Ontology-based Adaptive Systems of Cyber Defense Noam Ben-Asher⇤‡ , Alessandro Oltramari† , Robert F. Erbacher⇤ , Cleotilde Gonzalez† ⇤ U.S. Army Research Laboratory Adelphi, MD, USA nbenash@us.ibm.com, robert.f.erbacher.civ@mail.mil † Carnegie Mellon University Pittsburgh, PA, USA aoltrama@andrew.cmu.edu, coty@cmu.edu ‡ IBM T.J.Watson Research Center, Yorktown Heights, NY Abstract—In this paper we outline a holistic approach computational cognitive agent can be used to understand the for understanding and simulating human decision making in human analyst reasoning process, which may then serve as knowledge-intensive tasks. To this purpose, we integrate semantic guide to develop decision support technology for the analyst. and cognitive models in a hybrid computational architecture. The contribution of the paper is twofold: first we describe a packet- II. K NOWLEDGE M ODEL centric ontology to represent network traffic. We show how the ontology is used to describe real-world network traffic and also From a cyber security standpoint, variations in network traf- serve as a basis for higher level ontologies of cyber operation, fic are the primary prompts of analyst’s behavioral responses; threat and risk. Second, we demonstrate how the combination nevertheless, full situational awareness can emerge only from of the packet-centric ontology with an adaptive cognitive agent with learning capabilities, can be used to understand the human a projection of observations and decisions into a more com- defender reasoning processes when monitoring network traffic. prehensive context that includes knowledge about threat and Through simulation experiments we evaluated the proposed attack types, executable defensive maneuvers, system vulner- hybrid computational architecture and demonstrate its ability abilities, risk mitigation and time constraints, among others. 
to successfully detect malicious port scanning within legitimate In this regard, building a rigorous model of this complex network traffic. We discuss the implications of these findings for improving our understanding of the cognitive processes and context is a key requirement for the study of human decision knowledge requirements of the cyber defender, as well as the making in cyber security. Computational ontologies are the possible use of the hybrid architecture as a cognitively inspired knowledge component in this holistic approach, as they can decision support tool. provide a machine-readable semantic representation of cyber scenarios. In virtue of their logical properties and schematic I. I NTRODUCTION structure, ontologies can be used by automatic reasoners in Disruption of computers and the loss of sensitive infor- dynamic tasks: in particular, in our work we apply ontology- mation through cyber-attacks are becoming a widespread based reasoning to a detection task, where an agent simulates threat and a critical concern for citizens, organizations, and a human analyst’s cognitive capabilities, including the capa- governments. Even with recent advances in information and bility of using domain knowledge and temporal information network security and the development of new monitoring to reason about perceived events [6]. To this purpose, we and threat detection tools, many of the tasks performed by engineered a packet-centric ontology of network traffic, a cyber-defenders (i.e., security analysts) remain challenging, module of a larger ontology framework called CRATELO [7], resulting in weak and uncertain cyber-defense. The analytical the suite of modular ontologies under development in the U.S. capabilities of the human decision maker are needed and indis- Army Research Laboratory Cyber Security Collaborative Al- pensable for the process of cyber-defense [1]. Security analysts liance. 
CRATELO is constituted of several domain ontologies transform network traffic data into cyber situation awareness, a (collectively indicated as OSCO), integrated on the basis of high level of processing that is difficult to automate [2]. This DOLCE top level [8] extended with a security-related middle process may be seen as analogous to the Data-Information- layer. These top, middle and domain level ontologies currently Knowledge-Wisdom (DIKW) hierarchical model that is central add up to 330 classes, connected by 162 relationships (132 for information and knowledge management [3]. Within this object properties and 30 datatype properties) and encoded in context, cognition serves as the driver that governs the transi- OWL-DL. The packet-centric ontology presented in this paper, tions between the different levels of information representation henceforth abbreviated to PACO, is a partition of OSCO1 . [4]. While there is a large body of research on technologies Our reseach efforts in developing CRATELO are inspired by that detect port scanning [5], there is a limited understanding Obrst and colleagues’s proposal of a wide-ranging ontology of the cognitive processes cyber security analysts use to detect framework of cyber security [9], that spans from top-level, port scanning and specifically how these cognitive abilities system-oriented ontologies and human factors ontologies. In interact with and information representation. In this regard, 1 CRATELO stands for ‘Three Levels Ontology for the ARL the contribution of this paper is twofold: first we describe a Collaborative Research Alliance’. OSCO stands for ontology of packet-level ontology that represents network traffic. Second, cyber operations. For more details about the program see also: we demonstrate how the integration of this ontology with a http://www.arl.army.mil/www/default.cfm?page=1417 STIDS 2015 Proceedings Page 34 this long-term endeavour, we have been working with ARL to desired outcomes. 
According to IBLT, the decision maker domain experts and cyber analysts to distill the necessary represents decision making situations as instances stored in knowledge of the cyber domain. As the state of the art shows, memory. An instance is composed of three parts: (1) situation a preliminary step in understanding any new domain is to (S) a set of attributes representing a situation; (2) decision (D) produce accessible definitions and classifications of entities that is made in the particular situation; and (3) utility (U) that is [10]: discussions on cyber security often begin with the the experienced outcome from a decision. The IBLT decision difficulties created by misused terminology (such as char- cycle includes several stages: recognition, judgment, choice, acterizing cyber espionage as an attack). In this regard, the and execution. In the Recognition stage, a decision maker Joint Chiefs of Staff created a list of cyber term definitions identifies relevant attributes for a specific decision situation. (allegedly extended and refined for a classified version). None Judgment stage determines the relevancy of past experiences of these definitions, however, were formulated as an ontology. (instances) in current decision making situation. The activation Likewise, various agencies and corporations (NIST, MITRE, of instances in memory is a representation of relevancy. Acti- Verizon) have formulated enumerations of types of malware, vation is influenced by the recency and frequency an instance vulnerabilities, and exploitations. In particular MITRE, which occurred in the past and the similarity between the current has been very active in the field, maintains two dictionar- decision situation and the situation stored in the instance. This ies, CVE (Common Vulnerabilities and Exposure) and CWE activation mechanism is a simplification of the mechanism (Common Weakness Enumeration), a classification of attack originally proposed in the ACT-R architecture. 
Memory ac- patterns (CAPEC - Common Attack Pattern Enumeration and tivation determines the probability that an instance will be Classification), and an XML-structured language to represent retrieved from memory and participate in the next phase. In cyber threat information (STIX - Structure Threat Information the absence of previous experiences that may be relevant to Expression). the current situation, pre-defined heuristics are triggered for Despite of the important role played by these and further decision making. In the Choice, the retrieved instances and initiatives, the lack of a shared formal semantics make ter- their retrieval probability are used to calculate the expected minologies hard to define, sustain, and port into a machine- utility for each of the decision options, and the option with processable format: here we try to overcome these problems, the highest expected utility is chosen. Finally, in the Execution, embracing a holistic approach to model cyber security factors. feedback regarding the last decision is provided to the decision In fact, if the ontology outlined in this paper is tailored to a maker [11]. In this work, we chose IBL to model the decision packet-centric model of network traffic, it can be framed at a making as it captures the adaptive human decision making higher level of conceptualization by means of the integration and learning processes in dynamic environment as well as the with CRATELO: for instance, when modeling the behavior of transition between exploration and maximization. a cyber analysts during an attack, packets can be seen as parts Agents based on IBL models successfully account for of the evidence collection process, and specific attributes of human decision making and behavior in a variety of tasks. packets (e.g. internal or external IP addresses, low or high Lejarraga et al. [14] demonstrate that a single IBL model packet rate, etc.) 
may hint to specific intentions of the adver- constructed for a specific repeated binary choice task can be sary (also called anti-goals). As mentioned at the beginning of generalized to different variants of repeated tasks requiring a the section, ontologies can serve as knowledge bases to agents: binary decision as well as to probability learning tasks. More conversely, the dynamics of the agent’s decision process and specifically, IBL models can reflect human behavior in simple learning from experience are captured by an Instance-based stimulus-response practice and skill acquisition tasks and train- Learning (IBL) cognitive model [11], which is a computational ing. Furthermore, the experience-based learning process of an representation of the processes that guide human behavior. IBL model was successfully extended to include descriptive Next section reviews what cognitive models are, and how they information and biases as risk aversion [15]. A pair of IBL can be used to study human decision making. models successfully consider the dynamics of cooperation in iterated Prisoner’s Dilemma as well as reciprocity and other III. C OGNITIVE M ODEL complex social interactions [16], [17]. In a dynamic decision making setting, cognitive architec- tures, such as ACT-R [12], SOAR [13] and others, have IV. A PACKET-C ENTRIC N ETWORK O NTOLOGY been commonly used to provide an integrated representation In this section we describe the structure of PACO, and how of human cognition. Cognitive models, constructed using it can be used to instantiate thousands of packets generated these architectures, allow for a careful examination of various by capturing actual network traffic. As Fig. 1 shows, the cognitive processes that drive human decision making [11]. class ‘PacketTransmission’ is considered the atomic element Cognitive models based on IBL theory (IBLT) focus on of a ‘NetworkSession’. 
Intuitively, this means that without an decision making and learning from experience in dynamic actual exchange of packets between a source and a destination settings [11]. IBLT emerging from ACT-R, proposes a generic node, no network session can be deemed as properly complete. decision-making process that recognizes decision situations, In fact, there are additional features of network sessions: generates instances through the interaction with the decision for instance, when considering TCP connections, a complete task, and finishes with reinforcement of the instance leading handshake with SYN, SYN+ACK and ACK packets transmis- STIDS 2015 Proceedings Page 35 Fig. 1. A Protégé visualization of PACO. From the bottom-left corner (clockwise): 1) The DL expressivity derived by the HermiT 1.3.8 reasoner; 2) the backbone taxonomy of classes; 3) an informal definition of packet transmission as value of annotation property; 4) property restrictions. sion is necessary to enable a packet transmission between two former is more appropriate than the latter for the simulation nodes, though this is not the case for communication protocols experiment reported in the next section, since the dataset was like UDP, where handshake dialogues are not supported. Fol- collected with a rate of about 83 packets per second. In other lowing the actual packet transmission between the two network words, in our specific cyber scenario knowing the sequence of nodes and after the data are exchanged, a session is usually events is more meaningful than knowing the real time stamps resetted (although this final stage is not essential to qualify from the defender’s perspective, although - to be general it as complete - and session can also end due to a timeout). enough - the ontology has to support both representational In summary, when a communication between a source and a formats. As depicted in Fig. 
2, the role of a packet in the destination node is established, a complete network session handshake sequence can be captured by three booleans data consists of the transmission of a unit of data from source A to properties, respectively ‘has tcp.flags.syn’, ‘has tcp.flags.ack’ destination B, and of the transmission of a unit of data from and ‘has tcp.flags.reset’. In the ‘PacketTrasmission1024’ case, source B to destination A. From the ontological standpoint, however it is unclear whether this packet represents the first this constraint is represented by the cardinality restriction ‘min stage of a handshake or is part of a port scanning [19]. This 2’ on the object property ‘has member’ holding between ‘Net- can be resolved by evaluating the properties of the proceeding workSession’ and ‘PacketTransmission’ classes, respectively packet exchange (i.e., session) between the two nodes. As the the domain and the range of ‘has member’. next section will show, we conducted an experiment to elicit Apart from network-specific information associated to source relevant information from instantiated ontology, and make the and destination nodes, like IP and port numbers, communi- resulting knowledge chunks available to the cognitive model cation protocols, packet size, etc., we have introduced a data of a cyber defender. This process of knowledge elicitation property ‘has time stamp’ that assigns a specific time stamp from PACO is driven by a set of SPARQL queries3 , properly to each network event and a data property ‘has order’ that designed to extract and present relevant information that an binds each individual network event to its relative position in agent can use to decide whether a specific event is a threat or a given sequence (the first event, the second event, etc.). This not. For instance, the query in Fig. 
3 is designed to collect all twofold modeling choice provides us with a flexible model the pairs of distinct source and destination ports in the dataset of temporal knowledge: 1) it pinpoints the discrete temporal of network events: on the basis of the retrieved information, coordinates of each event according to a universal time format an analyst can gauge the volume of network traffic on a per (based on the XML schema specifications2 ); 2) it allows for unique port basis; moreover, Fig. 4 represents a query built to representing and reasoning over qualitative temporal relations assess how many times a given source has sent a packet to a like ‘before’, ‘after’, and ‘overlap’, as defined by Allen’s closed port. In the latter case, the returned result, around one temporal axioms [18]). Figure 2 shows a situation where the thousand times, can be used as a clue of the maliciousness of ordinal scale of the packet is captured (i.e., the 1024th packet) the source: so many attempts of communication with closed but the time stamp is not represented: the reason is that the ports may, in fact, suggest a port scanning attack. Note that 2 http://www.w3.org/TR/xmlschema11-2/ 3 http://www.w3.org/TR/rdf-sparql-query/ STIDS 2015 Proceedings Page 36 Fig. 2. A Protégé visualization of a specific instance of the ‘PacketTransmission’ class. both queries have been used dynamically in the experiment PREFIX owl: described in the next section, where the goal is to replicate the PREFIX xsd: PREFIX rdfs: analyst’s incremental understanding of the considered cyber PREFIX IBLOd: scenario. SELECT DISTINCT ?srcport ?dstport WHERE {{?event IBLOd:member IBLOd:NetworkTraffic-041215; Following a basic modeling strategy, in PACO we directly IBLOd:has_src_port ?srcport; IBLOd:has_dst_port ?dstport; assign specific data sizes to each network event through IBLOd:has_source_node ?s; the data property ‘has frame length’: an alternative option IBLOd:has_destination_node ?d; IBLOd:has_order ?order. 
would have been to introduce the class ‘Packet’ (a subclass FILTER(?order >= "1"ˆˆxsd:positiveInteger && of ‘information object’ in DOLCE), and use the object prop- ?order<= "4735"ˆˆxsd:positiveInteger).}} erty ‘participation’ to link ‘Packet’ and ‘PacketTransmission’, switching the domain of the data property ‘has frame length’ Fig. 3. A SPARQL query that returns all the distinct combinations of source from PacketTransmission’ to ‘Packet’. At the current stage of and destination ports for a packets exchange sequence between two nodes. development, representing the data contents of packet trans- missions doesn’t add any fundamental benefit to our modeling framework, although we don’t exclude this option in the future. be used by the decision maker at the cyber operation level. In Additional semantic structures of PACO concern network principle, using CRATELO we can also model beliefs, goals topology and services: for instance, every network node runs and emotions of defenders and attackers, although it’s beyond a set of services, and each service uses an official commu- the scope of the current work to address these dimensions. nication port and a specific protocol to establish a network session with another node. It follows that when a port is open, a service is running on a node, and if a port is closed, no services are currently running for that particular node. Thanks to the interoperability between PACO and CRATELO, services V. U SING H YBRID M ODELS IN C YBER D EFENSE can be modeled in the context of user’s actions: for instance, a system administrator can decide to start or stop an HTTP Next, we examine the interplay between knowledge and service, or access to the event log service on a server. 
By and cognition in cyber defense by integrating the packet-centric large, the originality of our approach relies on the flexibility in ontology with cognitive agents who make decisions regarding the granularity of the representation: PACO is only a module the state of a network into a hybrid computational architecture. of a more comprehensive framework that sees the detection as For the packet-centric knowledge-base we use PACO and the a socio-technical task, where packet-centric information can agents are computational models of the IBL theory. STIDS 2015 Proceedings Page 37 PREFIX owl: TABLE I PREFIX xsd: PAYOFF MATRIX WHICH DETERMINING THE FEEDBACK FOR AN AGENT PREFIX rdfs: MAKING A DECISION IN A GIVEN SITUATION PREFIX IBLOd: SELECT (COUNT(?order) AS ?numberOfACKResponses) Agent’s Decision WHERE {?event IBLOd:member IBLOd:NetworkTraffic-041215; Scan No Scan IBLOd:has_source_node ?sn; Scan Hit: 10 Miss: -10 IBLOd:has_destination_node ?dn; Packet Type IBLOd:has_tcp.flags.syn false; No Scan False alarm: -5 Correct Rejection: 5 IBLOd:has_tcp.flags.ack true; IBLOd:has_tcp.flags.reset true; IBLOd:has_order ?order. FILTER (?order >= "1"ˆˆxsd:positiveInteger && Where p is the protocol type (e.g., TCP, HTTP) of the ?order <= "4735"ˆˆxsd:positiveInteger).} packet, sIP and dIP are the source and destination IP addresses of the packet. SY N , ACK and RST are 1-bit Fig. 4. A SPARQL query that returns the number of times a source node boolean flags that indicate on the state of a connection. sent packets to a closed port on the destination node. The agent observed a situation Si and made a decision which corresponds to classifying a packet as being part of a A. Port Scanning Scenario scan or not. This decision process involves retrieving relevant instances (i.e., past experiences) from the agent’s memory, Port scanning is designed to probe network nodes for open computing retrieval probability for each of the instances and, ports. 
The existence of an open port can provide some indi- choosing the decision option that yields the highest expected cation on the availability of services. This type of information utility, based on the previous decisions recorded in the in- gathering can be part of a defensive or offensive operation. stances. The process of choosing the option with the highest From the attacker’s perspective, a port scan is useful for gather- expected utility is influenced by the recency and frequency of ing relevant information for launching a successful attack and past experiences, memory decay (d) and a noise parameter for indeed most attacks are preceded by some form of scanning capturing the variability in memory activation ( ) [11]. activity (reconnaissance), particularly vulnerability scanning After making a decision, the agent received a utility feed- [20]. Therefore, the defender will try to detect external scans back, representing the outcome of the decision in a given while the attacker interest is to perform a scan without being situation. The experienced utility (i.e., payoff) is determined detected [21]. based on the payoff matrix illustrated in Table I. The payoff In this work, we assume first that the attacker uses external that an agent receives following a decision, is determined resources to identify the attack IP address (i.e., the target). by the accuracy of the decision, based on the ground truth, Following, the attacker identifies port ranges to scan on the detailed in section V-C. The payoffs in the matrix emphasize specific target. These are the ports for services for which the the positive and negative utilities from hits and misses over attacker has sophisticated attacks available. We also assume, correct rejections and false alarms. that the target is using standard ports and not randomized 2) Semantic Information and Experience Agent: In contrast ports. 
Thus, knowing that a port is open provides an accurate to the previous agent model, this agent can send SPARQL indication that a service is running on the target. queries to the PACO ontology, that provides specific knowl- B. Cognitive Models for Port Scanning Detection edge of the scenario, temporal information and augmented To better understand the interplay between cognition and situational awareness. As such, this model observes the same knowledge and how semantic information supports the ongo- situation as the Experience Only agent: however, instead of ing work of the cyber defender, we developed two cognitive using this information to make a decision, the agent uses the models for cyber defender agents. Both agents observe a information to generate queries (which, in turn, provides richer situation, make decisions whether there is a scan or not, information). Using PACO, the agent can generalize from and learn from feedback and past experiences. However, the and reason about the characteristics of a sequence of packets one agent operates without the knowledge based provided by transferred from one network node to the other. Therefore, PACO, while the other is querying PACO to acquire temporal the situation observed by the agent consist of the outputs information and situational awareness. from multiple queries regarding the conversation between two 1) Experience Only Agent: To examine the interplay be- specific IP addresses, where one is the source and the other tween information, cognition and knowledge, we initially con- is the destination. The situation for any packet, transmitted structed an agent using an IBL model which classifies network between a source and a destination IP addresses, is given by events based on their attributes and learns from experience only. 
The decision making process of this IBL agent depends Si = {p, sP orts, dP orts, avgSY N, avgACK-RST } (2) on the low level network traffic information, and the agent could learn only from its own experiences without the ability Where the attributes of the situation represent properties of to acquire knowledge by querying the ontology. The situation a communication between source and destination IPs, using as observed by the agent in this condition is given by protocol p. The communication consists of a sequence of packets exchanged between the two network nodes up to the Si = {p, sIP, dIP, SY N, ACK, RST } (1) current packet. Thus, the agent can examine each packet within STIDS 2015 Proceedings Page 38 the context of a sequence. Given the source IP of the current package, attribute sP orts indicates on the average number of ports in the source node that sent packets to the destination node. Similarly, attribute dP orts indicates how many ports in the destination node received packets from the source. The attribute avgSY N describes the average ratio between SYN packets and normal traffic recived from the source of the packet. Attribute avgACK-RST provides complementary information, the average ratio of between ACK-RST packets and normal traffic the destination sent back to the source. This type of answer indicates that the packet was sent to a closed port (i.e., a port that is not used by any service on the target node). Based on the set of attributes described above, the Semantic information and Experience agent classified packets. The Fig. 5. Proportions of hits and false alarms for the two agents. Semantic information and Experience agent received feedback for these decisions using the same payoff matrix as the Experience Only agent. 3) Learned classification rule indicates on the decision rule the agents constructed from the repeated experi- C. Simulation Experiment ences. We evaluated the differences between the two agent models VI. 
R ESULTS through simulation experiment. In the experiment, agents classified the packets captured from the traffic in a small In this section, we show our experimental results and ana- network with 16 nodes (i.e., unique IP addresses). The cap- lyze the observed trends based on the performance comparison tured communication between the network nodes included of the two modeling approaches. 4735 packets. The nodes used several types of protocols to Correct packet classification When analyzing the ability exchange packets, for example SMB and SSL. However, the of the agents to classify correctly a scan packet, and as majority of the traffic (99.56%) used the TCP protocol. Within seen in Fig. 5, we find that the Experience Only agent this network, the adversary was located in a node with the IP (mean=.999, SD=0) and the Semantic Information and Experi- address of 192.168.1.8. The adversary used a specific port to ence agent (mean=.992, SD=.002) performed similarly with a scan the 1000 common ports of the target node (192.168.1.3) minor advantage to the Experience Only agent, t(38)=.387, using Nmap defaults [22]. This information was not provided p=ns. However, the Semantic Information and Experience to the agents and served as the ground truth for evaluating the agent (mean=.050, SD=.077) generated a significantly higher detection performance of the agents and providing them with number of false alerts compared to the Experience Only agent feedback. The captured network traffic was converted into an (mean=.004, SD=0), t(38)=2.661, p=.011. XML data structure that was used to populate PACO and the Correct detection of scanning sequence utilizes the classi- Semantic Information and Experience agent could then query fication of a packet as belonging to a scan or to normal traffic using SPARQL. The output of the SPARQL queries served as between two network nodes. This high level decision aims the attributes of a situation as described in Eq. 2. 
to answer the question whether network node A is scanning The values of the free parameters across the two agents network node B. With respect to this question, if the network were kept the same, with d = 1.5 for memory decay and traffic from node A to node B includes one or more packets = .25 for noise. These values are considered to be the that are classified as scan packets, then node A is scanning ACT-R defaults and are commonly used for IBL models as node B. When analyzing the ability of the two agents to answer well [23]. Each agent classified the 4735 packets and received the question whether node A is scanning node B, both agents feedback following each decision, and this was repeated for detected that the adversary was scanning a specific network 20 iterations. node (i.e., 192.168.1.8 SY N scan ! 192.168.1.3). However, the To compare the performance of the Experience Only agent Experience Only agent detected on average additional 2.3 out with the Semantic Information and Experience agent we used of 22 sequences between network nodes as scans (i.e., 10% the following metrics: false scans), while the decisions of the Semantic Information 1) Correct packet classification indicates on the propor- and Experience agent yielded 0 false classification of packet tion of packets classified correctly as being a Scan or sequences. Despite the higher false classification rate of inde- No Scan packet. vidual packets the Semantic Information and Experience agent 2) Correct detection of scanning sequence indicates on had, all these false classified packets belonged to the responses the proportion of conversations between two IPs that of the scanned node (ACK packets) to the adversary scan (i.e., ACKresponse were correctly classified as scans. 192.168.1.3 ! 192.168.1.8). STIDS 2015 Proceedings Page 39 an ongoing scan between the source of the packet and its destination. This rule yields high accuracy in detecting scan packets as all the scan packets had a SYN flag. 
Fig. 6. Detection outcomes of the Experience Only agent during a single iteration, with black arrows highlighting false classifications of packets, red cross marks indicating sequences of packets that were incorrectly classified as scans, and a green check mark for correct classification.

Fig. 7. Detection outcomes of the Semantic Information and Experience agent during a single iteration, with a green check mark indicating the correct classification of a packet sequence.

Figures 6 and 7 illustrate the interplay between packet classification and sequence classification. In both figures we present the same network sequences and how the packets were classified by each agent. As seen in Fig. 6, the Experience Only agent generated a very low number of false alerts (highlighted by arrows). However, the packets corresponding to these alarms were distributed across multiple sequences; as a result, each such sequence was classified in its entirety as a scan. On the other hand, as seen in Fig. 7, the false alerts generated by the Semantic Information and Experience agent were all part of the communication from the scanned node back to the source of the scan. Note that both agents were able to separate out the legitimate traffic between 192.168.1.8 and 192.168.1.3 that was not part of the scan and used UDP and other protocols.

The learned classification rule used by each agent can be formalized by examining the instances stored in the memory of each agent and their activation. The combination of attributes and decision in highly activated instances represents beliefs regarding the relationship between a situation and the appropriate decision. The decision rule formulated by the Experience Only agent was that any TCP packet with a SYN flag is part of an ongoing scan between the source of the packet and its destination. This rule yields high accuracy in detecting scan packets, as all the scan packets had a SYN flag. However, packets with a SYN flag are also part of the legitimate handshake between network nodes, and for that reason the Experience Only agent detected a higher proportion of packet sequences as scans. In contrast, the Semantic Information and Experience agent observed the temporal properties of a packet sequence. The decision rule formulated by this agent suggests that a scan packet uses the TCP protocol and is part of a sequence of packets in which the source node uses a low number of source ports to send packets to a high number of destination ports, and the average number of SYN packets sent to a port is very close to 1. In addition, the rule constructed by the Semantic Information and Experience agent indicates that, based on experience, the target node of the packet is very likely to respond to the current packet with an ACK-RST packet, indicating that the destination port of the packets coming from the source node tends to be closed.

VII. DISCUSSION AND CONCLUSION

The analytical capabilities of the human decision maker are needed and indispensable when ensuring the security of any cyber infrastructure. It is the human ability to integrate information, to reason, to learn and to quickly adjust to changes that makes such a significant contribution to cyber security. Understanding these processes relies on integrating knowledge from human cognitive theories and knowledge-based technologies. In this study we propose an architecture that combines cognitive models and ontologies in the domain of cyber defense.

We developed a packet-centric ontology, PACO, which allows us to represent and capture the atomic elements of network communication, i.e., packets and sequences of packets. PACO serves as the basis for more holistic semantic representations of cyber operations, cyber assets, threats and risks, available through CRATELO. We also developed an IBL cognitive model capable of accessing the information in PACO and using it when detecting an adversarial port scan. When making decisions, the ability of the IBL agent to access PACO and retrieve information improved its performance compared to the same IBL agent without PACO. We show that when answering the question 'Is IP A scanning IP B?', an agent with access to a packet-centric ontology delivers a much lower false alert rate and thereby superior performance. Overall, access to semantic information allowed the agent to acquire better situation awareness by incorporating summarized information into the decision making process. PACO extended the agent's ability to inspect the temporal relationship between a packet sent from a specific source and the previous replies of the packet's destination to communication coming from that source. Such reasoning requires a representation of a source and a destination, as well as the ability to switch between these roles in order to observe the response patterns. The agents explored rules in the form IF a situation THEN a decision, and learned which rule maximizes their payoff. While the attributes of the situation part are influenced by the availability of information, the cutoff values of the attributes were learned from experience. Furthermore, the decision rule that the agent with access to a packet-centric ontology learned from experience is valid and useful beyond the limited scope of the network scenario we used in the study.
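The two learned rules (Section VI) and the source/destination role switch described above can be written down and scored with the paper's two metrics. The Python below is an added example, not code from the paper or from the IBL agents: the traffic is constructed, sequences are keyed by (source, destination, protocol), and the cutoff values in `semantic_rule` (at least 10 destination ports, source ports at most a quarter of destination ports, average SYN per destination port within 0.1 of 1, at least half of the reverse-direction packets RST-ACK) are assumptions standing in for the cutoffs the agent learned from experience.

```python
"""Illustrative re-implementation of the two learned port-scan rules and the
paper's two metrics. Added example: the traffic is constructed, not a capture
from the study, and every cutoff value is an assumption."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "TCP" or "UDP"
    flags: str  # TCP flag letters: S=SYN, A=ACK, R=RST, P=PSH; "" for UDP


SCANNER, TARGET, CLIENT = "192.168.1.8", "192.168.1.3", "192.168.1.5"


def seq_key(p):
    # Assumption: a "sequence" is one direction of one protocol between two hosts.
    return (p.src, p.dst, p.proto)


def build_traffic():
    """Constructed sample: a 20-port SYN scan, one legitimate HTTP handshake, one DNS exchange."""
    pkts, t = [], 0.0
    for i, port in enumerate(range(20, 40)):
        sport = 40000 + (i % 2)  # few source ports, many destination ports
        pkts.append(Packet(t, SCANNER, sport, TARGET, port, "TCP", "S"))
        reply = "SA" if port == 22 else "RA"  # one open port, the rest closed
        pkts.append(Packet(t + 0.001, TARGET, port, SCANNER, sport, "TCP", reply))
        t += 0.01
    pkts += [Packet(t, CLIENT, 50123, TARGET, 80, "TCP", "S"),
             Packet(t + 0.001, TARGET, 80, CLIENT, 50123, "TCP", "SA"),
             Packet(t + 0.002, CLIENT, 50123, TARGET, 80, "TCP", "A"),
             Packet(t + 0.003, CLIENT, 50123, TARGET, 80, "TCP", "PA"),
             Packet(t + 0.004, TARGET, 80, CLIENT, 50123, "TCP", "PA")]
    pkts += [Packet(t + 1.0, SCANNER, 51000, TARGET, 53, "UDP", ""),
             Packet(t + 1.001, TARGET, 53, SCANNER, 51000, "UDP", "")]
    return pkts


def ground_truth(pkts):
    """Only the scanner's TCP probes are scan packets; the target's replies are not."""
    return [p.src == SCANNER and p.dst == TARGET and p.proto == "TCP" for p in pkts]


def sequence_features(pkts):
    """Per-sequence statistics, including a look at the reverse direction (the role switch)."""
    seqs = defaultdict(list)
    for p in pkts:
        seqs[seq_key(p)].append(p)
    feats = {}
    for (src, dst, proto), ps in seqs.items():
        n_sport = len({p.sport for p in ps})
        n_dport = len({p.dport for p in ps})
        syn = sum("S" in p.flags for p in ps)
        rev = seqs.get((dst, src, proto), [])  # what the destination sent back
        rst_ack = sum("R" in p.flags and "A" in p.flags for p in rev)
        feats[(src, dst, proto)] = {
            "n_sport": n_sport,
            "n_dport": n_dport,
            "syn_per_dport": syn / n_dport,
            "reverse_rst_ack_frac": rst_ack / len(rev) if rev else 0.0,
        }
    return feats


def experience_only_rule(p, feats):
    """Rule learned by the Experience Only agent: any TCP packet with SYN set is a scan packet."""
    return p.proto == "TCP" and "S" in p.flags


def semantic_rule(p, feats, min_dports=10, max_sport_ratio=0.25, syn_tol=0.1, min_rst_ack=0.5):
    """Rule learned by the Semantic Information and Experience agent. Cutoffs are assumed."""
    if p.proto != "TCP":
        return False
    f = feats[seq_key(p)]
    return (f["n_dport"] >= min_dports
            and f["n_sport"] <= max_sport_ratio * f["n_dport"]
            and abs(f["syn_per_dport"] - 1.0) <= syn_tol
            and f["reverse_rst_ack_frac"] >= min_rst_ack)


def evaluate(pkts, rule):
    """Metric 1: packet accuracy. Metric 2: share of true scan sequences detected. A sequence
    counts as a scan as soon as one of its packets is classified as a scan packet."""
    truth = ground_truth(pkts)
    feats = sequence_features(pkts)
    pred = [rule(p, feats) for p in pkts]
    true_seq = {seq_key(p) for p, s in zip(pkts, truth) if s}
    pred_seq = {seq_key(p) for p, s in zip(pkts, pred) if s}
    return {
        "packet_accuracy": sum(a == b for a, b in zip(pred, truth)) / len(pkts),
        "sequence_detection": len(pred_seq & true_seq) / len(true_seq) if true_seq else 0.0,
        "false_sequences": sorted(pred_seq - true_seq),
    }


TRAFFIC = build_traffic()

if __name__ == "__main__":
    for name, rule in (("Experience Only", experience_only_rule),
                       ("Semantic Information and Experience", semantic_rule)):
        print(name, evaluate(TRAFFIC, rule))
```

On this constructed traffic the SYN-only rule misclassifies only three packets (the client's SYN, the two SYN-ACKs), but because each falls in a different conversation it turns three legitimate sequences into "scans", which is the pattern Fig. 6 shows; the sequence rule reaches the same scan verdict with no false sequences. Note that the per-sequence statistics are computed over the whole capture, so a low-and-slow or distributed scan of the kind raised in the discussion would need time windows and aggregation across scanning sources before these cutoffs are meaningful.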
However, the existence of knowledge is a precondition rather than a guarantee of improvement: correctly querying the information is the key to the major improvement. In the modeling process we relied on domain experts to construct the queries that aggregate and retrieve information. By using a cognitive agent we were able to test different queries and combinations of attributes, to identify representations that facilitate the decision making process of a network defender.

While PACO has the potential to represent packet-level information for complex and diverse network communication, the current cognitive model was developed to accommodate a simplistic network scenario. Port scanning can take many forms (vertical and horizontal scans), can use different protocols, and can be highly distributed over time (i.e., low-and-slow scans). Therefore, although we used high-fidelity network traffic, future research should scale up the volume of traffic as well as the complexity of the network scan. Such additions will likely challenge the cognitive agent. However, providing the agent access to the middle and high levels of CRATELO might be the key component for the agent's success in more complex and challenging tasks. The benefit of pairing cognitive agents and ontologies goes beyond the ability to gain insight into the decision making process of the human analyst. Such a combination can serve as an initial step towards the development of cognitively inspired decision aid tools for automating some of the tasks currently performed by human analysts.

ACKNOWLEDGMENT

This research was sponsored by the Army Research Laboratory and was accomplished under Cooperative Agreement Number W911NF-13-2-0045 (ARL Cyber Security CRA). The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Army Research Laboratory or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon.

REFERENCES

[1] C. Gonzalez, N. Ben-Asher, A. Oltramari, and C. Lebiere, "Cognition and technology," in Cyber Defense and Situational Awareness, ser. Advances in Information Security, A. Kott, C. Wang, and R. F. Erbacher, Eds. Springer International Publishing, 2014, vol. 62, pp. 93–117.
[2] A. D'Amico and K. Whitley, "The real work of computer network defense analysts," in VizSEC 2007. Springer, 2008, pp. 19–37.
[3] J. E. Rowley, "The wisdom hierarchy: representations of the DIKW hierarchy," Journal of Information Science, 2007.
[4] N. Ben-Asher and C. Gonzalez, "Effects of cyber security knowledge on attack detection," Computers in Human Behavior, vol. 48, pp. 51–61, 2015.
[5] C. B. Lee, C. Roedel, and E. Silenok, "Detection and characterization of port scan attacks," Technical report, University of California, Department of Computer Science and Engineering, 2003.
[6] A. Oltramari, N. Ben-Asher, L. Cranor, L. Bauer, and N. Christin, "General requirements of a hybrid-modeling framework for cyber security," in Military Communications Conference (MILCOM). IEEE, 2014, pp. 129–135.
[7] A. Oltramari, L. F. Cranor, R. J. Walls, and P. McDaniel, "Building an ontology of cyber security," in 9th International Conference on Semantic Technologies for Defense, Intelligence and Security (STIDS), 2014, pp. 54–61.
[8] C. Masolo, S. Borgo, A. Gangemi, N. Guarino, A. Oltramari, R. Oltramari, L. Schneider, L. P. Istc-cnr, and I. Horrocks, "WonderWeb deliverable D17. The WonderWeb library of foundational ontologies and the DOLCE ontology," 2002.
[9] L. Obrst, P. Chase, and R. Markeloff, "Developing an ontology of the cyber security domain," in 7th International Conference on Semantic Technologies for Defense, Intelligence and Security (STIDS), 2012, pp. 49–56.
[10] D. A. Mundie and D. M. McIntire, "The MAL: A malware analysis lexicon," DTIC Document, Tech. Rep., 2013.
[11] C. Gonzalez, J. F. Lerch, and C. Lebiere, "Instance-based learning in dynamic decision making," Cognitive Science, vol. 27, no. 4, pp. 591–635, 2003.
[12] J. R. Anderson and C. Lebiere, The Atomic Components of Thought. Lawrence Erlbaum Associates Publishers, 1998.
[13] J. E. Laird, A. Newell, and P. S. Rosenbloom, "Soar: An architecture for general intelligence," Artificial Intelligence, vol. 33, no. 1, pp. 1–64, 1987.
[14] T. Lejarraga, V. Dutt, and C. Gonzalez, "Instance-based learning: A general model of repeated binary choice," Journal of Behavioral Decision Making, vol. 25, no. 2, pp. 143–153, 2012.
[15] N. Ben-Asher, V. Dutt, and C. Gonzalez, "Accounting for the integration of descriptive and experiential information in a repeated prisoner's dilemma using an instance-based learning model," in 22nd Behavior Representation in Modeling & Simulation (BRiMS) Conference, 2013, pp. 11–14.
[16] C. Gonzalez, N. Ben-Asher, J. M. Martin, and V. Dutt, "A cognitive model of dynamic cooperation with varied interdependency information," Cognitive Science, 2014.
[17] C. Gonzalez and N. Ben-Asher, "Learning to cooperate in the prisoner's dilemma: Robustness of predictions of an instance-based learning model," in 35th Annual Meeting of the Cognitive Science Society (CogSci 2014), 2014, pp. 2287–2292.
[18] J. F. Allen, "Maintaining knowledge about temporal intervals," Communications of the ACM, vol. 26, no. 11, pp. 832–843, 1983.
[19] M. De Vivo, E. Carrasco, G. Isern, and G. O. de Vivo, "A review of port scanning techniques," ACM SIGCOMM Computer Communication Review, vol. 29, no. 2, pp. 41–48, 1999.
[20] E. M. Hutchins, M. J. Cloppert, and R. M. Amin, "Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains," Leading Issues in Information Warfare & Security Research, vol. 1, p. 80, 2011.
[21] M. H. Bhuyan, D. Bhattacharyya, and J. K. Kalita, "Surveying port scans and their detection methodologies," The Computer Journal, vol. 10, pp. 1565–1581, 2011.
[22] Nmap network mapper. [Online]. Available: https://nmap.org/
[23] N. Ben-Asher, J.-H. Cho, and S. Adalı, "Cognitive leadership framework using instance-based learning," in 24th Conference on Behavior Representation in Modeling and Simulation (BRiMS), March 2015.