltramariLVZD13 }} ==Towards a Cognitive System for Decision Support in Cyber Operations== https://ceur-ws.org/Vol-1097/STIDS2013_T13_OltramariEtAl.pdf
Towards a Cognitive System for Decision Support in Cyber Operations

Alessandro Oltramari and Christian Lebiere
Functional Modeling Systems Lab, Department of Psychology, Carnegie Mellon University, Pittsburgh, USA

Lowell Vizenor
Refinery 29, New York, NY, USA

Wen Zhu
Alion Science and Technology, Washington D.C., USA

Randall Dipert
Department of Philosophy, University of Buffalo

Abstract— This paper presents the general requirements to build a “cognitive system for decision support”, capable of simulating defensive and offensive cyber operations. We aim to identify the key processes that mediate interactions between defenders, adversaries and the public, focusing on cognitive and ontological factors. We describe a controlled experimental phase where the system performance is assessed on a multi-purpose environment, which is a critical step towards enhancing situational awareness in cyber warfare.

Keywords—ontology, cognitive architecture, cyber security

I. INTRODUCTION

A cyber attack by a hostile nation-state or political organization is widely regarded as one of the most serious threats that the U.S. will face in the next decades. While greatly increased use of information systems has contributed enormously to economic growth, and has fueled a much more efficient and agile national defense, it has also made the U.S. enormously vulnerable to a variety of Internet and non-Internet cyber attacks, and to cyber espionage [1].

There are numerous factors that make cyber warfare and pure cyber defense, namely cyber security, especially problematic. The kinds of threats are diverse: destruction or theft of data, or interference with information systems and networks, across a spectrum of private and public interests. The legal and ethical status of cyber attacks or counterattacks by states is also unclear, at least when deaths or permanent destruction of physical objects does not result. It is still an open question what U.S. policy is or should be, and how cyber threats are analogous to traditional threats and policies—for example whether “first use” deterrence, and in-kind responses apply, and whether a policy of pure cyber defense does not put the far greater burden on attacked rather than attacking nations [2]. As this overview may suggest, untangling the complexity of cyber attacks becomes a key element for augmenting situational awareness in the cyber environment: in this position paper, we propose to tackle this problem from a semantic and cognitive modeling perspective, combining ontologies and cognitive architectures into an intelligent system capable of supporting humans in cyber operations as well as acting autonomously as a team member.

The paper is divided into four main parts. After introducing some aspects of special interest to modeling cyber warfare (Section II), in Section III we present a hybrid decision support system based on cognitive architectures and ontologies. Section IV unfolds the experimentation plan to test the system by means of a scalable synthetic environment, and Section V delineates a framework of implementation centered on an object-based infrastructure.

II. RELEVANT CHARACTERISTICS OF CYBER WARFARE

In general, time variables play an important role in the design of decision support systems [3]: temporal constraints become even more stringent when those systems have to deal with cyber attacks, where real time responses are typically hindered by the knowledge-intensive nature of cyber operations and associated tasks. Some decisions on where and when to invoke various methods of cyber defense and mitigate damage, as well as decisions to launch a cyber counterattack, need to be made quickly. Large-scale cyber attacks or counterattacks are likely going to require careful, human decision-making for some time into the future. Yet there are other responses to cyber attacks or cyber espionage that could and should be done immediately, such as revoking an employee’s access if suspicious activity is detected, blocking all remote access or from certain URLs and through certain servers, immediate assessment of likely damage and risks, and so on. What we propose in this paper is the building of a cognitive system for decision support that will emulate ideal human responses to cyber attacks. This would be accomplished through careful design of its architecture, both in terms of cognitive mechanisms and knowledge resources, and by comparing its outputs on case studies with actions of human agents. The benefits are threefold. First, by cognitive modeling we come to better understand the mechanisms underlying human decisions in the realm of cyber warfare and cyber

     This research was partially supported by a Defense Threat Reduction
Agency (DTRA) grant number: HDTRA1-09-1-0053 to Christian Lebiere
(Principal Investigator) and Alessandro Oltramari.

                                                      STIDS 2013 Proceedings Page 94
espionage, coupling the cognitive aspects and the semantic contents of decision-making. Second, after extensive testing we could use this intelligent decision-making system to recommend steps to human decision-makers—e.g., recommendations to gather further information, or actually to act in a certain way and to assess the risks of not acting. Finally, in cases where the reliability of the system is high, and where time is of the essence or the actions have little risk (such as revoking one employee’s system access, or access to one URL), the intelligent system could act swiftly and autonomously.

Some forms of attacks, such as Distributed Denial Of Service (DDoS) and other botnet jamming of networks or servers, show signs of admitting purely technological solutions. However, human error by employees has repeatedly been cited as the most common source of vulnerability [4], [5], [6], [7]. One technique of gaining illegitimate access to an information system that still appears with remarkable frequency is spear-phishing: emails to DOD employees or defense contractors with spoofed addresses from acquaintances that seem to have a harmless photograph, PDF, or other attachment¹. While this exploitation might not alone gain direct access to secure systems, it may allow an attacker to gather personal information that can be used to guess passwords, answer security questions, and so on. Social networking sites and other open data and the use of analytics allow attackers to identify employers, friends, relatives, shopping and driving habits, and so on. This aids an attacker enormously in the identification of targets and gaining access: for instance, in a recent case the New York Times’ sites were brought down when a group claiming to be the Syrian Free Electronic Army used social media and spear phishing to gain access to employees' passwords to the server that handled the NY Times' Domain Network System (DNS). Likewise even if smartphones and other portable devices are not used at secure locations and do not contain classified or sensitive data, hacking into them (or intercepting cellular and WiFi communications, including with vehicles and home monitoring devices) can provide personal data that can be utilized to make direct attacks.

III. TOWARDS A COGNITIVE SYSTEM FOR DECISION SUPPORT IN CYBER WARFARE

A. General methodology

Our approach is inspired by the notion of “sociotechnical system” [8], which emphasizes the interaction between people and technology in the workplace. Ontology analysis has recently proved to be an effective tool for investigating these complex aspects [9]: nevertheless, the interactive nature of socio-technical systems demands a broader framework, where human behavior can be studied not only in terms of action schematics, planning and rules, but also as a genuinely cognitive phenomenon, which can be properly investigated only as a dynamic system. Accordingly, the key elements of our proposed method for modeling cyber operations are:

    • Cognitive architecture – design and development of cognitive models of decision-making in cyber defense based on ACT-R² cognitive architecture [10]. The models will focus on: learning mechanisms, memory and attentional limitations, decision-making strategies, risk perception, and trusted judgments.

    • Ontologies – design and development of applied formal ontologies to 1) serve as a knowledge base for our cognitive models (Cyber Security Ontologies) and to 2) classify and annotate cyber security test and training data (Scenario Ontologies).

    • Live, Virtual, Constructive (LVC) Integration – Enable the analysis of cyber defense strategies; support training for cyber security personnel; validate the cognitive models developed with attack/mitigate/counter-attack scenarios and enhance them by leveraging learning mechanisms.

By integrating these elements in a coherent multi-purpose system, we aim at unraveling the complex structures that mediate interactions among defenders, adversaries and the public: in this respect, the overall goal is to enhance situational awareness in cyber warfare by assessing human performance in a simulated environment. The system is also meant to interact autonomously in a hybrid team, i.e. playing the role of a “teammate” sentinel in support of humans, eventually capable of prompting decisions and performing actions in more mature stages of development.

To provide a richer characterization of our approach, Section B illustrates the functional requirements of the envisioned system, while Sections C and D will narrow the focus to, respectively, ACT-R cognitive architecture (the central component of the system) and the ontologies needed to frame the knowledge component of the architecture.

B. Functional models of cyber operations

Modeling decision-making in the cyber security framework requires multiple factors to be investigated: (i) the size and the variety of knowledge which is necessary to classify and analyze attacks and defensive actions; (ii) the flexible behavior required by coupling alternative strategies of response to specific cyber threats, updating and revising strategies when the circumstances of the attack or the environmental conditions evolve; (iii) learning by experience how to deal with cyber attacks; (iv) interacting in a team by building a mental representation of the co-workers as well as of the enemies. These factors can be mapped to the 12 criteria distilled in [11] (from the original list compiled by Newell in [12]) that a cognitive architecture would have to satisfy in order to achieve human-level functionality. In these regards, cognition is not considered as a “tool” for optimal problem solving but, rather, as a set of limited information processing capacities (so-called ‘bounded rationality’ [13])³. In a similar fashion, Wooldridge had identified the requirements that an agent should satisfy in order to act on a rational basis [14], namely: reactivity, the capacity of properly reacting to perceptual stimuli; proactivity, the capacity of operating to pursue a goal; autonomy, implying

¹ Because of their prevalence and complexity in terms of kind and number of cognitive agents, we intend to include these as paradigms of our use-cases.
² Pronounced, “act-ARE”: Adaptive Control of Thought—Rational.
³ Despite the relevance of emotions in decision-making [34], our approach doesn’t extend to the investigation of affective aspects at this stage.




an unsupervised decision making process; social ability, the capacity of interacting with other agents and revising mental states accordingly.

State-of-the-art research on cognitive architectures (SOAR, ACT-R, CLARION, OpenCog, LIDA, etc.) has produced a significant amount of results on specifying this extensive range of functions⁴: by and large, ACT-R has accounted for the broadest range of cognitive activities at a high level of fidelity, reproducing aspects of human data such as learning, errors, latencies, eye movements and patterns of brain activity [10]. However, these results have often involved relatively narrow and predictable tasks. Most importantly, cognitive architectures have just started to tackle the problem of how to model social ability [15], which is a crucial aspect of our approach. A fundamental feature of human social ability is “mindreading” [16], i.e. to understand and predict the actions of others by means of postulating their intentions, goals and expectations: this process of interpretation is feasible only if an agent can learn to represent the mental states of others on the basis of cumulative experience and background knowledge, combining the resulting mental model with the continuous stream of data from the environment, aiming at replicating the cognitive processes that have likely motivated the other agents to perform the observed actions. Scaling up ACT-R to account for more extensive multi-agent scenarios can help to build comprehensive models⁵ of social conflict and cooperation, which are critical to discern the governing dynamics of cyber defense. But if leveraging the ACT-R framework might be sufficient to replicate the mechanisms described in (ii)-(iv), the knowledge functionality (i) can be fulfilled only by injecting a fair amount of highly expressive knowledge structures into the architecture: accordingly, ontologies can provide these structures in the form of semantic specifications of declarative memory contents [17]. As [18], [19], and [20] show, up to this time most research efforts have focused on designing methods for mapping large knowledge bases to ACT-R declarative module, but with scarce success. Here we commit to a more efficient approach: modular ontologies. Modularity has become a key issue in ontology engineering. Research into aspects of ontological modularity covers a wide spectrum: [21] gives a good overview of the breadth of this field. Our modular approach guarantees wide coverage and “manageability”: instead of tying ACT-R to a single large ontology, which is hard to maintain, update and query, we propose a suite of ontologies that reliably combine different dimensions of the cyber defense context, e.g. representation of secure information systems at different levels of granularity (requirements, guidelines, functions, implementation steps); categorization of attacks, viruses, malware, worms, bots; descriptions of defense strategies; the mental attitudes of the assailant, and so on.

In our context, the computational system resulting from the combination of cognitive and knowledge functionalities aims at fostering a better understanding of cyber attacks, supporting human operators in cyber warfare, eventually cooperating with them in well-defined synthetic environments. The rest of the paper presents in more detail the basic components of such a hybrid framework.

C. Replicating cognitive mechanisms with ACT-R

Cognitive architectures attempt to capture at the computational level the invariant mechanisms of human cognition, including those underlying the functions of control, learning, memory, adaptivity, perception, decision-making, and action. ACT-R [10] is a modular architecture including perceptual, motor and declarative memory components, synchronized by a procedural module through limited capacity buffers (see Figure 1 for the general diagram of the architecture). The declarative memory module (DM) plays an important role in the ACT-R system. At the symbolic level, ACT-R agents perform two major operations on DM: 1) accumulating knowledge “chunks” learned from internal operations or from interacting with objects and other agents populating the environment and 2) retrieving chunks that provide needed information. ACT-R distinguishes ‘declarative knowledge’ from ‘procedural knowledge’, the latter being conceived as a set of procedures (production rules or “productions”) which coordinate information processing between its various modules [10]: according to this framework, agents accomplish their goals on the basis of declarative representations elaborated through procedural steps (in the form of if-then clauses). This dissociation between declarative and procedural knowledge is grounded in experimental cognitive psychology; major studies in cognitive neuroscience also indicate a specific role of the hippocampus in “forming permanent declarative memories” and of the basal ganglia in production processes (see [22], pp. 96-99, for a general mapping of ACT-R modules and buffers to brain areas and [23] for a detailed neural model of the basal ganglia’s role in controlling information flow between cortical regions). ACT-R performs cognitive tasks by combining rules and knowledge: for reasons of space, a complete analysis of how the architecture instantiates this cognitive-based processing is not suitable here. Nevertheless, two core mechanisms need to be mentioned: i) partial matching, the probability of association between two distinct declarative knowledge chunks, computed on the basis of adequate similarity measures (e.g. a bag is more likely to resemble a basket than a tree); ii) spreading of activation, the phenomenon by which a chunk distributionally activates the different contexts in which it occurs (a bag can evoke shopping, travel, work, etc.). These two basic mechanisms belong to the general sub-symbolic computation underlying chunk activation, which in ACT-R controls the retrieval of declarative knowledge elements by procedural rules. In particular, ACT-R chunk activation is calculated by the following equation:

$$A_i = \ln \sum_j t_j^{-d} + \sum_k W_k S_{ki} + \sum_l MP_l \, Sim_{li} + N(0, \sigma) \qquad (1)$$

On the basis of the first term, the more recently and frequently a chunk i has been retrieved, the higher the activation and the chances of being retrieved ($t_j$ is the time elapsed since the jth reference to chunk i and $d$ represents the memory decay rate). In the second term of the equation, the contextual activation of a chunk i is set by the attentional

⁴ See [33] for a comprehensive overview of the most recent advancements in the area of cognitive architectures research.
⁵ Note that the distinction between ‘model’ and ‘agent’ when dealing with cognitive architectures is a blurred one. For clarity’s sake we will henceforth use ‘agent’ to avoid ambiguities with the notion of semantic model (ontology). In general, an agent is a cognitive model that dynamically interacts with the environment.




weight $W_k$, given the element $k$ and the strength of association $S_{ki}$ between $k$ and $i$. The third term states that, under partial matching, ACT-R can retrieve the chunk that matches the retrieval constraints to the greatest degree, combining the similarity $Sim_{li}$ between $l$ and $i$ (a negative score that is assigned to discriminate the ‘distance’ between two terms) with the scaling mismatch penalty $MP$. The final factor of the equation adds a random component to the retrieval process by including Gaussian noise to make retrieval probabilistic.

The intertwined connection between declarative and procedural knowledge, weighted by stochastic computations, represents the necessary substrate for realizing at the computational level the functionalities outlined in section B: more specifically, we claim that ACT-R can successfully be used to emulate human behavior in selecting and executing defense strategies, matching input data from on-going cyber attacks to deeply structured background knowledge of cyber operations. In the past, ACT-R architecture has been successfully used in contexts where integrating declarative and procedural knowledge was also a fundamental issue, e.g. air traffic control simulations [24].

Figure 1: ACT-R Modular Structures

D. Augmenting ACT-R with cyber security ontologies

The development of cyber security ontologies is a critical step in the transformation of cyber security from an art to a science. In 2010, the DOD sponsored a study to examine the theory and practice of cyber security, and evaluate whether there are underlying fundamental principles that would make it possible to adopt a more scientific approach. The study team concluded that:

    The most important attributes would be the construction of a common language and a set of basic concepts about which the security community can develop a shared understanding. A common language and agreed-upon experimental protocols will facilitate the testing of hypotheses and validation of concepts [25].

The need for controlled vocabularies, taxonomies, and ontologies to make progress toward a science of cyber security is recognized in [26] and [27] as well. In the domain of cyber security, the ontologies would include, among other things, the classification of cyber attacks, cyber incidents, and malicious and impacted software programs. From our point of view, which seeks to accurately represent the human-side of cyber security, we also expand our analysis to: (i) the different roles that system users, defenders and policy makers play in the context of cyber security; (ii) the different jobs and functions that the members of the cyber defender team play and the knowledge, skills and abilities needed to fulfill these functions. In order to reduce the level of effort, we will reuse existing ontologies when possible⁶ and only create new ontologies that support the use cases we select.

The decentralization of knowledge organization and maintenance to a variety of interconnected ontology modules leverages a shared bridging component, i.e. BFO reference ontology⁷: in this sense, BFO plays the role of the common semantic infrastructure to define, populate and update multiple context-driven cyber ontologies. The various modules will be encoded in W3C language OWL⁸: the process of porting them into ACT-R is managed automatically at the architecture level by built-in LISP functions, which are able to (a) read and interpret the XML-based syntax of the semantic model and (b) convert it into ACT-R declarative format. A set of broad schemas drives this conversion process: for instance, the direct mapping between the “chunk-type” primitives in ACT-R and classes in the ontologies has been designed. Further schemas at a narrower level of granularity will be provided, as engineered for an analogous framework presented at STIDS 2012 [28].

IV. COGNITIVE SIMULATIONS OF CYBER OPERATIONS

A. Experimental Design

The first objective of building an intelligent system endowed with adequate representation of cyber security knowledge is to use it in scalable synthetic environments for training human decision-makers. In addition, once the system has incorporated the necessary rational capabilities (defined in the previous section) and learned the dynamics of team interaction, we aim at testing the possibility of deploying it as an autonomous defensive agent in virtual cyber operations. In order to achieve the necessary degree of robustness and dependability, we plan simulations at different levels of complexity, as follows:

    • BSE — Basic Synthetic Environment: two ACT-R agents face each other playing the role of assailant and defender;

    • HSE — Hybrid Synthetic Environment: an ACT-R agent and a human face each other playing the role of assailant and defender;

    • HSGE — Hybrid Synthetic Group Environment: two teams, each constituted by humans and ACT-R agents face each other playing the role of assailant and defender.

In order to run these incremental simulations, we will initially collect an experimental dataset of cyber attacks, to be split into training and test sets. In particular, we will focus on spear phishing attacks, as delineated in section II. The datasets will be organized to instantiate classes and properties of the defined modular ontologies. Each level of the cognitive-based simulation will be conceived as a block composed of multiple

⁶ For instance, exploiting material from this portal: http://militaryontology.com/cyber-security-ontology.html
⁷ http://ontology.buffalo.edu/bfo/
⁸ http://www.w3.org/TR/owl-features/
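
Equation (1) of Section III.C, computed term by term and used for a retrieval decision, as an added example in Python; it is not code from the paper or from the ACT-R distribution. The chunks, slot values, attentional weights, association strengths, similarity scores and retrieval threshold are constructed for illustration around the spear-phishing case of Section II, and a single scalar MP is assumed for all slots.

```python
import math
import random
from dataclasses import dataclass, field

@dataclass
class Chunk:
    name: str
    slots: dict                                      # symbolic content: slot -> value
    references: list = field(default_factory=list)   # times the chunk was referenced

def base_level(chunk, now, d=0.5):
    """First term: ln sum_j t_j^(-d), with t_j the time since the j-th reference."""
    return math.log(sum((now - t) ** -d for t in chunk.references))

def spreading(chunk, context, strengths):
    """Second term: sum_k W_k * S_ki over the attended context elements k."""
    return sum(w * strengths.get((k, chunk.name), 0.0) for k, w in context.items())

def mismatch(chunk, request, similarity, mp=1.0):
    """Third term: sum_l MP * Sim_li (scalar MP assumed); Sim is 0 for equal
    values and negative otherwise, so every mismatch lowers the activation."""
    total = 0.0
    for slot, wanted in request.items():
        have = chunk.slots.get(slot)
        if have != wanted:
            total += mp * similarity.get(frozenset((wanted, have)), -1.0)
    return total

def activation(chunk, now, context, strengths, request, similarity,
               d=0.5, mp=1.0, sigma=0.0, rng=random):
    """Equation (1): base level + spreading + partial matching + N(0, sigma)."""
    noise = rng.gauss(0.0, sigma) if sigma > 0 else 0.0
    return (base_level(chunk, now, d) + spreading(chunk, context, strengths)
            + mismatch(chunk, request, similarity, mp) + noise)

def retrieve(memory, threshold, **params):
    """Return (chunk, activation) for the most active chunk, or (None, activation)
    when even the best candidate stays below the retrieval threshold."""
    best_a, best = max(((activation(c, **params), c) for c in memory),
                       key=lambda pair: pair[0])
    return (best if best_a >= threshold else None), best_a

# --- Constructed sample data (not from the paper) ---------------------------
NOW = 100.0
MEMORY = [
    Chunk("spear-phish-pdf",
          {"sender": "spoofed-acquaintance", "attachment": "pdf", "verdict": "malicious"},
          references=[84.0, 96.0]),     # referenced 16 and 4 time units ago
    Chunk("routine-mail",
          {"sender": "colleague", "attachment": "none", "verdict": "benign"},
          references=[96.0, 99.0]),     # referenced 4 and 1 time units ago
]
# Incoming e-mail: a "photo" attachment has never been stored, so only partial
# matching can connect it to the earlier PDF incident.
REQUEST = {"sender": "spoofed-acquaintance", "attachment": "photo"}
CONTEXT = {"external-link": 0.5, "urgent-tone": 0.5}               # W_k
STRENGTHS = {("external-link", "spear-phish-pdf"): 1.2,            # S_ki
             ("urgent-tone", "spear-phish-pdf"): 0.8,
             ("urgent-tone", "routine-mail"): 0.2}
SIMILARITY = {frozenset(("photo", "pdf")): -0.2,                   # Sim_li <= 0
              frozenset(("photo", "none")): -0.9,
              frozenset(("spoofed-acquaintance", "colleague")): -0.6}
PARAMS = dict(now=NOW, context=CONTEXT, strengths=STRENGTHS,
              request=REQUEST, similarity=SIMILARITY)

def spear_retrieval_rate(sigma, trials=2000, seed=7):
    """Fraction of noisy retrievals that still return the spear-phishing chunk."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        chunk, _a = retrieve(MEMORY, 0.0, sigma=sigma, rng=rng, **PARAMS)
        hits += chunk is not None and chunk.name == "spear-phish-pdf"
    return hits / trials

if __name__ == "__main__":
    for c in MEMORY:
        print(f"{c.name:16s} A = {activation(c, **PARAMS):+.3f}")
    # The routine chunk has the higher base level, yet context and a small
    # mismatch penalty let the spear-phishing chunk win the retrieval.
    print("mp=1 ->", retrieve(MEMORY, 0.0, **PARAMS)[0].name)
    # A larger MP makes matching strict: nothing clears the threshold.
    print("mp=5 ->", retrieve(MEMORY, 0.0, mp=5.0, **PARAMS)[0])
    print("sigma=1 retrieval rate:", spear_retrieval_rate(1.0))
```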




trials⁹. At the BSE level, the simulation aims at assessing the soundness of the cognitive
mechanisms executed by the agent, serving also as system debugging and evaluation of the
experimental settings. In the HSE, the agent will have to compete against humans, whose
potentially erratic behavior will be exploited by the agent as a primary source of acquisition
of cyber warfare strategies and mental representation of the opponent. Finally, in HSGE the
scenario will get more complex by shifting to a multi-agent framework, where each defending
agent will have to learn intra-group cooperation and build a mental representation of the
opponent as a group (whose members act complementarily and collectively to harm the defending
team).

    In the delineated experimental phase we plan to expand our previous work on applying
cognitive architectures to decision-making in non-zero sum games [29]: cooperative and
conflicting phenomena have been comprehensively studied using game theory [30], in which complex
social dynamics are narrowed down to relatively simplified frameworks of strategic interaction.
Valid models of real-world phenomena can provide better understanding of the underlying
socio-cognitive variables that influence strategic interaction: of course these models need to
be consistent with the structural characteristics of games, and with the actual everyday
situations at hand. In this respect, the goal of the planned cognitive simulations is to study
decision-making by deploying computational rational agents in cyber attack “gamified” scenarios.

B. Evaluation plans
    As recent studies have shown [31], training users to respond to cyber attacks becomes
effective only after several iterations. But high time-costs in training can expose
socio-technical systems to harmful consequences, with no chance of recovering stolen information
or, even worse, of fully restoring the functionalities of the system. Our approach aims to
improve cyber defense strategies and speed up the deployment of counter-measures. In particular,
we plan to assess the correspondence between the models’ simulations and the human behavior in
cyber-operations by analyzing human data in decision-making processes. Accordingly, we will
apply different analytical methods, such as computing means and standard errors (for decisions),
medians and the 1st and 3rd quartiles (for decision times) — similar approaches have been
successfully proposed in [32]. We will encode conversion functions in the system to format the
outputs as discrete decisions (e.g. “delete spear phishing email”, “scan for malware”,
“reactivate firewall”, etc.). Exploiting ACT-R's internal clock module, we will also be able to
reproduce decision times at human granularity scale, tracking the relevant stages of the
rational decision-making process.

                   V.     APPLICATION FRAMEWORK
    So far we have discussed the general requirements and described the high-level cognitive
structures of an intelligent system for decision support in cyber warfare. However, a product or
a solution based on these requirements and architecture will need to address specific problems
in the business domain. Furthermore, the end product would likely require integration with other
technical components and frameworks. We see an opportunity to apply the concepts described in
this paper for the development of an application capable of assessing and reducing information
systems vulnerabilities through live, virtual, and constructive (LVC) simulations. Such an
application can support a wide range of cyber defense objectives, including: (i) analysis of
cyber defense strategies and identification of network vulnerabilities through simulated
attacker-defender interaction in BSE – HSE – HSGE scenarios; (ii) training for cyber security
personnel with a suitable ACT-R agent simulating the attacker against human players; (iii)
validation and enhancement of the cognitive models developed with an attack counter-attack
scenario. To support LVC simulations, the application will need to work with existing
distributed modeling and simulation infrastructures, such as the High Level Architecture (HLA)¹⁰
or Testing and Training Enabling Architecture (TENA)¹¹. The key integration activities include:

    •   Identification and creation of reusable ‘objects’. A distributed modeling and simulation
        framework such as TENA encourages objects representing things such as targets and assets
        to be reused across simulations¹². In particular, within the intelligent decision
        support system, we see opportunities at two levels: 1) creation of reusable objects
        representing attackers and defenders (these objects can be used to simulate behaviors of
        the actors); 2) creation of reusable objects representing IT Infrastructure components
        that could be under cyber attacks (these objects model the commands and instructions
        that can be sent to various components and their responses).

    •   Integration of reusable objects into the middleware layer of the modeling and simulation
        framework. Figure 2 shows a reusable TENA object (representing cyber attackers) plugged
        into the middleware layer.

    •   Implementation of runtime knowledge sharing in the modeling and simulation framework. In
        the example shown in figure 2, the ACT-R cognitive model (representing the defender) is
        integrated with knowledge sources incrementally stored in ACT-R declarative memory
        module: a) modular cyber security ontologies, retrieved from the TENA Repository; and
        b) the modular ontologies of the scenario [1], incrementally stored in TENA Event Data
        Management.

9 Setting to 100 the number of trials should guarantee a satisfactory level of stochasticity in
  the results.
10 http://standards.ieee.org/findstds/standard/1516-2010.html
11 Test and Training Enabling Architecture (TENA): https://www.tena-sda.org/display/intro/Home
12 TENA object-oriented modeling features well fit our ontology-driven cognitive system.
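The analysis planned in "B. Evaluation plans" (means and standard errors for decisions, medians and 1st/3rd quartiles for decision times, over a block of 100 trials as in footnote 9) can be computed as follows. This is an added example, not code from the paper or from ACT-R: the per-action score format, the highest-score conversion function, the `gap` measure and all trial data are assumptions constructed for illustration.

```python
import math
import statistics

# Discrete decisions quoted in the paper's evaluation plan.
DECISIONS = ("delete spear phishing email", "scan for malware", "reactivate firewall")

def to_decision(scores):
    """Conversion function (assumed form): the highest-scoring known action wins."""
    known = {d: scores[d] for d in DECISIONS if d in scores}
    if not known:
        raise ValueError("no score for any known decision")
    # 'known' keeps DECISIONS order, so ties resolve to the earliest decision.
    return max(known, key=known.get)

def decision_stats(decisions, target):
    """Mean and standard error of the 0/1 indicator 'this trial chose target'."""
    hits = [1 if d == target else 0 for d in decisions]
    return statistics.mean(hits), statistics.stdev(hits) / math.sqrt(len(hits))

def time_stats(times):
    """Median plus 1st and 3rd quartiles of decision times (seconds)."""
    q1, med, q3 = statistics.quantiles(times, n=4, method="inclusive")
    return {"q1": q1, "median": med, "q3": q3}

def compare_block(model_trials, human_trials):
    """Summarise one block: model trials are (scores, time), human trials are
    (decision, time). 'gap' is the difference of means in units of the combined
    standard error (an illustrative correspondence measure, not the paper's)."""
    model = [(to_decision(s), t) for s, t in model_trials]
    report = {"times": {"model": time_stats([t for _, t in model]),
                        "human": time_stats([t for _, t in human_trials])}}
    for d in DECISIONS:
        m_mean, m_se = decision_stats([x for x, _ in model], d)
        h_mean, h_se = decision_stats([x for x, _ in human_trials], d)
        denom = math.hypot(m_se, h_se)
        gap = abs(m_mean - h_mean) / denom if denom else (0.0 if m_mean == h_mean else math.inf)
        report[d] = {"model": (m_mean, m_se), "human": (h_mean, h_se), "gap": gap}
    return report

def constructed_block(cuts, base, step, levels, n=100):
    """Constructed (not measured) block of n trials; cuts split every 10 trials."""
    trials = []
    for i in range(n):
        k = i % 10
        choice = DECISIONS[0] if k < cuts[0] else DECISIONS[1] if k < cuts[1] else DECISIONS[2]
        trials.append((choice, base + (i % levels) * step))
    return trials

# Model output is simulated as per-action scores; human data as recorded decisions.
MODEL_BLOCK = [({d: 0.9 if d == c else 0.1 for d in DECISIONS}, t)
               for c, t in constructed_block((6, 9), 1.0, 0.5, 5)]
HUMAN_BLOCK = constructed_block((5, 8), 1.5, 1.0, 4)

if __name__ == "__main__":
    for key, value in compare_block(MODEL_BLOCK, HUMAN_BLOCK).items():
        print(key, value)
```

A large `gap` for a decision, or non-overlapping interquartile ranges for decision times, marks where the simulated agent diverges from the human data in that block.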




       Figure 2 The Cognitive System realized in the TENA framework.

                         VI.     CONCLUSION
    The novelty of our approach relies on grounding a decision support system in a broad
spectrum of human-level cognitive functionalities blended with highly structured knowledge
resources. In particular, by focusing on learning mechanisms, context-driven semantic
specifications and scalable simulations, the obtained computational system can serve both as a
training environment for cyber personnel and as an autonomous team member operating in advanced
security settings. Our position paper aims at fostering the discussion within the communities of
interest and can play the role of a starting platform for a scientific project proposal.

                                 REFERENCES

[1]    R. Dipert, "Other-Than-Internet (OTI) Cyberwarfare: Challenges For Ethics, Law, and
       Policy," Journal of Military Ethics, vol. 12, no. 1, pp. 34-53, April 2013.

[2]    R. R. Dipert, "The Ethics of Cyberwarfare," Journal of Military Ethics, vol. 9, no. 4,
       pp. 384-410, December 2010.

[3]    M.I. Hwang, "Decision Making under time pressure: A model for information systems
       research," Information and Management, vol. 27, pp. 197-203, 1994.

[4]    Symantec. (2013, June) Symantec. [Online].
       http://www.symantec.com/about/news/release/article.jsp?prid=20130605_01

[5]    Brian Montopoli. (2013, May) CBS News. [Online].
       http://www.cbsnews.com/8301-201_162-57586624/how-chinese-hackers-steal-u.s-secrets/

[6]    (2013, May) Wall Street Journal. [Online].
       http://online.wsj.com/article/PR-CO-20130530-906764.html?mod=googlenews_wsj

[7]    J. C. Forsythe, A. Silva, S. Stevens-Adams, and J. Bradshaw, "Human Dimensions in Cyber
       Operations Research and Development Priorities," SANDIA Report 2012-9188, Technical 2012.

[8]    K. B. De Greene, Sociotechnical systems: factors in analysis, design, and management.:
       Prentice-Hall, 1973.

[9]    N. Guarino, E. Bottazzi, R. Ferrario, and G. Sartor, "Open Ontology-Driven Sociotechnical
       Systems: Transparency as a Key for Business Resiliency," in Information Systems:
       Crossroads for Organization, Management, Accounting and Engineering., 2012, pp. 535-542.

[10]   John R. Anderson and Christian J Lebiere, The Atomic Components of Thought.: Erlbaum,
       1998.

[11]   John R. Anderson and Christian Lebiere, "The Newell Test for a theory of cognition,"
       Behavioral and Brain Sciences, vol. 26, no. 5, pp. 587-637, 2003.

[12]   Allen Newell, Unified Theories of Cognition. Cambridge, Massachusetts: Harvard University
       Press, 1990.

[13]   H. Simon, "Bounded Rationality and Organizational Learning," Organization Science, vol. 2,
       no. 1, pp. 125-134.

[14]   M. Wooldridge, Reasoning about Rational Agents. Cambridge, MA, United States of America:
       The MIT Press, 2000.

[15]   R. Sun, Cognition and Multi-agent Interaction, R. Sun, Ed.: Cambridge University Press,
       2006.

[16]   Paul Bello, "Cognitive Foundations for a Computational Theory of Mindreading," Advances
       in Cognitive Systems, vol. 1, pp. 59-72, 2012.

[17]   A. Oltramari and C. Lebiere, "Knowledge in Action: Integrating Cognitive Architectures
       and Ontologies," in New Trends of Research in Ontologies and Lexical Resources,
       Alessandro, Vossen, Piek Oltramari, Lu Qin, and Ed. Hovy, Eds.: Springer, pp. 135-154.

[18]   J. Ball, S. Rodgers, and K. Gluck, "Integrating ACT-R and Cyc in a large-scale model of
       language comprehension for use in intelligent agents," in Papers from the AAAI Workshop,
       Menlo Park, CA, pp. 19-25.

[19]   B. J. Best, N. Gerhart, and C. Lebiere, "Extracting the Ontological Structure of OpenCyc
       for Reuse and Portability of Cognitive Models," in Proceedings of the 17th Conference on
       Behavioral Representation in Modeling and Simulation, 2010.

[20]   S. Douglas, J. Ball, and S. Rodgers, "Large declarative memories in ACT-R," in
       Proceedings of the 9th International Conference of Cognitive Modeling, Manchester, UK.

[21]   H. Stuckenschmidt, C. Parent, and S. Spaccapietra, "Modular Ontologies - Concepts,
       Theories and Techniques for Knowledge Modularization," 2009.

[22]   J. R. Anderson, How Can the Human Mind Occur in the Physical Universe? New York: Oxford
       University Press.

[23]   A. Stocco, C. Lebiere, and J. R. Anderson, "Conditional Routing of Information to the
       Cortex: A Model of the Basal Ganglia's Role in Cognitive Coordination," Psychological
       Review, vol. 117, no. 2, pp. 541-574, 2010.

[24]   C. Lebiere, Constrained Functionality: Application of the ACT-R Cognitive Architecture to
       the AMBR Modeling Comparison. Mahwah, NJ: Erlbaum, 2005.

[25]   The MITRE Corporation, "Science of Cyber-Security," The MITRE Corporation, McLean, VA,
       Technical 2010 (extract).

[26]   D. A. Mundie and D. M. McIntire, "The MAL: A Malware Analysis Lexicon," CERT® Program -
       Carnegie Mellon University, Technical 2013.

[27]   Randall Dipert, "The Essential Features of an Ontology for Cyberwarfare," in Conflict and
       Cooperation in Cyberspace - The Challenge to National Security, Panayotis A
       Yannakogeorgos and A. B. Lowther, Eds.: Taylor & Francis, 2013, pp. 35-48.

[28]   A. Oltramari and C. Lebiere, "Using Ontologies in a Cognitive-Grounded System: Automatic
       Action Recognition in Video Surveillance," in Proceedings of STIDS 2012 (7th
       International Conference on "Semantic Technology for Intelligence, Defense, and
       Security"), Fairfax, VA, 2012.

[29]   A. Oltramari, C. Lebiere, N. Ben-Asher, and C. Gonzalez, "Strategic Dynamics Under
       Alternative Information Conditions," in Proceedings of ICCM 2013 (International
       Conference of Cognitive Modeling), Ottawa, 2013.

[30]   A. Rapoport, M. J. Guyer, and D. G. Gordon, The 2 x 2 game. Ann Arbor, MI: University of
       Michigan Press, 1976.

[31]   B. M. Bowen, D. Ramaswamy, and S. Stolfo, "Measuring the Human Factor of Cyber Security,"
       Homeland Security Affairs, vol. 5, no. 2, 2012.

[32]   J. N. Marewski and K. Mehlhorn, "Using the ACT-R Architecture to specify 39 quantitative
       process models of decision making," Judgement and Decision Making, vol. 6, pp. 439-519,
       August 2011.

[33]   J.E. Laird, The SOAR Cognitive Architecture. USA: The MIT Press, 2012.

[34]   C. L. Dancy, F. E. Ritter, and F. E. Berry, "Towards adding a physiological substrate to
       ACT-R," in Proceedings of the 21st Conference on Behavior Representation in Modeling and
       Simulation, Amelia Island, FL, 2012, pp. 78-85.



